NC_2023_12_10
[0:00] Music.
CCATP #780 — Jason Howell on Using Android with a Mac
[0:13] Show number 970. We have two episodes of Chit Chat Across the Pond this week, the first one being a Lite version.
Jason Howell, podcaster and producer for the TWiT network and musician, joins me to talk about what it's like to use an Android phone with a Mac.
I live in an Apple-centric bubble, as you know, so I was very curious about how he works with these two different operating systems.
We talk about his origin story on the Mac and his Android hardware of choice.
We talk a lot about how he manages his photos and what messaging is like in this mixed blue bubble green bubble environment.
[0:47] Jason is great fun and he's introspective and we had an absolute blast chatting.
If you'd like to find out about everything Jason does, go to raygun.fun.
He says it rhymes and it's fun.
Anyway, you can find Chit Chat Across the Pond Lite in your podcatcher of choice, or you can find it under just plain old Chit Chat Across the Pond.
CCATP #781 — Bart Busschots on PBS 157 of X — jq: Querying JSON with jq
[1:11] As you probably would have guessed, the second Chit Chat Across the Pond is another installment of Programming by Stealth with Bart Busschots.
In this installment, Bart continues his instructions on learning more about how to use the jq language to query JSON files.
We get into the thick of it as Bart teaches us three important jq concepts: filter chaining, operators, and functions.
To get there, we learn about the literal values in JSON and jq and how only null and false are false.
Armed with that information, Bart explains the not function, and once we put all of those concepts together, this ridiculous command will make perfect sense.
[1:46] jq minus n, true and true, not, and that resolves to false.
I love that so much. I got such a kick out of that when I first read it in the show notes that I posted my enjoyment of it on Mastodon, and one of the actual developers of the jq language commented that he was excited to learn that we were covering jq in Programming by Stealth. How cool is that?
Anyway, the any and all functions are not nearly as silly sounding, but they're equally useful.
By the end of the episodes, we can successfully query the Nobel Prize JSON file to show us all of the prizes won by anyone with the surname Curie.
We even have three fun challenges at the end of the episode.
And I got to tell you, I really am a data nerd because I love this stuff.
This is so fun. I can't wait to do the homework.
Anyway, you can find Bart's fabulous tutorial show notes for this episode and all of the Programming by Stealth episodes over at pbs.bartificer.net, and you can look for Programming by Stealth in your podcatcher of choice or under Chit Chat Across the Pond.
Is the New MacWhisper Transcription Software Really 2–3X as Fast?
[2:49] In August of this year, Jill from the Northwoods told us about a terrific Mac-based transcription service called MacWhisper by Jordi Bruin from Good Snooze.
As you may recall, the naming convention for this app is very confusing.
It also goes by Whisper Transcription. So I think if you search for MacWhisper in the Mac App Store, you find Whisper Transcription, but when you download it's called MacWhisper.
Again, very confusing, but just search for MacWhisper and you'll be golden.
No matter what it's called, it's a terrific way to use your local processing power to transcribe audio.
You can do a lot with the free version of MacWhisper, but I chose to pay the $35 lifetime fee for the Pro version.
It's also available for $15 per year.
You can buy it through the Mac App Store or directly from the developer, Jordi Bruin. You might also be perfectly happy with the free version.
For free, you get the tiny, base, and small transcription models, but with the Pro version, you can use the larger models to get better results.
I put a link in the show notes to the page where Jordi outlines all of the other features that you get with the free and paid versions of MacWhisper.
[3:52] Anyway, in September, just a month after Jill told us about MacWhisper, I wrote an article suggesting that we all question whether or not we need MacBook Pros or whether the MacBook Air might meet even our more challenging computing requirements.
I consider myself a pretty high-end user, you know, with the podcast creation and the video tutorials I create, and I found that even for me, this was a good question to ask.
In the article from just a few months ago, I included some timing tests I ran, comparing my $5,000 M1 Max MacBook Pro to the $2,500 M2 MacBook Air, so half the price.
Even though the MacBook Pro is an M1 and the MacBook Air is an M2, I thought the speed comparisons were still pretty interesting.
[4:36] Now, I chose the highest compute-intensive things I do on my Mac for my tests.
One of those was running audio files through MacWhisper for transcription.
I also tested running audio noise removal using Hush, transcoding audio using Hindenburg, and transcoding video using ScreenFlow.
I ran all of these apps on the M1 MacBook Pro and the M2 MacBook Air and charted out the results.
The $5,000 MacBook Pro was 32% faster than the $2,500 MacBook Air, cutting the 27 minutes of tests down to 18 minutes.
Of the different tools involved in the timing test, MacWhisper's test contributed more than 10 of the 18 minutes for the MacBook Pro and 17 of the 27 minutes for the MacBook Air.
With MacBook Pro coming in over 30% faster overall, it sounded like it was justifiable to buy the more expensive machine if you run these apps.
But when looking at a total of only nine minutes saved, I wondered if a machine costing twice as much was worth it.
You might also have to consider how often you do these kinds of things, right? Anyway, you might be wondering why I'm dredging up all of this old news from August and September.
Well, this week, Jordi Bruin, the developer of MacWhisper, just announced the release of version 6, a free upgrade to people who've paid for it.
In his newsletter announcement, he explained that MacWhisper can now use your GPU if you have a Mac with Apple Silicon, and that you should see audio transcriptions two to three times as fast as before.
[6:04] Well, you know I had to rerun my timing tests on the new version of MacWhisper to verify his claims.
When I ran the timing test back in August, I used an audio recording of my MacStock presentation to test the speed of audio transcription with MacWhisper on the two Macs.
When Jordi released version 6 of MacWhisper, I used the same audio recording from MacStock.
The M4A audio file is 25 minutes long and weighs in at 56 megabytes.
The original tests were with that file running the large AI model and the small AI model with MacWhisper on both the M1 Max MacBook Pro and the M2 MacBook Air.
I repeated these four tests this week, but this time I used the new version 6 of MacWhisper.
And the results are in.
The M1 Max MacBook Pro transcription of my audio file using the large AI model went from 511 seconds down to 155 seconds.
That's 3.3 times as fast as it was with the older version.
[7:06] That's bananas, right? Well, Jordi claimed two to three times faster, and the MacBook Pro with the new version of MacWhisper exceeded his claim.
I just can't believe it. I'm really shocked.
Well, next I ran the same large AI model on my MacStock presentation, but this time I ran the test on my M2 MacBook Air.
On the old version of MacWhisper, it took 845 seconds to complete, but on MacWhisper 6, it finished in only 343 seconds.
That calculates out to 2.5 times faster.
Not quite as impressive as the speed increase on the MacBook Pro, but it still supports Jordi's claim of 2 to 3 times faster.
Since we know the improvement in speed due to MacWhisper is due to MacWhisper now using the GPU, the difference in speed increase is completely understandable.
My 2022 M2 MacBook Air has a 10-core GPU while my 2021 M1 Max MacBook Pro has a 32-core GPU.
[8:03] In all my years using Macs, I have never before been able to actually measure the difference that a GPU could make in my real work.
I always looked at it and wondered, I mean, I don't game, I mean, what am I doing that actually uses the GPU?
Now I know. This transcription software is using my GPU and it does make a big difference.
32 cores versus 10 cores is finally measurable for me.
In a super nerdy way, that's kind of exciting. You can tell I'm really thrilled by this.
Anyway, it's also notable that while the MacBook Pro was already significantly faster in the original test with the older version, it widened its lead from 40% faster overall to 55% faster than the MacBook Air.
Now, the timing differences using the small AI model in MacWhisper were not as dramatic, presumably because the time it took to transcribe was so much shorter.
I don't know. It couldn't get revved up. I'm not sure. Anyway, the M1 MacBook Pro transcribed the same MacStock presentation 2.1 times faster than it did with the old version.
The M2 MacBook Air was 1.8 times faster than its previous speed.
That's a smidge lower gain than Jordi said we'd see, but we'll allow it since the large model transcription speed exceeded expectations.
[9:17] As exciting as it is to finally have justification for this higher-end GPU in a MacBook Pro, let's back up and see if I can really justify double the cost of the MacBook Air.
I updated my original chart that included not just the MacWhisper test, but also Hush removing noise from audio, Hindenburg compressing audio files, and ScreenFlow transcoding those large video files.
In my original test, the MacBook Pro took 18 minutes for all of these tests, and the MacBook Air took 27 minutes total.
When I updated the chart with the results of the new version 6 of MacWhisper, the total time for the MacBook Pro was 11 minutes for all of my tests, and the MacBook Air was 17 minutes.
Percentage-wise, the spread between the MacBook Pro and the MacBook Air had widened, but the total time between all of these tests went from a 9-minute spread to a 6-minute spread.
So it's taking me 6 minutes longer to run all of these tests on the MacBook Air than on the MacBook Pro.
[10:17] So if we're going to be rational, we have to look at whether 6 minutes is worth doubling the price of the machine.
Everyone will have to answer that question for themselves, right?
How many times a day or a week do you need to run a large AI model on your audio files?
Are there other things you can be doing with your CPU while the GPU is off doing the heavy lifting?
Do you make more money if you could get more of these tasks done in a week?
All those things are going to change the answer for you. And it could be something like you need a bigger display.
You know, there's a lot of other reasons you might want to go with the MacBook Pro. So I can't answer these questions for you, but I can for me.
I now know that I don't really need a MacBook Pro, and I definitely don't need to spend the money on an M1 or another Max version of the MacBook Pro, even if I do buy another MacBook Pro someday.
[11:06] Now as irritated as I continue to be that Apple have not solved my battery problem on my MacBook Pro after more than seven months, I'm very glad I bought a MacBook Air so I had a computer to use during all of the tests they've made me do.
I love this little machine, and these tests prove to me that I don't gain much benefit from the high cost of the GPU cores and CPU cores in my MacBook Pro.
If you're interested in MacWhisper, you can find it in the Mac App Store, or like I said, you can buy it directly from Jordi at goodsnooze.gumroad.com.
Baseus Blade HD 100W 20,000mAh Power Bank
[11:40] In 2019 at CES, I interviewed a company called OmniCharge about their power banks.
While they have the usual assortment of small power banks, the one that really caught my eye was the Omni 20 USB-C charger.
I bought it for $169 four and a half years ago, and it's been one of the most useful accessories I've ever bought.
The Omni 20 is a 72 watt power bank with two USB-C power delivery ports and two USB-A ports for charging smaller devices.
It also allows pass-through power so I can charge it while using it essentially as a power providing hub.
It couldn't quite charge my 16-inch MacBook Pro at 72 watts because the MacBook Pro wanted 100 watts, but it was a good companion for a long flight back then.
But the main use for this power bank has been to use it as a bedside charging station when we're away from home.
When we were on the ship to Antarctica, my side of the bed had a power outlet and the desk away from the bed had one more, but that was it in the entire cabin.
So Steve didn't have one on his side of the bed.
Two power outlets for two nerds on vacation were definitely not enough.
[12:46] But I gave Steve the Omni 20 and he was able to charge his phone and his watch overnight and be able to use his phone as a clock at night.
By the way, he uses an app that was written by our very own Allister Jenks as his clock.
Every morning he'd plug the charger into the desk outlet and get it charged for the day.
I should say plug the power bank into the desk outlet, and then he would be ready for another day when he came back from our adventures.
The Omni 20 is a brick at 5x5x1 inch and weighs 1.1 pounds, so it's not something to carry around like in your purse.
It has a very tiny 3/8 inch by 1 inch LCD display which shows which way power is flowing, at what levels, and how much juice is left in the battery.
[13:28] Now I'm bringing you up to speed on this power bank because I've just bought a replacement for the Omni 20.
I didn't need a new power bank, but I wanted a new power bank.
I chose the Baseus Blade HD 100W 20,000 mAh power bank for $80 on Amazon.
The most important thing about this new power bank is that it fills the exact same need as the Omni 20.
It has two USB power delivery ports and two USB-A ports also for charging.
Like the Omni 20, it charges via USB-C and can be used as a pass-through power delivery device.
Interestingly, both the Omni 20 and the Baseus Blade HD do lose charge while providing power pass-through, which I didn't expect. I thought that was a little strange.
Anyway, I upgraded to the Baseus Blade HD for a few reasons, and they're all about the form factor.
The Baseus Blade HD is 28% smaller in volume, primarily due to how much thinner it is.
It's 0.7 inches thick versus 1 inch thick.
It also weighs 12% less than the Omni. That's a big advantage for something you're carrying around, but it's even more impressive because the Blade HD is a 100W power bank while the Omni is only 72W.
[14:40] Both can charge your laptop, but you're going to get it faster with the 100W charger.
So for this device, I now have something that's 12% lighter than my previous one and 28% less volume, which is fantastic.
But the other reason I wanted to upgrade was for the display.
I mentioned that while the Omni 20 had a lot of info on the display, it was wee tiny and I actually didn't list everything that comes out on that little display.
The display on the Blade HD is giant in comparison, taking up about 25% of the face of the power bank.
It's much more readable and even though it seems to provide less information, I feel like it provides more actionable information.
For example, the Omni 20 packs in the volts and amps at which it's both charging and discharging and includes little symbols for the USB ports through which power is flowing.
It tells you its total battery life and it even tells you its temperature in Fahrenheit.
[15:35] Well, the Blade HD's display text is huge and readable.
It has the total percentage left in giant three-eighths of an inch tall numbers.
While you're charging a device with the Blade HD, you can see how many volts and amps you're providing to that device, and it shows you how many hours and minutes are left until your device is fully charged.
I'm not sure I understand that number, though. I had charged my MacBook Air up to 98%, and the Blade HD was telling me it would be over four hours until it was done charging it.
When the MacBook Air got to 100%, the Blade HD still said 4 hours and 22 minutes.
I thought maybe it was showing me how long it would take to charge the power bank itself back up, but I unplugged it from my laptop and into a charger and it changed to say just a bit more than an hour left to fill it back up.
But back to the volts and amps display.
This sounds super nerdy, and I often have to ask my pocket electrical engineer to remind me of why I care. The most important thing to know is that volts times amps equals watts, and watts is the measure of power being delivered to your device.
[16:38] What problem does it solve to know that? If you've been around battery powered devices for any length of time, you have piles of little charger blocks lying around.
If you inadvertently grab one from an older iPhone and use a USB-A to USB-C cable to, say, charge your power bank, it will show you on the big display that it's only charging at 5 volts and 1 amp, or a total of only 5 watts, and the Blade HD will tell you that it's going to take ages to charge itself up.
If you switch over to the cute little 35 watt USB-C charger Apple sell with the MacBook Air, then you'll see the display on the Blade HD change to say 20 volts at 1.7 amps, which from our newfound math we know is 34 watts.
While I wondered where that last watt had run off to, you can see at a glance and a tiny dab of arithmetic whether you've grabbed a good charger or not.
I think after some extended use of the Blade HD, I'll be able to just look at the time remaining to charge, and if it looks like it'll take longer than I'm used to, then I'll go look at that volt amp thing.
I should mention that the maximum power the Blade HD can take is 65 watts, which is a full-size charger for all except the largest MacBook Pros and big PC laptops.
[17:53] Now every charger or power bank I've ever seen seems to have a little chart to tell you how much power you can deliver based on how many devices you plug in.
The Blade HD is no different. Their chart shows one-port through four-port modes with all kinds of combinations that'll make your head spin.
[18:10] But think about this. Both of the USB-C ports can provide 100 watts, but since we know this power bank has a total of 100 watts that it can provide, that can't be at the same time, right?
Very deep in the graphic for two-port mode, it says C1 plus C2, 65 watts plus 30 watts.
Now that gibberish means that the 100 watts gets divvied up into 65 watts and 30 watts.
And again, I don't know where that last 5 watts wandered off to, but what I do know is this power bank could top up both my MacBook Air and my iPad Pro at the same time at pretty good speeds.
I'll leave it as an exercise for the student to peruse the other 10 combinations they give in the graphics.
The Omni 20 has a big power button on the front, and if you forget to push it before plugging in your devices, it will not charge them at all.
Likewise, if you forget to turn it off after charging, it keeps the lights on waiting for you.
In contrast, the new Blade HD has a power button, but you only need to use it if you want to check the battery status when you're not using it.
When it appears to be off, you can plug in a device to be charged, or a USB-C cable to charge it, and the display will light up to show you all the stats I've described.
I've gotten pretty good at remembering to turn the Omni on and off, but if I don't have to, that's one more thing I can offload from my little pea brain.
[19:32] Now I'm a little worried about scratching the display area on the Blade HD because that whole top 25% is shiny plastic.
They provide a little sleeve to slide it into for protection, but it's kind of a creepy feeling felt.
It's really just like you don't really want to touch it.
It's also got a flap, but there's no way to secure the flap closed.
It'd be nice if I could include the two foot provided USB-C cable in that little sleeve too, but without being able to close it, it's just gonna fall right out.
I have a perfect solution for this though. I bet if I whine enough, friend of the show and good friend of mine, Sandy Foster will make me a better one.
The bottom line is that I love having a huge power bank that can not only charge my laptop and big iPad, but also my smaller devices.
I find it one of the most useful devices when I'm away on travel because I never have to hunt for that elusive power outlet beside the bed and have to decide whether to unplug the lamp or the clock radio at the hotel.
The Omni 20 will always have a place in my heart and will probably live out its days as a spare for friends and family in my home.
I'm really happy with the Baseus Blade HD with its beautiful display and especially that it's more powerful while also thinner and lighter than my previous device.
Now one thing you might be wondering about here. This device is 20,000 mAh.
[20:53] Steve has a battery power bank that's also 20,000 milliamp hours.
But it's really good at charging a lot of small devices.
It's not appropriate to try to charge a MacBook Pro or I'm not sure if it could do an iPad or not.
So I'm not dissing those smaller chargers that you might be saying, well, wait a minute, I've got a 20,000 milliamp hour battery and yours is 20,000 milliamp hours, why is yours better than mine?
It's better because I can charge my entire laptop with it. So I wanted to make that clear at the end.
Again, I'm super happy with the Baseus Blade HD.
Support the Show
[21:28] I was listening to some folks talk about subscription fatigue, and I get that it's a real thing.
I feel it myself with all of the television subscriptions we pay for, because I'm pretty sure we pay for all of them.
If you're feeling subscription fatigue, and that stops you from becoming a patron of the Podfeet Podcast through Patreon, boy, do I have a deal for you.
For a one-time only $100 donation by going to podfeet.com/paypal, you can get at least four ad-free episodes of the NosillaCast, Chit Chat Across the Pond Lite, and Programming by Stealth from now until I stop creating the shows.
Yep, it's good for the lifetime of the podcast.
Okay, so technically you can get the same offer for a dollar.
Or for nothing at all. But please think about the value you get from the shows and consider making a donation, no matter how small or how large.
Security Bits — 10 December 2023
[22:22] Music.
[22:30] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Well, according to what Bart's been telling me, we better buckle up for this episode, huh?
Oh, boy. It's a long time since I've started. OK, I start writing the notes and then I know what I have. And normally it's fine.
Wow. I was so surprised. So surprised. Well, it's been sleepy lately.
That's true. Now, I think there's a reason why it all happened at once is because there's a little thing called Black Hat Europe, One of the most important security conferences of the year.
And while not every paper was presented there, I think the whole community is in sharing mode because the media are on board.
So I think that's probably why it all came at once, but wowsers do we have a lot to dive into. And we have some follow up first.
You were definitely on the more sceptical side last time when I mentioned that Google had promised to eliminate third-party cookies in 2024, and I won't say I disagreed with you violently.
[23:30] But they have put a little bit of wood behind that arrow.
They have released some more details. They are phasing out personalization in some of their ad products.
So if you don't do as much personalization, you have much less need for tracking of any kind.
So, would this mean, if this comes to completion, that cross-site tracking would disappear?
Not completely, but certainly in the current privacy very hostile way, yes.
So Google have some... Within Google search?
Yes. Google have some interesting technology that is a less invasive way of giving somewhat personalised ads that we might talk about when it becomes more rolled out next year.
So I'd be very curious to watch how 2024 develops.
[24:21] Okay. It's all good news though. Absolutely. Yes, absolutely.
We're very much switching tack here.
We've talked about the 23andMe breach already and at the time I expressed some skepticism of my own and shared the fact that many in the security industry felt that 23andMe were not being open, honest, transparent, and that there was a lot more going on than they were letting on.
And we now have confirmation that exactly what we thought was happening is in fact what had happened.
And they now admit that, yeah, well, we said it was only like a small percentage of our users. What we actually meant was 6.9 million.
[25:01] Are you kidding me? No. 6.9 million. Well, how many users do they have?
I mean, if they have 7 billion, like everybody, still that'd be a big number.
No, so like we suspected, the issue is that anyone who used the sharing feature ended up being massively exposed.
So it was actually only 14,000 passwords that were compromised if memory serves.
But because of the effect of all of the different linked profiles that exploded into 6.9 million users.
Oh, OK. So 14,000 people, I'm connected to you, connected to Wing, connected to Steve, connected. Oh, jeez. Yeah.
Now, and then just in case I was judging them too harshly, they decided to prove that I was not being too harsh on them.
They have updated their terms of service. And unless you reply within, I think it's 14 days of you getting the email, you have been forced into arbitration should you, for any reason, be cranky with the company.
Oh wow. So obviously you know if the reason is because they want to avoid being sued over this data breach.
So yay. Charming company.
[26:19] Then briefly, so last time we talked about there was a service I think was called Nothing or something that was catastrophically awful in terms of security for Android people doing iMessage.
And for most of this week, right up until about yesterday, it looked like we would have the inverse story this week about a company having found a safe and secure method for android people doing iMessage.
And that story has taken a bit of a turn because I feared it would be a cat and mouse game and yep, it is a cat and mouse game.
So Beeper Mini is an app that does exist and depending on when you hear this may or may not be working.
What the people at Beeper did was rather than take your iCloud login details, use them on a Mac virtual machine in the cloud and then sort of relay iCloud messages or iMessage messages to Android, which is how the bad service did it.
[27:18] And that's regular Beeper, not Beeper Mini? Because Beeper Mini did not route you through a virtual machine, or a bunch of machines.
Nothing to do with Beeper did the horrible thing of taking your username and password like the people from last week who we were so scathing about.
Right. But Beeper also had a service like that. But Beeper Mini is the one that was more interesting that we're talking about right now. Okay, I'll be honest, I didn't know about Beeper's history, I just know about the Mini one.
[27:50] Okay, so they reverse engineered the protocol.
And so they effectively acted like an iPhone.
And so they sent an appropriately formatted SMS message to the appropriate Apple server to do that thing your phone does to register itself. Now, you don't see this happening because it's all behind the scenes on an iOS.
But they tell you when you enable iMessage that you may end up being charged for one SMS message.
And that's because there's a validation step that happens behind your back using the SMS protocol to prove that you are the owner of the cell phone number you are registering with iMessage.
But instead of you having to manually type it, the operating system does it all for you.
But there's an exchange there. And so the Beeper Mini people figured out all of the specifications for how you do that and all the formatting needed on the private keys, and they basically reverse-engineered the whole protocol.
And they were successfully able to get their app to talk iMessage to Apple's servers.
[28:54] There's even a really fun piece in the middle of that. The person who figured it out was a 14-year-old who posted how to do it on GitHub.
Oh, I didn't know that. That's even cooler. Yeah, it is even cooler. Right, right.
So it seemed like the perfect solution. Apple had that out there in their API.
Beeper Mini's going to talk to it, allow Android people to talk over iMessage.
Now the Beeper people... Yay, everybody wins. Yeah.
The Beeper people assumed it would be difficult for Apple to change things in the back end to lock them out because they assumed it would mean that every single iPhone everywhere in the world would need to be updated to new software.
And they assumed they would be safe for ages with their reverse engineering prowess.
Uh, turns out it took Apple two days to distinguish between the Beeper pretend iPhone and a real iPhone.
I have no idea how Apple are able to figure out which requests are from actual iPhones and which requests are from Beeper Mini.
But something about how the message arrives tells Apple that they're not really Apple devices, and Apple block their access.
The Beeper Mini people say they're working on a workaround.
Wow, our delay is bad, Alison, because your video is even behind.
[30:12] Well, that'll explain if we talk over each other. I had a little bit of trouble with editing the show from yesterday, so maybe.
Anyway, yeah, so that cat and mouse didn't last very long at all.
No, and initially we didn't know if it was Apple or if it was just something broke, but Apple have confirmed that, yeah, we blocked it because we consider this to be a security vulnerability because they're reverse engineering our stuff and it opens iPhone users up to being spammed.
You know what I would love to see is if Apple sent them whatever it is, the $30,000 for a bug bounty.
I think there's rules around that. Yeah, it's not quite how it works.
Oh, fine. But they could do it just for the comedy. True. True.
So, yeah, that was the story of Beeper, not the story I thought I'd be writing in the show.
Now, it's probably a good thing I don't have to go into too much detail on it because what we have instead is our first deep dive is a collection of unpatched vulnerabilities, which are the ones that I hate talking about most because you always make my life very difficult when I have to tell you about these because you make me say, well, OK, what can we do about this?
And so I have some advice, right? But the advice is not patchy, patchy, Patch Patch, because what all of these bugs have in common is there ain't none.
[31:24] I don't like those. That's what the word light was for, or security bits.
We were supposed to be... Yeah, but in this case, these are kind of...
I guess it's good to know. Be aware.
Yeah. So what I think the takeaway here is that the reality of our security has changed, and we need to remake our judgments.
Do we accept the risk and keep living our digital life as we do now?
Or do we alter our behavior to take account of this new reality?
And I would suggest that for people who are not working in healthcare, or somewhere where they have sensitive data that they actually may have a legal obligation to protect, or if they are working in an industry with trade secrets, that someone would be very interested in knowing how the widget works.
Or if they're, you know, doing some sort of activism or lawyering on behalf of someone who someone in power is cranky with, let alone, you know, being a diplomat or something.
So those people actually probably need to change their behavior.
And our NosillaCastaways, they're probably not diplomats I don't know about.
There are unlikely to be world leaders that we don't know about yet, unless Al Gore listens or something. You never know.
You never know. We got people from all walks of life here.
But thinking there might be someone with medical information and stuff, that seems a lot more plausible. So I thought, yeah, OK, we should talk about these things.
[32:53] So the first off, we have two completely different Bluetooth problems.
And the reason I'm making a point of saying this, too, is because they broke so close to each other.
I think a lot of people think it's the one problem. No, no. We have two whole different sets of problems.
So, the first set of problems has a fancy-pants name.
It's called BLUFFS. B-L-U-F-F-S. And it is a backronym for something, but really, it's just called BLUFFS.
And what makes this one interesting is that it's not a bug in someone's implementation of Bluetooth.
It's a problem in the spec. The spec itself, I hate those, yeah.
The spec itself allows for a combination of things that no one had quite thought of, which makes the security so weak it can be brute forced in a matter of a couple of seconds on modern hardware.
So it's not completely open. It's just effectively open.
[33:51] And the effect of this whoopsie in terms of the level of security is that someone who's within Bluetooth range, and this is the thankful saving grace with all of these Bluetooth things, is to attack Bluetooth, you have to be close.
So public transport, a conference, those kind of places, airports, they're all risky.
But your office, you're fine. Your home, you're fine.
Wait, wait a minute. Your office, you could have somebody in the next cubicle over.
Okay, sorry, generally speaking, if you're in an industry where you're at risk, you're working in an area that is behind a security barrier, right? You've badged in or whatever.
So you're assuming that you're in a safe place.
Okay. I'm making that assumption. Well, okay. So I work at a place where we badge in.
So once we're badged in, we're now in a clean environment. So we're not.
Sometime I'll give you a list of the things that people did that I had to fire.
Okay. That were people badged in with security clearances. Well, the insider threat is not zero, but yeah, it's not perfect.
No, it's all risks, right? That's all we're doing. We're just balancing risks because the only way to be safe is to take your phone, encase it in concrete and throw it in the river.
[35:03] Well, this doesn't have anything to do with phones, though. Well, yes, and?
Well, or does? Actually, we haven't heard what the bug is.
Right. So if the baddies are within Bluetooth range, they can use this weak encryption to inject their Bluetooth device as a machine in the middle or an adversary in the middle between your Bluetooth device and your computer or phone.
So if you're wearing a set of headphones.
[35:29] And you think you're having a private conversation. The person in the middle can hear everything you're saying and being said to you, because their Bluetooth device is between your headset and your phone or computer, or, probably scarier, their keyboard.
Keyboard, they might inject themselves between your keyboard and your computer, and then they see all the keystrokes coming through because they're proxying those through.
So it's a Bluetooth keylogger.
Yeah, it's basically a Bluetooth anything. So whatever you're doing over Bluetooth, someone can be in the middle and be watching what you're doing.
And I guess hypothetically, even altering it if they really wanted to.
I guess if they wanted to put a city effect on your voice, they could alter it on the way through as well because they are now in the middle so they really could do anything.
Which in terms of keystrokes is actually scarier.
Because it means that you could think...
I have an even scarier scenario, Bart. Our phones are doing a lot to work with our cars, our Teslas, over Bluetooth.
Like security updates and software updates.
[36:36] They could trigger a software update, but they couldn't put malware into the car, because the software update itself is digitally signed.
So nothing you do on the Bluetooth to trigger the update could cause the car to accept invalid firmware, because the firmware is checked itself.
[36:55] Okay. It has to be, if my phone has to be in my car talking with Bluetooth on for me to be able to drive my car.
So the question then is how, like, is the security of that key dependent on, is it built on the assumption that Bluetooth is secure or is the security actually end to end and Bluetooth is just a carrier?
And if Bluetooth is just a carrier, then there's no security implication.
So the answer is maybe. I just wanted to make sure we weren't sleeping at night at all. Yeah, absolutely. Be absolutely sure. But again, it's all within Bluetooth range.
Up to including driving my car. Yeah, so, you know, the key here is within Bluetooth range. So if you're a high risk person, the answer is you turn Bluetooth off when you're in a place where you're not sure that there's no one within Bluetooth range, and that's the answer.
[37:42] And then a few days after that news broke, we got a completely different piece of news, which sounds very similar because this bug allows an attacker not to become an adversary in the middle, but to attach an extra keyboard to your device and inject keystrokes.
They get to pair a keyboard silently, without you getting a pop-up saying "would you like to pair this keyboard," without you basically seeing that a keyboard has been paired. An extra keyboard is just accepted by the operating system, and whenever they type, the operating system goes, "Sir, yes sir, I will enter those characters."
Wait a minute, wait a minute, wait a minute. I can't even plug in a power supply without my Mac asking me, "Is it okay to," or "Do you trust this accessory?" How can it connect and be listened to without being authenticated like that?
Because there's a bug in Bluetooth implementation.
[38:39] Is this the same bug? No, this is our second bug. This is completely unrelated.
So this is not an adversary in the middle. This is an extra keyboard.
And it only works for keyboards. That's awesome, Bart. Yes, it is.
So they can then, if they have a reason to believe that you're in a terminal window, they could very quickly throw in a little command to do whatever the heck they want, and it will just appear on your keyboard.
Now, you will see it, right? So none of this is going to be invisible, because if someone types on a keyboard, you will see it. So if you see these spooky characters appearing out of nowhere.
Either someone's broken into your screen sharing, in which case, ah-ooga, ah-ooga, or someone's broken into your Bluetooth, in which case, ah-ooga, ah-ooga.
But if you see mystery characters on your computer, the answer is always turn it off now, straight away.
Well, check first to see if a cat has walked on your keyboard then.
OK, fair. Yes, yes. Look left, look right, unplug.
So you sort of dropped it in the middle of it on the Bluffs one.
And that was a weakness in the encryption that's in the spec for Bluetooth.
But the second one is something else. The second one is, yes, it's not in the spec.
It's in the actual implementation in a whole bunch of operating systems.
I assume there must be some sort of open source component that's broken, because what else do Android, iOS, Linux and macOS have in common if it isn't some sort of open source library?
[40:01] So not Windows. That's a fair point. So that does actually point the finger even more firmly at open source.
I've just noticed that's missing from the list. Yeah, sorry, my brain hadn't processed that. Yeah.
Yeah. The first one, Bluffs, is that on all of them as well? Universal.
Not just computers. That is, it's in the Bluetooth spec.
So that is everything that has Bluetooth between version 4.2 and 5.4.
And 5.4 is the current, by the way.
So That doesn't mean that if it's very, very, very new, it's safe.
No, no, no. Anything less old than 4.2.
[40:36] So my Apple TV talking to my HomePod as a speaker. Yeah, hypothetically.
It's in between those. Yeah, hypothetically, an adversary could get in the middle.
Very little value, but yeah, they could inject themselves. But I totally want to do this to Steve.
I'm going to start singing when he's watching CNN and he's broadcasting it to the HomePod. And help me figure out how to do that. You could gaslight some.
Yeah, if you if you inject an extra audio stream, you could have so much fun with people.
That's up there with the proxy you can inject onto a public Wi-Fi to make every image go upside down.
It's just a transparent HTTP proxy that uses ImageMagick to only flip the images.
So all of the text comes through fine, but the Internet goes upside down.
It's called the Upside-Down-Ternet.
It's a very cool way to mess with people. That's awesome. Yes.
You can run a Raspberry Pi. So nothing we can do about it.
So again, it's a case of, if you see mystery characters, this might be why.
But really, if you're an at-risk person, don't have Bluetooth on in a place where you're not sure that there's no baddie within Bluetooth range of, say, 10 meters or whatever.
So separating these two, if we look at the Bluffs one, that's for the adversary in the middle.
[41:53] Does the spec have to be updated, and every vendor ever to use Bluetooth would have to update to that new version?
Not quite. They found an interesting workaround.
What the Bluetooth coalition people, the people who manage Bluetooth, what they have said to every vendor is you should do a firmware update to stop using this part of the spec.
It won't actually break anything because it's a part of the spec no one really needed.
That's why we never discovered it was so broken.
So the answer is that if you're an iPhone... I thought you said it was encryption.
[42:29] It downgrades. It causes a downgrade attack that allows the baddies to jump themselves into the middle between the two devices. It's about the negotiation.
Like when you set up an encrypted discussion, there is a negotiation that happens to agree the protocol, right?
Because everything that does encryption these days can negotiate the protocol because otherwise you could have, everything would have to be on exactly the same set of cipher suites and stuff. So there's always a negotiation to set up encryption.
And this negotiation allows a really, really, really, really bad negotiation to be possible.
So if you get rid of the feature, you can make it so that the negotiation can never give this answer.
OK, OK, so but that does still mean everybody has to comment out, or whatever is necessary, that part of the spec on every single device that uses Bluetooth everywhere.
Yes and no. OK, yes and no. Right. Because in order for a negotiation to work, both parties have to agree.
So if your phone stops accepting that part of the spec, it doesn't matter that the cheap Bluetooth headset you bought five years ago will never get the update, because your phone has decided it will never negotiate that. Therefore...
[43:49] Right. The chain is broken. So if Apple update iOS and Google update Android, and Apple update macOS and tvOS, then actually that's probably fine, because as long as one of the two parties in the negotiation, one of the pair... OK.
OK, so it's not doom, doom, doom, but yeah, at the moment, turn off Bluetooth if you're not sure you're safe.
[44:17] Now, the next one is one of those rare ones where we Mac people get to be smug, because this time it's not us.
It is a problem with many, many, many implementations of UEFI, which is the follow-up to BIOS.
So Apple were first to UEFI compared to the PC industry that stuck around with icky, icky BIOS for years and years and years.
But the PC industry has now moved on. This is firmware, right?
Yeah, this is basically the thing that helps your motherboard to boot.
It's the operating system of your motherboard before it even knows what a hard drive is.
And it needs that operating system to find your operating system and then boot from there.
And one of the things you can do with UEFI is put up a pretty logo while your machine boots.
Apple put up the Apple logo, and nowadays Dell machines put up the pretty Dell logo.
And that logo can be changed because maybe your corporation wants to personalize your boot up on your Dell laptop.
So instead of it being a Dell logo, it's my company logo or something, right?
I've never seen anyone use this ability, but like with so many things in it, it's in the spec.
It's there as a function, which means that UEFI contains a library to process images.
[45:37] It contains a parser and parsers are notoriously difficult to write well.
Look at all the PDF bugs we've had.
No one's ever thought that maybe we should be updating that image processing library every now and then so that we're not shipping 20 year old code full of bugs that everyone knows about.
Only that's exactly what lots and lots and lots of vendors have been doing by omission.
When they wrote their first UEFI 10 years ago, they got ImageMagick, might be libpng, or goodness knows what, but some reader of image files.
And they baked it into their UEFI and they never thought about it ever again because the logo still looks fine.
But it's full of bugs. OK, so that's problem number one.
Old buggy code. Problem number two is that the cryptographic, so secure boot means that we cryptographically verify your firmware before we boot.
And it does that by making a checksum of the firmware, comparing it to the digital signature and then letting it boot if it passes.
That's why you can't run an arbitrary OS on an iPhone.
[46:41] But the images are not considered part of the code.
They're just awesome stuff that the code reads. So when calculating the checksum for Secure Boot, the image is not included.
So the buggy code passes Secure Boot, loads the hacked image, and is then taken over. So it is an unremovable, permanent, pre-boot malware.
[47:09] So that means a firmware update can't fix it? Firmware update can.
Because... Oh, it can. But nothing short of a firmware update. You can do a nuke and pave.
And completely, you could take the hard drive, hit it with a hammer, drive over it with your car, and then burn it, stick in a new hard drive and you're hacked again within seconds.
Because the problem has happened before the machine boots.
It's in the UEFI. Wow.
Wow. So the vendors... So if a firmware update can fix it, then...
That's what's going to happen eventually, but how many people actually apply these things? Very few.
[47:48] When I've had a firmware update, I haven't been given a choice.
That's because we're Mac users. I mean, Apple just goes, yeah, you know, we're upgrading. So they could do that. Couldn't they force it?
Well, no, because on a Windows machine, Microsoft don't control the motherboard because it's not vertically integrated.
So if you have a motherboard from ATI or someone, how are ATI going to get into the mix or AMI or, you know, Phoenix, all these big vendors?
How are they going to get into the mix?
They can't force you because they're not vertically integrated.
So I think, anyway, it doesn't really matter because actually... Cooperatively.
Yeah. Actually, we need to step back a minute. How does a malicious image get into your UEFI?
[48:31] When your machine is hacked, the hackers can put this firmware in.
Wait a second. Maybe we should stop this problem by not letting the malware in in the first place.
So this is a way of malware getting persistence.
But your defense is all of your existing defense is not to get the malware in the first place.
It means that if your machine gets hacked to bejesus, you now need to make sure that the firmware... maybe just reflash the firmware to be sure.
Just get the latest firmware and just reinstall it.
Because then you've nuked everything in there.
But if you don't get hacked in the first place, no one can just exploit this without hacking you first.
So it's persistent. So yes, it's bad.
But actually the takeaway is it just means that you need to be sure you're not taking silly shortcuts.
Don't download random stuff, which you shouldn't be doing anyway, because you're a high risk person.
So, actually, the message here is carry on and your IT department need to be very aware that if you get hacked, they have to check that there's nothing gone horribly wrong in your UEFI or you'll just be re-hacked and re-hacked and re-hacked.
[49:41] So this brings up something that I've heard a lot of people say. A friend of mine who's been hacked twice, a Windows user who knew that they got hacked, realized it, lost money.
They take their machine into Bob's PC shop or Sally's PC shop and she says, don't worry, I cleaned all the malware out of it.
And we've always said, you know, a nuke and pave is all you can do, but now there's an extra step. Reflash the firmware.
Yeah, good point. If you're not able to have someone who has the chops to do what we just said, then your answer is, throw it in the bin.
In the efficiently electronic recycling bin. Yeah.
And if you're a high-risk person, that's probably what your IT department are going to do. They might reuse that laptop for an underling.
But you, the high-risk person, are not getting that laptop back if it's been hacked.
But you could be a high-risk person who isn't. You could be a freelance news person.
Yeah, then it's your money and then you're having to make decisions.
Yeah, yeah. Risk management. So it's all risk management, Alison, all the way down.
Now, the next one. But I'm glad there is a way to fix it. That is a good point.
Yes. Silver lining found. Well done. It's now medium again. But phew.
[51:01] This next story is almost in here because I think it's funny.
The takeaway here is that we regular folk don't need to panic just yet.
But nonetheless, it would not be news if I said to you, there's another speculative execution bug, because you would say, oh, really? Is it a day ending in a Y?
This one is hilarious because it exploits a feature that Intel haven't got around to shipping yet.
It's a brand new feature in their upcoming CPUs.
AMD have one model of CPU that already contains it, but it's in all of their future designs.
This thing is so new, almost no CPU has it. And they've discovered it's a speculative execution trainwreck.
It makes all speculative execution easier.
So the answer is, we're just going to disable this feature in the OS.
So the Linux kernel already has an update that says don't use that feature.
So, I would have thought Intel, etc. would have learned by now.
Apparently not. You said this is AMD, right? And AMD too. Oh no, no. It's on both. It's on both.
AMD have managed to ship one. I don't think you said the name of it. It's called SLAM.
Yeah, we call it SLAM because the feature is LAM, which stands for something.
It's all silly stuff at this stage. So they've added a new feature to the CPU no one wanted.
Turns out to be a train wreck and then we're going to disable the feature and that's the solution.
[52:27] Anyway, I just thought it was too funny not to mention. Then we have...
You think it should be on the checklist by now, wouldn't you think?
I thought so. Genuinely, Alison, I thought that the end to this eternal nightmare of speculative execution was that the CPU vendors would stop rolling this feature into their CPUs.
[52:47] Nope. Nope. They haven't got the message. So speculative execution, though, can still be useful, right?
Well, I mean, it is very useful. We're not allowed to ever have it again?
Is that the answer? I think the answer is a hybrid.
[53:03] So what's happening now is that what the CPU vendors are doing is they're adding new CPU instructions to temporarily disable speculative execution.
[53:14] And so software vendors, like, say, you're writing OpenSSH: at the point in time when you're manipulating the SSH key, you send the CPU an instruction to disable all speculative execution, you do your secure work, and then you send the signal to the CPU saying we're good, and then the CPU goes back to being efficient and saving you lots and lots of processor time, until you maybe go to log into a website.
And then your Firefox sends a signal to the CPU saying, oh, on this core over here that I'm using, turn off speculative execution. It does its thing, and then speculative execution goes back on.
So this isn't, in fact, this isn't even the whole CPU, right?
Because our CPUs are multi-core.
So this is each core at a time is normally doing many things at once.
And there's now instructions to say, don't do that for a couple of minutes here.
Not minutes, a couple of CPU cycles, a couple of microseconds.
Let me do this secure thing. And now go back to your risky behavior that saves lots and lots of CPU cycles. So that is actually what's happening. Got it. Yeah.
Okay. So we're having our cake and eating it in the sense that we do get optimization and we get security.
But the problem is we now have added a workload onto software developers to remember to issue the low level commands to the CPU to say go into secure mode.
So it's a new avenue for vulnerabilities if they forget.
Swings and roundabouts. Swings and roundabouts.
[54:39] The next one is… We're still in the list of unpatched problems, aren't we? Two left, but they both have nice names, if that helps.
[54:47] So 5Ghoul is a collection of bugs in 5G chips made by the two biggest makers of 5G chips, a wee company called Qualcomm and their upstart rival, MediaTek.
Qualcomm dominate the market utterly.
So I was disturbed to read that there were lots of CVE numbers, so lots of separate vulnerabilities.
And then I was relieved to read that every single one of them is denial of service.
None of them are remote code execution or anything scary like that. It's denial of service.
[55:24] So, like, as in DDoS? Well, so denial of service, no. DDoS is distributed denial of service.
Denial of service is a broader term for it stopped working.
So if a bug makes something break, that's denial of service.
If you make a web server break by sending it traffic from all over the internet, so that there's no one source, that's distributed denial of service, because the problem has been spread out so you can't defend yourself.
That's the D in DDoS. Okay, so if I've got a 5G chip and it's got a denial of service, because it just stops working. Yes.
And in this case, most of the bugs just downgrade from 5G to 4G.
So they basically, the chip goes, and it just goes to 4G. And so this has the advantage that you don't lose your cell connection.
The disadvantage is that you are now using 4G, which is a security train wreck, compared to 5G, which is a security pileup.
5G is less insecure.
[56:20] Yeah, 5G isn't great, but it's... I didn't know 4G was insecure.
Oh, yeah. When people talk about the cellular network is not safe.
They mean 3G, 4G, GSM.
5G is less bad because they retired some of the protocols that were written in the 80s.
But there's the problem is a lot of backwards compatibility.
Bad back. Anyway, so one of the reasons you might use this was if you were going after, say, the the press.
Actually, this actually happened. The chancellor of Germany, her phone was attacked.
So if you're going after the new chancellor of Germany who's not female anymore, you could trick their phone into 4G, which would make your job of attacking them easier because they've now gone to a less secure network.
So that's one way it's harmful.
The other, one of the other vulnerabilities is a little bit more annoying.
It basically makes the chip lose its mind so completely that the only fix is to reboot your phone.
So basically the entire cellular chip just goes bleh, and your phone stops being a cell phone and just becomes a Wi-Fi device.
Because it's not just that it can't use 5G, it just...
So, how does one get this exploited? Unfortunately, you just need to be connected to the cellular network.
[57:42] So, all 5G chips from these two companies, you can just be knocked, your phone stops working? Correct.
Until there is new firmware... Don't tell us about these things!
We can't do anything about this! Well, you kind of can.
You can reboot your phone if you're still going to use 5G, because the most likely way this is going to affect a NosillaCastaway is a prankster of some sort.
You know the way we have these things where if you're on an internet game and someone's winning too much, you knock them off the internet.
Well, this is a new mechanism for knocking them off the internet.
And so if your phone suddenly loses internet connectivity, give it a reboot.
But I think really the bigger thing is we are going to get firmware updates for all of our phones soon.
Now, for those of us in iOS land, we're not going to have a choice and we won't even know that it is a firmware update, it's just going to be a software update from Apple, we'll get a red badge and we'll do it.
But people in Android land should be on the lookout for firmware updates from their vendor of choice and should apply them, because it's kind of important that your cell phone talk to the cellular network.
[58:40] I wonder whether firmware updates will come to phones that are not supported by Android anymore.
Of course they won't. Well, it's up to the vendor. If you shake your head, people can't hear that, Bart. Yeah, I figured you'd... Bart's answering me by shaking his head. I figured you would fill in for me.
Yeah, it's up to the vendor. They could hypothetically decide that even though we've stopped doing updates, we'll do one for this. I'm not sure I'd hold my breath.
In fact, I'm quite sure I won't hold my breath is actually what I mean.
Right, last bug. AutoSpill.
Password managers in Android that use the official Android API for password managers are all vulnerable to leaking the password to a malicious app.
So here's where we immediately jump to the silver lining here.
If your Android phone is hacked, then the hackers can use AutoSpill to steal passwords as they're autocompleted by the password manager.
They can't read all of your vault, but they can sniff a password that gets revealed as the malicious app is watching.
This is to do with a bug in the Android operating system's APIs.
So Android can fix this, and Google will almost certainly do that and push a software update.
But of course, if you're on one of those Android phones that never gets an update, then you really should stop using password managers until this is fixed.
Or don't let malware onto your phone.
[1:00:09] So is this only affecting the built-in password manager of Android, or is it the real password manager companies?
It's every real password manager company that uses the official API.
Which ironically means Google's password manager isn't affected because it doesn't use the Google API.
I have no idea why they don't use their own API, but they don't.
So 1Password... But what about 1Password? Yeah, 1Password for top of the list, LastPass, KeePass.
Yes. Now, 1Password have said, we are deploying our own mitigation that will protect our users even before Google fix the API.
So they're saying, give us a couple of days, we're on this, we're actively working on a mitigation on our end, so we can work around the problem now that we know about it.
So that's actually 1Password is going to get a fix before Android does, which is probably for the best, given how difficult it is to get Android phones patched.
And LastPass, bless their cotton socks, have also said they're on it.
In fact, everyone who the bleeping computer journalists reached out to, they all answered to say, yeah, we're going to do a mitigation, we're on it.
So this is probably going to get fixed quickly. So I think the really big takeaway for our listeners is, when 1Password on Android offers you an update, yes, yes, yes, yes, yes, ASAP.
[1:01:29] Right. And I would suggest if they offered it to you on iOS, you should just say yes to that one too. Fair?
Yeah, to be honest. Whether it has anything to do with this. True.
Although, to be honest, they very rarely have security issues on the iOS updates.
They're usually my app crashes less and my app is nicer.
But hey, I like it when my app crashes less and my app is nicer. Features are fun.
Right. So, Bart, you know, Dr. Gary prides herself on calling herself the crusher of dreams, but I think you're coming in a close second here.
I'm just the messenger. I'm just the messenger.
Remember, for all of these, if you decide to take the risk, you're probably fine.
There's nothing on that list today that is likely to affect a typical person today.
If that ever changes, I will let you know that regular folk need to be careful.
But people who are not regular folk need to be a little more careful and everyone needs to patch everything ASAP. So it's not quite doom and gloom.
[1:02:28] It's not happy. I'm completely doom and gloom. Now, the second deep dive is the one I was expecting to be spending the day on.
So you guys in the States have a wonderful, wonderfully rare thing.
A politician who's good at technology in the form of Senator Ron Wyden.
If there was an award for most commonly praised politician in these show notes, Senator Wyden would win, because he is very on the ball and I have yet to see him do something stupid when it comes to technology.
No idea what else he gets up to, because I don't care, he's not my politician.
But when it comes to technology and the law, he's fighting the good fight.
Often and continuously.
[1:03:15] And he very cleverly discovered, he became aware of a classified program, which none of the tech companies were allowed to tell us, the regular folk, about because they were under a gag order, because it was technically secret.
But he wrote an open letter, which means it's not a secret anymore.
So now Apple and Google have been able to tell us, actually, there's a whole other type of government request that we haven't included in our transparency reports because we were legally prevented.
So now we know that it is possible for law enforcement to send a request to Apple and Google saying, give me all of the metadata for push notifications, to this Apple ID or this Google ID.
[1:04:01] And the biggest reason they want this is because it de-anonymizes anonymous services.
So if you are using an anonymous username on something like Signal or whatever, your push notifications can tie that username to an Apple ID, which means you have suddenly, despite the fact that you're using an amazingly secure app, the push notification has outed you and connected the dots and de-anonymized you.
Doesn't the push notification often include, like, Bart sent a telegram?
It can include a lot, depending on the exact nature of the app and the exact content.
I believe it's also possible for some of the content to be encrypted, but I'm not 100 percent sure what is and isn't in the clear.
So it's described as metadata, so it may not be everything you see that is always in the clear, but it's nonetheless a significant avenue. It's a significant amount of information.
[1:05:03] That definitely is being used to de-anonymise things. Because even now, we don't have all the answers.
We just know that metadata is being shared with governments, plural. Don't know which ones.
And interesting now, so the other silver lining here is that both Apple and Google were very fast out of the gate to say, from now on, every transparency report will include reporting on this avenue of surveillance.
So the next biannual, what's the current word we use for semi-annual that isn't confusing? I think it's biannual.
Anyway, six monthly.
I would contend both are confusing, but okay. Semi-annually?
Someone somewhere came up with a new word recently that wasn't confusing.
Twice a year. Twice a year, yeah.
So from now on, we're going to know about these things. We're going to know which governments, we're going to know how many.
So that is a definite positive outcome. You're saying we're going to know who asked for the data and what they got, or...?
Well, like with all the transparency reports, which countries, how much?
[1:06:07] Okay. Because they're always anonymized aggregates, right? So we just know how many.
An interesting tidbit, because obviously Apple and Google, it's very unlikely Apple and Google were able to talk to each other about this program.
So Apple and Google were both forced to accommodate this, and were both forced to be silent about it, but they've ended up with a different process.
Apple were happy with just a subpoena, which means there's not always a judge involved, whereas Google managed to get away with requiring a court order, which means there always was a judge involved.
So they obviously were having separate conversations with the government and didn't know the deal the other had gotten, and they ended up negotiating a different arrangement.
And Apple's one was worse, which is very unusual.
Just an interesting little side note that Apple were just accepting a subpoena, whereas Google needed a court order.
So, you know, on the whole, we're better off for knowing. But we also don't know what else we don't know. If you want to be depressed, if you'd like a reason to be depressed, there you go. But let's not do that.
[1:07:04] Right. We're not done yet. Action alerts.
This is the patchy, patchy, patch, patch bit. This is the bit where there is a very easy answer to everything I'm about to tell you. Patch.
Now. OK, first up, Google Chrome emergency update. It fixes the 6th zero-day exploit of 2023.
Patchy patchy patch patch. And if you're using another Chromium browser like Edge or Brave, you should also patch because those browsers too have released updates to address these same problems.
Apple have released lots of updates to address two zero days in Safari that are under active exploitation.
So if the Apple stuff is saying I'd like to patch, yes. Yes, yes, yes. Patchy patchy patch patch.
[1:07:54] If you run the very popular app ownCloud on your NAS, patchy patchy patch patch, because there has been a nasty zero day in that for a couple of weeks and I didn't quite mention it on the show before because I was like, I'm not sure Alison would consider that appropriate for Security Lite.
But it's under active exploitation now. And I know people run it on their own NASes.
So if you know the way you can install an app on your NAS, like to do say, what's that media thing people love doing?
Plex. Yeah. Well, you could also install ownCloud and then you could have basically a private. Right, right. A private OneDrive, in effect.
Only ownCloud is full of nasty bugs.
[1:08:38] You're such a shill for Microsoft. Your first instinct is OneDrive.
Sorry, I would have said Dropbox, but... That's what my brain tried to say, but I mix up names.
I actually meant Dropbox, because it's a much... It's not really OneDrive, it's a Dropbox.
That's even funnier. Yeah. A popular brand of NAS is Zyxel.
Not as popular as the, oh, not Drobos, the new ones we like that you and I both have.
Synology. Synology. Not as popular as Synology, but there are a lot of Zyxels out there.
Zyxel have patched lots of bugs. So if you have a Zyxel NAS, patchy, patchy, patch, patch, because they're quite serious.
If you have an Android phone, you really want the December update.
So as soon as you're permitted by your vendor, do that.
Because it's got some fairly nasty zero days, including a zero-click remote code execution, which is basically browse the wrong website, phone completely hacked.
Very, very nasty zero click remote code execution.
[1:09:43] Worthy warnings then. A lot of our audience, or no, there are quite a few people in our audience who use WordPress, say me and you for a start, but many more too.
And we have mentioned recently that one of the cool features in WordPress is it can auto-update its own plugins, which is why it's interesting to me that there is a new type of spear phishing that has been spotted in the wild by Wordfence, who are a WordPress security company.
There's so much WordPress on planet Earth that you can actually make a business of securing WordPress as the entire reason for your company to exist, which is kind of cool.
So Wordfence do that professionally.
And they have a blog and they often do some really cool stuff on that blog.
And one of the things they posted in the last two weeks is a news story warning everyone of a new approach being used by WordPress hackers.
They are sending out fake emails pretending to be from WordPress security, or the WordPress security team is actually the wording in the fake email, telling you that you have a vulnerable plugin on your WordPress site.
And you should patch yourself straight away. And here's a download link.
[1:10:55] Three prizes for guessing what that download link is. And the answer is not a fix to your problems.
The answer is a plugin with a back door.
So you will hack yourself if you do this.
So WordPress don't email you. If you want to update your WordPress, you go into the WordPress app and let it pull the updates for you from the right place.
Don't randomly install a plugin, even if it pretends to be an update that someone emailed you, even if they say they're from the WordPress security team.
That's not how it works. So are you suggesting we don't click on links and install software?
Yeah, yeah, I am. If someone emailed it to you out of the blue, no.
[1:11:39] Right. I have to tell you, since we last talked about this, I did turn on the auto updates to plugins.
And I think Bart might have told me this before because I had a couple of them updating, but what I did was go through and turn them all on auto-update, and I realized a really big advantage of auto-update is I get an email telling me when they auto-updated.
So if something goes belly up, I know what just changed.
When Alison goes to my WordPress site and I see a red three, I go through and I go update, update, update.
And then I forget completely which ones I just clicked update on.
I mean, to be fair, it's almost always my theme, but man, they're busy over there. They're always updating.
But now I don't have to. I get a little email going, I updated this, I updated that. And now I have essentially an audit log of what got changed.
Yeah. And so I guess you can correlate it in time. Oh, this started happening on the 14th of the month. And oh, look, on the 13th, this plugin was installed. Ha.
That'll be that then. Yeah, exactly.
[1:12:41] Exactly. Right. I'm getting low on energy here, but don't worry.
We are into our final section that has content in it. We are in our Notable News section.
So I don't understand how these things happen. What memes are these strange things where some of them just take off?
And someone in a law enforcement Twitter account in the United States posted a completely wrong-headed and factually incorrect warning about the dangers of iOS's shiny new feature NameDrop, that's been around for months now, telling everyone that it was going to steal their kids' data and they should turn off the entirety of that whole Continuity.
Just turn all of Continuity off because otherwise you're in deep trouble. So not Continuity.
The sharing thing we love to hate because it works half the time.
Well, NameDrop or AirDrop.
But the setting is for all of AirDrop, right? So they were telling people to turn off all of AirDrop.
[1:13:41] Anyway, it's just wrong. Like someone walking by you on the street can't just magically through NameDrop steal your stuff. Apple implemented the feature really well.
So I have two links in the show notes, one to Cult of Mac explaining how Apple made it completely safe and secure, and another one to TidBITS making the argument that if you see this, you should push back.
If people start saying this to you, you should correct them so that this stupid meme doesn't spread all over the place.
It's just dangerous and bad. It's misinformation.
Stop it. It's fine. This is, yeah, like you say, this is amazing how far reaching that news or the, uh, it was a police department, I think, to start with.
And it just spread like wildfire. But as fast as it was coming out, I was seeing companies saying, no, no, no, no, no, no, no, no, no, no.
But it still didn't stop it, which is just like, why is this still being spread by other police departments?
It's like a social network of police departments who are like, oh, they tweeted it, we better tweet it too, because otherwise we look bad.
So anyway, it spread far too fast.
[1:14:43] Anyway, next story we have then is a positive example of artificial intelligence making things better, because that is going to happen too. I know we have all these worries and they're not unfounded, but it's not all one way.
So phishing is about fooling humans.
It's not about fooling computers, it's about fooling humans, which means that they do things like use letters that look a bit like other letters and spellings that look a bit like other spellings. So it's all very fuzzy.
[1:15:13] And computers without AI are very bad at fuzzy because they're very algorithmic.
But AI is very good at fuzzy.
Pattern recognition is what AI does.
So Google have reinvented the back end of Gmail so that its spam detection is now using an AI which looks at email like a human and recognises all of those tricks we humans fall for.
Because it's doing the same sort of fuzzy looking at things.
So the end result is that people using Gmail should end up with way better spam filtering.
Because the spam filter is now looking at it in an analogous way to how humans look at it. So it's just going to be way more effective.
[1:15:53] Oh, excellent, excellent. I heard Tom Merritt talking about this, and I don't know why this just never occurred to me.
He said, you ever wonder why the spam has misspelled words in it?
It's because that gets it past the spam filters.
Which I thought was fascinating because that's one of the things they can do, but I just had no idea that's one of the reasons they do that.
And the other one is what we call homoglyphs, which is letters that look like other letters. So you have Cyrillic letters that are different code points in terms of UTF-8.
But for all the world, it looks like an I to me, the human.
And so the computer is completely fooled. But me, the human, is not. And that's another trick they love doing.
So anyway, this is just a much better approach. Don't do it the computer way, do it the human way.
And yeah, yeah, I like it. Related story: the US, the UK and, frankly, 14 other countries who I couldn't be bothered listing, have created a set of development guidelines to help secure AI.
A lot of people got all cranky because this isn't the answer to life, the universe and everything. It's like, we went from zero to this.
This isn't perfect, therefore we should be cranky about it. And my thinking was we went from zero to this. Yay.
Now do the next thing and the next thing and the next thing.
So, you know, yes, they're multinational. Yes, they're guidelines.
But heck, responsible companies have something to work with now they didn't a week ago.
So yay? Now just keep doing better.
[1:17:23] There you go. And then finally, I get to wrap up on two good news stories about Meta.
How's that for an unexpected ending to this show? What? Yeah, I know.
What? So first up, WhatsApp has developed a new feature where you can lock your secret chats with a separate code to your phone's code.
So in that typical scenario where your phone is unlocked and you hand it to a friend to go look at your photos and they go, ha ha, I should go look at all of their secret messages.
When they go into WhatsApp, if you have set things up, there can be messages they can't see.
And to see them, they would need to know a secret code that you would know and they wouldn't.
And what's really cool is you type the code into the search box.
And when you type the magic word into the search box, it unlocks the secret messages.
So it's not even that there's a giant big locked message for the people to be all tempted by.
It's like obfuscated and hidden. And then you enter the secret code into the search box and magic happens. I think it's cool.
Makes you feel like a spy. Oh, that is nifty.
I thought that was cool. And then part of me was like, wait a second.
I thought this had happened years ago.
But although Facebook Messenger has supported optional end to end encryption, now it's on by default.
And the turning of the default means that all of a sudden, a lot more of the internet has just gone end-to-end encrypted.
So, well done, at long last, Meta. Facebook messages are now default end-to-end encrypted for one-to-one messages.
[1:18:48] And that's a miracle. Yeah. Now, palate cleansing.
So I put my palate cleanser in the show notes and I sent Alison a message.
I probably wasn't clear enough. I want to say, please pop yours in.
Nope. I never saw that. Yeah, I sent you a great one.
But I took it out of my brain as soon as I barfed it into yours.
Yeah, and it seems to have missed. I'll do a search. It seems to have missed my brain because it didn't end up in my pocket app, which meant that when I went to look for it, I was like, oh, poop.
There should be one and I don't have it. Anyway, I'll vamp. I found it. OK, I found it.
Do you want to go first since you have it right there? Go ahead.
No, you go. You go first. OK, you go first.
So the Nosilla Castaways are a wonderful bunch of people. Like Alison says, you're our people.
But like us, a lot of you love learning. And so the most recent episode of the Compiler podcast was just so up our ballpark.
It's basically a whole bunch of advice for how to continue to learn forever, and some good techniques for doing it and being successful at it.
So I figured that sounds like something our listeners would listen to. So link in show notes.
And over to you, Alison.
[1:20:00] I love it. I love it. Okay. So the thing I found was just, this is just so spectacular.
On TikTok, somebody posted a video of a 1984 RadioShack commercial, and it's showing how they've now got this cell phone in the car, and it's great because the little girl asks her mommy, can she call daddy on the cell phone?
And it's that giant brick that you've seen in the old movies and everything.
But then they talk about a fully portable version, and it's only $2,500.
Well, I ran cost of money on that to 2023 dollars.
That would be $7,400 for a cell phone.
I think you could buy a car for that, let alone a car phone.
[1:20:43] I bought a car right around that time for $2,800, so you could buy like three cars for that.
I was just going to say, yeah, no, my old Fiesta, that was my first ever car, cost significantly less than 7,000 euro.
Significantly less. Yeah. I mean, that is just amazing. It's just a delightful commercial to watch because, you know, it's just everything that's beautiful about that time period.
So there is a link in the show notes if you can stand to watch TikTok.
And I shared the video with my darling beloved, and he made a very interesting observation that the period of time when cell phones were so stupidly big is so small that today's youth don't remember it in any way, and they think it's a parody.
When they see these videos, they assume they're parodies because they look so silly.
But I was like, no, that was real. My dad's first cell phone had a handle because it was the size of a briefcase, and you carried it out of the car like a briefcase, and you put it down, opened it up, and picked up the handset to talk.
[1:21:49] You know, what's funny is they still know what phones look like.
Like, if you hand, my granddaughter, who's three years old, you hand her a, you know, a play telephone, she knows to pick it up and hold it to her ear.
But they look at this and they don't know what it is. Yeah, I guess cartoons or something.
It must be something that gets it into everyone's memory. But yeah, the time period of these stupidly large, portable, with every air quote imaginable phones is so short that we don't remember it, which is kind of cool.
We do have a family video that I cannot share, but it is one of the funniest things I've ever seen.
It's Forbes when he was not quite two years old and he's unfortunately butt naked, which is why you can't watch the photo, but he has picked up the remote control for the bidet, and he's holding it to his ear and he doesn't know how to talk very well yet.
And so he's just going, mommy, daddy, mommy, daddy, Dodger, mommy, daddy. Then he goes, OK, bye bye, waves at the phone and he hangs it up.
[1:22:49] Oh, they do absorb everything. But that looked like a cell phone to him.
Yeah. You know, yeah, they absorb everything. That's wonderful. It's really wonderful.
Really? Right. All right. I think our palates are cleansed.
That was very good, actually. That was the perfect antidote to that security bits worth of news. That's not a security bit. That's much bigger.
Anyway, the message is always the same.
Until next time, stay patched. So you stay secure.
Well, that's going to wind us up for this week. Did you know you can email me at alison at podfeet.com anytime you like?
If you have a question or suggestion, just send it on over.
You can also follow me over on Mastodon, where I'm having a great time, at podfeet at chaos.social.
Remember, everything good starts with podfeet.com. If you want to join in the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely Nosilla Castaways.
You can support the show at podfeet.com slash Patreon, or if you have subscription fatigue, remember you can send a million dollars in a one-time donation at podfeet.com.
And if you want to join in the fun of the live show, head on over to podfeet.com.
On Sunday nights at 5 p.m. Pacific Time, and join the friendly and enthusiastic Nosilla Castaways.
[1:23:58] Music.