NC_2023_12_23

Recent tech developments: Google's privacy upgrades, Microsoft's security updates, Apple's device protection. Exploitation of Face ID, commendations for Google & Discord's security, Meta's Threads & calculator history. Stay updated & secure in tech!

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com

Generated Shownotes

Chapters

0:00:00 NC_2023_12_23
0:00:53 Find Any File IS Accessible!
0:01:56 CCATP #782 — Bart Busschots on PBS 158A – jq More Queries
0:03:01 Create GPTs with Bodie Grimm
0:48:01 Security Bits — 22 December 2023
1:26:58 The Night Before Christmas

Long Summary

In this episode, we delve into the recent developments in the tech world. We start off by discussing the use of geofence warrants by law enforcement to identify potential suspects using Android devices. However, Google has implemented changes to prevent access to location data, enhancing user privacy.

Moving on, we highlight the security vulnerabilities that Microsoft has addressed in its print spooler system. These updates aim to strengthen the overall security of the system and protect users' data. Additionally, Apple has introduced a new opt-in feature called Stolen Device Protection, which prevents unauthorized access to Apple IDs, making it harder for criminals to exploit the system.

Shifting gears, we turn our attention towards the exploitation of Face ID to transfer money and make Apple Pay payments, focusing on a criminal's method of resetting Apple ID accounts. To mitigate such threats, we strongly advise listeners to enable stolen device protection on iOS 17.3, offering an extra layer of security against potential thefts.

Commending ongoing efforts, we acknowledge Google's implementation of security checks during code compilation in Android's most sensitive parts, enhancing the overall security of the platform. In addition, Discord is rolling out support for security keys, strengthening account security and safeguarding user data.

Furthermore, we discuss Meta's Threads, a platform that is launching in Europe with enhanced privacy protections and compatibility with ActivityPub. This integration allows users to follow Threads users from Mastodon, providing a seamless experience across platforms.

To end on a lighter note, we mention an episode of 99% Invisible that explores the fascinating history of calculators, offering listeners an engaging and educational listen.

In conclusion, we emphasize the importance of staying patched and secure in the ever-evolving tech landscape. As the main speaker, I express my gratitude for hosting this episode alone and wrap up by sharing a heartfelt poem dedicated to the late Honda Bob, adding a touch of holiday spirit to the conversation. Additionally, I provide contact information for listeners to reach out with questions or suggestions, promising to do my best to respond during the holidays. Lastly, I invite listeners to follow me on Mastodon at [email protected] and join in on the live show at podfeet.com/live on Sunday nights at 5 p.m. Pacific time.

Thank you for tuning in and being a part of this insightful conversation.

Brief Summary

In this episode, we cover recent tech developments. We discuss Google's privacy enhancements, Microsoft's security updates, and Apple's Stolen Device Protection. We also highlight the exploitation of Face ID and commend Google and Discord for their security measures. Lastly, we mention Meta's Threads and an engaging history of calculators. Stay updated and secure in the tech world!

Tags

episode, tech developments, Google, privacy enhancements, Microsoft, security updates, Apple, Stolen Device Protection, exploitation, Face ID, Google, Discord, security measures, Meta's Threads, calculators, updated, secure

Transcript

NC_2023_12_23


[0:00] Music.

[0:11] 23rd, 2023, and this is show number 972. Well, of course we are not going to miss a show because we never miss a show at the NosillaCast, but there will be no live show this weekend or the weekend of New Year's, so we'll see you in the new year.
But this week we're going to start the show with a very important retraction of something I said last week I was completely wrong about, and then you're going to hear Bodie Grimm of the Kilowatt Podcast teach me how to create a GPT using GPT-4.

[0:40] Then Bart joins us with the solo security bits, which he did by himself so that I could spend time with my grandkids. Very much appreciated.
Then we'll close out the show with Steve's annual tradition of the night before Christmas in honor of Honda Bob.
Before we get started, I need to give a very important retraction from last week's show.

Find Any File IS Accessible!

http://apps.tempel.org/FindAnyFile/index.html


[0:58] Christian from Germany gave a recommendation for the app Find Any File, and I downloaded it and tested it, and I gave you a review of this awesome shareware app.
I tested Find Any File for Accessibility in far too much of a hurry, and my original assessment was that it is not accessible.
This is not true. In my more clear-headed testing, I found that it is accessible.
I only discovered this when the developer, Thomas Tempelmann, wrote to me asking for clarity on what I had found inaccessible because he wanted to improve it.
I felt terrible at my egregious error.
Over the last week, Thomas dove in and he fixed a few labeling problems I found with Find Any File, and then he had me test his changes.
He has a bit more work to do, but it's nearly there. In any case, it's definitely accessible.
My apologies to Thomas for my initial analysis and to those I misled last week.
You can find the accessible Find Any File at apps.tempel.org.
And of course, there's a link in the show notes.
In Programming by Stealth this week, Bart Busschots and I start off by going

CCATP #782 — Bart Busschots on PBS 158A – jq More Queries

https://www.podfeet.com/blog/2023/12/ccatp-782/


[2:00] through the challenges of our previous installment. Remember how I said I was really digging jq and querying JSON files because at heart I'm really a data nerd?

[2:10] I failed completely at accomplishing the homework challenges.
It was not for lack of trying, though. I worked about four hours on just the first challenge.
Because of a fundamental building block that wasn't properly in place in my brain, I was never going to succeed.
That means that this episode is almost half about the challenges and Bart carefully re-explaining the pieces he taught us in the previous installment in the context of these challenges.
We both agree that it's good work because if I was lost, there's always a reasonable chance that at least one other student was as well.
Because of my questions, we ended up cutting this episode in half, so the show notes are complete for the full story, but the second half of this episode will be explained in Programming by Stealth 158B, which we'll record in a couple of weeks.
You can, of course, find Programming by Stealth in your podcatcher of choice, and Bart's fabulous tutorial show notes are linked in the blog post.

Create GPTs with Bodie Grimm

https://www.podfeet.com/blog/2023/12/gpt-creation-with-bodie/


[3:01] In this next segment, you're going to hear Bodie Grimm teach me how to create a GPT using GPT-4.
Now you probably have a lot of questions about what that even means, but Bodie goes through and explains what he's going to do in the audio you're about to hear.
If you'd like to watch Bodie do this, we also recorded the screen, or I should say Bodie did, he recorded the screen and the audio, and then Steve went through and very carefully did video switching, so you see us and then you see the screen of what Bodie was showing me.
So the video is linked in the show notes, but you can listen to the audio right now.
Well, I'd like to welcome to the show, noted expert in creating GPTs, Bodie Grimm. How are you doing today, Bodie?

[3:42] I'm doing really good. However, I would like to point out, I put a disclaimer at the top of our show notes that says that I am not an expert and I know not even a fraction of a percentage about AI.
So yeah, I just want to get that. I just want to set a tone for people who might actually know about this stuff.
Well, what kind of fun would it be if I didn't yank your chain just to start off?
But you may or may not have heard from Bodie before. Bodie is the host of the awesome Kilowatt podcast, which is a podcast all about electric vehicles.
And as I like to say, he's informative, he's intelligent, and he's also ridiculous, self-effacing, and makes me laugh every single time. So, big fan, big fan.
Yes. Well, thank you very much. I'm also a fan of yours. I don't have as many nice things to say about you as you do about me, but we'll get through it.

[4:31] Well, that's good. That's good. Okay, so everybody's heard of ChatGPT.
If you haven't heard of it by now, you've been under a rock somewhere.
But I've started to hear about this thing called GPTs.
Not ChatGPT, but GPTs. And something about you can make them.
And you said you could teach me how to make a GPT. And I don't even understand what it means to make a GPT.

[4:54] So on a very basic level, very basic. Again, I'm not an expert in this.
But on a very basic level, well, this is just a chat bot that does something specific for you.
So if you are a person who is really interested in Marvel comics and you upload a bunch of information about certain Marvel comics that you're most interested in, you can create, I don't know, a little game show, a trivia game show.
Or you can just ask it questions and win bar bets or whatever.
It's really a tool that you can use in your personal life, but it's also a tool that you can use for business.
And we'll talk about this a little bit later, but I created a GPT for the HPV vaccine that gives people who interact with it information about the HPV vaccine and why they should get it.
So you give it information to learn from, and so it's a very narrow, large language model then about that specific set of data that you hand it?
Yes. When we get to the point of actually doing the demonstration, I'll show you that it doesn't, it's not always narrow.
Sometimes it reaches out beyond where it should, and you have to reel it back in. It's like a toddler where you have to set boundaries.

[6:12] So could you give it everything I've ever written on podfeet.com?
Well, it's funny that you mentioned that, because in our example today we're going to create a GPT for podfeet.com.
Sweet, sweet. That was not a setup. That was we actually was not looking. That is. That's fun.

[6:33] Yeah. OK. So where do you start with this whole thing?

[6:37] So I'm going to enlarge this. Oh. Oh, there he goes right away.
He's letting people know that we are recording video.
We haven't, we do not promise to produce the video. If I am going to produce the video, I'll let you know.
But my job is going to be to get Bodie to not just say, as you can see here, but describe what he's doing. Because we want this to work for the audio podcast too.
The good news is I only have an audio podcast. So there's little chance I'm going to do that, but I might.
All right, Allison, are you able to see the screen?
Yeah, so where are we? You're starting at OpenAI, and you're logged in to ChatGPT4, which is the paid-for service that I can't sign up for right now because they've halted subscriptions because they have too many people wanting to throw money at them.
Right. That is a really good disclaimer to start with, is you can't actually use any of these unless you're already signed up. You can't create them and you can't view them.
So it's a little bit of a bummer, but I can tell you since OpenAI had their big AI day presentation, my experience as a ChatGPT-4 user went from being incredible to being terrible.
Oh, because too many people are doing it? Too many people, yeah.
Okay, so it's probably good that they've slowed down while they scale up.

[7:59] Yeah, and then they had a little thing where they fired their CEO and then brought him back and replaced the board. They're probably really busy, I'm guessing.
And some people are going to be working through Christmas.

[8:09] Okay, so ChatGPT4 is $20 a month if and when you are able to join back in.
And I'm sure we will be able to eventually.
So what are we going to learn about today? What is a GPT?
Well, a GPT is a...
Okay, let's break down the G, the P, and the T.
G is for generative, which refers to the GPT's ability to generate text.
Not just text that just not like a random text, right?
Like I think there was an app for the Apple II, like Delilah or something like that, that thing could create random bits of text, but this is text that's relevant about the conversation you're having with the GPT.
It's very human-like. And I think this is part of the reason why people are so worried about AI.

[8:59] Next, we have the P, which is pre-trained, which means that it's trained on just an enormous data set that covers different languages and different formats of data.
And then you have the transformer part, which talks more about like it's just a neural net.
And that neural net kind of feeds in. And that also helps with the context of the conversation.
Okay, so generative pre-trained transformer. And the transformer is taking, here's all this great data set.
I'm going to generate some stuff. And the transformer is through the neural network. I'm going to spit out some stuff.
According to my moronic understanding of it, yes. Okay, okay.
All right, so why would I want to create a GPT?

[9:44] Well, I can give you a few examples why I created a GPT. You would want to create one because you're a nerd and you would really enjoy doing it, because it's actually a lot of fun. I created a GPT, my first one I created... In my real job, I'm a firefighter, and one of the things that I struggle with, and I struggle with it even as a podcaster, is as soon as you put a mic in front of my face, whether it's attached to a fire radio or whether it's attached to this microphone that I'm talking on, I freeze up, I panic, and I have a really hard time.
So that's honestly been one of the things that has kept me from getting promoted.
It's not the ability that I have as a commander when we go on scene or whatever or to talk on the radio, but it's my panic that happens when I actually address a mic.
And I also have a little bit of a stutter when I get really nervous.
And it's a struggle, to be honest with you. So these are all good reasons to become a podcaster, right?
Oh, yeah. Well, yeah. Also, I don't like being on camera. And I've got another podcast that I'm working on. We're all exclusive to be on camera.
So I'm facing your fears, folks.
There you go. OK, so you wanted to create a GPT, though, for firefighters. Is that right?
Yeah. Yeah, so in the fire service we have, and police service as well, we have something called incident command.

[11:09] So when we go on just a standard house fire, the first arriving unit on scene, doesn't matter if it's a battalion chief or an ambulance or a fire engine, they assume command of that scene, and then everybody has to do what they say.
And there is a certain way to present your information, right?
And you when you when you when you give your on scene report that needs to be done in a certain format.
And then when you address other units that are incoming, that needs to be done in a certain format.
And you can practice that all day long driving in your car, but it doesn't give you any sense of, oh, this is real life.
So I created a GPT that goes through dispatches just like our dispatch does.
It gives pertinent information just like our dispatch does. It assigns random units to the call, and then it also assigns those random units to show up at different times.
And I never know which units are going to show up.
I use DALL-E 3 in this GPT to give me a view five miles out from the call that we're going to. So sometimes you might see smoke, sometimes you don't.

[12:15] And then I use DALL-E to show the house that's on fire when you arrive on scene.
DALL-E also shows the interior of the building when you're inside, and it just kind of gives me an ability to practice.
But then also I'm able to hand this off to somebody else in our department, or we're able to do it as a crew, and we can practice and learn as a crew.
Okay, so there's been a big leap here. It was a generative pre-trained transformer, so I can type in, you know, how big is a lump of coal, and it's supposed to answer the question in the way the data set has trained it. But all of a sudden you're talking about visual pieces and timing and things like that. That sounds like a completely different beast than what I thought a GPT could do.
Oh yeah, this thing, your imagination is your only limit as far as I can tell at this point. Like, you'll bump up against some things. For instance, when I told GPT, hey, give me a two-story house that's on fire, the GPT, or DALL-E, based on the information the GPT gives it, will actually

[13:27] create a close enough image to what's described to you in the beginning of the scenario. And, you know, sometimes you have to tell it to go back.
Go ahead. I mean, I understand it can draw pictures, DALL-E 3 can do pictures, but I'm having trouble understanding how, and maybe that's what you're going to talk through, how this GPT is going to give us something time-based.

[14:00] Is it a little video I'm going to see?
No. Okay, so, yeah, that's okay. I think I got you. So what I did was I broke it up into phases.
So phase one is your dispatch, and that will give you all of your units and your address. Is this what you're asking?
So you're going to show me a list, a typed-out list, is dispatch, and the units that have been dispatched are Engine 101, 102, 103, and Ladder 201, Battalion Chief 301.

[14:32] Correct. Okay. And in my GPT, it will give you an address that's in Phoenix. It's probably not real.

[14:39] And then when you've obtained that information, you just hit Next.
There's some other stuff below there, Allison, that's only relevant to firefighters, so we don't need to talk about that.
And then he's just typing in next, next, next into this model, right?
So if I don't stop it at each little phase, it will run the entire call for you.
Okay, which is, you won't get to do anything.
No, no, it's not, so it's not a good way to learn. So in the second phase it'll give you the pertinent information. This is the caller report: seeing flames from a second story window of the house, unsure if residents are home. Right, so that gives the incident commander an idea of

[15:24] based on the time of day and based on, you know, whether it's a weekend or not, if somebody is home, are they not home, we don't know. And then it creates this image.
Somebody who's trying to practice, what is it you're practicing, hitting next?
No, so this is something that we do, most of the time we do this in a classroom type scenario, so we are being vocal about, okay, what we see. So when it comes to the dispatch, somebody will read the dispatch to you. When it comes to the pertinent information, the battalion or the incident commander will be able to read that pertinent information. And then the next phase is it shows a

[16:10] picture from about five miles out. Now, Allison, if you could do me a favor and explain the picture that's on the screen.
Okay. It looks like a bunch of houses in a suburban neighborhood with what's probably a nuclear explosion-sized fire going on. It's pretty intense.
Right. GPT goes hard on the scenarios.

[16:31] If I saw this, I would be immediately calling a first alarm fire because something else besides a house is on fire.
Yeah. So you have to take all of this with a little bit of a grain of salt, or you just tell GPT, hey, that's too much.
Tone it down a little bit. Okay. But again, if you're training yourself doing this, all I see you doing is hitting next.
Are you saying in your head, okay, I'm going to do a four alarm fire or number one alarm fire, whatever you said on this.
Or are you trying to give responses that you would give in real life, like in your head?
So, yes, for me, if I'm doing this by myself, I will just go through as as if I'm really going to fight the fire. Right.
And I'm saying this out loud as if I'm practicing saying it into a mic.
The next phase for this would be to type it in.
But there's an even better part of this that I was going to get to later.
But we might as well talk about it now. ChatGPT has an app, so I can go into the app, I can turn on the voice to text mode, or just, you can just have a conversation with the GPT.
I don't even know if it's voice to text and I can tell all, I can tell the GPT all of this information and it will give me feedback.
It's at this point, it's not great feedback, but it will give me feedback.

[17:54] Okay. I think I get the sense of what you're doing with this.
It's, it's pretty crazy.
Um, do you want to keep going with the, um, with the fire safety training thing that you've built here? or do you want to start talking about how do you build something like this?
No, I think we should get to how do we build something like this. Yeah, we want to play.
I did practice some things, like I mentioned earlier.
So when you're in the GPT page, on the left side of the screen, you have your GPTs.
Sometimes it's ChatGPT and DALL-E and maybe something else that you've used.
It's got what you've used most recently.

[18:37] On the left side of your screen. And then underneath those items is an explore tab.
And then you have all of the GPTs. And these are pretty much all the ones I've created since I have been using GPT.
He's done like 40 of these. One of them had chicken in him.
Oh no, this is like all the way back to April when Sierra, my daughter, convinced me to sign up for the paid version.
Wow, okay. All right, so pretend we're just coming in from scratch here.
We've got a little pencil next to ChatGPT at the top, or we've got explore, right? Right. So we want to go to explore.
Okay. This is a build a new one.
Yep. And we want to, at the top, it says my GPTs and then create a GPT.
Okay. For a specific purpose. Yep. Oh, it's beta. Yeah.
It is beta and it's pretty good, but it definitely has some hiccups.
So now that we're in the chat, create a GPT section, you have an option to create or configure.
With create, it'll just ask you questions. It'll like walk you through creating a GPT, which is great because if you have no idea what you're doing, configure is almost completely useless to you.
I don't see create a GPT. I saw you press the button, but I don't see the next page coming up. Oh, yeah, it is. How about now?

[19:57] Here we go. Okay. So you basically just hit Create GPT, and now we've got Create and Configure are our two options.
And it looks like there's a pane on the left for Create or Configure, and then on the right we've got a preview.
So we're looking at GPT Builder for Create.

[20:14] Correct. So it welcomes you, says, hi, I'll help you build a GPT. and basically.

[20:24] All we're going to type in here is we're going to say what we want to make. So I'm just going to say, I'm going to keep this very simple, like three minutes, to make a GPT for www.podfeet.com. Okay, nothing else. We don't have to tell it what we want to do with it. I mean, once you kind of get your head around how these things are made, then yeah, you add a lot. Like my fire commander GPT, it's lengthy. But this is going to be simple.
Okay, so all he did was type into a little field, he said, I want to make a GPT for podfeet.com. It says, great, how about naming it Podfeet Helper? Does that sound good to you? How does that sound to you?
That sounds fabulous.
So you just type yes as an answer. So you're just having a conversation with it.
Just a basic conversation. Okay.

[21:21] And then it's going to go off. It's updating the GPT. It just went through 18 years of blog posts?
Well, okay. So that's another thing that we have to talk about.
But if you look here on the right, on the preview side, Allison, we have some added things.
It says, tell me about the latest tech news on podfeet.com.
We didn't add this. It did it itself. It says, how do I start a podcast?
Discuss the latest gadget reviews on podfeet. and explain a technology topic from podfeet.com.
So these are suggested questions you could ask the GPT at this point? Correct.
Okay. And it's just a way to get somebody started in the process.
And while we were talking over here about the preview stuff, we go back to the configure side or the create side, and it created a logo for your Podfeet helper GPT.
Okay. One thing I like about this is it clearly knows that it's a podcast blog, because podfeet.com, they could have come back and said, okay, you're a podiatrist here.
It obviously went through the data in some way to figure out that it was a podcast.
It's got a little laptop.
It's got headphones and a bunch of microphones. So, okay, that's a cool logo. That's perfect.

[22:42] Okay, so we're going to answer one more question, and then we'll stop this particular GPT.
And the question we're going to answer, it's asking, now let's refine the role and goal of Podfeet Helper.
Considering its focus on podfeet.com, what specific types of information or tasks do you envision it handling?
For example, would it provide detailed summaries of podcast episodes or offer technical advice or both? So, Allison, I'll let you.
So, a summary of podcast episodes is kind of silly since I give everybody summaries of podcast episodes.
What about answering questions about what kinds of things I've reviewed, maybe like...

[23:31] Okay, he's writing, answering questions about product and software reviews.
Sure. A lot of people say, I don't know how to find out whether you ever talked about X.
And I always figure, well, there's a search bar. You could stick it in there, but the search isn't that great. So you can.
The GPT doesn't always end up being great, but if over time, I will say it can get better and it can get worse. So in this create mode, we have created this GPT, right?
It's fantastic.
It's going to work great.
However, over time, it's going to expand what it was initially built for.
And sometimes that could be good.
Oftentimes, I've found that it's not. It kind of just goes right off the rails.

[24:24] And you have to create another one. And another negative part of this GPT builder is when we navigate away from this, all of the stuff that we typed in on how we want to set that up, this all just disappears.
Oh, so it doesn't remember that. It might remember it, but you can't go back and be like, how do I answer these questions?
So it's almost easier at that point, rather than going through and trying to figure out how to change it through chat, to start all over.
Oh wow, okay. All right, so now it's asking us what should we avoid. And I kind of like that last thing it said there. It says this could include avoiding technical jargon. No, we love technical jargon. How about no topics outside of the scope

[25:14] of technology and podcasting. You could copy that if you want. So is that all in this, is that, that's normal for Podfeet, right?
Right. I don't want to talk about anything outside of technology and podcasting.
So this is how I get away with that.
Instead of saying that, it said all questions...

[25:35] Oops. All questions out.
Oh, I got my mic in front of my keyboard. I can't see. Oh, I hate that.
So you're, you're, he's writing out what he doesn't, what this thing should not talk about.
All questions outside of what you'll find on podfeet.com, what are verboten, should result in a yo mama joke.

[26:06] So all of my GPTs, except for the HPV one, because we're actually showing that to a client, end with a yo mama joke.
And they are the most polite yo mama jokes you'll ever see.
Okay. Okay. So if anybody asks a vaccination question of podfeet.com, it'll say, yo mama, so whatever.
Yeah. Okay. And they're usually very complimentary. Okay. Every now and again, you'll get one that's not. But it's not even that bad.
So this isn't Carrot Weather worthy or anything?
No, no, no, it's not. Nothing like that. So over here, Allison, we have the preview. While it's updating that, we have the preview. If we practice inside this preview it'll work, but for whatever reason, until you save it and go back into it, it doesn't work great. So we're going to save it. I mean, while you're building it, for sure practice it.
Okay, so are we going to lose our create stuff right now?
Yep. Yeah, we just lost it all. It's all gone.
Yep. So if we go back into Explore and we go to edit a GPT.

[27:12] It says, welcome back. Are you able to see all this? Yeah.
It's 10-minute time. It's completely lost all information.
Completely. So if you look over here in the configure part of things, it does have information that it created for you. But you can't edit that?
Oh, yeah, you can edit it. But I found that it's easier just to throw this out and do it the way you do it because it just overruns you.
But that's neither here nor there. We'll start that here in a minute.
Okay, so we're going to go look at the Podfeet Helper GPT. It exists right now.
We're ready. So I need to stop sharing that screen and share a different screen.
So are you going to suddenly spring at me? I've got to think of a good question? Yeah. All right.
What's the best way to use alt tags?

[28:10] So alt tags are the tags you put on images when you post them to social media so that they're available to screen readers. So let's see, Podfeet Helper says using alt tags effectively is important for both accessibility and SEO. I've never said that.
Okay, well, this is where this goes off the rails a little bit.
It's the first question. Okay.
So we said that, and it's given me a big old long answer. Yeah, it's been going on and on. I'm going to ask, did you get this from?
Did you get this from podfeet.com? He's writing to it because it is literally still going. It's writing all kinds of nonsense.

[28:50] It's going, it's doing research with Bing. Now it's searching your site.
So what people can't see is that it's coming up with the, um, like a, like a little, uh, search bar.
I, it's not even a bar, like a search circle. Yeah.

[29:11] And it'll tell you what it's looking for. Now, after I asked, did you get this from podfeet.com, it has something that looks a little closer to what would be on Allison's website.
Yeah, so what I love about this is it's like you told the kid to write a book report, and the kid went to Wikipedia and copied and pasted it, and you said, did you write this yourself? And then it goes back and goes, okay, I'll write it myself.
Right. Correct.
So now it says things like descriptive content. The alt text should go beyond basic descriptions for instead of just dog, include the dog's color, actions, or other unique attributes.
Sounds like something I might have said. You know the last one was me.
It says incorporating humor.
Because sometimes I like to put in little Easter eggs in my alt tag.
So it very likely could have gotten that from me.
Now, look, if you look down here, we have the little quote marker.
Okay, there's a little quote mark.
Looks like a link you could click. It says where it got the information from, get your content out to more people by adding...
Alternative text. Alternative text. Oh, that's great.
So that proves that it got some of this, at least from something I had actually written. Yeah.
All right. And now we're going to ask it, who won the 1986 Super Bowl?
Oh, we should get a Yo Mama joke. We should. We should.

[30:32] Okay. And it didn't. It's telling us it was the Chicago Bears.
Correct. My favorite team. That was put in there. Did you get this?
Did you get this from podfeet.com? You should have a TextExpander snippet for that. Yes.

[30:51] Okay. So since obviously it didn't get it from here, now it says doing research with Bing, now it switches it to researching the site podfeet.com.
Correct. Okay, it says it does not appear to be available about the 1986 Super Bowl.
Why didn't it give us a Yo Mama joke? I do not know.
To make you look silly on the podcast? Yeah, well, no, this is actually part of the point is hopefully, hopefully, when we do this the other way, it will be more consistent.
Okay, the other way. Yeah, so we're going to go back to explore.
So the first way we did it was we did create, but the other one's configure, right? Correct.

[31:36] And it's spinning. Live demos. This is the best, right? I feel like Steve Jobs.
Can everybody turn off your phone?
There you go. Okay, so we're back to the create a GPT button, which is going to open this on another screen that I won't be able to see, right?
Correct. So we'll go back. I got a lot of these open. And so we're going to go back and share with you the new one. Okay.
So this time we're going to go with configure. And this is going to be different. Okay.
So we're going to call this one pod bot. Pod bot. A description.
And then instructions. Instructions.

[32:17] Okay, for descriptions, he's putting in All Things podfeet.com. Instructions?
So I'm just going to say I want to create a GPT for podfeet.com.
You don't have to give it all that www nonsense, right? Yeah, yeah.
It's an AI for crying out loud. I can't figure out. You wouldn't think so, but sometimes you do have to be kind of specific.
Not always. Like, I was putting in, uh, wait, Wyze cameras, and it was correcting it, uh, because in Apple's infinite wisdom it was corrected to Waze cameras, and it still knew what I meant. Okay. But then I was putting in Wyze cameras and it had no idea what I was talking about. That was within two minutes of each other. So, yeah. Um, okay, so we've got a name, description, and then the instructions is going to be essentially like what we talked about before.
So he's got, I want to create a GPT for podfeet.com.
Don't give me any information that is not found on podfeet.com.
Okay. So in theory, okay, now it's going to say if the question is not related, the information requested is not related, give us a yo mama joke.
Correct. Just like what we did before, but it's under instructions.
Okay, so we're just filling out a little form instead of just being completely free form.

[33:37] Correct. And really, this gives you a lot of flexibility if you find out later that there's something not quite right, but you don't know where to go to fix it.
If you have your instructions, I move it all on to a text program, a text editor, so that I don't have to...
Keep recreating it. Well, keep recreating it, but also, if you accidentally delete a section and you haven't saved it somewhere else, you don't get it back.
That makes sense. You could try to Control-Z, but if you've already saved it, you're done.
All right. So now you have to, the next field is conversation starters.
So tell me about Allison.
Well, that's easy since there's a page called About Me. Hopefully it'll figure that one out.
We'll see what it does. Because so conversation starters and what do they, what are they going to do?
Is this just going to be, oh, is this going to be the kind of questions that you would show to somebody saying, here's some typical things you could ask the pod bot? Correct. Okay, got you.

[34:48] Tell me something cool. Why not buy a Wyze cam? Change it to buy instead of but.
Oh. That way it'll make a little more sense. Nope, that's my fault. Okay. All right.
He's putting in a fourth one here. Oh, who won the 1986 Super Bowl? All right.

[35:09] All right. So if we wanted to, you see this section here that says knowledge?
We could upload PDFs. We could upload pictures. We could upload Word docs so that it would be a little bit more accurate.
So for my FHIR GPT, I have the entire volume two SOPs that we use, which is the standard set of guidelines that's about an inch and a half or two inches thick.
Standard operating system. Of everything that we do for every situation.
Okay. So you had a PDF of that or something that you submitted? Correct.
Okay. Yeah. Yeah, so I just submitted that, and that's what it goes off of.
And honestly, when you have that kind of stuff, it actually works a little better as well. I would think so, because it's really specific.
I mean, that's narrow, right? Right, right.
So then we have capabilities, which we want to include. There's only three.
Web browsing, DALL-E, DALL-E, DALL-E, image generation, and code interpretation.
I don't mess with code interpretation, but folks who are fans of programming by stealth might find this interesting. Okay.
And then it says actions create new actions. What is that?

[36:23] That is something I do not understand. I do not have an authentication key, an API key.
We'll skip that part. Not something for today.
Okay. Did you just back out and lose everything? I hope not. Oh, nope.
You hit the wrong back button. Okay. Yeah, yeah. There we go.
Okay. Share your screen again. It's popped away from me.
Oh. Okay. So we're done with the configurator, which we've done.
We've given it essentially the same questions we had before, but we wrote our own, hey, you might want to ask this PodBot these questions.
But other than that, you've pretty much told it the same thing you did in create.
Correct. Do we get to test it now?
Yes. Actually, let me save this. So he's going to save, confirm, and this should let us see it as a standalone.
All right, here we are. PodBot, All Things podfeet.com. And he clicked on Tell Me About Allison.
So didn't have to type anything because we already had it in there.
It says, Allison Sheridan is the creator and host of the NosillaCast Technology Podcast at podfeet.com.
All right. You know it for your enthusiasm about tech.

[37:29] Yep, and it's got accessible in there. So yeah, that sounds like me.
Oh, I recommend visiting podfeet.com for more details.
Okay. He's written, based on this information, give me a photorealistic, uh-oh, image of, I'm afraid, and he's going to say of Allison.
Okay, so I did. Huh.
Yesterday, he gave me a- I'm sorry, I can't create photorealistic images of specific individuals. You might want to go to the website. Duh.
This is where you have to get creative. What do you think the creator of podfeet.com looks like?
All right, I'll be curious to see if that works.
Use DALL-E. Okay, what do you think the creator of podfeet.com looks like? So this actually...

[38:27] This actually worked. Let's see. Say yes.
So it just said, I can create an image based on a general description, but it's important to note this will not be a depiction of Allison Sheridan or any specific individual associated with podfeet.com.
You sure you want to do it? A fictional podcast host.
I did this three or four times yesterday, and it worked every single time.
So that was one day ago.
And there's Allison sitting in front of a mic. She's got a mic. She's got a Mac.

[38:59] She's got two Macs. That looks like pretty close to my microphone style.
Yeah. I'm about 40 years younger, so I'm liking that.
But it's got the wrong pop filter.
And the microphone isn't plugged into anything. It's hanging out in space with no boom arm.
Yes, and, uh, in the back it's got a live, uh, sign to let everybody know that you're live on the air, but it says live. So I've noticed that with DALL-E, it can't spell. Like, even when you spell the thing you wanted it to write in there, it spells it wrong. Yeah, it can't spell at all. Like, I had it do, uh, a logo. I said, have some bare feet, and I wanted to say NosillaCast, and a technology podcast with an ever so slight Macintosh or Apple bias.
And it misspelled NosillaCast. It put like four L's in it. Yeah, yep.

[39:58] So I have this other podcast. I don't know if I can talk about it yet.
But we created our logo with DALL-E. DALL-E, and I had to, I had to, like, Frankenstein, like, six or seven DALL-E photos, uh, logos together to make ours work.
But oftentimes it spelled the name of the podcast wrong, despite the fact that we told it how to spell it.
Okay. So, uh, he just asked it, tell me about Wyze cams and should I buy one?
And the advice says that, uh, you should definitely buy one cause here's all the great eight reasons you should do it.
So I think that one's, that is not from podfeet.com.
So let's ask. Because that is definitely not my current advice.
It says, as of April 2023, Wyze cams were popular for all these different things.
Okay, it says, I can't access or retrieve information directly from podfeet.com or confirm a specific contest available there.
Yeah, my answer, my responses are on general knowledge. Hmm.
That's kind of interesting. So I can tell you, like I had, I created yours in the morning, and then I created the document that I wrote up for the show in the afternoon.
And the morning answers were not as good as the afternoon answers.
I do not know if it gets better over time.

[41:21] Okay, he wrote, try searching podfeet.com for the answer. And we have now what looks like a religious painting from like, I don't know, the 1400s.
And this guy has got this brush pointed up, but he's pointing at what looks like a little closed window box from Windows. Correct.
So this must be what the Pope sees when he opens the computer.
I guess so. I'm guessing. So, I mean, this was a spectacular failure, but over time you could play with this. As you get a little bit more familiar with ChatGPT and creating GPTs, you can play with this, and the product that you get, um, most of the time, gets better and better and better. Like, I showed my I command GPT to my chiefs that met my department, and they were blown away by it, because up until now, this is not a joke.
Sometimes people would draw on a whiteboard or draw on a piece of paper what you saw on a fire.

[42:34] It was a very low tech way of doing these things.
So despite the fact that both of these GPTs failed today, don't let that deter you from creating a GPT because it might, if you put the time in, you put the energy in, you might get something pretty magical.
So let's be perfectly clear. They were mostly impressed that it drew cool pictures of fire?

[42:59] Yeah. Well, they were impressed because it gives you, the biggest thing is, we have to keep, because when you go into a fire, you have to keep all of the units that are arriving on scene in your head. So not only are you, uh, telling your crew what to do, incoming units are radioing in that they're on scene or staged in a specific location, and you're assigning those units, and at the end of your scenario or real-life fire, you need to relay all of that information back to the battalion chief, who gets on scene and wants to know what you have and where everybody is.

[43:35] So all of that information is random.
So you can't get stuck in a, you got this engine all the time.
You get this ladder company all the time. You got this rescue all the time. It's all different.
And it, it changes based on GPT's whim and, and the type of fire that changes and the information that you get back changes.
So nobody has to be creative thinking of different ways to ask what feels like kind of the same question they've been training on all along.
And honestly, they're not creative. Like, we as firefighters aren't that creative, and there's software that will do something similar to this. You have to build your own scenarios, but it costs five thousand dollars just to start using it, and if you want any add-ons, it's more than that. You've got to buy a pretty beefy computer to make it work. So do you think that the success of that was based primarily on the fact that you were able to upload this very specific manual, and that's what made it have good content to come back to you? No, I think, um, let me see if I can go to mine. I think the success, that is part of it, right? It stays within those rails, but I gave it very specific instructions.

[44:42] When I did my, can you still see? Right, I don't want to get too deep back into it. Yeah, or get low on time. But you can see, like I said, this is what you need to do on dispatch, and you can see all the stuff that it's required on dispatch. This is phase two, this is what you need to do. So you were real specific on your instructions.
Very specific. I wanted it to have enough room to be creative and create a scenario that maybe we hadn't thought of before.
But I didn't want it to go off the rails. And when I was using the GPT builder, every single time it went off the rails, you couldn't rein it in.

[45:16] Well, that's interesting. So the lesson is that configure is a better way to go.
Create might be a good way to start just to play with it. But Configure gives you a little bit more control over where it's going to go because you can be so specific in those instructions and edit them and stuff.
Yeah. And the biggest thing is later, if you find out that it's doing something you don't want it to do, you can go in and either create a new GPT and just copy and paste the instructions in.
Right. Or you can go in and you can try to edit it where you think you've gone wrong in its understanding of your instruction set. I wonder whether it gets better over time.
Like right now, did it instantaneously literally absorb all of the data from, I mean, I've written a lot.
I write about 5,000 words a week and I've been writing for 18 and a half years.
It can't have absorbed all that in the time that you hit go.

[46:13] No, I don't think it could have either. Yesterday, it was doing very good.
And this also has to do a lot with how busy it is.
So, I was doing it on a Sunday when I started. It was a Sunday at about 6 o'clock in the morning.
And then when I went back to it, it was a Sunday about 7.30, 8 o'clock at night. So, I don't know how many people were on it during that time.

[46:32] But also in the middle of the daytime it errors out quite frequently, so it may just be that we're in a scenario where we have lots of people using it, and it just throws up its hands, you know, freaks out, throws up its hands and crawls underneath a weighted blanket and says, I'm done for the day. Well, speaking of done for the day, I think I'm going to close this out here, but this is cool.
I now understand what a GPT is, how to actually build one, what to start doing to try to learn to give it the right kind of instructions.
And it makes me jealous that I can't get in yet and try it.
But I guess it's good if it's getting hammered so heavily. And of course, like you said, the company's been through a little bit, a wee bit of turmoil over the last couple of weeks. Yeah.
This is very cool. I appreciate you teaching us this, Bodie.
Hopefully it was informative and not boring.
I wasn't bored a bit. I never am when I'm talking to you. I think you should put that on your CV. Never boring.

[47:29] Well, put it on. Allison is never bored when talking to me. I'll be very specific.
There you go. All right. If people want to check out the kilowatt podcast, where would they go?
Just search for kilowatt podcast in your podcatcher of choice.
It's pretty, pretty simple.
I have an email address that if you want to contact me, because if you have questions and I didn't explain something very well.
It's Bodie, B-O-D-I-E, at 918digital.com. That's great.
All right. Thanks a lot, Bodie. I appreciate it. Thank you, Allison.

Security Bits — 22 December 2023

https://www.podfeet.com/blog/2023/12/security-bits-22-december-2023/


[48:02] Music.

[48:10] Hi, folks. Bart here with, unfortunately, a solo Security Bits.
And I'm afraid you're going to have to get used to it a little bit because with the silly season being what it is, I'm pencilled in to do at least one more of these and we haven't quite got round to pencilling in further so it's possible I'll end up doing another one even beyond this.
But anyway, for the 22nd of December, which is when I'm recording this, it is just me.
I will do my best to channel my inner Allison as always as we dive into two more weeks' worth of security news.
First off, some follow-ups on stuff we talked about last time.
We had mentioned that thanks to the sterling work of Senator Ron Wyden, we were now all aware of a new type of law enforcement system.

[48:56] Spying is perhaps too strong a word, but data acquisition that we were not aware of, that they had basically, Apple and Google were prohibited from letting us know that it was possible for law enforcement to request from them the metadata for all of our push notifications, both through the Google Play Store and through the Apple Store.
And those push notifications, they contain a lot of data that allows law enforcement to do things we wouldn't have considered possible, such as tie a real world identity to supposedly anonymous messaging services, you know, like Signal and so forth.
So it was kind of a big deal. And once Senator Wyden released his letter, Apple were allowed to admit that it was going on as were Google, and they both promised to tell us more about it.
And it became obvious that there was a discrepancy, presumably because neither was able to talk to each other before.
But basically, Google had a tighter process.
They required a judge to approve a search warrant before they would hand over data, whereas Apple did not.
Well, very, very shortly after we recorded last time, Apple updated their policy so that they are now in line with Google.
So in order to get push notification metadata, it does now have to go in front of a judge, which seems like a much better safeguard for regular folk.
In related news, should you be interested, there's a link in the show notes to the full process document that Apple published for US law enforcement listing.

[50:26] Everything they can request and how they can request it. It is not a short document.
It's interesting and it's full of caveats, you know, saying, well, actually, we can't do this. You can ask us for this, but we can only, you know, it's all very interesting.
But there's a lot there. So definitely worth a read if you're curious about such things.

[50:46] We also talked a lot about Beeper Mini, the app that was, briefly, able to give blue bubbles on Android. It had already developed into a cat and mouse game when last we spoke, and I had predicted it would remain a cat and mouse game until someone gave up.
I had expected it to last a little bit longer, but, well, Beeper have thrown in the proverbial towel.
They have decided they're not playing the cat and mouse game anymore.
They're having one more roll of the die and then that's it.
They're saying that if this last thing they're doing is worked around by Apple, then they're not doing that anymore.

[51:23] Now, this is all kind of very interesting. So since last we spoke about this, I now have a much better understanding of where the pitfalls were with this.
So last time we were saying that Beeper were absolutely certain it would be very difficult for them to be locked out of the protocol, and they had figured out how it worked and Apple couldn't lock them out without changing everything on every iPhone.
And I don't know if I expressed skepticism on the show, but I certainly felt skepticism if I didn't express what I should have. That didn't smell right to me.
And lo and behold, you know, they were cut off.
And it turns out that the reason they were cut off was because the iMessage protocol requires a device ID to be cryptographically entangled.
I think the correct technical term into some of the steps of the registration process and there's also sort of a periodic check-in where the device has to keep checking in with Apple and again you need the device ID to be cryptographically signed with a bunch of other stuff.

[52:29] So you need to have device IDs. And initially, people were simply reusing the same device ID they'd gotten from somewhere before, and it was one of their own iPhones or something, but they were using the same device ID for everything.
Which is how Apple were so easily able to turn off Beeper when they decided they wanted to.
Because everything done with that device ID could just be removed from Apple's end of the cloud service. Poof, all vanished in an instant.

[52:57] The next turn of the wheel then, Beeper started to use a different pool of device IDs they'd gotten from somewhere and they had sort of figured out that if they do 20 devices per device ID they should be fine.
That also didn't last very long until Apple pulled the plug.
So then they decided that what they would start to do was to use Mac device IDs to register their stuff, but Apple seemed to have been able to figure out which Mac device IDs were legitimately being used and which weren't, because that was then promptly killed, and at that point you couldn't even register the phone number, which is kind of the point of the whole thing. So the whole thing was already a farce at that stage, but it got one bit farcier, if that is a word, when the final update, which is now what they have said that this is it, they're not going any further than this, but the final update, if you're absolutely positively desperate, then what you need, and I'm not joking, I'm not making this up, what you need to use Beeper Mini to use blue bubbles on Android is a jailbroken iPhone. And not just once, but you need to keep it permanently jailbroken, powered up and connected to Wi-Fi so that it can continuously do that whole device ID thing. So I am sure someone somewhere will make use of this, but it's not going to be a mainstream thing, and requiring a jailbroken iPhone in order to use Android doesn't seem like much of a runner. So...

[54:24] Yeah, I think this game is over. Now, something, a lot of people got all caught up in the whole anti-trust, anti-trust, anti-trust thing, which as a European doesn't gel with me in the slightest because Apple don't have a lock-in on messaging.
They're, in fact, if anything, what they have done by not being cross-platform is they've locked themselves out.

[54:47] Because those of us in Europe have figured out ages ago how you get reliable, workable, doesn't break every five minutes cross app messaging or sorry cross-platform messaging with all of your friends on every platform.
The answer is not iMessage.
It can be WhatsApp, it can be Signal, it can be Telegram, it can be basically anything, just not iMessage.
And maybe it's a critical mass thing or something but we in Europe don't suffer from this blue bubble, green bubble thing because we don't use blue bubbles or green bubbles.
We just use Telegram, WhatsApp, Signal, etc.
Anyway, I was getting lost there for a second. So I was never particularly caught up in this whole antitrust thing. Of course, Apple has a right to protect their platform.
What worried me was the fact that it seemed to be so easy to bypass the security on iMessage. And that actually I found quite scary.
So I'm actually quite relieved that Apple were able to lock this down quickly because that at least shows that they're in control of their platform, which means this platform actually seems a lot safer than I feared it was.
But again, that's not a particularly popular point of view on these things.
It's a bit like jailbreaking, really. I'm always relieved when jailbreaking is impossible because it means my device is secure.
I have one deep dive.

[56:06] Initially, I thought maybe this would be a panicky deep dive, but it's not quite a fire extinguisher because we're not sure, but it's probably a fire extinguisher-ish.
What am I talking about?
Well, Cox Media Group. Now, as I understand that Cox is an American cable company.
Cox Media Group were found to be advertising a product to advertisers.

[56:35] Offering something they called active listening.
Where you could buy access to customers based on what Cox Media Group heard them talking about.
What Cox were promising was that they could use smart televisions, smartphones, and other connected devices to listen to people in real time, translate their random conversations, and then sell ads based on what they were talking about.
Which is proper scary stuff. And they gave examples in this advertisement for advertisers.
Where they said, I mean, just imagine if you could buy advertisements based off statements like, the car lease ends in a month, we need to plan.
A minivan would be perfect for us. Do I see mould on the ceiling?
We need to get serious about planning retirement.
This AC is on its last leg. I don't know that it's supposed to be last legs plural.
Anyway, not the smartest people, clearly. We need a better mortgage rate, apparently they thought people say randomly in their own homes.
Anyway, based on the advert, it was pretty scary stuff.
And once 404 Media broke the story on their blog, the Cox Media Group promptly deleted or removed or blocked this page on their website.

[58:04] And said basically nothing. It's not really clear at this stage whether this product was really real or whether it was aspirational more than it was real.
It may have been vaporware.
Now, we do know that smart TVs are being used to monetize themselves by listening in to what people say.
That's not a conspiracy. That's the thing. That is how a lot of the cheaper smart TVs are able to be cheaper, because the companies selling those cheaper smart TVs are also selling cheaper.

[58:44] Access to the viewer or data on the viewer as a way of monetizing their stuff.
So the smart TV bit, that seems plausible.
But the smartphone stuff isn't really plausible because our smartphones all have little indicators that show the microphone is active.
And so if there was an app that was booby-trapped, then it could listen while the app was running, but it would show the indicator in the menu bar.
We would also see this constant flow of data from our phones.
I don't believe it's feasible to believe that this is happening at any sort of a scale and no one's noticed because privacy researchers are constantly looking at what is streaming out of our phones across our networks.
And there is no sign of this flood of data that would need for this this product to be real.
So it's probably a paperware. It's probably not real but possibly part of it is in terms of the smart television.
So my takeaway on all this is that I was always pretty sure that I was never going to connect my television to the internet and I am now extremely sure I'm never going to connect my television to the internet.
What I'm going to continue to do is to buy the smarts for my television separate from my television and continue to use Apple TVs in my case, but an Amazon Fire Stick is a perfectly valid alternative as well.

[1:00:11] And basically bring the smart to the television myself, connect the smart bit that I bring myself to the internet, and never, ever, ever, ever, ever let my television anywhere within a million miles of an internet connection.

[1:00:23] Links in the show notes to the original reporting and some various analysis on it.
The 9to5Mac article linked as the third link in the show notes.
Their final take aligns pretty well with sort of my feeling of, I don't think this is actually even vaguely as real as they were pretending it was. I think it was advertisers not being particularly honest.
But it was pretty, pretty galling stuff. And Steve Gibson on Security Now came to a similar conclusion, that basically this is probably hot air, but the fact that someone thought that this was something they could aspire to is terrifying.

[1:01:01] Moving on to action alerts. Lots of patchy patchy patch patch here. Apple had, very shortly actually after we spoke last, Apple released emergency updates to fix zero days in older devices. So when we last recorded, Apple had just released zero day fixes for their current OSes, and within a few days of us recording, they backported those fixes to iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2.
Google, meanwhile, have fixed their eighth zero day of the year.
So patchy, patchy, patch, patch.
Or in the case of Google Chrome, turn it off and turn it on again so it patches itself.
And should any NosillaCastaways be fellow pfSense users, be aware that there are some fairly nasty bugs that have just been patched in pfSense, so be sure you have automatic updates turned on on your pfSense box and that you reboot it, or allow it to reboot itself, to actually fully apply those updates, which you're hopefully doing automatically.

[1:02:03] Moving along then to worthy warnings. We have some potentially relevant warnings from government organizations and public interest groups.
I'm reading my own description in the show notes. Okay.
Anyway, the first thing I want to draw your attention to is that we have discovered a new technique being used by attackers to try to get around two-factor or multi-factor authentication.
Authentication. So we've already seen fairly technologically advanced things where you have real-time proxying services, where you can basically buy malware as a service and you end up buying the time from a human being in a low-wage country to, in real time, be an adversary in the middle and attack two-factor authentication. And that's happening for real, um, actually being sold on the dark web and succeeding in taking over people's accounts and bypassing multi-factor that way.
But this new campaign is interesting.
Now it targets, at the moment it's targeting Instagram, but it doesn't matter that it's targeting Instagram.
The takeaway here isn't there's a phishing campaign targeting Instagram.
The takeaway for me was that this particular phishing campaign is using a new novel trick to get around two-factor authentication.

[1:03:25] So in fact, not so much offered, you're basically told, save these recovery codes.
Because if you lose your device and you can't generate the six-digit number or whatever, you need these recovery codes to get back into your account.
Well, the phishers are now trying to trick people into handing over their recovery codes.
Thereby, they can remove multi-factor or two-factor authentication entirely and then take over your account.
So do not allow anyone to trick you into handing over your recovery codes.
That is the keys to the kingdom.

[1:03:59] Another thing you should be aware of is that Twitter slash X has a very silly bug that allows links to lie.
And it allows the links to lie in such a way that it appears that a link is to a tweet, or whatever, a post I guess we're calling it these days, from someone whom it is not from.
So when you see the URL that, you know, when someone shares Twitter slash X post with you, the URL is Twitter.com forward slash username forward slash a big glop of random digits, which is the ID of the post.
And you, you know, you as a human looking at that URL, the random ID on the back is not going to catch your eye.
What's going to catch your eye is the username, and you're going to assume that that is the username that posted the tweet.
That part of the URL is purely decorative. It has no actual effect on the functionality of the URL.
You can change the username piece of that URL to waffles, and as long as the post ID is correct, the URL will take you to that post.

[1:05:18] So to maliciously use this, you can email someone a link that quite clearly appears to be from a reputable person.
And when you click on it, you end up on a different Twitter account.
And if that different person has been clever about it, they will have adapted their icon and so forth, and maybe their display name to look just like the person they're impersonating in the URL.
And unless you're very careful, you won't notice that you've ended up on a tweet that doesn't match the URL you've clicked.

[1:05:49] I mean, it's not enough on its own to do a lot of harm, but it makes effective phishing darn easy compared to what it should be.
So really, Twitter need to fix this.
The username should be forced to match the post ID or the URL should not work.
And in related news, there was another critical bug in Twitter which would have allowed anyone to take over your account. And it ended up being fixed not because Twitter were being proactive and good citizens on the internet, of course not. It got fixed because the person who tried to report it was told to go pound sand, so he reported it publicly, and then they banned him from the bug bounty program and reluctantly fixed it. This is, like, if you'd like an example of how not to run a bug bounty program, here you have one. Shock and/or horror, Twitter's gone to absolute poop.

[1:06:53] Something which makes me a lot sadder, because they're generally not considered to be absolute poop, there is a company that do very good value networking gear called Ubiquiti, and we now know they had a brief database corruption.
And we know it was brief, and we know how many people were involved, and it's all sort of been looked at. But briefly, the database that mapped device IDs to user IDs got corrupted, so other people's cameras showed up in the wrong, basically, cameras went to the wrong account. And so when you went to the cloud interface, you could see other people's cameras because they were accidentally assigned to your account, and your cameras may have ended up assigned to someone else's account. The whole thing was quickly corrected, but it's kind of scary. And so if you are a Ubiquiti user, maybe just be aware that wherever your camera is pointing, if it's pointing at something sensitive, that something sensitive may have been seen, and maybe that means you need to do something.
Probability is low. It was very short-lived. You'd need to be very unlucky for this to have caused you some sort of harm, but be aware. Just be aware.

[1:08:05] I don't like doing too many data breaches these days because I can hear Allison's voice in my head telling me, yeah, well, what can people already do about it?
But every now and then they're big enough that I think, yeah, I probably should talk about this one. So I have two of these that reluctantly met the bar.
I have about 10 I threw out and didn't meet the bar, but these two I think do meet the bar.
So the first is Xfinity, which I'd put as a major ISP in the United States.
So major, they managed to lose data on 35 million with an M people.
And rather unusually for recent data breaches, they did indeed lose the usernames and passwords.
Now they were hashed, but they'd nonetheless lost the password database.
So if your password wasn't particularly strong, it easily could be reversed, or it's going to fall quickly.
And if you reuse the same password anywhere that you use in Xfinity, A, make sure you've changed it on Xfinity, and B, make sure you've changed it everywhere else you've reused it too.
And then another one that sort of reaches the bar of, yeah, you really do need to watch out for this one.
Major, major mortgage company, Mr. Cooper, had a data breach affecting 14.7 million Americans.

[1:09:20] And while this one doesn't contain usernames and passwords, it does contain social security numbers, bank account numbers, as well as names and so on and so forth.
So with the social security number and the bank numbers, I actually fear financial fraud may even be possible.
But what's definitely, definitely possible is extremely convincing automated targeting phishing emails.
If you know someone's name and their bank account number, you can create a very convincing phish that pretends to be from the bank and says, hi, we're contacting you about your bank account.
Last six digits of the account number are blah.
You can really start to sound very convincing with that kind of information.
So if you got a mortgage through Mr. Cooper, be very on the lookout for being targeted by clever phishing.
You definitely are at risk.

[1:10:14] Moving us into notable news, I'm going to start with the bad news, get it out of the way first, and then go into better news.
So everyone needs to be aware, sorry, everyone who uses SSH, which is a lot of NosillaCastaways, and that includes secure FTP by the way, you need to be aware that a new attack has been discovered that can downgrade the security of OpenSSH connections to the point where basically an adversary in the middle can break into your SSH connections.
Now the silver lining here is that it needs to be an adversary in the middle.
An attacker needs to get themselves into a position where they are between you and the server you're SSHing into, and they need to be able to not just see the data flowing over and back, they need to be able to manipulate the data flowing between you and the server.
And they can use some interesting interactions between the transport layer security and the OpenSSH protocol calls to basically break the encryption.
And neither technology on its own should allow a breaking of encryption, but the way the two of them work together, basically, a flaw was found in how these technologies are talking to each other.
It may actually require...

[1:11:32] Substantial change to SSH to fix this permanently. So it may actually be the case that the advice will be don't use anything less than SSH3, which is not out yet. But in the meantime, in the short term, what does this mean for us? Well, what this means is that we should all be aware that SSH is not safe in a place where you don't trust your internet connection. So if you're in a coffee shop or hotel Wi-Fi, you need to be aware that someone else sharing that Wi-Fi with you could intercept your SSH connections. And so my takeaway is.

[1:12:13] VPN, then SSH when you're out and about.
And that should keep you safe. Because again, unless the attacker is an adversary in the middle, this vulnerability doesn't apply.
So SSH through a VPN. That's the way to go.
Right, moving on then. That was it for the bad news column. Fairly bad news, by the way. It's called the Terrapin attack, if you're curious. So the first bit of good news comes from Google. So a particularly legally questionable, um, the EFF assert that this is in breach of the Fourth Amendment of the U.S. Constitution, and I very much agree with the EFF's assertion. What am I talking about? Well, the Fourth Amendment protects from, what's the word they use, it's unreasonable search and seizure.

[1:13:09] What has been happening, because it is conceivably possible with Android, is that law enforcement are going to judges with so-called geofence warrants, where the evidence they presented is there was a crime, and we believe it's reasonable to assume that the person who carried out this crime was carrying a phone, because they're human in the 21st century.
Therefore, we want Google to tell us every single phone that was within blah yards or blah miles of the crime scene at the time of the crime.
And effectively, everyone with an Android phone within a radius of a crime just becomes a suspect.
That is unreasonable search and seizure in my book.
So anyway, the fact that Google had the data meant it was possible for them to be compelled to hand over the data.
Google is changing how it stores location data so that Google don't have access to it anymore.
So you, the user, aren't going to lose any functionality, but, you know, with the joys of modern encryption and so forth, Google are going to be unable to collate this kind of data and answer these kinds of probably illegal warrants. Problemo solved. And they got a pat on the back from the EFF, and I'm going to say nice things about them, even though they should have done this ages ago. And this, Apple don't need to do anything, because Apple were never collecting this information, because Apple don't like having information like this, because then they could be forced to hand it over. And I do much prefer Apple's approach to these things.

[1:14:35] Another piece of good news, this time from Microsoft land.
Throughout the pandemic, we had story after story about spectacular zero-day vulnerabilities in Microsoft's print spooler.
To the point that the advice for much of the pandemic was, unless you actually need your computer to print, unless you actually have a printer connected to your computer, disable the print spooler because it's riddled with security vulnerabilities.
And whenever Microsoft would patch one, another bug would be found almost straight away.
Like, you know, it was the done thing in corporate land to push out a group policy update to just disable the print spooler en masse.
You know, print servers need a print spooler. Nothing else needs a print spooler.
Push it out by group policy object. Push it out to the whole domain by GPO.

[1:15:27] Train wreck of a mess, the printing system. Probably because it was very old.
Been part of Windows for ages.
Went under the radar of attackers. Attackers started poking at it and once they pulled on one thread, the Wooly Jumper just disintegrated.
That was about, you know, a year or two years ago.
And Microsoft have obviously been busy behind the scenes trying to figure out how to reinvent that particular wheel so that it is not so flawed.
And we now get to see the fruit of their work.
It is called the Windows Protected Print Mode and it is going to be slowly rolled out, but as part of the rollout, it is going to become the default.
And in Protected Print Mode, these nasty vulnerabilities all go away.
Basically, the print system joins the 21st century.
So I am very happy to see Windows getting another important under the hood update to make it more secure.
Meanwhile, again, still in the good news column, Apple gets to join the good news column.
So over there again, last year or so, we have seen reports of iPhone thefts combined with the stealing somehow of iPhone

[1:16:45] passcodes, then being used to disable or to change the password, in fact, on people's Apple IDs and potentially re-register faces with Face ID and make payments using Apple Pay and so forth.
So what was ending up happening was people's bank accounts were being emptied, people's entire digital lives were being destroyed, and people's iPhones were being stolen and then resold on the black market because they were then device unlocked.
The phone being lost is almost the least bad of the thing.
The emptying out your bank account and destroying your digital life parts are actually worse.
And this is all to do with one of those very annoying trade-offs where Apple historically had a lot of problems with people losing their iCloud password and losing all of their stuff.
So the solution to that was to allow proof of control of an iPhone that is connected to the iCloud account to be a mechanism for resetting the iCloud passwords, i.e.
The passcode on your iPhone can reset your Apple ID.
And that saves a lot of people losing their data through, well, let's just call it carelessness.

[1:17:54] And it removes a whole bunch of Apple support calls.
It moves us from the column of, I'm sorry, we can't help you, you've just lost your entire digital life, into the, well, actually the easy fix is to just use the passcode from your phone.
And so on balance, this was actually probably saving a lot more data than it was losing.
But of course, once the attackers got good at this, they were developing techniques where they could, we now know that there were crimes where, you know, 20, 30 phones could be taken in a night with the passcode successfully.
And people's entire digital lives were being upended. So this feature suddenly became a bug.
And Joanna Stern at the Wall Street Journal deserves a lot of credit for highlighting the abuse of this feature.

[1:18:36] And Apple have now responded to that change in reality.
And iOS 17.3, which is now in beta, will introduce a new opt-in feature.
At the moment it's opt-in, I don't know if in the future they might make it opt-on by default, but it's starting off as opt-in, called Stolen Device Protection.
If you turn this feature on, and if you have done that thing where you can tell your iPhone that this is my home and this is my work, then when your phone is not in one of those explicitly specified trusted places.

Then if you try to do certain sensitive things like change your biometrics, register a different face, register a different finger, or change your Apple ID password, then you will be required to do a biometric, wait an hour, do another biometric, and then you can reset the password.
So in the situations where you have genuinely lost your Apple ID details and you need to make use of this ability to use the iPhone to reset the Apple ID, you still can.
You either need to be at home or at work, or you need to wait an hour.
And that's not actually a bad inconvenience, but the space of phone thefts in bars is very much thwarted by this, because the trick of swipe the phone, get the passcode, and then immediately reset the Apple ID, that goes away.
Now, very much related to this story is a video Joanna Stern had.
Now, Joanna Stern had actually done this before Apple announced the feature, which is kind of interesting. So Joanna Stern interviewed in prison a man who was convicted for stealing iPhones with their passcodes and blanking the Apple IDs, etc.
And the interview was fascinating for a bunch of different reasons.

[1:20:34] One of those reasons is that the, well, actually, the criminal basically said, I can reset an Apple ID account in about five seconds. And that's the first thing I do.
Then I changed the face registered with Face ID so that I can quickly do all sorts of things.
And a lot of banking apps are only protected by Face ID. So then they can start to transfer money.
They can use Face ID then to make Apple Pay payments.
So they go to the local store and they buy the most expensive things they can.
And that was interesting. And then the other interesting thing was, how do you get the passcodes? And the answer was disappointingly non-technical.
You know, Joanna was like, do you video people surreptitiously?
And then, no, that's far too complicated. No.
Social engineering, you just ask people for it and if you do it right, you get what you need.
Basically, it wasn't rocket science. It was ye olde social engineering and quick fingers.

[1:21:39] So we all thought this might be high-tech crime. Not high-tech at all.
Just informed thieves abusing a feature designed to save people's data and ironically resulting in destroying a lot of people's data.
Anyway, when iOS 17.3 comes out, people who spend time out and about in bars should really consider enabling this feature, stolen device protection, because it does sound like it will provide a very strong protection from the current wave of thefts.
Still in the good news column, and back to Google. Google have released some details.
This is really technical stuff, right? The link is in the show notes if you want to go read the technical stuff.
Clang is a compiler, I can just tell you that. Anyway, the takeaway is that Google have released some details about how they're going to use a very cool security feature in the compiler they use.

[1:22:33] Basically does security checks at the point in time the code is being compiled.
That's a very powerful place to do your security checks, because it means that there is a check going on between the human being typing the code and the ones and zeros that go into the device.
And they are starting to roll this out with the most security-sensitive parts of Android.
And they're going to start to expand this to more and more of Android, but they're starting with the drivers for the base bands, the cellular radios inside your Android phones.
And that is an extremely good place to start this kind of security work and it's great to see Google are heading this way and are going to start rolling it out to more and more of the core OS.
So Google are definitely to be commended for that.

[1:23:20] Also to be commended, Discord is rolling out support for security keys, specifically WebAuthn, which means in practical terms either hardware dongles like your YubiKeys or passkeys.
So that is a nice way to secure your Discord account. This is important for many of our new NosillaCastaways.
Discord is a thing in the NosillaCast community.
And finally I get to say some nice things about Meta, specifically about Threads.
First off Threads is launching in Europe with what Meta believe are sufficient privacy protections to meet EU law.
The reason we didn't get it as quickly as America was because we have much better privacy protections, and it took Meta some time to bring their product into line with these privacy laws.
I've seen some people debate whether or not they're fully compliant with EU laws.
They certainly believe they are and I guess some lawyers may need to become involved at some stage in the future, we shall see.
But anyway, privacy tweaks have been made, and Threads is now available in Europe.
And one of the things that was promised, which again I think was partly to mollify European regulators for the Digital Markets Act and stuff, as opposed to GDPR.

[1:24:30] Meta said that Threads would be an open platform and that it would interact with ActivityPub, which is the open source protocol that powers a bunch of stuff, most importantly Mastodon.
Which means that you can follow Threads users on Mastodon.
Because Threads is now being federated over ActivityPub.
So you can subscribe to a Threads user from Mastodon or anything else on ActivityPub. Kind of cool.
And all of that burst of good news is the end of my show notes, apart from one palate cleanser.
So I'm hoping Allison will like this one, actually.
You know, Excel is perhaps the most advanced incarnation of the calculator.
But we humans have been mechanizing counting for millennia.
And 99% Invisible is one of my favorite podcasts for the design of simple things you don't think about.
And their episode 563 is an interview with an author who wrote a book on the history of the calculator.

[1:25:41] And it really is a fascinating story that starts us off with counting beads and abacuses and things like that and takes us all the way up to electromechanical and mechanical calculators.
Lots of things that Allison will... Oh, the slide rule. The slide rule features heavily because it's kind of a magical device.
I think Allison will love this. I think a lot of NosillaCastaways will love this. It's called Empire of the Sum.
99% Invisible, episode 563, link in the show notes.
If, while all other podcasts apart from the wonderfulness of the NosillaCast are going on hiatus over the holiday season, you're in need of some extra listening, I would highly recommend all of 99% Invisible. It is absolutely one of my favorite podcasts. Right, I'm going to draw a line under it here. I have noticed I have managed to talk for 38 minutes, so apparently, as well as helping me to be more accurate, more honest and more clear, Allison also somehow managed to simultaneously make me be more brief. Who knew?
Anyway, until next time, remember folks, stay patched so you stay secure.

[1:26:42] Well, thanks so much for that, Bart. I know you don't like doing the show alone, and I don't like missing doing the show with you, but it sounds like there was enough meat there without me asking endless questions to make it take even longer.
But really appreciate you standing in for me on your own there so that I could play with my grandkids.

The Night Before Christmas

https://www.podfeet.com/blog/2023/12/the-night-before-christmas-7/


[1:26:58] Since Christmas will soon be here, I thought it would be a good time to resurrect the poem that has become a holiday tradition on the NosillaCast.
In 2019, we lost our beloved Honda Bob, a longtime NosillaCastaway and contributor to the show, and a very dear friend.
But his memory and the silliness he inspired in the NosillaCastaways will live on.
So grab a hot beverage and some cookies, sit back, relax, and enjoy a slightly modified version of The Night Before Christmas, dedicated to Honda Bob.

[1:27:31] "'Twas the night before Christmas, when all through the house not a creature was stirring, not even a trackpad." Okay, work with me here.
The AirPods were hung by the chimney with care, in hopes that all things iMac soon would be there.
The NosillaCastaways were nestled all snug in their beds, while visions of iPads danced in their heads.
And Podfeet in her kerchief and I in my cravat had just settled down for a long winter Skype chat.
When out on the lawn there arose such a clatter, I sprang from the keyboard to see what was the matter. Away to the windows!
I flew like a flash drive, tore open the shutters, and nearly did a nosedive.
The moon on the breast of the new-fallen snow gave the luster of brushed aluminum to objects below, when what to my eyes seemed very bizarre but a miniature sleigh and eight tiny cars.
With the little old driver with whom elves hobnob, I knew in a moment it must be Honda Bob.
More rapid than 5G his vehicles they came, and he tweeted and shouted and called them by name.
Now Accord, now Civic, now Fit and CR-V, on Element, on Ridgeline, on Pilot and Odyssey, to the top of the porch, to the top of the wall, now drive away, drive away, drive away all.

[1:28:54] As dry leaves that before the reality distortion field endowed, when they meet with an obstacle, mount to the cloud, so up to the housetop the vehicles they flew, with the sleigh full of Apple products and Honda Bob too. And then in a twinkling I heard with a squeal the skidding and sliding of each little wheel. As I drew in my head and was turning around, down the chimney Bob came with a bound. He was dressed in coveralls from his head to his foot, and his clothes were all tarnished with oil and soot.
A bundle of SSDs he had flung in his Scotty vest, and he looked like a geek who was extremely obsessed.
A wink of his eye and a look not too pious soon gave me to know he had an Apple bias.
He spoke not a word, but texted his concern, And he filled all the stockings, and then hit return.
And laying a finger aside his levitation app, A command to his iPad, up the chimney, ASAP!
He sprang to his sleigh, and the autos did they bristle, And away they all flew as if shot from a missile.
But I heard him exclaim, as the poem prescribed, Happy Christmas to all, and please stay subscribed.

[1:30:10] Thanks for doing that every year, Steve. I really do miss Honda Bob, but this brings back some nice memories.
But that's going to wind us up for this week. Even during the holidays, you can email me at allison at podfeet.com.
I can't promise I'll be quite as responsive as I normally am, but I will have some downtime over the holidays.
If you have a question or suggestion, just send it on over to allison at podfeet.com.
And you can always follow me on Mastodon at podfeet at chaos.social.
Remember, everything good starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways.
You can support the show by going to podfeet.com slash Patreon or with a one-time donation at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, you're going to have to wait until 2024, but when you do, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic.

[1:31:04] Music.