Generated Shownotes
Chapters
0:00:00 NC_2024_01_05
0:00:36 Update on PETLIBRO Automated Pet Feeder - Vastly Improved Software
0:14:38 I’m Allison, and I’m Not Very Smart
0:19:02 Security Bits — 3 January 2024 (Bart & Jill from the North Woods)
Long Summary
In this episode of the podcast, we're heading off to CES, with video and audio interviews to come from the show. After experiencing an issue with the Pet Libro automated pet feeder, we reached out to support and received great suggestions and a new feeder with improved software. We highly recommend this product for consistent feedings.
Moving on, we delve into a discussion on the recently disclosed Operation Triangulation cyber attack targeting iOS devices and Apple's advanced security features. We stress the importance of regular device reboots and staying updated with patches for enhanced security. Additionally, we highlight the risks of software piracy and the EasyPark data breach. Phishing attempts and iCloud scams are on the rise, and we caution listeners to avoid paying ransomware demands and be cautious with QR codes. In more positive news, Google Chrome has expanded its safety check feature, providing greater protection online.
We conclude by emphasizing the need to stay vigilant and take small but sustainable steps to bring positive changes to our lives. We share updates on upcoming podcasts focused on productivity, faith, and nature, as well as expressing our excitement for the new podcast, Buzz Blossom and Squeak. Our hope is that through our content, we can inspire others to appreciate and explore the beauty of nature that surrounds us. Remember to stay patched to stay secure.
As always, we invite our listeners to connect with us through our social media channels and join the conversation. Feel free to email us with any questions or suggestions, and don't forget to support the show through Patreon or PayPal. We'll be back with a new live show on January 14th, so be sure to tune in.
Brief Summary
In this episode, we discuss our upcoming trip to CES, the Pet Libro pet feeder, the Operation Triangulation cyber attack, software piracy risks, the EasyPark data breach, and Google Chrome's safety check feature. Stay vigilant, stay patched. Exciting new podcasts coming up. Connect with us on social media and support the show. New live show on January 14th. Tune in!
Tags
episode, tech updates, CES, Pet Libro pet feeder, Operation Triangulation cyber attack, software piracy risks, EasyPark data breach, Google Chrome, safety check feature, vigilant, patched
Transcript
NC_2024_01_05
[0:00] Music.
[0:10] It's Friday, January 5th, 2024, and this is show number 974.
You're getting the show a few days early this week because Steve and I are off to CES this weekend to learn about as much cool new tech as we can possibly absorb.
You can look forward to both video and audio interviews coming out of the show, thanks to the work Steve will be doing in the coming weeks.
We always have a blast at CES, and it's been a full four years since we've been able to go, so we're pretty darn excited.
[0:36] Last August, I told you about an automated pet feeder from a company called Pet Libro.
Update on PETLIBRO Automated Pet Feeder - Vastly Improved Software
[0:41] My goal was to have my two cats, Ada Lovelace and Grace Hopper, get regularly scheduled feedings when we're away from home, but not have the near-infinite supply of food from a plain old gravity feeder that we've been using for years.
You see, Grace will regulate her own food, but Ada seems to balloon up when we go away even for just a few days with that gravity feeder.
While we do have a pet sitter who comes in daily to change their water and remove their waste, controlling Ada's weight had to become a priority.
I explained in that review that the Pet Libro automated pet feeder allowed us to now have scheduled feedings of known portion size.
[1:17] Over the last four months or so, we've come to really like the fact that our cats are fed on a schedule even when we are home.
The seamless operation made us stop even thinking about feeding the cats, which turned out to be a problem.
A few weeks after I wrote the initial review of the PLAF203 Granary Pet Feeder from Pet Libro, we went on a trip to a cabin in the High Sierra Mountains with our friends Bill and Diane.
Before we left, we knew our internet connection on the trip would be dicey, but we didn't realize it would be completely non-existent during the trip.
We managed to survive this by hiking, playing cards, and eating.
On our last full day, we decided to drive over to the Mammoth Lake ski area to take Diane and Bill up the gondola to the top of the mountain so they could see the spectacular 360-degree view of the Sierras.
It's a bit more populated there, so when we got into the Mammoth area, we had cellular service.
We immediately began ignoring each other like normal people and played on our phones.
[2:14] While we were up in the area, we took the opportunity to take the tram down to Devil's Postpile.
Since I was obviously bored on the bus ride, it occurred to me to bring up the Pet Libro Lite app to check in on the kittens.
From the app, I can watch the cats on video, I can talk to them, and look at the logs to check on their feeding status.
Imagine my horror when I saw that for more than a day, the logs said that the feeder had been out of food.
Now, the Pet Libro pet feeder had been doing its job so efficiently and without effort on our part that we entirely forgot about checking the level of the food before we left.
We didn't tell our cat sitter to even look at the feeder to see if the red light was on the front, which would have indicated some sort of problem, like a jammed chute or being out of food.
On the tram, we only had little dribs and drabs of internets, but I was able to finally squeeze out a quick text message to our cat sitter and he raced over and fed the poor things.
While Ada could stand and miss a meal or two, Grace is fairly svelte, so I felt terrible for her.
[3:14] While we as pet parents clearly fell down on the job, the Pet Libro software fell down on the job as well.
I get notifications constantly when the cats, or anyone really, walks in front of the feeder or if sound is detected.
I get notifications when they're fed. I can control when I get these notifications and which ones I receive.
But I never got a notification when the feeder was completely out of food, even all during the day when we were in Mammoth Lakes.
I kind of put this in the you had one job category. It really should have done this.
I began what became an extended discussion with a support person at Pet Libro named Orn.
It's taken a fair bit of time to get to the bottom of the problem, but Orn stuck with me.
And of the two of us, he was actually much better at closing the loop in our conversations.
I was the procrastinator in the conversation.
[4:05] Orn and the team behind him gave me all kinds of suggestions, including uninstalling the app on our phones and such.
And while it seemed improbable that this would help the situation, in my tests, it did seem to solve the problem.
But then it happened again under controlled testing. I was able to leave the feeder without enough food, and I didn't get a notification, even though the log files clearly knew that it was out of food.
I was finally able to articulate to Orn exactly what the problem was in the app.
The Pet Libro Lite app that controls the feeder sends out notifications based on what are called bulletins.
Bulletins notify you that scheduled tasks are completed.
Log files, on the other hand, contain information about the success or, more importantly, failure of the portions of food to be delivered.
But log file information is never sent via notification.
So I think the bulletins are actually like the mechanism successfully turned, but it doesn't know whether there was food or not.
That information is over in the log file, which is never sent via notification.
[5:06] I sent two screenshots to Orn. The first was of the bulletins and the second was of the log file over the same period.
While the bulletin page happily announced that the scheduled tasks had been completed, the log file showed that the feeder was out of food.
I think the bulletin page, like I said, is just reporting that signal to churn the mechanism, nothing about whether the food was actually dispensed.
I was quite strong in my opinion to Orn that the notification system simply had to be improved.
[5:35] Orn explained to me that the software I was using, as I've mentioned, Pet Libro Lite, was written by a third party, and that Pet Libro had very little ability to modify it for customers with, and I'm quoting here, specialized needs, such as myself.
Personally, I think getting a notification when your pets aren't fed is kind of a mainstream need, not a specialized need, but I didn't quibble with him because I liked his solution to my problem.
Way back when I got the original feeder, I explained to you that one of the weird things about it was I had to look up the serial number, which is annoyingly underneath and inside the battery compartment, in order to know whether to download the full Pet Libro app or the Pet Libro Lite app.
My serial number required the Lite version. At the time, though, I didn't know the difference between the two apps.
It turns out that the non-Lite version of the Pet Libro app is one that Pet Libro does control, and Orn suggested it would better meet my needs.
Orn's solution included sending me a new PLAF203 Granary feeder exactly like the one I had, but from the new serial number range, allowing me to use the new and improved software.
[6:44] Orn sent me the new feeder back in the middle of December, but I only had the time to set it up now that the holidays are behind us.
This new software rocks. It's very similar in layout to the Lite software, but it's so much better.
Since the hardware is identical to the original one, I'm not going to go through how to physically put the feeder together, but I do want to tell you about the installation from a software perspective.
I attached the double bowls to the bottom of the canister for the food, and I plugged in the USB-C adapter that has a really nice braided USB-C cable on it.
I may actually steal that cable and use it for something else and put a plain one there.
Anyway, I downloaded and launched the full-size Pet Libro app, and I plugged in the hardware. The app asked if I wanted to add a new device.
Why, yes, thank you, I believe I do. It immediately found the new feeder connected to my Wi-Fi, and guess what it did next?
[7:37] You didn't hear me say I'd put food in the canister, did you?
So as soon as it was connected, I got a notification that it was out of food.
Happy days are here again! Now I have confidence that this is the device I need.
I like so many things better in the new app than the Lite version.
In the Lite app, we had to tell the feeder how many portions to feed the cat.
And nope, they don't tell you how big a portion is. We had to push the manual feed button, pour it into a cup, and then compare that to what we'd been giving them before.
The Big Girl version of the app lets you define it in twelfths of a cup, or you can use units of ounces, grams, or even milliliters.
I'm not sure why they use one twelfth of a cup, but it's pretty easy math to figure out that a quarter of a cup is three twelfths, and a third of a cup is four twelfths, so I'm not complaining.
Both feeders let you create a recording that can play multiple times when it's feeding time, and as a joke, I made mine a pig call, and it goes like this.
[8:35] I have to tell you, this makes Steve laugh every single time the cats get fed.
It is worth it for that, but it does make them come running.
Now, I like it even better in the new version of the app. You can name the scheduled feedings. So it's easy to name them, say breakfast, lunch, and dinner.
The new app let me name the feeder and I knew immediately what I wanted to name it. I simply had to name the new feeder pig slop.
Now that makes us laugh too when we open the app.
[9:03] Speaking of feeding time messages, you can create multiple recordings where the Lite app only allowed one.
On the scheduling page, you can even control whether the meal call is played on a meal-by-meal basis.
Maybe you have a feeding schedule during your nap time and you don't want to be disturbed, so you could disable the pig call during that feeding.
You can also change how many times it plays by meal.
At this point, Steve and I were pretty excited about the improvements.
He downloaded the full Pet Libro app to his phone and logged in with my account just as he'd done with the Lite app.
To my annoyance, I saw that the app on my phone logged me out.
I logged back in and it bumped him off.
[9:41] Well, I was afraid for a minute that was going to be a non-starter because we both need to be able to manage the feeder.
I started poking around in the settings and found a lot more cool stuff, including the ability to share my feeder. He created his own account, which is much better anyway, and he was able to log in and we can both manage the little piggies now.
I mentioned that the Pet Libro feeders plug into power via a USB-C charger.
But what happens to the little darlings if you have a power outage?
Pet Libro anticipated this problem.
You can insert three C-cell batteries into the base of the unit for just such an emergency.
With the original feeder, we tested the batteries by unplugging the feeder from power.
And not only did the feeder entirely stop working, the darn thing lost all of our scheduled feedings.
I worked with Orn on that ages ago, and their engineering department was convinced my Wi-Fi signal was too weak, even though the feeder is 10 feet and kind of a line of sight to an Eero mesh router.
[10:38] If there's a power outage, it would seem that the feeder would need to have the schedule stored locally, not dependent on Wi-Fi at all.
I argued a bit with Orn and his engineers without success.
I didn't keep fussing around with the batteries again, though, because we have a whole home battery backup anyway, but it concerned me for others considering this pet feeder.
With this new unit, I put in the same three C-cell batteries and unplugged the feeder from the wall. I immediately got a notification on my phone that it had lost power.
Then I got one that said it would soon be disconnected from Wi-Fi to save power.
The Wi-Fi light on the front of the unit turned off and so did the lock light.
Normally you have to press and hold on the lock in order to use the manual feed button. That's so your more intelligent pets can't press the feed me button on the front.
[11:24] With the wall power removed, the unit unlocked itself and I was able to use the manual feed button to kick out a portion of food.
You know Ada came running and ate it right away, right?
But the real test was to find out what happens when the feeding time comes and you're on battery backup.
Without wall power, will the new unit know about the scheduled feedings in its firmware and will it execute the feedings on time?
With the power still removed, I sat and waited to see what would happen when their dinnertime feeding came and the pet Libro feeder fed them exactly on time as you would hope.
While it successfully dispensed the food, it did not make the pig call to alert the cats.
This gave the svelte cat, Grace, time to beat the more Rubenesque cat, Ada, to the food and get a bigger share than usual.
[12:11] Back on the subject of notifications, you get way more granular control with the full app.
You can set custom notification times, you can be reminded of a defined number of minutes before the feeding schedule starts.
By default, you're notified when the food level drops below 10%.
If you rely on the batteries, you can be notified when they're getting low.
Motion detection has more options. Unlike the Lite app, you can even set the area for motion detection.
You definitely get a notification when the device is offline and one when the food outlet is jammed.
There's also so many more options on the device camera itself.
You can have it on all day or custom time. You can change the resolution from 1080p to 720p.
You can decide whether you want to use night vision.
You can save video to the SD/TF card continuously all day or at a custom time, or just let it record when it senses motion.
I am having a little bit of trouble getting it to recognize my SD card, but Orn's working with me on that.
You can even tell it to record during feeding time. That might be good for us to be able to see whether Grace is ever getting any food at all or if Ada is eating all of it every time.
[13:19] The bottom line is that while I thought the original Pet Libro automated pet feeder was good, the new version of the software makes me so much more confident that if something goes wrong, I'll get a notification so I can do something about it.
If you'd like to get the Pet Libro automated pet feeder, Orn assures me that if you buy through Amazon now, you will get the new version of the software and the new serial number of the hardware.
The DualPet Granary feeder is $150 and there's a 5% off coupon right now at Amazon.
If you buy it directly from Pet Libro, there's a 12% off coupon bringing it down to $132.
I haven't checked the shipping though. Check out all of the Pet Libro products at petlibro.com and don't tell Steve, but I've got my eye on the Pet Water Fountain next.
It's that lovely time of the year when we make resolutions to do things better.
Maybe we resolve to eat fewer carbs. Maybe we promise to be nicer to people.
Maybe we set a goal to read a certain number of books this year.
Perhaps I can suggest a New Year's resolution that's easy to keep.
You could resolve to help a certain tech podcaster fund the shows you like so much.
If you just go to podfeet.com/patreon, you can enter any dollar or euro or currency of your choice that you prefer to support the work we do here at the Podfeet Podcasts.
I thank you in advance for making this year's resolution a reality.
I’m Allison, and I’m Not Very Smart
[14:39] Hi, my name is Allison, and I'm not very smart.
Over Christmas, all of our kids and grandkids came to visit.
It was positively glorious.
Kyle and Nikki and their three little darlings flew in early to spend a full week with us.
They came early to miss the flight rush, and so they had to work for a couple of days on and off while we took care of the little ones.
Then Lindsay and Nolan and their two angels came up on Christmas morning.
You can imagine the chaos that was our house with six adults and five children from ages seven down to six months.
Just the luggage and clothes and toys were crazy. And then add in all of the Christmas presents, and it was just nuts at our house.
Now, when Steve and I visit our kids, we always forget something.
There's only two of us. But both of our kids and their spouses are amazing at sweeping through each room and gathering up what's theirs, even when there are multiple families at the house.
But this year, the level of anarchy was just a bit too high and quite a few things got left behind.
[15:36] Most of the things left behind were things like parts to toys or a random sock, but one really important thing was left behind.
We have a charging station in the kitchen, and after everyone had left, I found the charger for Kyle's Dell work laptop sitting on the counter.
This was the worst possible thing to be left behind because Kyle was leaving Texas on an extended business trip on Tuesday, the day after New Year's.
I found the charger on the Friday before.
I packed up the charger in the smallest box I could find and I raced over to the local shipping store that does FedEx and UPS.
I said that I had to get the box overnight shipped to Texas.
The guy said, that's going to be expensive.
I explained that I had no choice because he simply had to have it before he left on his trip. I said I'd pay whatever it cost.
Tell me, what do you think it costs to overnight ship a one-pound, eight-by-two-by-four-inch box from Los Angeles to Texas on a Friday?
Whatever you think, you guessed too low. It was $170.
[16:44] I about fell over when he told me the price. I said, well, okay, it doesn't have to be Saturday delivery.
How about Sunday, two-day shipping?
He said Sunday would be the same price.
Then I realized, wait, wait, he's not leaving till Tuesday. So I asked, how about Monday delivery?
Lady, that's a holiday. They don't even deliver on Monday.
I was stuck. I couldn't figure out what to do. The worst part was I couldn't ask Kyle what I should do because his flight was still in the air back to Texas.
So I paid the $170.
[17:16] When Kyle got back home, I texted him the cost and said, boy, I sure hope you can expense this to your company. He was floored at the cost as well, and he said, I can't expense it.
You can imagine how thrilled he was about this. Now you might be wondering why I didn't offer to pay but hey I wasn't the one who forgot it right?
As we texted about it, he said that he could have overnighted a new charger via Amazon for a lot less money, and that's when I realized something that perhaps you've realized already and would have known when you were standing there.
When I saw that Dell logo on the giant black power supply in the middle of two power cable pieces, I assumed this was one of those proprietary laptop chargers from back when I was working.
[18:00] I'm certain the rest of you have guessed by now, it was a normal old USB-C charger.
I couldn't believe it. What a terrible mistake of judgment I'd made.
He probably could have bought a replacement at a grocery store.
Even the official charger for Dell from Amazon, I looked it up, it's only $26.
I felt so bad when I realized this that I told him I'd at least split the cost with him.
Fast forward a few days later, and I was talking to Kyle on the phone, and he said the strangest thing.
He said, we confirmed that Nikki's laptop charged just fine using her dock.
I wondered why he was telling me that, and that's when I realized the only way this story could get even worse.
It wasn't Kyle's charger, it was Nikki's. It never ever had to be overnighted in the first place.
[18:48] I'm Allison, and I'm not very smart.
[18:51] I tell you what, let's hand off the show to two people who are smart.
Bart Busschots is joined for the first time by Jill from the Northwoods to do Security Bits.
Security Bits — 3 January 2024 (Bart & Jill from the North Woods)
[19:03] Music.
[19:11] I'm not sure how we should intro this because I'm pretending to be Allison or you're pretending to be Allison or... Anyway, I promised a solo Security Bits, but I kvetched about how much I don't like them.
And the NosillaCastaways are wonderful people.
So, of course, a NosillaCastaway jumped in and offered to help out.
So jumping in as my co-host is Jill from the Northwoods. Jill, thank you.
You're welcome. It's good to see you.
[19:38] Well, I guess since you're pretend Allison and I'm pretend me, I guess you're the host.
Oh, well, that's true. So I got to have a squeaky voice and then say with an ever so slight Apple bias.
What about three more octaves higher than that? Yeah, three more octaves higher and then a plank. Right.
There we are. I guess we should probably jump in.
There were no stories for feedback and follow-up, which is very rare for that section to be empty in my show notes, but I've just noticed I have an empty bullet point floating in mid-air, so I guess that didn't happen. But we do have ourselves quite the little deep dive since last we spoke, so I guess we should always start with the TL;DR, or, you know, don't panic: none of the NosillaCastaways are likely to suffer from this in any way, shape, size or form, but it is nonetheless a very major piece of news.
So I am talking about Operation Triangulation, which my one paragraph summary is, Kaspersky Labs have discovered that they and Russian government officials were targeted by very advanced iOS malware that completely took over iOS devices for the last four years.
Apple have patched all the exploited vulnerabilities and regular users were not targeted. Kaspersky say there is not enough evidence to link the exploit to any particular group or government.
[21:04] So, yeah, four years. Four years. Wow, that's amazing. Yeah.
And these actors are getting so huge, but this is going after big key figures, not us little people, right?
Right. I mean, the best write-up I've read by a million miles is Dan Goodin on Ars Technica.
And that doesn't surprise me because Dan is one of the best cybersecurity writers for a general audience out there.
And I've linked to his full article in the show notes if you want the detailed blow-by-blow, but I sort of picked out some bullet points to summarize the whole story quickly. So the first thing is, they went undetected for four years, which gets to the point that it took so much effort to develop these things that you use them sparingly, because if you're caught, the jig is up. As it now is, because, of course, Apple responded: patchy, patchy, patch, patch.
[22:02] So it's already patched or is it soon to be patched?
It is already patched because I guess, well, Kaspersky have just told us the details, but the patches have been in a while.
So I guess it took them a while to figure out the details.
So the good news is if your iOS devices are up to date, you're golden, which is important. And the other good news, of course, is that we, Kaspersky estimate between 100 and maybe up to a few thousand people were targeted.
That's not us. That's just not us. Yeah.
[22:38] The attacks were delivered via an iMessage and it was the holy grail of iOS attacks in that it was a zero click exploit.
So the way it would work is your phone would be lying there without you noticing it would receive an iMessage and without you doing absolutely anything whatsoever, that iMessage would hack your phone.
And it took a chain of four vulnerabilities to do that. Wow.
And they're not simple vulnerabilities. And even after all of that, because of the level of security on iOS devices, a reboot would remove the malware, but the attackers had a workaround for that. They just sent more iMessages.
[23:22] Wow, that's something. It is.
So to put a picture on how complicated this is, the thing starts with a bug they found in TrueType, which is a font handling library.
And I think one of the lessons from Security Bits from the last decade is that parsing stuff is hard. You probably remember when PDF bugs were the thing we talked about every single week. Well, a very close relative of that is TrueType, which is a font rendering library. And so they found a bug in the font rendering code, and then they used that bug to exploit another bug in the kernel. Then they used that bug to exploit another bug that gets them into an undocumented hardware feature. And then, after that, they still needed one more bug to actually run their arbitrary scripts on the device, which was a bug in Safari, a JavaScript bug they were able to find. So they had to find four zero-days. Yeah. So.
[24:17] If you think about how much work that must have been, like, I think that's a billion-dollar bug. Like, I think stupendous resources have gone into this, which, again, is why it's not aimed at us as regular folk. When you're talking about state, you know, it is hacking state actors, you know, on the Russian side or any side, of course, then it's going to be the big powerhouses behind it. Yeah, yeah, it's got to be somewhat really deep pockets. And I don't think it's cybercrime, which also has deep pockets; some of these cybercriminal groups are getting to be as big as countries. But given who they went after, I don't think we're looking at criminals this time. I think we are looking at, you know, one or more nation states. I guess you could say maybe the Five Eyes got together and pooled the resources or something like that.
Maybe. But again, pure speculation. Right.
The really interesting one is this hardware feature. Because...
[25:12] IOS's security has been advancing and advancing and advancing.
One of the things Apple have done more recently is they've added hardware protections to stop arbitrary memory writing, even when there's a bug in the kernel.
So the hardware is stepping in to stop even an exploited kernel from writing to random pieces of memory.
And the kernel is the most privileged part of the operating system.
So that is like a stupendous feature, to have hardware protections from a kernel bug. Like, that's such a big bar to cross for an attacker. But they found a set of undocumented registers which can be used to write to arbitrary memory if you know what to do, and knowing what to do involves generating checksums and all sorts of things. It's not straightforward to figure out what to do, which is why Kaspersky were a bit perplexed, and the best they can come up with is: "Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake."
And I will just throw in, and the other obvious elephant in the room here, is some sort of supply chain attack.
[26:27] Because Apple designers will have built the spec for the chips they wanted manufactured, and they would have sent that to a manufacturer, and if at some point in between someone added in a few extra bits and bobs, then out comes something like this. That makes sense. Yeah. So, as you said, definitely fully patched. Great.
Well, one of the things I always think of, too, is that people always talk about how you never have to reboot Apple things; they'll go on and on forever without really rebooting. But maybe because of my Windows experience, I reboot all the time, at least once a day, because I know that if anything is attacking your computer, it clears it out.
Yeah, and the reason, I guess we should say, because I think we've mentioned a few times on Security Bits that iOS is very... I don't remember the last time we had an issue that was persistent in iOS, and the reason for that is Secure Boot. Because each time your phone boots up there are cryptographic checks of the operating system being loaded into memory, and so if an attacker succeeds in rewriting the flash memory on your phone, then the phone will fail to boot. So the choice they have is their exploit goes away on a reboot, or the phone doesn't reboot, in which case their exploit has gone away by default.
So the best they can do is reinfect.
And Secure Boot is the key to that.
Which is why jailbreaking is hard and why Apple locked jailbreaking down so heavily.
And that's why there are no jailbreaks on modern iOS that we know of.
[27:57] I've already mentioned this is fully patched. And obviously, the other thing here is that this is very, very advanced.
We don't really know who did it. And I think there's a lot of conspiracy theorizing out there. But I just want to share what Kaspersky have concluded.
They were the people targeted, the people with the skills to check this out.
And they say the following. Currently, we cannot conclusively attribute this cyberattack to any known threat actor.
The unique characteristics observed in Operation Triangulation don't align with patterns of known campaigns, making attribution challenging at this stage.
So they don't know, and they're the best place to know. So if you hear people speculating, that's what they're doing.
Speculating. But again, just remember, none of us are important enough to be worth being targeted by something like this, which I take great pleasure in.
I am completely not interesting. Yay.
Yeah, that's right. Well, and the good thing about it is, I mean, I do work in health care. I'm not interesting, but I have access to things that are interesting.
And so, you know, you feel glad when they fix them. But eventually these things trickle down un-reined in.
They eventually get to us. And so it's good they fixed it.
[29:08] That's it exactly right. Because once the secret is out, then you know the cybercriminal people are putting their resources into reverse engineering whatever information they can get from the patch.
That's one of the big ironies, actually. One of the big ways cybercriminals get in is when Apple or Microsoft patch their operating system, the cybercriminals reverse the patch to try to find what's changed.
And then based on what's changed, they can probably figure out the vulnerability.
And so if there is a patch and you don't have it, your exposure has just jumped through the roof, right? Which is why I always say stay patched so you stay secure, which I repeat to myself all the time. I just sit there and say that every time I patch.
So yay, I have a catchphrase. It's not very exciting, but it is a catchphrase.
Unless you have anything else to add, Jill, I think that sort of covers off that rather large piece of news. It's great.
[30:06] So jumping on then to action alerts, just two little bits of patchy, patchy, patch, patch.
Google Chrome fixed their eighth zero day of 2023, and it is now 2024.
So I guess eight is the total for the year. So patchy, patchy, patch, patch, which for Chrome users means doing that thing you hate doing and turning your browser off and turning it on again, because it will auto update, but you do have to restart it for the update to take effect.
And I don't know about you, but I'm Mr. 20 million tabs person.
[30:37] Oh, I try not to. But like I said, that might be a leftover from my Windows life. So I keep them trimmed down.
Well, I guess if you reboot every day, by default, you're forced not to do what I do, which is everything I must remember is a tab.
And it's not just tabs in one window.
It's actually, I'm dead curious. I haven't prepped this at all.
If I go to Safari and click on show me windows, how big is the list?
This should be fun window.
Okay. So my tabs are spread over 15 windows. None of those windows have one tab.
None of them have one tab, I can promise you that. So yeah, I am guilty as charged here, but I am a Safari user at least, so not a Chrome user because unfortunately, having once been the lean mean browser, Chrome is not so lean these days.
No, I always related it as a two-year-old tripping over its own shoelaces, that it tried to be fast, but sometimes it was faster than it could be and it would just fail.
So when you work in enterprise software, you beg people, don't use Chrome.
It's not, you know, going to render your page the way you might expect it to.
[31:44] I'm very happy that Microsoft Edge is now a remaking of basically Chromium without Google's cruft.
And it is now a snappy browser without too much faffing about, which is pleasing. Yeah.
Our second action alert is Apple have released macOS Sonoma 14.2.1, which has one security fix.
So if that is you, patchy, patchy, patch, patch.
There were a lot of other updates from Apple, but they're not security, they're just bug fixes.
So, you know, you probably do want to patchy, patchy, patch, patch because, well, it's nice not to have bugs all over the place, but it's not mission critical.
Great. Worthy warnings then.
I regularly tell people not to pirate software, A, because I think it's evil.
As someone who writes software, it's, how dare you steal that from people?
But B, it's really, really dangerous.
So we have proved that fact by a news story that broke the week before last.
People who were pirating games like Grand Theft Auto, Assassin's Creed or The Sims 4 accidentally ended up with some bonus extras in their download.
Fake VPN extensions force installed into Chrome.
And it happened 1.5 million times based on the download numbers.
[33:13] Yeah, so a lot of software piracy out there and that's not good.
So yeah, don't steal software.
No. I mean, I agree with you. I tried to tell people, it's like walking into a store and grabbing a CD and stuffing it in your shirt.
It's that bad, and no one would believe me until they kind of became software developers themselves, and then they understood.
But yes, one, it is stealing. But two, that was around in the 80s, too, and people would steal games, and it would just be loaded full of viruses.
And that was back before virus protection, so it didn't have a lot of...
And it's been that way forever.
I learned that the hard way when I discovered what a boot sector virus was, having reinstalled Windows 3.1 four times before I discovered what a boot sector virus was.
Yeah. I haven't stolen software since. Yeah, don't steal stuff.
Just to protect yourself.
Yeah, I think I was 12 and it was a silly game like Commander Keen 5 or something like that. But, you know.
[34:10] Those of us in Europe are probably familiar with an app called Easy Park because it is probably the widest used parking app here in Europe. It is used by many, many, many cities.
And they had a wee bit of a data breach. I guess the good news is there were no passwords in the breach and there were also no full payment details, so they can't steal your money.
But unfortunately, what was included was your name, your physical and email address, as well as those sort of last-four-digit kind of bits of credit/debit card numbers and IBANs, which are your banking details these days.
Is IBAN European or global? I can never remember which is US and which is everyone. Do you guys have IBANs?
I don't think I recall that term being used around here like that. Um.
[35:00] In fact, I'm not even sure what it is. So why don't you tell us what it is?
It is, it is a, I think the I is for international.
So you probably have them under the hood, but basically instead of having a short code and an account number, your IBAN is like your all-in-one, this is how you get money to me.
And so European banks have really moved towards IBANs for everything because in the European Union, there's a lot of inter-country trading.
You know, interstate is kind of easier than inter-country. And I think that's why we're so big on our IBANs. But I think if you wanted to send money to Europe, you'd need to find your IBAN.
Sorry, if you wanted to receive money from us Europeans, I think you have one, but you wouldn't know it. Whereas we use them all the time.
And therefore, like you're used to maybe seeing the last four digits of your social or the last four digits of a credit card, the last four digits of your IBAN is a thing here.
And so the attackers have those partial credit, debit, or IBAN numbers, which means they can make extremely convincing and automated targeted phishing.
Because they know who you are, where you are, that you park, and they know enough to pretend to know your full payment details.
That could be very convincing. We have applications here like Venmo and transfer money systems that way. Do you think it's less safe to have a unified IBAN system or less safe because we're private organizations?
[36:30] Well, we have those as well. So I don't think they kind of move.
I don't think they really meet each other. They solve different problems.
So you generally be using your IBAN or something for direct debit or, you know, corporations would use them a lot for paying invoices and stuff.
But you wouldn't... they wouldn't replace a Venmo, where you'd quickly throw someone a bit of money or whatever.
Gotcha. Okay, interesting. So I imagine the IBANs are there, actually, because Easy Park is big enough that if you owned a fleet of corporate vehicles, you would have some sort of, you know, probably a very large monthly contribution going over to Easy Park for your fleet. It's probably why those IBANs are there.
This is the time of year when lots of people get new iOS devices from Santa Claus, and so it is not surprising at all that this is a time of year when the good folks at Intego have noticed a rise in iCloud scams.
Specifically, "iCloud free storage, click here and hack yourself" emails.
So yeah, don't do that. You manage your iCloud from the iCloud settings inside System Preferences, whether it be on iOS or macOS, or from Apple's actual website.
You do not manage your iCloud from an email because it's probably not from Apple.
And they're also not big on giving away free stuff.
[37:53] Tim Cook is convinced that services are the future for Apple.
So he's not giving away a lot of that. I know. Who knew?
Who knew? But that's a great point because I get emails constantly from my web host provider.
Oh, I could get free extra storage. I could get free this. And iCloud, I get those too.
And I don't click on any link I get from any email. I go to that website.
Chase wants to talk to me. I log into Chase, you know, I don't. Yeah, exactly.
And I'm guessing Chase and banks are probably like our ones here.
So when I log into my bank, I have a little bell icon in the top corner and any advertisements they want to throw my way are sitting right behind that little bell button where they will tell me all about the cheap loans I don't want, but they want me to want yada, yada, yada.
[38:40] Right. Right. Notable news then. It was Christmas, so I guess I shouldn't be surprised this section is a little on the sparse side.
A whopping two notable news stories.
And one of them is one of those ones that I changed my mind on about five times as to whether or not to include it.
And if Alison was here, I might get shouted at, but I'm going to say it anyway.
I think it's important for people to understand how cybercrime works because it always comes down to follow the money.
And initially ransomware was going after regular folk and saying, give us money or we're going to delete all of your family pictures you value so much. And then they went, oh, corporations have more money than people, so then they started ransomwaring corporations, saying pay us up or you're never getting your data back. And then they realized that it would be really embarrassing to leak data, so then they started doing what's called a double extortion: pay us up or you're not getting it back and we're publishing it.
But now there's something called a triple extortion, where they go one step further and when the company doesn't pay, they go straight after the victims and individually extort each of the victims in the data they stole that they were going to hold the company to ransom for.
So I am sorry to say, if you live in Oklahoma, that your largest not-for-profit public healthcare network has been compromised.
It's called Integris Health. They run lots of hospitals and clinics and things.
[40:05] And the attackers have given up on getting the money from Integris because they quite rightly are not giving in to this kind of extortion.
And the FBI and everyone tells you, you do not pay.
[40:16] So now they've started to send ransom emails directly to the victims, i.e. the patients of these not-for-profit health care facilities.
So charming, charming individuals.
That did happen to me. My company that I used to work for got hacked.
They downloaded our HR database with social security.
Information about the workers. And then, when the company wouldn't pay, they reached out to us and said, make private deals with us.
Wow.
Yeah, yeah. So there you go. And it's, you know, it's all about the money, so follow the money, and it was inevitable that they would decide that that is a way to go and extract money. But yeah, the advice is still the same: don't pay, because you have zero guarantee paying them will achieve anything.
And there is a possibility that in paying them, you're literally breaking the law. Because if they are a Russian entity, you could be in breach of sanctions.
[41:12] They did pay after our information was up on the Internet for 24 hours, which is forever on the Internet.
So it was the worst of all worlds.
That doesn't seem like it achieved anything other than draining the bank balance, because there is no undo button for the Internet.
Well, it turned out they had other information that became juicier for other people to want to prevent that from getting to the Internet.
So we were okay. The other information was a little less, uh, less, uh... yeah, they didn't want that.
[41:47] Gone. Right, yeah. Then that is another technique, of course: you leak a little bit, and then you threaten to leak more, and then you hint at how juicy the more might happen to be. Ask Sony Pictures how that feels.
Oh, right, yeah. So, yeah, these hackers. But here's the thing is, uh, um, I think I heard, and you can tell me if this is true or not, that they started going after the bigwigs, the companies, the deep pockets, because we're little people.
But then little hackers ended up buying hacks against people.
You know, so now these companies migrated up.
Yeah, well, there's now a thing called ransomware as a service.
So if you're a small operator, you can basically buy ransomware as a service.
Like you would buy Dropbox, which is storage as a service, you can buy ransomware as a service. And the people doing the hard work of the hacking take a cut, a bit like an app store. 30% is quite normal.
And so you get 70% of the hackery you do, and they get 30% for providing you with the tools. And you really don't need any skills whatsoever.
You just need enough operational security not to get arrested tomorrow.
But other than that, you know, it's all you need. You just give away 30% of the profit, and that's that.
So yeah, cybercrime is money, money, money, money, money. And understanding how the money flows is very important.
I literally do an hour-long talk to Mac user groups.
And that's the basic theme, follow the money, because it gets you everywhere.
[43:14] So, yeah, these people get everybody. The little people get the little people, and the big people get the big people.
And then the big, big people will go after the big, big people.
Yeah, and, you know, sometimes law enforcement have a big success and they shut things down, so it is a cat and mouse game. But the probability is high that someday, sooner or later, you're going to be involved.
So backup, backup, backup is definitely your friend.
Yeah, and switching from cell phone authentication to two-factor authentication through an app, that's how we got caught, with cell phone authentication.
And, yeah, so as much as you can do to stay secure, pass keys, right, go to pass keys.
[43:58] Yeah, I've started to use pass keys through 1Password, and it is such a magical experience that it follows me from operating system to operating system.
It's just there, you know. Right.
I just say to GitHub, here, use my passkey. And one password pops up, scans my fingerprint, and then, or my face, depending on where I am. That's brilliant.
Anyway, I have a good news story, thankfully.
The other notable news is way less depressing.
Google Chrome, which is still bloatware, but nonetheless, it is safer bloatware.
[44:29] Google have announced that they are expanding what they call their safety check feature.
And one of the things they're doing is having it run automatically in the background all the time. and it will then present any information it finds to you in real time, which is way more useful.
So just two little quotes from the bleeping computer article.
Safety Check compares login credentials against those exposed in data leaks.
It also checks for weak and easy to guess passwords that expose users to brute force attacks.
And so it'll just do that in real time as you're doing your thing.
And then Google are broadening it. So safety check is also going to automatically revoke permissions, such as access to the user's location or microphone, for any websites you haven't visited for a long time.
So if you've granted some random website microphone access and you haven't been there in ages, that access will evaporate.
Which is great, because permanent permissions are dangerous. Evaporation is good.
Is that going to be both on desktops? Is that both on desktops and on mobile devices too?
Or is that the safety checks?
[45:33] From the article, it would appear that this automatically always running in the background thing is a desktop feature, which may have something to do with how these things are architected. Um, it's not to say they won't get something useful to mobile, but there was no mention of it in the article, so I'm going to assume if there was, they would have, you know, bragged about it.
Right, yeah.
So we have no top tips this week, but I do have one excellent explainer I thought I would link people to.
The good people at Apple Insider have a nice simple article on how to protect yourself from QR code scams.
And I'll give you the quick summary.
[46:10] Remember, a QR code is just a URL. So like any other URL, look in the address bar to see where you have actually landed.
It is now a thing where attackers are going on places like, say, public parking in some cities is done with QR code.
And they are printing out malicious QR codes and sticking them over illegitimate ones.
And then the URL takes you to a website that looks like the city's website, but isn't the city's website. And you see where this is going.
[46:43] So always look at where you end up, right? It doesn't really matter how your browser opens.
If your browser opens and it's on a page where it's looking for you to tell it something, always glance up at that address bar.
Look where you really are, not where you think you are.
And the other really good tip is that if you're an iOS user, the safest way to actually scan a QR code is not with some sort of third-party app you downloaded from the App Store, because a lot of those are really quite dodgy. It's actually to use the Camera app, because the Camera app will detect them automatically as you're pointing it around, without even taking a picture. Just, you know, turn on the camera and point, and it will show you the URL, and you then have to click on it before you go anywhere. So it's a nice little double check, and I always like to use it. In fact, I used it about an hour ago, because here in Ireland, when we have to pay import duty on something, our post office very kindly gives us the bill.
So we get, instead of getting the package we ordered, we get a little piece of cardboard that says you owe us blah euro so that you can get your package.
But it has a QR code on it. So instead of having to type in the tracking number like we used to have to do, which is always a pain in the backside, you just scan the QR code.
But when using the phone app, I could immediately see it went to onpus.ie forward slash customs.
Great. That's where I wanted to go. Tap.
[48:05] Then I safely completed my credit card transaction.
Then my bank rejected the transaction because, and I found this out when I rang them up, at this time of the year, there are so many fraudulent customs declarations that we block them all automatically, or rather Visa block them all automatically and make people phone in to say it really is them.
So that's some idea of what Christmas is like, I guess.
So anyway. Yeah. Yeah. I know I was at my gas station that used to get those, I don't know, they'd been targets of scams before, but it had a big QR code right on the gas station pump.
And I thought, I wonder what this is. So I went and did it and like, what are you doing? You don't know what that is.
So I put my phone away and put your phone away. Yeah. But as I say, ultimately, they're just links.
So as long as you check the URL where you land, you're fine.
I mean, they're not magic. They are just links in a form the phone can understand instead of the human.
That way the phone can go there instead of you, the human, having to type in www.yaddyaddyaddy.
It was smartly a tiny link.
And so you couldn't really tell what it was, you know? I'm like, no.
That makes no sense, actually. Why would you, if you're going to encode a URL in a QR code, why send, oh no, I know why you send it through tiny link, because that way you get statistics.
[49:25] You get tracking statistics. That's what that's about. Plus it also doesn't say like hacker.com slash.
Right. Oh yeah. The attackers wanted it for obfuscation, but a semi-legitimate use is tracking cookies.
[49:40] And I use the word semi there because I don't think it's legitimate.
If I'm engaging with a company, you shouldn't be doing that to me. I'm your customer.
But, you know, it's not crime. Oh, this was definitely fake.
Yeah, this was definitely fake. Yeah. Interesting.
I just read this article yesterday as I was writing these show notes, and I was out on my cycle, and I noticed that QR codes are now becoming so common that the local secondary school, their welcome board, doesn't have the school's website that says, you know, bloody blast community school, and a QR code.
A giant, big, three-foot-by-three-foot QR code.
Not a web URL, a giant QR code. So, yeah, they're everywhere. But they are just links.
So the idea is don't click on links you don't know and don't click on QR codes you don't know either.
And I think the most important thing is that when you get to a web page from a QR code, look up. Like, look up at that address bar.
That advice can never get you wrong because no matter how many redirects you ended up bouncing through, at the point in time where there's a text box saying, please tell me things.
If you look up at that point in time, that's what matters.
And particularly look for the little padlock and make sure that you are at the URL you think you are because if the padlock says hacker.com, well, then you are securely talking to the bad guys.
Yay! I can be security hacked. Oh, wait, no.
[51:10] Now, unfortunately, I have no palate cleansers because I have never seen my feed reader as empty as it has been in the last couple of weeks because all of my favorite websites and all of their staff have like holidays and things. How dare they?
So I guess this is as close to a palate cleanser as we get.
The iOS camera app is great for QR codes. Use it.
I don't know. Well, I did come up with one.
[51:38] Aha, good. So I've recently been, you know, getting involved in quiet hiking.
And I hope I didn't hear this from you. But there's a fellow named Harmen Hoek, H-O-E-K. He's on YouTube, and I can give you the link.
And he just hikes places, and he doesn't talk.
You just hear him crunching leaves, you know, as he walks. Right.
And so he's just going on an eight-day hike through Yosemite.
And you just watch it on YouTube.
And so when I'm working, I just have this beautiful nature vista in front of me instead of music or a podcast.
And it's so relaxing. So I recommend Harmen Hoek, who does these amazing silent hikes.
That is a really cool recommendation. It reminds me of a channel I used to be fascinated by as a kid on one of our cable networks.
It was a Scandinavian country. They had attached cameras to the nose of their trains, and it was just a TV channel with no sound, or it might have been some quiet music or something, and it was just the countryside pootling past you. With the difference that instead of it being crunching leaves, there were always these two parallel lines in front of you, because you were strapped to the front of a train. But you never knew what you were going to get, and it didn't change very quick, but it was just a thing to have on. Yeah.
[52:57] Yeah, cool. Jill, thank you very much. And actually, let's do another bonus.
Yeah, since you're not normally here, why don't we use this as an opportunity to plug your various cool podcasts?
Oh, well, thank you. I got started because Allison got me started, and I have Start with Small Steps podcast. And it's productivity.
I try to keep most of my podcasts around 17 minutes, but I'll usually talk about a book.
Someone's famous book, I sort of summarize it and then say whether or not I think this book offers people a lot of good advice and that they should read it too. So it's almost like a book review or I call it a book report, but that's the one that I, that's my first podcast.
[53:37] Well, given the time of year when people are thinking of making improvements in their lives, I think that is the most perfect podcast blog there could be because a small step now is the time.
And for what it's worth, I am someone who has succeeded over the last decade or so in making some, in aggregate, substantial changes to my lifestyle for the better. The reason I succeeded was because each step was always small and sustainable, and then when you have one done and it's become a habit, do another one, let it become habit, do another one.
No, that's absolutely right. And I'm trying to get the whole Small Steps empire. I have Small Steps with God, Small Steps in the Bible, and then I'm going to do a nature one, which is small steps but it doesn't say small tip. But if you're interested in small steps, there's a fantastic book by, oh gosh, now I can't think of his name, but it's called Tiny Habits.
And so if you're looking to sort of expand on your small habits empire of, uh, gradually changing your life, the book Tiny Habits is the way to go.
[54:32] I'm intrigued by the concept of nature small steps. What would you be teaching people?
Well, what we're going to talk about is how to see nature outside your front door. There are podcasts out there that will talk about how science works, the blood of a frog keeps him from freezing in winter, but this is really about how to go outside, find nature, see stars, see auroras, what's the weather mean, and it's just about observational nature.
So, okay, you have a subscriber straight away, because I spend a lot of time out walking and stuff, and I am always on the lookout for cool and interesting things and stuff to keep an eye out for. And one thing the pandemic taught me is that there is fun and interesting stuff on your doorstep, because, you know, my world shrank quite a bit, but I still had a lot of interesting stuff going on because I was looking more carefully, more closely.
Yeah. Well, this one's called Buzz Blossom and Squeak, and you can use small steps if you like. It is not yet live, because I'm working with a friend and we're trying to get our groove. You know, it's easy to do a single podcast where you're just doing your own thing, but obviously getting a chemistry together with someone takes a little bit longer. So we're getting there with small steps.
Well, excellent. What a great callback. So look, the very best to look at it. That sounds absolutely fascinating.
And I'm sure you will let us know when it's live. And I'm sure Alison will be so kind as to plug it for you because I'll definitely be your subscriber.
That sounds really cool.
[56:01] Well, and I follow your social media because you post beautiful pictures of nature.
So I love that too. And the thing is, it's all within walking distance of my front door because that is what I do.
I go for two walks every day and that's where those photographs come from.
And so I'm always trying to learn more about what's around me.
And there's a lot, there's a lot around you, no matter where you live.
It's just where you live.
[56:25] Yeah. Cool. Right. I'm supposed to say something. Oh, yeah. Remember, folks, until next time, stay patched so you stay secure.
Well, how fun was that? I'm starting to feel like I'm working myself out of a job here.
Maybe I'm going to be semi-retired from podcasting.
Nah, you can never get the microphone away from me. But anyway, that is going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like?
If you have a question or suggestion, just send it on over.
You can follow me on mastodon at podfeet at chaos.social.
Remember, everything good starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways.
Remember, you can support the show at podfeet.com slash Patreon, like Linda Goucher, or with a one-time donation at podfeet.com slash PayPal.
If you want to join in the fun of the live show, you're going to have to wait until January 14th. And when you do, head on over to podfeet.com slash live on Sunday night at 5 p.m. Pacific time. Enjoying the friendly and enthusiastic.
[57:28] Music.