Generated Shownotes
Chapters
0:00:00 NC_2024_02_18
0:01:04 Free Video Tutorial: Image Descriptions for Social Media on ScreenCastsONLINE
0:02:22 CCATP #787 — Bart Busschots on PBS 161 — jq: Maths, Assignment & String Manipulation
0:03:48 CES 2024: SLIMDESIGN AI-Powered Compact Body Camera
0:08:22 RICOH OLED Portable Displays are Gorgeous AND Have a Kickstand
0:23:48 Support the Show
0:24:22 Security Bits — 18 February 2024
Long Summary
In this episode, I announce the absence of a live show due to a family event and discuss a tutorial on adding image descriptions for social media. Mentioning the change in ownership at ScreenCastsOnline, I share my experience with portable USB-C displays, reviewing various options based on functionality. We delve into the rising trend of ransomware payments and address misleading statistics. Exploring Apple's privacy measures for the Vision Pro device, we highlight its protection features for user data.
I explain Apple's Vision Pro rules, categorizing them into shared environment and immersive experiences. Shared environment apps have limited access to Vision Pro's additional information, receiving events similar to mouse clicks without detailed hand movements or gaze patterns beforehand. Immersive experiences offer more access but are still restricted through APIs controlling information flow.
Furthermore, we discuss Apple's participation in an AI safety initiative, ExpressVPN's API security issues, and DuckDuckGo's end-to-end encrypted synchronization. Data breaches affecting Bank of America customers and fraudulent activities totaling $10 billion reported to the FTC are also topics of conversation. Lastly, we share a fun space-related anecdote and recommend engaging online content.
Brief Summary
In this episode, I discuss the absence of a live show due to a family event and share insights on adding image descriptions for social media. I touch on the change in ownership at ScreenCastsOnline and review portable USB-C displays. We address the concerning trend of ransomware payments and debunk misleading statistics. Exploring Apple's privacy measures for the Vision Pro device, we highlight its protection features for user data. We break down Apple's Vision Pro rules, focusing on shared environment and immersive experiences. Additionally, we touch on Apple's involvement in an AI safety initiative, ExpressVPN's API security issues, and DuckDuckGo's end-to-end encrypted synchronization. Data breaches impacting Bank of America customers and significant fraudulent activities reported to the FTC are also key points. Lastly, we share a space-related anecdote and suggest engaging online content.
Tags
live show absence, image descriptions, ownership change, USB-C displays, ransomware payments, misleading statistics, Apple privacy measures, Vision Pro device, AI safety initiative, data breaches, fraudulent activities, online content
Transcript
NC_2024_02_18
[0:00] Music.
[0:14] 1980. Before we get into the show, I want to announce that there will be no live show next week.
Steve and I are going to go to our granddaughter's fourth birthday party in Texas, and we'll be gone over the weekend.
We get so little time with our son Kyle and his family that we don't want to miss a precious second, so we're not going to do the show from there.
It would also be an awful lot of gear to carry on a plane, and their house has hardwood floors and three tiny and very exuberant children, so the audio might be a little bit rugged as well.
Now, just in case you thought our nearly 19-year streak would break, I expect to publish next week's show on Tuesday.
That's the day after tomorrow for me right now, and that'll be before we leave.
You're more than welcome to wait until your normal date and time to listen, or you can open your present early.
It's up to you. We'll be back to doing the live show on Sunday, March 3rd.
Free Video Tutorial: Image Descriptions for Social Media on ScreenCastsONLINE
[1:04] Last week, I told you about the tutorial I created for the subscription-based service ScreenCastsOnline. That tutorial was all about how to add image descriptions when posting to social media.
This is essential to make sure that everyone can enjoy the content you create, and it increases your reach to have more people be able to enjoy that content.
[1:23] I got to thinking about how important this subject is, so I asked Lee Garrett, the new owner of ScreenCastsOnline, whether he might consider making this one tutorial free rather than behind the paywall.
He watched my tutorial and he immediately agreed. read.
I put a new link in the show notes directly to this tutorial on the ScreenCastsOnline website, and I hope you'll go and watch it.
I gotta tell you, it's far easier to add image descriptions today than it ever was in the past, but there are some tricks to finding the right buttons in each service, and I try to teach that in my ScreenCastsOnline tutorial.
[1:56] Now, in case you're wondering, Don McAllister is still on board with ScreenCastsOnline, but he's handed the management and day-to-day operations off to Lee.
Don will get back to doing more video tutorials now. I support this 100% because he is the master of tutorials.
Additionally, Lee is a great guy, and he's been teaching at ScreenCastsOnline for a long time, so it was a great fit and a seamless handoff.
We get the best of all worlds.
CCATP #787 — Bart Busschots on PBS 161 — jq: Maths, Assignment & String Manipulation
[2:23] In this week's episode of Programming by Stealth, Bart continues to expand our knowledge on how to use JQ to query and manipulate JSON files.
We learn how to use mathematical operators on data in our JSON files, along with fun functions like floor and absolute value.
I even contributed some to the learning by showing examples of how SEIL, that's C-E-I-L for sealing, floor and round produce curiously different results when operating on negative numbers, specifically negative decimal numbers.
We move on to learning about both plain assignment and update assignment.
That seems like a small deal, but the ability to set a parameter using the plain assignment equals versus the ability to update a value using pipe equals is actually huge and has lots of subtleties to it.
I think one of my favorite parts was when Bark took us back to our JavaScript lessons, it reminded us of how weird it is on one concept, but how JQ is much more in line with other modern programming languages.
I felt like a seasoned programmer because I knew the history of what we'd learned.
Finally, we learned how you can actually divide strings. I know, weird, right?
All right, that's enough spoilers. You should check out Programming by Stealth episode 161, and you can, of course, read Bart's fabulous tutorial show notes at at pbs.partificer.net, and you can subscribe to the podcast by looking for Programming by Stealth or Chit Chat Across the Pond.
CES 2024: SLIMDESIGN AI-Powered Compact Body Camera
[3:48] Let's start off with another interview from CES.
[3:53] We all love cameras, and of course, AI is the center of absolutely everything at CES these days.
I'm in the Slim Design booth, and they promised the world's first miniaturized, affordable AI body camera. That's all the buzzwords.
Anyway, I'm here with Walter Koenigs, and he's going to tell us all about it.
Yes, thank you for having me.
We are a design agency. We develop consumer electronics for a lot of companies.
We've done a lot of cameras. For MSI, a 360 camera.
For Panasonic, another. And we also do body cameras.
So when we were developing the body cameras for the Dutch police, we saw that there's a lot of other use cases and also professionals would like a small camera that's cheap.
But they don't get one because it's too expensive. So like bus drivers and all that.
So what we set out to do is make a very small camera that uses your phone as the hardware.
So it stores on the phone and it also uses the connection, the connectivity of the phone.
So we can make the camera small and very cheap. And that's basically what we set out. Is it over Bluetooth or what is the connectivity?
Yeah, our own connectivity. So and that's just something.
So proprietary network between the two. Okay.
So I'm looking at it right now. Now, this is a video and audio podcast, so I'm going to explain a lot.
So it looks to be about maybe not even two inches across and maybe a half an inch, three quarters of an inch tall.
And it's got a big red oval on it telling people, I'm recording you right now. Yes. Correct.
[5:18] And so how does it work? How do you enable it? What is it? How does it work?
So if you press it for a long press, it starts the alarm.
And the alarm is then sent to a pre-selected emergency contact.
So then it's somebody or your father or maybe somebody else.
Or it can be the back end of a security company that has people watching and here you see a demo of that so it's basically for.
[5:43] Families, persons, themselves or for more professional that they can use it.
So I'm wearing that the the body cam, phone cam and I'm wearing it because I'm gonna walk down a dark alley at CES and and some dodgy person starts coming towards me, I press and hold for the alarm, but I'm also recording at the same time? Yes, yes. So it's then sent to the cloud.
So whenever somebody then grabs it of you, it's still the footage and it's still in the cloud, and you can use it later for in court or anything. So that's it. Okay.
So if it's going to the cloud.
[6:19] Then it's going from there, from the phone cam to the phone, up to the cloud.
And then are there other uses for that data, for viewing it?
I mean, are you going to do a kid's birthday party with this?
Sure, sure. You can also just record things and have it as a GoPro kind of thing.
But also, we see a lot of use cases where people that are working in remote areas and they don't have all the expertise, they can then just press the button.
The call goes to a back-end where there's an expert that can help them then do things that they don't normally do.
So you see now then tasks can be done by less qualified personnel that can then do things that otherwise they wouldn't.
So we can become remote control devices to people smarter than us then. Yeah, yeah, yeah.
Or even when there's an ambulance, the doctor can already look into the patients.
What has to be done, what can they advise the ambulance personnel, and they also can prepare it in the hospital how to… Take care of them in some way. Yeah. Okay.
And so how much is phone cam going to cost? It's $69.
Oh, you're serious about affordable. Yes, yes.
So yeah, basically it's… that's what we set out to do, is to make it as cheap as possible to be able to have all the connectivity that you can.
That's really, really interesting.
So if people wanted to look up PhoneCam, where would they go?
[7:46] PhoneCam.io Oh, very good. Oh, wait, I forgot one question. That was my question earlier. What's AI about it?
We have now low-light enhancements, but we are already now partnering up with a lot of companies that would like, To use our phone cam, because it uses the CPU of the phone, it can do much more than a lot of other cameras can, because it's much more advanced.
The CPU in the phone is much more advanced than normal cameras.
So you're opening up an API where they can get access to the data?
Okay, very interesting.
All right, thank you very much. I appreciate your time. All right, thank you very much.
RICOH OLED Portable Displays are Gorgeous AND Have a Kickstand
[8:23] I started using portable USB-C displays when on travel about four years ago, starting with the tiny 12-inch EOYO 2K display.
When that one died, I upgraded in 2021 to the Cocoa Par 15.6-inch 1080p display.
I missed the higher resolution of the smaller display, but the Cocoa Par was good enough that I was able to do the live show on the road with it.
I liked the built-in kickstand, which gave me enough space on my work surface to fit all of my gear.
For $180, the Cocoa Par is still a very good option.
I showed my daughter Lindsay the Cocoa Par, and I let her use it at her house one time, and she loved it.
Since I'm such a good mom, I really had no choice but to give it to her to support her remote work.
She also runs audits at her company, and having a second display in the conference room is life-changing.
She tells me all the time she should get a commission from Cocoa Par because so many clients have bought their own after seeing hers.
Well, that was great because it gave me the excuse I needed to upgrade again.
In 2023, I bought the KYY 4K 15.6 inch USB-C display for $239.
It's now down to $219.
I was delighted to have that super sharp 4K goodness, allowing me to get a lot more information on my display.
I need every single pixel when I'm on the road doing the show.
[9:44] While the KYY's display is gorgeous, I'm constantly frustrated with its lack of a kickstand.
I know that sounds like a tiny complaint, but it's a very big deal.
Instead of a kickstand, the KYY has a floopy folio case that folds into a stand.
It's held on by magnets, it's much like the folio made by Apple for iPad, except the magnets aren't strong enough so it falls off easily, and the little detents to hold it at different angles are not deep enough, so it sort of slides out and flattens itself if you bump it.
If I can get it balanced just right, the part of the case that sits flat on the table sticks out so far in front that it gets in my way.
I can't get the display close enough to my MacBook to be as useful as it could be.
[10:26] In my review of the KYY, I told you that I bought a little plastic tablet holder that Jill recommended in order to hold it up, but it doesn't really work very well because the display is so wide.
It's really made more for like maybe a 10-inch tablet. This is a 15.6-inch diagonal display, and it's like 16 by 9, so it's really wide.
When I have it on that little stand, it's highly likely to get knocked over while I'm moving things around.
I have searched everywhere for better stands, and I haven't found any.
Oh, okay, there's one more thing that makes the KYY a little harder to use.
It's that the cables stick straight out of the right-hand side, and I prefer my display to be to the left of my MacBook.
That means in addition to being limited by the floopy case, I'm also limited by how much those cables stick out.
And remember, the cables are going to stick out on the left in a MacBook Air, so I have to keep the laptop really far away from the display, which is not ideal.
But I gotta tell you, that 4K looks great right up until it falls over.
[11:23] Okay, now you're up to speed with where we last left our hero a year ago.
Let's talk about the latest display in my life.
At CES this year, you probably heard that I interviewed Scott Francis from Ricoh about two of their portable displays.
They were kind enough to send me one of them for a review.
The two displays Ricoh showed off were the Model 150, which is a wired USB-C display, and the 150BW, which can be used wirelessly or via USB-C.
Ricoh sent me the 150BW, and I was really excited to test it out.
The Ricoh displays are OLED, but they aren't 4K. They're only 1080p.
I had not appreciated why people are so excited about OLED displays until I got the Ricoh 150BW in my hot little hands.
It is bright. The colors are vivid. It is stunning to look at.
Every person I've shown the 150BW to says, wow, I mean, it's really that good looking.
[12:21] I also didn't realize that OLED displays are thinner and lighter than traditional LCD panels.
With a built-in kickstand, the 150BW weighs in just under 1.6 pounds.
The Cocoa Power, with its required floopy case, weighs 2.4 pounds, so it's 50% heavier.
The wired Ricoh 150 is even lighter at only 1.23 pounds.
I mean, that's crazy pants. I mean, that's nothing to lift.
It wasn't until I tried to take a photograph of the Ricoh display for the show notes that I realized this is a very glossy screen, while the KYY is a matte screen.
I like a glossy screen. I think that makes everything look more vivid, but we all know that George from Tulsa does not, so I thought I'd mention it.
The Ricoh displays are a fair bit more expensive than all of the displays I've mentioned earlier in this article.
The 150BW wireless display retails for $675, $75, and the wired 150 will run you $530 on Amazon.
If you buy direct from the Ricoh website, you'll pay even more.
Now, I was super excited to see what it was like to use the Ricoh 150 BW in its wireless mode.
Wouldn't it be glorious if we didn't have to contend with the wire sticking out of the side of our laptops and displays at all? That would be nirvana.
[13:38] Well, there was no manual in the box, so I started fiddling around with the controls on the back right, and I figured out how to get the Ricoh 150BW into a Wi-Fi mode.
I looked in system settings on my Mac, and I tried to connect to the Wi-Fi network that the 150BW had created. It asked me for a password.
Well, I figured it had to be something simple, so I did a bit of the Googles, as one does, and I found out that the password is admin123.
I also found out where to change that. that.
After I entered the password, nothing happened. The display didn't magically show up as a screen for my Mac. It was time for desperate measures.
I broke down and started searching for the manual for the Ricoh displays.
They don't make it easy to find, but I finally found both the display manual and the wireless manual.
Oddly, the wireless manual wasn't as helpful because it had more to do with other types of wireless devices sold by Ricoh like their line of scanners.
But in the regular manual, I found the very bad news about how how the wireless functionality works on the Ricoh 150BW.
To use the 150BW wirelessly with a Mac, an iOS device, or a Windows PC, you have to download driver software called Ricoh Monitor Mirroring.
Notice that word, mirroring. Yep, you can't extend your desktop wirelessly.
You can only mirror your display.
[14:57] Now, this doesn't solve any problem I have, but maybe it would for you.
If you, say, give demos to people in rooms without projectors, I can see being able to pass around a wireless and gorgeous display to them so they can see what you're doing, especially since it's so light.
You can just see passing this thing around like passing around a jar of candy.
[15:16] Now, here's a problem. Most corporate IT departments have locked-down devices these days, so you can't just install any old driver you want.
You might not even be allowed to use the Ricoh 150BW in wireless mirroring mode as a result.
Now, I did test it in wireless mirrored mode on my Mac to make sure I understood how it worked, and I have to say the screen looks significantly worse in wireless mode than it did wired via USB-C.
The text was smeary, and the cursor lagged to a point that I wouldn't even consider using it for that.
I have to say, I can't really recommend the Ricoh 150BW, but don't turn the page yet. Let's stop right there.
I don't want this to be a downer review, you, so I want to set aside the wireless functionality and talk about the 150BW as though it was the 150 wired version.
Even though the one I have is a little bit heavier, everything else is the same about these.
If you're a Windows user, the Ricoh display is a touchscreen with 10 independent touch points.
They sell an active electrostatic stylus, that's hard to say, electrostatic stylus, with 4096 levels of pressure sensitivity and two function buttons.
I really really wish I could test the touchscreen and the stylus, but since macOS isn't a touch operating system, I don't get to have any fun with it.
And the touch doesn't work with the iPad.
[16:39] The 150 series displays have a power switch on the right-hand side, which means it doesn't automatically come on when you connect it to your device.
I can see scenarios where I'd want to leave it connected, but also power it down.
[16:51] Speaking of power, you definitely want to take take advantage of power pass-through with the Ricoh displays.
They have two USB-C ports on the back, and without adding power to the second one, the display drained the battery on my devices at an alarming rate.
At one point I was doing a test with the 12.9-inch iPad Pro, and the battery went from 22% to 7% on my iPad Pro in less than 10 minutes.
The 150BW has an internal battery, since it can work wirelessly, so I think it's charging itself from my device.
I'm pretty sure the Model 150 would not drain your battery nearly as much because I imagine it doesn't have a built-in battery.
In fact, now that I think about it, maybe that's why it's so much lighter.
Now speaking of cabling, I love the way they designed the cable management on the 150 series.
Remember how with the KYY the cables came out of the right side of the display, limiting how close I can put the display to my laptop?
Not so with the Ricoh displays. The display is of two thicknesses.
The top half is only 0.19 inches thick, which is bananas thin.
The bottom half is a little thicker as it contains the electronics.
It also has a cutout for the two USB-C ports.
This means that when the power and data cables are connected, they lay flat on the back of the device.
They also included four little clips that you double back tape to the back, which allows you to hold the entire USB-C cable on the thinner part for for storage.
Not having to find a place to store the cable is genius.
[18:20] The thicker part also holds the built-in kickstand, which is possibly my favorite part of the device.
I mean, having a kickstand is a glorious thing.
It's even got little rubber feet, so it feels really good when it's sitting.
You can set the kickstand anywhere from nearly vertical at 75 degrees down to a very shallow 16 degree angle, which would be great for doing artsy things with that nice stylus.
It's a very wide kickstand, just short of the full width of the display, so it's super stable, unlike that floopy case on the KYY.
You can even use the Ricoh display in portrait because of the great kickstand, which is super useful when reading long-form documents.
In fact, I was doing some programming the other day, and I had Bart's show notes up on the Ricoh, and I put it vertical so that I could see this big section of the.
[19:08] Instructions of his tutorial, so I was able to read along and do my coding over on my main display.
It was actually taller in pixels than my XDR display, which I found really surprising because it's a 32-inch diagonal display, but I was able to get more on screen vertically on the Ricoh than I was able to do on my big display.
[19:31] Now, the Ricoh display has two stereo speakers, but they're pretty tinny.
I don't think you're going to be listening to them for any length of time. time.
In my iPad Pro test, the audio automatically switched to the display's speakers, but with Control Center, I was able to change the speakers back to the iPad.
Now, I've not used an external display on an iPad very often, so maybe I'm acting like I made fire here when I tell you how cool it is to use an iPad with the Ricoh display.
I opened Downcast on iPad, and I played the latest video podcast of the Daily Tech News show.
It automatically opened the video on that glorious screen with Tom full screen on that while leaving the controls of the app on the iPad.
When using an external display with iOS, you choose where apps open using Stage Manager.
You control it using the three dots at the top of the screen in any app.
You get to choose from full screen, split view, slide over, or move to display.
It's also interesting to see display arrangement controls appear inside system settings for iOS.
I don't do a lot of productivity work on my iPad other than pure writing for the show, so I don't have a big need to connect an external display, but it works really well.
And again, the Ricoh display looks fantastic.
[20:45] My primary usage for an external display is when I go to Lindsay's house and I want to do the live show from there.
On our latest trip, I carried the Ricoh display instead of the KYY and it was awesome.
It comes in a very thin zipper case to protect the surface of the display, but I slew that into a thick padded case too because it does feel fragile because it's so stinking thin.
I used the Ricoh display on my grandson Forbes' desk along with a mic on a tripod and a light, not a tripod, a tripod, and a light and a thunderbolt hub and wires running all over the place.
While it's still hard to work with all that mess, the display was no longer a contributor to my stress.
The cables were out of my way, and the kickstand was sturdy and didn't get my way at all. A perfect experience.
If I had to choose again, I would definitely choose the Ricoh 150 OLED 1080p display to take on the road over the KYY 4K display with its awful case.
The weight being so much lower, the thickness, the cable management, the brightness, the vivid colors, and the kickstand all make this display an excellent choice.
[21:49] But my eye wanders. Dave Hamilton of the MacGeekGab and I have been trading ideas on displays for a while now, and after he bought the KYY on my recommendation, he tried out a display from ViewSonic that won over his heart.
The VX1655 4K OLED. It might be the best of both worlds, it's OLED and 4K.
Like the Ricoh, it has a kickstand, which is table stakes for me now.
The cables come out of the side of the kickstand, close to the middle of the display, so I suspect that's a game changer from the KYY.
It's got the kickstand, it's 4K, it's OLED, it's got good cable management, what's not to like?
I looked at the kickstand and I don't think you could do it vertically, so that might be one thing you can't do.
[22:33] At $500, the ViewSonic VX1655 4K OLED is right in line with the price of the Ricoh Wired 150.
But it's 4K instead of 1080p. It weighs 1.8 pounds, where the Wired 150 from Ricoh only weighs 1.2 pounds.
So I guess ask yourself, would you carry 10 ounces more to get 4K?
Like I said, I'm tempted.
Well, the bottom line here is that there's a lot of great competition in the category of USB-C portable displays, displays, and they have options for every budget.
My advice would be to make it a drop-dead requirement that whatever display you buy comes with its own built-in kickstand.
If you're budget-conscious, I would look for the 1080p LCD displays that have a kickstand.
If your eyes are really good so you can appreciate crisp text, or you really need to peck in as much on-screen as possible, move up to a 4K display with a kickstand.
If you're not picky about crisp text, but you appreciate vibrant colors, then move to an OLED display with a kickstand, like the glorious Ricoh 150.
But if you have to have it all and your financial advisor allows it, get a 4K OLED display with a kickstand.
But whatever you do, get one with a kickstand.
Support the Show
[23:48] On occasion, I get to review products sent to me by the manufacturers, like in the Ricoh display review you just heard.
But the vast majority of what I review comes out out of PodFeed podcast funding.
My goal is not to make a huge profit, or, you know, you'd hear creepy ads in the show, but rather, I just want to fund the products I want to use to produce the show or just to review for you.
If you can afford to do it, and you find value in the reviews you hear in the other content we do here, stop what you're doing right now and run over to podfeed.com slash Patreon to help out the shows.
Security Bits — 18 February 2024
[24:23] Music.
[24:40] Well, it's that time of the week again. It's time for Security Bits with Bart Bouchat. And Bart promises we're going to have fun today.
Well, I think so. When I was writing the notes, I was like, there's a really nice mix here of some news, a little bit of follow-up, two little deep dives.
They're sort of perfectly medium, not too deep.
You know, I don't know. It felt nice as I was writing the notes.
And the sun was shining, which may have helped. But either way, I thought they were good notes.
So it is the usual mix of good news and bad news because it's obviously, you know, I'm not coming here to say, and security is solved. Have a nice day.
So on that note, we've talked quite a few times recently about attackers getting the upper hand, at least temporarily, in terms of getting malicious ads into Google search results.
[25:29] And in fact, we talked last time about Troy Hunt explaining how they're doing it at the moment, where they're basically being legitimate 90% of the time and then being malicious every every now and then, which makes it really hard to spot the malicious people.
But I thought it was worth mentioning that it's not only on Google that the cat and mouse game is going the wrong way at the moment.
Another place that has been discovered to be failing to protect their ads is Facebook.
They were pushing ads for a password stealer malware.
They were were doing it in a slightly different technique so on google the lure was fake download sites for real software where they would give you the software and a bonus extra so the installer would also install something you didn't want in this case the lure is a job ad and they use a job ad to trick you into downloading a malicious pdf which if you're not fully patchy patchy patched patched will get you hacked with password-defeating malware.
Oh, cool. Yeah, very cool.
[26:38] And the fight against Pegasus and its ilk took an interesting turn.
The US has announced a visa ban for companies creating commercial spyware.
So for people in companies making commercial spyware.
It's an interesting way to flex your diplomatic muscles.
So I thought that was a clever touch. Okay, you can do that, but you can't walk in here.
Yeah, it's like there are consequences to this kind of carry on.
I like it. it um and an update on some european news a digital markets act uh there was some question as to whether or not iMessage and bing search were in fact gatekeepers apple and microsoft respectively said we're too insignificant in europe we don't have enough of a market share to be a gatekeeper and europe looked the numbers away yeah you're right you're not actually big enough in Europe. Oh, how sad.
So it's, yeah, it's like, yay. Cute little iMessage.
[27:35] But here in Europe, actually, WhatsApp is particularly dominant because there's a lot of Android.
And so there is a very strong pull to cross-platform. So yeah, in Europe, neither Microsoft Bing nor Apple's iOS are gatekeepers, which does mean that those people who were hoping that the dma would force apple to open iMessage up to interoperability that ain't going to happen at least not now i was kind of really hoping for that one you know yeah well rcs is coming so that's something yeah i'll still be crappy but do you by chance remember off the top of your head about whether they ruled that whatsapp is a gatekeeper i do not remember off the top of my head uh okay i have a feeling not actually i have a feeling not because no one is It's quite monopoly level here.
So WhatsApp have a plurality, but they're not like 90 or whatever percent because you also have a lot of Facebook Messenger.
[28:33] You also have actually a lot of Signal. Signal is quite common over here as well.
So Europe is kind of a big market. Nope. Hold, please.
According to Reuters, Meta's Facebook, Instagram, Marketplace, and WhatsApp qualified as gatekeepers under the DMA.
Oh, okay. I stand happily corrected. Well, am I happy?
That means that they do have well either way it's a it's good to be correct it's a thing you it's a thing yeah i don't know if it's a good thing or a bad thing i finally thought to ask you instead of making you sound like you didn't know what you were talking about and asking a question you hadn't researched i thought to say hey do you by any chance know off the top of your head whether this is true.
[29:13] Yes, which I do appreciate that phrasing. And also the fact that you are so good at multitasking that you literally looked it up as I was talking rubbish. It was great.
[29:23] Well, after how many years I finally thought to ask you it in that way. I appreciate it.
So we have two deep dives. The first of them is an interesting lesson that I could have made this a one line follow up in the follow up section.
But actually, there's two lessons here to help us all become better at reading statistics and not not reading the wrong thing into headlines, because it is possible for headlines to be factually correct and utterly misleading all at the same time.
And one of the ways that happens is because human beings i know academically i need to always be very very careful of statistics the question is is it a rate or is it a level and when the rate changes that doesn't actually necessarily mean the level has and when the level changes maybe the rate hasn't so those two things can be very disconnected from each other and that was Are you saying lies, lies and statistics?
[30:25] Yes, statistics can be used to mislead while being entirely factually correct.
So you can lie with facts with statistics, absolutely, or mislead with facts.
And case in point, we discussed the story on the previous installment about a report from a company called Coverware, or Coveware, I may have auto-corrected an R in there, I think it may be Coveware, that only 29% of ransomware victims are paying, which I thought was fantastic.
And I opined that since this kind of ransomware is done for profit cybercrime, if less people are paying, that means less profit.
That means that the end may be in sight because this is purely a crime, a commercial crime.
That was a rate.
[31:19] So, imagine my surprise when a day or two later I was flicking through my RSS feed and I saw a headline over on Bleeping Computer, who is a source I trust quite deeply.
The headline blared that, according to Chainalysis, ransomware payments reached a record high of $1.1 billion in 2023.
2023, which is rather the opposite of what I had been led to believe and led you all to believe two weeks ago.
Is one of these reports wrong? No.
[31:55] Chainalysis are reporting on the level of ransomware and Coveware reporting on the rate of payment. They're not the same thing.
So what is the definition of rate in this context? Context? Like what percentage?
Right. So the actual number reported by Coveware was what percentage of ransomware victims chose to pay the ransom.
Which is a rate, right? The number from Chainalysis was the total amount of ransoms paid.
So that doesn't reduce our joy from last time though because as fewer and fewer companies pay the ransom it becomes a less likely opportunity to make money it sounds like if you make money maybe you make a lot of money but it might mean that not as many people are paying off that's a that should start reducing it i would think i fear not because what's happened is you can now to get ransomware as a service.
So it's now easier than ever to spray more ransomware at more people.
But if more people aren't falling for it, more people aren't falling for it.
Right, but if half as many people choose not to pay, but four times as many people get infected, the market still doubles.
[33:14] So if the fact that you can just get ransomware as a service...
But your chances of a payout as a sleazeball are lower.
Okay right okay the chances are half as low but you have four times as many infections your opportunity for profit goes up not down not percentage wise but, absolute money wise though this is this is the problem so okay well that's what i said so your payout is is more likely to be big not just that it's more likely to be big so you have done no more effort to quadruple the amount of ransomware in the world because you can now just go to a a ransomware is a service provider and you don't have to do any work.
[33:54] Okay, that's a separate thing from whether the rate is higher or lower.
But the point is they're decoupled, yeah.
So if the number of companies falling victim to ransomware and the average payer amount had remained constant, then that drop to 29% payment would indeed have meant all of the joyous things I thought last time, right?
So that leads to two obvious questions.
There's two ifs in that sentence. So did the number of attacks remain constant?
Nope, nope, nope, nope, nope. Up, diddly, up, up, up. Way more ransomware actually happening out there.
[34:32] What about the second question? Is the average amount that is being paid staying the same?
Also, nope. The average payment for everyone who does pay is also going way up because the attackers are going after people people who are more likely to be big enough to pay them big bucks.
So they're not interested in the little people, which I guess from the Silla Castaways is good.
They're getting more effective at focusing on the people with deeper pockets and a deeper need for their data back.
Right, right. So unfortunately, it is both true that a smaller percentage of victims are choosing to pay and that the total market, in other words, the total amount of money that is available for the baddies, has gone up.
So I'm afraid to say I do not believe that the end is nigh.
[35:29] There's another interesting statistical lesson learning in the Chainalysis report because unlike the previous report, the Chainalysis one is fully public, so I've linked to it in the show notes so you can see lots of graphs and things.
And there's another little hidden thing in there. Now, neither Bleeping Computer nor Chainalysis chose to go the clickbait route because they are both reputable organizations.
But the data in the Chainalysis report would have allowed for a factually correct, utterly misleading headline, ransomware payments doubled in 2023.
[36:03] That's not because 2023 was abnormally high. Why?
Because 2022 was abnormally low, which is an excellent reminder that when someone gives you two numbers, you need to ask yourself, are those two typical numbers or have they been very carefully cherry picked?
And if you look at the data for the trend as a whole, what you see is that in 2020, the total market was $0.9 billion, which is a lot of money.
The next year, in 2021, it had gone up to $1 billion in your best Dr. Evil impression.
And then 2022 happened, which was really weird, a large part due to the war in Ukraine, and it absolutely plummeted to only six point something billion dollars.
In fact, sorry, it's 5.67, so I rounded it up to 6, to 0.6.
And then it returned to the normal trend in 2023, going slightly up from where it was two years before.
[37:06] So as i say had either of these two organizations been unscrupulous click click collectors they could have misled us further with that kind of a story you know with that kind of a headline they didn't but they could have and i thought it was interesting to point it out so basically ransomware has been slowly increasing for the last four years and is in fact still slowly increasing, so i'm sorry to say that these two stories have canceled each other out and at best the statistics are a nothing burger at the moment it's just continuing there's no major change unfortunately, if you're wondering by the way why the war in ukraine would affect ransomware it's two reasons um a lot of western countries and the biggest target for ransomware is the united states bigger than europe i don't know why that is because in terms of economies they're both huge economies, but America is getting a way more of a target than it should and Americans became really really really really averse to paying anyone vaguely connected to Russia during 2022.
And the Russian hackers were being incentivized by the Kremlin to focus their attention on political ends in Ukraine rather than profit-making in the United States.
And also being forced into battle.
[38:30] Effectively, yes. Well, not effectively, actually.
I mean, they were literally grabbing men and throwing them onto trains to go carry guns.
In that case, yes, and. Because they were also having to defend Russian infrastructure from very effective attacks by Ukrainians.
So they were both being physically hauled off as actual soldiers, which I hadn't even thought of, but you're dead right.
And they will engage in a digital war a cyber war in fact with ukraine because there is a lot happening hacker to hacker between the ukrainians and the russians they are going at it hell for leather and the ukrainians are making some interesting successes actually um on the digital battlefront but it's no you can't really show it on telly so it doesn't quite make the news as much, right so yeah i'm sorry to say i need to take it back i was like yay the end of ransomware and now i'm going yeah no i don't think so i'm sorry well you're right these notes are fun bart, yeah but the point is it's a good they tell a story yeah yeah it's a good excuse to learn about statistics and i get to say i was wrong in a fun way instead of just an embarrassing way so it's always nice because i do insist it's important i say when i was wrong but i at least like to learn earned from it. Yeah. Yeah.
And deep dive number two goes entirely into the good news category.
[39:53] So Apple released their Vision Pro recently enough, if you're in the United States and have a substantial amount of disposable income.
I do not have one because I am not in the United States and I'm not, well...
I might find an excuse to write one off as a business expense if I'm totally honest.
But anyway, not a question. The temptation's not available to you.
Yeah, not an argument I have to have with myself or my accountant at the moment.
So it's an entirely academic argument. Anyway, now that the device is out there and people are using it, there are questions about, well, hang on a second.
This thing has more sensors than you can shake a proverbial stick at and is permanently internet connected. maybe there's some privacy concerns around this.
Apple didn't go out of their way in the keynote to say that they had designed privacy in from the start and they showed their hand, or they put some wood behind the arrow, as the phrase goes.
They have released a document describing exactly how they have designed in privacy from the ground up.
And I guess the short version is everything you get on your iPhone and your Mac, you get on your Vision Pro and then some.
Because the Vision Pro has unique extra risks and Apple have added unique protections.
And my short version answer is nicely done.
So I gave you a little bit more meat than nicely done.
[41:23] So the first thing that's... Okay, so Apple, basically, their protections I'm seeing as being in five big categories, the extras, right?
So everything you normally have, you have on the Vision Pro. on top of that there are also protections around the fact that the Vision Pro is constantly scanning your surroundings and you tend to use the Vision Pro in spaces within your private life like say your house so conceivably that could give away a lot about you I mean the kind of things in your room could say a lot about your ethnicity you could say a lot about your income it could say say a lot about a lot.
So how that information is protected is very important.
Your Vision Pro also gets to see the people around you because it lets them break into your shared reality and so forth.
So again, there's a need to protect that.
Your Vision Pro, by the nature of how it does its cool UI, needs to know at all times what your hands are doing and where your eyes are focused.
And that has the potential of a bit of a dystopian hellscape if it were to be abused.
This is kind of like the ultimate fingerprint.
Right, exactly. And then you have this 3D persona that can pretend to be you to varying degrees of effectiveness.
Creepiness. Yeah, creepiness effectiveness. You know, the jury's still out.
It's still a beta feature. But nonetheless, it is a privacy concern.
So those five things were addressed by Apple.
[42:51] The first thing that struck me is that Apple have broken the rules into two very distinct categories.
So if you're in the Vision Pro, you're either in what they call the shared environment, which is that sort of that place where you're running multiple apps, each in their own little window or 3D box.
So those apps are what we're going to call normal apps. And they have extremely little access to Vision Pro's extra information.
They basically have no access to Vision Pro's extra information, with the exception that your persona can be used in those apps.
But those apps never get any information about what's going on around you.
They never get any information with the people around you. They never know what your hands are doing. They never know what your eyes are doing.
What they get. Wait, wait.
They have to know what your hands are doing. No. Because when you.
No, no. Let me explain. Can I finish my sentence first? Please.
They know when you tap your fingers together, you have selected something.
So they know what your hands have done.
They 100% do. They don't know what your hands look like or where you moved them around in space.
[43:56] Okay, so that's what I was getting to. What they get is events equivalent to a mouse click. They get told, someone click this button.
They don't know that your hands hovered over the click for 10 seconds, that your eyes were tempted by this for 10 seconds. they get click events entirely equivalent to what a Mac app gets or what an iOS app gets.
So they're not actually getting the extra information about your hands and stuff.
Because how your gaze moves before you decide to click would be so valuable to someone trying to profile you.
But none of that is handed out through the APIs. eyes, they just get effectively fake mouse.
You you're effectively simulating a mouse.
[44:41] Well okay i was about to say now i understand and now you've just reversed it if they know an effective mouse then do they know that the mouse was hovering it went over here it went over there i i had mentally said to myself don't say mouse say trackpad or say touch in fact ios well trackpad's the same as mouse no i mean cursor ios what no touch i touch an ios is a a perfect example right because your finger you how long your finger doesn't touch something because you're hovering over it isn't known to even ios until you touch the glass effectively what these touch what these vision pro apps get is equivalent to tap information on ios, so not like the cursor so not like the cursor with the magic trackpad on an ipad yeah it's actually even less they're getting even less than you get on a cursor or a mouse you're absolutely right um and as a webby person that's kind of important because we get to we have apis for following the mouse around we have apis for hovering over things on the web and those don't work on ios because there is no concept of hover and vision os is like ios so it's actually even less than you get from a mouse like i knew i was going to get that wrong oh well anyway um, The other thing is that...
[46:04] So, okay, moving back. So the...
Regular apps get nothing extra.
The only apps that may get more information are the ones in immersive experiences.
And Apple give you some immersive experiences for free, but third-party developers can create their own immersive experiences.
So any app where you fully go into a 3D space that the app is building for you, those apps have the ability to get more information, but none of it is direct from the sensor.
No app ever gets to go direct to the cameras.
Is all of the apps are accessing the information through APIs, which means that Apple have a point of control where they get to decide what does the API provide to the app and what confirmations are required before the API will pass anything.
So the APIs are like a firewall or sort of the bouncer of the door.
And they are very, very strongly controlling the information that makes makes it as far as the apps.
Oh, OK. OK. So the first thing is that no app at all gets the raw information about your room.
What the APIs present is the post-processing information, which is effectively a mesh.
It's a bunch of textureless, imageless shapes.
[47:25] So it's the ghost of your surroundings, not an actual picture where they can see that your walls are red. they know there is a wall in front of you.
There is a flat horizontal surface in front of you, right?
So they get the geometry they need, but not any detail about it.
And not the images. So maybe you could work out, oh, that must be a picture frame. Look at its shape. But they can't see it. It's just a 3D shape.
And they don't even get that without asking your Express permission.
So any app that is going to get the mesh of your room must have asked you, in the same way that you get asked, can I use your camera? Can I use your contacts?
So it's exactly the same model is now extended to, can I get access to the shape of your surroundings?
Absolutely, positively, no app anywhere ever gets access to the people information.
The operating system handles passing that through.
And it doesn't leave the operating system and no one else gets it.
[48:26] What else have we got here? Another very clever thing is that while you're looking around, the operating system is showing you that you are currently looking at a button.
And so the button will animate. animate but apple makes it clear that the code animating the button is the operating system, not the app and the app doesn't know that the button is being animated so until the point that you make a tap gesture or a drag gesture the app is told nothing it's the operating system is telling you if you make a proactive gesture you will be interacting with this thing but the app app doesn't know that the os has highlighted button one or button two until the point in time you do something and then the app gets told the user has ticked this button or dragged this slider or scrolled this view whatever it is but they're told that in forms of this ui element has had this action performed in it but you the app never knows that you were looking at it before that's the os even though it's within the app's window which again clever clever clever design um, one thing that every every single immersive app knows where your head is pointed because how can you give an immersive app without the app knowing you're looking up down left right whatever.
[49:49] So if if an app is giving you a 3d experience that you can look around in the app knows the the direction your head is pointed on a three-dimensional sphere.
I don't know if it gets it in radians and degrees, but it gets it as a degree by degree.
And they all get that and they do not have to ask for that because that's kind of baked in. That is how it is.
Another very interesting one is your hand gestures.
Apple have sort of decided that developers can ask your permission to get some hand information, but it's a very strong trade-off here.
They do not actually get the raw information of where your hands are.
They get a kind of a wire frame so if you've ever seen a video game before they add the textures on it where all of the characters are these little stick men which have particular joints where they can move your hands are stick hands so the app gets told that you know each knuckle is at a certain position so that they can see things like you've made an okay shape or you've made a heart gesture they can basically see the shape of your hand as a connection of, you know, the knee bones, you know, this joint is in two degrees over and this joint is whatever over, but they don't get to see the image.
Like the wall is a mesh without the image, your hands are joints and phalanges.
[51:12] Without skin and bones or skin. Exactly. Skin particularly.
So what that means is the kind of information that could leak a lot of stuff, like what skin color do you have? of utterly unavailable to apps, even those apps that have permission to track your hand movement, which they only got because you gave it to them. But even then, they don't know what color your hand is.
They don't know if you have tattoos on your hand. They don't know if you're wearing jewelry, because the only thing the AI passes through is the position of the anatomy of your hand, not the shape of the surface.
It's not a mesh. It's a wireframe.
So for your room, it's only the surface. For your hand, it's only the inner structure.
So they've actually done on the opposite in those two particular data points which is very cool again again very very clever and then the last thing why, Why are your hands a privacy thing? Is that because of color of your skin?
Size of your hands tells whether you're a woman or a man or something like that? I would imagine.
Yeah, I would imagine if you could look at people's nails and look at people's skin color, you could make a really good estimation of their gender, a really good estimation of their race.
And depending on the kind of jewelry they had on, you could probably make more inferences.
And, you know, if someone's wearing a giant big wedding ring, it's, oh, they're married.
Someone's wearing what looks like an engagement ring with a big diamond on it.
They're probably engaged. They'd be a really good advertising target for wedding services.
I don't know whether the hands show jewelry.
[52:41] I'll have to ask somebody about that. But if you're wearing a ring, if you're wearing a ring, and if they were getting the raw image data, they would see your jewelry, right?
I just don't know whether that exists. When you hold your hands up, you see your hands in the image. I wonder whether it's actually recording jewelry.
If it's not, then that wouldn't be in there.
Well, it isn't in there because the only thing the apps get through the API is the inner structure.
Okay. That's not what I'm saying. I'm saying if I'm wearing Vision Pro and I hold my hands up and I was wearing a ring when it figured out what my hands look like, I don't know whether it shows the ring or not.
So if it doesn't show the ring at all, regardless of whether they put in protections about that, it wouldn't show.
It wouldn't get through to the developers. I just don't know. It might be there.
Yeah. Are they showing you a rendering of your hand or is it video pass-through of your hand?
[53:35] Hmm. That's a good question. I think it's a rendering because, well, I don't know.
I'd like it to be video pass-through because if I had a tattoo on my arm, on my hand or something, and I use a Vision Pro and it was gone, that would freak me out. Like you wouldn't believe.
Like just imagine if you were used to always seeing, you know, a tattoo on your hand and And all of a sudden, the hand you saw when you had these goggles on was missing it. I think that would really mess with your sense of self.
I think that would be a really uncanny valley. There's a lot of it that does that.
Fair, fair, fair. Yeah, I don't. Yeah, we don't know. And neither of us have.
Actually, I don't know if you bought one.
I don't remember you saying you have. No, but I'm I'm I'm asking Pat Dingler to check into it. We'll get real time follow up, probably.
Oh, OK. I shall stay tuned. So I shall stay subscribed. described.
[54:32] So the last piece of the protection puzzle then is your persona.
And hypothetically, the danger here is that someone could pick up your headset and be you in a meeting and get up to all sorts of nefarious stuff as you.
So if you have, well, always you have to either give your pin or do an optic ID.
But if you have enabled optic ID, then optic ID is required.
So you can't use only the pin to get at the persona you can get into vision pro with only the pin, you can use it and operate it i've done that correct but the persona won't enable unless you also pass uh interesting optic id another point to note is that the the physics model.
[55:21] Driving the persona is created on device and never leaves the device, and there is no API making it available.
What the apps get that are allowed to use your persona, like, say, a third-party video conferencing app or something, is a video feed.
It's effectively a virtual webcam, and the operating system offers the permissions, or makes the app get permission, as if it were your camera it's just a virtual camera so even the apps that you give access to your persona they only get a video stream they don't actually get the 3d model they don't actually get enough to recreate you any more than they would if you're just looking at your normal webcam it's it's a video feed it's just a fake one a faked one so that there you know and then the final point is is that to make it easier to share a vision pro and definitely not leak any information, there is a guest mode available so if you enable the guest mode all of your personal stuff is hidden away and you can give friends and family a fun tour of your vision pro without risking any of your information whatsoever and i'm sure a lot of people are doing that because i know if i had a friend with a vision pro i'd be badgering them for a view you know give me a go No, I think a lot of Mozilla Castaways would.
[56:44] Right. Does all that make sense?
Yep. Okay, cool. Excellent. Okay.
I never know if you're quiet because I've been really silly or because I've just been really clear. I'm hoping it's because it's been really clear.
It's because I'm holding my tongue in this particular case because I have opinions but I don't want to share them yet. They will be shared next week on this exact topic.
Ooh, I look forward. Again, stay subscribed.
Teaser. I like it. Okay. We have some action alerts It has been Patch Tuesday.
There are plenty of patches from Microsoft. So patchy, patchy, patch, patch. 80 vulnerabilities, 5 critical, 2 zero days under active exploitation.
So yeah, do that patch. I'm looking at the show notes and it doesn't say what operating system this is.
[57:29] Patch Tuesday. You're dead right. I've assumed it's Microsoft.
I can add it. I'll add it. Yeah. I've got a lot of edits. I'm going.
Yeah, it's Windows. Yeah, no, I didn't pick up that that was. was what OS that was.
Because we seem to get OS updates more often than any operating system I've ever used in the latest with Apple products.
I mean, it's updated go-go every week and a half right now.
Yeah, whereas in Microsoft land, it's only every second Tuesday of the month.
So they get it easier, I guess.
Anyway, just to underline the point, that patchy, patchy, patch, patch, one of the things that got a patch is Microsoft Defender.
Your antivirus is a very highly privileged app. You do not want to run an unpatched antivirus when it has no vulnerabilities.
So patchy, patchy, patch, patch.
[58:22] Now, myself and Alison are recording on Zoom, but we don't have to worry about this.
The Windows Zoom people, however, do need to patchy, patchy, patch, patch.
Zoom have done a critical update for a privilege escalation flaw.
So patchy, patchy, patch, patch.
[58:38] So in terms of worthy warnings, I've been trying to minimize the number of stories I put in here, unless they're really big news.
But there's three of them here that I do actually think we need to talk about.
So the first, we're off to France.
The French privacy regulator is called CNIL. I could have looked up the definition, but then I would have had some French I didn't understand.
National Commission on Informatics and Liberty.
[59:06] Liberty. Very highfalutin. I just looked it up. Right?
So anyway, the CNIL does what? Yeah, so the CNIL are the data regulators for France.
And they have warned that a data breach at two healthcare payment providers, their names are in the show notes, I'm not even going to have a go, have leaked the information on 33 million, with an M, French citizens.
If you're wondering how big that is, that's half the country.
There are 66.7 million French people.
There are 33 million French people caught up in this data breach. That is substantial.
I want to pick out a quote from the article that probably sums it up best.
It's not clear if they're quoting the actual companies or the company who lost the company's information because the two companies were actually messed over by a third party.
They're healthcare payment providers, by the way, according to your notes. That's important.
Okay. Yeah, it is, yes.
So, although the exposed data does not contain financial information, which is good, it is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals.
[1:00:30] And CNIL add a warning that I think we should all bear in mind when we think about data breaches.
Although contact data was not included by the breach, it is possible that data involved in the breach could be combined with other information from previous data leaks.
[1:00:48] Basically, the digital jigsaw can be put back together.
We have to remember when we have a data breach to also put it in the picture that there's so much data about us out there already that if the data breach is missing one important piece of information, there's a really good chance that can be combined with the existing breaches out there to build a bigger picture of us.
It's not a happy thought, but actually it's a darn good point by C&L that I don't think we have been explicit enough about on this show.
So I thought that was worth pointing out. Yeah.
Yeah. By the way, if you're getting getting weary of all these uh phishing attacks and things there's a a group that john f braun highlighted on the most recent episode of the back geek ab they celebrated their 1k which was 1024 of course uh episode and uh they had john f braun back on the show and he sent a link and i'm gonna add this to the show notes because it's great it's a youtube channel called scammer payback and it's basically these people that try to get scammed and then do things to the scammer.
Like they have actively gotten the scammers to let them into their systems and they go in and just start deleting files and stuff.
And I just thought that was such a wonderful idea that I'll try to figure out a place to stick it in the show notes. Maybe I'll put it right in this.
Is that a palate cleanser?
Well, it's sort of a palate cleanser. I could stick it there if you want.
[1:02:15] It's a bit of a shot in Freud, a palate cleanser, but I don't know, it cleanses my palate, it makes me feel better. Yeah, yeah, okay, I'll drop it down there.
Now, moving over to America, unfortunately.
[1:02:30] Bank of America customers are caught up in a data breach because a vendor Bank of America used lost a lot of data.
We're talking about tens of thousands of people's data.
And the really annoying part is this quote.
It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident.
[1:02:55] So I can't say I can leave this out of the show notes it's because all of the affected customers have been informed.
Because it seems to me that no one even knows who is affected other than a lot of people who bank with Bank of America.
So given how rather large Bank of America is, I think the takeaway should be, if you're a Bank of America customer, your shields should be extra up for people impersonating Bank of America and trying to trick you into doing something.
Thing so if bank of america normally contact you by one means and they suddenly show up by another means extra extra suspicious probably best to ring them on the number on your bank statement, rather than to believe anything coming at you from any sort of even vaguely unusual source claiming to be bank of america because that is the big danger here um you know the baddies have have enough information to convincingly pretend to be BOA and you don't want to talk to someone else as if they are actually BOA. That is not a good idea.
[1:04:03] By the way, we don't ever call it BOA, we call it BOA. Oh, city foreigner.
Exactly. But I don't think you need to narrow that down to Bank of America.
I think you should say that basically on anybody who ever wants anything from you ever, ever, ever, if they call you, call them back.
Yeah, I won't argue with that at all. That is fantastic advice. Yes.
And then the last one, you may initially say, Bart, why did you put this in the show notes?
So we're used to thinking of Facebook as a user of Facebook, but Facebook has customers.
They're the people who buy Facebook ads and Facebook have had a data breach affecting Facebook's customers.
200,000 people who buy ads on the Facebook marketplace have had their data stolen.
And the reason I think that's worth mentioning is because the biggest customers of Facebook's ad platform are local business people, mom and pop stores, one person companies.
[1:05:04] It's not even companies, Bart. It's like if you want to sell a, you know, you've got a used air conditioner, a lawnmower, you put it on Facebook Marketplace.
In fact, if you try to just put it on your on your page, it says, yeah, that's really adorable.
Here's where you put it on Facebook Marketplace. You cannot post on your own timeline. You have to put it in Facebook Marketplace.
So it's basically all Facebook users who've ever tried to sell anything in their neighborhood.
Because it's good for a neighborhood, right?
Right, right. Of course it is, yeah.
Okay, so it's even more important than I thought it was. And I already thought it was important.
So, okay, I now double down and say the likelihood that there is anosilic acid affected by this is even higher.
So if you are someone who has signed up to facebook marketplace have a read of the bleeping computer story and take heed so i want to make sure i'm not misrepresent misrepresenting what the article says your byline says if you sell ads on facebook so is it people who sell ads against facebook marketplace or is it people who post things on facebook marketplace to sell them.
[1:06:09] What i meant was people who are who make things appear on the marketplace okay okay i'll edit it to say that yeah yeah okay i i have to say i assumed it was always going to be people running some sort of small business or whatever but if it's even me hypothetically selling my spare whatever then wow yeah okay and if it's all records it's if it's uh records of people who who use Facebook Marketplace, then it's not just the sellers, it's probably the buyers as well.
[1:06:44] I don't know. Okay.
Yeah, I don't know. I don't know what's the answer to that. But definitely the sellers need to be on the lookout.
So what do they be on the lookout for, Bart? Is this that they, again, more phishing attacks? Or is it something specific?
It's, again, more the phishing attack stuff. It's very easy.
When someone steals company data, they can pretend to be that company with scary effectiveness because they know things that only the company should know.
So you can craft very believable emails.
And normally to do a targeted email involves effort, right?
You've got to learn about your potential victim and you've got to put some work into custom crafting a dedicated attack just for this one person.
But if you have a database of 200,000 records, you can automate it with a script.
Well, I'm sad to say that that database includes Includes names, phone numbers, email addresses, Facebook IDs, and Facebook profile information.
That's bad. Yep.
Sorry. Like I say, I thought it was already important for Nocelle Castaways to be aware. Now that I understand just how big this is.
[1:08:00] Anyway, let us move on to notable news. I have a fire extinguisher next to this story because it is true that ExpressVPN have been leaking some DNS requests for years, but there are so many asterisks about the story that I don't think there's any need for anyone to stress over this at all.
And ExpressVPN's response is, I would argue, too strong.
So when you're using a VPN...
[1:08:28] Like ExpressVPN, where the intention is to hide from your internet provider, whether that be an internet cafe or actual home internet provider, most people just turn it on.
So it's an all or nothing thing, right? All of your traffic goes through the VPN and that configuration, absolutely nothing was broken.
A small number of people, for various very good reasons, choose to have their proverbial cake and eaters with a configuration known as a split tunnel where you mostly vpn your traffic but you do allow some local traffic onto your LAN and this used to be more important because we had to do things like print things and so we had to make sure that our printer didn't why is that still important well how many people print things all the time I mean everybody I know prints all the time people are always talking about their printers people are talking about printing to color printers?
Are they buying laser printers?
I mean, it's very common. Really? Okay.
I guess we move in different circles. I'm not a big printer myself, but I printed something yesterday, so it happens.
But I don't tend to print when I'm not at home.
If you're using a VPN at home, I would think you would absolutely need to do the split tunnel dance.
[1:09:42] You would, but anyway, there's another few few caveats to come.
But most people don't actually do the split tunnel dance because most people use the VPN when they're out and about.
So the split tunnel is actually quite an uncommon configuration on ExpressVPN and stuff.
The other thing is that even if you are in a split tunnel, and the data only leaked if you're using an untrusted DNS server.
So if you're a home user who've configured your home router to use DNS you trust...
[1:10:08] Then the fact that the DNS is going the wrong side of the split tunnel is irrelevant because now it's going to your home router where it's using the DNS you trust.
So there's actually no information leak there. So the only time you're affected if you use a split tunnel and the network you're on has a DNS server you don't trust.
And even then the only information that leaks is what DNS names you looked up, which is not nothing, but it's not an awful lot either.
There so yeah very very few people have had very very little information leaked and then the response has been expressvpn have completely disabled the feature until they have time to fix it so it's like well we will close that barn door good and tight and so that feature is gone until they are happy they have completely nailed it down so i don't you know i'm sure there there were certainly some headlines that were all shouty about how scandalous it was that expressvpn had had made such a terrible boo-boo.
I was like, you know, if you're an ExpressVPN user and you are in any way put off by this news story, I wouldn't be, what I see is a company that reacted really quickly to a very subtle bug that affected almost no one.
So I would not change my usage of ExpressVPN over this at all, if anyone's worried.
[1:11:22] Very interesting development from Google.
So last year, Google added a thing to Android where it would do a virus scan using the Android App Store app...
[1:11:36] It would virus scan side-loaded apps. So apps you get as an APK file downloaded from the web, TrueBlue side-loading, would still get virus scanned by the Android App Store.
And if they failed the virus scan, the OS would say, I don't think you should install this. This is a virus. And then obviously it would block you, which is very sensible.
They've now taken things a little bit further. And it is now, they're trialing this in Singapore, and it may or may not get rolled out worldwide.
Wide but what they are trialing is completely blocking side loaded apps that use a collection of dangerous apis if a side loaded app uses these apis it cannot be installed there is no bypass button the os says no just very what how do they know what uh apis are dangerous i mean is that Is that a constantly updating list?
Probably? Yes, probably. For now, they have picked APIs that their virus scanner from previous year has flagged as being a commonly used technique by the baddies.
[1:12:43] And so this is awfully similar to app notarization. So what just strikes me is that they're not quite meeting in the middle yet.
But when you look at Apple being forced to allow third-party apps, apps but they have to be notarized or they can't get on the phone in europe and you have google now saying even doesn't matter where you get your app we're still going to assert some rules and it doesn't matter where you got the app from you still can't run it if you don't meet these rules, we're philosophically arriving in an awfully similar place even though these two stores set out from such completely different avenues and they haven't quite met in the middle yet but But if I project both trends forward, we seem to be heading to a situation where everyone is notarizing apps and Apple may be forced to allow full sideloading, but with notarization, which is kind of a Mac OS future.
It looks like we're heading to a Mac OS style future on Android and maybe.
[1:13:41] On ios if you project forward i just thought it was very interesting how these are yeah, yeah yeah that is i see how you're explaining it um okay uh somewhat oh i've duplicated my show notes here so yeah so the vision pro stuff started off as a story and then i made a deep dive so you can delete that out of there um a related note then is that apple's walled garden While Apple do tend it very carefully, it is not free of weeds.
[1:14:10] A rather high profile story broke. An Indian developer decided they would cash in on a brand name, LastPass.
They made an app called LassPassed, L-A-S-S-P-A-S-S, with a red logo that looked awfully similar to the LastPass logo.
Logo and it appears now that this was purely brand impersonation it was not in fact a password stealer as it could have been hypothetically it was just counterfeit it was just you know basically run-of-the-mill copyright and trademark abuse i guess it took out yeah it took out a little bit longer than it should have to take it down it was taken down it would appear apart from from some potential brand damage and some potential people having been defrauded some money.
Although Apple may have refunded everyone if they took the app down for abuse.
In fact, they probably did. Yeah.
So all in all, this probably was a straw in a teacup, but it was briefly very, very shouty all over Twitter and stuff.
[1:15:15] Um another not such great news so why do we need to be so careful online why are there so many scans because they work so the latest reporting from the u.s federal trade commission is that they have reported to them 10 billion dollars with a b of fraud that succeeded in 2023 that is 10 that's People have, that's what people have reported.
Reported, right. Yeah. Now, we know that the report rate on online fraud is very low because people assume nothing can be done.
So this is a massive under-reporting, and it's $10 billion in 2023 of Americans' money only, because the FTC is only reporting on American victims.
And just that massive underreporting is 10 times more money than ransomware delivered last year.
[1:16:13] Wow. So that's why there's so many scams out there. It pays big bucks to the baddies.
Okay, that's enough of the scary, scary stuff. So the Federal Communications Commission... Can we bring in pallet cleansers?
Not quite pallet cleansers, good news. So the Federal Communications Commission has ordered American telecom providers that if they discover a breach where there is personally identifiable information involved, they now have a higher reporting standard they must adhere to.
They have to let everyone know within 30 days.
This is more than is required by the current regulations.
[1:16:47] I really like that one because I don't know whether this is true where you live, but in order to get a phone bill, you have to give them your social security number.
[1:16:58] Which, like, to get a phone, to get a cell phone, you have to get, I don't understand why that is necessary. That one really makes me mad.
Actually, let me put it this way. I think that was when it was subsidized, so you were making payments, but that was some way that they would come after you.
But I don't have to do that to subscribe to a TV channel, you know.
Shut me off. You don't have to have my social security number, but they do. They have our social security numbers in a lot of cases.
And a lot of similar stuff here. and I think it's basically a leftover of the old way of doing things when phones were new and that you were subsidized and you could have been paying your handset off for two years.
Right. So it was effectively getting a loan.
Yeah. Yeah. But you can just shut off my phone service and I'll pay up real quick.
They didn't have to have that. Yeah, I know. I know, I know.
Well, anyway, I'm glad they have higher rules now. Yeah.
[1:17:53] Also, Apple has joined Meta, Google, and Facebook in a new U.S.
Government-run AI safety initiative.
So nice to see Apple joining the club. And there's some pretty big names in there.
It can't do any harm that they're all in this organization together thinking about AI safety.
How effective it will be remains to be seen, but it definitely ain't a bad news story. So stick it in there.
And then finally, DuckDuckGo have released a very clever feature for allowing you to synchronize passwords and bookmarks and things between different copies of the DuckDuckGo browser in an entirely end-to-end encrypted way so that no one, not even DuckDuckGo, ever see your data.
And effectively, they're using QR codes for you to share the private key between your own devices with minimal effort.
And so each of your devices is using the same private key to encrypt the stuff on device.
And then the only thing being synchronized is a completely encrypted piece of garbage that no one has the key to apart from your devices and you're moving the key around with QR codes.
I never thought about that. So with Safari, if I have bookmark syncing, which I think it just does by default, does that mean Apple knows what I've bookmarked?
No, because Apple have approached the problem in a similar, but not quite as safe, not quite as trust no one away.
[1:19:16] So Apple synchronize your private keys, and we trust they don't sneak in an extra private key.
If they did sneak in an extra private key, they could then decrypt all of your stuff.
Assuming Apple's key synchronization is not malicious, then you are as protected with your iCloud stuff.
Okay, okay. And there's absolutely no reason to assume any malice here.
It would take active malice on Apple's part or a hypothetically maybe being forced to by a gag-ordered court ruling from a secret court.
Okay, but it's not end-to-end encrypted like DuckDuckGo.
Oh, no, it is. It absolutely is. So the difference is how the key gets shared.
So Apple shared the private keys using their key service, which we have to trust is secure, and there's no reason to doubt it. DuckDuckGo share it with QR codes.
[1:20:13] So Apple's version of end-to-end encryption is more user-friendly.
DuckDuckGo trusts no one. We have to trust Apple.
With DuckDuckGo, it trusts no one. Interesting. Okay.
But they're both very good and both very safe. Right. I have one interesting insight.
This is actually fun to read. I wasn't sure if I should put this as a palate cleanser or an interesting insight because Troy Hunt is a very humorous writer.
He describes discovering what is probably the most insecure insecure and badly developed API you could ever imagine.
And it's a really good insight as a programmer into how not to program.
And he just takes you on this journey where he says, I mean, it will be absolutely stupid if you were to include blah, blah, blah.
Oh, look, here it is. But it couldn't get any worse unless you did blah, blah, blah. Oh, no, there it is. Scroll down a bit.
It's just, it's written in such a fun way, but it's a really good, if you write code, you should read this as a do, you know, here's pitfalls you should sidestep.
Only it teaches it with such humor and fun that you will remember.
[1:21:15] Oh, good. I like that. I can learn from anybody who makes me laugh.
Exactly. And I really enjoyed reading it, even though it's like, oh my God, these developers are morons, but I'll not be that moron in the future. I hope.
Anyway, that was fun. I'll be a different moron in the future, right? Right. Exactly. As proved by our first deep dive.
So I think I confessed this the last time, but just in case I didn't, I'm going to confess it again.
When Bart was talking about have I been pwned on a previous episode of Security Bits, I said that I thought the notifications were silly because I was just always getting them that would go, alicempodfee.com has been breached somewhere.
And it's like, yeah, but you don't tell me where. I can't do anything about it. There's no action I can take. It's like, okay, so?
And then right after that, like the next day, I got an email that was to a specific site saying, you need to go change your password.
And the other one I just got was about Spoutable from Have I Been Pwned?
Because I had an account on Spoutable. So I was like, oh, dang it, he's right again.
I will stop confessing after this that you were right. But in case that wasn't done once, it's done twice now.
It was done once. So thank you for doing it twice. And I guess it's good for the listeners to know.
Yeah. Because I'm a big fan of Troy Hunt's.
He's humorous. He's funny. he's a great interview guest on podcasts and his service rocks so i'm a big fan i have quibbles with his choice of jason data structures but i know enough jq to fix it so it's all good.
[1:22:43] Uh see programming by stealth episode 161 precisely we get to plug ourselves that way i have one palette cleanser um i don't like to always plug uh nasa's astronomy picture of the the day because I could basically do 14 palate cleansers of astronomy picture of the day every two weeks because there's one of them a day and they pretty much all rock.
But one of them from the previous two weeks blew my mind.
So this is a photograph of a rocket launch taken at just the right time of day.
So the ground is in night and the moon is above the ground's horizon and it's a full moon.
The rocket is high enough up that the curvature of the earth means the rocket is in daytime, which means the rocket is casting a shadow.
And because the full moon is directly opposite the sun with the earth exactly in the middle, the shadow of the rocket points like an arrow at the moon.
[1:23:43] Oh, I didn't read it before looking at it. It was okay. Well, that's just kind of interesting.
There's this blue line that goes from the rocket down to the moon, but I didn't catch it. That's the shadow.
That's the shadow. That's cool. So that proves that the reason the full moon looks full is because you have the straight alignment of the sun, earth, and moon, because you can see it as a straight shadow.
And it proves the earth is round because we on the ground are not in daytime.
And the shadow of the rocket plume is in daytime. time it's like this one photograph just proves that our knowledge our understanding of the universe is visibly correct in this one shadow it's so cool so i saw a better proof that the that the earth isn't flat somebody posted on mastodon they said i can prove that the earth is not flat because if it was all the cats of the world would have knocked everything off the earth by now as i was reading that as i was reading that i was i was uh standing i was standing at at a counter and I heard a clatter and my cat had just knocked my glasses off the counter.
[1:24:46] Yeah. As a former cat owner, I still vividly remember that sound of something coming clattering to the ground in the kitchen behind our backs.
Some of the best videos out there are just cats. There was one with, I don't know, some little container and it had a bunch of little things in it.
And the cat was reaching in, grabbing something, throwing it on the floor, reaching and grabbing the next one, throwing it on the floor, like actually pulling it out with his his hand and throw it on the floor.
In addition to the John F. Braun.
[1:25:14] Recommendation about the Scammer Payback YouTube. I have another one and I think you'll support this because I sent it to you and you loved it as well.
If you like history and you like science, you probably find the history of Charles Darwin interesting.
There's a person who goes by the handle OddPride on TikTok and they tell the story of Charles Darwin's early life, how he ended up up on the Beagle in just the most delightful and humorous and fact-filled rapid fire explanation.
And it's absolutely delightful.
It's so much fun. I don't know, it's a couple of minutes long, but it was, you enjoyed it, right, Bart?
I thoroughly enjoyed it. And what just struck me as someone who does, you know, talking into a microphone quite often, the amount of preparation work that must have gone into that three-minute video blows my mind.
Like that was a machine gun of trivia ordered in a way that tells a story delivered with perfect.
[1:26:12] Everything it was oh wow it blew my mind and it was a fun topic and i learned a lot of things i didn't know about so when i thought i knew a lot about and admired greatly anyway it was exactly i i don't know what you call someone who studies dinosaurs but that's who odd pride is that's their field of expertise is dinosaurs ontologist well they they even did one on the The difference between an archaeologist and a paleontologist, they explained the difference between those two, but I didn't understand it.
But I think paleontologist.
So they're really well-read, really brilliant, very, very funny.
I'd subscribe to the channel immediately.
[1:26:47] I can see why. Yeah, you did send it to me, and I'm so happy you did, because you were like, I think you'll like this.
And I was like, yup, yup, yup, yup, totally did. So double thumbs up from me on that one.
Cool. All right, well, that's what I got, apart from the usual reminder that what you absolutely positively should do is stay patched so you stay secure.
Well, that's going to wind us up this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or suggestion, just send it on over.
Remember, everything good starts with podfeet.com. You can follow me on Mastodon. Where?
Podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube.
If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely Nocella castaways.
You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, you will have to wait until March 3rd to head on over to podfeet.com slash live on Sunday night at 5 p.m.
Pacific time to join the friends.
[1:27:47] Music.