NC_2023_07_30

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com




[0:00] Music.

[0:09] Today is Sunday, July 30th, 2023, and this is show number 951.
Well, I really wanted to take some time to talk about Macstock and what a great conference it was, but I'm going to have to defer that till next week. I want to make sure I tell you in a way that doesn't sound like when your best friend tells you all about their summer vacation in Hawaii and you have to pretend to be happy for them while you spent the week working in a stuffy cubicle. I want to hopefully make it more interesting than that. All right, this coming weekend we are going to be going off to Mammoth for a week with Lindsay and her family, so there will be no live show on Sunday, August 6th. I'm going to release the show early again, probably on Saturday. So Saturday, August 5th you will get the show and that'll be your hint not to show up to the live show. We get back on Saturday the 12th and because of the awesome NosillaCastaways there will be plenty of content for me to publish another show on Sunday the 13th even though I won't be working all week at all.
We will have the live show on the 13th, but it'll be mostly me just chatting with the audience and goofing around because I'm going to rely on the kindness of the NosillaCastaways for that.

[1:16] Now, I'll still have two recordings ready for the trips that are still coming up.
So if you've got an idea for something that you're going to record, please go ahead and still do it.
Don't hold back, because during the live show here I've been waving around a calendar of all the different times I'm going to be gone, so I can definitely use some more help. And anyway, let's kick into gear for this week's show, shall we?

"SO-2 is My Favorite Star" T-Shirts Honoring Dr. Andrea Ghez

https://www.podfeet.com/blog/2023/07/so-2-shirts-ghez/


[1:43] I'm sure that by now you've watched or listened to my interview with Nobel Prize-winning astrophysicist Andrea Ghez. If you haven't yet, stop listening to this now and go check it out because it is an amazing interview. It's just fantastic. Anyway, in this interview she explains how she and her team determined that there's a supermassive black hole at the center of our galaxy. One of the reasons they were successful was that they discovered a star they call SO2, which has an incredibly short orbit around the center of our galaxy.
It's only 16 years. That means that they were able to track its entire orbit during their study, and it means that even more science will come from observing it during its most rapid movement at either end of the elliptical orbit. During the interview, when Andrea said that SO2 was her favorite star, I asked her whether her team has t-shirts. She enthusiastically said, No, but there should be.

[2:33] Well, Steve and I decided to take matters into our own hands and we designed SO2 t-shirts.
Andrea's team already had done the work of mapping several stars orbiting the Milky Way center, so I simply replicated the orbits, making one of the star's orbits white, or all of them white, except for SO2 which I made in yellow so it stands out.

[2:51] Now you too can own one of these coveted t-shirts by ordering them through our online store at Cotton Bureau. Because we believe science should be open source, we removed any profit on the shirts, so the $27 you see is purely the Cotton Bureau pricing.
We also wanted to make sure the shirts were as inexpensive for Andrea's team as possible.
We shipped shirts to her and her assistant, who helped me get the interview, and I can't wait to find out whether she likes hers.
Since everything good starts with podfeet.com, go to podfeet.com slash shop to buy your very own SO2 is my favorite star t-shirts for $27. We chose tons of different colors.
I love the tri-blend shirt options, but you know what? You do you.
We also made an iPhone case and it's $27 for the MagSafe version and $23 for the slim, non-MagSafe version. I can't attest to how those look in real life. I'm kind of tempted to buy myself one though. Anyway, my favorite thing about the shirts is that pretty much no one will ever know what they mean when you wear them. But if you know, you know.

Shottr Tutorial on ScreenCastsONLINE

https://www.podfeet.com/blog/2023/07/shottr-sco/


In May, I told you about the amazingly capable and inexpensive screenshot annotation tool called Shottr.

[4:01] I'm so enamored with Shottr that I decided to create a full video tutorial about it for ScreenCastsOnline.

[4:07] As always, I learned so much more about the tool because I had to really know how to use all of it, so the tutorial has even more information than the article I wrote.
Let me give my usual disclaimer. ScreenCastsOnline is a paid-for tutorial podcast, but it also has a free 7-day trial that gives you access to the current back catalog, so you can watch all of what you can watch. You can binge like crazy for 7 days.
Now, it's dangerous to do the free trial because the tutorials are incredible. We've got a great cast of characters who do the tutorials, and you'll get hooked on the service if you try it.
It is only $8 a month if you subscribe annually, and I challenge you to find training of this quality at that price. I put a link in the show notes to a little teaser video for Shottr. It's kind of just the introduction where I'm just kind of getting it set up. So it really is a cliffhanger teaser kind of video this time. But go check it out on ScreenCastsOnline.com.

CCATP #774 — Bart Busschots on PBS 153 – Bash: Functions & Scope

https://www.podfeet.com/blog/2023/07/ccatp-774/


[5:01] This week's Chit Chat Across the Pond is another installment of Programming by Stealth, and Bart and I have come to the end of our journey with Bash. I'm going to be sad to have it complete because as I tell Bart in this episode, I've really enjoyed this mini-series.
Next time, he will do a final bow-tying episode where he brings everything we learned together in one set of notes as a handy reference guide, so we'll be able to know which lesson to go to to remember how to do stuff. I think he wants that reference guide for himself, too.

[5:29] Anyway, in this week's episode, he explains how functions work in Bash, and after about the 12th time he repeated it, I understand that functions we create in Bash work just like built-in functions, such as ls or cat.

[5:43] After walking us through some easy-to-follow scripts to illustrate this and show us the syntax, we go into a harder concept where we talk about scope.
We learn that Bash does scope differently from pretty much every other language, so he teaches us how to avoid what he calls spooky action at a distance because of this different way of dealing with scope.
Protecting ourselves isn't actually that hard, but it's very important to understand why we need to do this, and of course, Bart is the best person to explain this.
You can find Bart's fabulous tutorial show notes at pbs.bartificer.net.

I Finally Found a Use for the iPad mini

https://www.podfeet.com/blog/2023/07/no-use-case-ipad-mini/


[6:15] I usually try to figure out how a piece of tech will fit into my life before I buy it, but sometimes I buy it on faith that the device will find its own place.
I'm easily influenced by my geek friends in this regard, so if a lot of them say something is great, I'll probably give it a try.
In 2019, I bought a 5th gen iPad mini. I already had a 16-inch MacBook Pro and a 12.9-inch iPad Pro, but everyone told me that the Mini is such a great device and there was room for it in my life.
They were wrong.
I carried it around for a while, and I even used my Gen 1 Apple Pencil with it.
I can tell you that an Apple Pencil sticking out of the side of an iPad Mini looks really silly.
I bought the Logitech Crayon for it, which required a cable, but didn't look quite as silly.
At the time, I was using MyScript, a now-discontinued piece of software that would recognize my handwriting and convert it on the fly to text.
And it worked reasonably well. I also tried drawing with it.
I always felt cramped with the iPad mini and I would continuously reach for my 12.9-inch iPad Pro.

[7:17] I found an article I wrote about the 5th gen iPad mini entitled, Does the new iPad mini have a place in your digital life?
And my conclusion was yes, but that was evidently well before the honeymoon was over.
Sounds like wishful thinking to me.
I started realizing the problem. I use the iPad Pro a lot because it has a keyboard that also acts as a stand.
The obvious answer was that I needed a keyboard case for my iPad mini.
I set out on a quest to find the perfect keyboard for the iPad mini.
If I could just find that perfect keyboard case, then I would be productive with the iPad mini.
In 2019, I wrote an article entitled, Maybe if I had a keyboard for my iPad mini, I'd use it more, in which I admitted that the novelty had worn off and described the keyboard cases I'd tried.
I'm going to save you the time of reading that old article. They were all awful. And I mean truly terrible. The obvious solution was to upgrade in 2021 to the 6th generation iPad mini. That's going to solve the problem. This was a sweet little iPad with a flat magnetic side for the Gen 2 Pencil to charge. And it sports USB-C, which is so much nicer than Lightning. I thought maybe I'd use it as a book reader. But you know, it's so much heavier than the Kindle. The battery only lasts a day or two, while the Kindle lasts weeks.
It was also too easy to flip over to social media and play around and read books when I really wanted to read books. The new pencil support was nice, but when I would scribble notes on it, I felt like I was always at the end of the page with the Mini.

[8:46] I don't have a lot of need to scribble on an iPad, but when I'm programming, I find it a much better way to think things out. I wrote an article called Write by Hand When You Need to Think where I described how it works, but it doesn't work for me in the iPad mini because it's too small. I know a lot of people who simply love the iPad mini, but they all tend to use it as a consumption device. They read Apple News or they idly scroll through social media with it. And my problem is that I simply can't read anything without wanting to contribute. If I see content I like, at the very least, I want to copy the link and send it to someone. If it's social media like Mastodon, I want a reply. I like to engage with content with other people.
I was still holding out hope to find a good keyboard solution for the iPad mini when I heard Andy Ihnatko talk about an interesting solution.
He bought a wraparound cover for the Magic Keyboard. When unwrapped, it gives a nice stand for the iPad Mini.
Instead of the overly cramped and improperly placed keys of the keyboard case solutions I'd tried before, the Magic Keyboard has full-size keys, so typing on it would be a dream.
After I got the case, I put my spare Magic Keyboard in it, and I thought I was set.

[9:56] But you know what? It's a big pain to carry around not one, but two devices. It was clumsy to open and it was awkward to carry because the keyboard case and the iPad were different shapes and sizes. That poor case? It's been sitting in my closet for years now.

[10:12] I did find a small use for the iPad Mini for a while. I used to use some software for running the live show that had a companion app for iOS. This companion app gave me a nice control surface with big buttons as an audio-video switcher. This let me do things like mute Steve or change what the viewers were seeing on screen. While it was perfect for this use, every single week when I opened it up, the battery was dead. I had to get in the habit of shutting it down every week just so I didn't have to wait for it to charge up for the live show the following week. Now, it turns out we don't use that software any longer, so the iPad Mini went back in the drawer again.

[10:48] The end of this story is that I finally found the perfect use for my 6th Gen iPad Mini.
My son and his wife had a third baby and I gave it to them.
When they had two babies, they used my 1st Gen 12.9 inch iPad Pro and my 2nd Gen 12.9 inch iPad Pro as baby monitors.
It worked great.
They could see both babies and hear both babies if anything went wrong.
Kyle knew he needed a new solution and he didn't think carrying three giant iPads around would be a good idea, so he was delighted to find out that Wyze supported two cameras in view at the same time. He figured he'd have the TrueBaby monitor on the new baby, and Wyze on my two older and very adorable grandchildren. But when he went to set it up after the new baby was born four weeks early, he discovered you can only hear one of the Wyze cams at a time. I did a little bit of research, and I think this might be a limitation from Apple. I'm not sure it's Wyze's fault. But in any case, not being able to hear the baby is a big problem. So I sent Kyle the iPad mini and he set it up as the third baby monitor and finally my little device has a loving home.

Tiny Tip - How to Tether Your Kindle to Your iPhone’s Hotspot

https://www.podfeet.com/blog/2023/07/tiny-tip-tether-kindle-iphone/


[11:56] Music.

[12:05] To Chicago for Macstock, I finished the book I was reading on my Kindle. One of my favorite things about reading on a Kindle is that I can easily buy another book and just keep on reading.
I don't have to wait until I can find a bookstore or drag along several heavy, made-of-wood books.
When I got to my hotel, I used my Mac to buy another book from Amazon and I sent it to my Kindle. I turned on the Kindle and I went to Wi-Fi settings and I realized I wasn't going to be able to connect to the hotel Wi-Fi. Connecting to Wi-Fi at the hotel had the typical interstitial pop-up page where you have to enter your hotel room number and your name. The Kindle does have an experimental browser that's been experimental for about 10 years now, but connecting to the hotel Wi-Fi did not make that pop-up happen in the experimental browser.
No worries, books are just mostly text files, so they're wee tiny, which means even the worst cell phone signal over tethering would be good enough to download my book. My iPhone's hotspot was enabled, but when I opened up the Wi-Fi section on my Kindle, my iPhone was not visible in the list of available hotspots.
I tried rebooting the Kindle, turning off the hotspot on my phone and turning it on again, but nothing would make my iPhone's hotspot appear.

[13:18] There's a solution to this problem, and that's our tiny tip for today.
In Settings, Personal Hotspot, you'll see a toggle called Maximize Compatibility.
If you toggle it on, the Kindle can immediately see the Wi-Fi created by your phone.
As soon as I connected, I was able to download my book in short order.

[13:36] Under the Maximize Compatibility toggle, it says, quote, Internet performance may be reduced for devices connected to your hotspot when turned on.
That's nice, but I got curious about what it was actually doing under the hood.
I don't know why Apple doesn't want us to worry our pretty little heads about such things, but I like to understand things.
I had a theory about what this toggle might be doing, but I wanted to confirm my theory.

[14:02] I looked for an Apple support article explaining it, and while it did explain when to use it, the support article didn't say what it actually does.
I kept digging, and I eventually found a tutorial by Apple that says, quote, Personal Hotspot uses a 5GHz connection by default.
On iPhone 12 or later, you can turn on maximize compatibility for Personal Hotspot to use a 2.4GHz connection.
That confirmed my theory.
I was pleased to be right, pleased to find the answer in writing from Apple, but I was glad I found this for another reason.
The place I found this, I stumbled across this, was the Apple device support tutorials at it-training.apple.com.
I put a link in the show notes because you can't actually go to the main URL, you have to start at one of the tutorials.
If you're an Apple certified support professional, you probably already know about these tutorials, but I sure didn't know they existed.
While this series of tutorials is designed to prepare people for the Apple Certified Support Professional test, the tutorials are available to all of us for free.
The tutorials assume you know your way around Apple devices, so they get you that deeper knowledge you might have been seeking about how things work.
I guess that's two tiny tips in one.

What’s the Difference Between a Hub and a Dock?

https://www.podfeet.com/blog/2023/07/hub-vs-dock/


[15:20] While on the road to Macstock, I asked Dave Hamilton a question that's been festering at me for a very long time. What's the difference between a hub and a dock? I've seen a lot of explanations on the web, but in every case, I could counter their theory with an example that proved the opposite.
For example, someone would say docks are powered and hubs are not, but there's also powered hubs and unpowered docks. When I asked Dave, I got a very surprising answer. He said he didn't know a definitive way to explain the difference either. I thought he'd know.
Well, we just happened to be on our way to go on a tour of Other World Computing, also known as OWC, at macsales.com. These people make docks and hubs, so we decided I should ask them. I'm so glad we did because I got a great answer from Rick in sales. He prefaced it by saying this is how OWC differentiate the two terms and that he wasn't saying this was everyone's definition.
Rick said that a hub multiplies an existing port protocol into more of the same, and a dock adds different ports to the machine.
It's so simple, and it makes perfect sense. So for example, if you buy the Satechi Type-C multiport adapter that gives you HDMI, USB-A, SD, microSD slots, and one bus-powered device, that's a dock.

[16:40] But if you buy the Satechi 4-port USB-C hub that adds 4 USB-C 3.0 Gen 1 data ports, that's a hub because it multiplies the existing port.

[16:53] Likewise, the OWC 11-port dock is indeed a dock because it adds a plethora of ports, from USB-A to USB-C to Ethernet and more.
But if you want more Thunderbolt ports, you need to get a hub, like the OWC Thunderbolt hub. Now I'd be remiss if I didn't point out that while I think OWC's explanation is clear and concise, Satechi seem to use a random set of nouns to describe their devices. Satechi have devices that are clearly docks, and they call them hubs, and the dock I just described is actually called an adapter in their literature. They sell devices they call docking stations, but they only use that term when they're referring to big, powered devices appropriate for a desk. It's no wonder we have trouble knowing which one is which, but I'm going to stick with OWC's terminology because it makes me happy to have a definitive answer to this question, even if it isn't official and not everyone follows this convention.

[17:50] Music.

Security Bits — 30 July 2023

https://www.podfeet.com/blog/2023/07/sb-2023-07-30/


[17:59] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots.
And we got some deep dives today, huh, Bart?

[18:05] Well, they're all quite shallow as deep dives go, but you like to get a little deeper into stories.
And so I've been sort of rebalancing the notes a bit to a few meaty stories and then catch up on the other stuff.
And there isn't a whole bunch of other stuff. So this actually works out quite well.
So our first deep dive is one of those stories that's been going on for so long that it's probably worth reminding ourselves how we got here. I guess the big story is, in theory, it has just gotten easier for US companies to work with European data. So there used to be a thing before the GDPR that was called Safe Harbor, where Europe and America had negotiated an agreement to basically say that as far as data privacy was concerned, we would consider US law equivalent to European law, so don't worry your pretty little heads, Microsoft and Facebook and everyone else, it'll all be fine.
I and many others felt that that was a fiction that was there for the purposes of commerce as opposed to reality.
And an Austrian gentleman called Max Schrems also felt the same and went to the European Court of Justice and won, striking down safe harbour and meaning that all of a sudden every American company that was using Safe Harbor was in breach of GDPR.

[19:31] So the European Commission... Using Safe Harbor across the board in its entirety?

[19:38] Probably as an excuse for this. OK, the GDPR Safe Harbor.
So there are many laws use the term Safe Harbor, but this is...
Yeah. Okay, I thought you meant the U.S. Safe Harbor. Okay.
No, no, this is entirely about GDPR. So basically it was agreed that there will be they called it safe harbor, that American companies could just pretend the GDPR didn't exist because American law, sure, that's fine, that's just like the GDPR.

[20:04] Right, exactly. Right. It's ridiculous. Exactly.
Don't make those jokes when I'm drinking my coffee, Bart.
I'm sorry. I need to watch my camera better.
So the European Commission had another go and they negotiated something with the American government that they called, um, oh hang on until I get this wording right.

[20:24] The privacy shield framework. So the idea was that if companies agreed to these extra rules that were above and beyond American law, so American law plus a few extra rules, then American companies could basically say that, yeah, we're de facto compliant with the GDPR.
And Max Schrems took one look at the Privacy Shield Framework and went, I don't think so.
And he went back to the European Court of Justice and the European Court of Justice went, yep, you're dead right, and struck it down again.
So that's that was in 2020. So they've had a third go and they've been very quiet about it, probably because they're trying to be productive.
So there's been a lot of negotiations between the European Commission and the Biden administration.
And a lot of concessions were made.
And now they think they have arrived at Privacy Shield Framework Mark 2, and the Commission have officially ruled that they consider it to be adequate.
They took a vote and they deemed it adequate.
So until there's another court case to check their adequacy, it is now the case that any American company can sign up to abide by this framework, and then that gives them GDPR compliance.
So they have a mechanism for GDPR compliance.

[21:45] Huh. Do we have any idea what's in it that's different? Yes. So the big changes from Mark 1 is that there is tighter language on US law enforcement access to European data. So the language now says it is only, quote, what is necessary and proportionate.

[22:04] Okay, so no drag nets. No drag nets. And the obvious question is, well, who gets to decide necessary and proportionate?
And the answer is a new court has been created through a treaty that the US signed with the European Union.
It is called the... Hang on, where's it gone? It's in the show notes here.
The court of something. I'm sure I meant to put it in italic so I could find that mid-flow.
And I guess I've heard of justice because you already had that.
No, the ECJ. Data Protection Review Court.
There we go. So that is now a thing that exists, which is what will decide if your American companies are protecting European customers' rights and European, as I understand it, the court is in America, but Europeans can use the court.

[22:51] So the plaintiffs will be Europeans and the defendants will be American corporations and it will happen in America, is my understanding of this court, and that is supposed to protect European rights.
So this will undoubtedly be challenged by Max Schrems and Co.
The commission are confident it will stand up to the challenge. And for now, it is assumed to be legal because that's how it works when a parliament passes a law. So for now, we have a mechanism again that Facebook, etc, can use to be compliant with the GDPR and stop getting massive fines.
And they have to still agree to it?
They do, and they have to actually implement it.

[23:33] Oh, that too. Yes, that too. But it should make things a lot easier for American corporations who want to have European customers with data in American data centres. The easy fix has always been to have separate data centres, but this is a fix for companies that don't want to do that. So on the whole, if it stands up, this seems like a positive development.
That could help smaller companies too, right? Who can't afford data servers all over the globe.
I don't think that's so much of a cost. What it really saves you on is lawyer fees.
Because in the absence of a framework, everyone had to do their own paperwork.

[24:12] Whereas when you have a framework, you basically get to go and I accept this framework, sign on the dotted line and we're done, right, instead of having to draft up all of your own policies and everything.
So again, smaller shops do benefit massively, actually, from not having to have a legal department on retainer.
So that's our first semi deep dive. Next up, our friends Apple get to march into the conversation.
So we've talked a few times about Apple's new Rapid Security Responses, which are mini-me little security updates that do one thing and in theory do it well, although in practice that doesn't always work out. And are undoable.
Yes, and that did work out. That's the other big feature. Right, yes.
Right. Yeah, so they're designed to be quick to roll out and quick to roll back.
They're very precise in their action. They just do one specific thing and therefore they apply very, very quickly.

[25:03] So if they require a reboot, it will be a normal reboot, not one of those weird software update reboots, and the intention is to have as few as possible of them require any sort of reboot at all.
So this is now our second or third, depending on how one wants to count them, Rapid Security Response, and things went awry. But arguably it wasn't Apple's fault. It's not that Apple broke macOS with the security update, or indeed iOS. This one was for the Mac and for iOS. It affected Safari, and it was a zero day in Safari, which is never healthy. Remote code execution by visiting a random website. Not a good day.
I hate those.
Yeah, so worthy of a rapid response. But Apple discovered some teething problems to do with technical debt and the internet, I think is the best way to describe it. So we.

[26:00] When Apple update a rapid security response, they change the version number of the operating system so you can tell that you have applied the rapid security response.
And they don't change the numbers. So you have three numbers, 10 point something, you know.
You have three digits.
And they don't want to add a fourth digit.
So the rapid security responses appear as bracketed letters.
So you might have, you know, Mac OS 10.15.7a and 10.15.7b, and so forth. And c.
And c, in this case, yes. Although b never reached us. A and c reached us, but b didn't reach us.
Anyway, web browsers also tell web servers what operating system they're running so that the web server can theoretically be clever. Is that the user agent?
Precisely. So the mechanism... that's reported?
Yeah, the mechanism is a single HTTP header called user-agent, or the user-agent string.
You'll usually see it in English.
And this thing is loaded with so much technical debt and history, you just would not believe it.
So, I decided it would be fun to show you what I mean by copying and pasting my user agent from my Mac today.

[27:16] Okay, now my Mac is an M1 series Mac, but the user agent string says Intel Mac OS X.
Which is immediately... So it hasn't been OS X in a long time, and it's not Intel.
Yeah. Now, I was using Safari, yet the very first word in the user agent is Mozilla forward slash 5.0.
It also says Apple WebKit, which is the one true thing so far.
It also then says KHTML, like Gecko.
And then finally, on the very end, we see Safari.

[27:52] Well, it's also, you're not in, sorry, 10.15.7. You're probably in like 13.5, aren't you?
Well, technically speaking, we call 10.15.15 or something, don't we? Wait, what do we, yeah, what do we call these? But we're on 13. We're not on 15. We're on 13.
You're right. We're on Mac OS Ventura 13.4, so why is it?
Yeah, okay, you should be on 13.5, Bart. You're not patched.
Yeah, that's why there's a giant big one. I will be after we record this. I didn't want to Oh, Bart, Bart, Bart, I may have to say your ending line for you here.
So what is going on? In any case, it's not 10.15.7, which is also in the user agent string.
Yeah. So what is going on here? Well, what's going on here is a whole bunch of history.
So when Apple released Safari, no one knew what Safari was.
So in order to make Safari not give you errors all across the internet, Apple decided that they would make their browser behave the same as Firefox.

[28:50] So any website that would work in Firefox, they tested to make sure it would also work in Safari.
So they put Mozilla 5.0 on the front so that websites would go, oh yeah, that's a version, of Firefox. Yeah, sure. I know what to do with you.
But then people, you know, Apple started making their own stuff and they want their own credit.
So later in the query string, you then add the truth, which is Apple WebKit and Safari.
But WebKit wasn't written by Apple. It was an open source project that Apple took on and extended.
And it used to be KHTML was the open source project. So that's why that's still in the query string.
Or sorry, in the user agent string. But when KHTML started, they had the same problem Safari had.
So they had to pretend to be Netscape. And Netscape's engine was called Gecko.
So that's why it says KHTML, like Gecko. So that's why it says Apple WebKit KHTML, like Gecko. Yeah.
Now, the KHTML people, I think, had a sense of humor because they put comma like in front of Gecko instead of just pretending to be Gecko, whereas Apple went with Mozilla slash 5.0.
So this thing is so laden with technical debt, it's not even funny.
Right. This is this is insane. Could they take all of that out now and just say Apple WebKit?

[30:04] No, because the Internet would break. That's why that's why.
So when Apple released their their update, which included a patch to Safari for the first time, Safari started reporting itself as being 10 underscore 15 underscore 07 bracket A bracket.
And all the regular expressions used by Facebook broke.

[30:27] Because everyone tries to pull... There's not a separate field for the operating system and a separate field for the browser.
Everything is munged into this user agent.

[30:40] I don't know what Facebook is doing with this. What do you mean, they're querying?
What does Facebook do with it?
Facebook's web server reads the user agent and for reasons probably to do with spying on you, tries to extract the information. But it's one field, right? It's not that we have a sensible system where there are a field for where you tell it the operating system and a field for where you tell it the browser. The only thing is this ridiculous user agent string. So everyone's web server that cares about what type of web server is visiting, whether that be for statistics, for spying, for giving appropriate...
Sometimes when you go to a website, you see different things on an iPhone versus on your Mac. It's because they're using the user agent string to give you a mobile version of the site and stuff like that.
So there are... So somehow, were these queries from Facebook expected an integer or a floating point number and got a letter?
Right, exactly. So they're using regular expressions to pull information out of this complete mess of a train wreck that is the user query agent string. And their regular expression was too tightly tuned. And their regular expression didn't match anymore when Apple introduced a bracket. Which meant that their website didn't default to rendering some sort of sensible page. Their website defaulted to giant big error message, I don't know what browser this is go away. Which is a silly default, but that's what they did. So Apple broke Facebook.

[32:07] That should have been the headline, Dog Bites Man. Right. So Apple went off and proved that people can revoke them. So Apple stopped pushing out the update and told everyone who had a problem that they could roll it back, which is what everyone started doing. And then Apple had to figure out, well, how do we make our users secure without breaking all these regular expressions built into people's websites all over the planet?
And the answer they came up with... Hang on, hang on.
Right, cliffhanger. The answer they came up with was, so did it break on the parentheses A version?
Because I thought it broke on the parentheses B version.
No, it broke on the A version, which is why the A version was retracted.
We never saw the B version. That was never released to the public.
And the C version did what I'm about to describe.

[32:58] Huh, because I mean, I installed the A version, but I didn't remember seeing it get pulled off.
Is it your... No, you wouldn't have pulled it off unless you pulled it off or unless you installed the C version later, which superseded it.
If you didn't run into an issue, you would never have pulled it off.
Unless you ran into an issue with a website that broke, you would never have removed it.
But I thought you said they pulled it.
They pulled A. They stopped publishing it. So the people who hadn't already applied it, it vanished from their little plus one sign.
OK, but I applied it.
Right. So, yeah, they didn't retro. They didn't reach into your computer and take it away.
They made it not available. I thought they did. OK, I thought they did.
No, they didn't. But they did give instructions for how you roll them back.
So anyone who had trouble.
Could roll it back themselves. How would you give the instructions if you didn't know that's what it was?
I'm sure the Apple Twitter account was tweeting all over it.
Apple support pages were full of it. And the Internet was full of people saying, roll it back, roll it back.
Apple's documentation shows how you roll it back.
support.apple.com gives you instructions for rolling back. And also, didn't it break more than Facebook?
It wasn't just Facebook. It wasn't just Facebook. There were a couple of other websites.
I believe I heard someone mention certain features in Zoom.

[34:12] I don't think it was all of Zoom, but I think there were certain web interfaces for Zoom.
But the basic cause was web servers failing to interpret the query, the user agent, and defaulting in a way that broke things as opposed to a more defensive default.

[34:31] So anyway, they decided in the end that they still wanted to communicate to people that the version of Safari visiting the web server had this newer version, because hypothetically, they could end up having to disable a feature as part of a rapid security response.
So if some feature has proved to be catastrophically broken, they could push out a rapid security response to revoke a feature or change its behavior.
And then in theory, a website could need to know, Oh, if I see Safari version, whatever, I can't do X, Y or Z.
It doesn't have support for zip encrypt, you know, whatever it could be, right?
Some features they've had to pull back for security reasons.
So they still want to communicate in the user agent that the browser has updated.
That is the point of the user agent, right? Sure. So where can we add the information without breaking everything?
And they decided they would update the build number for Safari, not the macOS number.

[35:24] Okay, so there's no A or C being applied in the user-agent string?
Yeah, so instead the version number of Safari is what changes, which communicates the information.
So when they put C out, it changed WebKit to a different version number?
Yes. WebKit or Safari? I thought it was WebKit.
I noticed the two numbers happen to be the same, so actually it's probably a distinction without a difference.
Yeah, so the WebKit number and the Safari number are the same. Okay.
Yeah. So that is the thing. How do you get to your user agent string?
How did you find that? So there are lots of websites that will echo it back to you.
So if you type into Google... You know the way you can type into Google, what's my IP address?
If you type into Google, what's my user agent, you'll get to lots of different websites that show you your user agent.
Or you could look at the log file. I did not know you could ask...
I didn't know you could ask Google for your IP address. I always go to IP Chicken.
Just because that's fun to go to.
It's got a chicken. Yeah.

[36:30] No, Google, of course, being clever, if they can answer you without sending you to someone else's website, to someone else's ads, they will answer you with their ads.
So that's what they do when you say, what's my IP?
So, interestingly, you and I are both on the same version of Safari, even though you're not up to date on macOS.
That is interesting. That makes sense. That could be true. Anyway, the obscurity of user-agent strings and changing them broke the internet.
I kind of like TidBITS' summary. The TidBITS guys are always great for getting to the nub of things.
What's that chap who runs TidBITS who you interviewed who I love listening to? Adam Engst, too.
Thank you, Adam. I'm almost certain it was Adam who wrote this.
While Apple's choice of letter for Rapid Security Response updates is questionable, Meta and other companies whose websites were affected also bear responsibility for not failing gracefully when encountering unexpected user-agent identifiers.
Yep. Take the blame, spread it around. So anyway, ultimately no harm done.

[37:35] I'm sure Facebook will take action immediately to fix this problem.
Basically, Apple have discovered that when they do rapid fixes to Safari, they need to do this and not that.
So this is... Yeah. Teething problems.
Nothing catastrophic. That's interesting.
I thought I understood this and I understand it more now.
Excellent. So deep dive number three then is some new rules to the App Store that have seen a little bit of news coverage, but not a lot. But I think they're actually important, particularly to people who care about their privacy.
So I guess to prove that this is a big change, it's so big Apple are pushing it out in phases with advanced notification.
So Apple released new rules this week which say that from the fall, which I interpret as from the next version of macOS and iOS, that's usually what Apple mean by the fall.
So from the fall, developers who upload an updated or a new app that doesn't comply with these new rules I'm about to describe will get a warning saying, by the way, your app is in breach of what will become the rules in spring of 2024, when all apps that fail will just be rejected automatically.

[38:45] Now that's interesting. Well, your notes say that uploads will be blocked if they're non-compliant, but if you've already got it up there, you're fine?
Yes. So they're not reaching in and kicking apps out of the store. This is sort of Apple's normal thing, that when an app is up, whatever rules were there to get it up, that's what gets it up. And then going forward, every time you push out a new update to your app, you have to abide by the current rules. It's a bit like housing codes. You build a new house, you have to abide by the newest codes; you have a house from the 70s, you wouldn't pass today's codes.
But they're not going to rip your house down.
Right, right. So what are the new rules?
Well, before I tell you what they are, I'm going to tell you the problem to be solved, because this is the NosillaCast.
So Apple have spent a lot of effort for a very long time trying to protect users from cross app tracking.
So this is where a third party can know that you are both a user of app A and a user of app B, because somehow they can connect the two "you"s together.

[39:46] And this is kind of a story over time. So in the very early versions of iOS, this was very easy, because Apple were naive, as was everyone.
This was the early days of these things. We didn't know better.
And there were APIs on the iPhone for all sorts of useful things, like say the serial number of the CPU in the iPhone.
Well, there's your unchanging identifier. Ta-da! Tracking people, easy.
We all said the IMEI was a big thing too, right?

[40:12] I don't remember if the IMEI was exposed by official APIs, but there were certainly ways to get it, which were then later locked down.
I'm not sure that was ever official, but it was certainly possible.
Apple's first attempt at locking it down was to create a randomly generated identifier on the device, which they called the ID for advertising, the IDFA, and they provided some UI for the owner of the iPhone that they could, at any point when they felt that they were uncomfortable, reset that ID.
And because it was a generated ID instead of a piece of hardware on the phone, you actually could change it.
But it was still pretty sticky, which meant it was still pretty good for tracking people, and that was sort of seen as a reasonable balance.
Well, you can change it if you want to, but we now have a mechanism that isn't indelible and that isn't as icky as your serial number.
So on the whole, the IDFA was a step forward, But it didn't really solve the problem very well, so the next major step forward was app tracking transparency, which we've definitely talked about a lot.
And all app tracking transparency did was that when the app makes a call to the operating system saying, hi, please give me the IDFA,
the operating system now puts up a pop-up to the user and says, this app would like to track you across applications. Do you approve or not?
And basically, you have to explicitly opt in.
Otherwise, the answer returned to the app by the API is zero.

[41:38] So unless the user opts in to sharing, to cross-app tracking, IDFA is zero.
So that's all. Technologically, that's what app tracking transparency did.
Now, I think you can set it to automatically do that without asking you, but I make it ask me just because I like to know who the dirtbags are that are asking me.
I agree completely. And yeah, so the point being, without explicit consent, the operating system won't hand over the IDFA. It will just hand back zero.
So that's really what's changed.
But the desire to track has not changed, right? There are incentives and companies to do so.
Now, it has always been against Apple's rules, but having something in your rules means that you can retroactively kick apps out if they're caught. But you kind of want a technical control wherever possible, especially when you're dealing with the volume of the App Store.
Millions of apps.

So after app tracking and transparency came in, a new trend emerged where developers of shady apps that wanted to track started to use a new technique called fingerprinting.
And this is something that they borrowed from browsers. So the web is another place people like tracking and fingerprinting emerged on the web in response to cookie blocking.
So the idea is instead of having one identifier that clearly identifies you, try to find as many innocent-looking things that are not unique to everyone, but do change from computer to computer.
And if you put enough of them together, you will get a unique fingerprint.
So, it doesn't tell me a lot that you're using a Mac, but it tells me more that you're using a Mac with a 2018 screen.
It tells me more that you're using a Mac with a 2018 screen and you have this font installed and not that font installed.
And you very slowly build up small pieces of arguably irrelevant information.
But when you have enough pieces, the sum total is unique.

[43:44] So two things on that. One, didn't Apple stop the ability to track that through your web browser?
They stopped it reporting anything but, you know, you're on a Mac.
Apple takes steps to make it as difficult as possible. And every time they find a way of leaking information, they'd use something to stop it, but there's no guarantee that they haven't found something like a timing delay on a particular JavaScript function.
It is a cat and mouse game and Apple are playing it quite well.
This is also relevant in the security of information, in government security, when I was working in that field where I would need to get a piece of information from a classified program about how many people are using X software, and they wouldn't tell me.
And I was like, well, how could that possibly be classified?
And they said, well, it's not. But if I tell you the answer to that, then you know how many people are doing this kind of work.
And then you find out about this piece of software and how many people are doing that kind of work now, you put those two things together, pretty soon you can figure out what we're doing inside here.

[44:49] And even though I was actually cleared to go in and find out, it didn't matter, they weren't going to report that to the outside.
I really think it was a dodge because I was trying to get to, I was trying to stop paying for as much software, and if they weren't using it, I wanted to stop paying the maintenance agreements.
And so I think they were just being squirrely. But it was, it was interesting, it's this exact same thing.
Little pieces of what appear to be innocuous information, if all strung together, you can start to figure out who someone is in this case.
Exactly. And so a trend has emerged where shady developers were starting to find different APIs in iOS and macOS that gave enough information that if you string enough of it together, you can fingerprint the device and get cross-app tracking.
And anyone Apple caught doing this, they kicked out of the store.
But again, that's not a technological fix. That is an apply-your-policy fix, which is leaky at best.
So they have decided to try to make a more robust fix, which is where the new policy comes in. So they obviously know which API calls have already been abused, right? The people they caught being naughty, they know what they were doing. So they already had a short list of APIs that leak some information. And then they did a review of the rest of their APIs to see, well, if I were a malicious person, what other APIs might I switch to if we were to do something to block these ones they're already using? And so that superset, they have now officially in the documentation, they have attached a label to those APIs that says that they require justification.

[46:16] So any developer using... Oh, every one of them? Every one of them.
And so the other thing Apple have added recently to the App Store is something called a privacy manifest, which is a metadata file.
It's a plist file, if you really care, which is used to build up those privacy nutrition labels.
So what data are we tracking and stuff?
So there's new fields, which I presume this is why it's happening in the fall, which I presume is when we get new OSes.
There's new fields being added to that file where you have to give a justification for every API you use that's on the restricted list.
So basically it's an array being added to the plist, and you must name the API and give your justification.
And so when you submit an app from this fall, it's very easy to see what APIs an app uses.
So Apple will scan the app to see all of its APIs, it will then scan the manifest, and if the two don't line up, it will give a warning to the developer, saying, warning, from next spring, this app will begin to be rejected because you used this API without justification.
You used this API without justification.
And you basically hand the developer on a platter, here's the things you're doing, these empty boxes, fill them in.
Put them in your privacy manifest.

[47:31] Okay. And so when the app comes up for review, then, if they have all the justifications, they will pass automated review.
And they then end up with a human. And then the human reviewer simply has to go, this is a fleshed-out app, it is making use of these APIs, and the justification is whatever, right?
And they're going to go, that's ridiculous. Reject.
So the result is going to be that very few apps are going to have a justification for zero APIs.
But every app is only going to get the APIs they need, and no more.
So the chances of any app legitimately having enough for a fingerprint fall off a cliff.
It seems that this will probably slow down app review, because, I look, people will.

[48:23] Yeah, every time you have to inject a human, it becomes, and we've seen that the review sometimes is a little less than logical.
Apple have been working hard to automate as much as possible the information gathering so that when it gets to the human, the human is not presented with an app and some rules.
The human is presented with an app and a technical report that says, this app has the following nutrition label, this app has the following descriptions and stuff.
So what the reviewer gets is now quite a rich piece of information.
And this automated scanning of the APIs and the justifications means that it won't get to a reviewer until the ducks are in a row.

[49:07] So you're making the assumption that the non-human part is unaffected speed-wise, and I would challenge that.
I was just listening to Casey Liss on the Accidental Tech Podcast.
He's got an app that is affectionately referred to as like IMDb, but not crappy, not all full of ads and everything. That sounds really interesting. Oh, it's fantastic.
It's called Callsheet.
It's not out yet. He has gotten approval finally to get it out.
But the first rejection he got said, well, the first rejection was logical.
It was something he hadn't done. And it was like, okay, I didn't know I had to do that.
Great, it was some thing he had to type up. But the second one was, you can't have a video player in this app because you didn't ask for it.
He didn't have a video player in his app.

[49:53] Okay, so he wrote back and went, but I don't have one. And it said, oh, okay, well, you can't use copyrighted material from Disney or Pixar.
Well, what he had was movie art, and every app like this has the movie art, right?
IMDb has the movie art.
And he ended up having to get a human on the phone who then went, oh yeah, you're fine.
But it took two rejection cycles through absurd answers from the automated service, and then what he's assuming is automated because a human would look at it and go, oh, those are just movie posters.
I wonder how automated they are. Yeah, I don't know. Either way, it was a slowdown that was ridiculous. I mean, it had no logic whatsoever. So, automated or not.
Right, but in this case the automation is a simple binary of here are the fields you're missing.
No, no, it's whether or not it's justified based on your justification.
No, no, that's where the human comes in.
Right, the automated bit is going to just be to tell you that you're missing fields, and then the human review will have your justifications ready.
So you're right, there is a little more work for the human, but the automated bit shouldn't...
It's not difficult to ask for automation.

[51:11] It isn't, whether they'll be good at implementing it. I mean, having something that says you have a video player when you don't have a video player, that should be pretty easy to check too.
Yeah, probably isn't because there's probably bad guys using all sorts of obfuscation to sneak video players in. Maybe, maybe.
Anyway, I wouldn't put it past them to slow it way down based on what I've learned.
I don't think it's all in our benefit. It absolutely is all in our benefit, yes.
So basically the end result is that you shouldn't lose any functionality because if you have a legitimate reason to use, these APIs aren't being shut down, these APIs aren't being turned off, there's no functionality being reduced.
It's just some extra safeguards to make sure that an app that needs your camera can...
Well, camera's already well covered, but the APIs are sensible.
It's just a sensible balance between human... Well, like, knowing you're on a 5S that doesn't have this graphics coprocessor that you need in order to play this game.
That would, you know, something like that could be in those detailed ones.
That's not for fingerprinting.
It's, I need to know whether they have this graphics card. But a human would have to review all of those.
It is fingerprintable, but it's a good reason to have it.
Yes, exactly. But a human will have to, if those are open text fields?
No, they're not. Dropdowns? They're dropdowns?
They're dropdowns. Okay.

[52:29] And there's a process for requesting an exception. So there's a form for saying- And you could still lie.
Right, it still has to pass most of it with a human, but they are working to make the report that gets the human as easy to vet as possible. Obviously, the reason Apple have humans in the process is because humans add value.
But there aren't enough humans. Well, they are. Look, they are staffing up and then at the same time there's more apps being submitted. They are adding automation at the same time. There's more to be checked for because the naughty people are discovering new ways to be naughty. I don't know if you ever win. But anyway.
But there also aren't enough humans to hire. So staffing up is virtually impossible right now. True, that is true. We are in an employee's world, not an employer's world at the moment.
Right, right. This is very interesting. I appreciate the explanation.
Excellent. Well, that then brings us on to action alerts. Our two big hitters here: Apple have patched everything, and Microsoft have patched everything.
In the Apple case, it is worth drawing attention to the fact that these are not rapid security responses.
Apple followed up a week or so after the two rapid security responses.

[53:44] With full OS updates, which include those fixes, because that's always the way with the rapid security response. They will be subsumed into the next real update.
They also contain more than the rapid security responses. The updates fix three zero days.
The rapid response fixes two zero days. So there's an extra bonus fixed zero day.
And obviously, the rapid response is only in the very latest operating systems, because it's a brand new feature. These updates are for all the supported operating systems.
So back as far as Big Sur, I see in the list there.
Yeah, Big Sur, did we know that was still being supported? That's way back, isn't it?
Well, all I can tell you is that it's... No, no, that's still just two.
Yeah, it's gone to 11.7.9. So there you go. And yeah, they do pack serious...
I'm a little worried about fatigue on these updates, you know, people are getting, this is how many this month?

[54:41] Well, it's the one real one this month, I guess you could argue.
But the rapid updates, if they get better at these rapid updates and they genuinely become low friction, then actually the fatigue issue should be remediated, not made worse.
But now with these teething problems, yeah, you're right, it doesn't, it didn't feel good this month.
And it did require a full reboot, which I thought the rapid security responses weren't going to.
Right, but not a reboot like with an operating system update, right? When you do a reboot to install an OS update, it's not just, and we're back in 30 seconds, right? It goes into that...
Oh, I wasn't back in 30 seconds. I was definitely not back in 30 seconds. It was significant.
It was more like a real one.

[55:21] That, for other people's experience, was very different. I can't answer why. I'm just saying.
So I heard quite a few people talk about it and they all said that they were amazed at how quick it was.
They turned their back and their machine was, you know, they went to grab a cup of tea and it was done before they were back.
And oh, well, it was 20 seconds.
But there were people who said it was 20 seconds. And look, I'm only saying, OK, I didn't get to it before they pulled it.
And then I did it last thing as I left the office.
I think I don't know how long this will take. Hit the button, walk, walk away.
OK, I guess I should I guess I should time them for so I can have these conversations.
Anyway, there was also Microsoft updates, 130 bugs squished, five actively exploited.
So patchy, patchy, patch, patch in Windows land.

[56:17] Notable news then, it caught my eye that there were two new initiatives on AI safety.
So the first one to break, and I should say to listeners, it's been three weeks since we had a security bit, so we have a bit of news to catch up on. So I think this happened two weeks ago, but the White House released a giant big statement, I believe in the Rose Garden to say that, they had reached an agreement with seven major companies to get their cooperation on AI safety.
So they all basically agreed to work together to make AI safer. And those seven companies are Amazon, Anthropic, Alphabet, Inflection, Meta, Microsoft and OpenAI.

[56:58] Okay. The next week, we had a different announcement from just four companies, Google, Microsoft, sorry, I should rename that to Alphabet, Microsoft, OpenAI, and Anthropic.
And they have created something, sort of an industry body that they're hoping will develop its own steering board and all, you know, a full infrastructure like the W3C looks after standards for web browsers. The idea would be that this would be a sort of a full industry body that will grow over time. They're calling it the Frontier Model Forum, since AI is all about models. And so a frontier model is a model doing something new. So the frontier models currently are these generative AIs. So the transformers, they're currently frontier, because that's at the edge of our knowledge. But the idea of calling it frontier model is that whatever is the next thing, that will be covered too. So whatever AI is doing that's new.
The one that's on the frontier.
Yeah, whatever's on the frontier. And so they're going to create bodies to create, the idea is that they're gonna produce certification, testing, best practices, all those really boring industry things.
But if they all agree together, then it's not a competitive disadvantage to do things right.

[58:19] What is safety in this context? The AI should not violate people's privacy, the AI, basically anything you're afraid of the AI doing, it's very broadly defined so that they're not constrained, but if you've seen it on Black Mirror... I'm afraid of it taking my job.
No, it's not safety. No, that's not safety. It's probably not that.
What about I'm afraid of it taking my intellectual content, you know, my intellectual property?
That might be... It's not safety. That is a different issue.
That's one for the courts.
Right. So that's why I'm asking, what's safety? So safety is more about, we have fears that these AIs will end up having discriminatory effects where you could end up with systematic racism.
Racism, okay.
I mean, we have a long history of AIs doing... Will they follow the three laws?

[59:10] I mean, that's an important one. Yeah, I mean, look, I don't know all the details yet, right?
What we have is a press release saying we are going to set up a body.
Our first step will be to elect a governing council. Their first step will be to define the procedures.
It's very bureaucratic, but it is a full on industry body. So, you know, it's forward looking.
And the idea is that they will invite others, but these four companies are doing the setup.
They're getting it all ready.
And then the idea is that over time, others can join this forum and that will become a full industry body.
There has been a lot of digital ink spent pointing out that neither of these two initiatives involve Apple. Which apparently is some sort of thing that is worthy of clicking on. Or it has the word Apple in the headline and is clickbait. I just don't understand why people think Apple should be on these lists. What generative AI that is in any way risky have Apple put out into the world without appropriate safeguards?
None. Whatsoever.

[1:00:18] So the iOS 17 has type-ahead stuff, but that's about it, right?
Yeah, which is extremely conservative. That's a large language model.
Right, it's an LLM, but it's not.
Maybe it's a mini-language model, though. It's a full large language model, but being applied in a very mini capacity.
But it's also on-device, so it's probably not very large. No, no, that's not how large language models work.
So the idea is you spend six or eight months generating a matrix of numbers, and then you put that matrix of numbers onto the end device.
So you use half of the world's computing power to compute this matrix, and then that matrix is actually the model.
And so you've heard Apple talk about their Bionic chip?

Yeah. That chip just receives the answer to a whole bunch of computing power, and it stores that model in hardware, and then you shove data in one side, and then the numbers make that data get transformed one way and information pops out the other side.
And that's all a large language model is.
So they're quick to apply the work of figuring out those numbers.
That's the hard part. OK, OK. I learned another thing today.
AI is fun. Yeah. So basically, Apple's use of these technologies is very conservative.
So they are very risk averse. They're not doing something like Google, for example, putting Bard out completely half-baked and in their press demo having it lie.
It's just like a lie about some astronomical fact that was trivial to check.
All right. Apple aren't doing any of that stuff. So I don't see any particular need.
Apple are not a glaring omission. Like, you know, Burger King are not here either. So.

[1:02:04] You know, I've been worried about that. Yeah. I'm still surprised at how often wrong these are.
Maybe I'm just lucky, but just about everything I ask it, I get a wrong answer.
Everybody's out there going, this is the greatest thing since sliced bread, but there's another one called Phind, P-H-I-N-D.
It's an open source AI that does programming stuff, and I asked it to write a shell script that did blah, blah, blah, and it was something super simple, like list what's in my current directory.
And it didn't run, it didn't work because it forgot to put quotes around something.
And it was like, I barely know what I'm doing, working my way around a shell script after Programming By Stealth.
And I looked at it and I went, well, that's not gonna work. And I was right.
And it was just like, it was such a simple question. I always get wrong answers, like every time.
I don't know why people expect anything better. Because all a large language model does is it learns the patterns of language and reproduces them. It is a fantastic machine for repeating the mistakes of others.

Exactly. It's almost as though it's designed in it. I was listening on Daily Tech News Show, they were talking about that it looks like the models have run out of open source data to be taught on.
And so now they're learning on themselves. It's not clear what's going on. People are less happy with the results.
That is a measurable thing. People's feeling that the AIs are answering them well is declining.
That's measurable. Right. There are two hypotheses that are on the go, and the data fits both.
And the answer is probably yes and.
But the two hypotheses are that while they were training the AIs, they were used internally in tech companies with smart people.
Now they are in the world with idiots. The other thing is that initially.

On the surface, they're very clever, these large language models. At first blush, they do amazing things.
But the more you try to use them for real, the more you realize that their answers have always been terrible.
So they make a great demo, but they've actually never been very good.
And so the other thing that's going on is that people are starting to genuinely use them and realizing that they were never as good as they thought.
So it's probably both of those things that our initial honeymoon period is over and they're probably getting dumber as well.
It's probably both.

[1:04:38] And it does matter the context of this Whisper AI that's in, what is it called?
Shoot, I always forget the name of it because when you download it, it's a different name.
But Jill McKinley's got a review coming out in a couple of weeks.
It's a transcription service.
And it's incredibly good. I mean, phenomenally good.
Now that's taking text or taking audio and translating it into text.
And being able to summarize text, you give it. It's good at that.
You know, there's a lot of things that it's good at.
It's making, when you tell it to make up the answer out of whole cloth, it says, well, my whole cloth just happens to have a bunch of holes in it.
Right. And that is, again, the thing where you can take the same technology and apply it in different ways and get very different outputs.
So the translation stuff, you know, taking sound and turning it into words or taking and the AI is getting quite good at, but they're a very different problem to, here is a blank page, fill it with something that does this.
Which is a way more difficult question. And the big issue at the moment is that we don't have... our AI models are about analysing language.
They only understand that these words like to come after these

[1:05:56] words, and these words really hate coming before these words. They don't understand, they have no model of truth. They don't have any model of knowledge.
They literally don't understand. Now, there are ways of representing knowledge.
And so the next obvious step is that you take AIs designed to understand knowledge, and you use those to work out an answer, and they exist for mathematical equations and stuff.
And then you use as the communication layer, the large language model.
So its job becomes communicate to this thing we know to be true to the humans, using their language, which you have learned.
And that's where I see the power coming in. But until there is a back end that understands the relationship of facts, it understands that there are facts, what those facts are, and how fact one is related to fact two.
Like, all animals have four legs, my cat has four legs, therefore my cat is a dog.
Wait, no, that's wrong, right? My cat is an animal.
Exactly. So that kind of epistemology, that has to be modeled.

[1:07:01] One of the ones I'm really excited about, I posted this in our Slack, at podfeet.com slash Slack, in the Programming by Stealth channel.
Programmers use a tool, a web service called Stack Overflow.
Okay, people post questions and people post answers, then they upvote the right answers, and so the good answers all float to the top.
So it's a fantastic resource to post questions, but just to look at that, any question I have, probably somebody's already asked.
They are writing their own AI, which will go through all of the data they have in Stack Overflow and give you the answer to the question you ask the Stack Overflow AI.
It'll go through all of the answers, but it'll show you where the link to the answer is so that you can get the context for the answer.
So you're gonna get, this is not released to the idiots. It's exactly the opposite.
It's released to the smart people. So I think that's gonna be a really exciting one.
And that's also exciting for another reason, is in order for AI to get better, it needs to have a good quality signal.
And one of the best things about Stack Overflow is their voting model has resulted in them having a database of very good data on this is a good answer, this is horse poop.
And so because they have good data, their AI has a very good set to learn from.
So that's very exciting.
And that thing about showing your work, that's the reason that...
That is the big differentiator for me between what Microsoft are doing in Bing.

[1:08:27] And what others are doing with just a plain, here is the answer and you have no idea why.
So when you search using the... It's OpenAI's large language model under the hood.
So it's GPT-4 under the hood.
But it doesn't just show you the search results, or it doesn't just show you the summary of whatever you asked it for.
It gives you the links to say, here's where I pulled my information from.
And that makes it a lot better at telling you how much faith you should put in the paragraph.
So you've asked it to, you know, summarise the controversy around Section 230. Or vi versus...
vi versus...
Emacs. Oh my god. Emacs.

[1:09:11] Right. And it would then give you the link. It would be a good one to test it on, exactly.
So I much prefer this idea where we're...
The other very interesting thing we're doing is, rather than making the AI go straight to the answer, another approach is to make the AI make very small steps and tell you each step.
And so the output will then show you not just an answer, but a sequence of logic.
And you can at any point in time say, whoa, whoa, whoa, back up to step two there, that was wrong, now recalculate.
And so because it means it's not a black box, it's many, many smaller black boxes, that's easier to tell what it's, you know, that's easier for you as a human to deal with. So there's lots of cool stuff going on to try and make these AIs not quite so...
Actually, there's a great word I heard an engineer use. He said, don't call them hallucinations.
Call them confabulations.
It is constructing facts that don't exist.
It's confabulating.

[1:10:05] I like that. I like that. It's a great word, too. Yeah, yeah, that's much better.
I've never liked the hallucinations because it's not making something up.
It's just wrong. It's building it. Yeah, it's building it out of pieces that it doesn't know shouldn't go together.
It's confabulating.
The name of the application I was trying to remember is Whisper Transcription for the Mac. It used to be called Mac Whisper, and they changed the name, and that's why I couldn't remember the one that Jill's going to be reviewing. And you'll hear about it then.
I have a feeling that same engine is used in a lot of places.
Oh, it is. It's Whisper.
Yeah. Yeah, that's what I said. It's Whisper AI. Yeah. Yeah.
Which is open source. It's the same one that's used. Oh, I didn't know that.
Auphonic. So that's where my transcriptions come from on the web.
Somewhere in the back of my head, Microsoft Teams may be using it too, but I could be wrong about that. Yeah, a lot. I think a lot. I know it's popular. Yeah.
Yeah. Okay. That was a fun diversion. That ended up being our deepest deep dive and it wasn't even in the show notes. Where was I in my show notes though?
By the way, I did ask Bing about Emacs versus vi, and it did come up with that the rivalry between users of the Emacs and vi, now usually Vim, or more recently Neovim, text editors is a kind of enduring part of hacker culture in the free software community.
It goes on. That's not bad.
No, no, it is good.

[1:11:28] The Holy Wars conducted on Usenet groups, the Flame Wars. It's great.
With citations, like you said.

[1:11:36] Yeah, to me, that's a big differentiator. If I'm going to use AI, I want it to show me its homework.
Show me your work.
Okay, the next one, so that was AI safety initiatives. Another interesting initiative from the White House, they have released a voluntary, so it's an opt-in, but it's a certification process for smart home devices.
And if they pass, they get to put a little badge on the box that says these devices pass a minimum standard.
So that will make it a lot easier to find out which stuff isn't likely to be all broken.
So it's a bit like electronics in Europe. We look for the kite mark.
That means it won't electrocute you because it's passed EU inspection.
This will be a similar thing for it has a baseline of security for smart home devices.
When I heard about this one, I just picture you doing a little happy dance in your house, because this is what you were looking for. This is great. Yeah, I don't know how soon people are going to be doing it, but it seems like it'd be a differentiator on the box, and that's what gets people to do something is commerce.
And even if other people don't, I get to. That works for me.
The next one is a slight personal one here. There is a very interesting development in in the world of web browsers.
There's a browser called Arc that has basically taken the rulebook, thrown it away, and reinvented web browsing as if it was being invented from scratch today.

[1:13:02] Which means no technical debt.
So it's kind of the inverse of our user-agent string, which is full of technical debt.
And it looks interesting. Tom from Ontario did a review of it back in March on the NosillaCast.

[1:13:15] Yes, I remember listening to that review of being intrigued.
Yeah, I also remember listening to that review and asking myself the question, and how is this supposed to make money?
And unfortunately, that's what I ended up digging into. I spent half an hour on my walk yesterday trying to figure out how, actually no, it was Friday, it might have been Friday.
Anyway, I spent some time trying to figure out how this company is making money.
So this new browser is a very polished product. They've just gone 1.0.
So it's no longer in beta. You no longer need an invite, it is now out there.
You can just get the product now. And it's really polished.
It has taken a significant team of human beings a significant amount of time, and they are planning on rolling it out to Windows.
But they're doing something else for free for the community as they go.
They are writing a Windows compiler for Swift so they don't have to rewrite the app.

[1:14:09] So they're basically taking Swift code that works on the Mac and making it compile to Windows.
They're just building the toolchain for that just as an open source project as they go.
Because, hey, if we want to port our app, why wouldn't other people want to port their app? This is not cheap.
This is not something that's being done on a shoestring.
This is a for-profit company, and I was technically unable to find a business model.
No one I was able to find has been able to find the business model. And their website does not, in any way, shape or form, give even a hint of a business model.
So it's a for-profit company with no road to profit.

[1:14:49] That sets off all of my alarm bells. They need to make money. How?
Because they're in a privileged position.
What incentives is their business model going to set up? So until I understand how, I am steering clear, and I would recommend people think twice before jumping in, because we don't understand how this thing is supposed to make money.
So we don't know that it's bad, but we don't know what it is, and so why are they not telling us?
Yeah, and well, the biggest thing is incentives drive behavior, right?
Facebook invade your privacy exactly as much as they can get away with without driving you away.
Because if they invade it too much, people run away, therefore they lose money.
And if they don't invade it enough, they can't sell as much data, so they lose money.
So the incentive means that they balance how icky it is versus how much they can get.
And so there are incentives for this company, and I don't know what they are. So I don't know what way their decisions are being driven, what it is they're being incentivized to do. I don't know.

[1:16:02] I just, I can't make a decision on things unless I know where the money's going.
You know, why am I happy to use a free website like Wikipedia? Well, because it's a charitable foundation, I can follow it. Why am I happy to use Firefox? Because it's a foundation, I understand the model, you interviewed their CEO. So yeah, I'm just very worried.
We do know where they have gotten their current funding. That's from investors.
Yeah, but investors won't pay back. It's how they're going to make money going forward.
Well, how do you pay the investors? The investors bought a stake in a company on the expectation of getting their money back, that's what it means to invest. How?

[1:16:41] So, yeah, that worries me, that deeply worries me. So I figured that was a good opportunity to repeat my little follow the money story.
And in a similar vein, there was a lot of headlines about the realest Mac malware targeting macOS Sonoma.
Which is a thing. And my initial reaction was, I'm not going to put this in the show notes because Allison doesn't want me flooding people with same old, same old that happens all the time.
And on the one hand, this is a very boring story.
There is some Trojan software out there tricking people into installing it, and when they install it, it does naughty things.
That is like.
But I thought it was worth putting the show notes for two reasons.
So the first thing is to remind people that even today, with all of the attention the Mac has gotten from the bad guys, the most common way that icky software gets on your Mac is by tricking you into installing it yourself.
Most Mac malware was installed by the user themselves, who were told that it was going to give them some free Bitcoin, or that it was something that they wanted it was going to do.
A naked picture of a tennis player.

[1:17:47] Oh, yes, precisely. All of these things. That poster sold a lot of malware or distributed a lot of malware.
And the other thing I think that we haven't said explicitly, and this is a really good excuse too.
So malicious software is software.
It can do anything other software can do. It's built in the same ways other software is built.
It's built by programmers who do all the same things other programmers do.
There's no real difference in malicious software other than the intent.
It's not technologically different. It's being written with an evil.
It's like a hammer or a hammer.
Build a house, murder someone. Same hammer, right?
Software, malicious software, it's, you know, compilers, code, it's all the same stuff.
You're using the same APIs. Is it using those APIs because it's writing your Word document safely to your hard disk?
Or is it using those APIs to read all the files in your home directory, find credit card numbers, and send them off to someone else?
The pieces are the same. So it shouldn't come as a surprise to us that anything a normal app can do, malware can do. So Apple have released new betas.
The vast majority of apps work on those betas. You just take your favorite app and run it on Sonoma, and there's a really good chance it either works fully or mostly.

[1:19:04] Which means that most malware works fully or mostly on macOS Sonoma.
Apple have released all of the developer tools to allow you to make your app fully Sonoma compatible? Well, the malware developers have all the same tools so they can make their malware fully Sonoma compatible.
That's good. Yeah. So basically the big headline that was catching people's eye was, oh my God, malware that works on macOS Sonoma, to which the security community's answer was, well, of course it does because software works on Sonoma. So that's the reminder that if you can use your normal apps, the bad guys can make their bad stuff work, too.
So basically, if our friends like that wonderful chap whose name is Steve, who does Reinvented Software, if he can make his app go, if Steve Harris can make his app go, an evil, naughty person can make their app go too.

[1:19:59] Which is sad, but true. So anyway, I figured that was worth reminding people.
And because it's been three weeks, I've ended up with three palate cleansers and I could have had five, but I decided I would give you quality over quantity. So the first thing I have is a video that absolutely fascinated me. So Bell Labs, kind of important, and they had a massive big supercomputing center at the time.
Not very super now. It's hilarious now. The Holmdel Computing Center.

[1:20:32] And they had a training video for their new programmers teaching them how to basically first off say all the fancy things we have, like, you know, we have one megabyte hard drives and these ridiculous things, right?
These giant big room sized computers and how you submit your program in your, you have to put it on these punch cards and you hand it to this lady and she'll run it through the computer and it'll be in your inbox four hours later.
The output from your program. And we have these line printers that can print 100 lines a minute.
Now, these kind of things. It's amazing to see what has happened to computing infrastructure since the 1970s.
I can tell this is a good video based on the number of people that sent it to me.
Ah, that is a good, it is a good metric.
What slightly got me a little bit worried is for a long time, one of the things that made me cranky in work was that my official job title before it became Cyber Security Specialist was Systems Programmer. That is a title that dates back to the mainframes in that video.
Oh, that's so funny. I love it.

[1:21:37] I never worked on any of those mainframes, but my job title until last year was Systems Programmer.
I'm pretty sure at one point the video mentions, and you can hand your stuff to a systems programmer.
Yeah, and I wouldn't know what to do with it.
But anyway, I thought it was fun. The other thing then is one I've had in my inbox for a while and I've been saying I must get around to reading this. I'm sure it's a great article. Long story short, it's a great article.
It's from the Verge, Designing for Color Blindness.

[1:22:05] It's the first article that explains in a way that's completely unconfrontational and, without being patronizing, just goes back to zero and says, look, I think most people think that colorblindness is a binary thing.
Colorblind people don't see color. That's not how it works at all.
And it has a lot of pictures with sliders to show you this is what you see, slide the slider and this is what someone with my type of colorblindness sees.
Now, for me, some of those sliders did nothing, which was, well, it was expected because I am one of the 8% of men who have reduced color sensitivity.
So, yeah, I can see colors, just not as many of them as other people can.
Or not as saturated. And some of them blend together. Right.
No, it's not about saturation.
It's about a failure to differentiate between certain parts of the spectrum.

[1:22:55] And it's really confined. So in my case, it's certain reds and greens blur together.
Yeah, red and green is the most common, that is the most common. My friend Bill, his dog used to, actually it was his brother, they had a red dog who would hide in the grass right in front of him and he couldn't see it.
So mine isn't to that extent, but you know those blot tests? I fail an awful lot of those blot tests, which are basically colors that are similar but not the same, so other people see the pattern in the blobs and I just see blobs.
And I got very excited when doing the test. I was like, I recognise what it is, it's the number 52.
And then I read the caption, only colour blind people can see this.
Oh, because in reality, this number is made up of a pattern where it's actually lots of different shades inside the number.
So if your eye can detect the different shades, the number is lost in the noise.
But for those of us who can't detect the shades, the number jumps out. Oh, that's cool.

[1:23:57] Yeah, it was cool until I was cranky. But to be honest, it was a science teacher who made me take the test because she had a suspicion that I couldn't tell the difference between two different labels and there were old labels in an old lab.
So they weren't yet properly accessible. And there were basically two chemicals that I should have known were different and I couldn't tell the difference.
Nowadays, all these things are properly regulated. Right. Which is good.
And she sort of went, I think you should look at these tests.
And I was like, oh, yeah, I can tell that one.
And she was like, oh, dear, that's not the winning you think it is.
This is interesting in the context of I was showing off to Bart a diagram I did recently that I'll be talking about later.

[1:24:43] The layout of all the different tools that I use to create the live show.
And it's I've got a diagram because I love making diagrams.
And I wanted to have the audio and video lines be differentiated.
So I made them different colors and the instant I did it, I said, okay, colorblind people can't tell the difference, so don't ever just use color to differentiate something.
So I made one of the lines dotted and one of them solid.
And so if you just always keep that in your head is never differentiate things only by color.
Just don't do that, then you're fine. I mean, you can use color to entertain those who aren't colorblind, but don't make that be the difference between, you know, delete all my files and keep all my files.
Precisely, exactly.
Yeah, so a classic example is different textures, as well as different colors or different pattern, different background patterns, as well as different colors or different line shapes or different line thicknesses.
Just color and.
Yes, and because some people find color really effective, like it really helps them see things.
So you definitely don't want to avoid colour.
You just want to do it in an accessible way. So, yeah, I thought it was a really good article.
And the reason the article finally got read is because you shared that diagram.

[1:25:53] And then I was like, I've had an article in my inbox for ages that I think is worth reading and that I think might be worth a palate cleanser.
And then I saw your diagram and you mentioned explicitly the colourblind thing.
And I was like, OK, fine, I'm going to read that article.
And also this gives me an opportunity to tell you in public what I said to you in private.
I take great pride in my diagramming skills.
Your diagrams are better than mine. Your diagrams are a lot better than mine.
They rock. They're amazing.
I sure appreciate that, because it takes a long time. Like, I just put one in my article about my CalDigit dock, and the first thing I did was I drew a little rounded rectangle and I wrote CalDigit hub, actually hub, not dock, CalDigit hub, and then I drew lines coming out of it saying, this one's going to my computer, this one's going to my light, this one's going to my display, that kind of thing.
And I looked at it and I went, boy, is that boring?
So instead I spent two days pulling all of the images in of those things, making sure that they had transparent backgrounds so that the arrows could attach directly to the object instead of going to like some white space around it and making sure the arrows were going the right direction, making sure all the data flow arrows are correct, hopefully, and it takes a lot of time to make them look good, but it also makes me understand how they work, that I really understand what I'm trying to teach.

[1:27:09] It's a fantastic communication tool, but it is a lot of work.
I think people think that it's easier to write an essay than to do a diagram.
It is absolutely not. They are both difficult.
Back on the accessibility thing, if you do run your own website, I've had articles about this before, but there's a service called webaim.org, and they have a web accessibility evaluation.
WCAG is the group that manages the W3C standards for color and for accessibility in general, I should say.
But they have a—if you put your own website in there, there will be a rating for how you did on color contrast.
So and it'll highlight the pieces of your website that, you know, you got to increase the contrast in that for people to be able to tell the difference.
It's one of the hardest things to meet.
It's real easy to go, oh, you forgot your alt tags.
Oh, okay, let me put the alt tag back in. But the ones for contrast, because they don't tell you the answer, they go, nope, guess again.
Nope, guess again. Right, and is there such thing as a right answer?
Arguably not. There are a lot of colors with the appropriate level of contrast. There are levels.
There's double A, triple A, you know, ratings, but you don't want a D.
So you can keep changing it until you get it maybe. I think I shot for double A on mine.
Oh.
I prefer triple A. I didn't say I completely succeeded. There's some stuff built into my theme I can't change. So that's it.

[1:28:31] OK, and then the last one I have is just a nice little article from Cult of Mac.
Hidden Mac keyboard shortcuts you don't know.
Leaving aside the snarky wrong headline, because I knew 80 percent of them.
It's a really nicely curated list that's organized into like themes.
And I'm a keyboard nutter. So, yes, I do use almost all of these already.
But I learn new things I didn't know before. And I am sure that everyone will learn something different to what I learned.
But I think there's very few Mac users who won't learn something from this nice little curation by Cult of Mac. I liked your Mastodon toot, though, where you said, sorry, Cult of Mac, your clickbait title isn't true in this case, but I did learn a few things.
Yeah, I figured be snarky, put a smiley on the end and then you get much more pick up.
And strangely enough, that toot got retooted more than anything else I tooted all week.
Yeah, I think that's fun. Okay, well, that's all I got. Given that I thought there was no content, it was quite a show. An hour and 11 minutes. Wow. Okay.
Well, I don't think you get to say, you can say, do as I say, not as I do in this one.
Yeah, I think so. That's yes, yes. I will wear my dunce's cap. Do as I say, not as I do, and what do I say? Stay patched so you stay secure.

[1:29:50] Well, that was a lot of fun teasing him there at the end, but we are going to wind things up for this week. Don't forget, there is no live show next week. We will be back in two weeks, but there is no live show next week. But in the meantime, you can email me at allison at podfeet.com anytime you like. You can send in questions or suggestions or one of those reviews I've been talking about. I still need more content. You can follow me on Mastodon at podfeet at chaos.social. Remember, everything good starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show by going to podfeet.com slash Patreon, even though I didn't do an ad about it this week, or if you'd prefer a one-time donation, go over to podfeet.com slash PayPal and help pay the expenses around here. And if you want to join in the fun of the live show, do not come here next Sunday, but wait another week until, I think it's the 13th, and head on over to podfeet.com slash live on that Sunday night at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.

[1:30:55] Music.