NC_2024_03_03

Programming by Stealth explores JQ for JSON file edits. Tech news covers NSO Group, Microsoft updates, ransomware, Apple Mail issues, security enhancements in Linux, Android, Signal, Bitwarden, and GitHub. Emphasizes staying secure.

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com

Generated Shownotes

Chapters

0:00:00 NC_2024_03_03
0:00:15 CCATP #788 — Bart Busschots on PBS 162 of X — jq: Altering Arrays & Dictionaries
0:01:39 CES 2024: Pivotal Helix Personal Electric VTOL Aircraft
0:07:17 BG’s Tiny Tip - How to Send Project Gutenberg Books to Kindle
0:15:48 CES 2024: GE Profile Smart Indoor Smoker
0:21:54 Support the Show
0:22:34 Security Bits — 3 March 2024

Long Summary

In this week's episode of Programming by Stealth, I take you through the fascinating world of manipulating arrays and dictionaries in JSON files using JQ. We delve into sorting, reversing arrays, adding and removing elements, deduplicating values, and flattening nested arrays. Additionally, we explore the power of JQ in manipulating dictionaries by showcasing how to add and remove keys dynamically. Amidst our discussions, we unveil a futuristic personal aviation vehicle that boasts electric vertical takeoff and landing capabilities. This innovative aircraft, equipped with advanced safety features and dual redundancies, can soar for up to 20 minutes at speeds around 60 mph, with deliveries set post-June 10th in the pipeline.

Moreover, we tackle community queries like troubleshooting sending Project Gutenberg eBooks to Kindle devices, where a streamlined solution through the Send to Kindle app is discovered. We also delve into the innovative GE Profile Smart Indoor Smoker, known for its active smoke filtration that ensures safe indoor smoking while maintaining the authentic flavors of traditional cooking methods. From smoking an eight-pound pork butt on a wood pellet smoker to utilizing an electric countertop oven for precise flavor control, this unique product priced at $9.99 offers convenience and quality to culinary enthusiasts.

Transitioning to the tech landscape, we cover significant updates such as NSO Group sharing Pegasus source code, Microsoft enhancing audit logs for government clients, and H&R Block facing legal repercussions for deceptive online ads. We touch on ransomware news with the takedown and resurgence of major player LockBit, alongside discussions on spam infiltrating filters, raising security concerns beyond ads.

As we delve deeper, we explore potential Apple Mail issues, particularly regarding spam and email classification pitfalls. We shed light on how misconfigured subdomains impact email deliverability, providing spammers with exploitable opportunities. The conversation shifts to Apple's compliance with the EU's Digital Markets Act and their proactive steps in enhancing security through iMessage encryption. Notable mentions include the release of Setapp's third-party app store and Epic's plans for an app store launch, underscoring Apple's strategic positioning in the evolving digital ecosystem.

In the latest episode, we unravel Apple's innovative encryption system PQ3, setting new security benchmarks with key rotation mechanisms that bolster resistance against potential key leaks. Apple's Level 3 encryption serves as a testament to their commitment to privacy and security, addressing concerns in quantum-safe cryptography. Furthermore, we highlight critical software updates for Linux and Android users, emphasizing the significance of patching vulnerabilities in WPA Supplicant to mitigate security risks. We also alert users against malicious apps targeting European Android users and share cybersecurity notifications on data breaches and WordPress plugin vulnerabilities.

The episode gracefully encompasses a spectrum of tech updates, ranging from correcting subdomain descriptions to outlining the newest security features in Signal, Bitwarden, and GitHub. Noteworthy segments touch on the Federal Trade Commission's actions against Avast and an executive order pertaining to personal data transfers to specific countries. Intriguing narratives involving researchers manipulating charging pads for voice command replication and fingerprint capturing through microphone access add depth to our discussions. We conclude by urging listeners to prioritize staying informed and secure, offering contact details and avenues for supporting the podcast to foster continued engagement.

Brief Summary

This week on Programming by Stealth, we explore manipulating arrays and dictionaries in JSON files using JQ, including sorting, reversing, and adding/removing elements. We highlight a futuristic personal aviation vehicle and discuss community queries on eBook delivery to Kindle. In tech news, we touch on NSO Group, Microsoft, and H&R Block updates, ransomware takedowns, Apple Mail issues, and encryption advancements. Critical software updates for Linux and Android users are emphasized, alongside warnings about malicious apps and data breaches. We also cover new security features in Signal, Bitwarden, and GitHub, highlighting the importance of staying informed and secure.

Tags

Programming by Stealth, arrays, dictionaries, JSON files, JQ, sorting, reversing, manipulating, personal aviation vehicle, eBook delivery, tech news, NSO Group, Microsoft, H&R Block, ransomware takedowns, Apple Mail issues, encryption advancements, Linux updates, Android updates, malicious apps, data breaches, security features, Signal, Bitwarden, GitHub, staying informed, staying secure

Transcript

NC_2024_03_03


[0:00] Music.

[0:12] And this is show number 982. In this week's episode of Programming by Stealth,

CCATP #788 — Bart Busschots on PBS 162 of X — jq: Altering Arrays & Dictionaries

https://www.podfeet.com/blog/2024/03/ccatp-788/


[0:19] Bart Busschots is back to teach us how to alter arrays and dictionaries in JSON files using JQ.
Bart went through his challenge solution on cleaning up the Nobel Prize database, and I learned a lot from it.
Maybe he'd already taught all of it to us before, but I sure wouldn't have been able to get there to put the pieces together the way he did.
I had to confess during the show that I did not get my homework done last week, but I used two excuses.
One, I'd been playing with the grandkids, but the other one was that I was having so much fun working on the XKPasswd web app with Helma and Mike Price, and Dorothy's been weighing in on it, and Steve Matan's been doing a little bit of help in there.
So we've been having a lot of fun with that, and I kind of forgot to do my homework.
In any case, for the new content, Bart taught us how to alter arrays.
We mastered sorting and reversing arrays, how to add and remove elements from them, how to deduplicate the values within, and how to even flatten nested arrays.
From there, we learn how to manipulate dictionaries by adding and removing keys.
It's a very focused lesson that continues to show how powerful the JQ language is.
I think my favorite part of the show, though, was when Bart made an existential philosophy observation, and he said, everything exists with the value of null, Allison.
All right, let's get started with our first CES interview this week.

CES 2024: Pivotal Helix Personal Electric VTOL Aircraft

https://www.podfeet.com/blog/2024/02/ces-2024-pivotal/


[1:40] You see a lot of interesting things at the shows at CES, but inside PEPCOM, I've never been before seen what looks to be a helicopter, but I think Greg Larry's going to correct me immediately and say it's not a helicopter.
This is a personal aviation vehicle, also known as an electric vertical takeoff and landing aircraft.

[1:58] Okay, so tell us about it. I'm just going to get in my own little VTOL and go flying, huh?
You do have the opportunity to fly wherever you want with this aircraft.
It's designed under the FAA's Part 103 regulations, which means that you can fly the aircraft in Class G airspace, which are typically rural or unpopulated areas, which represents about approximately 90% of the U.S. land in the United States.
Nothing where I live in L.A., but everywhere else, right? As with me.
So this is an unusual-looking aircraft. Can you describe it for our audio listeners?
Yeah, so this again is an electric vertical takeoff and landing.
It'll take off directly from this position, pivot straight up, and then convert to cruise flight.
And from that point, then it utilizes the fixed wings or the fixed wing and tilt architecture for efficiencies in flight.
Whereas if you did not have the wing, you'd exert a lot more energy in that forward flight momentum.
So this particular aircraft has been in design for quite some time, about 10 years.
It's built with complete safety with dual redundancy and, in some cases, triple redundancy.
So you'll see that some of the safety features on the aircraft are dual elevons.

[3:17] We put floats on the aircraft, and the FAA gives us a little bit of a weight benefit by doing that.
So in the event of a water landing or an emergency water landing, the aircraft will float.
Not an intentional water landing. Not an intentional one. And we have tested the aircraft to do takeoff and landings from water, but that's not what the aircraft is designed for.
Okay, so across the back here, we've got four propellers.
Yeah, you have four motors.
Again, with redundancies, there's two batteries per propulsor, as we call it.
The aircraft also has radar altimeters below the wings, one on each side.
And that enables the aircraft to self-land and also take off automatically.

[4:05] So two different modes of flight there. So you can take off and command the aircraft to go from cruise, I'm sorry, take off the cruise flight and then take over the aircraft and control it from then.
And then when you come down to land the aircraft, You pitch the aircraft in the landing configuration, and at 15 feet above ground level, you can program the aircraft to automatically land at that point, literally hands-on.
So the tricky parts are better done by machines in this case than they are by the… And again, those are the most critical phases of flight of any aircraft, and we try to make that as simple for the pilots.
Wow. So it took me a minute to put together that you said E before VTOL, so it's an all-electric.
All-electric. That's crazy. That's really cool. The aircraft can be charged on a 120-volt circuit. It'll take about eight hours to charge the aircraft at that point.
But there's also a fast charging option for the aircraft that allow it to, in some cases, charge as low as 45 minutes up to two hours.
And then that allows the pilots to get back up into the air and go have fun.
I was going to say, I think that's faster than my car, that is.

[5:09] So how long can you fly? A little over 20 miles and 20 minutes are the limit.
So, again, under FAA Part 103, we're limited to 62 miles an hour.
So we use 60 miles an hour as the speed.
Okay, and you said 20 minutes you can fly? Yeah, 20 minutes or roughly 20 miles.
So depending upon where you're flying to, if you're going from point A to point B, and you have terrain obstacles, heavy traffic that you can go around in a relatively unpopulated manner, it's a significant commute opportunity for somebody.
Yeah, this could be really interesting. So, this is obviously a prototype we're standing in front of, but when do you expect to actually have this in production?
The aircraft was announced to sail for the general public about three hours ago.
Oh, my goodness. For delivery after June 10th.
All right. Now, I've got to ask you, what's the price point on this?
The base price is $190,000 with the ultimate package, if you will, $260,000.
That's actually a lot less than I expected it to be. So if people wanted to learn about Pivotal, where would they go?
They go to Pivotal.aero, and there's a website.
If somebody wants to purchase the aircraft, there's a nominal $250 non-refundable deposit, and then there's a process that flows from there that secures your shipping window date, and then the aircraft delivers beyond June 10th.
And are there pilot qualifications for the human?
Again, there does not have to be a pilot certification.

[6:39] We train the pilots, and we've already trained some initial owners, some early adopter owners, and that ranges anywhere from 10 to less hours, depending upon their skill sets and capabilities. In some cases, it might take a little bit longer.
Wow, that's really cool. Well, thank you very much, Greg. This is really neat.
My pleasure. Thanks for coming.

[7:01] Now, maybe that is out of most NosillaCastaways' price range, and maybe you live in a place where that's not exactly affordable, but it's one of those really fun things to see at CES to see the future that maybe we'll finally have what is essentially like a flying car.

BG’s Tiny Tip - How to Send Project Gutenberg Books to Kindle

https://www.podfeet.com/blog/2024/02/project-gutenberg-kindle-bg/


[7:17] BG in our Slack posted an interesting question, and with a little help from Graham S., he was able to find the solution to his own problem.
BG is a big fan of Project Gutenberg, which is a resource for downloading public domain, free ebooks.
The flashier titles are the classics, such as Little Women, Frankenstein, and The Great Gatsby, but there are 70,000 free books for you to download in Project Gutenberg.
Before we get into the problem to be solved and BG's solution, there's one caveat to using Project Gutenberg, and I'm going to quote from their website.
Project Gutenberg is entirely based in the U.S., and we follow the United States law for copyright.
Not all items that are public domain in the U.S. are public domain in other countries, and vice versa.
If you are operating outside of the U.S., you should get professional guidance on how to proceed for things like redistributing Project Gutenberg's content.
For basic information about Copyright Elsewhere, try this link to the online books page.
All right, that's set aside. Now let's talk about the problem to be solved.

[8:20] BG posted that he was having trouble moving Project Gutenberg eBooks to his Kindle using his Mac.
He said it was easy to download and open in Apple's native app Books, but he wanted his downloads to open in the Kindle app on his Mac, not Apple Books, because that would allow him to sync the books across multiple devices.
He said that using a Mac to try to interface with Kindle seems more difficult now than it was in previous macOS iterations.
However, if one uses iPadOS, all one has to do is press the correct format and it automatically downloads to the iPad's Files app.
From there, it's easy to share directly with the Kindle app.
He was trying to figure out how to do the same thing using macOS.

[9:02] While the discussion was going on in Slack about this, I installed the Kindle app on my Mac and downloaded a book from Project Gutenberg.
I right-clicked on the file and chose Open With, and as Bob said, the option to open in Apple Books was right there.
I tried it and it opened up right in Books.
I right-clicked it again, and since the Kindle app wasn't visible in the list, I had to override Recommended Applications to choose the Kindle app to open the file.
The weirdest thing happened, though. As soon as I chose Open in Kindle.app, the file disappeared from my Downloads folder.
I couldn't find it. I didn't know where it was. I ran a search inside the macOS version of the Kindle app and the book I requested was not there.
I did a finder search and the book had moved to my user library containers com.amazon.lassen.data.documents.

[9:56] Seriously, there were no other Kindle books in that directory.
So as Bob said, something between the Kindle app and macOS is definitely broken.
At this point, Graham S. broke in with a solution that when he said it, I don't think either BG or I actually understood what he was trying to tell us.
We'll kind of circle back how he actually told us the answer, but we didn't get it.
Graham S. wrote, I just went to PG, downloaded a book in EPUB 3 format, opened Send to Kindle, selected the file, and Bob's your uncle.
Now, as a quick aside, I love that Graham S. used Bob's your uncle because BG's real name is Bob and he's actually Steve's uncle.
All right, back to the discussion at hand.
So, Graham S. included a very helpful screenshot of the Project Gutenberg page where he showed that you need to download the version that says EPUB3, parentheses, e-readers including send to Kindle, not the one labeled Kindle.
The one labeled Kindle is a Mobi format, so you'd think it'd be the right choice, but in November of 2023, Amazon stopped supporting Mobi format on Kindle.
Be great if Project Gutenberg renamed that one for us. BG eventually found a way that works for him, and it's pretty elegant.
I'll let you hear it in his own words, the path he found to discovery and success.

[11:13] He wrote, I finally discovered a better way to download Project Gutenberg eBooks from a Mac.
I complained before about the difficulties using copy and paste configurations because I was not using Finder properly to email it to my specific Kindle devices.

[11:27] Initially, I wanted to do the same thing with my Mac as I do with my iPad.
For my iPad, it's a simple one-click procedure of downloading to the iPad's files and then share with Kindle.
It then downloads to my Kindle library where I can open it with all of my Kindle devices.
But with a Mac, I had to email the books to each specific Kindle device.
Today, I discovered a better way. I downloaded an app from Amazon that makes the process much better.
I installed the app called Send to Kindle that I downloaded from Amazon.
So this is me talking for a second. Let me take a quick break here.
This is what Graham S. was trying to tell us. When he said he opened Send to Kindle, he was talking about an app that he had downloaded called Send to Kindle. Neither Bob nor I had that app.
Now, I suspect that Graham has been using it for so long that he kind of forgotten that he had to download it for the option to exist in the right-click menu when selecting EPUB books. All right, back to BG's solution.
He says, now that all I have to do with my Mac is a simple download.
I go to my Mac's downloads and simply slide it over to the new Send to Kindle app icon I keep in my dock.
It then uploads the ebook to any individual Kindle device of my choosing without manually entering an email address for each device.
And it stores it in the Kindle library, which is accessible on all of my Kindle devices.
This is the solution I wanted from the beginning.

[12:51] Now, after BG shared this final solution, I decided to give it a try myself.
I downloaded The Importance of Being Earnest by Oscar Wilde from Project Gutenberg in EPUB 3 for Send to Kindle.
You hear that? It's called EPUB 3 for Send to Kindle. Again, there was another hint that there was something called Send to Kindle, but it wasn't obvious.

[13:12] Anyway, I downloaded the Send to Kindle app, and while it's a rather janky looking and clumsy app, it mostly does what it says on the tin.
I don't like to clutter up my dock with a lot of apps, so I tried to follow the directions in the documentation.
In the documentation, they have a screenshot showing Send to Kindle in the right-click menu at the bottom below Quick Actions.
Unfortunately, it's not there in macOS Sonoma, so the instructions are kind of old.
I tried Open With, and Send to Kindle wasn't on the list.

[13:41] All right, let's look in Other. When it showed the list of recommended apps, Send to Kindle wasn't there. All right.
I finally figured out that Amazon's package installer puts Send to Kindle in a separate folder of the same name along with an uninstaller app.
This is really the old school way of delivering software.
Once I pulled the app out of the folder, it was visible as a recommended application.
It also showed the option to always open EPUB files in Send to Kindle.
This would allow you to double click on any EPUB file and simply open it in the app.
When using the right click method to open the book importanceofbeingearnest.epub with the Send to Kindle app, Mac OS did something strange.
You know how if you try to open an app from an unsigned developer, you'll see an alert that Mac OS can't verify the developer?
Well, it did that for the book, not the app.
It said, I can't verify the developer of the EPUB as though it was an app.
It says Mac OS cannot verify the developer of importanceofbeingearnest.epub.
Are you sure you want to open it?

[14:45] Well, a lot of confusion here. Once I got past that hurdle, the Send to Kindle app showed me the 28 devices I had registered with the Kindle app.
I hadn't cleaned up my devices in so long, there was an iPhone 6 still on the list.
I went to Amazon via a web browser and found the Manage Your Content and Devices page, and under Devices, I was able to clean things up so it'll be a lot easier the next time I use this.
After I beat all this into submission, I found the importance of being earnest and the front page reiterated the warning that I gave up front from Project Gutenberg.
The books are only licensed for people in the U.S., and your mileage may vary if you're from another country.
Now, I have to side with BG here. Something between Amazon and macOS has really made it more difficult to send books to your various devices.
I'll be sticking with using email to send to my Kindles, probably, but I'm glad BG was able to find his solution with Graham S.'s help and that he shared the solution with all of us. The power of the community in our Slack at podfeet.com slash slack is really great.

CES 2024: GE Profile Smart Indoor Smoker

https://www.podfeet.com/blog/2024/02/ces-2024-ge-smoker/


[15:49] One of my favorite podcasts is Barbecue and Tech with Chris Ashley and Rod Simmons.
So we had to stop by the GE booth right away to see the GE Profile Smoker.
I'm talking to Andrei Zdanov.
That's correct. Great to meet you. Yeah, and welcome to the GE Profile Smart Indoor Smoker with active smoke filtration.

[16:09] Okay, so I'm going to warn you up front, this is an audio podcast, but some people will watch videos, so describe everything in detail.
What are we looking at here? All right. So this is a countertop oven that is a wood pellet smoker.
So what truly makes it the first of its kind is the active smoke filtration technology that we've brought into the product.
It catalyzes the smoke to remove almost all the particulate and carbon monoxide so that it's safe to use inside the home.
Okay. That was going to be my very first question, but I got to tell you, wafting towards me, nobody on audio or video is smelling what I'm smelling come up in that smoker.
So you get the smell, but you're not getting the particulate.
That's correct. Not the particulate. You're not getting the unhealthy CO.
You're getting mostly just vapor, de minimis, particulate, some CO2.
So it's safe to have in the home, but you are going to smell good home cooking.
Yeah, there you go. So it looks like a tall square microwave oven to me is the way I'd describe it in size.
Yeah, that's a fair way to put it. A bit like a countertop oven, but flipped on its end. So it's a little taller than it is wide.
Right, right. So how does this work? I see some nice displays and a dial that's going around and something delicious cooking. Yes, all I know so far.
So we have about a eight pound pork butt in there. Well, how big is that today chef?

[17:20] We've got a seasoned eight-pound pork butt in there. And so this is a wood pellet smoker.
One of the other things that's interesting about it is because it's a countertop oven, it's electric, it doesn't use the wood pellets as a heat source.
So we consume very few pellets. You're able to dial in how much or how little smoke flavor that you want in the product.
So for those who are watching, this is the pellet hopper where you would load your pellets in the top.
And I will mess with things as I do that. And so we have a nice auger that moves those pellets past the igniter and gets them to just release the sweet aromas and flavors that you just love.
The first thing to burn in wood are the sugars and that auger will move the pellet down to our waste bin here in the bottom right of the unit and we have the user fill that with water.
We extinguish that pellet while it's still in ember and that lets us get all those sugars all those sweet flavors and aromas but not the accurate or sour flavors that you would get if you burn it down to ash.
So we're extinguishing them first. Okay, okay, that makes sense.

[18:20] So I'm going to mess with you here. Chef Dallas McGarrity is on the side here.
What is it we're cooking here?
So we have about an 8-pound pork butt in there. I rubbed it down with my barbecue rub and just popped it in there with some of the Kona pellets, and we got it going.
So I'm guessing that you use a quote-unquote real smoker from time to time, right? Oh yeah, this is for personal use, mainly for me at home, but I'd have the big smoker outside.
But it's a lot more of a mess, and it takes a little bit more of my time to work on it.
So this is easy for me to do at home, and I've got the app, and I can look at it online and all that stuff, so it's easy.
So you can still do the creativity part of making a smoked meat, but not have to go outside and deal with the timing issues as much because this is more automated?
It's more automated, it's also more consistent because the heat is more consistent than what you have to mess with outside.
So outside you're messing with the heat over and over and over.
This it's a very consistent heat so you know it's going to be done in a certain amount.

[19:18] So it helps a lot when you're planning dinner for four people at home, you know?
And so it is about four people at home.
I mean, if they weren't Americans, you could probably get 16 people.
But four of us, I'm thinking you could get off this pork butt.
So this is all app attached and all that kind of stuff?
It is app attached. That's going to allow us to continue to drive continuous improvement to the product.
That's one of the things GE Profile is known for with our smarter products.
The app lets us launch updates and also some guided cooking with some of our products.
But it also really allows you to be kind of the master of your domain because you're going to get alerts as to what's the temperature of the thing that I'm cooking.
We have an integrated probe in there that's sitting in that pork butt.
So Chef knows exactly what that internal temperature is, whether he's multitasking, answering the door, mowing the lawn.
And it'll let you know if you need to empty your waste bin, add pellets.
So it really lets you be in control without having to be as hands-on.
That's a nice compromise. So you just released this just recently, right?
That's correct. It's just launched at retail here in January.
It's rolling out at retailers nationwide.

[20:24] Suggested retail price is $9.99, and it is a brand new launch for us.
It's really, really exciting. I know we've done a little bit of smoking here.
Steve has done some smoking, inspired by barbecue and tech, going to give them another plug.
But the idea of buying a big outdoor smoker has been kind of prohibitive for us. He's got a question here. You can buy it now?
Yes, I believe you can buy it now. Yes, you can buy it now. It's shipping now, multiple retailers nationwide.
That's fantastic. Well, I'm just going to get off here and find out when Chef McGarity is going to be done. Get me a little bite of that pork belly.
That sounds fantastic. Enjoy the rest of your show. All right.
And where would people go to find this?
It's available at Best Buy, Williams-Sonoma, Amazon, many retailers, Crate and Barrel as well.
Very good. Very good. Thank you very much, Andre. My pleasure. Thank you.

[21:11] Well, I would like the record to show that we did not get to eat any of that wonderful smelling meat that they were smoking.
Another thing, Steve has been doing a fair bit of smoking lately.
He's been talking a lot to Chris Ashley of Barbecue Tech, and he's been a big influence.
And a couple of times recently, Steve made ribs for us, and he did some down at Lindsay's house where she had borrowed her brother-in-law's smoker, and they were absolutely spectacular.
So we have decided absolutely positively not to buy a smoker because we would be smoking meat all the time and eating that and it would not be good for us.
It was so delicious that we need to keep that as a once in a while kind of thing.

Support the Show

https://podfeet.com/paypal


[21:54] Are you ever listening to one of my shows or maybe reading one of my blog posts and realize that something I've reviewed solved a real problem for you?
Or have you discovered software that makes your life easier?
Or have you maybe just been entertained?
Maybe at those times you think, I really should support this free content I'm enjoying so much.
Well, that's exactly what John Murray and John Atwood independently did this week.
They marched over to podfeet.com slash PayPal and typed in a dollar figure that showed their appreciation for the work we do here at the Podfeet podcast.
And they both write very nice little notes about what they enjoyed about the shows. You know, you too can be awesome like John and John.

Security Bits — 3 March 2024

https://www.podfeet.com/blog/2024/03/sb-2024-03-03/


[22:34] Music.

[22:43] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Happy March, Bart. Indeed, yes. It is the third of the third.
Not 2023, though. 2024. So we don't have that many threes.
Still, though. No. All right. Well, let's jump right in. Yeah, we have plenty of follow-ups on sort of stuff we've been talking about before.
So our friends at the NSO group had a bad week. Let me find the world's smallest violin for them.
A U.S. court has ordered them to hand over the source code for Pegasus.
To Meta, because Meta are also suing them. So Apple are suing them in a whole different court case.
But because they attacked WhatsApp, Meta have a court case against them as well.
And it's that court case that has resulted in, as part of discovery, the NSO group having to hand over the source code for Pegasus to Meta, which is nice.
Now, the implication of them handing over the source code is...
Meta will know exactly how it works. We all get to look at it?
I don't know if we will get to look at it, Just because it's being handed over in discovery, it may or may not make it into evidence in open court.
But at the very least, Meta's engineers will be able to tell us what they found in court.

[23:58] So whether we get first hand or second hand, I'm not sure. But the secret is leaving Israel.
So that is definitely good. Good.
Also, Redmond have followed through on the promise they made to the U.S.
Government when they had their nasty... Redmond? Microsoft. That's a city.
Sorry, yes. Like, Cupertino is Apple, Redmond is Microsoft. I keep forgetting.
I need to also say the name of the company. Sorry about that.

[24:25] Okay, so start over. Yeah, so Microsoft have followed through on the promise they made to the U.S. government when they... There were a bunch of US government Office 365 tenancies hacked by what turned out to be China.
About a year ago-ish. And it turns out that the attack left traces in an audit log called Purview, because Microsoft have a brand name for everything.
And by default, you get Purview for 90 days.

[24:58] One of the ways Microsoft promised to do better in future would be to up that to 180 days for government customers. And that is now true.
So would that just be so you can figure out what happened? Right.
It makes it way easier to understand, did they get, like, if something bad happens, I know this from first-hand experience, when something bad happens, the question is, what did they do?
So if you just... Oh, what did they do while they were in there?
So if you discover at 91 days that something happened, you would have lost your logs.
Whereas now you have half a year, basically.

[25:33] To... and okay, to say this is, this audit log is detailed, is to put it so mildly. This thing is so chatty, so many gigabytes per day. It is pretty much every individual action in Office 365 a user does: Bart opened this Word document, they inserted a paragraph here, they scrolled down here, they edited a comment here. So with these audit logs, if you know an account has been compromised, you can actually say the baddie's got this, this, and this, but nothing else.
It's a very powerful log. Okay, so you can either sleep at night or just hide in the corner.
What is a tenancy? I don't know that. Yeah, it's the word that we've ended up using, right?
Because you think of Office 365, no, no, let me explain.
It's a word that was picked because there isn't a better one.
It's not a sensible word, it's just a word we picked. So when you buy Office 365, you actually get like a little private copy of Office 365 for you.
And then if I buy Office 365, I get a different copy of Office 365 for me.
And so each of our little copies are little islands and they're called tenancies.

[26:45] And all you do, your data is islanded in your tenancy. So the tenancy is like a little boundary.
It's like your lot in a housing estate or something. It's like your little backyard.
Everything you do is entirely trapped in your tenancy when you're a corporate customer.

[27:03] Oh, sorry. This is for corporate customers. It's the difference between buying Office 365 for an organization, be it, it doesn't have to be a company, it could be a school, it could be anything, right? But when you buy it as an organization, you get a private copy.
When you buy a one-off license, you and 100,000 people share a tenancy.
But you have no idea you're sharing a tenancy, right?
It's a difference between an organization versus an individual.
When you're an organization, you're an organization. Okay, but when you said Allison buys a copy of Office 365, she has a tenancy. Okay, no.
Podfeet buys a copy of Office 365 because Podfeet has become a big corporation with three or four people. Oh, okay. Okay. Okay. So you said it backwards.
Yeah. Okay. So it's when companies install for a corporation, that's a tenancy. Yes.
And it's a little island where your universe. So when you go into your admin panel, you control that island. I was just trying to get to, this was a corporate word, corporate-y word.
This isn't something regular people would be using. It's organization.
So even a family plan would have it. So our family used this plan.
So anyway, it's organization.
Think organization, which is actually the word Microsoft used.

[28:15] Okay, the difference between 1Password for Families... sorry to take a long hole, I just... words that we don't know, it's actually very important, because a lot of cloud services are like this. So 1Password for Families versus 1Password as an individual: with 1Password for Families, you have a little tenancy, a little island where your control panel lets you control users and control vaults. That's your little tenancy within 1Password. Is that an analogy, Hope?

[28:43] Sure. I haven't ever heard it used anywhere else like that. Yeah.
Okay. Anyway, it's a thing.
We talked last time about the Federal Trade Commission cracking down on one of those famous tax companies.
I think it's the one that's the most famous one. But anyway, they're cracking down on another famous tax company.
H&R Block have been sued, in fact, by the Federal Trade Commission for deceptive online ads where they offer a free online filing service that costs you money, which obviously is not free.
And this is all in the lead up, obviously, to April when lots of people will be making use of these kinds of services.
So, you know, now is the time. So I'm glad to see this continue.

[29:28] If this was a podcast about filing your taxes, I would have a perfect palate cleanser.
There's a woman on TikTok who does these great things where she's playing two different characters, and one of the characters she is is the federal government, and the other person is the person trying to file their taxes.
And as the human, she says, so why don't you just tell me how much money I owe?
And the government goes, no, guess.
She goes, yeah, but you know how much I owe. Yes, I do. Guess anyway.
Okay, but how am I supposed to answer the questions on these files?
She goes, oh, you mean the pre-prison forms?
These are, if you file it wrong, you're going to jail. And it goes on and on, and it's absolutely delightful. It sounds wonderful. You do know that you're in a country that's in a minority for not giving you your tax forms pre-filled? Most of the world, the government know what you owe them. They send it to you, you go, yeah, I agree, you sign it and you send it back. That'd be lovely. So, you know, we're in the minority? Or just the countries that, you know... My understanding, based on an episode of Planet Money, is that you're in the minority, and apparently it's down to lobbying by the large companies that do the tax filing websites, Intuit and the like, because they make a fortune.
Intuit was the company you were trying to pick up. It was, yeah.
They are exactly the people who successfully lobbied Congress because it was actually an act that nearly passed into law to have the government pre-fill your form and Intuit got it killed. Jesus Christ.

[30:52] Anyway, make me cranky. Okay, stop. I know, yeah, sorry, that was meant to be a palate cleanser, not an opportunity for me to rant.
Anyway, we talked the last two installments about ransomware because first we said, yay, it's going away.
And then we said, oh, no, when you look at the numbers differently, it isn't going away.
But it's been a really busy two weeks in terms of ransomware and a bit of a roller coaster.
So I'm just going to read you the headlines in the order they happened.
But police arrest LockBit ransomware members, release decryptor in global crackdown.
For context, LockBit has about 25% of the entire world market of ransomware.
They are like if you do a pie chart of the ransomware people, they are the biggest piece of the pie.

[31:37] Quite substantially the biggest piece of the pie. They're the single biggest actor.
So seeing Interpol successfully take them down was a big deal.
The fact that they stole the private keys and released a free decryptor so you could decrypt yourself was also particularly nice.
And the fact that they were able to make a few arrests was also very pleasing.
But everyone was pretty sure that in the cat and mouse game you cannot take out one of the largest cyber criminal organizations on planet Earth in one police raid.
But nonetheless, it was a big deal. The United States government doubled down and said, we will give out a $15 million bounty if you can lead us towards some more arrests, which is not insubstantial.
And they discovered the source code to what would have been their next release, which was a redesign of their entire software, which they had actually called LockBit-NextGen or NG.
So the file is actually called LockBit-NG. So they stole their source code for what was about to become their newest release, which is another kick in the whatevers.
And they discovered $110 million of unspent Bitcoin, which was all the good news.
And then midway through this week, LockBit resurfaced with brand new servers and new victims.
So it took them about a week to start up again. Cat and mouse.

[33:03] Still, though, it's nice to see them get a fairly substantial knockback from police. Some progress. Absolutely. Um, we have also talked a lot about malicious advertisers sneaking their way into various things, and, you know, attacks sneaking through systems that used to not let them through, and we were wondering how are these kind of things happening. Um, I've just noticed my show notes haven't quite been updated. This isn't actually malicious ads, this is spam getting through Google's spam filters. It's not ads, it's spam in Gmail. And not just Google's ad filters, lots of people's ad filters. Not ad filters, spam filters. Wait, could this be my problem?

[33:49] Could this be my problem in Apple Mail, Bart? It is certainly, it is likely one of the sources of your problem.
There are many sources. I'm not sure, I've complained, I complained about it on Programming by Stealth yesterday, but I am barraged with spam in my inbox and real replies to emails I have sent go into spam.
So I sent an email to Brett Terpstra, he replied, it went into spam.
Spam. I said, moved to inbox.
When I replied, then he replied again and went back to the spam box.
You know. And it's like, I've been going on for six months now.
As much as I would love to say this is why I'm afraid to say that's a false positive. This is having false negatives. This is the opposite problem.
No, it's both, Bart. It's both, though. I sent you a screenshot just yesterday of like obvious spam, something filled with 00 dash dash, 00 dash dash, an entire email.
That's all it is. And that came into my inbox.
And I get them all the time. But then half of your problem could be related to this.
The half of the stuff getting in that shouldn't.
What has been discovered is a massive campaign where major brands have misconfigured subdomains.

[34:58] We have gotten quite good about enforcing the DNS level email protections.
So if you own a domain like podfeet.com and you don't have what's called an SPF DNS record, you will now get all of your email blocked by the major providers like Google and so forth as being probably spam.
All of your legitimate email will be blocked. Which makes it very hard for the spammers.

[35:29] Okay. And these DNS records, if you don't set them up right, they don't just give permission to your domain, they also leak permission onto subdomains.
And so if you're careless... And a subdomain, again, would be like beta.podfeet.com would be a subdomain.
Exactly. And so if you're a major corporation, you will have lots of subdomains.
And you may use a subdomain for some sort of marketing campaign and then forget all about it and stop using it.
And the attackers have managed to wrest control of hundreds of subdomains on legitimate companies whose DNS records allow them to send spam.
So they are piggybacking off of the reputation of real companies because those real companies are being careless with their email protection.
So they are literally stealing reputation from large organizations.

[36:29] Really important that you set your settings correctly. So again, it explains why, because I've been trying to figure out how are they getting by really big companies like Google? Well, this is one of the hows.
There are many hows, but this is a new how.
When I saw how it worked, I was like, oh, yeah, that'll do it. That'll do it.
The last bit of follow-up then, we also talked a heck of a lot about the DMA, the Digital Markets Act in the EU going live, and that is rapidly approaching.
It is March. This is due to come into effect on the 24th of March.
The law and Apple are, I believe, dropping their software update next week, I believe is the date we've been given.

[37:11] So this is all happening. So there's been lots more news about this and thankfully I get to do a TLDR, sort of a rundown of a lot of this stuff instead of going into detail.
So there was briefly a horrible kerfuffle about the almost never used feature of the progressive web app, because Apple took it away in the EU in the beta of iOS 17.4 and everyone got very cranky, and EU lawmakers said that they were going to fix to make a plan to do an investigation, and Apple said, well, we can't allow progressive web apps to use any browser engine or it's a giant big security problem, that's why we took them away for Europe. And then people kept getting cranky, and Apple said, okay, fine.
We'll just leave it the way it is. They're WebKit only.
And now everyone's happy, and everyone's saying that Apple did a U-turn, and what Apple actually did was successfully manage to exempt themselves from having to let third-party browser engines do a pretty scary thing, which is a progressive web app.
So probably. So I'm really surprised that they're okay with that.
I would think that Apple would get, again, another black eye for having anything to do with that. Yeah, they're getting the opposite of a bad guy. Pat on the back.

[38:29] That's crazy. So to make sure everybody knows what we're talking about with progressive web apps, that's where you take a website and you say, I want to save that to my home screen.
So, for example, maybe you want XKPasswd to be available as a web app.
You could just make it as a web app so you don't have to open a browser and you don't get all the chrome, if you will, around it.
Yes, and your web app that is now sort of a kind of a hybrid-y app can do push notifications.
It can ask for permission to track your location and stuff.
It can, but it can... Yeah, I didn't realize it could do all that until I started reading about this. Yeah, that's what makes them progressive.
Other than that, it's just a link on your homepage. A progressive web app uses extra APIs that only exist for PWAs.
And they have a lot more power, which is why Apple are very keen to not let a third-party engine do that because the engine is responsible.
So imagine you download a PWA for Google Maps, and you give it access to your location.
If a browser engine that is not Safari or WebKit is powering that, if you install a second PWA from a dodgy source, which could be anyone, because any app could just have a button saying, add me to your homepage, then the permission could be leaked by the other browser engine into the other app.
And the only way Apple can protect you is if Apple control the sandboxing of each individual PWA.

[39:53] So I have a question on that. In my reading, I saw them saying you have to have certain entitlements.
And I don't understand how you request those entitlements because you're not in the App Store.
The engine has entitlements. How do you request an entitlement?
The engine has... Sorry?
You don't request an... You request a permission. So the PWA says, I want location.
And then the user gets a pop-up. So it's a user permission it's getting.
Okay, and that gives you the entitlement when they say yes? Yes, exactly.
So the user says yes, and the operating system goes, ah, okay.
The user has said yes to that app.
But all of the PWAs run by a hypothetical Firefox engine would be the one app in the background.
So all of those entitlements are collected together, and it's up to the app to correctly sandbox them, and Apple have lost control, which means the possibility of a bleed between PWAs is impossible for Apple to protect from.
Therefore, they are saying we're going to make it WebKit only, because we know we can enforce these firewalls within WebKit, because we have been doing it for years safely. Okay, okay, I got it. And at the end of the day, almost no one uses PWAs, so this is a very big straw and a very small teacup.
But Apple got their way, which is interesting.

[41:13] Spotify are still cranky, and Apple, along with Epic, they have written an open letter saying, Dear EU, we don't like Apple's compliance plan with your law.
And the more I have been studying this, the more I think that Apple's compliance is actually pretty darn good because the Digital Markets Act isn't what Spotify wished it was.
It also actually is written into the law that companies like Apple have a responsibility to protect security.
So Apple are both charged by law with allowing competition and with allowing competition in such a way so as not to compromise security and privacy.
[42:19] So I think Apple are more in tune with the law than people realize. And the fact that the head of enforcement was over in Apple HQ about a week and a half before Apple made their big announcement, and tweeted about it, including a photo of her with Tim Cook... I think Apple may be on more solid ground than Spotify and Epic realize.

[42:19] I find it hilarious, just because, like, Epic, did you really think they weren't going to do this? Like, I mean, hopefully they had their filing papers ready because they knew Apple would do it. Certainly, right? They said anyone clever within their legal department had been doing their homework for months, right? We shall see. Right, right. Um, speaking of writing, Apple released a detailed white paper.
It's 32 pages. I read it all.
I'm not necessarily recommending NosillaCastaways read it all, but I am recommending you give it a skim because the headings are quite clear and then you can dig into the bits you care about.
But basically, it lays out what Apple is doing, which we already kind of knew, but also the why.

[43:05] And it's full of history. Industry, we have observed over the last 10 years that attackers like to do X thing, therefore we have added Y feature to our App Store's processes within the EU. And so it's all of the whys behind the things Apple have chosen to do, and they're all backed up with: we have experience of this happening, example blah blah blah; we have experience of this happening, example blah blah blah. And it's also the most detail I have ever read from Apple about what it is that app review actually does, because they make a big point of explaining the difference between notarization and app review.
And the only way they do that is by describing in detail both. Right.

[43:55] And one is a subset of the other. Oh, okay. App notarization is a subset of app review. Right. They also lay out numbers of employees.

[44:04] Because they also explain that the reason that you need to have a decent amount of money on file is because running an app store is really difficult.
And you are constantly going to be playing cat against a whole bunch of mice who are all trying to defraud everyone because cyber criminals are very real.
And that only a larger organization can do it. And they lay out how many employees they have to do this work and how setting up an app store is not something you do on a whim.
It is a lot of work. And they back it all up.
It is a fascinating read and it is the most under the hood I've seen of Apple.
And it does a pretty... None of their justifications seemed silly to me.
Like you may come to a different conclusion based on the same facts, but it's all reasonable. It's all sensible.

[44:54] So you think it's out there now as a warning to companies who want to create their own app store?
I think it's out there as a justification. Like, don't forget all this stuff.
It's more of a justification for why they have not said anyone can make an app store.
Why are there still rules to be allowed to make an app store? This is the why.
And it's a preemptive strike against, frankly, Epic saying, you're not complying with the law.
And Apple are like, well, actually, no, we have a responsibility to protect users, and this is why these rules exist.
This is the problem they solve.
It's actually a very good document. I was rather impressed. Now, it does contain some extra fluff.
They decided to, I'm assuming with permission, publish a whole bunch of letters to Tim Cook decrying how terrible it is that Apple are being forced to make their EU users less secure.
I'm sure they cherry-picked with the world's finest harvesting companies those emails they chose to put into that white paper.
But I'm sure they are also genuine, but I wouldn't read too much into those. A lot of the media got very caught up in the emails to Tim, but the rest of the document, the dry stuff, is the bit that I found absolutely fascinating. So it's a PDF, it's available to all, link in show notes. Also linked to two stories from Apple Insider giving a bit of a review as well. And then, finally, this stuff is real.

[46:18] Setapp aren't just fixing to make a plan.
The beta version of the Setapp third-party app store has launched.
If you are a beta developer running the beta versions of iOS, you can also run the beta iOS app store from Setapp.

[46:36] Oh, that's interesting. It's a lot of betas. That's an interesting maneuver.
Yeah. So it's real. I think that's a Ukrainian company, I believe.
I do believe they are, yes.
Yes, they are. Yeah. That's MacPaw, right? MacPaw, precisely, yeah. Yes, exactly.
So, you know, when people said no one is going to set up an app store, well, there's one.
And also, while being busy writing open letters, Epic are also busy creating an app store because Epic have confirmed that they too are releasing an App Store.
They just haven't done it yet. I'm shocked. I'm shocked.
I hope it costs them a trunkload of money. I was listening to someone explaining it.
Like, we think that 50 cents per user per year, oh my God, if you're a big company, that's millions of dollars.
And someone pointed out, have you seen what the profit margin is for someone like Meta?
They make tens of dollars per user per year.
So 50 cents per user per year is not actually catastrophic. It's probably saving those mega corporations who are monetizing their users effectively over the 30% that they would be paying now.

[47:46] Right. But they don't want to pay anything. Oh yeah, Tim Sweeney wants to pay nobody nothing. Yeah, that's Epic's CEO. But yeah, anyway, that's where things have developed since last we spoke. So that's all catch-up. And then Apple gave us a little deep dive to dig into. Apple have announced the post-quantum future for iMessage.
So Apple were one of the early people to the game with end-to-end encryption that's just on by default.
So we as Apple users have had that for ages and ages and ages.
And all of that is based on public key cryptography using standards certified by all sorts of big organizations, primarily from Apple's point of view, the National Institute of Standards and Technology, or NIST, in the United States.
Because A, they are world leaders in this stuff and B, Apple are American and they're American.
And so Apple's current cryptography is very robust.
In 2019, they upgraded from old style public key crypto to the fancy pants new elliptic curves, which means it's actually stronger math.
It's not based on factoring primes. It's based on solving curve, curvy things.
It's elliptical curves. It's a whole different type of math.
I don't understand either, but one is better.

[48:59] But both of those types of math are vulnerable to whole new types of math that can be done with quantum computers, which don't exist.
So right now, Apple are joining... Wait, wait, wait. Just clarify that.
Quantum computers do exist.
There are labs which contain devices which contain a few qubits which can do a calculation every now and then.

[49:27] For all intents and purposes, they don't exist because they can't do anything real.
They are, it's like what those, so.
They're still theoretical-ish? Very, very. It's like, you know, you see that research, like we could use a laser beam to eavesdrop on a conversation by looking at the vibrations of the window from 20 miles away.
It's like, well, in a teeny tiny situation, you can make that and you can publish a research paper, but actually you can't.
It's like that, you know. we are so far off and we have so few qubits and they have this horrible habit of decohering.
So if you observe a quantum system, it falls out of superposition and these things fall out of superpositions in fractions of a second.
So, you know, for the tedious and tiniest amount of time, you can sort of kind of do a calculation and then they literally fall out of being quantum.
Okay, I'm glad I asked. I thought they did. Okay, keep going.
They're not, yeah, exactly. Anyway, the point is the threat now is basically non-existent.
And yet, Apple are rolling this out in iOS 17.4 in a week or two. Why?

[50:35] Well, the answer is because of an attack called Harvest Now, Decrypt Later.
It's become quite cheap to store data for a long time if you're a large organization.

So you can build a massive data center and just, you know, that there are conversations between a Chinese official you care about and someone you think might be an informant in the United States. Or you're China and you see, oh, some stuff going to engineers at Intel, and I really would like to know how they make their CPUs so cheap, or whatever. You can harvest that now, and then when you have your quantum computer you're working very hard to build, you can then crack it and go back and read all the stuff. And if you've picked important enough people, what they have to say is still going to be relevant five years from now. And five years from now, it's quite realistic that we will actually have some real quantum computers doing actually useful quantum calculations. So we can't dawdle about this forever, and so actually now is the time. And Apple are not first to move on this, but they do deserve some credit here, because now that they have moved, in a very Apple way, they have now leapfrogged the first movers, and right now they are doing some stuff that I don't think anyone else is.
So I was a little sceptical at first because Apple sometimes oversell a little bit what they've achieved, and I wasn't sure if they were really ahead of the curve, but no, they actually are taking things one step further than the other leaders in this pack, which is the open-source Signal app.
They actually already have post-quantum cryptography deployed now.

[52:13] But their deployment isn't as powerful as what Apple are about to release in a week or two.

[52:19] So they have leapfrogged Signal, which is cool. Right, so let's dive in a little bit too.
So they've called it PQ3, which I infer based on their blog post they released, which goes into amazing technical detail.
Actually, they deserve credit again, because the blog post at security.apple.com, they are not hiding the details.
They are being extremely open and transparent about how they are protecting people's privacy and stuff, which is how cryptography should be.
The algorithm should not be secret.
The only thing that should be secret is the secret keys.

[52:54] And they have really, really shown us their homework. Really shown us their homework.
It's even longer, I think, than the white paper. This is Bart in heaven reading this, isn't it? Yeah, I did. I spent my entire lunchtime walk today reading all of it. I read it all.
I don't recommend the listeners read it all, but I do recommend you read the opening few paragraphs and the closing few paragraphs and skim the headings in between.
Because actually, if you do that, you'll get a really good idea of what's going on and why.
But anyway, in order to, I think, the engineers to explain to management what they wanted permission for, Apple have created their own categorization for encryption in messaging apps.
And they say very explicitly, we have invented this crude categorization.
They actually call it a crude categorization. So this is not some sort of formal standard.
This is Apple have made four boxes and everyone has been put into a box and they're called level zero to level three.
And Apple are the only company to be in level three.
No one else has made it there. And the reason it's called PQ3 is post-quantum level three.

[53:59] So level zero is no encryption or encryption, but not by default.
So unless you have encryption by default, you don't get to leave level zero.
And I'm kind of amazed that in 2024, the list for level zero is not empty.
The list for level zero includes Skype, hardly a small app. Go Microsoft. Yeah.
QQ, Telegram. I don't know who QQ are. I'm going to guess they're Chinese.
And WeChat, who are definitely Chinese, and therefore I imagine why they don't have default encryption.
I don't think the Beijing government are very fond of default encryption.

[54:37] So we already knew that about Telegram. We did. We've known that since we started using it, Bart. We know that you can enable it or not.
In my mind, I thought they had joined everyone else and gone to on by default, but they haven't. No, they haven't. That's always been so.
Anyway, there are levels. It doesn't mean you can't. It just means it's not on by default. So there are level zero apps.
Level one apps, encryption by default, but it's not quantum safe.
It's just ordinary encryption by default.
And there's a lot of apps in that category, Line, Viber, WhatsApp.
WhatsApp, obviously the biggest one there. Level two then is when things get fun.
Level two is the first apps that are quantum safe.
They have used quantum safe cryptography. And that is a category of one at the moment.
That is Signal. So the Signal app is the only level two app.
And Apple are saying we're better than Signal because not only are we using quantum proof algorithms like Signal are, we are doing regular quantum safe key rotation.
And this is the bit that's genuinely novel.
So we are pretty darn sure that you can't cryptographically crack one of these quantum safe keys, but you can leak a key.

[55:54] There could be a software bug in the app that accidentally puts the key in a part of memory it shouldn't be, and then it ends up falling in the hands of an attacker.
So just because you can't crack a key doesn't mean you can't lose a key.
And so while Signal successfully negotiates a key in a post-quantum world safely, the key remains with the conversation for the entire conversation's history.
I don't know about you, but I have had a chat with my parents for years.

[56:22] Right? Years! Right. So that key actually could be very long lived.
So if it leaks, it's actually a big deal.
What Apple are doing that makes their algorithm or their implementation level three is that as part of the standard process, every few messages, the keys rotate and there's no relationship between the previous key and the next key.
So cracking one key or stealing one key or losing one key is very, very limited in damage. They call it self-healing cryptography, because the thread becomes safe again very quickly.
So that is why they get to be level three.

[57:04] And why they're genuinely better than what's going on before.
If you go into the paper, you will know that they are using the Kyber algorithm, which is one of the ones that NIST has given candidate status for being the officially approved post-quantum stuff.
Lots and lots of detail there. The other thing, right, so I have lots of good things to say about this paper.
I think Apple have done a really good job of explaining why, what, and they have given due credit to their competitors, which is so pleasing to see.
And they haven't hidden it away in the bowels of the article no one will read.
The first line of the paragraph that is the conclusion, and you know everyone reads two things, introduction and conclusion.
They are the two things people read. The first line of the conclusion is, end-to-end encrypted messaging has seen a tremendous amount of innovation in recent years, including significant advances in post-quantum cryptography from Signal's PQXDH protocol and in key transparency from WhatsApp's auditable key directory.
That's their opening sentence. Basically, WhatsApp beat us to key transparency that we now added this January into iMessage and Signal were first to post-quantum.
We've just made it better.
And that's nice to see the engineers acknowledge that reality.
So I, as I say, I'm really pleased with this, this description from Apple of what they've done. And they really have done something original.

[58:27] They're also running... Is there any downside to them being transparent?
It seems like there's only upside to that, because they can help teach other people how to do it, and yet they haven't given away a secret.
They've just said, you know, here's a good way to do it.
Precisely. Follow me, or tell me what I've done wrong. Yes, exactly.
A hundred percent agree. You're absolutely spot on.
I also want to draw attention to two of the things I learned from my deep dive.
So they have given their algorithm to mathematicians, which is what cryptographers are.

[58:58] To mathematically test the validity of, basically to do a mathematical proof on their algorithm.
And they have two major researchers in pretty big institutions basically go, yep, we have analyzed this to the best of our ability, and this thing is sound in our judgment, which is cool.
And they basically have citations, who these people are, you know, all of that kind of stuff.
And they have also explained how they're running the two in parallel, for a while.
So the algorithms we're using now have had decades of testing and had all of the rough edges knocked off and we know they're secure because they have been tested in the field.
Without a time machine, none of these post-quantum algorithms are that robust because they simply have not had the decades of eyes and bits that these current algorithms have had.
So there may be problems found in the Kyber algorithm.
What Apple have done is they have chained the post-quantum algorithm with the current elliptic curve.
So to crack a message you need to crack both the elliptic curve and the Kyber.
So cracking one doesn't get you into the message.

[1:00:21] Is the ordering important? So what that means is that if you have a quantum computer and you can break the old elliptic curve, then you still don't get into the message because you haven't gotten by the Kyber.
If it turns out that Kyber is fundamentally flawed and we haven't noticed yet, we are no worse off than we are today because the elliptic curve is just like it was yesterday.
Is anything about this, this is just a naive question, is anything about this likely to make it harder to get into your own messaging?
Unless Apple make a terrible whoopsie, which they could do with elliptic curve crypto, right? They could make a whoopsie with the current crypto.
Nothing about this makes it inherently more fragile or anything.
If Apple mess up their crypto, they will break people's messages.
But that was true yesterday. It will be true tomorrow. It will always be true.

[1:01:10] Okay. Okay. Okay. That's good to know. So for this year, they're going to be running in parallel.
So if everyone in a conversation is on a new enough version of iOS, which is iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, then you will get PQ3.
But if any one person in a conversation has one device that is not new enough, the whole conversation has to fall back.
Because otherwise the one device that isn't new enough can't decrypt the messages in the chat, which means the chat isn't a chat anymore. Right?

[1:01:45] So, for this year, one-to-one conversations will probably end up being upgraded quite quickly for a lot of people, but bigger group chats will probably be slower.
But Apple have committed to finishing the transition period by, quote, end of 2024.
So, I imagine in the fall, we'll get another message from Apple saying, on blah date, you must have updated to blah version of blah OS, or iMessage will stop working.
They may backport this to cover older OSes. In fact, they probably will backport it. They better.
Likely they will. But they want to get real world usage now.
So it's rolling out now. And when I say they better. They bloody well better.
I just mean from a, well, I just mean from a publicity standpoint, I'm sure it'll be, look, they obsoleted my device. Oh yeah.
Garbage. Oh yeah, they would go very badly. So they have to.
I think so. Yes, I think so.
So all in all, I was really pleased. I don't know how far back.
Yeah, so I started off a little skeptical.
Ah, yeah, or Apple just being Apple and claiming more credit than they deserve.
But no, they really do deserve a pat on the back here. This is really good work. So...

[1:02:55] Right. Action alerts. Just the one, but it's not good news.
If you are a Linux desktop user, so not a Linux server, but a Linux, you know, a laptop or a computer computer or an Android user, there is a software update you really, really need.
If you're on Linux, that's not a problem. You should have it.
But if you're on Android, your guess is as good as mine.
There is a thing that is part of your Wi-Fi system on any open source platform called WPA Supplicant, which I've always found a weird name.
I come across it with my work hat on quite a lot because when it doesn't work, your Wi-Fi breaks.

[1:03:33] But the WPA Supplicant in Linux and Android has a very nasty bug, which means that if you know the SSID of a network the user's device trusts, you can trick the device into giving you the password for that network. So if you go to the lobby of a company and you can see the SSID of the company's Wi-Fi network, you can make a malicious network with the same SSID, and you can get the password of the real network to be leaked to you by anyone using a vulnerable Linux or Android device. I remember you telling us about... So that is not good.
There is a workaround, but it's awfully cumbersome. You can manually force your device to use a specific certificate authority and not to accept untrusted certs.
It's not easy to do. So really, patchy, patchy, patch, patch as soon as you can is very much what we're hoping we get out of this.
If you can. And that's the bit that I always hate about these stories.
If you're under a device.

[1:04:36] Yeah. Yeah. And in related news, just in case people think I'm being too easy on Apple or something, the App Store is safer than the Play Store.
But it doesn't mean you're perfect, because actually this related story should be plugged into a completely different story now that I look at it.
But anyway, now that I've started, I'll finish.
If you're installing more risky stuff, even from the Apple App Store, like say cryptocurrency apps, even there, be careful.
So malicious stuff briefly made it into the app store, but of course with cryptocurrency there is no undo button because there is no central authority, that's the point.
Briefly was enough for people to lose $100,000.

[1:05:19] So that's real money. So be careful. Yeah.
So we'll find somewhere else in the show notes where I had meant to put that as a related story, by the way. I'm sure we'll come across it.
Okay, when we get to it. I was looking at it going, oh, I get it.
But what's it got to do with Linux and Android users and WPA?
There's a story somewhere about something malicious getting into the Android App Store.
That's where it should be hanging off. But anyway, we'll find it.
Okay, we'll find it. It'll be correct by the time you see the show notes.
Indeed. Worthy warning.
There is an active attack targeting Europeans who run Android.
And they have succeeded yet again in sneaking their malware into the Google Play Store.
Again, briefly, but nonetheless, 150,000 downloads before they were discovered and gotten out.
And the last few of these have been targeting Eastern countries, sort of Singapore and that neck of the woods. But this one went after European users.
So I think more NosillaCastaways are more likely to be caught out by this kind of thing. So just be extra careful about banking apps on Android at the moment.
There is an active campaign to sneak malicious banking apps into the Google Play Store, and some of them are getting through some of the time.
That is not happening. Would that be a good place to put that related item?
Actually, that's exactly where it should be. It's literally an out-by-one error.
Yes, that is exactly where I had meant to attach it. Okay, I'll drop it in.

[1:06:46] You have unfortunately, against your wishes, been converted from a fan of Wyze to an anti-fan of Wyze.
You have more ammunition. They had another little whoopsie where they managed to give 13,000 people access to the wrong camera.

[1:07:03] Oh, Bart, is that that big of a deal? It's just your children and stuff.
Yeah, it's just secret internet-connected cameras in your house. Why would you need to trust a trustworthy company with that kind of a thing?
That is... Yeah. Eufy for the win. Actually, yes, and I like Eufy. They're a good company.
20 million users of a service called Cutout.pro have had their data leaked and the company has been spectacularly unresponsive to security researchers.
Users have not been informed that they have been caught up in this data breach, which is why I'm telling you about it.
It has been added to Have I Been Pwned. So if you are subscribed to Have I Been Pwned, you will have been notified.
Or you can go to have I been pwned and check. The breach did include passwords.
They were salted and hashed, which made me go, oh, that's not too bad.
And then the next word in the sentence was MD5.
That is an obsolete hashing algorithm. That is not strong enough to protect you anymore. So, MD5. You nearly did it right. You had all the right buzzwords, but then you went and used an obsolete hashing algorithm to implement your buzzwords.
Or fell asleep. Or haven't changed it. Hey, look, we made this cool web-based tool to cut out backgrounds on photos. Okay, what else can we invent?
That might be it, actually. I set that one up. It's making us money.
Let's move on to the next shiny thing we want to build. That's actually quite plausible. I think you've hit the nail on the head there.

[1:08:29] Also, I don't like to tell you about every dangerous WordPress plugin, but sometimes they reach a level where I think I probably should mention it to our community because we have a lot of WordPress users.
200,000 websites are threatened by a vulnerability in a very popular plugin for managing memberships called Ultimate Member.
If you use Ultimate Member, patchy, patchy, patch, patch, it is patched, but you just got to be sure you are.

[1:08:52] And a very popular web server these days is something called LiteSpeed because it's built into cPanel and it's way more efficient than Apache, way more efficient.
There is a plugin to make LiteSpeed and WordPress best of friends, and that plugin had a nasty bug, and I thought 200,000 websites, yikes.
Try 5 million websites.
So, patchy, patchy, patch, patch on that one. And then lastly, if you have an Anycubic 3D printer, patchy, patchy, patch, patch. At the moment the vulnerability is being used by sort of, kind of good guys to 3D print a warning that your device is vulnerable to hacking, which is... I was trying to picture what the heck would it be. Would it be like you're a Star Wars fan and it starts printing Star Trek characters instead?
I believe it actually prints the text as a 3D thing.
It's a bit like the equivalent of the old printing a message on a printer, this vulnerable thing, but in 3D.
So patchy, patchy, patch, patch, if you're an Anycubic user.
And that brings us on to notable news then.

[1:10:08] Oh, so that subdomain story we already talked about that had the wrong description on it, that's because it has the right description down here.
So you can delete that one from up above, Allison.
Okay, you'll have to tell me afterwards what we were talking about.
I'll delete it afterwards and do a push notification. So I knew I had corrected my description, but I forgot to delete the wrong description.
So anyway, I fixed it as I talked live, but I have the right one down here.
Signal have rolled out the feature to allow you to use a username instead of a phone number, but only to their beta users.
On the one hand, I really want this. On the other hand, I don't want to run a beta, so I'm still in the waiting pile.
But it is coming. I can see it on the horizon. Me and half the planet.
And so that will be a nice improvement to Signal.

[1:10:54] Bitwarden, who are the, I would say, the world's leading open source password manager, have improved their autofill to make it phishing resistant.
I read the description of how it works and I went, that sounds like how 1Password works.
But if you're a Bitwarden user, becoming phishing resistant where you weren't before is a big upgrade. I don't think they're doing anything 1Password isn't, but they are doing something they didn't used to be doing, so yay, and upgrade yourself.

[1:11:23] GitHub, also get a little pat on the back, they have been testing a feature to protect all of us against one of the most common sources of data breaches in the last couple of years.
It is very, very, very easy to accidentally put an API key into your source code and then go git commit and push it up to git on your open source project.
You should not have secrets hard-coded into code.
Your secrets should exist as environment variables in the OS, not as text files in your source code.
But the amount of source code on planet Earth with hard-coded secrets in it is large.
So GitHub have been, I'm assuming they're using AI. I'm going to guess this is one of the things that Copilot has been learning.
But they have had a beta feature for a while that will scan your push, your git commits, looking for secrets.
So they know that an Amazon key looks like this, and a Microsoft Azure key looks like this, and an SSH private key looks like this.
So they're proactively scanning your source code looking for keys.
And if you turn this beta feature on, it would stop you doing a push until you fixed it.
They have now said this is going... How does it recognize an API key?
Because they all have the same shape, right?
An API is very specifically formal. They do.

[1:12:48] Because every company has their own different rules on them.
So if you see a hexadecimal string that's exactly 33 characters long or whatever, you can be pretty darn sure that's a key.

[1:12:57] So with a little bit of intelligence, and they've been tweaking this while it was in beta.
And now they're confident they don't have false positives, or if they do have false positives, not enough of them, or not too many of them, shall we say, that they are confident to make this the default on all new repositories.
So they're not going to backport this to existing repositories and make people's heads explode.
But from now, if you make a new repository, it will have this feature by default, which they call push protection.
So basically, when you do a push, you are basically virus scanned.
To check your push before it goes actually into the repository.
I just think it's a really nice feature.
And this allowed me to pop a little hook here because neither of these two stories are worthy of the Nosilla Castaways on their own, but there has been a constant background noise for the last year and a half that I have wanted an excuse to tell everyone about, but none of the stories individually are worthy.
But there is a class of story and there are two examples of it this week.

[1:13:59] Attackers are proactively trying to trick developers into downloading the wrong thing when they go looking for open source software. So you go to a place like node.js, sorry, the npm repository, and there will be malware a typo away from the open source library you actually want to use. And that has been a proactive campaign for some time now. And this, between now and our previous recording, Hugging Face, which is basically a node package manager for AI models.
They have had malicious code snuck into models in Hugging Face.
And Python is a very, very major language. And they have a repository called PyPI.
And the Lazarus group, the state-sponsored hackers from North Korea, successfully poisoned PyPI with a bunch of malicious repositories that are just a teeny tiny typo away from really popular Python packages.

[1:14:57] So be careful. Okay, so what is a developer to do? A developer is type careful. Yes.
Don't just do a quick search on the repository.
Actually go to the homepage of the open source project and get the link from them.
So if you want jQuery, go to the jQuery page and follow their link to the package.
Don't go to the package manager and search for jQuery.
Because if that search is poisoned, you'll get the wrong jQuery.
But if you start at jQuery.org, you're going to the right place.
So it's like, don't click on the link in an email, go to the bank and follow their number, go to the package you want and follow them to the repository.
Don't go the other direction. Okay.
Okay, we probably shouldn't talk about it too much because most of the audience doesn't know what we're even talking about. But thank you for that advice.
I also wanted to make sure I had an easy answer before I put this in the show notes. It's because I knew you were going to ask.

[1:15:56] I'm ready for it. I have two more American stories that I think fall in the good news category. Two finishes up for the day. The Federal Trade Commission again. Very busy people.
They have banned Avast, the antivirus company, from making a little bit of extra money from their for-pay antivirus because they were selling your browsing data to make a bit of extra money.
Your antivirus was spying on you and selling the data.
The one you're paying for. The levels of wrong here just defy belief.
So they've been told not to by the FTC. Thank you.
And the president has signed an executive order which gives the FCC the right to label certain countries as being problematic.
And then that institutes a ban on the transfer of personal data from American companies to those countries, shock and or horror, that would be China and Russia at the moment.

[1:17:01] That's the sale, not just handing it over, but selling to those countries.
Yeah. Wow. Well, I like that one. So as I say.
These are all terrible, though. It's like, wait, they were going to do what?

[1:17:14] Yes. So anyway, you know, good news there. So I also have two stories in the Just Because It's Cool section.
And I very, very, very, very intentionally put them down here.
So remember I said earlier that there are security researchers who do amazing attacks that work in theory in the lab and that make your head explode.
Like how could you possibly do that?
Well they work in a lab and they're completely impractical in the real world but they're very cool science.
These two stories fall into that category so do not set your hair on fire but wow is this cool science.
So some researchers have discovered that in very carefully controlled situations, you can use a charging pad to issue the appropriate type of interference that will cause sound waves inside the microphone inside your phone to make the microphone think you said, hey, voice assistant person, do X.
It's not real sound. It's magnetic fields making the magnet inside the microphone think it heard something it never heard.

[1:18:21] Which is cool, which I already thought was cool, but then they went, oh, there's other circuitry in there for controlling how much charge this device takes from this charging pad. If we can start to mess about with the EM stuff and send fake messages, could we trick the charger into catching fire? Yes is the answer. In their very controlled lab situation, they could trick the controller inside the phone into taking so much power over Qi that it caught fire.

[1:18:52] So Qi, not MagSafe? Well, yes and, right?
Because MagSafe 2 is Qi 2, so... Well, but if it wasn't Qi 2, then no.
Yeah, but Qi 1 is compatible... Sorry, MagSafe is compatible with Qi 1, but not all Mag...
MagSafe is compatible with Qi, but Qi is not compatible with MagSafe.

[1:19:11] It doesn't really matter, right? It's just not the same thing.
MagSafe and Qi 1 are not the same thing. So if they weren't doing it with the MagSafe adapter, then it didn't affect it. But it doesn't matter.
We don't know. It doesn't really matter because, again, this is really cool science in a lab.
This is not... Still fun. Exactly. Don't panic.
The other one, which has... I just pictured the nerds in the room at the time going, oh, look what we can do.
This is cool. Yeah, I mean, they started off with, can we make S-Lady do something?
And then they went to, can we set it on fire?
Of course that's where they went next, right? Can we set it on fire? Yes, we can. Yay.
And then the other one, which is very, very low success rate, but a success rate enough to publish a research paper.
If your app has microphone access and you can make the user do enough swipe gestures, then the subtle vibrations that your finger, as it moves in perfectly across the glass because you have greasy fingers, those vibrations are picked up by the microphone.
And if you do it long enough and you're prepared to accept a low enough success rate, you can guess a person's fingerprint from their swiping on the screen.
It's like five percent success rate. It's like five percent success rate, but I thought that would be zero. I didn't think that would be five.

[1:20:29] Yeah, I don't know. I've got some, I've got some doubts thinking on that one. Like, how much of the fingerprint could you... enough to trick a fingerprint reader? Five percent after about an hour of data, right? I might have to go look. It's very low success, right, but it's not zero. I thought this would be zero, but it's not zero.
So the fact that they can do it at all in a very controlled situation was kind of like, wow, that's pretty cool.
I'm almost certain that one involved running it through AI. I don't remember exactly how they did it, but I'm almost certain it involved running it through AI.
So some palate cleansing. I'm going to let you go first because otherwise I'll forget. Yay. Okay.
So the best thing about the Podfeet Slack, podfeet.com slash Slack, is the channel called Delete Me. And that's where people just post funny stuff.
And basically, Alistair Jenks owns this channel. Whenever I see something's come into Delete Me, I go, yay, there's going to be some joy and fun in there.
And he posted the funniest one. This is from Mastodon. And I've got to read the whole thing for you to get the whole flavor.
So someone posted on Mastodon who, it sounds like they might actually be from Google, or they were describing something about Google, but it gets funnier all the responses after that.
The first person says, we're introducing a new offering called Gemini Business, which lets organizations use generative AI in workspace at a lower price point than Gemini Enterprise, which replaces Duet AI for workspace enterprise.

[1:21:53] Somebody responds, hey, Thomas, can I pay for it with Google Pay and Google Wallet, which replaced Google Pay, which replaced Android Pay, formerly known as Google Wallet?
Somebody else, oh, and then they responded, if not, can we jump on a call and discuss billing? I'll send you an invite on Google Meet, the enterprise Google Chat, previously Duo, which replaced Allo, the replacement for Hangouts, the rebrand of Hangouts Plus, which replaced Talk and Voice. To that someone else responded, just to clarify, do you mean you'll send an invite on Google Meet or Google Meet Original? And there's a screenshot in the Google Play Store, both exist, Google Meet and Google Meet Original. The final response was, great question, Michael. As a Google Workspace user, formerly G Suite, otherwise known as Google Apps for Work, previously Google Apps Premier Edition, a.k.a.
Gmail for your domain, which would you recommend? That's brilliant.
None of that is fake. I know. Every bit of that is true. Those things all existed.
My pet peeve is that Microsoft changed the name of everything every week.
Every time I look at the control panel, it's different. But I'd forgotten how bad Google were.
Maybe, I mean, I'm still cranky at Microsoft on this one. And every time they say, would you have some feedback? I always say, I don't know what anything's called.
But if I was a Google user, I think I'd give the same feedback more vocally.

[1:23:08] Yeah, well, but in this case, these are not just changing the names of things.
It's abandoned change name, abandoned change name, abandoned change name.
So it's both happening at the same time.
Microsoft's just renaming. That's true. But the thing's not necessarily abandoned. Yeah, that's true.
Yeah, they're just rebranding it because they're on a vision.
Yeah, I laughed so much, especially because it started off as a serious thing and it just went down. It just went downhill from there. I love it.
Now, I have a follow-up. Actually, I have two things. So I have an easy one first. It was a leap year this year, which means that we had a 29th of February.
And how we got to do that every four years, unless it's a century, but if it is a century, we do it anyway if it's divisible by 400.
It's quite a complicated rule. How did we get there? The answer is it starts with Cleopatra.
And there's a few popes involved and the English messed things up for a while because they were Protestant.
It's actually fascinating. And History Daily is a podcast.
It's very short. It's only about five or 10 minutes every day, but it's every day. And it's something that happened in history on that day.
And so the episode for the leap day was the history of leap years.
Five, 10 minutes of fun. Highly recommend. Not at all what you would expect.

[1:24:22] Added to Overcast, 16 minutes, 59 seconds to learn that. Excellent, as I say, it's good fun.
Now, the last time I was on, I told you that one of my favorite economics podcasts had decided to do a Podfeet and say, well, we named our show Freakonomics so we could talk about anything we like.
And they dedicated a mini series to Richard Feynman. And they had promised a three part series and then they made it a four part series with a bonus extra episode, which is cool.
So the first yay is that all four episodes are out and linked in the show notes which is yay but if you listen to those four episodes you're going to hear lots and lots of clips recorded.

[1:24:58] Quite near the end of Feynman's life when he sat down to do a traditional face-to-face interview with a friend in the United Kingdom and they made it into a documentary for the BBC, that no flashy graphics, it's almost 100% Feynman talking to the camera.
I don't even think you hear the interviewer. I think it is 100% Feynman's voice.
And every now and then a screen pops up and says, when he was 20, Feynman went to work on the Manhattan Project.
And then we cut back to Feynman. It's like almost all Feynman.
It is fabulous. And I found the whole thing on Vimeo.
So you can just... it's from 1981, so it's in the wrong aspect ratio and it looks like poop because it's 1981 and they didn't have any more pixels back then. It was 480 lines. If you've...

[1:25:51] If you've never heard Richard Feynman talk, one of the most brilliant minds in the history of time who can also explain everything to anyone at any level.
He could explain to school children how astrophysics works.
I mean, he was a phenomenal instructor and kind of a wild character.
But yeah, definitely a favorite of mine. I'll be checking that out.
Imagine someone who's as good at explaining science as Neil deGrasse Tyson, who's as good at actual science, that he genuinely won a Nobel Prize.
Like, how rare is that superset of those two things?

[1:26:30] And not with the overblown understanding of his own amazingness as Neil deGrasse Tyson.
Right. A very, very humble man. Very, I love him to bits.
And actually I had... It wasn't about him. I had, the documentary is called The Pleasure of Finding Things Out.
That sums up Feynman perfectly, and I had so much fun because I discovered to my shock that my darling beloved didn't know who Richard Feynman was. Oh, how fun to be just learning about him. So we watched the documentary together and I got to see Feynman for the first time through his eyes. It made it even more fun, and it was already a lot of fun, so yay, yay, yay. I just really wanted to share that I had so much fun. I think I've told the story a few times before, but I did get to sit in on a lecture he was giving at my work.
There was a program manager I needed to get something from, and he was in the class, so I snuck into the room.
And for the time he was talking, I understood 100% of what he said.
And by the time I got out the door, I was like, wait, what?

[1:27:36] He's a magical speaker. And I've read, I actually, our physics textbooks were The Feynman Lectures on Physics.
And that was rough. Let me tell you, that was rough reading.
But I've read a bunch of books about him as a character. And he's a fascinating person.
My favorite is Surely You're Joking, Mr. Feynman. It's a fantastic book. Which was written by a friend of his who was a schoolteacher, I believe.

[1:28:04] Oh, I forget. It was a long time ago that I read that. I have it in my closet.
I might just reread it. Blow the dust off and have a read. But anyway, there you go. So that is some four podcast episodes and a feature-length documentary.
Or not a feature-length, though, an hour-long documentary from the BBC.
There you go. There's your Feynman quota. A lot of fun.
That should hold us for the next two weeks, Bart. Absolutely.
And until then, folks, remember, stay patched so you stay secure.
Well, that was a mammoth show, but we're going to wind things up for this week.
Did you know you can email me at allison at podfeet.com anytime you like?
You know, a friend of mine once asked me, what's your email address again?
And he listens to the show. I say it every week, allison at podfeet.com.
If you have a question or suggestion, just send it on over.
Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon, where you can see the cool telescope pictures I posted this week.
If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube.
If you want to join in the conversation, you can join our Slack with people like BG and Graham S at podfeet.com slash Slack and talk to me and all of the other lovely NosillaCastaways.
You can support the show at podfeet.com slash Patreon, or you can do a one-time donation like John and John at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly.

[1:29:28] Music.