NC_2023_08_05

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com

[0:00] Music.

[0:08] Like Apple Bias. Today is Saturday, August 5th, 2023, and this is show number 952.
What's that time of the year again where you have to pay attention to when the podcast comes out to figure out whether there's a live show that week or not? Since this is a show on Saturday, there will not be a Sunday show on August 6th. Now next week we'll be off all week playing in the mountains with Lindsay and Nolan and our two adorable grandchildren, Forbes and Sienna. But we'll be back in time for me to host the live show along with Steve on Sunday, August 13th. It's going to be pretty much pre-recorded with some help from our friends. That means it's going to be a relatively short live show, so be sure to get there early. And it also means that I get to goof around in the chat room like everybody else.

Did You Know There’s a Newsletter called the Podfeet Press?

https://www.podfeet.com/blog/2023/08/newsletter-podfeet-press/


[0:54] I don't know if you realize this, but there's actually a newsletter called the Podfeet Press.
It's very simple. It gives you all of the show notes links for each week's NosillaCast.
It comes out automatically right after I publish the show, which makes it a handy-dandy reference guide for the links to all of the blog posts.
If you subscribe, you don't have to dig through the show notes in your podcatcher of choice on a tiny little iPhone screen to find the things we've talked about on the NosillaCast.
It's super easy to sign up.
At podfeet.com, look in the upper banner on the upper right-hand side.
You'll see a link to the Podfeet Press signup.
If you follow that link, you can enter your email address and any first and last name you'd like, real or imaginary, and then choose whether you want an HTML or plain text email to be sent to your inbox every week when I publish the show.
Now, if you're on the fence about whether to sign up, on that same page, you can preview previous campaigns, and that'll let you see if it looks useful to you.
I didn't name them campaigns, by the way. That's what MailChimp, the automated service that creates these and sends them out for me, calls them.
But here's the best part. At the bottom of every email from the Podfeet Press is a red underlined link that says, unsubscribe from this list.
If you decide it's not for you, you can unsubscribe, and I promise it will actually stop the emails.
Unlike the Marriott Bonvoy email list that I've unsubscribed from, I think it's 238 times so far, and they keep spamming me, which is awesome.

[2:22] Now you might be wondering why there's no newsletter for Chit Chat Across the Pond.
Well, those podcast episodes, both Lite and Programming By Stealth, are really just one link, so it seems kind of unnecessary to send you an email that tells you an episode is up and pretty much nothing more.
If you sign up for the Podfeet Press, though, each week's NosillaCast has a link to that week's Chit Chat Across the Pond if there was one.
Give the Podfeet Press a try and see if you like it. And if you don't, that's totally cool too.

Macstock 7 — What Did I Learn?

https://www.podfeet.com/blog/2023/08/macstock-7/


[2:50] Last week, I promised to tell you a little bit about the Macstock Conference and the Midwest Mac BBQ. I promised it wouldn't be my summer vacation, but rather I'd try to give you a feel for the conference and maybe you'd consider going next year. In case you're not familiar with the conference, it's the brainchild of Mike Potter of the For Mac Eyes Only podcast. Barry Fulk is the host of the Midwest Mac BBQ, along with his lovely and welcoming wife, Bobbi Ann. The barbecue is close to Chicago proper, while Macstock is north about an hour in the little town of Woodstock, Illinois. This year was Macstock 7, but I think it's been 10 years since Macstock started. For the years before the pandemic, the conference took place at McHenry College, which is a beautiful theater that could house probably 300 people or maybe more. Macstock was never a big conference, with maybe 150 or 200 or so people attending. But what Macstock has always had is a very high percentage of the attendees being friends of the Podfeet podcast.

[3:49] This year was the first year the conference was backed with no restrictions since 2019.
As the conference date approached, it was obvious to Mike Potter that we weren't going to have the numbers back up to pre-pandemic attendance.
Rather than take a bath financially, he chose to move to a small theater called Stage Left right in the town of Woodstock, Illinois.
It's an adorable little town made famous as the site where the movie Groundhog Day was filmed with Bill Murray. The best way to describe Stage Left for the crowd we had is cozy. Mike had to cap the attendee list at 75 people because of the size of the venue, and that was kind of sad to me because there were people who wanted to come but weren't able to because it filled up too quickly. While it was really swell to be able to walk to the local Winestock to hang out after the show, I'm hopeful that we'll grow back to our previous numbers so we can be in a larger venue.

[4:39] Now that I've set the stage, let's back up to the barbecue at Barry and Bobbi Ann's house.
This barbecue is open to all and any who want to attend, even folks who couldn't make it to Macstock. It was purely a social event, and for those of us who've attended in the past, we all said it felt like coming home again, or being with family, but family you actually like.
For those who hadn't ever been there before, like Jill from the Northwoods and Penelope, who flew over from England to attend, they both said that they found a warm and welcoming community of fellow Apple nerds. Dave Hamilton and Mike Laplante even performed some live music for us. The conference itself was really good. Because of the size, it kept that tightly-knit feeling of camaraderie. Mike likes to have a theme to his conference, and this year the theme was simply Learn. I'm not going to give you the full lowdown on all of the speakers and what they talked about, but just a tidbit or two that I got from each of these speakers. My arch-nemesis, Chuck Joiner, entitled his talk, Learn and Live in the Future, or Get Stuck in the Past.
The big takeaway I got from his talk is the idea of giving yourself a learning budget.
Not just a budget for the money to learn, but for the time to learn.
I think that's brilliant, and as much as it pains me to say anything he says is brilliant.

[5:56] Probably the big surprise speaker of the show was Rachel Schmitz. Her husband is Mike Schmitz, who's pretty well known in the Apple community and a fellow ScreenCastsOnline tutor.
When Rachel got up to talk, she explained that she's actually not very technical, and that kind of set the stage for low expectations from us.
She's the homeschooling mother of five, and she talked about how we might want to think about our consumption of information through our digital devices.
She suggests that we might have information obesity.
Think about that. That's a great phrase. You probably know what that feels like when you start kind of vibrating with too much mental stimulation.
She suggested setting yourself some limits on consumption and turn to creating with your tools. She told us great stories about how her kids are doing exactly that.
For example, one of her sons is actually her audio editor for the podcast she does.
He learned how to use Ferrite on the iPad and he loves having that job to do.
She was really, really compelling. She was probably one of my favorite speakers of the week.

[6:56] Dave Ginsberg gave us an overview of cloud services and how they fit into both our business and personal lives. One of my takeaways from his presentation was that Dropbox and iCloud are tied at 300 million users, with Google Drive and OneDrive pretty far behind. That kind of surprised me.
Dave Hamilton is a big fan of network-attached storage, and he talked about how to supercharge your network with these tools. I took some notes on how to better use Synology Drive to access data on my Synology rather than always using the web interface, and I made a note to add another drive as a hot spare. I actually hadn't thought to do that.
You may remember the fabulous Kirschen Seah, who used to contribute a lot to the show.
She walked us through shortcuts on iOS, not just teaching us how to make them, but she started with the foundations of why to use them and how to use them, and then worked our way up into actually creating some shortcuts.

[7:48] Wally Czerwinski took the stage next with the Macstock Film Fest Day 1, where he showcased videos created by attendees just for the show.
Steve created a fabulous video he called Learn About Iceland, and it's filled with fun facts to know and tell, including such things as an Icelandic Santa named Sausage Swiper. There's a link in the show notes to Steve's video. It's fantastic.

Mac Geek Gab Caucus at Macstock 7

https://www.macgeekgab.com/episode/993/


[8:11] The final event of the day was great fun. Dave Hamilton hosted the Mac Geek Gab Caucus on stage with all of the people who had ever been on the show. Of course, there was John F. Braun, host emeritus, along with new co-host Pilot Pete, but also Adam Christensen of the MacCast, Jeff Gamet, and little old me. Dave called it the caucus because he posed a series of topics to us and we had to come to a consensus on whether we think the state of these things is better today or was better in the early days of Apple. For example, we talked about backups and automation and more. It was a lot of fun and Dave has released the audio as Mac Geek Gab 993 so you can hear the brilliance of us all for yourself. After an evening of tomfoolery at dinner and back at the hotel lobby, where Jill and I did push-ups for unknown reasons, we started day two of Macstock with a brief talk by Bob Wood about why, if you like Macstock, you might really like your local user groups.

[9:08] This was followed up by my talk, entitled The Power of Learning by Teaching.
It was kind of funny, but just about every person on day one referred to my topic in their own talks.
Even Chuck Joiner said it pained him to say something nice about my topic.
It kind of stole my thunder a little bit, but it also emphasized how much people resonate with this idea of the power of learning by teaching.
I know you're terribly sad you didn't get to see my talk, but I have good news for you.
In a few minutes, I'm going to be playing the audio of that presentation that I did, and Steve also recorded the whole thing for you in video, and you can watch it at a link in the show notes.

[9:45] Brittany Smith's talk was entitled, Save Your Brain, Work Smarter, Not Harder, and she explained some of the tools she uses to help in her consulting practice.
She figured out that she has a string of workflows that she goes through with every new customer, and so she figured out how to automate these workflows. For example, she can automatically create a worksheet, an outline for meeting notes, and even calendar appointments, all without doing anything manually.
I especially enjoyed Jeff Gamet's talk entitled, Decoding the World of High-Res Audio.
He started by explaining just what the heck audio bit rate and sample rate mean and why we might care.
I've studied this so many times and it took his talk to really cement the concepts in my noggin.

[10:27] He moved us on from there to get into digital audio converters, also known as DACs.
He told us why we might want one, depending on what Mac we have and what we wanna listen to.
And he even gave us a couple of recommendations we could buy.
Our very own Jill from the Northwoods was up next. Now, you know I'm a big old fangirl of hers, so don't take my word for it on how well she did.
After the conference and Jill had already gone home, we were hanging out with Dave Hamilton, and out of the blue, he leaned over to me and simply said, Jill crushed her presentation.
I mean, hey, that's not me talking, that's Dave, so you can believe him.
The title of her talk was Learn New Technology with Stix. It's hard to explain the Stix in a brief explanation, but she artfully wove two totally disparate subjects into one set of lessons to learn.
The two topics were how she gets people to learn the medical software that she supports and how she converted herself from Windows to the Mac.
I know, those are totally disparate topics, right? What do they possibly have to do with each other?
But it was fascinating and somehow she was able to blend the two subjects perfectly together with her lessons.

[11:34] Another well-known NosillaCastaway in our live chat room is Professor Marty Jencius, and he was the next speaker.
He started his talk called Apple of My AI by saying that when he first thought of his topic, nobody was talking about AI.
And by the time he got to Macstock, that was pretty much all anybody had been talking about lately.
In any case, he had a very interesting lesson on how he uses AI.
He explained how with repeated and well-constructed prompts, he's able to create a syllabus for a course, you know, kind of an outline of what needs to go into it.
He used the example of, let's say you wanted to teach a course on Final Cut, and he showed how you could use his method to make sure you had a good outline of everything you need to teach and not forget and leave anything out.
Mike Schmitz, more commonly known now as Rachel's husband, talked about PKM or personal knowledge management.
He explained how he uses tools like Obsidian to gather all of his knowledge that he really deems important.
He made sure to clarify that every note you take and resource you find isn't necessarily knowledge you need to retain, and he talked about how he filters things down what he wants to retain.

[12:42] Now, I really enjoy watching Mike present because he always does something interesting in the way he presents. At the first Macstock where I met Mike, he did a live demo.
Live demos are fraught with danger. I mean, "there be dragons" just barely begins to say it.
Not only because you have to be able to flawlessly execute the demo, which is hard enough, and you have to be able to explain it while you're executing the demo, but you're also really likely to have dodgy Wi-Fi. So how did he do a live demo?

[13:10] It turned out it wasn't a live demo at all. He had tricked us.
He creates video screencast segments and he puts each segment on a different slide.
This allows him to just hit the spacebar on the keynote and the video advances.
It was genius and I've occasionally stolen that technique from him.
This year, the cool thing he did was that all of his graphics in his presentation were hand-drawn by him.
Remember how Rachel said we might benefit from learning something creative instead of consumption obesity?
Mike's thing that he decided to do to become more creative was he wanted to learn to draw.
His icons were playful and eye-catching and I loved them.
Now the slide that stuck with me most was when he said that learning to do things takes practice and you will fail a very long time, very, very, very many times before you succeed.
But his slide is what cemented it to me. It showed three hand-drawn poop emoji followed by a hand-drawn diamond.
It was perfect. Well, Wally finished out the conference by showing the second half of the inspiring videos from show attendees in Macstock Film Fest Day Two.
We went out for tapas and wine at a lovely place called Winestock, then out to dinner together on an outdoor patio where we talked and laughed until they closed the place down.
Well, technically, we stayed well past when they closed the place down.
They said, we're turning off the lights on the patio, but you guys can just stay, because we were swell fun for them.

[14:34] The bottom line is that Macstock is one of my favorite events of the year, and we missed it terribly over the past four years.
Getting to see Barry Fulk and his lovely wife, Bobbi Ann, Jill from the Northwoods, seeing John Ormsby, also known as NASA Nut, in the live chat room, Marty, also known as Drunk Nick Nolte, in the live chat room, Brett Kennedy, who used to come to the live chat show, but, you know, we have been missing him in there lately, we got to see Troy Shimkus, who finally made it for the first time. And we got to see Tim Jenevick again, also known as Dr. Tim, in the live chat room.
Tim, by the way, won t-shirts when he showed up at the Midwest Mac BBQ wearing a Podfeet shirt.
Finally, the wonderful Corky chauffeurs us around all around town the entire weekend, and that is always delightful. We got to hang out and see his amazing dogs.
He's got these giant English Mastiffs. It was just fabulous. Loved getting to see him again.

[15:29] Now, the one sad part was that Bruce, also known as UseTheData in the Podfeet Slack, and very participative there, and you've heard him on the show, he was supposed to be there but unfortunately fell ill, and that was a real bummer. We were really looking forward to meeting him in real life.

[15:43] Oh wait, there's one more story I absolutely must tell. At Macstock 7, I got to hang out with Reverend Barry Gin.
Would you believe he was my office mate back in 1989 when I was working for Hughes Aircraft Company?
Somehow he stumbled across the NosillaCast online and figured there probably aren't two Allison Sheridans out there.
He made contact a few years ago and he decided to come to Macstock this year to meet up with me after 34 years.
How cool is that?
I am 100% certain that there are people I forgot to mention who are listeners to the show and were at Macstock, and I really apologize, but my memory is only so good.
So these are the people that I know participate a lot in the show and that's how come I'm able to remember their names.
Anyway, I loved seeing absolutely everyone, old friends and new.
If you count Steve and me, the NosillaCastaways were more than 10%, probably close to 15% of the attendees, which is pretty much how high it usually is even when there's a bigger crowd.
So if you want to come to Macstock and get to meet people who are loving the same show and loving all of the other shows of the podcasters who were there, I got to tell you, Macstock is the place to be.
As long as Macstock is still going on, Steve and I will keep going.
I hope this has helped to encourage you a little bit to keep an eye out for the dates next year so that you can join us too.

The Power of Learning by Teaching – Macstock 7

https://www.podfeet.com/blog/2023/08/the-power-of-learning/


[17:04] Now, I just finished teasing you a little bit by telling you during that overview of Macstock that you could go watch the video of my talk about the power of learning by teaching.
The video is really cool because Steve did a great job editing in my slides that weren't actually visible by the camera. I am very proud of my slides.
You see, my slides don't have words on them. They're mostly pictures.
I'm a big believer in not making people read when they're watching a presentation.
Anyway, I also thought it might be fun for you to get to hear the talk right now in the podcast.
So I went back and I cut out the lovely introduction by Mike Potter.
I cut out all of the long pauses when I tried to figure out how to transition to the next story.
I cut out all of the ums and ahs, or at least most of them. I also cut out the Q&A section at the end.
Would you believe after all that cutting that I cut it down from 43 minutes to only 24?
That was a lot of ums and ahs.
Anyway, with that, here's my talk on the power of learning by teaching as presented at Macstock 7.

[18:03] What I wanted to talk about was to think about there's a lot of different ways you can learn to do things.
A lot of people like to take classes and they like to have an instructor who stands up and spoon feeds them the information and that's a great way to learn, but it isn't how I like to learn.
People like to read online tutorials and I'm really glad people like to read online tutorials because I write online tutorials. So I really want you to keep doing that.
You know, when Rachel was talking about stop consuming so much and produce? No, do not listen to her. I need consumers.
I don't want you all producing. Just go back and read and listen to what I'm doing here.
A lot of people like to watch videos to learn. And you could watch YouTube, of course, but you probably really want to watch ScreenCastsOnline.
Big disclaimer, I work for ScreenCastsOnline as well. So videos are a great way to learn, but I actually don't learn that way either.
And there are some people out there... Anybody out here read manuals?

[18:57] Yeah, I've heard about that, but it's just not my way, it's too slow, I want to get in and start doing stuff and then get stuck, that's kind of more my strategy.
An example, I write blog posts that are full tutorials of things that I know how to do.
It might be just introducing you to a new app and the way a new app works, and I'll go through and explain step by step how it works.
They're really in-depth, you've noticed I talk a lot, I write a lot, I write about 5,000 words a week.
But then the other thing I do is that same content is what you hear on my podcast. And I remember somebody telling me once, why do you let people have the blog posts if that's what you're going to talk about on your podcast? They're going to read instead of listen. And.

[19:39] I said, oh gosh, you're right. It'd be terrible if they got the content the way they wanted it. I should stop doing that right away. So I do both. So you can consume it any way you want and pick and choose what you want to listen to or what you want to read, and you get both for the same price of free. And I thought I'd go through an example of how I learn in order to put stuff onto the podcast. My friend Pat Dengler, she sent me a link to this app called Shottr. And it's a screenshot app. Well, I've got about 12 screenshot apps.
I'm addicted to screenshot apps. I love screenshot apps. And I was really enamored with CleanShot X.
But she said, no, no, no, try this one. At the time it was free. It is now the grand total of $8. Not per month, not per year, $8. That's how much this app costs. And I thought, well, how good could that be? It's free at the time.
You know, I thought, ah, that's not gonna be very good.

[20:24] But I thought, I'll go take a look at it. The first thing I do is I push all the buttons.
I just go around and push all, because again, I don't read the manual.
I don't wanna know how to do it. I wanna just push all the buttons and see what it does.
And I'll give you an example here, and you don't need to be able to read what's up on screen there.
And there's a row of icons across the top.
And I take a look at that and I go, well, I see a, you know, I see a save icon, a copy icon, a pin, that's all pretty obvious.
But the next button over is a piece of paper with like six braille dots on either side.
Wonder what that is. And you click it and it turns out it's how you drag images out of it right into another document.
Well, that's kind of cool. And then I go, well, that next button, what is it? It's an arrow.
So it sort of looks like a selection tool, but it's also got like a little crop symbol.
What does that do? Well, it turns out it selects and it crops.
And that's an unusual way to do a tool. As I keep going across, you see an arrow.
Well, it's going to put an arrow and T is going to be a text.
I don't care about those.
But the next one over says one, two, above a line with like two vertical lines next to it.
What does that do? It turns out it's a measurement tool. If you hold down the one key and you drag your cursor around, it tells you the horizontal distance between any two elements on that screenshot.
So somehow, and there's probably somebody real smart here who knows how it does this, but somehow it's actually looking at the images and the text on screen.
It can measure the distance in pixels.
And so if you're a designer that's trying to do layout, it can be really, really helpful.
You hold down the two, it does vertical distance.
So anyway, I'm just sitting there banging at these buttons, just poking them to see what they do.

[21:50] At this point in the process, I need to take a critical eye and really look at this and see whether, is this something I'm going to want to do a review of, I'm going to want to teach how to use.
So my first question is, does it solve a real problem? If it doesn't solve a problem, then don't go talk about it.
Now the problem can be, I'm bored and I want to be entertained.
Like I did a review on an app called Klack. Has anybody heard of that?
It's a menu bar app and its whole job is to make your keyboard sound like a clicky keyboard.
I love this app. I love it.
It makes me happy every day. The dumbest thing, but it makes me happy.
So that solved a real problem.
I might ask, you know, is it unique? Is it actually gonna do something that I can't do any other way?
And you look at Shottr, well, not really, right? Because I can do my CleanShot X, I got all these other ways to take screenshots and annotate them, but maybe it's like something else, but it's better.
Or in this case with Shottr, the conclusion I came to was it wasn't better, it was just different.
And it was fun and it was playful and I really, really liked it.
So that actually made the cut in that one.

[22:47] So I don't bother doing the review unless it meets that criteria.
So one thing I never do, people say, well, you should tell us about apps that are bad, so we don't accidentally buy them.
And I say, that doesn't sound very joyful at all. I'm not interested in that.
I'm not going to slam somebody. If I do find a bad app, by the way, I write to the developer and I say, I have a few suggestions for improvement.
So at this point in my learning, I start digging a little deeper.
It's time to just really dig into the app and get into it. Here's another shot of Shottr.
And when I clicked on the blur tool, I noticed at the top it says blur, blur text, erase and erase text.
What is this sorcery? So I selected a region and you can see that there's still a little gear there under the region I've selected, but the text is gone.

[23:29] So right away, I mean, that's eight bucks, right? I mean, to be able to do that, so obfuscating information that's private that you don't want to have shown, you can do blur, you can do the regular kind of blur in it, pixelates it and things like that, but to be able to just erase the text and leave the graphics, that's magic right there.
But when I get to this point, now it's time to start writing.
So what I'll be doing is I'll be writing, you know, use the blur tool to select an area, blah, blah, blah, and I'll actually start to write it out at this point in the process.

[23:56] The next thing I do is I just start poking all the buttons in the settings or preferences.
And to be honest, I don't poke every button.
I may look at it and go, ooh, that sounds too hard.
So one of the things Shottr does that's really cool is it does scrolling screenshots, and a couple of apps do that.
But what this one does is when you select the region, it auto-scrolls.
So you don't have to guess like how fast to go, which is really cool.
But it has an option in here, it says scrolling screenshot max height, 20,000 pixels.
I have no idea what would happen if I changed that to 10. No idea.
So after I'd done poking all the buttons, invariably, I'm stuck. I find something I don't understand. So when I get baffled, I've got to figure something out. How does this button work? What am I supposed to do?
At this point, I do the unthinkable. I look at the user manual. But I only really like user manuals where they're very specific and great. And I put up the gold standard. Rogue Amoeba in general is the gold standard of basically everything. And their user manuals are spectacular.
The best thing in there is there's a search box, so I can search for the thing I want so I don't have to read the manual, which is what I really don't want to do.
But they also give great screenshots and that, like, have you ever used, oh, there's a tool, Dave loves this one, it's at Pixelmator, I think.
When I tried to learn Pixelmator, they would say, okay, touch the color picker tool.

[25:13] What's it look like? And there were like no tool tips back then.
There might be now, but the user manual's horrible on that.
But in this one, it's really, really good.
But invariably, I don't get to the point where I actually understand how do you use something.
So what I do is I contact the developer.
And you would be amazed how much developers actually like to write back to you about their tools if you approach them correctly. So my approach is, so I'm probably an idiot, but I don't understand how to do this. This doesn't make any sense to me.
And I always tell them, I hope it's a mistake I'm making because it's easier to fix me than it is to fix software.
So if I tell them that, then they're like, oh yeah, well, you know what you could do is this.
And every once in a while you get somebody who's snarky and gives you a snarky answer and that's good to do.
But what's fun is you start to get to know them. Have some fun, you know, be playful when you write to them because they can help you and make your life easier and you can make them happier.
You know, start by telling them all the stuff you love about their software.
In fact, put that in the title and then put the part you're mad about inside there.
And if you bother them long enough, sometimes you get an app like Feeder from Reinvented Software.
This is a guy named Steve Harris.
This guy is one of the funniest, most snarkiest, sarcastic people I have ever met in my entire life.
I asked him a lot of questions, so for the people who can't read it from here, in his About Me page for Feeder, it says, thanks to Allison Sheridan for use of her feed and screenshots and for being generally annoying.

[26:35] Steve and I had an opportunity to go to England to meet up with Don McAllister, and he did a tweet up in Liverpool.
Steve Harris drove two hours to come to Liverpool to go to that tweet up.
And I got to meet him in real life. He was hilarious. And I'm talking to him before he left.
I said, God, it means so much to me that you drove four hours just to meet me.
And he goes, no, I came to meet Don.
I actually, I wish Adam Christensen was still here because he's the one who pointed this out to me.
It was up there for two years before I ever noticed it. Steve never told me.

[27:06] Now if I really want to learn something, I sign up to do a ScreenCastsOnline tutorial.
There is no better way to learn a tool than to have to demonstrate a tool.
That's where you realize that you've been kind of skipping over some parts and just using the parts you know. But with the ScreenCastsOnline tutorial, you really need to do it in depth because people pay for this service. It's a podcast, but you subscribe to this because you're learning stuff. It's a tutorial service. So you can't just do a half-baked job when you're selling something to people if they're actually paying for the content.
I gotta tell you, I did one on Retrobatch, which is a really cool tool for image manipulation, super fun automation stuff.
And doing the video for ScreenCastsOnline was way, way, way, way, way, way harder than it was to do the blog post and talk about it on the show.
Because I have to practice it so many times so that I can fluidly go from step to step.
And I can, you know, seriously, can't hand wave.
You can't have anything jumping on screen, going, oh, let me back up.
Because you can't back up. Once you've laid that down on tape, you have to keep going. So when I want to learn it really well, I'll sign up to do a tutorial.
And the thing that really brought it home to me, thinking about learn by teaching, was that if I do a ScreenCastsOnline tutorial on something I already know how to use, I learn it so much better.
Audio Hijack is a tool that is just essential to my workflow, doing the podcast.
I'm using it all day, every day.
I couldn't believe how much I learned by teaching it on ScreenCastsOnline, even though I've been using the tool forever.

[28:32] A couple years ago I did a mind mapping tutorial, what's that, iThoughts.
Yeah, it's on iThoughts. It's a great mind mapping app.
And what I start doing to do the videos is I start taking notes in just little bubbles.
You can rearrange them real easily to tell the story in the way you want to go.
Because I like to start my tutorials with, Why do you care?
Am I ever going to need this? Because I figure I've got about 20 seconds for somebody to go, I don't care about that, you know, that's a banking app, I don't have any money, whatever it is, you know.
I've got to catch them, I've got to give them a hook, so I work on how to tell the story to get them to go, oh, you know, I might do that someday, I might try that.
And so I really work hard to get a story in a cohesive order.
And one of the other things you have to figure out when you're teaching it is where do you teach the settings for a given application? Because you can bore the heck out of people if you start in settings, but a lot of tools, you have to start in settings, and Shottr was a good example.

[29:22] If you didn't set things up in settings, you couldn't actually use the tool well.
So you have to figure out where do you feed it in. Usually I try to make it at the tail end.
I don't know, is the end the amuse-bouche? No, that's the middle.
Anyway, Dessert is where I usually put that in. But sometimes you got to put it in the right place.
So I use a mind map to help me learn. And I just, I could not believe how much I learned about Audio Hijack when I did that tutorial.
Next story. I'm really interested in accessibility. Accessible tech is so much fun.
People with challenges, man, they get some of the coolest stuff.
And one of the things I wanted to learn was VoiceOver, which is the built-in speaking tool for the blind in macOS and iOS.
And I was really interested in this from a little kid. I've always been interested in Braille and things.
For some reason, Braille just really blew my dress up. I was excited about learning about it.
So I had played around in VoiceOver and I just, I couldn't get the hang of it.
You know, I would play with it a little bit and I would just kind of shy away from it.
So in a moment of madness, I volunteered to do a presentation at Macstock blindfolded.

[30:22] And I love what Don McAllister, sorry, Macworld, what did I say?
Macstock. Yeah, no, I'm never doing this again.
I am never doing this again.
It turns out the iPhone's actually not that hard to use in voiceover because you've got this constrained area. It's only this big. You can't be that far off.
And it's always in a little grid. The back button in almost every app is always in the upper left.
And the APIs that Apple gives you in developing tend to make it automatic to label the buttons.
And when you get over to the Mac side, it's free range. I mean, you don't know where anything is on the page.
You don't know what window you've got in front.
Don't even get me started on how hard the web is to navigate, because every developer is designing everything differently.
So I think I rocked the iOS part. I crashed and burned when I did the Mac part.
How many people know the rule, never change anything in your presentation at the last minute?
I moved my presentation to the desktop right before I went on stage.

[31:18] And I got it stuck to me. And it was like I was like this, I was going around in a circle with this thing stuck to my foot and everybody could see that I was, everywhere I went the presentation was just following me around on screen.
But I didn't know I actually had to take the blindfold off and I was crushed because I had worked so hard to do it perfectly. I practiced it a thousand times and I didn't get it right.
But what I liked was the audience said to me afterwards, they said, no, no, you showed us how hard it is.
That's what, if that's what you were trying to teach, you definitely got that message across to us.
So another fun story about that, I enlisted a bunch of blind friends.
The cool thing about podcasting is blind people can listen, right?
So all these blind people listen to my podcast, and I talk about accessibility in the middle of mainstream podcasting, and so I have a lot of blind friends, and so I enlisted them all.
How do you do this? How do you do this? And I remember I called a blind audio engineer who has a studio out in New York, and I called him up and I said, do you think I can really do this? And he goes, oh, Allison, it's not that bad.
It's great. You're going to be able to do this. Piece of cake.

[32:12] I called him afterwards and I said, you liar. And he says, yeah, I know, right?
It's really hard. Why did you do that? He says, well, I didn't think you'd do it if I told you how hard it was.
All right, so that was really fun. I enjoyed doing it. It was, again, I was crushed that I didn't just nail the whole thing. But the audience was very, very nice.
I believe you guys were very forgiving afterwards.

[32:36] But learning that skill, because I did that tutorial, is now what I can do is I can test apps for accessibility.
So whenever I'm, I try to remember every time, I don't remember every time, but when I'm going through an app, about three quarters of the way through, I'll go, ooh, I wonder if it's accessible.
And I know enough to stumble my way around to tell you if it's inaccessible.
I can't tell you if it's great, but I can tell you if like, nope, nothing's labeled here, or you can't navigate this at all.
I came across an app recently that I won't call out, but they came out with a new version, and the old version was accessible, and the new version isn't.
Like nothing was labeled, couldn't navigate. I mean, train wreck, bad.
And I wrote to the developer and I got an email back in 17 minutes.
And the guy said, I didn't do it before the new version. I'm going to work on it now.
I take responsibility and I'm ashamed that I didn't do it right.
Now that's almost as good as if you'd done it right.
I also found out recently that MacTracker is not accessible. It's just a table.
But on the Mac, you can't use it at all. There used to be a web version, but that's gone.
But the iOS version is pretty good.
It's not bad. That's what I'm talking about. On iOS stuff is a lot easier to be accessible.
But I use this all the time. And what I was able to do was write a tutorial for all y'all to learn how to do it.
I walk you through. Okay, hold down these buttons, do this arrow key.
And then I give an example of how to walk through and try to do it.
And actually, MacTracker's the one I call out in there because I was really surprised that it wasn't.
It's been around for 140 years. I thought it would have been. Older than the Mac.

[34:02] Older than the Mac, yeah. Probably, yeah. All the iOS stuff in there too.
Steve and I got solar panels. Shortly after we had solar panels installed, we had a whole home battery system put in. And we found that a lot of people are interested in the topic, they want to know, and they're usually like, oh, it's never going to pay off, is it? Well, batteries aren't for us, but the solar panels will in seven years. But we had a lot of people asking questions. How does it work? How do you manage it? What happens? What are the different scenarios? And we started thinking about, well, okay, if the sun is out and the

[34:31] grid is down, what can I use in my house off the battery? Because when you get the battery, you get kind of a budget of, I don't know, amps or watts or kilowatts or something, Steve would tell me.
He's a double E, and I'm an M-E. You have to decide what circuits are going to go on the backup battery. In our house, our electric vehicle charger can't be on the battery, and our oven can't be on the battery. So those two are off, but everything else in our house can be run off the battery.
Well, we started getting these questions about how it worked, and so one of the tools I used to teach is I create diagrams.
I'm always giving Dave a hard time. I'm always saying, hey, could you diagram that for me?
I'd really like to see that.
So you don't have to understand anything on here. This is just a representative of what we do.
We probably made, what, 25 versions of this, Steve? I think as we went through, we made like 25 versions of this because we couldn't figure it out.

[35:15] We realized we didn't understand how it worked. If you could see it and if you cared, it tells you what happens when the grid is on, up, but when the grid is off, is the sun out, is it nighttime, how much battery is left, how does the energy flow?
Like, the energy always flows to your house first, no matter what, and then it tries to fill the battery, and then if it's got excess, it sends it back to the grid.
If the grid is out, we can't use our oven or our cars. However, well, we can use the cars.
We just can't charge them. However, we discovered in drawing this diagram that if the grid was up, we could use the battery power and keep from using grid power.
We're like, whoa, that's interesting. But we figured it out.
We learned it because we did this blog post and this diagram and wanted to teach how it worked.
So that was a really great example of learning by teaching because we learned something we actually didn't know.
I also test drove this on some friends of mine who are real smart but know nothing about this, and their questions were really invaluable because they're like, well, I don't understand, what's that line mean? Oh, if I made it dotted, maybe that would help.

[36:11] So I love doing diagrams. This is done with the free diagrams.net is a website.
You can also download it locally and it's got a different name, but I won't confuse you with that.
Really good free diagramming tool. I use it all the time. Next story.
So we do a show live on Sunday night. Steve produces it and I'm the on-air talent, as it were.
What it really is, it's not like Mac Geek Gab where you're actually getting to see the real show.
You're seeing the making of the podcast. So I stop and start and chat with the audience and goof around and they pay no attention to me in the chat room at all.
Marty, I'm looking at you, where's Marty?
Yeah, that's drunk Nick Nolte in our chat room.
He's definitely, oh, and John, where's Nassanite? He's really annoying.
Did John leave? Oh, there he is. I just get a creepy feeling when he looks at me.
So he's always making snarky comments. But anyway, these people, and Jill is on Team Allison, so she's one of the good ones here. There's Joe Beck.

[37:03] She says she learned how to podcast by watching my live show.
The setup of this is somewhat complex because we're piping a lot of different things around.
So again, I diagrammed it to make sure I learned how it worked.
So at the top, you can see that my audio and my video both go into StreamYard, which goes to YouTube for the video, but also my recording software called Hindenburg, which gets a lot of laughs every time you say, you expected that would work out well.
It's actually a great application. But anyway, I need to learn it better, so I really need to do a ScreenCastsOnline tutorial about it, because I don't know how it all works.
I taught Jill how to podcast. She's teaching me how to use Hindenburg, because you know what she does?
She reads the manual. I'll say, Jill, how do you do this?
I don't know how to do this. She'll help me.
Oh, that was another thing I was going to put in here, is just get friends of yours to read the manual and tell you how to do stuff. It's a great way to learn.
You just got to find the right people.
But separately, we pipe Steve in, and we've got the video and audio going different places, Discord has the audio, but not the video.
And so piping that all around is difficult. So I keep diagramming, and I put down all the settings.
This is Audio Hijack and Loopback.
And I've got a button there, Important to be Unchecked. I can't hear the audio from Hindenburg if I forget that one button.
And I forget that button, sometimes it gets flipped back, so.

[38:18] I diagrammed that and I took diagrams of what the way Hindenburg is set up and the way StreamYard is set up. And once I've done these diagrams, I know that in the heat of the moment, we're trying to get ready. It's three minutes to five. And man, there is heck to pay if I don't start at five o'clock on Sunday nights because that's what time we start.
If anything goes wrong, I can just flip up these charts and go, oh, OK, there's the button.
I didn't check that. I didn't check that. Something got flipped the wrong way.
So I find diagramming things to be a really good way to document it, learn it, and then you have it as a resource to go back to when things go wrong.
I used to use a different piece of software that had literally a 15-page document to go with these kinds of settings.
Don't use it anymore and I'm so happy we're on StreamYard now, it's so much simpler.
Now I'm going to flip over to doing examples from other people.
I wanted to learn to program when I retired.
I thought that would be fun. I talked to a buddy of mine who was a programmer and I said, I want you to teach me to program.
He says, I'll get you a book.

[39:08] I don't want to read a book anymore and I want to read a manual, so I'm not going to learn that way.
So I was talking to Bart Busschots out of Ireland, who's a programmer, sysadmin, security specialist, and he does a segment called Security Bits on my regular podcast, the NosillaCast.
And he said, well, I'll teach you, what if we do it in an audio podcast?
That sounds like a really silly idea. An audio podcast to learn programming.
Imagine reading shell scripting out loud. You will hear that, but that's a dense language.
But what he does is he writes perfect tutorial show notes. So you can choose not to listen to us at all.
You can read his tutorials and go along, or it's even better if you hear him explain it, And the value he says I bring, and I argue with him all the time that I don't bring much value because he does 98% of the work, is I'm that idiot in the front row going, I don't understand, can you repeat that? I don't get it.
And he says, that's where you make me step back and I have to explain it better.
And that's the tiny contribution I make other than producing the show.
The interesting thing was just a couple of weeks ago, he told me, like I said, we're doing the shell scripting section. He said, Allison, what you don't understand is I am one week ahead of the class understanding this.

[40:10] I am learning as I'm going. So he's been doing shell scripting forever, but he knows that if he has to teach it, and I'm in the front row, and I'm gonna ask, he said, you're gonna ask the wrong question.
I said, I would say I'm gonna ask the right question, but that can really throw him off his game.
If he, he's not like me, he's not just gonna make something up.
He has to, he's like all factual and right and stuff. And so he has to know exactly how it works in order to teach the class.
And so he's been learning more and more about bash programming than he ever knew before.
A funny thing about this show is I was just telling somebody over here today, the people who take this class are mostly programmers, people who already know.
And they end up going back to try to refresh their memory and get deeper into it, which is really depressing for me because I'm the junior programmer going, I don't know anything.
And these people are like, well, I've been doing this for 38 years and I just learned this.
But the good thing is I have a whole bunch of people to help me with my programming.
So it's good for me too. Last example, my friend Linda was just telling me a story.
She wanted to get this teaching job, and it was like earth sciences, something like that, that she was going to teach. And in the interview, they asked her, do you know what the tectonic plates are?
And she says, yeah, those are those dishes I keep in the top of my cabinet for company.
And she said they thought she was just being flippant because it was such an obvious question.
She had no idea what the tectonic plates were.

[41:26] But she faked her way through by being funny. But what she said was she was one week ahead of the class, just like Bart, reading the book, understanding it, and then being able to teach it to the class.
Because of course they're probably not reading the book.
But it was just another great example, but learn by teaching.
She says, I know all about the tectonic plates now, because I had to teach the class.
The final thing I wanted to say is that as a result of the work that I've done to teach other people, I now have over 3,200 blog posts.
So when I need to know something and I go out and I Google it, I cannot tell you how many times the answer is at podfeet.com.
And I know it's because I'm logged in as me for a long time.
I thought, oh, I'm famous, you know, but then I logged out of Google and it was not nearly as exciting, but I didn't stay logged into Google. I can always find the answer because it's at podfeet.com.
And it's like, whoa, I knew how to do that at one point, huh?
Well, that's good, it's in here, I'll just figure it out. So I learn by teaching, and then I've got documentation of that, and then I can go back and I can learn it for myself.
So learn it again, because, you know, memory is bad.
I'm out of time, thank you very much. Well, this week, the very lovely Owen Harris.

Support the Show

https://podfeet.com/paypal


[42:35] Went over to podfeet.com slash PayPal, and he made a one-time donation to the Podfeet podcast.
I wrote back to him and I told him it means a lot to me that he's out there either reading or listening and at least enjoying the content we create here.
I thank him for his generosity in supporting independent podcasting.
I hope you appreciate Owen as well for his help in keeping the NosillaCast ad-free.

Security Bits — 5 August 2023

https://www.podfeet.com/blog/2023/07/sb-2023-08-05/


[42:57] What's that time of the week again?

[42:57] Music.

[43:07] It's an early Security Bits with Bart Busschots. Hopefully not too much happened in a week, Bart.
Strangely enough, no. The show notes were looking stupendously short, when then luckily, of all things, a report came out.
But it's actually kind of a nice report, so I turned it into a whole bunch of security medium, or a deep dive as we're calling it. Yeah.
Very good, very good. We have one little follow-up of the never-ending story that is the NSO Group and Pegasus and all that shenanigans. The FBI went off to investigate why it was that, well, basically the FBI discovered that the FBI accidentally bought Pegasus software, sorry, bought NSO Group software after the US government embargoed the company in retribution for them being up to all sorts of naughtiness, which was deeply embarrassing.
Yeah. Who did that? Oh, bleep. It was us.

[44:07] That's horrible. They did stop straight away, though, when they discovered. And it wasn't Pegasus. It was something called Landmark, which is for location tracking as opposed to turning on the mic and stuff. So ick, but a bit less ick. Yes.
Okay. I'm actually kind of glad that did happen. It's interesting that they confessed it.
Well, to me, this is a good sign, right? This is how transparency is supposed to work, and you're supposed to learn a few mistakes and stuff. So yeah, I mean, people make mistakes. This is the right way to do it.

[44:42] So that then jumps us into our deep dive, which is a report that hit the news feeds. It is called the top of vulnerability, sorry, the most exploited vulnerabilities of 2022.
And it is by what sounds fun. Well, it actually kind of is interesting to see.
Well, so there's lots of things that are theoretically dangerous and there's lots of things that the bad guy could be going after, but what is actually happening for real?
Right. You know, if you have a bad front door lock and you live out on the Rocky Mountains or if you have a bad front door lock and you live in New York City, it's a very different thing.
So where are the actual, what's actually happening instead of just the possibilities?
Because we always talk about, you know, this could happen, this could happen.
So I thought it was interesting.
Now, it's by what might sound like a random collection of countries.
Australia, Canada, New Zealand, the United Kingdom and the United States.

[45:38] But they're not random. That is the Five Eyes group. Okay, okay.
So this is a report by the various intelligence and cyber security agencies from the Five Eyes.
And so they have very good insight into what's actually happening in the real world, because they're very interested in protecting the most important economies in the world, let's be honest.
Right, right. Right. So the report is not too long, most of it's appendices.
So actually it's a bit, they didn't think of, like, diagrams or graphics or any of that. They put their logos in.
So it's not completely free of color. Their logos are at the top.
But other than that, it's kind of just text.
Pretty dry. It's pretty dry, but it is it is accessible. Anyone who's listening to this could read it.
But I think that the best thing to do is to jump to the list of 12 most exploited vulnerabilities on page 9, which I'm going to translate into humanese for you, because I think it's much more interesting that way. So at the top of the list we have login details leaking from a widely used and very expensive corporate firewall, otherwise known as FortiOS and FortiProxy from a company called Fortinet, and we have a long-running joke in work.
They call everything Forti.
They actually have a backup solution called a Forti Fort.

[47:06] I've never heard of this. This must be a corporate thing. It really is.
The number of zeros on these people's invoices will make your eyes water.
So, login details leaking from what is basically the front door to your corporate network.
Of course, when such a vulnerability came out, everyone attacked it because this is like they provide like VPN access.
Yeah, right. Exactly.
That is where that is the front door of major corporations.
Of course, that's where they went.
The next three together are basically there are different vulnerabilities, but two, three and four are all remote code execution and the ability to bypass login in self-hosted versions of the single most popular groupware product on planet Earth.
Microsoft Exchange.

[47:58] Microsoft Exchange can be self-hosted. Exchange is the self-hosted product.
What you're thinking of is Office 365, which is Exchange migrated to the cloud, but...
I don't know what Exchange actually is, Bart. I think of it as a corporate product for email.
I don't think of it as anything else. But self-hosted sounds like it's a home-use thing.
Self-hosted in the corporate sense. So it is your groupware, right?
So it's your email, your contacts, your calendars.
Okay. So is this all going to be corporate-focused stuff?
Mostly, because that is where the money is. That is what's mostly attacked, right? But this is what's going on in the real world. So in the real world, what's going on is people are going after people's self-hosted Exchange servers where you can run any code and log in without a password into anyone's inbox. Can you think why the bad guys might want to do that?
Maybe. Next we have a wonderful one, a remote code execution and the ability to bypass authentication on a third-party provider of multi-factor authentication.

[49:00] So you pay these people to put multi-factor authentication in front of your in-house websites and stuff you built yourself, only they have an authentication bypass and remote code execution in the two-factor authentication you put in front of your stuff.
I hate when that happens. I think that's just, well, hilarious in all the worst possible ways.
We have arbitrary code execution in self-hosted versions of the most popular project management software suite out there, Confluence from Atlassian.
You've probably heard Atlassian ads all over the place. So that's how you're managing your big corporate projects.

So of course that's where the, if you're into a bit of corporate espionage, of course you want to see how the designs for the latest fusion reactor are going, right?

[49:48] Right. Eight and nine then come together in a little thing called VMware.
So why not just go in and grab all of the, you know, oh, sorry, I've skipped one.
We'll go back to seven. Eight and nine are in VMware. Basically, you go in and steal all the virtual machines running all the companies.
I'm actually going to skip back to seven at the very end. The last one, then, is basically looping us back around to the start.
There's actually a bunch of firewalls called BIG-IP, big firewalls.
These also cost house payments per month, from F5 Networks.
So they're all really big corporate things, protecting the front door of the corporation, protecting email contacts calendars of the corporation, protecting the project management of the corporation, protecting the two-factor authentication for the corporation.
Number seven that I accidentally skipped, but probably should have skipped on purpose.

Good old Log4j. The old Log4j vulnerability makes it in at number seven. I remember that one.
Yeah, that was supposed to be a lot of fun. That was a month of buying coffee for our sysadmins.
It really was. So Log4j is an open source library for adding in string processing into your in-house Java apps.
Corporations love Java. So there's Java apps all over the place, and of course, apps all have logs.
Therefore, Log4j was everywhere, so it was a backdoor into all of those little apps corporations build to make themselves go. But it's noteworthy because of everything I've mentioned, that's the only open source one.

[51:20] Everything else was lots of big corporate stuff. So I thought that was kind of interesting.
So in terms of real-world threats.

[51:29] That's, A, I wouldn't say too scary, because they're the kind of things we'd expect people to be going after. So it's pretty obvious stuff.
They also then, if you want to continue reading on the report, if you skip ahead, actually, no, before we skip ahead.
So I sort of went, well, what do I make of those? So I've already said they're going after what you think they'd go after.
Just the one open source project, little Log4j. And again, almost everyone on that list is a really big hitter.
And I'm going to apologize to the poor people at Zoho because I don't think they count. They are not in the same league as your VMware, your Atlassians, your Microsofts. But, you know, everyone else has really big names.
Yeah, yeah. Well, but the big names write big software, more software, more mistakes, more humans, more mistakes.
Makes sense, right? And also they're a bigger attack surface because they're everywhere.
So even if they were harder to attack, they could be 10 times as difficult to attack, but it's 100 times as valuable to attack them.
So you still do. So it's all about the money, right? I keep saying this, follow the money.
But the last thing that jumped out at me is that five of those 12 vulnerabilities were in what is arguably considered to be the legacy approach.
So.

[52:52] People in general, Microsoft wish no one would run Exchange.
Microsoft wish Exchange would vanish and everyone would use Office 365, which is their software as a service version.
Atlassian are trying to get everyone onto Confluence Cloud because that's their software as a service version of Confluence Data Center and Confluence Server, which are the compromised products.
So if you're still insisting on running your own data centers with your own servers and stuff, you're actually putting yourself at more risk, because the customers of the cloud services were never affected by these vulnerabilities.
Yeah, that's easy to say if you're thinking about student record data of what time their classes are.
It's a little different if you're talking about the IP of your company or, I don't know, national security.
Well, it is. There isn't any way you're going to convince a company. You say that.
Have you ever heard of Google? No, I didn't actually get to say it because you spoke before I finished.
I don't think that you're going to convince a company like Raytheon to put, I don't know, warhead secrets on a cloud-based service.

[54:02] I thought you were going to say that. That's not hosted locally.
Well, there's actually a thing called GovCloud. There's a whole separate version of Microsoft's cloud for government use, that has been certified and the encryption keys are managed by the agencies.
And so it's like a different copy of a hardened version of the same cloud.
So there's actually two clouds.

[54:21] There's a government cloud, which is used by the US government, and contractors and those kind of people.
Okay, so that's different than what we were just talking about.
Well, no, because it's the same product. So you just basically, when you go to sign up, you go to say, am I GovCloud or am I Public Cloud or am I China Cloud? There's three versions of the cloud.
One of them is not a good thing. Don't go to China Cloud.
Unless you're in China and you have no choice. And the other thing that people might find interesting in there is the list of advice, or what you do to protect yourself. And what I love about this advice is that none of it is earth shattering.
None of it is like, oh, I'd never thought of that. It's all the basic stuff, which sort of gets back to my favorite stat ever, which is that doing the cyber security basics well protects you from 98% of threats.
Just it's not about rocket science. Just do the basics well.
And so if you read through the report, you're basically left with, actually, I love that they started the very first piece of advice they gave with these fancy words, but basically, make management responsible for your organization's security.

They have to be the ones where the buck stops. They have to be responsible in the true meaning of the word responsible.
I thought that was great to put that as your first piece of advice, because if they're responsible... I bet they'll get right on that, Bart.
Corporate governance, we are actually heading that way.
It is it is now considered to be a negative thing if there is no one with cyber responsibility in your C-suite.
If there's no... Sure, sure. So that's progress. That's the CISO.

[55:55] Nowadays, it's usually a chief security officer, so it's usually a CISO these days.

[56:02] That's literally what I just said. It is, isn't it? You said, that's your CISO.
Yeah, never mind. Never mind. that.
The other thing that they really focus on is secure by default and secure by design.
And they're two sides of, I guess, arguably the same coin. You have to design things to be secure, but also secure by default means if something fails, does it fail open or does it fail closed?
And there used to be a thought of, oh, no, make it fail open, because what if we end up being locked out of our system or what if there's an outage? And now the answer is, oh, goodness me, no, fail secure, fail secure, fail secure, because otherwise all you have to do to get in, it'd be the equivalent of having a security system where when the power goes out, all the doors unlock.
What do the bad guys do? They go, snip! Yeah, so maybe not.
Yeah, so I thought that was kind of interesting. The other thing that was really obvious was that if you haven't yet jumped on board the Zero Trust train, and you're still thinking the old moat and castle approach, really, you need to change that.
You need to get onto the Zero Trust train. I think we did an entire segment on Zero Trust, I think.

[57:08] I think so, yeah. So basically it's MFA everywhere, always make your devices prove their identity, which is really important, right?
Should this laptop be allowed onto the network? Well, until it has proved that it really is one of ours, no is the answer.
It's called network access control.
That's really important these days.
And regardless of how fancy pants your corporation, patch early and patch often, which, of course, is given the fancy pants name patch management, is right up there.
That is, whether you're us or whether you're big corporate, patch early, patch often.
The other one I really... That does sound pretty obvious.
Yeah, the other one I think that people often forget about because it's really boring, is you actually need to capture your correct configuration, which we call a security baseline configuration, which is really fancy.
But you basically record your configuration in an auditable way, and then you audit against it.
So that could be as simple as taking a checksum of all... Imagine taking all of your settings files, all of your plists, and doing a checksum on them, and if the checksum changes, oh sugar, there's one of your configs that's wrong.
And you just need to have something that says, a-ooga, a-ooga, this is not...
This should be set to A, and it's set to B.

[58:21] Because that is one of the most common ways where bad stuff happens, right?
A setting gets flipped, often because, oh, this isn't working.
What if I turn the firewall off for a second? Does it work now?
Oh, it does. I really should go back and fix that firewall. What, it's five o'clock?
Oh, okay, I'll get to that tomorrow. Nope.
Classic, classic. Well, and another thing that that does for you, this is something that Dave Hamilton talks about all the time.
He says, go look at your router right now and look at what the lights are doing.
What's blinking, you know, or your modem, what's blinking, what's on, what's off?
Go see what your current state is. And in fact, he's got another one that I don't think is actually practical.
But he says, go look at your console log right now.
What's it look like? What's flying by? OK, so now in an emergency, when you see these warnings, don't go a-ooga, a-ooga, because those are always happening.
But the problem is there's too much in console to actually easily do that.
But looking at the blinky lights. Yeah, that's a good one, right?
Yes. And I wish I had thought of that when we moved house, we changed internet service provider, we changed router.
And the first time the internet went down, the better half was like, go down and see if it's our internet or if it's something else. And I was like, well, I don't know what normal is, but the lights are this shape now.

[59:40] There's some red ones and some green ones. How's that do for you?
Yeah. And then I remember thinking I should have taken much more interest in what it really looked like.
I'm going to actually piggyback off that excellent suggestion with another suggestion. A lot of routers have an option to export their config as a file.
Sometimes it's an XML file, sometimes it's a JSON file. But you can often export the config as a file.
Well, yeah, I've done that before. Not lately, but I should.
Yeah, I stick mine into Git.
And then if I ever need to get my router back to the last time I knew it was working, I can just go back and go, well, I know that worked. I was missing half of these new features, but at least it worked.

[1:00:23] You know, anyway, a little bonus. But that is, technically speaking, a part of your secure baseline configuration management. So it's very fancy we're being here.
And the other bit of advice they gave, which is, again, sort of bonk bonk on the head, of course.
But you actually have to audit who you give access to, because usually the way this works is a one way system.
Yeah, Bob in accounts needs access to that system. OK, grant, give Bob access.
Now Joan needs access to that system. Give Joan access.
Five years later, Bob and Joan still have access. But Bob is now over not in accounts anymore.
He's now over in, I don't know, some office in India or something.
And he's completely exposed in a dangerous place.
But he still has access to all the finance systems.
Or he moved from finance into quality, and he no longer needs that.
And you did a long segment on the way Microsoft sets up those kind of controls to get you the right access at the right time to the right people, and only for as long as they need it.

[1:01:19] I still think it's impossible, and no one will ever do it, but I think it's a wonderful idea.
Well, there are tools there to bring you closer.
There are tools to make it, you know, because you're right. It's you're never perfect, right?
You're never going to be perfect, but gosh darn it, you should do your best.
It's called identity governance. Yeah, it's called identity governance as the buzzword.
The other one they really harp on about is you should be scanning your network to notice when something shows up that didn't used to be there.

[1:01:50] Because either your processes are leaky and you need to tighten up your processes so that you actually know when stuff is supposed to arrive or it's not supposed to be there. But either way, you really should know what's on your network. This is called asset discovery in fancy pants terms. And then the last thing is basically log everything, shove it in a giant big pool of data and throw AI at it. And if anything weird happens, the AI will go, a-ooga, a-ooga. It didn't used to be like this. Just a bit like your blinky lights.
How does just dumping the data into AI tell you that it's a-ooga?
Oh, there's slightly more to it. You're paying someone for something called a SIEM. But basically you put all the data in a place and then you tell the AI, you have a month where you're hoping everything's normal, or at least. Oh, okay. And you tell it, this is normal.
This is normal. And then you give it later and it'll tell you what's going on.
And then after that, you turn it from learn mode into shout mode. Not really the technical terms, but you know, you get what I mean, right? You tell it from, you train it and then you let it go. And it's actually surprising how it doesn't have to understand why it's wrong or anything. It doesn't have to understand any meaning. It's just like it used to be this shape and now it's this shape. A-ooga. And then the human beings come in and go.

[1:03:10] Oh, well, actually, that's completely normal. And then you tell the AI, no, no, no, learn this. This is normal. And then the AI goes, oh, OK, then those triangles are good. Fine.
OK, great. That shape is normal. But it's shockingly effective because almost nothing doesn't leave a trace.
Like, you can't do anything on a network without it being a log somewhere.

[1:03:28] Right, right. Anyway, I thought it was interesting to see a report from the real world.
You know, and none of it's rocket science. And none of this is, like, I haven't mentioned anything esoteric or weird.
It's just, could I do the basics? Not some weird mysterious effect we didn't realize was happening.
It's remote code execution vulnerabilities exploited on corporate services.
Yeah. And notice it's not weird zero days and really esoteric, you know, leet haxor stuff. It's just the basics. It's just the basics. Which that in itself I think is interesting.
Okay. I also did manage to find some news. I worked very hard. I found you two stories.

[1:04:12] So the Securities and Exchange Commission of all people are being mentioned in security news. Which is, at first glance, weird. But this ties back to me saying it's all about the money. Follow the money, follow the money, follow the money. The Securities and Exchange Commission cares about share prices and about investors not being defrauded. If you are a publicly traded company and you suffer a data breach and you hide that fact and it then gets discovered, all of your shares will plummet in value and your shareholders will be defrauded. Therefore, it is now a new requirement that within four days of any publicly traded company determining that there was any cyber security incident they determine to be material, which is their word for could cost us share price. They have four days to report from when they know it's happening. Bye for now.

[1:05:16] That would be lovely if that isn't what happens normally, right?
It is not, and that is largely because at the moment, I believe they have to report quarterly and they have to mention in their SEC filings that if they've had any data incidents, but it's only every quarter.
And we often actually do find out that for the first time that a breach happened in an SEC filing, which I think is terrible.
Like, that's not how we should find out, in an SEC filing by LastPass.
But, you know, I'm 80 percent sure we did. I think you're right, Allison.
I think that is one of the there was definitely a recent one where I was extra cranky because they didn't even tell us nicely that, you know, popped it into a.
They buried it, right? Yeah, exactly. It's like, yeah, I mean, there's a risk that I notice.
Yeah, there's a risk our CEO gets run over by a bus.
Oh, by the way, we had a big data breach.
You know, it didn't. I think it's a look over here. Shiny thing. Yeah. Yeah.
Yeah. So I thought it was interesting. Good to see the SEC making it clear that it actually is an existential issue for a publicly traded company. You really do have to be honest about these things for the health of your shareholders.
Now, I would say, how about your users?

[1:06:26] But you know, not all companies have users, so I guess shareholders do come into it.
The other thing I just wanted to put a fire extinguisher on because there's a story doing the rounds because it's clickbaity. ChatGPT finds dangerous Mac malware.
That's the headline I saw all over the place. I couldn't possibly phrase it better than Joshua Long.
So I'm just going to quote from Joshua Long's summary of the grand total of this non-story.
The research group essentially asked ChatGPT, hey, do you think there's more Mac malware out there?
ChatGPT basically answered, yeah, probably. And the researchers were like, okay, cool.
We'll go back to doing our jobs now and try to find some.
I saw the transcripts. More malware than what? Do you think there's more Mac malware out there than there was yesterday?
No, they asked whether there was any... Windows malware than...
Sorry, not more as in a greater quantity of, more as in that has not yet been discovered.
So they actually, they asked ChatGPT, is there undiscovered Mac malware on the dark web?
And ChatGPT said, probably.
So they weren't looking.
I think that the answer to that would always be, yeah, probably.
No matter what you put in the subject, right?
Right. Whether ChatGPT was confabulating or not at the time.
Yeah, probably.

[1:07:46] But it was amazing how much traction this got. I thought once there were screenshots of the conversation, it would be obvious there was no story here.

[1:07:55] But I saw stories with those shouty headlines with the screenshots.
And I'm thinking to myself, have I lost the ability to comprehend English?
Is there something in these screenshots that I can't comprehend?
But no, it was just the biggest non story I've ever come across.
So anyway, I'm guessing that had this come out and not the silly season, maybe it wouldn't have gotten the attraction that it got.
I don't know. It hit two hot button clickbait issues. Mac malware and ChatGPT.
That is guaranteed a headline. There you go. Put those two together.
And did I say I managed to find... you managed to find the palate cleanser, which you sent to me, and therefore I consider that I found it because it was in my inbox.

[1:08:35] Which is not how it works, but anyway.
I found a second one, too, I've just added that, while I'm describing this one, I will send you the, in the chat, in Zoom.
You should be able to follow along. Let me see if I can find that in the interface.
Oh, there we go. The first one is the classic books that people learn nerd stuff from are the O'Reilly books, and they always have an animal on the front, and then they've got the subject of like, learn Python in 30 days or whatever.
This screenshot from, let's see, phpc.social posted this on Mastodon.
The names of the books are hysterical. It's copying and pasting from Stack Overflow.
Googling the error message, trying stuff until it works.
And every one of these, they've got like, you know, a cow or a stupid cat or a chicken or something on it.
They're so perfectly in the style.

[1:09:27] Yeah, the animals are just so perfectly O'Reilly.
Because I thought they were real for just a moment. Then I was like, wait a second, I don't recognise those.
I like blaming the user, a pocket reference, essential, changing stuff and seeing what happens.
I mean, those would actually be great books.
They really would actually be quite useful. The O'Reilly books are such an institution that the book about Perl had a camel on the cover and people still talk about the ultimate guide to Perl being The Camel Book.
It's not known by the author. It's not known by anything else. It's The Camel Book.

[1:10:06] That's awesome. To this day, we've done some cool podcast series together and stuff.
But my proudest moment is still the fact that there is an O'Reilly book on Apache Tomcat, where when you go to the acknowledgements page, it says Bart Busschots, because I contributed.
Really? Really. I wrote the chapter on installing Apache Tomcat on Mac OS.
Wow. That's pretty cool. It is pretty darn cool. No one reads books anymore, but I still have a copy of the book, and I have a baseball cap that is O'Reilly that they sent me.
And unfortunately, the really nice hoodie.
Well, I wore it a lot, but now it is in a really nice hoodie.

[1:10:49] Well, after I do our second palate cleanser, I'm going to say what I'm most excited about that you, I made your day the other day with a post, but let me do the second palate cleanser.
Somebody called Math with Bad Drawings, apparently these people actually do books.
There are books called Math with Bad Drawings, but they did a post that I found it on Mastodon.
There's a link in the show notes, of course.
Is a handy guide depicting STEM majors. So it's a traditional flow diagram. It says start, and the first thing says, are you good with things like physical objects? There's yes and no. If you go down yes, it says, what are your feelings on safety? If you say you're for, you should go into engineering. If you're against, you should go into chemistry.
I ended up in completely the wrong field here, according to this diagram.
If you go into ambivalent, you get to chemical engineering. That's like, I could go either way on safety.
The other path is, do you like math and or money? And it gives you choices.
You end up in economics or environmental science, biology, finance, computer science, depending on how you answer these.
It's much funnier if you see it in the link in the show. I'm trying to find how does one get to be a computer scientist?

[1:12:07] So, do you like math and or money? Yes, comma, both is what gets you on the path towards computer science, which is already interesting. Do you prefer to perform overt, immediate evil or slow, indirect evil? Overt, finance, indirect, computer science.

[1:12:28] Is that fabulous? That is absolutely wonderful. I just love it. I'm telling you, I find the best nerd stuff on Mastodon. That's for Also from Jeff Atwood, who is speaking of Stack Overflows and stuff, Jeff Atwood is Mr Stack Overflow.
I did not realize that. So there you go. Tied it all together in a neat little package.
Well, I'm going to close this out with yay us, and us is you, me, and Helma.
The Mac Geek Gab has a Discord chat room, and they've got different things like cool stuff found, and a lovely gentleman named Chicago Tom, and I don't believe Bart or I know this person, wrote this. I thought some of the listeners might be interested in this very extensive tutorial that I found called Taming the Terminal. I actually am not unfamiliar with using the terminal as I worked on a Linux system for about 10 years before switching to the Mac, but I never really systematically learned all the little nuances and tricks that came with working in the terminal environment.
This tutorial has been wonderful as it starts at the beginning and walks you through all of the things that you miss when you just jump in and start hacking around.
The tutorial is available in many different formats, there's a podcast of the same name that is available on Apple Podcasts, and probably other places to go with it, so you can listen, read, or listen and read.

[1:13:50] Did that make your day or what, Bart? I believe my answer to you was, if we'd written this ourselves, we couldn't have written a more perfect review.
You know, it is a real book, and you can buy it. Well, I've got a copy of the physical book, and so do you, and so does Helma, which I never actually publicized how to do this.
But we should make that the inserted testimonial by Chicago Tom. Why you should buy this book.
No, it really, really brought a smile to my face. I was like, Oh, that's why we put all the effort in. Yay! And it's proving very evergreen.
It definitely is. Well, they picked a good topic for it, that's for sure.

[1:14:26] All right, Bart. Well, we're actually going to be back in a week.
Or you're going to be back in a week. I'm going to be back on my own. I've completely lost track of when we're doing what. But anyway, yes, I will be back to you soon. There will be more security bits. I'm hoping stuff happens.
Actually, no, I'm not. I'm hoping I give you a really boring file where I read the phone numbers from the phone book or something to you. Yeah, we're okay for content, so if it's a short one, make it a short one. Understood. And remember folks, like the Five Eyes tell you, stay patched so you stay secure. Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com any old time you like? If you have a question, a suggestion, or even a review, just send it on over. You can follow me on Mastodon at podfeet at chaos.social.
Remember, everything good starts with podfeet.com. If you want to join the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon, or you can be cool like Owen and do a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, don't go there on August 6th, but you can go there on August 13th, by heading on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the, with a friendly and enthusiastic...

[1:15:44] Music.