NC_2024_02_04

Discussion on Apple's new fee structure for developers, ransomware attacks, AI voice scams, data breaches, and NosillaCast's podcast series on Richard Feynman.

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com

Generated Shownotes

Chapters

0:00:00 NC_2024_02_04
0:00:15 CCATP #785 — Helma van der Linden on Porting XKPASSWD from Perl to JavaScript
0:02:36 CCATP #786 — Bart Busschots on PBS 160 of X — jq as a Programming Language
0:04:20 CES 2024: Cricut Smart Cutting Machines
0:08:13 Tailwind iQ3 Brings Back HomeKit after Chamberlain Removed it From My Garage Door
0:20:27 CES 2024: Skwheel Electric Ski
0:24:13 https://podfeet.com/patreon
0:24:44 Security Bits — 4 February 2024

Long Summary

In this part of the conversation, I discuss the changes in Apple's fee structure and how they affect developers. The changes include a reduced commission rate for developers making less than $1 million per year, which is a positive move for small developers. However, larger developers will still face the standard commission rate. Subscription-based apps will also be subject to the 30% commission rate in the second year and beyond. These changes have implications for the profitability of developers and the potential for them to pass on the savings to consumers. While the fee changes are a step in the right direction, there are still limitations and concerns to consider.

Moving on, we discuss the additional 3% fee that Apple charges for processing payments. Although there are alternative APIs available for payment processing, using Apple's APIs ensures that users are always aware of transactions. There are consequences to leaving the Apple ecosystem, such as Family Sharing not working on a third-party processor. The 3% processing fee is considered market rate and does not significantly impact developers without in-house credit card processing. Therefore, it is economically wise for most developers to stay within the Apple ecosystem. The different fees charged by Apple, including the 3% credit card fee and the platform fee, have caused confusion. It's important to note that moving the processing fee does not affect Apple's entitlement to the other fees. We clarify that sideloading is not coming to Europe and there are no bypasses or changes to Apple's control. Despite the Digital Markets Act (DMA), certain app features remain impossible due to Apple's control. We also discuss the role of third-party app stores within the Apple ecosystem, with Apple relinquishing content moderation responsibility but maintaining control over app security and review.

In terms of updates, we mention that there has been a decrease in ransomware attacks targeting individuals and an increase in attacks targeting companies. Additionally, we retract our argument about sideloading and apologize for any confusion. Notable news includes a law in the UK that could have implications for Apple and Microsoft, the FBI disrupting a Chinese botnet, a fake data breach at Europcar, a malware campaign in Italy, vulnerabilities found in Tesla cars, and recently patched vulnerabilities by Apple and Google.

Moving on to some interesting tidbits, we discuss tactics for dealing with AI voice scams and ways to securely share information online. We also highlight a major data breach involving 12 terabytes of passwords and how malicious software ads can bypass Google's security measures. We provide an analysis of Mac and iPhone malware and recommend two podcast episodes: one from Unexplainable that explores intriguing questions, and one from Freakonomics Radio that should appeal to listeners' interests.

We then introduce a podcast called NosillaCast, which focuses on Richard Feynman. The host of the show has started a mini-series dedicated to Feynman's life, with each episode exploring a different aspect. We briefly discuss the first episode of the series, which delves into Feynman's investigation of the shuttle and the O-rings. The host expresses enthusiasm for learning about Feynman and mentions the involvement of Feynman's daughter in the podcast series. We conclude by reminding listeners to stay patched and secure and providing ways to get in touch and support the show.

Brief Summary

In this part of the conversation, we discuss Apple's fee structure changes for developers, including reduced commission rates for small developers and the 3% processing fee. We also provide updates on ransomware attacks, notable news, and share tidbits on AI voice scams and data breaches. We highlight the NosillaCast podcast series on Richard Feynman.

Tags

Apple, fee structure changes, developers, commission rates, small developers, processing fee, ransomware attacks, notable news, AI voice scams, data breaches, NosillaCast podcast, Richard Feynman

Transcript

NC_2024_02_04


[0:00] Music.

[0:11] 2024, and this is show number 978. We have not one, but two Chit Chat Across

CCATP #785 — Helma van der Linden on Porting XKPASSWD from Perl to JavaScript

https://www.podfeet.com/blog/2024/02/ccatp-785/


[0:18] the Ponds this week, and they sort of sound related, and in a way they are.
The first one is a stretch to the word light for Chit Chat Across the Pond.
I'd kind of call it more like a crossover episode of Chit Chat Across the Pond light and programming by stealth.
Helma van der Linden joins me to tell the story of how she has successfully started the new version of Bart's fabulous XKPassWD password generation service to move to JavaScript.
You see, XKPassWD.net was written in Perl ages ago, and it depends on very old and outdated libraries.
Bart spent many months teaching the Programming by Stealth students the tools that we and he would need in order to port the code over to JavaScript.
His plan all along was to have the students help him make the new version of XKPassWD a reality.

[1:07] It turns out that Helma is an extraordinary student and has done most of the work to make it a minimum viable product already, all without Bart's help.
In the conversation that we have in Chit Chat Across the Pond, we'll talk about how she did this without, and we try not to get too nerdy.
It's some nerdy, but not too nerdy.
If you'd like to give the very beta version of the new tool a try without knowing any coding at all, I have a link in the show notes to it.
And in a few days, Bart is going to have it up in a very nice URL.
It will be at beta.xkpasswd.net. So perhaps by the time you see this, you'll be able to try out the beta.
Now, the beta version is not feature complete, but it does allow you to create between one and 10 passwords that use the default preset from the original xkpasswd.
You can't choose different presets yet, and you can't make customized passwords, but at least it does create long, strong, memorable, and typable passwords, and it's really pretty.

[2:05] At the end of this episode, we put out the call for others to come help work on the code.
We have a GitHub repo, and there's a link in the show notes to that.
If you have or create a GitHub account, you can contribute to the project.
If you don't have programming skills, but you do have feature requests, that counts as contributing if you use the issues tab for the GitHub project to post your feature request.
Helma is great fun, and we had a blast talking about what she's accomplished, so I think you'll enjoy the conversation no matter how nerdy you might be.
In our second chit-chat across the pond, it's a traditional programming by stealth,

CCATP #786 — Bart Busschots on PBS 160 of X — jq as a Programming Language

https://www.podfeet.com/blog/2024/02/ccatp-786/


[2:40] and Bart Busschots teaches us how to use jq as a programming language this time.
Before we get into the new stuff, Bart takes us through his solution to the challenge, and I have to say I was pretty chuffed when he said that my solution to the extra credit portion was more elegant than his.
To be fair, it did take a buddy programming session with him for me to get the first part of the challenge figured out, but I excelled at the extra credit.
When we get into the programming language part of the lesson, there were so many times that I said, oh man, I needed to know this last week.
But I think finding out these options are available after understanding the problems they solve was a fantastic way to do it.
We learned how to run jq filters from files, which means no more looking at our filters as all this big, long, giant command all in one line.
We can put in line feeds and indents in our filters. We can even make comments to make them more readable.

[3:32] We can, let's see, Bart tells us about a couple of handy plugins for VS Code that gives us syntax highlighting, and that's going to be swell.

[3:39] My favorite thing I learned, though, was how to add debugging to our filters.
This one is a life changer.
We explore a few functions for looking at data filters that will also make our life easier.
We wrap up with an introduction to jq variables, which it's really pretty funny.
The developers of jq really don't want you to use variables.
It's very begrudging that they let you know about the ones that they do have.
Anyway, you can find this episode of Chit Chat Across the Pond and the previous one in your podcatcher of choice.
This one, you can find it under Programming by Stealth as well as under Chit Chat Across the Pond. The first one, Chit Chat Across the Pond Lite.
Boy, that's confusing. Who named all this stuff?

CES 2024: Cricut Smart Cutting Machines

https://www.podfeet.com/blog/2024/01/ces-2024-cricut/


[4:21] All right, let's get started and listen to one of the interviews from CES.

[4:27] I have a Cricut at home, which it's hard to explain what it is, but my new friend, Natasha Adorable, is going to tell us all about what a Cricut is.
I do want to say that my daughter and daughter-in-law are both amazing at all the crazy things.
My friend Pat does all these crazy things, and I got to admit, I've done like a t-shirt, and I've got my own logo on my car, and I haven't done much else.
But Natasha is going to explain to us what a Cricut is, and then about their newest product.
Awesome. So a Cricut is a smart cutting machine, and we have lots of different models depending on what you want to make, but you can cut everything from vinyl, from stickers, from iron-on, so you can really personalize and make anything.
I know that sounds crazy, but you mentioned your car decals.
You can make car decals, tumbler decals, personalized birthday cards.
This is great for events like bachelorette parties, birthday parties.
Anything you can think of in your mind, you can go from idea to I did it.
I think of it as it's like a printer, but it's going to cut and it's going to print and it's going to make things more than a printer does.
Correct. Instead of ink, we have different types of blades that can score, that can cut different types of materials so that you can put it together and make something really personalized.

[5:34] Right, right. But it can also print. It doesn't. Like a pen inking.
Yes, it can take pens, markers, so you can personalize and write.
You can also take inkjet, or if you want to make full-colored stickers, you can use your inkjet printer.
We have different materials, so you can make waterproof stickers.
Oh, wow. That's cool. So, the unit that I have is pretty big.
It's maybe 18 inches across.
It's pretty big, pretty hefty to pick out, but today, you were talking about the Cricut Joy Extra, correct?
Yes, Cricut Joy Extra is the newest smart cutting machine that we have launched.
I love this machine, I love them all, but this one is just so practical because you can cut over 200 materials on this machine. And it's tiny.
Describe how big that is. It's like a loaf of bread.

[6:20] This is 8 1⁄2 inches wide, so it fits your standard, you know, copy paper, that type size of paper.
But what I love about it is how portable it is. You can see I'm holding it with one hand.
So when I need to make something and I maybe don't have a craft room, I just have a kitchen table, I can pull this out, whip up whatever I need to make, and then put it away because it's such a nice size.
And you can still make big things. If I wanted to make a big T-shirt, a decal for a T-shirt, you could still make really great things with this machine.
You might not make a wall poster with it, but that's not what we're really making most of the time, right?
So the Cricut Extra, it's XTRA, correct? XTRA, that's right.
And what's your price point on this? This is $199.
Oh, wow. So it's a really affordable entry point as well. Really affordable, yeah.
I like that. Now, I'm going to say what Natasha doesn't want me to say is it's addictive.
I mean, I don't actually use mine very much, like I said, but I have all of these cool little tools. I've got things to score the paper and to bend the paper and little things to pick the stickers apart.
And it's so fun. All the little accessories.
Something called therapeutic. Yeah. Oh, yeah, yeah, yeah, yeah, yeah. My grandson actually likes to be the picker. He likes to sit there and pick it off. It's fun.
He really enjoys it. It's just fun. So it's a fun process. And at the same time, you're coming out with really professional results. And it's a fun process.

[7:37] Very, very cool. So this is the Cricut Joy Extra. Sorry, Cricut Joy Extra.
Joy Extra. I'm going to get it right yet. And is this available today?
It is available today. You can go on Cricut.com. You can find us at most major retailers like Walmart and Target, Michael's and Joann's. So really accessible. Oh, yeah.
Don't go to Joann's or Michael's. Just don't do it. You walk in and just like, I need all of this stuff.
They tell you what you need. Yeah, yeah, yeah, yeah. The boxes, all the accessories.
It's such a fun store. So Cricut, for anybody who doesn't already know, is spelled C-R-I-C-U-T. That's right. All right. Thank you very much, Natasha. This is great.

Tailwind iQ3 Brings Back HomeKit after Chamberlain Removed it From My Garage Door

https://www.podfeet.com/blog/2024/01/tailwind-iq3/


[8:14] Well, you know I love home automation. So when we interviewed LiftMaster, which is a Chamberlain company at CES in 2020, about their MyQ HomeBridge Hub with HomeKit for garage doors, we had to jump on it.
We had a LiftMaster garage door opener already, so we purchased the MyQ HomeBridge Hub just to get HomeKit compatibility.
Eventually, they started selling a garage door opener that included the MyQ HomeBridge internally, but we purposely bought this HomeBridge Hub just to get this HomeKit compatibility.

[8:44] Many of the home automation devices that I've bought are in the life-changing category, but having a smart garage door opener doesn't really quite make that cut for me. It's nice, but it's not life-changing.
It's nice that it gives us alerts if we've left it open for too long, and I like to get an alert on my phone when Steve comes home with coffee so Tesla and I can greet him at the door.
When I'm coming home from my walk, I often decide to use my leaf blower to blow off the driveway.
It's tedious to walk into the house and then turn around, and just go back out the garage to open it.
I named our garage door Sesame, and I love to say, hey, yes, lady, open Sesame.
I know that's silly, but I got the idea after Bart named his automations for his Christmas tree lights Merry Christmas to turn them on and Bah Humbug to turn them off.
Now, I did have someone ask me after they saw the article I wrote on this subject, they said, why didn't you name it Open the Pod Bay Doors?
I'll tell you why. Why? It's because Pat Dengler already did that, so I had to choose something else.
Anyway, one day in December, I asked the ass lady to open Sesame and nothing happened.
I opened HomeKit on my phone and Sesame was grayed out.
I was annoyed, but you know, it wasn't the first time something got wonky with HomeKit because wonky is pretty much HomeKit's middle name.
I sighed and I procrastinated for a few days about trying to figure out what was wrong with Sesame.

[10:06] And then I heard on several podcasts that this Chamberlain group had purposely disabled HomeKit, Home Assistant, and other third-party apps in their MyQ Assistant.
According to sources like 9to5Mac, the purpose of disabling HomeKit access was to make us use the MyQ app so we would have to see their ads.
I don't know if that's their motivation, but it's a logical supposition.
I personally think this is unconscionable. The entire purpose for the MyQ HomeBridge that I bought was to buy this capability, and they summarily disabled the one thing this device does.
I certainly wouldn't buy another product from LiftMaster or Chamberlain, and I'd never recommend them to anyone after this.

[10:50] I started pursuing alternatives to MyQ, and I quickly found the Meross Smart Garage Door Opener Remote Control MSG100.
I'm a big fan of Meross, as you probably know, especially their inexpensive outlet switches, so they were my first choice.
However, in digging through the user manual for the Meross opener, which by the way is really hard to find, I saw the door open-close sensors, and they look very small.
We had a bad experience with extreme fiddliness years ago trying to place small sensors from Wyze on our garage door, so we weren't excited about this Meross design.
I have also started to hear from some listeners about intermittent problems with their Meross devices.
I've had good success with the switches, but, you know, so it's not enough to make me turn away from Meross, but I knew I would never be able to convince Steve to deal with even potentially fiddly sensors on the garage door.

[11:44] Pat Dengler, who I mentioned earlier, who's a good friend and Apple certified consultant, she found another option called Tailwind IQ3 Pro from GoTailwind.com and that promised to bring HomeKit compatibility to existing garage door openers for only $90.
She bought a Tailwind IQ3 Pro and Steve agreed to help her install it.
Now my motivation in encouraging this collaboration was that if Steve could see how it worked and understood the complexity of the installation, maybe we could have one too.
Luckily, the installation at Pat's house was a success and Steve bought one for our home.
I'm not going to go through all of the nitty-gritty of how to figure out which tailwind IQ3 is compatible with your garage door or even the details of how to do the installation.
The first reason is it's a bit complex to figure out which one to buy, and they have really good instructions online, and they have a great installation video.

[12:39] So let's talk though about the parts, about how it works, because it's really rather clever. In the box, you get several separate parts.
Garage doors usually run on a track shaped like a J.
The Tailwind IQ3 comes with a sensor that easily mounts to the J track.
You simply squeeze it on and then tighten a little screw.
With the garage door closed, you align a magnet on another bracket right across from the sensor.
The magnet is on a big metal plate that you double back tape to the door.
The sensor magnet arrangement is what will tell the IQ3 whether the door is open or closed, and the alignment is very forgiving because these pieces are really big, so it's not hard at all.

[13:19] Now let's talk about the controller. This is a small black box with a surprisingly delightful velvety interface surface.
You know, like you would, you'd really like to hold this in your hand, except it's just going to be stuck in your garage door covered with spiders and everything. I don't know why they made it so nice.
But anyway, this controller may or may not end up being plugged into your existing garage door, depending on what you have.
When you buy the Tailwind IQ3, you get asked two odd questions.
They ask you whether you have a little yellow learn button on your existing Chamberlain or Liftmaster or Craftsman opener.
The answer was yes for us, we do have a yellow learn button.
If you have a Genie overhead door opener, you get a different question.

[14:03] Now, I promise not to get too nitty-gritty, but that little detail about the yellow button made a huge difference in the way the controller worked and how easy the installation turned out to be.
If you do have a yellow learn button, as we do, when they ship the IQ3 to you, they include a little remote. You know what old people like me call a clicker.
Anyway, it's a more elegant version of the remotes you get with your normal garage door opener.
The printed instructions tell you to download the Tailwind Smart app from the App Store, and it walks you through every step of the way in setting up your Tailwind IQ3.
I mean, really, really good instructions.
The one tricky bit of the installation is that you have to connect a couple of wires from this little remote to the controller.
I'd seen this done, you know, connecting wires like this before, but I hadn't actually ever done it myself because I have a pocket electrical engineer in the house.
You simply twist the wire ends together, and then you screw on what's called a wire nut.
With Steve as my supervisor, he made sure I did the initial twist in the clockwise direction so the wire nut would be tightening the twist, not unfurling it.
We're now done with the electrician portion of our story.
It was easy enough, I think even Bodie Grimm could pull this off.

[15:11] I'm awfully far into the story, and I haven't explained how this controller, clicker, sensor and magnet contraption is actually going to work.
You use the learn button on the existing garage door opener to teach the garage door to recognize the code sent by the clicker remote to open and close the door.
This is just like you would teach any new normal remote or your car's built-in system so that it'll know the code.
Just as a test, we made sure that both of our cars could still open the garage door after we taught it to learn about the Tailwind remote.

[15:44] Once that 15-second procedure is complete, the Tailwind app you've been following along with helps you connect the IQ3 controller to your Wi-Fi network.
It tells you to use 2.4 gigahertz, but it negotiated our Eero Mesh network with a combined 5 and 2.4 gigahertz network without any issues.
We didn't have to disable 5 gigahertz or any of that nonsense. It just connected just fine.
Now at this point, the controller's on our Wi-Fi, the remote clicker knows the codes to send to the garage door, and the controller is connected to the sensor magnet setup via cable harness, so it knows when the garage door is open or closed.
None of this ever gets connected to the garage door opener, at least for those of us with a yellow learn button.
Seriously, none of this is connected. It's nowhere near. It doesn't have to connect to it.
So next it tells you to go outside into the driveway with your phone and the app running, and it gets your geolocation, and you adjust as necessary to get your exact address.
I presume that this allows the IQ3 to know when you arrive home and open the garage door for you if you'd like to have that set up.
I've not quite got my nerve to allow something like that because I picture somebody stealing my purse with my phone in it, which means they can drive my car, and then they have my license with my address on it, and now they can drive to my house and the garage door will open for them.

[16:59] I guess if they have my phone, my front door will open for them without needing my car, but hey, well, anyway.
Here's where my genius came into play in this whole plot.
The instructions say to mount the controller to the garage door opener with double back tape and then run the very long but thin cable across the ceiling to the edge of the door and then around the door and down to the J track-mounted sensor.
But it occurred to me that since we had to have the little clicker and our controller never gets plugged into the garage door opener at all, why did we need to mount it up in the ceiling and run that long cable?
All the controller needs is power and we happen to have an outlet right next to where we wanted to mount the sensor to the J track.
Since we didn't need to run the wire for that long distance, we probably could have cut the long wire and spliced it to be a lot shorter.
Instead, Steve just put a hook into the wall and hung the steel coil wire and the clicker onto the hook.
Then he mounted the controller to the wall right next to it and plugged it into power.
The next step was to add the device to HomeKit. Within the Tailwind app, if you tap enough buttons in the right order, you come to a screen with the HomeKit code on it.
In HomeKit, we tried to add the device by typing in the code, but it didn't work.

[18:07] Then Steve remembered that Pat had to do a firmware update to the Tailwind IQ3 before HomeKit worked.
Using the Tailwind app, he asked for a firmware update, and it said, I'm already up to date.
But here's the weird thing. After asking for the firmware update that we didn't need, the device showed up in HomeKit when we asked it to add a device.
So maybe you just have to tickle the firmware update screen?
That's all that's required? I don't know.
So Steve was the point person on this installation. So he created an account at Tailwind to control the door.
In his app, we found a way for him to share the garage door opener with me.
This sent me an email, an invite via email, and then I could use the Tailwind app to control the door.
However, as a shared user, I didn't have the ability to change any of the settings on the door.
Worked fine, and if you're sharing your door with a neighbor or a friend or anyone else you don't want messing things up, that's a great way to go.
However, I logged out and logged into Steve's account, so I have full control too.

[19:07] Now, my focus has been on HomeKit compatibility, but let me read you the Tailwind IQ3 compatibility statement.
Works with Apple HomeKit, I'm going to say the S lady, CarPlay via HomeKit, Android Auto, Google Home, the Google Assistant, Alexa, SmartThings, IFTTT, Home Assistant, Hubitat, Crestron, Control4, and a local control API allowing to create your own integrations. More integrations are coming soon.
Yes, while others are reducing interoperability, we are adding it.
They threw a little shade on the people at Chamberlain there, didn't they?
While the Tailwind IQ3 fits into the category of like a hack, it's a hack in the good sense of the word. It's not using any janky technology.
It's using our home's Wi-Fi and the built-in capability of the door opener to teach your remote to open the garage. And it's all done with HomeKit blessing.
I should mention that the Tailwind IQ3 can manage up to three doors with the same controller, so if you have multiple garages or maybe a gate in front of your garage, Tailwind has your back.
I give a John F. Brown-level fist shake to Chamberlain and a hooray to Tailwind for bringing back HomeKit to my garage so I can say, open sesame again.
At the end of the article, I'll leave you with Pat Dengler's affiliate link, which will give you 5% off your purchase at Tailwind.

CES 2024: Skwheel Electric Ski

https://www.podfeet.com/blog/2024/01/ces-2024-skwheel/


[20:28] If you like to ski, you know it's really hard to find time to get up to the mountains, or maybe you don't live where it snows, perhaps you'd like to talk to the people at Skwheel who have something really exciting for the people who like to ski.
I'm talking to Joseph Dajarel here from Skwheel. What is this product we're looking at here?
Thank you. Yeah, it's the world's first all-terrain electric ski.
So it's born from a passion for skiing and engineering expertise.
And we spent like the last five years to developing a project that redefines the boundaries of mobility.
So this is a video and audio podcast. I'm going to describe what we're looking at, they look like giant roller skates.
But it's two flat platforms with wheels, small wheels at either end, and then a clamp that clamps your foot into it. We've got lights on the front and the back.
And you're saying this is an electric ski. Exactly. I know it's like a world, but we have like a center of gravity very lower than a roller blade.
So we are like very stable when you use it. We have like one engine in each wheel. So it's like very powerful.
You can go up to 50 miles per hour.
How fast? 5.0, 50 miles per hour. Exactly. Yeah.
Wow. The idea is not to go as fast, but we need a lot of couple to go on the sand, on the mountain.

[21:40] Because we love to use it in the beach. you know, it's like a sensation of freedom, just really amazing.
So how does it give you the sensation of skiing that's different, that's somehow different than rollerblading?
It's the first pattern that we create, like a front-pivot system, which first for you, will produce the same feel as traditional skiing, so.
So he's turning the wheel and it's kind of rotating in a lot of different positions.
You know, exactly with the real ski, so you have just the curve.

[22:08] But for the acceleration on the brake, you have the handle in the U-end, So you accelerate, you brake.
Okay, so that's just a handheld thing. Exactly. That you've got, he's got in his hand, that's got a... This is a patent too, because when you finish to use it, you just lock it and you have a telescopic handle for an easy transport.
Okay, so I've got to describe that to the audio listeners. He was holding something, it looks like a controller, like for a VR headset.
Yeah. It's kind of what it looks like, that loops around your hand and he had a little dial where he's dialing the acceleration.
And then he popped it in between the two skis and then pulled out a telescopic handle and that's how you carry these?
Exactly. Wow. How much do these weigh?
The cost? The weight first. Ah, the weight. Okay, it's 12.5 kilo, so it's just like six kilo in each fits.
So you know it's exactly the same way of traditional skiing with the boots on the ski. Oh okay.
So now the entire platform where your foot goes, that's got a lot of friction on it there, that pops out and that's the battery?
Exactly. You have one battery in each bit. You can travel 30 kilometers at a steady speed of 25 kilometers per hour. Not in sand?
No, yeah, it's sand too, but it depends on your weights.

[23:18] But we have a removable battery. So if you want to make more than 30 kilometers, you can change it in just five seconds.
Oh, that's cool. Yeah, we've watched while we've been doing the interview, one of the other gentlemen has just been popping the batteries in and out and in and out as we're talking.
So yeah, it's obviously very easy to do. When is this product expected to be available?
This morning. We launched the crowdfunding campaign this morning on the Indiegogo and we do like a 33% off for the 15 first backer.
So I haven't seen everyone to support us. And how much is it gonna cost?
The wheel cost retailer is $2,400, but for now in the campaign crowdfunding, it's $1,600. So very big discount.
Get in early on Indiegogo, huh?
Yeah, exactly. So where would people go to find out more about Skwheel?
Skwheel.com. So that's S-K-W-H-E-E-L.com.
Perfect.
All right. Thank you very much. This was really interesting.
It looks fun. Thank you too.

https://podfeet.com/patreon

https://podfeet.com/patreon


[24:13] Richard Gunther is the co-host of the Smart Home Show at smarthome.fm.
Not only that, he's a great guy.
And I'm not just saying that because he's the newest patron of the Podfeet podcast.
He really is nice. He's in our Slack community at podfeet.com slash slack, contributing and asking questions.
I've met Richard in real life, too. If you'd like to be nice like Richard, head over to podfeet.com slash Patreon and select a dollar amount that fits in your family's budget to help support the work we do here. Thanks, Richard.

Security Bits — 4 February 2024

https://www.podfeet.com/blog/2024/02/sb-2024-02-04/


[24:45] Music.

[24:54] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Strangely enough, this bad news, good news stuff is one of my favorite times of the week.
Oh, cool. I think we have quite the roller coaster this week. So strap in.
Put down that little barrier thing that comes down on a roller coaster, whatever you want to put it. But anyway, let's have some fun then.
We have quite a few follow-ups, actually. So obviously, last time's news was very substantial because it sort of rumbled on a bit. So it developed a little bit.
So the first thing I want to pick up again that we've talked about before is stolen device protection is now live on the latest version of iOS, which is 17.3.
So this is basically, I call it the Joanna Stern feature.

[25:40] So Joanna Stern is one of the reporters who led the charge on figuring out and explaining how iPhones were being successfully stolen, despite the fact that people had multi-factor authentication and stuff on their Apple IDs.
And the answer was that they were either observing people entering their passcodes or socially engineering the passcode out of them, then stealing the phone and then using the feature where the iPhone plus its passcode can be used to reset the Apple ID password.

[26:10] And Joanna Stern interviewed a thief, a convicted thief who now regrets their actions, who explained that when you were good at it, you could do it in about 30 seconds. So steal phone, change password, disable activation lock and Find My, in about 30 seconds, when you practice all the keystrokes right. So this feature was designed to... Which surprised all of us. It did, it really did, and probably Apple too. And they took a while to have a think about it, and in the betas of iOS 17.3 they started testing out this stolen device mode, and that's now gone production.
So it's gone into the released version and it's kind of a simple idea.
When you turn it on, nothing really happens, obviously, unless you try to do one of those really sensitive things like change your Apple ID password or change activation lock or, you know, turn off find my something, something dangerous like that.
And then it will basically go into one of two modes. It will say, are you in a trusted location?
In other words, a place I have seen you many times before. And if you are, it will say, do a biometric, please.
I just want to be absolutely sure it's you. And then it will do whatever you ask.
And if the answer to are you in a place that you usually are is no, it will say, do a biometric, please.

[27:27] Now hang tight for an hour, then do another biometric, and then I'll do what you said.
And that one hour delay is enough to lock out a thief, gives you an hour to basically turn on lost mode and lock the thief out of the device they stole.

[27:44] That's a good point. And you do have to then declare it lost or stolen, so that somebody doesn't continue with that.
The thing I expected and doesn't exist, and I'm a little disappointed, was I thought we would define where we wanted to be trusted, because they said home and work.
Well, I don't have a workplace, but let's say I go to the gym all the time.
The gym is the most likely place for me to have a shoulder surfer, because I don't go to bars and such.
And, uh, if I go there all the time, I mean, which I don't anymore since the pandemic, but I used to, that's the place where it's the most dangerous for me.
So that doesn't seem like a good, it seems like it's automatically figuring it out. It doesn't ask you, where do you live? Where do you work?
That is true at the moment.
Um, the beta of 17.4 brings us closer, not to exactly what you want, but closer.
There's an extra toggle has appeared, which is always on. So you can basically say that everywhere in the world is untrustworthy.
I didn't want that. Yes, but it's closer. Nothing like what I asked for.
No, no, but it's closer. No, no, the opposite.
No, no, it means that everywhere... It eliminates the bad spot, but it takes away the good space.
Right, but how often do you need to disable Find My, and how likely is it that you're going to be put off by an hour's delay?

[29:08] It's not disabling Find My, it's changing an Apple ID password.
Your Apple ID password being the thing you want to protect the most, and I would not want to have an hour delay.
No, no, but only if you reset it by using the passcode on the iPhone.
If you go to appleid.apple.com and reset it by knowing the password, none of this matters.
It's only if you use... Oh, okay.

[29:30] So, okay, that makes more sense. Yeah, I think it's actually... That could be okay.
I think it could be okay. But I think this will evolve. If it's already evolving between 17.3 and 17.4, I imagine there's plenty of feedback coming in.
So I wouldn't assume this is a finished product just yet.
So I would stay tuned. I would stay tuned.
I've long said that I don't understand why there isn't a giant scam of people who break into people's everything using their gym passcodes.
Because at least at our gym, I take my purse and I put it in my locker and I have to give it a four-digit code.
What are the chances that that four-digit code is different from the four-digit code that opens my phone or the four-digit code that unlocks my garage door or the four-digit code on my ATM card?
What are the chances it's different versus the same?
So picture this, you shoulder surf me putting my code in on my locker, then I leave for 45 minutes to go work out. You walk over, you open my locker, you take my purse.
You now have my home address. You have my credit card. You have my ATM.
You probably don't have my phone, but you've got car keys.
Yeah. Well, not in my case, you wouldn't have car keys, but because I've got my phone with me, but a normal person would have car keys in there.
You have everything to steal everything from me.

[30:52] Right. It's probably the code. It's probably the code to the alarm system.
If I have an alarm system, I mean, it seems to me you'd have like probably a 50-50 shot of success.
And that's a high attack factor. Not giving anybody ideas out there, but that's what I would do if I wanted money. You're right. Passcode reuse.
Forget about password reuse. We're getting better about that slowly, but passcode reuse.
Passcode. How many passcodes have you used in your life? If you look at four digits, how many total? I'm going to not answer that question.
I will say one thing. Me neither. I will say one thing.
About 10 years ago, when I started to become serious about security, when I would get a new ATM card, instead of changing the pin to what I had always used, I changed myself to the new pin.
But for most of my life, I did it the other way around. It's like, oh, I have a new ATM card. I'll go to the ATM, push the button to change the pin.
Actually, now that I've changed them all, I can tell you, it used to be 1701. a one.

[31:52] So if you knew you were a Star Trek nerd, you knew the answer to the question.
Yeah, if you knew me, you knew my pin code.
Oh, I know some people I can break into their ATM cards now that I think about it.
And if it's a five-digit code, 74656.
Star Trek Voyager. The five-digit code. Oh, really? NCC. 74656.
Anyway. Alright, well, we're almost through item number one.
Yes, that was the first bit of follow-up. Another thing we talked about a bit last time was a lot of accounts by big people on X slash Twitter getting hacked.
We have a little bit more information about what happened to the Securities and Exchange Commission.
They have confirmed that they had SMS-based two-factor auth and they were SIM-swapped.
So that is how their account was taken over.
A person in the SEC, not the entire SEC? The SEC's X account. Oh, is the...

[32:43] Oh, okay. Yeah. Which could be multiple people using it.
Exactly. Nice. So that is, that reminds us why we say that SMS two-factor is better than no two-factor, but only just.
And of all the two factors, it is the lowest of the pecking order these days.
Does the SEC get to keep the word security in their name after doing that? Well, they don't.
Securities aren't quite security, right? Oh, okay.
Securities, not security. Yeah, they're money people, not security people, which is a good excuse for me to pop into the show notes that X have started trialing passkeys.
If you are an iOS user in the United States, you apparently can use a passkey for X.
I am not, so I cannot.
But apparently that's true.

[33:35] We also talked about a bunch of federal agencies getting really cracking down hard on data brokers. We had two stories, and you are hoping it would just be data brokers full stop, but there were two specific data brokers being cracked down on.
But it seems to be a trend. There seems to be an appetite within the federal agencies at the moment to do things when it comes to cybersecurity.
So just since last we spoke, the Federal Trade Commission has entered into a consent decree with a company called Blackbaud, who had a pretty spectacular data breach last year.
And they are a cloud provider to non-profits, including a spectacular amount of American hospitals and things.
And they have been told you absolutely need to massively change up your security practices or, well, basically they've agreed to this with the FTC. So that is good.

[34:28] Unfortunately, after the barn doors are closed, but it's still better. It'll open again.
Exactly. Exactly. We'll keep them closed. And also, this is a great example of being able to, if you're now in a competing company and you're asking for money from the boss, you can say, do we really want to be forced into a consent decree?
Or how about you give me the budget to do this right from the start instead of all of this expense. So it's good. It's always good.

[34:52] Citibank are headquartered in New York, along with many, many, many financial institutions.
There's this wee thing called Wall Street you might have heard of, which means that when it comes to regulating banks, it's the Attorney General of New York State who's very important, who at the moment is a lady called Letitia James.
And she has sued Citibank for failing to adequately defend their customers from hacks and fraud through not doing the basics of security. So again, good.
In related news, the NSA have been forced to admit that they were buying data from data brokers because of some sterling work from Senator Ron Wyden, and he was triggered into asking questions by the news story we reported on last week with the FTC taking action against data brokers.
Senator Wyden was like, I wonder who else are customers of these people who've just been sanctioned? Oh, look, we are.
We being the government he is part of.
So that is good to see action being taken on that.
And in some... So specifically the data brokers, it was, they were buying your internet browsing data? Location data.
So physical location data from those same vendors who had just been found to be illegally collecting it.

[36:12] So, okay. Yeah. So it was an interesting question to ask. Oh, right. So these, these data brokers were collecting location data illegally.
Were we using them? Oh, yes, we were. So good question to ask.
Um, now we switched more to the good news column here. So it is coming up to tax season for you guys.
Uh, I believe it's the 1st of April, not a joke where you guys need to do your tax forms.
And I think it's usually April 15th. Oh, 15th, okay. Not the first, unless they moved it.
No, that's better, because I always thought it was hilarious that on April Fool's Day you had to do your taxes, but it's much better that that's not true.
I'm glad I was wrong. It's less funny, but better.

[36:52] Anyway, the Federal Trade Commission has ordered Intuit to stop falsely labeling some of their online services as free when they are not actually free.
When they come with little secret hidden, oh, did we say we're going to do your taxes for free? Well, actually, no, you owe us money now.
So this has been a long-running thing. Intuit, Intuit get federal money to offer free services, and they still offer paid services, and they have perpetually and continuously tried to trick customers who come for the free that the government have paid for into the paid.

[37:28] And the FTC have jumped in and went, no, you cannot push free stuff that isn't actually free.
You need to do the free stuff the government paid you for and not try to trick those customers.
Imply otherwise. Yeah. Yeah. Let's see. The article you linked to in Bleeping Computer says around two thirds of all tax filers in the U.S.
could not use TurboTax for free as advertised by the software provider.
So I can imagine it's like, if there's a 1040-EZ form where it's basically, I got a paycheck, I don't own a house, I don't have a car, I don't know, you know, I have no assets, and here, press this button, that's what you owe. And that's probably what's free. And if you own any property or, you know, securities, or have any other kind of income and/or debt or anything, it doesn't work. So, yeah, well, good on him. Exactly.
And then in a related sort of, it's not quite a palate cleanser, but it is good content all the same.
So a few days after we recorded last about the two data brokers getting caught up or getting sanctioned by the Securities and Exchange Commission, the Planet Money podcast released a podcast episode with the title, Why the FTC is Cracking Down on Location Data Brokers.
And they go into the economics of what's going on and a little bit of the history there.
So it's actually a really good way to get an understanding of what's going on that led up to that enforcement action. So I thought that was, and they're quite short.

[38:57] It's less than half an hour. So it's a nice tip I thought I'd share.

[39:03] Yeah. And I just realized I like to put my show notes in order where bad news comes first, but I obviously made a bit of a boo-boo here because the last follow-up is 23andMe and I have never said those words and followed it by good news, everybody.
Unless I mean it in the professor, whatever his face is, ironic sense.

[39:22] We now know more about how the whole thing went down.
It was indeed a password stuffing attack, which went unnoticed for five months, which means that no one was monitoring their logs for five months.
Because when you are hit by a password stuffing attack, I know this for a fact, when you're hit by a password stuffing attack, it's noisy.
Because you have to try, say, if you have a data breach with, if you have a thousand passwords that you got from another website, only one or two percent of those will work on any other website. So that means that the amount of noise you're making stuffing all of those passwords from the Yahoo breach into 23andMe or, you know, whatever, it's really noisy. For that to go on for five months and to successfully log into tens of thousands of accounts, that's a sign of negligence at best, not paying attention at all. Yeah, so that is not good news.
The other thing, the other bigger headline is that the attackers got the raw genotype data and the health analysis based on the raw genotype data from the accounts that were compromised.
So this is just a story that keeps on giving in the bad way.
So if you're a 23andMe user, you do need to be aware that this information has now leaked for a lot of people. If you're...

[40:49] There's millions of people who've lost enough information for scary phishing attacks.
And there's tens of thousands of people who've lost their genetic information.
If you didn't get an email from 23andMe saying that you lost your genetic stuff, you didn't lose that.
So if you don't have an email from 23andMe, it's only phishing you're vulnerable to.
But if you do have an email from 23andMe, then I'm telling you something you already know.
Maybe check your spam box for an email from 23andMe.
Why do they have health reports? Is that health reports like you have a genetic marker for blah, blah, blah?
Yeah. So they take the raw genetic data and put it into an algorithm to figure out what it means. And then they generate reports.
So one of the reports is, badly based, where in the world you're from, which is based on pseudoscientific nonsense.
And another report. Thank you. And another report, unfortunately, is based on sound science, which is the health implications of your genetics.
And that's not pseudoscience. Unfortunately, that one's real. Like, there are indeed genes that predispose you to all sorts of things. But I'm surprised they can do that from spit, as long as I have to take a real blood test to have the genetics. Like, we had a concern in the family, one of our family members has the genetic marker for colon cancer, and so I went and got tested, but it was not a spit test, it was not a stick-something-up-my-nose test or inside my mouth, it was a blood test.

[42:15] It's possible they were testing for many things at once while they were at it, and therefore they wanted the most diagnostic sample possible. It's like, we don't want to ask you for 20 things, so we'll ask you for the one thing with the most in it.

[42:27] Hmm. Yeah. But yeah, either way, that is, I look, that story just keeps on giving.
I thought we would share, but anyway, we're done with that. Let us move on, move on. Okay. We have two deep dives.
Uh, they, so the first one is not in the good news category and the next one is interesting.
So attackers keep on getting more clever. And when I say attackers, I mean, um, meta, unfortunately.
And I just checked in the show notes and I should also put, sadly to say, TikTok are doing this too.
So I should probably update the show notes to point my finger in two places, not just at Facebook Meta, but Facebook Meta are on the naughty step for sure.
So I'm going to set the scene a little bit before we go into what's happening now.
So we know that iOS is one of the most secure places to do computing because it's a very confined environment.
It's not like a general purpose desktop computer where when you run an app, it can do a lot. Inside iOS, the apps are inside a sandbox, and there's been very strict rules on what they can do technologically since day one.

[43:30] And one of the things that was very, very, very tightly controlled on day one was when can an app run?

[43:36] And in the very first versions of iOS, if the app was on your screen, it was running. And if the app was not on your screen, it was not.
And there was no way for code to run when the app wasn't the front most thing on your iPhone.
So when you would multitask away, the app would pause, and then when you would come back, the app would resume. But that was also a battery advantage too, right? Absolutely. And processor and RAM, because those devices, those early iPhones, that was amazing what they were doing on limited resources. Like, that was magic, right? Engineering magic. But it does have downsides. So you couldn't have a third-party podcast app initially, because as soon as you did anything else, the music would stop, right?
Oh, right, right. So over time, Apple have added APIs to allow apps to request limited background capability.
And so the first of those was background audio. And then they added background download, where an app could download stuff in the background for a finite amount of time every day.
So your podcast app could have your new episodes waiting for you.
And you could listen while you didn't have the app open.
And one of the things that was added much later, do you remember push notifications used to be a read-only thing? The notification would tell you some stuff and your only option was dismiss. You couldn't interact with a push notification, you couldn't click like or reply. Like, a push notification was a dumb thing.

[45:04] I didn't know they weren't still dumb. A lot of them have actions buttons.
So if you get a push notification from Telegram, you can reply right within the notification.
Oh, okay. Oh, yeah, I see what you mean. Yeah, so they call them rich notifications.
So those rich notifications quite clearly mean that some Telegram code must be running for you to write a reply to Telegram, right?
It means that a part of the app is allowed to wake up at least a little bit whenever you receive a rich push notification, because otherwise it physically can't provide the buttons.
And the charming folks at Meta and at TikTok have realized that if they send a push notification, that wakes their app up so they can send your location back to their servers.
And so they are basically sending out as many push notifications as they can to keep as good a terms on your location data as they can by getting their codes to send your location each time they push.

[46:00] Which is slimy. Interesting. So this does explain why Facebook and TikTok are constantly asking me to turn on notifications. Oh, yeah.
I get that pop up all the time. I keep saying no.
They really want it because that is a valuable source of background information.
It lets them track people's location by having notifications enabled.
So they want you to have it on.
A, because it makes you more likely to be a recurring user because you're seeing things. And B, because it lets their code run.
Whenever their code runs, they nab your location, either from GPS, if you've given Facebook or Meta or TikTok GPS access, or from your IP address, which is still enough to give a decent idea where you are. So they're either doing it indirectly or directly, depending on what they can. So the only solution... So it doesn't sound like this is against the rules or anything? No, this is just doing what is technically possible to be that guy. Right? This is being, right?
It's not technically speaking hacking. It's just deeply immoral.

[47:10] Right, right. It's immoral, but it's not against the terms of service or anything like that. It may fall afoul of not being clear in your privacy statements.
Yeah. Might do. Depending on what's in the small print that no one's read.
But the answer... So what can we do about it? Don't allow push notifications on any app that you don't fully trust. Right.

[47:30] Now, as it happens, my social media isn't allowed to push for my sanity.
Now I'm going, yay, bonus extra.
They can't track me. I don't let them do badges either.
You remember I did a post a while ago, an article about how I love notifications.
And man, it's gotten even, it's just, it's insanity the way we have our house set up with so many things. Like we get a few blocks away and all of the Eufy cams say, okay, I've switched to recording now.
And then as soon as one of us gets inside the geofence area, every one of them, I think I need like one of them to send a notification, but they all do.
So we get like bing, bing, bing, bing, bing. And you can hear both Steve and my phones going off and the garage doors talking to us and, you know, the ring alarm and somebody's at the door and the Alexa's telling us somebody's at the door and it's just, oh, it's a mess.
Well, I rediscovered how many air tags I have and how many notifications they send when I was visiting my parents for a week.
And my parents' house is not my house.
So when I would say leave, you know, I had two umbrellas with me.
Sorry, I had one umbrella with me. If I left my umbrella at home because it wasn't raining, I would get five minutes away from the house and go, you left your umbrella behind.
Oh, no, I didn't. You left your backpack behind. That was the one I got constantly.

[48:49] I turned mine back on for home. So when I leave my house, when I get about a quarter of a mile away, I get a notification that I've left four items at home.
And it seems to be learning the ones that I use all the time, the ones that are normally with me, because I have a lot more than four AirTags, but it's these four things that it knows, like my iPad and I don't know what else it is, but no, it's not my iPad, but anyway, there's four things I usually take with me.
But no, but I have my phone with me. Anyway, I had to turn it back on because I left my house to go to San Diego for a week without my purse.
That's a problem. So I can't trust myself not to leave something at home.
So now I have to have them all on so that that's going off when I get out of the geofence area.
Oh, I think my heater tells me it's turned off.

[49:36] Anyway, so that... But not TikTok or Facebook. Yeah, so basically, if you've seen stuff about this, this is how it works.
This is what it is. And the solution is no push notifications for apps you're not trusting of.
Deep dive number two then. I would assume we shouldn't trust Instagram either then, right? Meta too, right? Meta own them. Yes, exactly. Yeah. So this conversation is very much confined to the cybersecurity and privacy hat. So a lot has happened between Apple telling us how they're going to react to the EU's Digital Markets Act, which goes into force on March 1st. Their press release is huge. Apple press releases normally have like two paragraphs of information followed by four paragraphs of marketing spin, but this was an essay. This thing is huge, because they're doing a lot. There are over 600 new APIs that have been added to iOS to facilitate the way in which Apple are deciding to apply the DMA.

[50:44] And a lot of the discussion you're going to have been seeing elsewhere on the internet, and frankly, a lot of the discussion in general is from the point of view of developers, because an awful, awful lot of the changes are from the point of view of developers. And that is an important conversation.
It's one I have had on Let's Talk Apple, which I have recorded but not yet published.
So depending on the wibbly-wobbly-timey-wimeys of all of this, This, there will be Let's Talk Apple episode 125 shortly after or before you hear this, where I have a detailed discussion on the developer point of view and the economics of what Apple are proposing.
But there are implications from the point of view of, hi, I'm Bob.
I live in Europe. What does this mean for me?
And so that's where I want to focus on for this conversation, because otherwise we'll be here forever.

[51:32] Right. Right. So Apple did make a few changes that are very important for developers that are worldwide.
So there are changes to how developers can do game streaming and there's some extra reports and stuff all developers on planet Earth can get to give a better insight into how their apps are doing in the app store, which is cool.
Great for developers, but of no real relevance to end users, apart from the fact they might get some nicer features, which is yay.
All the rest of it is EU only. and Apple's approach has very much been to do what they believe to be the bare minimum that they are required to and not a darn thing more.
And whether or not that proves to be correct is going to be an interesting test because the way all of these rules work is very similar to how Apple treat developers which is an irony a few people have pointed out.
So imagine Alison you have an idea for an app store app and you have read Apple's rules and you're like well if I read it this way, this is legal by Apple's rules and they'll accept the app and I'll make a fortune and I'm a genius.

[52:35] But maybe Apple will interpret this word slightly differently and they'll reject my app and I'll have spent a year developing an app and I will make zero dollars and it will be a complete waste and I'll go bankrupt.
You have no mechanism to ask Apple to give you an approval in principle or anything.
All you can do is commit a year of work, submit it, cross your fingers and hope you can react to any criticism.
So every developer has lived in this limbo, which is one of the reasons people say that the app store prevents innovation because people are afraid to test the edges because the price of testing the edges is hard, right? It's a high price.
Now, the way the European Commission work with their regulations is that they do not begin to evaluate people's compliance until the law exists.
So until March 1st, the European Commission are not even looking at at Apple's proposal.
They were not going to start the process of checking if what Apple are proposing, is actually sufficient.
They will start that process on March 1st, and then they will come back to Apple with critiques.
So Apple have had to write these 600 APIs and develop this giant big plan in the hope that this is what's going to be allowed. So this may all have to change.

[53:53] So you're comparing this to the limbo that developers go into as kind of like ironic that Apple is going to have to sit in that same chair.
I am, yeah. The changes they're making have nothing to do with the fact that developers have to wait a year to find out, or work for a year and then find out.
They're now in the place where they've had to do all of this work and they have to wait until the EU then checks the work. Yeah, yeah, yeah.
I thought the shoe that was going to drop was that Apple has to change that.
That. But no, there's no hope for that. But ironically, we can all enjoy Apple having to do all this work and then wait to find out. Yes. Which means, A, a little bit of schadenfreude I have seen from people, but B, what this is is Apple's first offer to the Commission, because the actual wording of the DMA is that if the Commission decide this is not enough, the first step is not court cases and fines. The first step is engagement. So the way this is almost certainly going to work out is that the Commission are going to evaluate this.
This is going to happen on March 1st. And then on March 1st, the commission will look at it and they will then enter into a discussion with Apple where they're going to either say, tweak this, or, oh, no, no, no, no, this is wrong in every possible way.
We don't know what they're going to find. No one does.

[55:08] But almost certainly... Does it go into effect on March 1st?
Or that's when they give it over and they get to decide and then it goes into effect after you mess around with it.
So these changes will happen on March 1st and then it will be decided.
I don't know what happen means. I'm trying to get you to be more precise. This is real.
Does happen mean we will experience it? Yes, it does. Yes, it does. Absolutely.
So on March 1st, this will become, this description from Apple will become reality.
Whether it gets to stay reality for any prolonged amount of time is completely anyone's guess.
My educated guess is that at the very least this will be tweaked by the end of 2024.

[55:48] Or there may be a very, very tough discussion with the commission where they say to Apple, this is terrible and your whole concept is wrong and you have to start over.
And then Apple will say no, and then it will go to court and then it will be years.
But all of that time, what's described here will be in place until something replaces it.
Why wouldn't the EU review it before it goes into place?
That doesn't make any sense. That wastes everybody's time and energy and every developer going crazy. Except for the commission.
Because they don't have any staff to implement a law that doesn't exist.
So they don't have budget for doing this until the law is real.
And then their budget kicks in. So then they have the staff to go and actually do the reviews.
It's a strange way that the European Union is, I believe, Byzantine is the best possible word for their bureaucracy.

[56:38] What you said doesn't make any sense. The Digital Markets Act is in place, correct?
The law is passed, which means that on the 1st of March, the law becomes active and the resources to enforce the law, that budget becomes live.
So at that point in time... Okay, so on March 1st, they could accept Apple's plan, study it, tell them what they have to tweak before yanking every user and every developer's chain with rules that then they're going to come back and go, no, that's totally wrong.
Well, but how could they? That seems a big waste of everybody's time.
It's a lot of work to evaluate this. So on the 1st of March, hundreds of people in an office... And they shouldn't have asked for it if they can't review it.
But they didn't, right? The Parliament asks for it.
The Parliament asks for it and the Parliament assigns a budget to the Commission to police it, and the policing doesn't start until the law starts.
That's how the Parliament do these things.
So the Congress critters have decided that a bunch of bureaucrats are going to start working on March 1st and this is the effect.

[57:40] And everybody will blame Apple for these rules being changed midstream, coming up, showing up, disappearing, coming back.
That's unfortunate. Possibly. I am making no comment on the sanity of any of this. In fact, my comment is kind of in line with yours.
Yeah, look, honestly, I think it's nuts.
I agree with you. But this is what's going to happen. This is reality.
So this is what I'm describing. Let's get re-understand. Yeah, I'm sort of preemptively explaining because this is going to be an issue.
It's going to confuse people. So, what is actually going to happen from the point of view of regular old folk who are just users?
So, first thing is, unless you're in the EU, this doesn't happen to you at all.

[58:21] And even in the EU, a lot of this isn't going to happen for very many people because all of the developers get a choice.
Keep doing what you're doing now or move into this new universe.
And unless the developer chooses to move into the new universe, the app doesn't change at all. Nothing changes.
So developers have a choice for the status quo, which is perfectly fine because the DMA is about giving choices.
So developers being free to choose to continue what they're doing now is perfectly fine under the DMA.
They just can't be forced to keep doing what they're doing now.
So choosing to do so is fine.
So the chances are most developers are going to go, actually, this is fine.
I get to do the same thing in Europe I do in America, Africa, Asia. I get to do the same thing everywhere.

[59:06] Keep going. Even if they do updates to their application, they put out a new update, they don't have to follow the new rules.
No, because there are two contracts available to a developer publishing in Europe.
You can use the existing worldwide contract or the special EU contract.
So you have a choice of two contracts. Okay, okay, okay. So it's not a grandfathered thing.
It's every, if I am in the EU and tomorrow I come up with my great idea, I can choose either one.
Every developer gets to make the choice once.
If you choose to, so if you're a new developer, you sign up to contract A or contract B, and that is your contract forever.
If you're an existing developer, you can choose to switch to the European-only contract, and then you can never go back.
But you're in it forever. Forever. It is a fork in the road.
But you are free to go on either fork, and you can come off the Apple road at any time. But once you go onto the Europe road, that's it. You're in Europe land.

[59:57] Do we have any idea of what's going to change? Yeah. Yes, lots.
The whole fee structure changes if you go into Europe land. Like the commission drops to a tiny amount, but you get the platform fee instead.
I go into all that in great detail on Let's Talk Apple. From the user's point of view, different types of apps are going to become possible.
In Europe, if developers choose to take this opportunity, and my money is on, we will see very few of these.
So today, we think we have third-party browsers in iOS, which is kind of true, because when you install Firefox in iOS, what you see as a user is different.
It has, you know, it synchronizes your bookmarks from Firefox in your desktop.
It looks different. But its brain that does the HTML, CSS, and JavaScript is actually Safari's brain. It's actually WebKit.
And at the moment, Apple do not allow you to bring your own browser engine, because browser engines are hard to do securely and efficiently.
If you get it wrong, you have massive battery drain, Chrome on Mac OS.

[1:01:00] And you get massive security vulnerabilities like all of those zero days that we see patched in all of our browsers all of the time.
So Apple like to keep it nice and tight, but that is anti-competitive.
Say Europe, therefore, in Europe, if you choose the Europe contract, you as a developer can get a new App Store entitlement, which will give your app access to new APIs, which will allow you to build your own browser engine.
So you can have your own browser engine and browser fiddly bits if you choose to, but only in Europe. So who is going to write two brains?
If you're Firefox, do you want to write an app for Europe and an app for everywhere else?
And in one of those apps, you have to do all of the testing to make sure that your Firefox brain works in iOS, but you also have to make sure that your Firefox app keeps working with the Safari brain because you have to use that in America and Asia and Africa and...

[1:01:54] I think that they will.
Okay. And it's because of the headwinds that they're facing in the United States because of anti-competitive things.
And there's very few things that our existing lawmakers seem to agree on.
And it's everybody hates big tech.
So whether they'll succeed at writing any legislation, that's a whole other Oprah. But they all agree that big tech be bad.
So I could see a future where whatever they learn to do in the EU, they could start doing there.
And this makes me even more concerned about something I've talked to you about.
And you keep telling me that I'm being overly worried how many services don't work under WebKit.
How many of the things like Riverside to record video and what's the other one that we use?
StreamYard, you can't use WebKit for it.
And so all these services are starting to come out that we're getting back to the Windows, you had to use Internet Explorer world.

[1:03:02] And if the one thing that's held them back, I think, is the fact that iOS is WebKit and iOS is massive and iOS has a lot of money.
iOS users have a lot of money. So if now you can start running Chromium browsers on iOS, that's the end of the, that's a bad world I don't want to live in again.
I didn't like the ActiveX days.
That's an interesting point. And I would love to be able to say, no, Allison, you're wrong, but I don't think you are.

[1:03:27] Sorry. Shoot. So I, at least until another country copies and pastes this rule, I don't think we're going to see many third party engines.
The risk to users of third-party engines is that while the sandbox will protect you from the browser accessing data on your phone's other apps, it won't stop the browser messing up by accident or on purpose data sharing between tabs inside the browser.
Or the browser gathering information and sending it straight back to the browser author.
So if Facebook do a custom browser, there is nothing to stop them hoovering up all of your browsing habits and sending it straight to Facebook, right?
Because they're running the browser then. It's their engine; they can do whatever they like. But the biggest risk is you're going to have less privacy. Possibly. Or maybe more, because Brave or whatever could end up running a more privacy-forward engine. So Apple are always reined in a bit because they don't want to break the whole internet, but someone like Brave could become really brave and make an even more privacy-forward browser than Safari. But the other big risk is your battery will go to hell in a handcart if you start out running someone else's browser.
That's very likely. I just thought of a more optimistic way to think about the problem that we're facing with not being able to do things like StreamYard in WebKit.
And that is that these companies have figured out some really cool, innovative stuff that doesn't work on Apple's browser, and Apple should get that working.

[1:04:54] A lot of it comes down to APIs, which in hindsight turn out not to be great.
Like there was a thing for a while where there was an API to let apps see the battery status and everyone said, oh, it's terrible that Apple aren't implementing it.
And then everyone took it away because it was used to track people.
Because if you cleared your cookies and your battery level was the same, your IP address was the same, they just reconnected your session and started spying again.
So there's swings and roundabouts on Apple's reluctance to be first with new web APIs.
It's a game of chess. I guess they're getting way behind on this one, though. No, I want them to fix it. Okay.
What is definitely going to affect users though? So forget about new brains, right?
There are lots of browsers that have Apple's brain, but their own front end.
Everyone in Europe is going to be offered a browser ballot in the same way that they were forced to do in Internet Explorer when it was deemed to be a monopoly by the same European Commission a decade and a half ago, or however long ago it's been since Bill Gates was being held up in front of Congress and the US and the EU Commission.
So the first time you launch Safari, either on a new phone or on your first upgrade to iOS 17.4, you will be offered a randomly ordered choice of browsers, which will be based on the country you are in, which will be the 12 most popular browsers on your country's app store.
And then you get to choose which browser becomes your default browser.

[1:06:13] What do you mean 12 most popular on your country's app store?
So they don't exist yet. Oh, no, they do, right? You can go and get some Firefox.
This is not, I'm not talking about the brain now. I'm talking about you can get Brave, you're using ArcSearch.

[1:06:28] Okay. Okay. So I got you. Yeah.
So in Ireland, it will be the Irish app store. We can already change our browser.
So that's not a big thing, but it'll be in your face that you can.
You'll be forced to choose.
So it's not that you will be able to change. You'll be forced to choose.
On first launch, you will have to make a proactive decision one way or the other.
And Safari will be in the list, but it will not, it will be randomly placed in the list, and you'll have to pick one. So that is not nothing. Is that a good or bad thing in your mind? 12 is too many. It's going to overload people horribly. They're going to make people really cranky, and it's going to be like the cookie notice, which was intended to be pro-privacy and has resulted in everyone just never reading anything ever again. So I think well-intentioned, badly implemented is my hot take. Okay.
The next thing that is going to happen is kind of an easy one.

[1:07:22] So you as an EU user will be able to log in to the... So you already have a portal that allows you to download all of the data Apple knows about you.
So you and I have done it when it was first launched a couple of years ago.
It's a giant big zip file that tells you lots of boring stuff.
In Europe, that giant big zip file is going to have a whole bunch of new files about your App Store activity.
And that will be in a format that can be shared with third-party App Stores.
So you could, in theory, take your full search history and everything Apple knows about you to another App Store so that they can make suggestions based on the kind of apps you like, based on your history in Apple's App Store.
So that's a competition thing.
And so that's just a simple enough thing.

[1:08:06] The next thing then is third-party payment processors.
So whether or not a developer who goes the Europe road, whether they stay in Apple's app store or whether they go to a third party app store, they will also be able to choose whether to use Apple for payment or someone else for payment.
Those will become two separate questions.
Which app store am I in, and how do I take payment, are being separated as two questions. So developers don't have to answer that as one answer for both; they get to make two choices. And if you choose to go... So Apple's flat fees don't include payment processing. If you want Apple to do your payment processing, you pay an extra 3% in fees. So 15 and 12, 17 and 20 are the rates, depending on whether you do or don't take the fees. If you wait... So only... So the regular developer fee didn't change? Oh, it is still 15. But the upper one was 30 and now it's 20? No, the upper one is now 15.

[1:09:11] For developers who go the Europe route, the upper one becomes 15.
Sorry, the upper one becomes 20. Sorry, 20. It's 20, 17.
That's what I just said. So 30 went down to 20, but 15 stayed at 15.
I may be... So they just helped the big vendors. I may be slightly wrong about that, Allison. Everyone got a pay cut. Not a pay cut, a fee cut.

[1:09:32] I know it's 3% extra for Apple to do your money. That much I'm sure of in the show notes.
I'm so confused at this stage with all the numbers. I'm not going to pin myself, you know, I'm not going to pin myself on that one.
Which means that there are new APIs for getting payment elsewhere.
And because it's Apple APIs, you can be guaranteed as a user that it will never happen without your knowledge.
If you are in an app that uses a third party processor, you will receive a clear notification provided by the OS that tells you that you are departing Apple's walled garden and you're on your own.
And I'm sure the exact wording is going to be tweaked a bit, but at the moment every sample you've seen has been quite, oh my God, the world is ending, the world is ending, you're leaving Apple's walled garden, this is terrible. Um, it has real side effects though, because Family Sharing and stuff, like, you know, the way you can give kids an allowance, all of those kind of cool things are also... In fact, I believe you can set up parental controls that your kids can use their allowance but only for certain types of apps. All of that stuff doesn't work on a third-party processor because Apple are not in the loop anymore.
So there are real effects of leaving Apple's walled garden.
And the 3%... I think family sharing is another one. Yes, exactly.
Or did you say that already? I think I might have. But yeah, just to be clear, family sharing and parental controls are separate but related, and they are definitely all in the mix here. And...

[1:10:59] The thing is that 3% processing fee is not expensive.
That's market rate. That's normal.
Yeah. So I don't see a massive big draw for anyone who is not a massive corporation who is their own payment processor.
And if you're big enough to be your own payment processor, then it's 0% commission for yourself.
So 3% is more than 0%. But for almost everyone who doesn't have in-house credit card processing, 3% is so utterly not an issue that the hassle you save by not doing it yourself means that it is economically wise for most developers to stay right where they are.

[1:11:42] If you want to hear me go on a rant on this subject, check out the most recent episode of the SMR podcast with Allison, where, uh, I specifically talk about the fact that people lost their ever-loving minds when Apple said, okay, fine, it's not at 15, it's 12 if you do your payments outside. Well, of course, the only thing you moved was the payment processing. Everything else is the same. Anyway, I'm not going to go into the rant here, but I did not lose my ever-loving mind, and I don't understand why people did. You might think 15% and 12% are too big of numbers.
That's a different discussion. They're not for the fact that they only subtracted 3% when they only subtracted the payment processing.
You can't, it's illogical to lose your mind about that little piece.
Agreed 100%. And one of the things that you will hear me say on Let's Talk Apple is that Apple have been forced to name the other percent.
So the 3% was credit card fee. So what do you call the rest?
It is called the platform fee.
Or the core technology fee, CTF, core technology fee.
So it's the fee. Yeah, there's two things in that. There's stuff that costs them money and profit.

[1:12:49] That's what's in that piece, right? That's all that's in there. True.
But the reason they feel they're entitled to it is because it took a lot of efforts to build iOS and to build this massive market. And you can argue whether or not they're entitled to that.
But moving the processing fee has nothing to do with whether they're entitled to that other pile. Exactly.
Completely agree with you. So that is the payment stuff. The next thing is that you will hear people wrongly say that sideloading is coming to Europe. No, no, no, no, no. There is no sideloading. Sideloading means you bypass the security settings. There is zero bypass of a single security setting through any of this. Every app, no matter what app store it comes from, is notarized, which means it is checked through all of Apple's technological... Every technological control that stops an app from doing things remains in place.
The apps are sandboxed. The APIs remain the same. The apps can't do anything they can't do now.
The apps don't get a single new power because they are all notarized.
So I think you are redefining sideloading by a definition that's not widely accepted.
The definition according to dictionary.com from the Oxford languages says to install software obtained from a third-party source rather than an official retailer.

[1:14:08] I stand by that definition because the only way you can get apps is through an app in the App Store.
So third-party app stores are actually apps. And an App Store.
No, no. And App Store. But on iOS, that third-party is an app that comes from the Apple App Store.
You're still getting the app indirectly through the Apple App Store, and the control Apple are enforcing is massive.
There is no bypass of, There is no getting around Apple's control.
So I don't think this meets the definition of sideloading at all.
You can't just download an .exe file. Well, I don't know where your definition comes from, but I mean, if you're using an Android device and you use the Amazon App Store, that's called sideloading.
But you can also download an APK file. I think it's called an APK file.
You can download a file from the internet and install it on Android.
You've got to click yes to a few things, and away you go. That is not coming to iOS.
You cannot go to a random website, download an .exe file, and run it. Not possible.
It's only... Okay, then what is your term? You've got to give us a whole new term that nobody else is using.
You cannot run arbitrary code. Because this is common usage.
You cannot run arbitrary code.
No, no, no. Give us a term for when you're using a different app store.
What is that called? Okay, let me put it to you this way. You cannot run an app Apple have not approved.

[1:15:31] Approved in what way? Notarized. It has gone through human review by Apple. If you get an app.
But what is the name of that? Now, I'm buying it from the, I'm going to buy an app from the Facebook app store.
I'm not allowed to call it sideloading. What is it called? You're getting it through a different app store, but it's not sideloading because it's still being verified by Apple. It's not sideloading, according to you. What is it?

[1:15:57] It's the word people use, sideload. I'm using a different app store.
Sure. I can see that there's a distinction within sideloading, that there's two different things there.
But I think the fact that it's in common usage may just be the language changing over time.
Within the security community, everyone is shouting and screaming that this is not sideloading because I can't write an app and give it to you.
I can't write some code and give it to you.
Whereas on the Mac, I can write some code and give it to you.
On Windows, I can write some code and give it to you. iOS remains completely closed.
If Apple don't approve it, digitally sign it, the app will not run.
Approve it in one certain very specific way. They don't approve whether it can do other things.
I mean, they don't approve whether it's porn.
It's actually the inverse. Approve is too broad of a word. The only thing they don't get to do is content review.
All security review remains with Apple.
And no app can run that hasn't been proactively blessed. So approve, security review, you're right. But they have... The only thing they have to do is digitally sign the app to allow it to run. If they don't do anything, the app cannot run. So without Apple, the app is inoperable.

[1:17:10] The car can't start unless Apple say you can start the car. Technologically speaking, it's a big deal. It's massive control. So the point I'm making is control.
Apple haven't given up control.
That's good information. What they've given up because the DMA says it.
So the Digital Markets Act explicitly says that the sole responsibility for content moderation rests with the store selling the app.
So if you have an alternative app store, they make content decisions legally.
And Apple may not in any way infringe on that, because the law... It's one of the few things in the Digital Markets Act that's like really clear. So content decisions are with the third party; all technological control is with Apple. And they're very clear that they're going to force the app into the sandbox, they're going to stop the app using secret APIs, you still have to do stuff like App Tracking Transparency. So from a practical end user point of view.
Adult content, fine. Gambling, fine.
Something as cool as Audio Hijack, still impossible.

[1:18:25] Yeah, exactly. Because people were hoping that developers could do the things they're imagining, but they can't.
And they still can't. And that's why a lot of people are very disappointed, because people have great ideas.
And they were hoping they could do them. And they can't.

[1:18:47] I wonder whether, you know, one of the things that, uh, was a good example of you do all this work on an app and then Apple tell you afterwards that you can't do something you were doing, was Casey Liss in the, uh, the app Callsheet. He has album artwork for the movies and TV shows, and they came back and said, no, you can't do that. And it's like, well, no, you let everybody do that. I mean, IMDb does that. How could you not let me do that? But that was a case of where he got tangled up. It took him actually knowing a guy to get that broken loose to where he was still allowed to do that. And, uh, it was a big mess. But I'm wondering whether that would fall under technological or under content. No, that's under... because that's copyright. Copyright content operates content. That would not be Apple's doing, except Apple owns... Apple and Disney are like this. I'm holding up my fingers twisted together.
And that was the problem was the screenshot he gave them had some Disney Pixar screenshots in it.
So he jiggled them around to where none of them were Disney.
And he got it. I think that's what he ended up doing. And he got it approved.
Well, under the DMA, the way it would work was that Apple would have to sue him through his other app store.

[1:20:02] As if they were Joe Blow, who had a copyright complaint. Oh, okay.
Okay. So, interesting thought. So, those third-party app stores I keep mentioning, they're going to be apps you download from the Apple App Store, which have an entitlement which allows them to install apps.
So, they're apps that have the rights to install apps.
Those apps will then be handed over to the operating system, which will show you information about the app, which has been digitally signed as part of the notarization process.
So you write an app that's really cool and you're going to sell it through Bart's App Store.
One of the things you have to do when you're compiling the app for notarization is add metadata like this is what the app is, this is what it does, these are the permissions it needs to run.
It goes for notarization, a human checks that your description matches reality and then your description is digitally signed along with your app.
So what comes back to the third-party app store to sell is your app, Apple's verification that the app is not malicious, and your description of what the app does that is unalterable.
And then when you install the app from the third-party app store, the OS will present that metadata and say, this app was written by Bart.
It is a whatever app. Here are some screenshots we took while we were testing the app. We have notarized that it's safe. Yay or nay to install it.

[1:21:29] So that means that as you're installing apps, no matter where they come from, their App Store nutrition label is going to come along for the ride, but it's going to be baked into the app instead of it being a feature of the App Store, which is clever because we do still want to know what's going on with our apps. So I like that.
And yeah, that's really, I mean, the notarization is a big thing.
So the fact that Apple will still be reviewing all of the apps for everything apart from content is the really big takeaway.

[1:21:59] So I think a lot of people assumed that we were heading to some sort of a Wild West security dystopia where you would click one OK button and then any app could install anything and do anything the Android way.
A lot of people assumed the only possible answer was a few warnings, the user clicks yes, and then all the rules are gone and you can do whatever you like.
And that's absolutely positively not what is coming here. What is here is the teeniest of the minimalist possible expansion of what's possible to meet Apple's interpretation of the Digital Markets Act.
And how much of this is going to actually be forced to become a little bit wider?
That's all up in the air. But this is the starting point. And it's very minimal.
I'll be sitting on the sidelines with my popcorn. Oh, yeah, absolutely.
We will be talking about this a lot. Yeah. So anyway, that is, like I say, big news month.
So moving on to some quick action alerts. Apple patched everything.
It contains a zero day. Patchy, patchy, patch, patch. It's in Safari.
Therefore, it's everywhere. Oh, that's an interesting callback.
Google Chrome, also an interesting callback, have also patched their first zero day of 2024.
So if you're using Chrome or Edge or any of them, they've all been patched.
Patchy, patchy, patch, patch on your Edge base, or so your Chromium-based browsers as well.

[1:23:20] There is a nasty flaw in a very, very, very common piece of Linux called glibc. It is the GNU C library.
It underpins very, very, very, very, very much software.
It is a local privilege escalation, so it is not good for home users, and you should patchy, patchy, patch, patch, but it's catastrophically bad for cloud providers, so they absolutely have to patchy, patchy, patch, patch.
There is a Mastodon bug that has been responsibly disclosed. It has been patched, and the details are being kept secret for 15 days. So if you run your own Mastodon server, you have 15 days. The clock started ticking a few days ago. If you're not patched by the time the details are released, the chances are that you will be hacked very, very quickly, because it's quite a serious bug. Um, people may or may not have noticed, I have started to run my own Mastodon server. I chose software as a service from something called masto.host. So when I checked this morning, my server had been updated by masto.host, which is literally what I pay them for. So, uh, good. That is why software as a service is a nice thing to do.

[1:24:30] Worthy warnings then. The FBI have issued a warning that scammers are using a new trick where they're actually starting to bring physical humans into their extortion scams, where they end up getting you to meet a human to hand over cash.
So they're telling you that you need to go and liquidate some gold on one of those dodgy gold liquidation sites.
And then they will pay some low-level person to go meet you and take the money off you, basically couriers like you would do for other... This was for tech support scams? Huh. Yeah, so the FBI are now seeing this as the next step in tech support scams, which is amazing. So be careful. No federal agency wants you to sell gold. This, vouchers, gold, they are never legitimate if someone is asking you for them claiming to be part of... Target gift cards. No, exactly. Exactly. Exactly.

[1:25:24] Also, there was a bug a year and a little bit ago in December 2022 in iOS that Apple patched.
And there are enough unpatched devices that the CISA, the US Cybersecurity and Infrastructure Agency, are seeing active exploitation of that bug successfully hacking things.
Patchy, patchy, patch, patch. And all federal agencies in the U.S. are under orders to be patched by February 21st, legally. Um, there is a scam on Facebook to watch out for that Bleeping Computer say is on the rise: "I can't believe he's gone." The obvious thing is to try to trick you into believing someone has died, and you're obviously going to click on it, because, oh my God, I can't believe X is gone. It's a really common scam. Be on the lookout for that. But what happens if you click on it? They're using people's hacks, so you...

[1:26:21] Imagine I break in, imagine you reused your Facebook password somewhere.
I would then take over your account and send out this message to all of your friends who then see something coming from apparently you saying, I can't believe he's gone.
And that would then trigger you into interacting with me.
And that would be my in to start trying to social engineer something out of you. It's my way of making initial contact.
Got you. Okay. Got you. Right, right, right. Because, yeah, you can only trick people if you get them talking to you.
So this is their way of getting the conversation going.
Trello had a whoopsie in their API that they initially pretended wasn't real, but then admitted actually, no, it was real.
15 million people, their email addresses and other information has leaked.
The danger here isn't credit cards and stuff. The danger is targeted phishing.
They will be able to believably be fake Trello because they know enough about you to look legitimate.

[1:27:21] I feel like you told us about this one because I know I went to Trello.com and I looked in my 1Password and I didn't have a password, but I knew I'd used Trello for a little while.
So I went in and I said, I forgot my password. It gave me a new password link and I changed it to something that is now in my 1Password account.
I have no memory of doing so. I can't think I would have known this without you. You may hear things from other people.
I'll just check the date on the story. It's possible. January 23rd.
So I don't think it's possible it was me.
Okay. Maybe they sent me an email.
Oh, actually, that's entirely possible. That's possible. It is possible.
Yeah. I don't listen to anybody but you, Bart. You listen to Tom Merritt. He tells you things.
Oh, look, somebody's trying to break into my Instagram account right now. Oh, yay.
Or pretending to, anyway. I just got a code. Oh, okay. No, I just got Instagram just sent me a code. I get these all the time from Facebook.
People always trying to get into my account.
God bless MFA, or sorry, 2FA in action.
Yeah. Moving on to notable news.
Oh, I'm sorry. I'm sorry. It's a better story about Trello.
Oh. Do you remember I said last week that I thought have I been pwned was a stupid thing because all it does is tell me that my password's been, or that my username has been used?
Yeah. Right after we recorded, I got an email from Have I Been Pwned telling me that I was in the Trello breach. And that's why I did it.
So I have to confess that you were right. It actually does have some value.

[1:28:49] Number of accounts, 15,111,945 people have been affected on January 22nd.
That is where it came from.
So shoot, it did come from you. Indirectly.

[1:29:02] Notable news then. So these stories are important for different reasons.
So there's a lot of English in these show notes, actually, because these need a bit of putting into context.
But basically, there is a law on its way through the process in the United Kingdom which has the potential to cause major headaches for Apple and Microsoft and many other people.
The UK government want to give themselves a veto for software patches.
They want to give themselves the right to tell Apple not to disclose or patch a vulnerability that the UK government is using to spy on people or surveil people.

[1:29:38] So if they're using a backdoor that relies on a bug, they are saying that they will have the legal right to tell operating system vendors not to patch.
That would be catastrophic. It's not clear where it's going to go, but Apple are currently shouting loudly about it. We shall see.
On the one hand, it's great that the FBI have disrupted a Chinese botnet that was using unupdatable routers. So remember, I keep saying that when a router stops getting software updates you have to throw it in the bin because it's unsecurable. This is evidence of how unsecurable it is: there's an entire botnet of them out there working for the Chinese government, or at least there was, until the FBI went to a court and got permission to hack into the hacked routers and to install an unofficial, unsupported software patch to kick the Chinese out and close the back door, which is, on the one hand, fantastic.
It's software patches for free, but it's the federal government being given the right to hack people's private devices.
I'm in favor of it, but that sounds like something there should be a bit of a debate about, but it's kind of gone under the radar. So anyway, there we are.

[1:30:53] This next one directly affects me, so I nearly fell off my chair, because I finally rented a car for the first time in my life and I chose Europcar because they would rent me a Polestar 2, and I wanted to drive a Polestar 2. And then I got headlines all over the place saying "Europcar caught up in data breach, 50 million users affected", followed a day later by "Europcar denies data breach, 50 million users were not affected, the data was fake." The good news is the data was fake.
This is not a real breach.
So people trying to extort companies are now pretending to have a data breach to extort silence for not sharing the data they never breached, which is a fantastic way of taking ransomware to the next step.

[1:31:40] What made this catch a lot of people's attention is Europcar, in their press release, said this must have been generated with generative AI, to which Troy Hunt and most of the security community went, actually, no, there's lots of tools out there for doing this, and this looks just like everything that's been around for years; this probably isn't AI. But I sort of went, yeah, but isn't this another thing that AI could do? So just because someone claims to have breached your data, don't assume you've actually been breached. They usually give out a sample. Check the sample, and that's what was done here. Troy Hunt and loads of other people checked the samples and, lo and behold, they were rubbish, so the data breach was invented, which is interesting.

You have regularly said, and I have regularly agreed with you, that it is a bad idea to take random thumb drives and plug them into your computer. This is not hypothetical. There is a campaign actually happening now in Italy where a whole bunch of businesses have fallen victim to this. There is malware spreading in Italy, targeting businesses, on USB drives. Don't plug in random USB drives.

[1:32:48] An important reminder, and I also wanted to put this in the show notes because this is a good news story that's probably been reported as a bad news story.
So 49 zero days found in Tesla cars. That is a true fact.
It was at the Pwn2Own Automotive Security Conference, which means that Pwn2Own paid security researchers to try to hack cars, not just Tesla, lots of cars, gave them money for doing those hacks on the condition that every bug is responsibly disclosed to the vendor, who then have 90 days to patch it.
So what's happened here is that some of the best security researchers in the world have been paid good money to make everyone's Tesla more secure. So, yay. That's it, that's a good thing. I'm going to correct one phrase: that is a fact.

[1:33:44] And I'm going to add: a true fact. I'm going to answer: true. That is also true. True.
And a fact. Anyway, I'm going to end then on one final good news story.
Reporting on how many people are actually paying ransoms is showing that people are not paying ransoms anymore, which means that the financial incentive for ransomware is drying up. Ransomware has already shifted from targeting individuals to targeting companies, because that's where the big bucks were, and now that is drying up too. So the economic case for ransomware is evaporating, which means that ransomware is almost certain to follow, because cyber criminals are only interested in money. They're not doing it for the craic, right? They're doing it for the money, and the money is drying up. So this particular phase of evilness is nearing its end.
There will be other bad things, but this one is ending. That's good. Yeah, that is good news.
I'm also going to retract what I said. I just did some more reading on the side here on sideloading, and now I understand what you were saying, that sideloading, even on Android, is where you just download something.
It's not when you go get it from an official app store.
Yeah. So I retract my arguments from before. Everybody put your pencils down.
Stop writing me angry emails.

[1:35:11] It's good we had the discussion, though, because it's a really subtle point that's important, so that was very valuable. I have two top tips to share. TidBITS have a good article on some tactics you can use if you receive an AI voice scam, which is now a thing, where someone phones up pretending to be someone who really exists, saying they're in trouble and asking you to mail them money immediately. How should you react? Well, TidBITS have some good advice, like phone them on a different... you know, hang up and phone them back.
If they're real, when you ring them, they will say, yes, I really am in trouble. Help, help, help.
But the chances are very high when you ring them, they'll say, what are you talking about? I'm fine.
Or if you can't do that, phone a relative who is closer to them than you are. Is Bob really in Africa?
No, Bob is just down the road getting the groceries. Oh, OK, then I won't mail $3,000 straight away.

[1:36:04] OK, so this is good advice. And that's good.
Also on TidBITS, if you're wondering, how do I securely share a piece of information with someone else online?
They go through eight different ways of securely sharing information online.
And depending on what you already have, there's a really good chance one of these is already covered by something you already have in the cloud, because there's so many cloud services. So that's a really good one. So, like, post it to Facebook would be one. Oh, totally, absolutely, yes, definitely post it on X and Facebook with the message saying, please don't read this, like in those email footers that say, if this email was not for you, please do not read.

[1:36:42] I always loved those. Interesting insights, then. We talked about the mother of all breaches last time, which is this 12 terabyte data set. If you're wondering how do you get 12 terabytes of passwords, because they didn't come from one breach, they came from lots of breaches, Troy Hunt has a really good explainer that explains this entire ecosystem of personal stashes, which is where they come from. I learned a lot about how this stuff works from that article, and it's Troy Hunt, so it was nice and human friendly. It wasn't all techie and geeky in the bad way; it was techie geeky in the good way. And we have talked many times in recent weeks about malicious software ads on Google successfully having compromised versions of software, and you and I were kind of wondering, how are they sneaking through? Because obviously Google are trying to not have malicious ads, so how are they sneaking through? Well, Brian Krebs on Krebs on Security explains one of the tactics currently being successful.
They are being legitimate software download sites 90% of the time.
And every now and then they're throwing in some malware. So they build up a reputation and they're a perfectly normal ad user.
And then they've used that reputation for a while. And that's how they succeed.
They're spitting in our soup. They're spitting in our soup. That's it. Exactly.

[1:38:01] And then last, but by no means least, an excellent piece of analysis from Intego.
Mac and iPhone malware of 2023 and then they project a trend forward to what we can expect in 2024.

[1:38:15] It's a month by month, blow by blow what has been going on in the Mac and the iPhone for last year and what does that imply is likely for this year.
It's a long read but it's some sterling work so I thought that's worth calling out.
Some of our listeners may enjoy that but you know it's a read for when you have a lot of time.
And then I have two palate cleansers. And the second one, I think you and Steve will particularly love.
So the first one sort of caught me by surprise.
There's a podcast I love called Unexplainable that they cover the edges of what we know.
And they basically tell us that this is the thing we don't know.
We almost know this much about it, but here's the question that remains.
And it's really fascinating to know where science stops and what we're currently trying to strive towards, but they had an episode entitled "The Math Problem That Could Break the Internet."
And I went, ah, yeah, quantum computing, yada, yada, yada. Heard it all before, but I was too lazy to take my phone out while I was cycling and fast forward on.
I'm really glad I didn't fast forward on because that's not what it was about.
It was a much deeper, a much more theoretical question that I had never even known existed before.
And I learned a lot. How fun. So you may too.
And then the last one is one I know you and Steve will love.
So Freakonomics Radio is usually about economics and stuff, as its name suggests.

[1:39:39] But it's kind of a name like NosillaCast. They're kind of allowed to do whatever they like.
And the host is fascinated or has recently become fascinated by Richard Feynman.
So they have started a mini series of episodes on Richard Feynman.
And they're all called "The Something Mr. Feynman." So the first one is "The Curious Mr. Feynman."
And it goes into his life story and what made him the curious person he was and what gave him his outlook on life.
And the next episode we've been promised is "The Productive Mr. Feynman," which is about his really good science and quantum electrodynamics.
And I don't know what else is going to be, but it's going to be "The Something Mr. Feynman."
So there's going to be... there's at least one out. Oh, that sounds great. Yeah.
The first one's excellent. It starts with the investigation of the shuttle and the O-rings, you know, and it's wonderfully understated.
This may have some bearing on the case as he basically demonstrates how the thing blew up.
So it's fabulous. And unfortunately he got credit for figuring it out, which he did not figure out.
He did that after somebody at the table said it.
And then he picked up the O-ring and dipped it into a glass of ice water and held it up and they took a picture of him and that went across the news and he ended up getting all the credit.
It's actually, there's a backstory before that backstory because he went to a lot of work to make sure there was ice water on the table.

[1:41:02] Okay. But anyway, that's what he said in the book I read by him, about him and stuff.
So yeah, there's a lot of fun. He's a great character to learn about. He is.
Yeah. Sorry. I know we're running really long because of the Apple stuff, but one quick thing, his daughter is heavily involved.
So his daughter is one of the main interviews in this podcast series.
Okay. I think she might've written one of the books that I read about him.
I've read a bunch of books about him and he's, yeah, I'll definitely be checking this out.
This sounds like fun, but yes, we have gone very long. I'm getting hungry. I got to go. Me too.
So remember, folks, the summary for all of this, stay patched so you stay secure.
Well, that's going to wind up this mammoth show for the week.
Did you know you can email me at allison at podfeet.com anytime you like?
If you have a question or a suggestion, maybe a dumb question like Chelsea had, you can just send it on over.
Remember, everything good starts with podfeet.com. Want to follow me on Mastodon?
podfeet.com/mastodon. Want to listen to the podcast on YouTube?
podfeet.com/youtube. Want to join in the conversation?
Join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. Want to support the show on Patreon?
podfeet.com/patreon, like Richard. Or you can do a one-time donation at podfeet.com/paypal.
And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.

[1:42:26] Music.