NC_2023_10_29

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com


[0:00] Music.

[0:09] Apple Bias. Today is Sunday, October 29th, 2023, and this is show number 964.
Before we get started, if you're listening to this thing, say, first thing Monday morning, then today is the day of the October Apple announcement. As is our custom, Steve and I will be hanging out in the Discord chat room, which you can get to by going to podfeet.com slash chat. Now, you probably know that it's at 5 p.m. Pacific time, but I want you to realize that if you're in Europe and planning to watch, you might not realize that the United States did not change times on Sunday like most of the rest of the world. While most of the year Bart in Ireland and I are 8 hours apart, for just a short time here we're only 7 hours apart. That means for him the show is only at midnight tomorrow, on Monday. Anyway, I'm not going to do time zones for anybody else, but I hope y'all can join us for the chatter. As always, Steve and I will not be talking verbally, and there will be no video from us, it'll just be everybody chatting. So I hope you'll come to podfeet.com slash chat.

Eufy Security Cameras with HomeKit Secure Video to Replace Wyzecams

https://www.podfeet.com/blog/2023/10/eufy-cams-homekit/


[1:10] Back in the day, I was a huge fan of a company called Wyze, which sold very inexpensive security cameras for like 25 bucks. They seemed to be unstoppable as they came out with pan cameras, outdoor cameras, then they started doing vacuums and even scales. But then a couple of years ago, they confessed to having a security problem with their original Wyze cams that they'd known about for some time, but they never told anybody about it because they couldn't fix it.
Instead of leaving it up to us whether we wanted to throw them away or buy something more secure, they figured they just didn't want us to worry our pretty little heads about it.
At the time, we had four indoor Wyze cams, only one of which had the security flaw, but I threw them all in the bin. We have four additional cameras that view the outdoors, two are indoor cameras and two are outdoors, but point outdoors through the windows.
Anyway, we decided to keep those because they're not looking inside our house.
I swapped out the indoor Wyze cams for cameras from Eufy.
Now, Eufy is owned by Anker, which is a Chinese company that may influence your decisions in this area.
I'll be providing a reason why this still works for me.

[2:14] We went along happily with a mixed camera household for several more years.
We have Wyze cams and rings for outdoors and Eufy for indoors.
Then in September, Wyze messed up again. Wyze provides a browser-based portal through which you can see the feeds from your camera.
Unfortunately, they made some mistakes and for a period of time, people were actually seeing other people's webcams.
It was bad enough that the Wirecutter officially removed them from the recommendation list and wrote a blog post about it.
I still wasn't overly worried about this because, as I said, my Wyze cams don't point indoors.
However, both of my kids were using Wyze cams on my recommendation to monitor my grandchildren.
Because I had suggested this great camera for only $25 a piece, I felt responsible. So I replaced all of their Wyze cams with Eufy cams.
My kids are security conscious, especially when it comes to their children, so they were quite happy that I took this step for them.
And, two weeks later, the Eufy cams I'd just bought for them went on a crazy good sale during Amazon Prime.
Now, while I was annoyed that it hadn't occurred to me to wait for Prime Day to buy all of those cameras, I decided to take the opportunity to replace at least some of my remaining Wyze cams.
I chose Eufy because they're HomeKit compatible, and I'll get into what that means after I explain the models I chose.

[3:33] The first thing to say about buying a Eufy cam is that the model numbers are very confusing and they've been known to change the model number of a camera while not changing the camera itself.

[3:42] My original Eufy cams appear to be identical to my new ones, but they have a completely different model number. The second thing to be cognizant of is that some of their cameras, mostly the outdoor wireless ones, need a hub. I find their explanation of the hub-based models to be very confusing, so I've shied away from them. They may be awesome, but I can't speak to them at all. For my needs, I bought a pair of Eufy Security IndoorCam C120 wired cameras for the standard price of $76, which makes them $38 a piece. Not really that much more than the insecure Wyze cams when you think about it. These are small cubic cameras mounted on a pivot base so you can rotate them into any position you need. The software will accommodate being mounted upside down if that's a requirement for you. These two cameras will replace two cameras that, as I mentioned, faced outdoors but live indoors. One is mounted at the top of our front window and watches for people coming up to our front door. The second indoor but looking outdoor camera is mounted very cleverly. It took Steve, Kyle, and me to get this working, but Steve wanted it to be stuck up against the glass of our garage door looking outward. When the garage door is closed, it gives a nice wide-angle view of the driveway. And when the door is open, we can tell because we're looking at the ceiling. The tricky bit was figuring out how to run the cable so it didn't get tangled up as the garage door opened and closed, but with some clever mechanical engineering, we got it working. One caution if you try this method of buying indoor cameras to look outward.

[5:11] You need to disable the infrared light for night vision. Turns out that light reflects off the glass and makes it impossible to see outdoors at night. The advantage of using indoor cameras to look outdoors is you can buy cheaper non-weatherproof cameras and easily plug them into indoor power.
Because the Wyze cams were so inexpensive, Steve mounted a third one outdoors on the corner of the house also looking forward from our house. He snaked the power indoors beside the garage door and figured if it didn't last outdoors, it was only out 25 bucks. As it turns out, the Wyze cam weathered our rainiest year ever. But my plan was to put it in the bin anyway.

[5:48] To replace it, I bought the Eufy Security Outdoor Cam E220. However, I bought this wired version so he would be able to do this sneaky run-the-power-cable-into-the-garage thing, and it should have worked, except when I started to work on it after I got it on our network, I realized it wasn't HomeKit compatible.
So remember what I said about watching out which model you buy?
The Outdoor Cam E220, which is wired, is not HomeKit compatible.
So we're trying to figure out what to do about that for now.
That Wyze Cam in the corner is going to live another day.
I said earlier that I would explain why I chose Eufy to replace the Wyze cams.
The main reason is that they're reasonably priced cameras that are also HomeKit compatible.
There are a few reasons why that's important to me.
My theory is that companies that have to go through at least a wee bit of vetting in order to qualify to be inside HomeKit might be a little bit better security wise.
Also when you move a camera into HomeKit, many of the controls for the cameras are removed from the vendor's application and moved over to HomeKit.

[6:51] When you have a security camera, you'd really like to be able to retrieve footage from the camera if something unfortunate was to happen, such as a break-in.
You can put an SD card into most of the cameras and hope the thief doesn't steal the entire camera, or you can pay a fee to the camera company to provide you with cloud storage of your videos.
But you're trusting them to store your videos securely. Turns out there's another way to store your streams in the cloud, and it may not cost you any extra money.
If you're already paying for iCloud Plus, you can use HomeKit Secure Video.
In December of 2022, Bart, in one of his Security Bits segments, outlined some real concerns about how eufy stores its videos, and he also explained that using HomeKit Secure Video was the solution to protect your personal videos.
This is why I'm okay with using cameras from a Chinese company.

[7:41] Now here's a little blurb from an Apple support article about HomeKit Secure Video.
It says, If you subscribe to iCloud+, you can view the last 10 days of activity from one to an unlimited number of cameras.
The 50GB iCloud Plus plan supports a single camera, the 200GB iCloud Plus plan supports up to 5 cameras, and the 2TB iCloud Plus plan supports an unlimited number of cameras.
Note, video content doesn't count against your iCloud storage limit.

[8:13] Well, for the last year or so, we've had our four existing indoor Eufy cameras in HomeKit and it's been lovely.
One of the coolest things I discovered recently is that you can view all of your Eufy cams on your Apple TV using the Home app. I feel like I'm running an official security service with this grid of cameras.
Alright, now that maybe you're sold on this idea, I wanted to walk you through a little bit of the EufyCam setup process.

[8:38] At first I took screenshots of every single step, but to be perfectly honest, I don't think you're going to need a lick of help. You install the eufy security app on your iPhone or iPad, click the plus button, and choose what kind of camera you have from the list. They even give you pictures, so it's not hard. Once you're in the right device family, you'll see pictures of the specific cameras, and you choose the one you have.
The C120 I purchased is a 2K, not 1080p camera, and that's going to become important later in the story. You add a new home name or add to an existing home, and you're ready to follow the step-by-step instructions in the Eufy app. Plug it in, wait till the light turns blue, scan the QR code on the bottom of the camera. It took me a few tries to get the camera to recognize the tiny QR code, but it eventually found it. Next, the on-screen instructions tell you to hold down the sync button on the back of the camera until it beeps. And again, they give you a picture so you know which button to press. I really love that. Now the app will ask for access to Bluetooth to connect to the device, and then it'll show you a list of the Wi-Fi networks it found.

[9:44] It says quite clearly to please select a 2.4 GHz Wi-Fi network.
Like many of us, I have a mesh network, mine is from Eero, and it's a little tricky to get to just the 2.4 GHz radio.
In the Eero app, buried under troubleshooting, you'll find a way to disable the 5 GHz radio for 10 minutes.

[10:03] I decided to test Eufy to see if I really needed to do that, and I charged ahead with my combined Wi-Fi radios. Eufy came through like a champ and immediately connected to my Wi-Fi after I gave it the password, so you don't need to disable the 5GHz radio.
As soon as I connected to my network, I heard Steve say, Hello? But he wasn't home. It was coming out of the camera.
You see, when my camera joined the network, he got a notification from the Eero app, he tapped into the Eufy app and started watching me.
Freaked me out a little bit, but it was good to see it was working, and he had fun freaking me out.
Once the camera's on your network, the Eufy security app will start to help you walk through some of the settings, like how you want to get notifications.
It'll also bellyache about the fact that you don't have a micro SD card installed and offer to sell you some cloud storage.
I suggest you just skip over these steps if you're going to enable HomeKit Secure Video.
Before you can put your cameras into HomeKit, you need to enable Home in iCloud.
On your iOS device, open Settings, tap on your name, and then select iCloud.
You'll see, you'll have to select Show All because they fold up the list and it'll drop down all the different apps, and one of them is Home, and then you can toggle it on.

[11:18] I assumed at this point, I would need to do something in HomeKit to pull in the cameras, but it's actually the other way around. eufy has to give the cameras to HomeKit.
For a given camera, when you see the grid of them in the eufy app, tap once to see the gear, go into settings, and then under general you'll see HomeKit Portal and then add accessory. This is the piece that was missing on that outdoor camera I bought.
I kept looking and there was no HomeKit Portal. Anyway, at this point, the eufy app will explain some of the downsides of moving the camera in that HomeKit.
Now remember I said these cameras I bought were 2K cameras? Turns out Apple only supports 1080p for HomeKit cameras.
I suspect it's because of the size of higher resolution videos, since you're not paying extra to share them in iCloud.
But you'll also lose some more eufy features like on-device AI, sound detection, and pet commands.
The pet commands are kind of cool. You can point a camera at your living room, define, say, the couch as a pet zone, and then if your dog jumps on the couch, the camera will automatically play back a recording of you and your voice saying, down spot!
You don't get to do that if you put your eufy cams in HomeKit.
You'll also lose activity zones, which are areas you define in the field of view where you want to monitor for movement.
It's super helpful if you, say, got a tree that's constantly moving in the wind and you want to kind of work around that.
But don't dismay about losing this feature because HomeKit itself supports its own activity zones.

[12:46] Before I enabled HomeKit Secure Video for my Eufy cams, I'd enabled video storage on my Synology using a capability built into the Eufy software.
Unfortunately, NAS storage is also disabled if you use HomeKit to manage your Eufy cams.
It's a good trade-off for me to have storage in the cloud, but if you're using NAS storage, that's something to consider.
And finally, remember that we have the option of using a micro SD card on the eufy cams?
Yeah, HomeKit can't access the SD card's clips.
It really does sound like Apple sandboxes the cameras inside the walls of your HomeKit home, and that's comforting to me since these cameras are from a Chinese-owned company.

[13:23] Now the rest of the steps are the normal ones to add a device to HomeKit.
You know, you name the device, you tell HomeKit in which room you're going to place the camera.
Now as the Eufy software did earlier, HomeKit will start asking you questions regarding under which conditions you'd like to have streaming and recording take place.
I like the granularity in HomeKit. You can set recording differently when you're home versus away, since it knows where your phone is, and you can decide whether it's when nobody's home versus just you aren't home. When you're home, maybe you want to be able to stream on the fly, but you don't want every little thing you do in your home recorded. When you're away, you might want to stream and allow recording. This way, if the cat sitter is there, you'll have a recording to make sure they showed up, but you can also just stream to watch your cat sleep. There's also an option to detect activity, but it can't actually stream and record with this selection. It can, however, use activity detection to trigger automations and send notifications. I haven't fooled around with that setting yet. In HomeKit settings for each camera, you can select whether to record when any motion at all is detected, or you can toggle on specific items such as whether people, animals, vehicles, or packages are detected. HomeKit Secure Video even enables face recognition if you choose to enable it.

[14:39] Once enabled, you can see a list of recent times it recognized people, along with these tiny little thumbnails, and it's astonishing how well it recognizes us from these images.
The one thing Steve and I have struggled with in setting up a new eufy cam in HomeKit is how to manage the notifications.
Our existing eufy HomeKit cameras don't bother us very much, but the new one pointing out the window was sending us notifications like crazy.
We set up zones, and you can do multiple zones by tapping on the screen to draw geometric shapes, but it still kept notifying us.
We shut off vehicle detection because of all the cars that go by our house, but the notifications continued to pour in fast and furious.
We noticed there's also a toggle for notifications over in the Eufy app.
It was toggled on, and even though it says it's not able to do much, we turned it off.
Now we're not getting any notifications at all, even when we have person detection on, and I'm waving my arms around like crazy in front of it.
That was true for a while, but I was just noticing today, I talked about this earlier, but I was walking around in front of it and all of a sudden I got a notification that there was a person detected. So maybe it is working now.

[15:49] And I know we'll get the hang of this, but one of the downsides to having this many controls is it's kind of hard to tell which one's controlling things.
At first I had trouble getting the video recording working as well, but while we were away on a little vacation, it recorded video when my cat sitter showed up.
So I think it is working, but it was surprising that it didn't seem like it was working.
So if it doesn't work right away, when you get it set up, just give it a couple of days, it gets better.
All right, since I replaced a 1080p Wyze cam with a 2K Eufy cam that was downsampled to 1080p, you might be wondering how does the video compare? Is it about the same?
Before removing the Wyze cam from its front window view, I put the Eufy cam right up beside it and took screenshots of both cameras' video.
The improvement with the Eufy was remarkable.
The main problem with the WyzeCam was that it looks super pixelated, as though the image was moving far too quickly for it to keep up.
And this is kind of like a static view out my window.
To be fair, the WyzeCam was pretty old, so it's possible their newer models have faster video processing, but I'm super happy with how good the EufyCam video looks.
The other screenshot I took was the EufyCam at night. Remember I mentioned that if you're going to point out a window, make sure to turn off the night vision mode?
With the Wyze Cam, the IR light just blew out the view completely.
The effect on the IR light in night vision mode on the Eufy was different, and yet still made it impractical to use.

[17:15] I looked at the camera view at night and I accused Steve of mistakenly putting the camera behind the blinds rather than in front of them.
You see, in the Home app, I could see the back of the blinds perfectly.
When I accused him of placing the camera incorrectly, he laughed and said, no, that's the night vision light causing that effect.
I literally did not believe him. He suggested I toggle night vision off, and sure enough, the outdoors came perfectly into view and the video was fabulous, even at night.
This optical illusion caused by night vision mode was fascinating.
By lighting up the glass with an infrared light, all the camera could do was see its own reflection which included the curtains behind it.

[17:55] The bottom line is, I'm really happy that Eufy supplies a camera that I can wrest from their control and put into HomeKit Secure Video.
The video quality is fantastic and they're very easy to set up.
I just set up this fifth Eufy recently and I did crack the code eventually on notifications and recordings, but like I said, it took a little while. At $38 a piece in a two-pack, I think they're a good solution to replace the Wyze cams. I am bummed that that outdoor cam E220 wasn't HomeKit compatible, but we'll figure out a solution for that. Now, if you're a HomeKit user and an iCloud Plus subscriber, you might want to look into Eufy for your security cameras inside and outside of your house. All right, one last thing. You can find Eufy cameras on Amazon and at Best Buy, and if that's an easy way to go for you, you go for it. But if you want to help me out, I have a referral link in the article you just heard, and the referral link is inside your podcatcher along with all of the others I use. But you don't get a darn thing out of using this referral link. I get a $40 Amazon gift card if you spend $200.

How Helma Flew 5000 Miles to Sit in My Kitchen and Code

https://www.podfeet.com/blog/2023/10/helma-test-driven-development/


[19:01] In the Programming by Stealth podcast I host with Bart Busschots as the instructor, we've covered a lot of different programming concepts. One concept we covered twice is test-driven development. We covered it twice because the tool that was available the first time we covered it, called QUnit, was far too cumbersome. And when a tool called Jest became widely popular, he covered it again. Quite naturally, you may be wondering, why are you bringing up a programming topic outside of Programming by Stealth?
It's because I wanted to tell you a story of what happened when Helma from the Netherlands came to visit Steve and me, and it has to do with test-driven development.

[19:36] When Helma told me she was coming to visit for about a day and a half on her way to an origami convention in San Francisco, I started asking her what she'd like to do while in the Los Angeles area.
We have such a broad set of cool things to do, I wasn't really sure what she might want to do.
I explained we could go to the Getty Museum, which is high above the city giving extraordinary views of the coastline. And I hear there's like art inside. Anyway, we could maybe hike to the Hollywood sign, which is a tradition for us, specifically with people from other countries. Claus Wolff came here from Germany and he said, I want to hike the Hollywood sign. And that's where that started. We could go down to the beach for a walk and talk.
We could go out to a cool restaurant. The Museum of Modern Art is right next to Disney Hall and that's pretty nifty to look at too. We could drive up into the city of Palos Verdes Estates and look at multi-tens-of-millions-of-dollars homes. I gave her all these different things to choose from and you know what she said she wanted to do? She asked, kind of apologetically, could we just stay home and program together? Why yes, Helma, we could do that and I'd love it.

[20:39] Now you may not remember, but Helma is the third listed author of the book we published called Taming the Terminal, based on the podcast series by that name. Bart had written all of the blog posts as tutorials for the series, I produced the podcast, and I was of course that invaluable stooge in the front row asking questions, but it was Helma who figured out how to programmatically turn this set of blog posts and audio files into an actual book.
She is amazing. Over the years, we've scheduled many a play date over the interwebs where Helma helps me with my programming by stealth homework.
Programming is the basis for our friendship, so why wouldn't we do that when she was here?
I did drag her down to the beach for walks on both days, but after some healthy exercise and a couple of cups of coffee, we sat in the kitchen and coded for hours and hours and it was so much fun.
Now that you can picture two little nerds spending their precious time together coding, I wanted to tell you why test-driven development was such an interesting part of our time together.
I promise, I am not going to get into all the nitty-gritty of programming, and I think I can explain this in a way that'll be interesting to the non-programmers of the audience.

[21:46] I decided a while back to write a program that would help me add elapsed time. Excel, Numbers, and Google Sheets can all add time, but they do it on a 24-hour clock basis. So if you ask these tools to add, say, 5 hours to 23 hours instead of the expected 28 hours, it'll return the answer of 4 because they think it's 4 a.m. These tools think 23 hours is 11 p.m., so when they add 5 hours to it, they give 4am. I covered this problem extensively in a blog post in 2018 and then again in 2021. While you can beat these tools into submission and coerce them into adding and subtracting elapsed time, it is not pretty. Bart says the best programs are the ones that scratch your own itch. Armed with the tools Bart has taught us, I've gotten to scratching.
Imagine you're me and you've been slaving away at your keyboard for months and months and months, and you finally have your little app up and running, and you decide to show it off.
I sent my little web app off to a couple of people, and pretty much the first thing they did broke it.

[22:51] That's exactly what I wanted them to do. My process has been to try to think up every weird thing a human might accidentally do, but my imagination just isn't very good at thinking these things up.
When I asked Bart, how do you think up all the weird things somebody might do?
He said, decades of experience.
Well, until I get those decades of experience under my belt, sending my code to other people to break works quite nicely.
However, this isn't a very robust way to test the code after I make changes.
I'd have to keep torturing my friends and followers to try to break it again.
When Helma flew over 5,000 miles around the globe to come sit in my kitchen and code with me, we decided to work on a way to help me robustly test my code as I work on it.
Now, I promised to explain test-driven development in a way that normal humans could understand, and we're finally ready for me to give it a go. We know the problem to be solved, so we'll use my little app as an example. My Time Adder app is quite simple visually. It has two rows of boxes where you type in the hours, minutes, and seconds you want to add together. As you type numbers into these boxes, the total is constantly being calculated at the top. You can type in positive or negative numbers, and you optionally can give each row a title.

[24:02] Now, the people I asked to test my app tried to type in things other than numbers.
They typed in all kinds of letters and punctuation and even spaces.
I fixed my code so now it throws errors with these characters.
For example, if you type a letter into one of these number fields, I pop up a red message that says, numbers, you silly goose.

[24:22] Well, at the moment in time that I fixed the code to tell them not to type any letters, everything's dandy.
But now, time passes and I keep messing up my code to do other things.
Eventually, it's quite possible that I will do something that will break the part that says numbers, you silly goose, when people type in letters.
Most importantly, I could break it and never realize that I broke that part of the code.
The idea of test-driven development is to write tests, which are little programs in and of themselves that record what to test and how to test.
For example, I could write a test that says that letters should throw an error.
In the test, I would also include a sample of doing it wrong, entering letters instead of numbers.
If my code is working properly, and the test is written properly, when I run the test, it should pass if the code throws an error when letters are entered instead of numbers.
I know that sounds counterintuitive, that if it throws an error, that means the test passed.
Are you with me so far?
Now, I save that test, and every other test I can think of, and when I have my code functioning properly, all of the tests should pass.
Now, fast forward to a time when I'm working on a new feature.
After I get done adding the new feature, I can rerun the tests I wrote before, and if I broke something that was working, I'll know it, because the test will fail.

[25:40] Instead of having to bug my friends and followers to try and break my code, I can reliably try to break it myself.
That's test-driven development. It's really fun. With test-driven development, you can write the test BEFORE you write the code. That sounds crazy. It sounds like a lot of work. But if your test framework is easy enough to use, it can be really helpful. I'll explain with another example with my little app.

[26:04] Now, I wanted people to be able to subtract as well as add time. I thought about putting big plus and minus buttons in the interface, but I came up with a simpler way. If I allowed negative times to be entered, the math would subtract automatically.
Now, here's the problem. A minus sign by itself is really a dash, which is a letter, not a number. When you start to type in a negative number, you get called a silly goose before you can finish typing the number. If you added a number after the minus sign, the goose error would disappear, but I was afraid people would think they weren't allowed to use negative numbers because they got yelled at before they could finish.
Now, also, remember I said my Time Adder app is always calculating the addition of all values? As soon as the user puts in a minus sign, the math breaks too because the minus isn't a number.

[26:51] Now, before we started writing code to allow people to type just a minus and not suffer this name-calling, Helma and I decided to use test-driven development in anger and write the tests first.
This forced us to think about what the math should do if someone types in a minus sign.
We figured, hey, minus could be the same as zero, and it would be no harm.
So we wrote three tests that put the minus sign in the hours, then the minutes, and then the seconds fields, but we had real numbers in all the other fields.
Then we told the test what the total should be for adding them all up, where the minus signs would be zero.
Now it might be of interest why we had to test the minus sign in all three fields, hours, minutes, and seconds. Why not just test it in one? Don't they all act the same?
Well, the way I do the math to add up the rows of elapsed time is to add the hours from each row together and multiply that total by 3600 so I get seconds.
Then I add the minutes from each row together and I multiply that by 60 to get seconds.
And then add both of those numbers to the regular seconds from all the rows to get the total elapsed time in seconds.
Finally, I have to parse the total seconds back into hours, minutes, and seconds to get one total elapsed time.

[27:59] Now we discovered that this simple act of multiplying hours by 3600 and minutes by 60 would actually change whether the test failed or passed.
The plain seconds never got multiplied by anything, so they behaved differently.
We started getting test results back where hours and minutes were calculated properly, seconds failed, or sometimes vice versa. We learned that we had to test every field to be sure no funny business was happening. Once we had our tests written, we were ready to start writing the real code. It took a while to figure out how to allow a minus sign to be interpreted as a zero, because we had two problems to be dealt with.

[28:35] When you create an input box like I have in my Time Adder app, you tell the browser what type of input box you want. Since I wanted numbers in the box, I originally set the input boxes to type equals number. That makes sense, right? Well, it makes sense until we got this idea to allow a minus sign, which isn't a number when it stands alone. Helma suggested we change the input box to type equal text. Well, that opens a whole new kettle of fish because now you can type in any old glop and you won't be called a goose. How can we tell it to let you use text, but only certain text? Enter the terrifying world of regular expressions. Seriously, regular expressions are the weirdest and yet most useful concept I've ever seen in programming.
A regular expression is like a secret code, and it filters for specific types of characters.
I'll explain again with our example. We know we want to allow a minus sign, but we only want to allow one minus sign, and we want to allow all negative and positive numbers.
In code I will not make you read or listen to, you can create a regular expression that says to allow one and only one minus sign and any number of positive or negative numbers.

[29:43] As we started to write the regular expression, I realized there were a couple of other characters that we could allow that might help people out. What if you accidentally entered a space in one of these little boxes? You might never notice it was there, since it's blank, and you would be, you know, sad face time for you because you wouldn't know why the math was broken in the total.
What do you, what do I care if you put in spaces? Why can't those also be zero?
We added some more tests before we finished our regular expression.
Oh, wait a minute. What if you wanted to put in 0.5 seconds? As you started to type a decimal value, the dot by itself is a period, so that's text too. So maybe I could let a single dot through, but not lots of dots. I could let them be interpreted as zero. Update a go-go on the test to allow for single dot.
Now we're ready to write our regular expression to allow one or more space, only one dot, only one minus, and as many numbers as you like, positive or negative.

[30:38] I tried using ChatGPT to write our regular expressions because I find the way they're written baffling, and ChatGPT got a little bit of it right, but it was wrong enough that Helma wrote out most of it for me from scratch with the aid of a tool at regex101.com.

[30:53] Now personally, I think having someone else write your regular expressions for you is the only way to go. I've even tricked Alistair into writing them for me too. Well, what's that you say? You really do want to know what this regular expression looks like? All right, you asked for it. Here it goes. The regular expression that allows all this to happen is open square bracket, space, close square bracket, star, a pipe, which is that vertical line, minus, question mark, I think that's called a forward slash, D, star, open parenthesis, forward slash, dot, forward slash, D, star, close parenthesis, question mark.
I know it looks and sounds like a cat walked across the keyboard, but trust me when I tell you that it works. That glop I just said means one or more spaces, zero one minus sign, zero one dot, and any number of digits.
Now when I say trust me, I really mean trust Helma and trust our test-driven development tests. The bottom line is that I had an absolute blast hanging out with Helma and nerding out.
She repeatedly said she was delighted that we got to code while we were together. I loved getting my code actually working the way I wanted it, and it made me super happy to actually get some tests working so I could truly understand how this test-driven development thing works.
Bart's instructions were fabulous, but without actually doing it, it never sank in until Helma and I had our little play date.

[32:18] If you want to play with my fully functioning but not documented yet Time Adder app, there's a link in the show notes to it over on GitHub Pages.
It could be changing all the time, and it might be broken from time to time, but as of the moment that I'm talking to you right now, it is fully functional.

Support the Show

https://podfeet.com/patreon


[32:35] Well it's panhandling time. Did you know that it costs money to produce the podcast?
Servers, software, and hardware are not cheap.
And I actually think my time is worth a little bit too, don't you?
If you get value from the investment of time and money I put into the show, it sure would be swell if you contributed to the cause by becoming a patron over at podfeet.com slash patreon.
Thanks in advance for your generosity.

Security Bits — 29 October 2023

https://www.podfeet.com/blog/2023/10/sb-2023-10-29/


[32:57] Music.

[33:07] What's that time of the week again? It's time for Security Bits with Bart Busschots.
How busy are we today, Bart?
Well, it turns out we have a month's worth of news to catch up on. Did you know it's been a whole month since we did this? So yeah, lots and lots and lots of stuff to talk about.
Two relatively deep dives. A lot of news. Yeah, the summer is over. Silly season gone.

[33:29] Silly season's over. Yeah. A little bit of sort of follow up on long running stories. Passkeys continue to slowly march forward. Since last we spoke, Google has made passkeys their new default sign-in method for regular users, and Amazon has given the option for passkeys if you would like them. You do have to go hunting for them, though, but, you know, they're there, and it's a pretty big company.
Yeah. The CVS is one of the largest pharmacies in the United States, and they've done passkeys.
But I was telling Bart this on the side that I don't quite understand what's going on.
It asked me, do I want to save my passkey in 1Password? And I said, why, yes, I do.
And it said, scan with your phone, blah, blah, blah.
And then it wouldn't do it until I enabled passkeys in iCloud Keychain.
And I didn't want to use iCloud Keychain. I wanted to use 1Password.
But apparently, there's a glitch in the matrix, and I have to in order to use it.
So I'm not quite sure why that is.
I wonder, could it be that the APIs are turned off if you don't have them turned on, and that actually the passkey did go to 1Password, but it's, you know, the way.

[34:37] On iOS, the password sharing, even though it's coming from 1Password, is happening through the OS.
Yeah, and this is a newly nuked machine, so maybe something about it... Should I be able to see if there's a passkey in a...
I don't... It says there is.
In my house it says passkey created October 24th, 2023, under CVS in my 1Password.
And if your keychain has nothing, then you're guaranteed that must be it.
Because that would be if you check keychain access, if there's none in there, then mission accomplished.

[35:14] Yeah, interesting. Well, we'll see. The other thing I wanted to explain was that when last we talked, I was complaining about passkeys getting all weird with Google.
And then I had this extraneous allison@podfeet.com Google account that no longer existed, and it would always get tangled up in that and get me all scrambled.
When I did the nuke and pave on my Mac, all that was there was the correct Google account, and now it works.
— Aha! Okay, so wherever it was burrowed. — Some sort of caching somewhere in my Mac.
So I have no idea how I fixed it, but it's fixed, so I'm happy now.
— Oh, good. Excellent.

[35:53] Right. Well, let us get into the first of our two deep dives, the iLeakage vulnerability, which made a lot of news. So the TL;DR on this one, the too long, didn't read: the threat is real, but at least for now, the risk is low. So on that...
To whom? To regular folk.
Okay. So if I were working for the US government and, you know, might be of interest to the Chinese government, I would not consider the risk to me low. But the risk to us regular folk is low, at least for now. We shall see how this evolves. So that's the TLDR. So with that out of the way, what actually happened? So we have talked for a decade, I think, about speculative execution ever since Spectre and Meltdown first crossed our news feeds all those years ago.

[36:49] And most of the time, speculative execution is only a big concern for cloud vendors or other sorts of shared computers, because the problem happens when two things are on the same CPU, and data can leak between them. So if you're running, say, Allison's virtual machine for Podfeet.com and Bart's virtual machine for BartB.ie, both on DigitalOcean. And if they were to share a CPU in DigitalOcean's cloud, then theoretically, your VM could see data from my VM through speculative execution.
So the cloud vendors have all been forced to disable multi-threading and halve their capacity, in order to protect users. So this is a big deal for them. But for us home users, most of the time, the only reason it would be a problem is, if your machine had malware, then the malware could interact with your other processes through speculative execution.
But my argument has always been, if your machine has malware, why bother with the difficult task of speculative execution? You already have malware.

[37:53] It should be, if you have malware on your system, full stop. Yeah, exactly.
So I've never been all that stressed about speculative execution for home users, but this one is a little bit different.
Because this one is a combination of speculative execution with a very deep understanding of Safari.
And the attackers have conceived of a way to make two browser tabs interact, leak information between each other.
And so the attackers can use JavaScript to... you need to visit their website and they need about five minutes of your CPU time to get themselves all set up for the leaking of the data. So it needs to be a page that stays open for a long time. And then they can start to quietly use JavaScript to make little hidden tabs with say your Gmail and then read the content of your Gmail and then maybe your YouTube and read the content of your YouTube. And so they can use JavaScript to make multiple processes share the CPU, and so normally the browser stops two domains talking to each other, right? So JavaScript running on Google can't talk to JavaScript running on bartb.ie. It's called, you know, that's a fundamental of the security. But the data is leaking through the CPU.

[39:08] And so because Safari has the two tabs sharing the one CPU, the data can leak if it is an M-series or an A-series chip. So this is Apple-specific speculative execution this time.

[39:24] So, and so when it's an A-series, it's the iPhones and iPads and the M's, well, some iPads and then M-series are some iPads and all the newer Macs.
Correct. So basically everything but the Intel Macs.
And it is very much leveraging a quirk of how Safari works. So this is not a generic attack; it is very much a Safari attack. And the attackers themselves describe it as very difficult to pull off, which is why they're saying, you know, unless you're a very high value target, don't... It's not panic stations here for regular folk. But nonetheless, over time, attacks only get better. They never get worse. So this is going to become more of an issue. But there are a few silver linings here. So first and foremost is that Apple have already a fix in development. In fact, they've had it in development for a while.
So we know that there is a secret menu in Safari called the Developer menu, which you can turn on by going into preferences and ticking a tick box. There's a super secret menu called the Debug menu, which you can't turn on in preferences, you can only turn on with a terminal command. And then you get a new menu that appears in Safari. And in the Debug menu is an option that is disabled by default, which Apple have been experimenting with for segregating tabs into different CPUs.
Which removes the problem.

[40:50] So why are they bearing that, hiding that in a double-secret menu?
Because it's in development and they have a warning on it saying that they can't guarantee its stability if you enable it. So it's baked, sorry, it's baking but not baked.

[41:05] That sort of seems like they're showing their hand a little bit.
They're letting people bang on it?
To some extent. The other thing is, I think one of the reasons it's in there is because we also know that lockdown mode protects against this vulnerability.
So my expectation is that lockdown mode does enable this beta feature.
Because how else is lockdown mode protecting users from this exploit?
Hmm. Okay.
So that's the really big silver lining, actually. I've somewhat buried the lede here.
So if you're important enough to be a target of this attack, you should have been running lockdown mode from the moment lockdown mode was released.

[41:43] Which means you should have been protected from this vulnerability before we even knew the vulnerability existed.
Right, right. So, you know, hopefully Apple will get this fix they have in beta all the way through to the production Safari for everyone. And if you're the kind of person where this is a danger to you, you should be in lockdown mode anyway, but now you've run out of excuses.
Turn on lockdown mode. Okay. So that's our first deep dive. We won't worry our pretty little heads about it as general people, but it'll be fun to to see when they get it fixed. I'm sure you'll let us know.
I will. And the other thing, of course, that could happen is the attack could get better, in which case I will let you know that we do have to take action.
But again, I'll monitor it and everyone else can stop worrying their pretty little heads about it.
For now, we're fine. OK. Deep dive number two, then. iOS private Wi-Fi addresses have been fixed because it turns out they hadn't been working as well as we thought.
So we need a little bit of a history lesson here. I did a lot of deep dive to try to figure out how old these...
There's two related features involved here, and I tried to figure out how old both of the features are.
So we need to go back all the way to the iPhone 5 for the start of this story.
So before the iPhone 5, your iPhone...

[43:02] Well, your iPhone still has a MAC address for its Wi-Fi card, and that has always been true.
Before the iPhone 5... And this is, for those who are new to this, it's not Mac as in Macintosh.
It's... what does MAC stand for? Media Access Controller.

[43:18] Okay, so every network card, if you will, has that, right? Your Wi-Fi radio, your Ethernet card has it. Bluetooth, yeah. Okay.
Yeah. So that address is baked into, it's unique to each network card. And so that is unique to your phone. And so before the iPhone 5, as you wandered around the streets of London or wherever you lived, your phone was scanning for Wi-Fi networks to join. And in the act of scanning, it sends out packets which say, hello, is there a wireless base station here?
Hello, is there a wireless base station here? And that packet has a from address, which is the MAC address the packet came from. So people, the advertising industry, shockingly,

[44:03] realized they could abuse this to track people around London and have billboards show custom ads everywhere you went. Literally, the ads would follow you around because your MAC address was unique forever. And Apple got very cranky about people being spied on in this way.
So with the iPhone 5, they introduced a feature that before you joined a network, so while the phone was in beaconing mode, is what it's called, it would just use a random MAC address for each beacon. So every time it went, hello, it would just pretend to be someone else. And so there was no way... We were all excited about that.
We should have been. And that feature has never been broken, by the way. So that is a good thing.
So while you are not connected to a wireless network, the beaconing has been anonymous since the iPhone 5, and that is still true today. And it wasn't broken. So that's the good news.

[44:55] So for a long time, it was the case that when you were beaconing, you were anonymous.
But the moment you stopped beaconing, you had your real MAC address so that things like static leases on your DHCP and stuff would work. Because otherwise, if your MAC address was changing randomly and you were trying to have your Mac always have the same IP address, it would never work and your file sharing would break and people get cranky and it would be all, you know, wow wow, right. So for a very long time your real MAC address came out the moment you joined the network.

[45:24] But in iOS 14 Apple decided we can have our cake and eat it, and they added a new feature where, presumably by taking, say, the MAC address of the Wi-Fi router or something, they would make a random MAC address that was forever tied to your device on that network. So it was a one-off random MAC address that's different for every phone and every network. So your phone would always get the same MAC address on the same network, but your phone would get a different MAC address on a different network.
Right. Forever. So it was still static. So every one network could give you a static IP address and stuff because you weren't changing. But you couldn't be tracked from public Wi-Fi network to public Wi-Fi network to public Wi-Fi network because you would be constantly changing MAC addresses. So again, the spying on people is more difficult, even on free Wi-Fi where you are connected.
It turns out that the implementation of that feature, which they called Private Wi-Fi Addresses, had a bug adjacent to it.

[46:32] So at the actual Ethernet level, so the Ethernet protocol is what drives Wi-Fi, and at the IP protocol level, the feature worked perfectly. The packets were addressed with a randomized MAC address. And so at the low down network level, there was nothing wrong.
But Apple have this legacy protocol called Bonjour, which is used for automatic device discovery.
So when you turn on your Mac, it automatically shows up in everyone's Finder sidebar. How does that happen?
The answer is that your Mac sends out a broadcast address saying, Hello, I'm a Mac and I offer all of these services. And every other Mac on the network sees the broadcast and it does the appropriate thing.
It's like, oh, I see you're offering file sharing. OK, I'll pop you in the sidebar of the Finder.
Oh, I see that you're an AirPlay speaker. I will show you on everyone's AirPlay list.
Right. That's all happening with Bonjour.
How does my Mac know this printer exists?
It's all Bonjour.
And the Bonjour... Can they change the name away from Bonjour to something else? mDNS.

[47:37] That's right. But Bonjour is more fun to say. We'll stick with that.
Yeah. If I say mDNS, no one's going to have a clue what I'm talking about. Yes. And Bonjour is a good name. So the Bonjour protocol happens above the Ethernet level and above the IP level.
They're actually UDP packets. And inside the UDP packets of that, hello, here I am, is some metadata. And one piece of metadata that had been in that UDP packet was the MAC address of the network card, the true MAC address of the network card.
So if you use a network scanning tool like Wireshark, you could intercept the UDP packets on the Bonjour port, find the appropriate metadata field and pull out the real MAC address and therefore track people from network to network.
If you were doing the same scan on multiple networks, you would recognize that this is of the same iPhone, even though it's pretending not to be.
OK, now the interesting thing is that network tools are not going to see the problem because they only work at the lower levels.
So in order to actually discover this MAC address, it's not that the MAC address is being used, it's that the MAC address is in an unencrypted packet.
So it's a way more subtle bug than you might think from the early reporting.
So you're not just going to show up with the wrong MAC address on someone's network control panel; if you go into your Eero Wi-Fi, you won't see the iPhone with the wrong MAC address.

[49:07] You actually have to proactively become a person in the middle on the network and scan all the network traffic to seek out these MAC addresses in the metadata.
So it's a little more involved than a lot of the reporting kind of implied.
Anyway, they fixed Bonjour, the ancient legacy protocol that they're still relying on.
So it does not embed the true MAC address in the Bonjour metadata.
So they have fixed the problem. And it has taken them until iOS 17.1 to remove a problem that in hindsight has existed since iOS 14 when they introduced the feature in the first place.

[49:43] So does that mean if you're on 16 or 15, which are supported OSes, you don't get this fix?
It does mean that. But again, the danger here is excruciatingly low, because this is one of those nice to have features, because the beaconing before I connect, wasn't and isn't broken. And that's the really important feature, the beaconing.
So unless you have your iPhone configured to automatically join open networks. Hint, do not do that. That is spectacularly dangerous for a million reasons. This is reason million and one. Right. So unless you have your phone automatically joining random networks, you're safe. And even if you do, you're in danger from all sorts of other stuff because you're randomly joining other people's Wi-Fi. But the risk is that the people whose Wi-Fi you join could track you. That's the only risk. So it's a very low risk, even if you are quote unquote vulnerable and you do wander around connecting to random wireless networks.
Okay. I'm not going to lose any sleep about it at night, but I will. What I was actually remembering was it changed in 2005. It used to be called Rendezvous and they changed it to Bonjour.
Yeah, Rendezvous was a cooler name, but someone else owned it or something, wasn't it?
I forget why, but okay. I need to probably get over that is what I'm thinking.
I'd forgotten it was called Rendezvous.
Yeah, they stuck with the French theme, though.

[51:11] Right, right. Well, that's good. OK. Right. So there are two deep dives.
So now let us get to some action alerts and we have a month worth of action alerts.
So it's not that things have gone to hell in the handcart, it's that we've been slow.
So we have a lot on our plate. So first off, security researchers have released details of an unpatched vulnerability in a bunch of popular D-Link Wi-Fi extenders.
After the company failed to respond to all of their attempts for responsible disclosure.
So do you remember when I went and met with the CISO of D-Link at CES?
And he was like, Oh yeah, you know, like, I'm really busy. We like don't really have time to like fix these things.
It was a camera that they sold that they hadn't fixed some security vulnerability on, and that's when it went, as Bart would say, into the bin.
Yeah, so I'm afraid to say if you have one of these D-Link extenders, you should power it off until D-Link get their act together, or replace it.
And in fact, if I may give you a bonus tip, a Wi-Fi extender halves your Wi-Fi bandwidth.
So maybe now's a good time to get a mesh network.

[52:25] It halves your... explain that? So, an extender works by basically being an echo.
And so, half of your bandwidth is sent telling the repeater what to repeat, and then half your bandwidth goes on the repeat.
So, the amount of usable bandwidth for every repeater is that your network drops by half.
So, you get a bigger area, but you can only put half as much data through.
And so, I would say... So, with the mesh network, they usually have a separate backhaul radio.
So you're sending in with one and receiving with the other or vice versa.
You're sending it back to the main station. Exactly. So the relaying is happening.
So there's two channels, one for sending all the wireless access points, what to say, and then the wireless access points can all do the same.
So they're not stomping on each other.
So the relaying and the saying are not sharing the same radio waves, not radio waves, frequency. That's the one.
And yeah, you have an excellent episode with, is it with Dave or who's that with?
You have a really good episode on that. It would have been Dave Hamilton. Yes.
So that is why Mesh is great. And so if you're going to do anything, I would say maybe if you need an extender, what you'll really want is a Mesh.
Because you obviously need more than one access point, so get a Mesh.

[53:37] In related news, since D-Link just have their copybook all blotted, they also confirmed that they leaked the names and email addresses of most of their customers.
So that makes you a little bit more prone to some phishing, really.
They didn't leak any payment cards, so yay.
But put a pin in that little theory for later.

[53:56] And our friends at Arm have patched their Mali GPU driver, which rang no bells to me whatsoever, I'd never heard of a Mali GPU.
Apparently, they're the GPUs in lots of Android phones, which is maybe why I'd never heard of them.
So if you have an Android phone.
And you know what graphics card is in your Android phone, and the vendor of your Android phone has deigned it appropriate to give you a security update. There is a critical security update, maybe. I have no idea how to tell you whether you're vulnerable or how to fix yourself, because you're on a train wreck of an operating system. With some notable caveats being, if you buy a phone from Google, you get a really good experience on Android.
So Pixels are great because it's like that. Where did that come from? Where are you getting that from? Because the Pixel is only one vendor, so a Pixel is like an iPhone.
It's Google all the way down instead of Apple all the way down, whereas if you have a random phone from Xiaomi...
How are you supposed to know what to do when I tell you there's a problem with any Android phone with a Mali GPU?

[55:06] I bought my phone, my Android phone from Google, and then they said, yeah, it's a Motorola phone, we're not going to take care of you on that.
That is very disappointing. And I don't know if you noticed that they made it a feature of their most recent line that they're promising, was it seven or eight years? I can't remember if it was seven or eight of support.
I think it was seven. So if they live up to that and don't do their usual Google thing of getting bored and sodding off. That would be an impressive feature. But I guess time will tell. And do you trust Google? But anyway, I have more nice things to say about the Pixel in a later story as well as it happens.
Very much a related story. Google have released the October Android security update. It contains fixes for zero days. So hopefully your Android vendor is quick to give you those October patches because you need them and don't dawdle on them.
Now, if we have any smug Linux users, your turn. Two major vulnerabilities for you to patch. There's one called Looney Tunables, which is yet another cool name for a bug.
That's, basically, it gives attackers root privileges on, you know, without root privileges.
It's a privilege escalation vulnerability. It's quite nasty. So you browse, you know, I think this one was in media files.
So you open the wrong audio or video file and all of a sudden the attackers have root.
That's not good.

[56:32] And then in a similar vein, there was a problem in the very popular GNOME desktop system.
So on Linux, you can have different desktops. You can have KDE or GNOME or XFCE, or a whole bunch of them.
GNOME is a very popular one, and there was remote code execution in GNOME, where if you downloaded a file through a browser, you could end up with remote code execution.
So you don't want that. So the important part of the story is they've been patched, run the patches?
That is it, exactly. So whether you know, apt-get update or yum update, whatever flavor of updating your Linux flavor has, patches are there, patches are out, and Linux is very good about getting them to people. So patchy, patchy, patch, patch, and you're all good.
While we're in patchy, patchy, patch, patch mode, if you are one of the many, many, many, many people who have a Synology disk station, we now know that the security update they released in June fixed the nasty bug that has now been responsibly disclosed.
So you've had since June, if you've been dawdling...
Stop dawdling. Patchy patchy patch patch. But really, you should be good.

[57:35] And again, continuing our theme. If you live in Microsoft Land, it has been Patch Tuesday.
Some time ago as we record this. So if you have been dawdling on those Windows patches, patchy patchy patch patch, because we had four zero days this month, which is more than the three we had last month, which I think is more than the two we had the month before.
I'm hoping that isn't a trend. But anyway, patchy patchy patch patch.
And finally, I used to sneer, you know, turn my nose up at Microsoft having too many patches and too short of a time.
And even though it's good to be patched, it's like, oh, how annoying, I can't believe those Windows people have to put up with that.
I'm no longer sneering at them since we get one every half an hour and it's always everything, right? Yeah.
It's because they're all interconnected. Now it's your Mac, it's your iPhone, it's your iPad, it's your Apple Watch.
So it would help you if you got more than one of those. If I had listed all of the patches, there would be three links here, because we had 17.0.2, 17.0.3, and now 17.1.
I've only listed the most recent ones, so you should now be on iOS 17.1, macOS 14.1, and there have also been lower point updates for the older operating systems, and lower point updates for Safari on the older operating systems to keep your Safari patched on those with older operating systems.
So everyone has had at least one.

[58:59] WatchOS and tvOS didn't get them too? Oh, they did, sorry. They just didn't make it into the headline on the sounds link. All of them. All of them.
OK, because it's watchOS, 10.1 is what I'm running, and hopefully my Apple TVs are pretty good about doing their own.
I'm almost afraid to show you, Alison, but since I went to 10.1 overnight, my weather is working again. I'm afraid to look away from it, but right now I have weather again on my iPhone, or on my Apple Watch.
On your Apple Watch. So people won't have heard what you're talking about, but we recorded a segment yesterday that's going to play later. And that segment in that segment, he talked about the fact that weather was gone again on his watch. And now it's back.
It's back. Touch wood. I'm not going to look at it funny, but so far, so good. I had a whole day of it and it was a very showery day. So it was great to have the warnings again to tell me whether or not to bring the umbrella. The answer is yes. By the way, I should just have a thing on my watch that says yes. Do I need my umbrella? Yes.
I like to compare the fact that he's worried that he doesn't have the weather it's going to rain icon on his watch and complication and mine is the UV index.
Am I going to burn? Am I going to drown or are you going to burn? They're both important.
Arguably yours is more important because rain doesn't give you cancer. Anyway.

[1:00:13] Worthy warnings then. So that was our action alerts for Patchy Patchy Patch Patch, which is basically everyone. So worthy warnings. So there has been a very major breach at 23andMe.
And it's actually quite difficult to figure out for absolute sure what's going on.
We definitely know that People's 23andMe accounts have been broken into.
It appears to be through password reuse, because the attackers are simply going in with the right username and password. 23andMe insists it's password stuffing, in other words, the password was stolen somewhere else and people reused their password on 23andMe. Steve Gibson is convinced there's more going on because the numbers are too big.

[1:01:00] I don't know who's right. But there's a very interesting multiplier here. If you sign up to 23andMe, they have a feature where you can try to find lost relatives by agreeing to share.
Your security has now become as weak as the weakest person whose DNA matches with you.
So maybe the multiplier effect is from the sharing feature only, and maybe there's nothing more nefarious than password reuse going on.
Now, I would argue that like banks and Google and Apple's iCloud, 23andMe should have been enforcing 2FA or MFA for quite some time now.
They hold very sensitive data in people's accounts.
So I would say that they're not blameless here.
But either way, if you are on 23andMe, no matter how good your password is, if you've enabled that sharing feature, you are as weak as the worst person on that platform.
So disable the sharing would be my advice.

[1:02:07] But if you, so if you disable your sharing, but somebody who shares DNA with you doesn't disable theirs, theirs leaks, but yours doesn't.
And they can't leak into you. Well, I mean, they can't leak your... once you stop sharing, their bad password can't leak your genetics.
OK. So less bad, right? OK, well, that's good, I guess.
Yeah. So it's a difficult story. It's there's definitely bad stuff going on.
23andMe are rightly being castigated for not forcing MFA on something so sensitive.
It's very hard to find more personally identifiable information.
Like what's more PII than your genetics?
So they're right, right. They definitely deserve a finger wag at the very least.
But anyway, that's going on there. Now, while we're wagging our fingers, the I believe they're a budget airline.
They are Spanish.
They're called Air Europa.
And they have had a rare kind of data breach, one where they have actually lost all the payment cards.
They've lost the card numbers, the names, the expiry dates and the three digit code on the back.
They have lost the whole kit and caboodle.
And their advice to customers is, "Ah yeah, phone your bank and cancel your card."

[1:03:32] And that sort of... Well, that is the answer, right? Right. But not "we will give you free credit monitoring."
We're really sorry. Just, yeah, it's up to you to phone your bank and cancel your card because we lost it.
So what? I know this just stank to me of like, oh, come on.
It's been a long time since I've had to say, and yes, the payment data is in it because most breaches these days end with.
And it only contained the last four digits of the credit card or it didn't contain the credit card numbers.
It's been a long time since I've had to say they lost it all.
The whole kit and caboodle. Verification codes and all. And according to the payment standard, you're not supposed to save the verification codes. Like that's part of the standard, if you don't save the bloody codes. But anyway, yeah, spectacular.
So I know for those countries that can't have the Apple Card yet, this is just going to be annoying. But I enabled a feature a while ago that I probably learned about from you, where with the Apple Card, you can have a rotating CVV number.
Yeah, especially your fresh card every time. It's kind of annoying because you have to open up your phone or look on your watch, to get the number every time, but I feel good about it.

[1:04:41] It's the way to go. If it keeps changing, then people can't lose it on you. No secrets to keep, much easier.
The next story rather surprised me. Casio have released a data breach affecting customers in 149 countries. Apparently, pocket calculators now have all sorts of cloud features and stuff.
Casio's still around. Yeah. My darling beloved just started university again as a mature student, which is what we call old people who go to college, which I think is hilarious because he's not very mature.
And he went to buy a calculator and honest to goodness, it looks almost no different to my Casio from when I was a student.

[1:05:23] That's funny. They still have the same scientific calculators. Now his screen has higher resolution and it can do graphs and stuff. And then he had to go buy a second calculator because he's not allowed to use the nice Casio in exams. So now he has a really crappy one with a terrible screen with no features. It's an own brand from our local supermarket. It's a Tesco's calculator.
Why doesn't he just use the calculator on his phone? Oh, probably can't use his phone.
Can't use your phone in exams either. That is uber-reporting.
Yeah. Oh, that's funny. When I think of Casio, I think of Steve had a Casio digital watch when that was all the rage. And he needed a battery replaced and he took it into like JCPenney or something like that. They had a little jeweler who would pop it out and put in a new battery, and the guy's taking the screw out, and all of a sudden we saw him just kind of look up and start looking around, and then brushing his clothes, and looking on the floor, and he'd lost the little screw.
So he found another screw, and he put it in, and then he turns the watch over, and the screw was too long, and it cracked the LCD. So he broke the watch.
So he said, okay, nope, we'll cover this, we'll cover the repair, we'll send it off for repair.
They sent it away. The place they sent it to got flooded and destroyed the watch.
No, no, no. Cursed Casio. As a kid, very sad.
There was only ever the one guy in the school who had the Casio calculator watch and everyone was jealous of that guy and it was not me.

[1:06:45] I've always wanted a Casio calculator watch. Why I particularly needed to calculate with teeny tiny buttons no finger could use, I have no idea, but I definitely wanted it.
Because you're a nerd. Yeah, exactly.
And then they really upped themselves. Didn't they also have the TV remote watch, wasn't it, Casio, as well?
You could change the channel. And by the way, I mean nerd in the most complimentary way. In our world, that's a compliment. Absolutely.
Anyway, so they've had a data breach. From what I can tell, the biggest risk there is phishing.
They did not lose payment card details. So that is good.

[1:07:16] There has been a massive international campaign of SMS based phishing.
And what they are doing is spoofing major national postal services.
So UPS in the United States, but it's actually over multiple countries.
And NL Post was in it. So Helma is potentially in the firing line.
And An Post, the Irish Postal Service, was one of the 12 nations on the planet whom the attackers went after, and this podcaster here got three of them.
Ah, Steve got one. Yeah, while I was expecting deliveries.

[1:07:53] Oh, that's interesting. Now, luckily, I checked the domain names where I land on things, because always check the final domain name where you land on things.
And the domain name was anpost.secure.com or something. It's like, hang on a second.
An Post is not the last thing on that domain name. This is fake. And indeed, it was.
Right. Yeah. So watch out. If the postal service, wherever you are, says something couldn't get delivered and you probably owe them a small fee.
It was customs fee this one. Click. You have a delivery.
If you do not pay the customs, we will return it to the sender.
You have one day remaining.
Click this link to pay. And yeah, it was secure-pay.com or something like that.
And then the name of the postal service before the other domain name.
Anyway. Your typical stuff. But they did a good job of faking all the graphics and stuff.
They had really gone to town on being a fake Irish Postal Service.
And other countries too.
Finally, if you're the kind of person who...

[1:08:53] Leaves ads enabled. Don't click on any Google Ads because there is an absolute explosion at the moment of malware successfully spreading through poisoned Google Ads.

[1:09:06] So the attackers are succeeding in placing ads for popular software.
The first one that made the news was KeePass.
So K-E-E-P-A-S-S, which is an open source 1Password alternative.
You need to self-host the backend and stuff. But if you're the kind of nerd who wants to own everything from the ground up and have nothing be trusted by a third party, KeePass is, you know, you have to do the appropriate amount of work for I'm hosting it myself. But it is a good option for the kind of person who wants to own everything from the ground up and run their own servers and things. Anyway, that was taking you to a fake KeePass site, which was using punycode, which allows you to have odd letters in domain names. So they were able to have a letter that wasn't a K but looked like a K, being the K for KeePass, in the domain that the Google ads took you to, and they completely copied all the icons and the logos and stuff, and they let you download a copy of KeePass that did work... and contained a virus.
And that was the first news story, and then it turns out that the attackers decided that, oh, this is working so well, we shall expand, so Notepad++ and a whole bunch of other PDF readers and stuff are now in the mix as well.
And Google do seem to be trying to shut them down, but they seem to be finding ways back around.
So at the moment, the attackers appear to have the upper hand on this one.

[1:10:29] So don't click on ads, basically. Moving on to notable news, a lot has happened in the last four weeks.
So just in case you needed a reminder that if you have, say, a NAS, or a router, or any other device you plug into your network that has a web interface for configuring it, do not expose that web interface to the internet, and absolutely positively do change the default password.
A scan of the internet by a security company found 40,000 router admin portals where the account and the password were admin, admin.

[1:11:14] On the public internet. It reminds me of when I went to my friend's house and they were having trouble with their network, and I was trying to explain to them that Wi-Fi doesn't go really well through refrigerators.

[1:11:25] They were like exactly on the opposite side of a refrigerator.
But I ended up dragging a wire over it.
And I said, well, let's just log into your router and figure out what's going on.
And they said, oh, we don't know what our router password is.
So I typed in, you know, Verizon Fios router password, and it said, oh, it's admin and admin, and it was.
Yeah. So yeah, don't do that. That was a few years ago. I was hoping those were gone by now.
Yeah, apparently there are still 40,000 of them at least sitting on the internet.
So there we are. Okay.
Security researchers, it was Pwn2Own. It's always fun when Pwn2Own is on. So the Pwn2Own contest is where hackers hack things, responsibly disclose how, so the vendors can fix them before revealing how it was done. And the gimmick is you get to keep what you hack. So Pwn is code word for hack, to own, to own it. So Pwn2Own. So if you hack an iPhone, you get to have an iPhone. If you hack a laptop, you get to have a laptop, etc. So the Pwn2Own competition was on. The iPhone 14 and the Pixel 7 remained unscathed. No one successfully pwned either of those two phones, hence me saying nice things about the Pixel 7. The Samsung Galaxy S23 was literally hacked four ways from Sunday. Literally, four times.
So this was before the 15s came out, apparently? It must have been, actually, yes, it was earlier in the month, because it was very near the bottom of my RSS reader, so it must have been earlier.

[1:12:53] Okay. So anyway, that was good. The iPhone's been hacked before, though, right?
Oh, yes, but this year...
This year, the two flagship phones from Android and Apple are doing well, so that means that they're upping their game.
I would say Pwn2Own is somewhat responsible for these things getting better.

[1:13:13] Yeah, that's interesting. I would say so. I don't see how it could make it any worse.
It's basically a very high-profile bug bounty with a whole bunch of street cred as well as money. So, you know, all good. And the responsible disclosure being a condition of the competition is just such a nice feature. So that makes me very happy.
Less happy news. A reminder of why we need passkeys. So we have talked a few times about the fact that it is possible, if you do it in real time, to bypass many forms of two-factor authentication and multi-factor authentication by, in real time, getting the person to give you the code instead of typing it into the browser themselves. So it involves paying someone in a low-income country to simultaneously attack the person in real time. But.

[1:14:01] That's now available to buy as malware as a service. It's called EvilProxy because they're not hiding what they're doing. So you can buy EvilProxy to get real-time man in the, basically person in the middle attacks against MFA. Although we now have a new acronym to be more gender appropriate. It is now AITM, Adversary in the Middle. So AITM is now what we say instead of middle.
A, adversary. Yeah, I've been looking for, we've been trying to come up with that. Adversary in the Middle. AITM.
Anyway, this is real, and it is happening to large US corporations at the moment.
It's being used against executives.
The idea being if we can get into your corporate email, we can then do a business email compromise where we send an email saying, by the way, we need to have our vendor just called and we have to change the bank details before the big invoice goes out next week.

[1:14:56] That kind of stuff. And so that is now, because again, follow the money.
It's worth paying hackers $20 per attempt, if you can get a $20 million transfer, 1% of the time.
Right. So this is a toolkit that they're selling to hackers to allow them to do this?
Yeah.
So basically they're paying for someone in India or somewhere in a call center to, in real time, fish people's codes and use them and give access to the bad guys.
Sorry, baddies. I'm trying to be gender nonspecific. Baddies, goodies and adversaries in the middle.
So that's happening, unfortunately.
And no slam on India. Yeah, exactly. You know, it's one of those things. Someplace other.

[1:15:40] Yeah. Now, I think we now switch all the way to good news. I think it's all good news from here. I hope so.
Or could. Oh no, sorry. Sorry, I'm jumping the gun. Another piece of bad news. A report has been released by the US Department of Homeland Security's Inspector General, they confirm that quote CBP, ICE and the Secret Service did not adhere to privacy policies or develop sufficient policies before procuring and using commercial telemetry data.
Translating to English, the Department of Homeland Security and their subsidiaries illegally purchased location data from people's phones and used it to track people contrary to the The Inspector General made 8 recommendations. The HHS will be doing 6 of them.
So, interesting. And for those of you who don't speak American E's, CBP is Customs and Border Patrol, and ICE is Immigration and Customs Enforcement. And why do you need two agencies for customs? Do you collect customs twice?

[1:17:07] Sorry, that just struck me now. Those two acronyms, why do they have a… I'm sure they have different responsibilities. ICE is the ones you think of as breaking down the door to grab you and drag you out of the country. And Customs and Border Patrol is the people you think of that are terrifying as you come into the country, who look at your passport and tell you what to do. But I have no idea if that is the technical definition of the two organisations.
It is certainly a subset of their duties, but yes, I don't know what else they do.
The next story starts with the time you're writing. And I do not mean to disparage any of the people performing those duties.
Yeah, they're not making the poli... Well, if they're high enough up to making the policies, I will feel free to disparage them, but the people on the ground doing the hard work, no disparagement from me.
I've worked in government institutions. It is not easy. It is quite difficult.
Anyway, if you are the kind of person who buys things from social media, whether that be from influencers or from ads, you should probably be aware that despite the fact that we think the rate of reporting is 5%, we know for a fact that in 2021, 2.7 billion with a B US dollars was lost to fraud on social media. So it's probably 20 times that.

[1:18:34] So, boy, the ads are really good, Bart. They're really, really, I mean, they're, they're often, I mean, especially like TikTok ads and Instagram ads, they're really effective.
When you think about ads on websites, you think blaring in your face, annoying.
But when you're on TikTok and you see somebody using like this special scrub brush and they're getting a grout clean in the bathroom, it's everything I could do not to reach for my credit card and buy it.
I mean, they're really, really effective ads because there's somebody who maybe even somebody you're following who's done a bunch of funny stuff or music or whatever you like, and then you're like, oh, well, you know, I know I can trust them. I bet that's a good thing.
And I'm sure the vast majority is real, but a lot of that doesn't mean you aren't going to end up with an empty box.
Yeah. Or a box with a brick, as the other classic.
Weighs the right amount. Only it isn't what you think it is.
OK, now, now we're done with the bad news because my next two stories have fire extinguisher, so that must be the turning point.
So there was a rumour that there was a zero day bug in Signal.
The Signal people were very quick to say, absolutely, positively not.
We have double checked everything from top to bottom. We are continuing to double check everything.
There is absolutely no sign of any problems whatsoever.
That was fake news.
So if you heard something about a nasty problem on Signal, it was fake news.

[1:19:58] Also, fire extinguisher, different type of fire extinguisher.
1Password very responsibly disclosed the fact that they were caught up in a data breach at a company called Okta, who are like a provider of multi-factor authentication for companies.
So they're like, you outsource your multi-factor to Okta. And Okta was behind the multi-factor for support forums for 1Password, and 1Password noticed something weird and shut it down immediately.
So no actual damage was done to anything, but in the interest of transparency, 1Pass would disclose the fact that they discovered something weird and stopped it before anything went wrong.

[1:20:38] So that to me is the ultimate two thumbs up. But a lot of the reporting was like, 1Password discloses incident, or 1Password caught up in Okta breach. And that is factually true, but it implies a problem as opposed to a good news story of 1Password being on the ball enough that they spotted it and nipped it in the bud and all is well. So that gives me, you know, faith in 1Password. And of course, the related story here... We never said they might not lose data, but we trusted them that it would be OK if they did.
Yeah, and they didn't even do that, right? So we're not even in the region of, and their vaults are properly encrypted, unlike some people's.
So anyway, all good news. It does obviously tell us that if you are running a company and you use Okta as a provider for your company, you probably have some work to do to make sure you're not caught up in the Okta breach.
Shouldn't affect regular home users too much though.

[1:21:35] Now, I was very happy this month to hear two pieces of news out of Microsoft. Because, for years now, two technologies have been used to hack people's Windows machines at home and at work five different ways from Sunday because of legacy technology that just will not die.
It's not dead yet, but the end is in sight.

[1:21:59] Microsoft have deprecated VBScript. It is being turned to a feature on demand.
Which means that if you really want to use VBScript because you've written some macros twenty years ago that your entire company depends on, you can still run VBScript for a while.
But it's not going to be a part of Windows in the future.
You'll have to go fetch the insecurity instead of having the insecurity delivered for free as part of the OS. Why are you so excited about a feature that people really liked being deprecated?
Well, because it's been utterly replaced at this stage. VBScript is very, very legacy.
There hasn't been an update to VBScript. I believe it was 2016 was the last time VBScript got an update. With the death of IE10, all but the most legacy weird systems in the bottom of a giant big industry somewhere have gone away from VBScript, so it shouldn't be affecting any of our listeners. None of our listeners should want VBScript at this stage because you know PowerShell and everything else has replaced it, or Excel formulas, or you know.
Very, very, very legacy now and massively abused by malware, massively abused by malware.

[1:23:13] Another feature that is ancient, it's so old it predates Microsoft. It goes back to, oh, what the heck was it? I've forgotten the name of the company now. They did networky stuff.
Was it Netware or something? Microsoft bought them to make Windows NT.

[1:23:31] Oh, I don't remember who that was. Oh my god. Anyway, bloody ancient.
They had a protocol for authentication called LAN Manager, which became Next Generation LAN Manager, or NTLM.
It is colossally insecure, uses terrible hashes, and is the bane of security people's lives all over the place.
And for home users is a problem too, to have these NT LAN man hashes lying around.
Microsoft are killing it.
Replacing it with the industry standard, so not Microsoft specific, but the industry standard authentication protocol Kerberos.
So Kerberos gets a nice big update from Microsoft. So they're spending money on an open protocol, yay.
And NTLM goes away, double yay.
So bright futures there on those two fronts.

[1:24:18] And I figured since we're saying nice things, we may as well add one more.
The audit logs in Office 365 are being extended in length.
I think it'd been tripled, no, doubled, sorry, doubled, so that it's easier for corporations to retroactively see if security vulnerabilities you would discover later affected you before they were discovered.
And this is in the foot of the Chinese government having been discovered to have hacked into US government Office 365 tenancies a few months ago.
And they weren't able to get as much information as they would have been able to had the audit logs gone back further.
And one of the things Congress asked, I think it was Senator Wyden asked, was, can we have more logs, please?
The answer is yes, you can. Everyone can. Logs for everyone.
So yeah, all good.
Now nice things about Google, I promised you more of those. Google Play Protect has gotten a nice update.
The main thing to say is that they have found new protections against advanced techniques that are currently being used by the attackers. So the cat is now beating the mouse and these protections extend to side loaded apps.

[1:25:34] So better antivirus on Android and protecting side loaded apps as well as Google Play apps.
So that is, I think, a good thing.
What are they doing that? So if you have the Play Store. Detection on the device?
So the Play Store on your device runs antivirus that scans all software on your device, whether or not it came from the Play Store.
Why don't they just run the malware stuff on their own store before they let you have it?
Well, actually, no, they're detecting malware that changes after it's downloaded.
So they're now protecting from... This is now a new trend where you download the app and it's completely legitimate, and then it uses either a time delay or it goes and fetches something from a server and becomes malicious after the fact.
So the malicious code wasn't there when you saw when you loaded the app to the store, but it comes later, it's called dynamic malware.
And so now they're protecting against that as well.

[1:26:28] So that would mean the hash, though, of the real software is not the same. Right.
I guess it's unique malware. So it's not like this is a copy of Excel. It's an application to turn on a flashlight or something, and you don't know that it's got malware in it to start with, or it's going to download malware.
Exactly. And these are always throwaway apps. So it might be like, yeah, free PDF reader, and you download it. And for three months, everyone's downloading it, and it's showing them all their PDFs, and then it detonates.
And then from that point forward, that hash becomes, you know, marked as bad.
But at this point, it's been downloaded for three months, and it's all over the place, so it's too late, you know, horse barn, etc.
So this way, because the scan is going to be on the device actively, it will catch the malware as it morphs and still nip it in the bud and report home to say what had happened, which means the developer gets booted off the store as well.
So win-win-win all around. So basically, it's a nice update to deal with the current threats.
So that is good to see. And again, talking about making things better for everyone, Google have expanded their bug bounty program. If you find ways to trick its AI into doing things it shouldn't, you can now win a bug bounty.
So if you can engineer a bard to do naughty things, you can win a bug bounty.

[1:27:45] Naughty as in? Whatever it's not supposed to be able to do. So I think Bard isn't supposed to be able to tell you how to make a bomb or something.
So if you can trick it into telling you how to make a bomb, and you can find how to do that, then you can win yourself some money.
I think one of the things that they've got guardrails of, like, if you try to get it to answer a political question, it says, Yeah, nice try.
Yeah, I'm not going into the middle of that. That should win you a bounty, too, I think. It's not only, like, you know, blowing things up. It's anything that it shouldn't be able to do.
If you can bypass the safeguards, you get your money.

[1:28:20] Yeah. And they've also announced a new feature called IP protection which stands for all the word like iCloud Private Relay.
So that is a feature coming in future to Google's Chrome. So that's all good. Excuse me. Sorry.
Trying to sifle on here. And finally, I think, it has been a good week for the goodies.
No good few weeks for the goodies.
More good news stories. Ukrainian activists have hacked a ransomware gang and wiped all of their servers. Yay. India has shut down a whole bunch of tech support scammers. Taken them out of business. The United States has taken 17 North Korean scammers off the internet.
And Interpol has dismantled the Ragnar Locker ransomware infrastructure, which was doing a heckin lot of damage. So really good work there by law enforcement across the world, from Ukraine to India to the US to Europe.
So I thought that was a nice way to end.

[1:29:24] We then have two, if your propeller beanie is still functioning after this very long bumper episode, you can exercise it a little bit more. There is a nice how-to for the check-in feature in iOS 17 that we've talked about. It's a nice walkthrough from Cult of Mac. They say every parent should know this essential iOS 17 feature. I think that's a fair description, so link in show notes. And Apple have a nice write-up they have updated recently to help you buy a second-hand phone safely, although they call it pre-owned. So they have a whole bunch of tips for how to check whether a phone you're thinking of buying is safe to buy.

[1:30:05] And one final propeller beanie. This is a really cool article. It describes a new technique researchers are working on to make AI in such a way that it can't go rogue. It's a different way of training AI that basically, as part of the training, it aligns the AI's interest with our interest and stops those two becoming misaligned. Because when they become misaligned, bad things happen. So it's the misalignment problem. It's an interesting concept.
Is misalignment as in tries to kill us all? Yeah. Is that what that means?
Exactly. So the ultimate misalignment is the paperclip example, right? You train an AI to make as many paperclips as possible and it thinks that that's the most important thing in the world, so it kills all humans and steals all metal to make infinity paperclips.
Misalignment. So it's a very, very nerdy discussion, but very interesting. So I'll link that in the show notes.
And then I have some palette cleansing.
It is Halloween in two days and the good folks at the Mac Observer have released a bunch of really pretty wallpapers for people who like those kind of things.
And I have uncharacteristically gone all Halloween-y on my lock screen now, a really pretty wallpaper.
It is number five or six on the list.
They are gorgeous. And this one seems to be aligned so it fits between complications on my phone's home screen.
It's extremely pretty.

[1:31:26] So ten of them. Actually, number three, the Haunted Castle and Blood Moon.
That's the one you have? Yeah, it's very pretty. Oh yeah, that's beautiful.
So these are for iPhone. Now, do you all do Halloween in Europe?
Oh, well, we here in Ireland invented it. And then you guys in America made it cooler.
So we did it and it was kind of like, you know, pumpkin, not pumpkins, turnips and really boring things.
And you guys made it into pumpkins.
And you added trick or treating, which turned it into, instead of bobbing it for apples, we get to eat candy as opposed to bogus.
It was the Celtic, the Celts of ancient Britain and Ireland.
OK, we share it with the other island, too. But yeah, this bit of Europe does it.
The European continent, not so much.
And you guys made it your own. I was going to say, Helmut was like, what?
Helmut was looking around going, what is this here? No, we don't do this.
Yeah. Now you guys really made it your own. And we've imported your traditions back to Ireland.
So it's gone over the Atlantic and back to us.
And it's way more fun now, so thank you for that. I also then have fun, Bart.
Sorry, I'm just sitting here scrolling through. There's Pokemon ones, but then there's Pennywise, if you actually want to be terrified.
This is so cute. These are really fun. They are. I was really impressed with MacObserver, guys.
If you would like some more longer-lasting media, there is an excellent documentary about the Newton, which has been released for free on YouTube.
I watched it all. It's got interviews with Scully and a whole bunch of really big people.

[1:32:54] It's really nice. It's a really nice documentary. It's very well made.
And if you're a Newton fan, it's full of lots of little Easter eggs things.

[1:33:03] Oh, that's really fun. Yeah. And then finally, I'm going to recommend a podcast. So in case we have pictures, we have video and we have audio. So whatever your media is, I have something for you.

[1:33:14] Business Wars do little mini-series and their most recent one that they completed, because I only ever listen to them when they're complete, is called The Rise of AI. And it's all about the companies that we've all heard of now that ended up being bought by Facebook and all these kind of things. So it's kind of like where the AI we have now came from and how it came to be. Very interesting story, given all the developments we've had in the last year or two on generative AI and stuff.
And this is episode one, huh? So the link is to episode one, but they're all out, so you can listen to, you can binge, them, because that's what I do. So I collect them. I have a folder called Work in Progress, and all of these kind of little mini-series, I let them finish, and then I binge them.
And if they're good, I recommend them on the show.
There you go, there you go. Bert spends a lot of time on that bicycle, so he's got a lot of podcasting time.
That is true. That is very true.
Right, I am done. My goodness, that is a record, I think, for a longest ever Security Bits.
This is Stephanie's Security Bites.
That's a bonus, 101. All right, so, well, we had to make up for a month, so that's really just two 30-minute Right? Fair point. When you put it like that, we're bang on schedule. Regardless, though, the most important thing is, as always, remember to stay patched so you stay secure.

[1:34:38] Well, that's going to wind us up for this week. But don't forget to come to the live chat room at podfeet.com slash chat to talk during the Apple event on Monday night. If you're listening to this after Monday night, never mind that. Anyway, did you know you can email me anytime you like at allison at podfeet.com. If you have a question or suggestion, just send it on over.
We haven't had any good dumb questions in a long time. I like those.
Questions I can answer but maybe require a little bit of thought. Those are the best ones.
You can follow me on Mastodon at podfeet at chaos.social. Remember, everything good starts with podfeet.com.
If you want to join in the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely Nosylla castaways.
You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, head on over to podfeet.com slash live, like Helma did this week, on Sunday nights at 5 p.m. Pacific time. Join the friendly and enthusiastic.

[1:35:34] Music.