NC_2023_09_03

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com



[0:00] Music.

[0:09] Bias. Today is Sunday, September 3rd, 2023 and this is show number 956.
Well, we finally have the announcement date for the next Apple event. It will be 10am Pacific Time on September 12th. And as always, our chat room will be open for everyone to join in the fun of bantering back and forth about what we see and hear. You can join that chat room at podfeet.com slash chat. Now there's a little bit of bad news. Steve and I will be on a plane during the announcement and we probably won't be able to join in the fun.
I mean, it's possible we're going to be on a plane, that you can pay for Wi-Fi, I don't know if you can pay to watch the video, and being in the chat room without knowing what everybody's talking about, that might be sad, so I don't know whether we'll be there or not.
But I'm not too sad about it because the plane will be taking us to Texas to meet our sweet baby grandson Teddy for the first time.
As always, we will make sure that people are in charge to keep you all in line, and I think I've dedicated Sandy to being in charge of making sure everybody behaves themselves in the chatroom.
Now, we've never had a problem with anybody misbehaving, anything beyond maybe what Kevin does in the chatroom anyway, but it's good to have someone in there who can moderate just in case.

CCATP #775 — Bart Busschots on PBS 154 — Bash: Expansions & Brackets Redux

https://www.podfeet.com/blog/2023/09/ccatp-775/


[1:19] This week on Chit Chat Across the Pond, Bart Busschots joins us for Programming By Stealth again with the final installment of our mini-series on Bash.
He explains a few new concepts, but the real value of this installment, and especially his fabulous tutorial show notes, is that he compiles a lot of information into some tables for us to use as a reference for the future.
As with all good programming, Bart is scratching his own itch.
He wanted a single place to go to know which brackets mean which thing and which ones do you have to cuddle versus not cuddle.
He also wanted a table of the order in which Bash processes the seven distinct types of expansions.
So, we're closing out Bash, but Bart has a new miniseries on the horizon for us all to look forward to.

Why Might Apple Create a Titanium iPhone?

https://www.podfeet.com/blog/2023/09/titanium-iphone/


[2:02] Well, it's the time of year when the wild and unsubstantiated rumors about the new iPhone and Apple Watch are resolving into slightly less wild and more substantiated rumors.
In less than two weeks, we'll know what's coming, but the frenzy doesn't slow down just because we'll know soon. One of the rumors is that Apple is going to eschew the stainless steel rumor on the iPhone in favor of titanium. The Apple Watch Ultra comes in titanium, but they don't tell us which titanium. They only call it aerospace-grade titanium.
As a mechanical engineer in my day job for many years, I had the opportunity to choose materials to build things, so I know a little bit about why you'd make the tradeoff between steel, aluminum, and titanium. And better yet, I feel the need to share a bit of what I know.

[2:47] Metals have a few properties to consider. In military devices like what I worked on that often went on aircraft, and in commercial electronics like iPhones, a big consideration is trying to make the devices lighter without sacrificing strength.
Now, weight is a function of how dense a material is, which is mass divided by volume.
In metric units, we use grams per cubic centimeter to define density.
So let's take a look at three materials and see which ones we should use to make our proposed iPhone based entirely on density.
So it won't weigh down our purses so much.
We're going to compare three metals. First, aluminum alloy, which is a blend of aluminum with just a dash of magnesium and silicon. For the nerdy amongst you, I'm going to be using 6061-T6 specifically, but don't worry your pretty little head about that if you're not into material specifications. I like this one because I actually remember specifying 6061 on my drawings back in the early 1980s. Our second material is going to be stainless and in this case I'll be using 301 for the properties I'm going to be quoting.

[3:51] Finally, we'll be looking at titanium, and I'm going to be using Ti-6Al-4V.
The Al and the V stand for aluminum and vanadium that help to make the titanium alloy.
Now, as I said before, Apple simply says aerospace-grade titanium, and the ASM folks that I'm going to be quoting say it's good for blades, discs, rings, airframes, fasteners, and components, vessels, cases, hubs, forging, and biomedical implants.
That sounds like it's probably good enough for our uses, right?
My main source of data for this exercise is from asm.matweb.com.
ASM stands for the American Society for Materials, and I gotta say, I bet their conferences are a hootin' good time.

[4:35] Now, I'd also like to point out that I cross-referenced as much as I could from the book my father gave me shortly after I graduated from college.
The book he gave me when my mother wanted to give me a dress of all things. Can you imagine?
Anyway, the book is Mark's Standard Handbook for Engineers, 8th edition, published in 1978.
I think they're on the 11th edition now. The specific table I used for cross-referencing the materials information is on page 6-11. I wasn't able to cross-reference nearly as much as I'd hoped, as apparently materials have advanced since 1978.

[5:09] Okay, with my sources duly referenced, let's get into the good stuff.
If we look at the density alone of the three materials we've chosen to try to find the lightest one, we find that the aluminum alloy has the lowest density at 2.7 grams per cubic centimeter. Steel comes in at over 8, and titanium comes into the middle at 4.4.
Clearly we should use aluminum for our fantasy iPhone because it has the lowest density, right? Slow down there, Skippy. There's more to the story than just the density. What if

[5:39] aluminum isn't as strong as the other contenders for the same volume? Don't you want your iPhone's frame to be strong? One measure of strength is called ultimate tensile strength. I love

[5:50] that name because it sounds like one of those shows with people fighting for physical supremacy, doesn't it? Well, strength is measured in freedom units in psi, or pounds per square inch, but in the rest of the world, it's measured in megapascals. Now a pascal is one newton per meter squared, and a newton is one kilogram meter per second squared. But that's way more than you wanted to know, isn't it?
Well, sorry, I couldn't help myself. I did think about multiplying out all the units and figuring out the full thing, but I'm not going to do it because we want to get back to the plot at hand.
Okay, so how do our three materials measure up in the ultimate tensile strength contest?
Our previous fan favorite, aluminum, comes in at a paltry 310 megapascals, while stainless steel comes in at a strong 862 megapascals.
But don't count out titanium yet though, it finishes with a winning 950 megapascals.
It's more than triple the ultimate tensile strength of aluminum.
So now we have a quandary. While aluminum has the lowest density, titanium is the clear winner when it comes to ultimate tensile strength.
How do we decide? Well, the answer is to calculate the specific strength.
You're going to absolutely love this one. The unit for specific strength is kilonewton meters per kilogram. I am not making this up.

[7:11] Now, while the units are clearly getting out of control, calculating specific strength is trivial.
We simply divide our old friend, the ultimate tensile strength, by the density.
Our three contestants, aluminum, steel, and titanium, come in with these final stats for specific strength.
Aluminum alloy 6061-T6 gets 115 kilonewton meters per kilogram, so 115 for aluminum.
Stainless steel comes in second at 107 kilonewton meters per kilogram.
Titanium, though, wins the battle for the materials at over 214 kilonewton meters per kilogram.
Now that we know that titanium is the clear winner in the materials battle, what does this really mean?

[7:55] If Apple chose titanium for the next iPhone, they could keep the exact same frame design and swap out the heavy but relatively strong stainless steel for titanium.
Since titanium is less dense, the same size frame would be much stronger.
Alternatively, they could choose to make the frame thinner while maintaining the same strength.
But the last thing to take into consideration is cost. Titanium is a lot more expensive than stainless steel for a couple of different reasons. First of all, titanium is rarer than the elements required to make stainless steel, so the materials cost alone would make the phone more expensive.
Titanium is also much harder to machine. Machining the same iPhone frame out of titanium would increase the cost of making the device. We've heard rumors of an increase in the base price and this could be one of the reasons why. I don't know what Apple will do with the next iPhone, but I hope you enjoyed my little lesson on why titanium might be in our future for more than the Apple Watch Ultra.

A Tale of Three Microphones — by Jill from the Northwoods

https://www.podfeet.com/blog/2023/09/three-mics-jill/


[8:53] Let's cleanse our palate from all of this material science discussion with a little conversation from Jill from the Northwoods. She's going to join us to tell us about three microphones she's been using. Now I want you to listen carefully to this because as she introduces each microphone, she's actually switching to the mic she's telling you about.
Hello, this is Jill from the Northwoods. When I got started in podcasting, Allison was so great, helped me in so many ways, and gave me advice on things I knew nothing about, including microphones. The first microphone I owned came as a recommendation. It was the ATR 2100. This microphone, as she told me, built the podcasting world. It was the one that many people started with, and it was something that was widely available, low cost, and sounded great.

[9:47] I jumped all over that. That was exactly what I was looking for. Am I going to like podcasting?
Am I going to keep up with it? Or am I just going to quit as soon as the pandemic's over with?
So getting a low-cost microphone that is reliable, durable, and has been proven to be great for podcasters was right up my alley.
And so that's what we're going to talk about today. My tale of three microphones that I own, and maybe it'll help you pick the right microphone for what you're looking to do.
So here I am on my ATR2100 microphone, my first microphone. Don't you always remember your very first microphone?
I know I will.
This is made by Audio-Technica and it is, again, the microphone that started the podcast movement.
It has both USB and XLR, that's why I liked it so much too. Allison said I could use it everywhere.
I could plug it directly into my Mac and then when I get to be a sophisticated XLR user, I'll be able to plug it into an audio interface.
So it has everything.

[10:53] This is a dynamic microphone, and honestly it worked great regardless of where I plugged it in. Back in the beginning of my podcast, I plugged it directly into my Mac; now that I have a Scarlett audio interface, it also works great.
It has a microphone jack right on the microphone so that you can plug your headphones in and monitor, which is important, so that you can hear what noises are coming in, how you sound, and it helps to get rid of all the extra noise that's not directly near the microphone.
So you can hear things that are coming in close to the microphone, but it drastically falls off when I back away or I go side to side. It helps make sure that your podcast sound is very quiet.
Has a nice on and off switch, which is great in case you want to make sure you turn it off.
And again, it's very durable. You know that this thing is just going to outlast everybody.
I felt in the end that it made my voice a little bit pitchy. Maybe we'll hear it on this podcast, maybe it was just my imagination. So I ended up deciding to move to my next microphone, which I also got based on Allison's suggestion: the Shure SM58.

[12:07] And the reason I got this microphone is it came with the Shure MVI digital audio interface. This was going to be my next step.
It gave me the ability to plug in an XLR cable. It also had a mute switch, which I really wanted to have. Allison talked about the power of having her mute button, compression, gain control, how much you're gonna boost the sound, mute, and that volume.
It also has what is called phantom power, which helps, again, power the mic, which makes sure that your sound is loud enough without boosting the gain too much.
I'm not gonna get too nerdy in all of this.

[12:44] But I wanted the interface, and so this mic came with it. And I did end up in the end liking the sound of my voice with this microphone a little bit more than I did with the ATR.
With the ATR, I thought it was a little bit pitchy, but this one seemed to have nicer tones.
I liked the darker tones of my voice too, and I thought it enhanced those tones better.
Then that led me to buying the Shure MV7 podcast microphone.
The reason I got this one is first of all, it was a lot cheaper than the very high end version, the SM7B, which is probably the most expensive of the Shure microphones used for, at least podcast recording.
But this has a pop filter built into the microphone and it allowed me to get away from all the contraptions.
I felt like I kept whacking into things and making a mess and getting whacked in the face with the pop filters. This doesn't need it.
So this was allowing me now to have more control over my voice.

[13:45] It sounded great. I thought that this had such a good tone to it.
Like the SM58 and the ATR2100, my other microphones, this is a dynamic microphone.
They say it's broadcast quality. I think the other ones were good broadcast quality too, although I did like my voice the best on this one. Again, I'm probably going to listen back to all these recordings on these different microphones and find out there wasn't any difference between any of them. This also has the XLR or USB interface on the back end, so I can plug it in directly to my Mac or I can plug it into an audio interface like the MVI or the Scarlett interface, and that way it will be able to get that better sound, which some people say you have when you're using the XLR cable versus the USB cable.

[14:39] But after doing some research for this particular podcast, I heard a lot of people say they heard no difference between the two. Now again, I'm not an audiophile, I'm not a sound engineer, just a normal nerd trying to put out a podcast. The microphone itself has some level controls on it, some volume. I can see whether I'm peaking directly on the microphone, although it's kind of weird because if I'm looking at the microphone then my face isn't in the right position to actually talk. So I haven't found that to be too useful. And it also has the ability to plug, again, monitoring headphones into the bottom of the mic. The mic also has a mic mute, but it's

[15:16] easier for me to control the mute through software than it is through actual buttons on the microphone. Primarily because, again, you're looking at your material that you're talking about on your podcast instead of looking at the microphone itself.
It has an interesting sort of a swivel mount to it.
The other microphones were just kind of your standard stick microphones that go into a bracket.
This one has a little bit of a curve to it. There'll be pictures in the show notes.
And so it allows a little bit more, what they say, versatility because you can kind of tilt it and angle it.
I found getting those other two microphones to be in the right position sometimes a little tricky. The way that this mount works, I can easily tilt it and angle it exactly how I want to angle it.

[16:01] People say that it has good tones. I thought so too. Again, I thought my voice sounded better in it.
When it comes to all the Shure microphones, the SM7 and this Shure MV7, you can use the MOTIV app, which comes on Mac and on iOS. Plug the microphones directly into those devices using USB, and you have some onboard controls. You'll be able to change how much gain is coming into the mic, and it even has some EQ settings and some other types of voice warming and other kinds of settings that you have only when you're using these mics in a USB situation, like plugged directly into your Mac. And I thought that was neat how you had all these settings, but as I was doing more reading about it, people were saying specifically not to use those settings, primarily because whenever you change a setting on the recording side of things, it's what they call destructive, which means you can't get it back. So if I were to limit my tones, change my tones on the mic itself using the software, I can never get back exactly what it did.
If I change those tones in the editing process using something like the filters that come on Hindenburg, some filters that exist through Apple, and something like iZotope, where it allows you to edit your software, get rid of breathing and other types of problems.

[17:31] Those types of edits are not destructive, which means if I went too far, I noticed on some of my podcasts the last syllable of my words were getting clipped, I could go back and fix that and try to make it better without actually destroying the recording at all.
So you have a lot of editing power.
The only time they say that you should use these various Shure settings is if you're recording something and you're not going to have time to do any editing.
They're pretty darn good.
So if I'm going to do an ad hoc podcast on the road and I'm immediately going to post it and send it out, those settings on the microphone are going to be great for giving me a better sound without doing any editing.
So this is my favorite mic. I really enjoy this mic, and I have no urge to buy another mic, thank goodness, than the one I have.
So there you have it, my tale of three microphones.
Hopefully it gives you a good idea of maybe what kind of microphones you want.

[18:31] Even if you're interested in other brands, you can see side-by-side what different levels of microphone sound like, what kinds of things a more expensive microphone will give you, and whether or not it's worth taking that leap going from USB to XLR, those are those big thick cables, and whether it's worth your time. And I hope this review helped you in deciding what kind of microphones maybe you want to get. Do you want to spend money or do you want to stick with the microphone you have? It's a complicated and trying dilemma when you're trying to have a podcast that sounds really good. And if you have any questions, you can always look at the blog articles on Allison's website or

[19:13] email me at jill@startwithsmallsteps.com. Thank you very much for listening and let me know what you think. When I normally talk about how to

Support the Show

https://podfeet.com/patreon


[19:24] support the show, I talk about the heroes who donate money to help cover the costs of the podcast. But today I want to highlight a real hero, and it's Jill from the Northwoods.
She contributes regularly with content like what you just heard and really comes through for me to be able to make sure that I can take a break from time to time. You just heard her excellent review of her three microphones. She's got another mic review coming up and she's also recorded a segment about a really nifty tool called Notion that she's been teaching to me.
Now, she has two podcasts of her own, and she works full-time, and yet she steps in to help you have a great show when I go off on travel.
If you'd like to be a hero like Jill, pick up a microphone and tell us about some cool tech you enjoy.
I have at least four more mini-trips planned in the next few months, so you have lots of opportunity to help out.

Security Bits — 3 September 2023

https://www.podfeet.com/blog/2023/09/sb-2023-09-03/


[20:16] Music.

[20:32] They are, but a lot of it is basically me having the freedom to put in stuff that was cool, rather than a ooga ooga hair on fire. So I prefer these kind of full tune-outs.
Okay, okay, that's good. I was a little worried when I saw so many deep dives, but you know, I love a deep dive.
I'm focusing on them, actually. I'm giving them, I'm biased towards them, in the good kind of bias.
Well, it's fun because it's context. You know, it's not just a listing of facts, it's context and why do you care and why do you not care?
Yeah, which is kind of more important, I think, because I was thinking about this.
And in the early days of this segment, it used to be the case that there were people in our audience who we had to catch their attention and say, Oi, if you meet blah, blah, blah criteria, you must dot, dot, dot.
It was like, we had to reach people so they could protect themselves.
But nowadays, if you just keep your machine in its default settings, it's out to protect you. And so it's a long time since we've said to people, drop everything.
If you do this, you must do whatever, which is great. It's matured. And so now we have the freedom to talk more generally, which is nice. A lot more fun.

[21:47] We have a section called feedback and follow up where we talk about stories, but I want to feedback and follow up on something not in this segment.
Cheater. Yeah, kind of, but related, because it deals with the microphone dropout issue we had and a fantastic segment contributed by one of our amazing NosillaCastaways. So yeah, it was in last week's show. It was actually already played, so the listeners have already heard it. But I was blown away, not just by the quality of the presentation, but by how cool the physics is.
So this was by Andy Dolph, by the way, is who he's talking about.

[22:28] Yes. And yes, in last week's show, which is number something. Well, we should link in the show.
No one knows. And certainly not me. Fair. But it's just like, you know, with my physics education, just the experience where you take the signal and you invert it and then you take it away from itself and all the noise disappears. And I was like, oh my God, that's amazing. That's just so clever.
Yeah, I love that explanation because it accounted for two things, not just why your audio dropped by 50%, but why when Auphonic boosted it, why was it so noisy? That didn't make any sense to me. Why didn't it handle the noise floor? Well, it's because it had more noise, it had that induced noise, and I didn't realize that was induced noise either.

[23:14] Yeah, so because you send the signal twice, one of the two copies goes away, and that gives you half the volume. And because it's not doing its magic cancel-it-out thing.
Yeah, there's all the noise. And then you're, of course, being forced to amplify the half-strength, half-quality signal. It's kind of a hiding to nowhere there. So I believe it is not my cable. I believe it was a loose connector, which is of course going to have exactly the same effect, because the electrons were not flowing on half of my wire.
Because there's four pins, would it have to be two pins that weren't connected for that to happen?
Maybe Andy will come back and tell us more. Well, would it be if what Andy described was for a channel and there are two channels, wouldn't that mean four pins?

[24:03] Right, but I'm saying in order to cut it in half, would it have to lose two pins?
Or would just one pin not quite connected?
But the way we had the way I do my audio, you only get one channel from me.
I split them in half. I go on the left, you go on the right. So I think there's only one channel coming to you.
I have no idea. Anyway, yeah, yeah, help! Even though we're the podcasters, we're still going to our listeners. Now, the thing to know is Bart is not being recalcitrant and refusing to buy another XLR cable, because they aren't that expensive. The problem is the boom arm that he purchased. And we'd like to try to blame Alistair for it, but it's not entirely Alistair's fault.
Alistair recommended a boom arm and did a review for the show, and Bart bought the more expensive version. But the more expensive version has the XLR cable fully encased.
And I didn't believe Bart. I made him help me, and actually Alistair helped me, find the exact boom arm he bought. And sure enough, the website for this boom arm says, cut the cable off, solder on a new connector. Like, because you cannot get the, you can't get the cable out.
Yeah, it's completely encased and they call this deluxe. Yeah, and they call this the deluxe model.
If I bought the cheap model instead of the deluxe model, I would have had a better arm.

[25:20] Yeah. Yes. Hopefully it's not the cable, because if it is, it does end up being the cable.
And we recorded a full show yesterday and other than some other kind of weirdness involved, no audio dropouts.
So maybe, hopefully it was the just a loose connector.
My suspicion is because I, the day before, while I was in this office for work, I accidentally swung my backpack into my boom arm and I think I actually knocked it, the connector.
And when I went to fix it, what I actually did when it fixed itself was I, I reseated the connector.
So it happened twice in like over the course of a week or so. It did.
But the other thing right next to the connector, like right next to the connector, is a twiddly knob for a hardware gain dial. And when I moved that, it felt wrong. It's kind of hard to describe. It didn't feel... it didn't feel like it twiddled correctly. Yeah, it just felt wrong, and then it sort of snapped into a new position where it felt not wrong.
As if it was, you know the way they're spring loaded, it was as if when I banged the mic, I had actually dislodged that in a bad way. Anyway, it all feels right, and it was fine yesterday for an hour and a half, and I'm touching nothing. Allison's watching on the mic, I'm being really careful not to stick my face into the mic today. I have coffee, I'll hold my coffee.

[26:46] Anyway, yeah, thank you very much to Andy. That was terrific. I really enjoyed it. And as I said last week. I had to listen to it twice, once alone and then once with Steve. And Steve was just nodding his head the whole time, having a background in signal processing and stuff. So he was like, yep, yep, yep, this all makes sense to me.
And I was cycling along with my physics head nodding along going, cool, cool, ooh. So yeah, nice one. So we have some follow-up. More traditionally, we talked last time about the app NightOwl turning naughty.
And of course, as always happens the day after we record, I read the best summary of the whole saga with all of the detail and exactly what happened.
The bottom line is we were correct.
It's slightly more nuanced, if you care. It wasn't explicitly a botnet, but it's really dodgy.
Thank you.

[27:39] Look, we said uninstall it, uninstall it. But if you're curious to know exactly...
...it too. So that was double proof.
That was double proof. Exactly. He was he was selling access to a service that is officially legitimate, but everyone knows it's not.
So you can buy a service where you get a proxy that is people's home IP addresses, which means it's not easy to block people who use this proxy.
And that proxy, those kind of proxies have one use and one use only.
It's for doing denial of service attacks, because you appear to be coming from domestic IPs.
So everyone knows these services are only used for evil purposes, but they are technically speaking legal services. It's just a web proxy.
But anyway, icky, icky, icky, uninstall, uninstall, uninstall.

[28:32] We also have talked quite a few times in recent years about Apple's very controversial and then abandoned sort of attempt at doing a hybrid version of scanning iCloud photos.
They didn't really want to scan your photos on device, and they definitely didn't want to break their end-to-end encryption and scan the photos in the cloud.
So they sort of said, well, we won't scan them until after you've configured it to send it to iCloud, and then we'll scan it on your device between it being sent to iCloud and it actually leaving your device. We'll do it in that little gap, which is technically still on your phone. And it was very nuanced. And they got a lot of people who are pro child protection praising them and a lot of people who were technologically minded and pro security, encryption and privacy shouting stupendously loudly. And in the end they went, yeah, never mind. And they did other things, but they didn't do that. And now out of the blue, a new group has formed with a fairly substantial budget, and they have decided to go make a lot of noise to try to pressure Apple into starting it up again. And Apple answered with basically, this was a bad idea. We abandoned it for a reason. We're not starting it up. So they went, fine, then we're having a big campaign against you.

[29:51] So we shall see what happens. What's a campaign? Well, are they marching around with signs, or...
Oh, media and stuff, right? Twitter. Okay. Yeah. So media campaign, contacting politicians.
I am sure it's massive lobbying going on, right? Because that's how you get companies to do things.
You make politicians shout at them, hold them up in front of committees, that kind of thing.
So we shall see where it goes. But yeah, there is money behind it.
So some stuff will happen.

[30:18] Okay, that's what's going on. Anyway, deep dive number one. So there were a whole handful of stories, and this happens every August. None of these stories individually are really all that exciting, particularly when we apply the filter for this show, which is I'm supposed to be telling you things that are useful to regular folk about security. And none of these stories are anything anyone needs to worry about. But all of these stories made the media, they made the media with fairly shouty headlines in some cases.
So maybe people are worried about it because they did hear about it.
And if it was just one, I would have went, yeah, we'll forget about it.
But there's loads of them because August is a special month in the security calendar.
It's when loads of the big conferences are on, including DEF CON and Black Hat.
And so, even though a lot of stuff happens at the conferences, even security researchers who don't make the conference still like to release stuff at this time of the year, because the media is in a security mindset.
And frankly, there's very little else happening in the world.
It's the middle of what the media called the silly season.
So it seems to be a good time to release security stories. And of course, if you can wedge the word Apple into your story, you will get headlines.
So I thought, well, why don't we look at these stories? And because they are all like, it's really good computer science.
It's not that these stories aren't worthy of an audience.
It's just they shouldn't be in the news feeds of regular folk trying to make them think something scary is happening.
Because there isn't anything scary happening, it's just good computer science happening.

[31:48] So if there had been actual stories of bad things happening, these probably wouldn't have made the news, because they'd have had something else to talk about.
Yeah, exactly. It's sort of like, don't believe anything you read on April Fool's Day.
Kind of, yeah. And like I say, these stories are not true. They're just...
There's no need to worry.
And they are often interesting, because again, these are what's going on in the cybersecurity world. Some of them develop into a problem.
And if they do, then I will tell you to take some sort of evasive action.
But for now, you know, first takeaway, don't panic. Listen, enjoy, but don't panic.
So the first bug that caught my eye... it's one of these bugs where...

[32:36] The Mac does its very best to protect you even when malware is already on your machine.
So it goes kind of above and beyond normal security you would have in most operating systems and tries to give you an extra layer of protection.
And so a lot of the times when security researchers break Apple stuff, they're breaking this extra layer.
And that's not good because you want the extra layer because you want defense in depth.
But because you have defense in depth, just breaking that extra layer doesn't really end up with an ooga ooga ooga.
So, the actual story here is, if you already have malware on your computer, which is already a very bad start to any sentence, because you kind of already have a problem, but if you already have malware on your computer, it will be no more secure than a fully patched Windows machine, because the extra layer of security can be bypassed.

[33:30] What's not good? And we should, you know, it's good that it was discovered. It's good that it's been detailed. It's good that Apple have the facts to help them improve the design of their future OSs. But it's not set your hair on fire. It's like Apple had extra protection. Now they just have normal protection. Okay, I guess that was the point of extra. So we've talked about that before, as there being a moat and a drawbridge. And so maybe the moat got breached, but the drawbridge was still there.
But why do you say it's only as protected, without that extra layer, it's only as protected as a fully-patched Windows machine? Are you saying Windows doesn't have extra protections?
I would imagine they do. It doesn't have, no, they don't. So the Mac has inherited slowly the iOS-style deep sandboxing between apps, and Windows hasn't inherited that.
So Mac apps... Okay, so just a specific type of extra layer. There are extra layers on Windows, certainly.
Sure, but I'm not aware of a layer that Windows has that the Mac doesn't, but I am aware of layers that the Mac has that Windows doesn't, which is why I say extra.
I got you, got you. Okay.

[34:41] So certainly Apple will go, the nice thing about this is Apple will go after it, right?
Right, and the other thing is, so this has now been described, and at the moment there are no actual attacks of any kind against this vulnerability, and should there ever be some, Apple have things in place to block developer certificates and so forth.
So if you make sure to keep XProtect turned on and if you don't install random stuff from random parts of the internet, the chances of this affecting you are effectively zero.
But it's important that this is known about because if it isn't known about, it can't be addressed.
So again, it's good computer science, but don't set your hair on fire.
Another one that's kind of interesting was from the guys over at Jamf.
So Jamf is a company that do powerful, sort of, I would say corporate level, but that's not quite the right word, because they're very heavily used in education as well.
But they do management of large fleets of Macs. If you have many Macs that you need to look after, Jamf is an amazing tool to help you do that efficiently.
And they have a lot of really good nerds, in the best possible sense of the word, working for them.
And they also do a lot of stuff in the area of security, for obvious reasons.

[35:56] And they came up with an interesting set of attacks where they basically poked around inside of iOS, and they found the various unpublished APIs that the operating system uses to control the display of the little airplane icon when you're in airplane mode and those kind of things.
And on a jailbroken phone where they had already installed malware, they were able to make it look to the user like the phone was in airplane mode while it still had internet access.

[36:26] Oh. So the theory is if you were doing some really targeted malware against someone who was particularly valuable and you managed to use one of these grayware things like Pegasus to get yourself deep access into this person's phone. They would be the kind of people who would turn the phone into airplane mode when they were trying to do something they wanted to be sure was definitely not being spied on. But you could make them think you weren't leaking any data out when you were actually leaking out their data. So for a very small subset of people, it's important that this be known about. What we don't know is basically... The research starts with, assume you can run any code you want on an iPhone.
Which again is why it's don't set your hair on fire. This doesn't get the attackers to that point, but it is really interesting that it is possible when you get to that point to play these kind of shenanigans.
I imagine Apple's lockdown mode is going to harden those APIs.
Because now that Apple have been told that we can mess with these APIs in ways you didn't expect, well the cat and mouse game just flips over now.
And now it's basically saying, right, Apple, over to you. Now you need to make these APIs more robust so that we can't play these shenanigans when we manage to get arbitrary code execution on the iPhone.
And maybe that's actually the real takeaway. It's a cat and mouse game, and there's batting over and back between the cat and the mouse.

[37:52] So I wonder whether with the... yeah, that is an interesting one. I wonder whether it just shows the little airplane mode icon lit up, but if you went into System Settings, Wi-Fi, would it show the Wi-Fi toggle as being off? I was looking through the article to see if I could tell.

[38:11] Basically, if you go into the Settings app you won't be fooled, but if you only use the pull-down, so you know, the convenient pull-down. From Control Center.
Yeah, so Control Center is fully fooled, but the Settings app is zero fooled.
But I'll be honest, I rely on the pull-down. You know, I do, but I swear about 95% of the time I still have to go into the full settings to do something.
I mean, if I had just done that, if I'd set airplane mode, I don't know.
That's an interesting one, though.
Have you discovered that very, very many things in the pull-down, when you press and hold, give you a deeper pull-down?
Yeah, but that's exactly why I end up going into settings, is because it works so badly.
So if you're, let's say my iPhone has connected to the wrong network in my house.
In theory, I can hard press on the little Wi-Fi icon, and then I can press again and select a different Wi-Fi network.
But what it always, always, always does is just turns it off.

[39:11] I mean, I press and hold, I try really hard. I have on occasion succeeded in getting it to give me that menu, but almost every time I try to do it, it just turns it off. So it works poorly.
So I end up going into settings.
Interesting, because there was a time, before I realized that you could tell the Mac to organize the importance of networks, where I was going in there once a day, every day. And I did it through Control Center every day.
And it worked reliably for me to switch networks, you're saying.
Yeah, because basically I come home and it would pick the wrong one.
But if you go into your Mac and reorder them by dragging them around, the iPhone obeys.
Because iCloud syncs it.

[39:50] So once I did that, I haven't had to do it in ages, because now it behaves correctly.
Here's another tip while we're in the middle of that. Press and hold in the middle of that entire box, the one that has the airplane and the cellular and the Wi-Fi and the Bluetooth.
If you press in the middle, then you can see all of them and you actually get more information.
I think I did this as a tiny tip, but that reveals two more, Personal Hotspot and AirDrop.

[40:18] So you can change AirDrop to Contacts Only or temporarily everybody.
That's actually really important now that Apple have defaulted AirDrop to turning off after 10 minutes. That's just become extra powerful.
I got a tip from a tour bus driver in Brazil.
He said, "I want to send you guys all this photo of the Iguazu waterfall during three different conditions that I put together. Here's how you turn on AirDrop for everyone." And I just cracked up. I was like, I didn't know that.
That's cool. That's cool. Excellent. It's interesting that someone who deals with tourists is really good at moving files around between iPhones.
That's... Yeah. Right. I see how they would get that expertise.
And very sad for the Android people. The Android people were just sitting there with their hands folded looking sad, not getting anything from anybody. I felt bad for them.
Oh. All right.
Moving on. Next up then, we're back to macOS for this one. So macOS Ventura introduced a new notification that I think most people mentally tune out.
When you install an app that runs in the background, you get a little notice saying such and such just installed a background process.

[41:30] And I think most of us ignore those pop-ups completely. Well, it is possible to make something run in the background and not give the pop-up.
Oh, oh, okay.
So, you know, again, Patrick Wardle discovered this one, which is, I love the fact that he's still doing his thing.
And again, it has now been shared, therefore Apple can tighten up that API and stop the leakiness around the edges of the API.
And then the last one is potentially one that everyone should be kind of aware of, but I wouldn't worry about it too much anyway.
So at DEF CON, and it's always fun at DEF CON to try to do something practical, because everyone at DEF CON knows that everyone at DEF CON is hacking everyone at DEF CON, and so everyone at DEF CON is trying not to get hacked.
They invented something called the wall of sheep in the early days when people didn't really realise passwords are floating around in plain text.
And it was a giant big screen where every plain text password on the network was displayed on the screen and you could basically see your username and your password.
And if you ended up on the big board, you were a sheep, the wall of sheep.
It was great fun for awareness of why there's HTTPS everywhere.
So it's always fun when a researcher can do something that affects people at DEF CON who have their phones locked down, who are doing their absolute best to be secure because they know everyone's trying to hack everyone, and still succeed in making something unexpected happen. That will always get attention because it's cool.

[42:57] So you may or may not know that if you bring your iPhone physically close to an Apple TV that's in setup mode, your iPhone will get a pop-up telling you to configure the Apple TV.
Which means this is way easier than the old way of doing things, and that's done over Bluetooth protocols and it's triggered by proximity.
So the researcher wondered, how hard would it be to pretend to be an Apple TV?
And it is triggering these pop-ups on random people's phones.
And what equipment would I need? And would it be expensive?
Now, it's not pretty, but he was able to jury-rig together a rig for about $60 that, over a much bigger distance than you would expect because it boosted the Bluetooth signal, was able to make the pop-up appear.
Oh, wow. And in theory, he thinks you could manipulate the pop-ups to make it give you the one asking you for your password and to possibly intercept that password.
So hypothetically, if people were inclined to type their password into a pop-up they weren't expecting and a TV that isn't theirs, maybe you might get a password.

[44:09] So, imagine planting one of these in a hotel next to a real Apple TV.
That might be a scenario where you have a chance, yeah.
Like I say, with a bit of playing with it, where you're expecting to try to talk to an Apple TV and it says, oh, you got to give me your password first, oh, okay.
I think if you didn't have an Apple TV as part of the intention already, it would be unlikely to... It'd be a little harder.
Yeah, the social engineering is a high bar. You have to be clever, but I like your idea.
Yeah, you're thinking the right way. You're thinking like an attacker now. It's the evil.
Yeah. Well, like I say, yeah, so like I say, no reason to panic.
But this is going on and it's part of the normal process of making all of these things more secure.
This is how it works. Sausage being made.
So deep dive number two is me having a little bee in my bonnet and deciding to treat this as an opportunity to remind us all that clickbait is everywhere.
And a lot of the clickbait is factually not incorrect, but nonetheless deeply misleading.
And so I picked a story that just made me cranky because if it wasn't the silly season, I don't think it would have been a big deal, but it was everywhere.

[45:26] And it's harmless in the sense that no one's going to die and it's not going to be the end of civilisation, of all the things doing the news, that's clickbait.
So much of it is so much more ick. This one is like, this is a good example. Let's just have some, let's just dig into this a little bit. So for a couple of days, I couldn't turn on my phone without reading a headline somewhere that our Apple Watch and our Fitbits were going to kill us all because of bacteria. And the headlines, like they were like, there.

[46:00] There is truth to this story. Some genuinely good science was done and there are interesting results and I'll get to those in a minute, because I actually think we can learn something from this. But I'm going to start with the headlines, because goodness gracious me, are they completely off the wall.
"Apple Watch, Fitbit Wristbands Carry SHOCKING Levels of Bacteria: EXPERTS." Now shocking would appear to be what the experts said. So I decided, let's start at the journal paper, because it's public access and we can read the whole thing, and do a little Command-F and look for the word shocking. It is not in the paper. So the experts did not say it was shocking.
The other word that kept on coming up was hotbed. "Apple Watch and Fitbit wristbands are 'hotbed' for harmful bacteria, study reveals." Now they actually use quotation marks around the word hotbed. So do you think when I did a Command-F in the journal paper, the word hotbed was in that journal paper? Of course it was not.

[47:04] That, to me, is deeply misleading. That must be contagious, though, because we also have "Apple Watches and Fitbits are 'hotbed' for harmful bacteria that cause 'nasty sores, boils and toilet trouble'." Neither of those quotes are from the journal paper.
Does toilet trouble include, like, missing the toilet? But I don't know, maybe you need a stronger flush. Yeah.
"Alarming bacteria levels found on Apple Watch and Fitbit wristbands, study reveals," sorry, "reveals study." Does the word alarm, alarming, alarmist? None of those words. Nothing starting with A-L-A-R-M appears anywhere in that journal paper.
Possibly arm. Arm does, because that's where your wristband goes, because it is the normal bacteria that are on your arm. So yes, arm is in there, but not alarm.

[48:05] "Is your Fitbit or Apple Watch wristband making you sick? Study says they are a hotbed," again with that word, "of bacteria like E. coli."
No, your wristbands are not making you sick. And what is it with the word hotbed? It's just everywhere.
And then the last one is just like, OK, anyway, "Apple Watch is a health marvel, but maybe a health hazard too, report claims."
Hazard's a bit strong, but as these things go, this one is the least stupid of them all.
It's like, well, OK. Was hazard in the article?

[48:41] No, it was not. I checked that too. So anyway, link in the show notes to the full journal paper.
Now there is actually some interesting stuff in there. It actually is. They did a good study, they did it well and there's some interesting stuff. So I'll now quote from the paper. This is actually what the scientists have to say. "Wristbands, often worn daily without routine cleaning, may accumulate potentially pathogenic bacteria.
Bacteria found were common skin residents of the genera Staphylococcus and Pseudomonas and intestinal symbionts like the genera Escherichia that contain E. coli."
It's a word of a bunch of bacteria that contain E. coli.
Basically our skin is always full of bacteria.
But some of that bacteria comes from our toilet, because when we flush said toilets, it goes into the aerosols and they sort of go everywhere. And if you didn't wash your skin, it would get very full of bacteria. If you didn't wash your clothes, they would get very full of bacteria. If you don't wash your wrist strap, which is right next to your skin and your clothes, it will be as if you wore the same clothes all the time. They will get icky, right? It will happen. Now, the paper is very clear to say who needs to ahooga ahooga about this.

[50:08] The ability of many of these bacteria to significantly affect the health of immunocompromised hosts indicates a special need for healthcare workers and others in hospital environments to regularly sanitize these surfaces.
So this paper has a real call to action. Because if you are immunocompromised, if you are taking medication that is disrupting your immune system because you've had a transplant or because you have certain medical conditions that have that effect, then you need to be aware that you should actually take this seriously and take care of your straps as if they were anything else that is around you. Because yeah, there's bacteria there. And for you, the normal skin bacteria could be a real problem. If you're a health worker and you are around people in that situation, you need to be aware that you should not be Typhoid Mary-ing your icky sweat into this situation. So definitely, this is important.

[51:13] So if we want to take this seriously, whether or not we're immunocompromised or work in a hospital environment, did they give any guidance on how to clean your watch band?
They do. They do. So we're getting... Yeah, so there's more good things in this paper.
Actually, by the way, just as a tip, if you buy the Apple infinitely adjustable loops, what I do is there's little things you can buy for washing delicates. I don't own any delicates, but they're little bags that are designed to go in the washing machine to hold, like, you know, womeny bits that I don't have to keep them safe in the washing machine.
But if you take your Apple Watch straps and put them into that little holder, you can shove them in the washing machine. And I do them at 30 degrees just in case. I have been doing this for years. They come out clean, they come out un-icky, and they take about two hours to dry. And so every now and then I just throw them all in the washing machine. And then I have, because look, this is the Pride band from quite a few years ago, and it's still nice.
It looks beautiful. Yeah, that's an interesting idea. Well, I used to shower with my watch band on, which I figure that certainly does a lot of good, but then I read that Apple doesn't warranty the waterproofness if soap was involved.

[52:24] Yeah, because I think it's to do with some of the stuff that keeps the seals sealy, may be compromised by that.
Yeah, so I can take a shower with my watch band on, but not the watch.
Yeah, but not to wash. As I say, I just shove them in the washing machine because cycling clothes need to go at 30 degrees.
So I put them in with the cycling clothes and they are delicate.
Why do cycling clothes require a temperature? They're all made of lycra and stuff that doesn't like being warm.
So they all say wash at 30 degrees, do not tumble dry. OK, so that's 86 degrees in freedom units.
So not very hot is what that is. Not very hot, basically.
Yeah, and I just put the Apple Watch straps in. They'll probably be fine at the normal 40 degree temperature. But heck, I have a washing machine running cold, so let's just chuck them in there. Anyway, all right. Now, the report does not say to put your watch band in a little bag.
It does not. Early bits.
It does not. Let's skip ahead to what they do say and then I'll spin back a bit.

[53:22] So they do give some advice on the house. They say common household disinfectants, such as Lysol disinfectant spray, 70% ethanol, and Heinz apple cider vinegar, all proved at least somewhat effective on all materials, "rubber, plastic, cloth and metal."
Although, antibacterial efficacy was significantly increased at 2 minutes compared to 30 seconds.
So like washing your hands at the start of the pandemic, two minutes of Heinz cider vinegar.

[54:05] Well, we keep cider, apple cider vinegar. I'll just have to check and make sure it's Heinz before I test this out. Now, I pushed you to read this part, but right before that you said that they also found that rubber and plastic wristbands had higher bacterial counts while metal ones, especially gold and silver, had little to no bacteria. But they didn't talk about the cloth ones.
The cloth-y ones, yeah, which is a bit disappointing because that's what I wear 99.9% of the time because I do a lot of sweaty things.
If I could, I'd show them the washing machine. That's why I don't wear them.
That's exactly why I don't wear them, because they get wet and then they take forever to dry and I hate having that icky damp thing on my wrist, even if I've washed it.
I own 32 watch bands. I change mine twice a day.
I take two showers a day most days, but I'm not changing my watch band that often.
Well that's good to know though. I might keep some Lysol disinfectant spray up in the bathroom to squirt them down from time to time.
That's a good idea. And the other thing the paper does say in very scientific-ese, there is a need for regular and popular sanitation of these surfaces.
In other words, oi, folks, clean your watches. Popular means regular folk.

[55:18] We are the populace. Oh, I got you. I got you.
Yeah. So everyone should do this. By the way, I really liked the way they talked about this on the Daily Tech News show.
They said they didn't have to say Fitbits and Apple Watch bands.
All they had to say was watch bands. Because there's nothing about this, like if you wear a classic watch with a leather band on it, it's probably collecting bacteria. Leather being a biological material?

[55:46] Yeah. Probably more. Nice and absorbent.
Yeah, yeah, apple cider vinegar works on leather. All right.
I'm assuming they're describing what they did, right?
I think basically they're saying we used 70 percent ethanol, Heinz apple cider vinegar. So I think it's it's because this is what they found to be effective.
So, yeah. Anyway, I just thought it was funny that Heinz.
OK, so white vinegar doesn't work. I don't know.
That's a good point. Doesn't it? Yeah, exactly. It doesn't say what doesn't work, right?
They're not making negative statements. It's the only thing that we checked and cider vinegar is good.
It's also tasty. OK, actual alerts, just the one across my radar because it hasn't yet been patched, you say that's coming up.
What I can tell you is that if you are a user of WinRAR, it's probably about time you blew the dust off it and gave it a wee patchy, patchy, patch, patch, because it has some if you open the wrong zip archive, it's arbitrary code execution.
So that's not good.
So for those who don't use this, this is a Windows application that does compression and decompression of files.

[56:54] Yes. Initially written for the RAR format, but because, well, if you're going to install an app, it may as well do them all, it kind of unzips anything you throw at it. And one of the almost never used formats that it happens to support.

[57:11] Probably with code from the 80s that no one's looked at in 20 years is riddled with vulnerabilities and so unnoticed.
But of course, once someone notices, the attackers just put on a website some silly file in a weird format, and if you double click it, WinRAR will open it and bad things will happen.
So patchy, patchy, patch, patch. In terms of worthy warnings then, just two things that sort of caught my eyes.
I think it's worth reminding our listeners about this, because I don't know about you, but during the pandemic, I did not go near an ATM.
I went nowhere near an ATM because I didn't use any cash for about 3 years.
I'm pretty sure the 20 euro note in my wallet has been there since 2019.

[57:55] But anyway. People are starting to use ATMs again. And the problems that existed in 2019 with ATMs haven't gone away.
They are all just as bad as they were in 2019. The naughty people are attaching readers to the devices and they're getting thinner and easier for you not to notice.
So the advice from Naked Security is grab, hold and give it a wiggle.
And if something on the ATM machine is basically saying that if any of the fittings on the ATM machine look a bit odd, just give them a little shake because nothing should ever come off a real ATM because everything is designed to be, you know, out in the public for years.
So if anything in there is loose or rattly, that's very suspicious.
If you're suspicious, give it a shake.
And I think the real reminder is just that the bad, you know, the naughty people, I'm trying not to gender them and say they're bad guys, that the naughty people are still doing it.
It is still a thing to scan your card and steal your pin.
That is still a thing of value that is happening, not for the better of anyone.
I can't remember the last time I went to an ATM. I still don't go.
I go maybe twice a year.
Like, you know, tips for the gardener or something like that one, or, you know, somebody carries some furniture in, we'll tip them, that's what the cash is for, so it's like four times a year.

[59:20] Yeah, I probably shouldn't say this, but we had a handy person in doing some fixing and they were like, well, the full price is blah, but if you pay me off the books, it's blah.
So I went down to the ATM and paid them off the books. There wasn't a huge amount of money, but the Irish Revenue Commissioners missed out on a few quatloos.
Anyway, that's the last time I use an ATM. You know, so that's how often I use them.
Almost never, basically. The Federal Bureau of Investigation are warning of a way more high tech scheme that is apparently picking up in popularity in the United States, and it needs to be combined with social engineering.

[1:00:00] So the best defense is awareness, because it's harder to social engineer you if you know this is a thing. Hence, I think it's worth sharing. So it is very difficult to get malware into the iOS App Store. Therefore, attackers are always trying to find ways around Apple's App Store. And one of those ways is beta apps, because there is a legitimate need for developers, like you were lucky enough to get to do the beta version of Callsheet.
I'm very jealous of you. So you are in a beta program legitimately and you are able to install an app that is not available in the App Store. Now imagine the same thing with malicious intent. So what is happening is bad people are tricking people into joining beta programs on the promise that this is a very exclusive app, and it's so exclusive that it can't be available anywhere else. Therefore, install this developer cert, and then install this beta and a butterfly has just flown into my bedroom. Okay, that's nice of you.

[1:01:03] And so basically, don't install betas from random people on the internet.
And if they're promising you cryptocurrency, NFTs, or frankly, money of any kind, the answer is no.
Probably not legit. Yes.
And it's worthy of the FBI telling us about it. So it's obviously happening.
Yeah. Now, I just moved the thing I wanted to talk about up into this section.
I think it fits better in worthy warnings than tips.
Alistair Jenks alerted our Slack community at podfeet.com/slack to a thread on Mastodon about a very interesting attempt to hack a guy's bank account.
And it's a pretty long thread, but I'm gonna give you the gist of it because I thought it was fascinating.
A gentleman named Bjorn Toft Madsen said that he got a call from his bank saying they wanted to verify some suspicious activity on his accounts, a transaction.
And he said, they asked him, did you make this charge of 2,900 pounds on a travel booking site?
And he said, no, this was definitely not me. And they said, okay, great, we're gonna cancel that charge.
And then they said, okay, there's another transaction occurring right now that seems odd.
It's for 5,900 pounds at a boat hire service.
And the guy says, nope, that wasn't me here either.

[1:02:25] They then told him, okay, sir, we're gonna send you a verification code, and we need you to read it back to them to cancel the transaction.
So he gets this text SMS message with a six digit code and he starts to look at it and then he realizes the full text of the message says, don't share this message with anyone.
To approve the purchase from the boat hire for 5,900 pounds, use code blah, blah, blah.

[1:02:51] He says, hang on, it says to approve the purchase, and the bank says, oh, oh, right, sir, we've had a few problems with our messaging system, so I'm not 100% sure what the message actually says. We just need the code to get the purchase blocked.
You can ignore the start of the message.

[1:03:06] So his spidey sense is tingling, right? So he says, no, no, I'm not going to do that.
And so they said, "Okay, that's very smart.
I'm sorry about our messaging system being odd. Let me send you a notification inside your banking app instead." So the notification arrives and he opens his banking app, thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app.
But again, it just says, to approve the transaction. So now, from what I can follow, this seems to be inside his bank app.
So at this point, he says, I'm going to call my bank directly and naturally the person hangs up.
He calls his bank and verifies that it wasn't them. So very clearly what they had done was they got him to believe that he was talking to his bank by first doing a successful fraudulent transaction.
So they really did do it. They got one through, but they didn't get the second one through and they were going to get him to give that code in order to approve the transaction.
Do we know they got the first one through?
They told him about a transaction and he said it wasn't him.
He verified it in his bank app that the first one had gone through.
Now he says, this is the part I wanted to ask you about though, he says, they got me to read a 3D secure code and I'm not sure what he means by 3D.

[1:04:36] Because he starts talking about banks not using 3D codes. So I would imagine that's the barcode-y thing, right?
Aren't they called 3D codes, the barcodes that are, the QR codes that are, yeah, squares instead of lines.
I would call that 2D instead of 1D.
Yeah, once you're in one dimension and this is in two.
I think I've heard people call them 3D, 3D codes before though.
So I think that might be what, which would be a way of getting you to a URL of their choosing.
Without you typing it. Yeah, maybe.
He said they were able to do this because the first transaction had happened on a site that didn't use 3D Secure.

[1:05:20] I'm not really sure how that part works. No, okay, no, sorry. In that context, so in Europe, we're in the process of bringing in strict regulation on credit cards, and the banks don't do it themselves. They outsource to other companies. And I think one of the companies that does verification for many European banks is called 3D Secure.
Oh, okay. Okay. Okay. Anyway, I thought it was a really interesting thing. By getting one through, they were close to able to convince him to let them do a second one.
Well, what really strikes me, right, so from the point of view of the second transaction, what was happening to him was the normal flow of transaction verification. But they had so cheniered themselves into the middle to try and make the same steps that are the normal process for approval look like the process for disapproval. So what he was seeing on his screen is what happens when someone tries to use your card without your consent and you should immediately go, Oh, that's not me. Don't approve.
So that is the text message with a six digit code asking me whether I am making a transaction because you're not in Europe.
So we have this new EU legislation. So for me, when I buy stuff online, I, every time it goes above 150 euro, I have to either approve in my bank.
So in the app, which is the other thing described, right? Cause when I opened my banking app, I get a push notification to the app and there's only one button, approve.

[1:06:46] And so if I can't approve, I have a button on the website saying can't access my app and then I get a text message.
So the first time the attackers did it, they clicked the button, I don't have access to my app.
And he got a text message.
But they were on the phone to him. So that normal text message, they were on a website in real time stealing his money and the two-factor auth was happening in real time.
And they were telling him a different story around the normal process.
I got you now. Yeah, yeah.

[1:07:16] So anyway, under worthy warnings, this guy did everything right.
And yet it got close, right?
It got close. It smelled right, but enough wrong.
And the takeaway I would say to people, if you want to take a one sentence takeaway, read the text of the notifications.
That's what saved this guy. He read the text.
And I was like, no, that text does not say what you friendly person on the phone are telling me.
Oh, I'm sorry, we've had trouble with our messaging system. I have trouble accepting that, yeah.
So that's interesting.
That's very good. Yeah, so good. Okay, so we've rejigged the show notes, so we are jumping to notable news.
I joked years ago when the first Spectre and Meltdown happened that we'd be talking about speculative execution for years.
Yeah, we're still talking about speculative execution. Another one.
This one is called Meltdown.
The same basic story applies. Meltdown last time!

[1:08:19] Where this is from a few weeks ago. I didn't cover it last time because I didn't think it was important and then I changed my mind.
Ages ago I thought it was called that, but just very quickly, my memory of speculative execution is that, in at least in Intel CPUs, there's a method where it starts to predict what you're probably gonna do next, and that way it's ready for the possible transaction it's gonna be asked to do, and that speeds things up, but there are flaws in that that cause issues.
It's a side-channel attack, so depending on the outcome of the speculation, something else is different.
So a side-channel is like, if I guess your password right, it takes 10 seconds to come back to me, but if I guess it wrong, it takes 15. That's a side-channel.

[1:09:03] So you haven't been told, but the timing tells you. And so all of these speculative executions, basically, what the computer, whether or not it's a hit or a miss, affects something else the attackers can then use to derive information.
Hence it's a side channel. And usually what ends up leaking out by inference is the content of memory that the attackers shouldn't be able to see.
You can basically infer what is or isn't in the memory by guessing, basically when you guess right, you know.
So you know what's in the memory. And the real danger with all of these is when you have code belonging to different people sharing the one CPU.
Because in our day-to-day lives, we are the only user of our computer, so if we have malware on our computer, that malware can mess with the other stuff on our computer through the CPU. But if we have malware on our computer, that malware can mess with our stuff directly. It doesn't need to faff about with side channels. We have malware on our computers.

[1:10:06] But where this comes into play is if you are renting a VM. You and I have web servers that are sitting in a VM farm. There's not a server with Podfeet and a server with Let's Dash Talk. There is a server with 5000 virtual machines. And so while that server probably has literally hundreds probably of CPUs, it has thousands of VMs, so some of those CPUs are shared.

[1:10:31] And now you have code belonging to potentially me and you in the same CPU, leaking information over and back through these side channels.
That's bad. That's very bad. And so as soon as one of these things comes out, Intel release microcode, which is basically firmware for the CPU.
So it's like firmware so deep down it has a different name because, you know, firmware is usually outside of the chip.
But this is like the CPU's own internal, internal firmware. It's very deep down stuff.
Anyway, Intel have released microcode fixes.
Those microcode fixes get there either by the operating system injecting them on boot, which is how Linux does it.
So Linux has been updated to inject these new microcodes on boot.
Windows is probably going to get that update soon.
The other way to get those updates is by actual firmware that injects the code by the BIOS injecting it as you're booting up the machine.
And so Dell have released firmware updates for their machines to inject the microcode at boot time.
And so the bottom line is, if your operating system or your computer vendor's firmware says install this patch, by all means install this patch.
Unless you're running a server farm, don't set your hair on fire about this one.

[1:11:51] But do know that the people who are running server farms are on this.
And this is one of those things where they've had a terrible month of it and they've been busy, patching like crazy.
And as is always the case with speculative execution fixes, it's physically costing them money because speculative execution speeds up CPUs.
When you have to disable a speculative execution, you slow down CPUs.
And when your money is selling compute.
It was not insignificant too, wasn't it? Like 15%? It was pretty high, as I recall.
Yeah, 15, I believe, is the number I saw, yeah. So that means if you're the likes of AWS or something, that's not nothing.
That's not nothing. There's crankiness. There is crankiness in the industry, but just patchy, patchy, patch, patch, as and when, and don't set your hair on fire. This one isn't really a big deal for you.

[1:12:40] Intego point out that they haven't been able to get a clear answer on whether or not Intel-based Macs are affected. But again, I wouldn't stress over it too much, even if they were; we're not running server farms on them. So most home users, the advice is not to enable these protections because you kind of want all of your CPU. You kind of don't want your computer to get slower.
Yeah, sure, sure. Now, I'd like to, yeah, well, I have to get an M3 right to put myself.

[1:13:12] I like to end these on a happy note when I can. So the FBI took the lead with partners in a lot of countries. France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, all worked together to take down a botnet called Qakbot. And it's great that they took it down.

[1:13:32] They also got permission from a court in the United States to do a little bit more than take it down. They got permission to go in and patch the infected machines, which on the one hand is being a good Samaritan, but on the other hand, it kind of sounds like innie. A little reachy innie. So I'm conflicted on that one. But anyway, the botnet is gone and that is very much a good thing. The other thing, last year, the FBI entered into a partnership with Have I Been Pwned, where they have low level API access to push data breaches they find into the database so that if they find a cyber criminal, if they arrest a cyber criminal, they can just put that data straight into Have I Been Pwned without a big process.
They just push the data into Have I Been Pwned. And basically lots and lots of people's stuff was compromised with this botnet. It's all in Have I Been Pwned.
So if you check your email address in Have I Been Pwned, it now knows whether or not you were caught up in this mess.
Among all the other things it knows. So basically it knows, which is cool.
And that's I like these kind of systems working like that.
On then to accent explainers. Ah, I've just forgotten his name now. I wanted to call him out by name. Oh, right click on link part. Vamp for a second while waiting. Oh, come on computer. I've even had him on my podcast. I've talked to him.
Okay. And my author of the article.

[1:15:00] Yeah, because my editor app is deciding I want to change the text of the link instead that have just opened the bloody link in Safari, please.
So is this the Intego link?
The Intego link? Kirk McElhearn? Kirk McElhearn.
Thank goodness, Kirk. Yeah. So I've had Kirk on the Let's Talk Photography podcast.
He's actually a photographer and he does another photography podcast as well.
But Kirk is a freelance article writer for lots of people, including Intego, and he has two fantastic explainers in the last two weeks. What is SMS, how it works, why it's insecure, and why we still need it.
It's a good article. And the other one, again, does exactly what it says on the tin. What every Apple user should know about software updates.
I don't think our listeners are going to be surprised by anything in this article. But it's a really good one to give to friends and family who are ignoring the red badge.
It's a little nudge. Here's how you'd not have the red badge and why you might not want to have the red badge. If you toggle these settings to automatic, you won't have the red badge and you'll be better off.

[1:16:09] And that brings us on then to palate cleansing. I'm going to go first because your one is better.
And that way we get to end on a higher note.
So I have been utterly enjoying the JWST, and you'll notice I don't like to use its full name because the person it's named after was distasteful is the politest word I will use for the man.
You're talking about the space telescope.
I'm talking about the space telescope with initials JW. Telescope's amazing, the scientists are amazing, the person they named it after is the opposite of amazing.
What you're talking about, since you're not saying what you're talking about.
I know. I know. It's obscure. Okay. We were talking about the amazing space telescope that was launched that Steve and I got to go see. Actually, and they toured it. They toured a full 100% scale mock-up of it around the world about a decade ago. And I went to see it in Dublin when it was here. So I know what it looks like.

[1:17:03] Oh, cool. Obviously, you saw the real one, which is infinitely cooler than seeing a one-to-one scale model. But even the one-to-one scale model was rather cool. Anyway, we all watched with great anticipation while the thing took a month to travel from Earth to its final orbit out at Lagrange 2 and it unfolded its solar panels made of immense origami with great delicacy and we all crossed our fingers and the thing finally got first light and we all celebrated.
And I know I've picked it as a palate cleanser quite a few times because it's done some really cool stuff.
Anyway, it caught my eye again, because...

[1:17:40] If you start off in astronomy, the first thing you look at is the Andromeda Galaxy, sorry, the Andromeda Nebula. The second thing is probably the Andromeda Galaxy.
And the third thing is the Ring Nebula, M57, because it looks like a ring nebula.
It's a perfect little smoke ring in space. Now, through a telescope, when I say little smoke ring, I mean little. It's bloody tiny and there's no detail in it.
When you look at it through a backyard telescope, it's just a star with a hole in it.
It's cool. It actually looks like a ring. Well, the JWST pointed its telescope at it.

[1:18:14] The level of detail in that nondescript little ring I have seen 101 times through a telescope, blows my mind. It puts it into context that this telescope isn't a little bit better.
This is just jaw-droppingly better. It's such an amazing image of the Ring Nebula.
So anyone who's ever looked at the Ring Nebula through a telescope at a backyard astronomy event or something, or on their own telescope. You can notice what this little thing looks like and how nondescript it is. And now look at this. It's beautiful.
That sounds fun. I just sent Steve a note saying we need to watch this Netflix documentary on it. You really do. It tells the story of the telescope's launch from the point of view of the scientists.
And the level of emotion in the scientists when they're describing the work it's doing.
I almost teared up watching a science documentary. It was so good. I myself and the better half watched it over dinner the last couple of nights and it was really good. It was really good. So I figured I'd share that too.

[1:19:16] Very cool. All right, so here's mine, found this again on Mastodon, this is such a great story.
There's a wonderful account to follow called Nixcraft, and it's often Unix, Linux, nerdy kind of stuff, and very funny often, but this one was really sweet. Someone named Myesa Raponen, sent in a bug request fix for the Linux kernel.

[1:19:43] And it says, in the body of her email, it says, when I was reading the documentation, my four-year-old niece wanted to see what I was doing.
After telling her, she noticed that something was very wrong and asked me to fix it.
Instead, I helped her to fix it herself. She noticed that in a line of the documentation, there were dashes below a bunch of a set of words to kind of set it off as a heading.
And the last S is sad because all the others have those lines below them and this one does not.
So basically somebody in a, you know, a fixed width type font had hit dash, dash, dash, dash, dash and stopped one dash early. But the best part is they fixed it for her.
So she's a four year old submitted a fix to the Linux kernel. How fun is that?
That is amazing, and what's extra cool is, because it's the Linux kernel, remember, Git was invented for the Linux kernel. She has a pull request.
Forever and ever and ever, there is a pull request from this four-year-old in the Linux kernel's Git repo.

[1:20:48] That is so cool. I didn't think, like, that gives me chills.
It absolutely does, and there is very little to give you more nerd credit than a pull request in the Linux kernel.
And this four-year-old has a pull request in the Linux kernel.
It's, oh, I just saw it so much in your chat. That's just how she goes into computer science, right, and puts that on her resume. Oh, right.
Oh, goodness, yeah, absolutely, yeah. Oh, so cool, so cool.
No, she might actually end up being a copy editor instead because she just noticed a typo.

[1:21:17] Great. We need more people who can write good documentation in nerd space. I'd like to be able to read man pages that don't suck, please.
There you go. It would be good. There you go.
Yeah, I think it's so, it really, really made me smile. I think it's a wonderful story.
And the other thing that makes me smile about it is the Linux maintainers who have so much stress in their lives, they took the time to do something nice. This is well done. Nice work guys. And it was a guy who approved the pull requests. Nice work.
Okay. Smile. So yeah, and that is a cool, you've linked to that account a few times. You're right. They do very cool stuff. Yep. Righty ho. Well, with that, we have another. Actually, I think this was three weeks worth of news, actually, because we've been all wibbly wobbly timey wimey. And I think it's been two weeks since the listeners heard us, but nearly three weeks since we recorded because we did one at a weird time. Anyway, another bunch of security news wrapped up. And the advice is always the same. Remember, folks, stay patched, so you stay secure.

[1:22:16] Well that is going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like?
If you have questions or a suggestion or that recording you're going to do for me for the show so I can keep goofing off, you send it to allison at podfeet.com.
You can follow me on Mastodon at podfeet at chaos.social. I'm having so much fun over there.
It's such a nice place to be and it just feels like a good community over on Mastodon.
And remember, everything good starts with podfeet.com.
If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com.

[1:22:49] Slash slack, where you can talk to me and all of the other lovely NosillaCastaways.
You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal.
Or, did I mention, you can do a recording like the awesome Jill by sending it to me at allison at podfeet.com.
And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5pm.

[1:23:12] Music.