NC_2024_03_17

This episode explores JQ uses, Glide mobility aids, Ember's mugs, ISP disputes, and cybersecurity trends. It advocates for secure online practices, system updates, and careful app settings for enhanced digital security.

2021, Allison Sheridan
NosillaCast Apple Podcast
http://podfeet.com

Generated Shownotes

Chapters

0:00:00 NC_2024_03_17
0:00:15 CCATP #789 — Bart Busschots on PBS #163 – jq: Lookups & Records
0:01:27 Always Negotiate with Your ISP
0:08:55 CES 2024: Glide Self-Guided Mobility Aid
0:22:19 Ember Tumbler Keeps My Coffee Hot But … a Tough Review
0:31:42 Support the Show
0:32:05 Security Bits — 17 March 2024 ☘️

Long Summary

In this episode of Programming by Stealth, I walk you through a challenge solution using JQ, shedding light on its practical applications. We explore the nuances of alphabetizing names and delve into the trade-offs between speed and efficiency when utilizing JQ lookups. The lecture-style format allows for an in-depth understanding of new concepts while clarifying any existing confusions. Additionally, we immerse ourselves in a real-world scenario involving a billing dispute with an ISP, witnessing a negotiation that not only saves costs but also results in unexpected tech gifts from the company. Transitioning to an interview segment, we gain insights into Glide, a self-guided mobility aid designed for the visually impaired, promising a seamless and empowering walking experience through cutting-edge technology. The upcoming beta program launch hints at a potential revolution in mobility assistance.
Next, I provide a comprehensive walkthrough of a demonstration involving the use of a device with closed eyes, followed by a review of heated mugs and cups from Ember. I share the pros and cons of Ember products, highlighting challenges with charging and Bluetooth connectivity. The conversation evolves into a reflection on the complexities of reviewing products that possess great potential but also harbor flaws. We briefly touch on recent security news related to ransomware attacks, stressing the significance of providing constructive feedback and supporting the podcast through Patreon. The episode concludes with discussions surrounding St. Patrick's Day festivities and an update on the Black Cat ransomware gang, showcasing their apparent self-destructive tendencies.
Diving deeper into cybersecurity, we shift our focus towards the increasing trend of ransomware demanding larger ransoms, with StopCrypt ransomware making headlines due to software upgrades. Home users are advised to remain vigilant and exercise caution when downloading random files. There are risks associated with being affiliates of ransomware groups, as illustrated by Black Cat absconding with affiliates' funds repeatedly. GitHub introduces push protection, and Signal adds a feature enabling connection without requiring a phone number. In the context of the Digital Markets Act, Apple adapts rules concerning third-party app stores, payment processors, and app distribution through websites. Apple is expected to provide a migration tool to facilitate transitioning from iOS to Android by 2025.
In the subsequent segment, we delve into Apple's compliance with the Digital Markets Act in Europe, the patching of security vulnerabilities across iOS and other operating systems, and Microsoft's latest Patch Tuesday featuring 60 patches. We scrutinize Brave's surge in European user base, Meta's interoperability regulations for messaging apps, and express concerns over Tesla's key pairing process security. Furthermore, we elucidate the concept of a watering hole attack, highlighting a shift towards the term 'Adversary in the Middle' (AITM). Our attention is drawn to the GarageBand vulnerability, a cautionary note on X app's default voice calling setting, and stress the significance of patching QNAP NAS devices. It's crucial to stay informed, maintain system updates, and exercise caution with default app settings to fortify digital security.
Wrapping up the episode, we engage in a detailed exploration of various cybersecurity topics encompassing app settings, phishing scams, data breaches, and legislative actions. Our discourse emphasizes the importance of upholding secure online practices to safeguard personal information and devices from potential vulnerabilities. We discuss updates, evolving cyber threats, and extend recommendations for educational podcasts and captivating narratives for listeners to engage with. Remember, it's essential to stay informed, uphold security measures, and navigate the ever-evolving digital landscape with caution and awareness.

Brief Summary

In this episode of Programming by Stealth, I explain practical uses of JQ, including alphabetizing names and balancing speed and efficiency. We navigate a billing dispute scenario with an ISP and explore Glide, a self-guided mobility aid, and Ember's heated mugs. We touch on ransomware, cybersecurity trends, and advocate for secure online practices. Stay informed, update your systems, and handle default app settings carefully for enhanced digital security.

Tags

Programming by Stealth, JQ, alphabetizing names, balancing speed, efficiency, billing dispute, ISP, Glide, self-guided mobility aid, Ember's heated mugs, ransomware, cybersecurity trends, secure online practices, digital security

Transcript

NC_2024_03_17


[0:00] Music.

[0:12] And this is show number 984. In this week's episode of Programming by Stealth,

CCATP #789 — Bart Busschots on PBS #163 – jq: Lookups & Records

https://www.podfeet.com/blog/2024/03/ccatp-789/


[0:18] Bart Busschots as usual walks through his solution to the challenge from last time and as usual I learn a lot more about how to use JQ to solve problems.
He takes a bit of a detour to explain a fun email we got from Jill of Kent in which she explained the vast number of headaches you'll run into when trying to alphabetize names no matter the language.
Then we buckle down and learn about how to make trade-offs between speed and efficiency of resources and how JQ lookups can help us with that.
Bart also helps us understand when lookups can help us with querying JSON files.
This episode is more of a lecture, which is fine because he's introducing a new concept and explaining some of the philosophy behind it.
You won't hear me breaking into the conversation very much, but it's only because I wasn't confused.
Don't worry, when we get to the final example, you're home, we get very confused.
Bart explains it at least three to four times, and you'll finally hear why your co-host was confused. It's kind of ironic, actually.
Anyway, you can find this episode of Programming by Stealth in your podcatcher of choice, and you can find Bart's fabulous tutorial show notes over at pbs.bartificer.net.

Always Negotiate with Your ISP

https://www.podfeet.com/blog/2024/03/frontier-bill/


[1:27] A year ago last November, Steve and I finally cut the cord.
We gave up our cable TV service and switched everything over to streaming using YouTube TV.
That left only two things with our ISP, Frontier, our Fios internet, and our landline phone.
We have saved a fortune from cutting the cord, and by fortune, I mean $1,217 per year. That's not chump change.
When I negotiated the pricing with Frontier, the lovely person who helped me set it up told me I was getting a promotional pricing.
I remember saying to her, so when this promotional pricing is over, I just call back and you find me new promotional pricing, right?
And she said, yep, that's how it works.
Well, two months ago, Steve came to me with our Frontier bill and it had gone up by $10 a month.
I looked at it and $10 wasn't enough to make me take on that battle.
So we decided to just let it ride.
Then it went up a little bit more and then even more.
After three months of this, our Frontier bill had gone from $62 to $94, which is an increase of 50%. It was time to call Frontier.

[2:33] I called them on the phone, and I was greeted with those dreaded words, we are experiencing greater than expected call volumes.
The recording offered to have someone call me back in 25 minutes, and I wouldn't lose my place in line.
I agreed, and at 25 minutes exactly, the phone rang, and I was connected to Tiffany.

[2:50] After exchanging pleasantries with Tiffany, I simply said, my bill went up 50%, I don't want to pay that, so how do we make it go back down?
She said she could help, she did a bit of typing on her end, put me on hold, and then I was transferred to Kiandra.
As is often the case with this kind of thing, Kiandra came on with no idea why I was calling.
I was a smidge aggravated, as I always am when this happens, when I have to repeat myself, but then she said, I'm in retention.
Those are magical words because it means her job is to make me happy, so I won't leave Frontier.
I told Kiandra that I would be delighted to repeat what I'd explained to Tiffany just a few minutes ago.
Kiandra took just a couple of minutes to come up with a promotional deal that made my new bill a dollar and a half less than it was before they started increasing our bill.
I thought we were done, but Kiandra had more for me. She pointed out that we had a landline and I had to apologize for being old school.
She said she was obligated to let me know that landline phones require power to operate and that in the event of a power outage, our phone would not work.
I didn't tell her that we have a whole home battery with our Tesla Powerwalls because I wanted to see where she was going with this.
She went on to tell me that she could send me a battery to put on our modem so we'd still have phone service if we lost power.

[4:10] Well, I wasn't going to do this, of course, because I already had the whole home battery system and actually my modem's on a UPS, but I asked her how much would that cost me.
She told me that since I lived in California, she was required to give it to me for free.
Well, heck, a free battery that I don't need? That sounded pretty good. So I said, sign me up.

[4:30] After I got off the phone, I told Steve about it, and he questioned why I accepted a battery if I didn't need it.
I said, because it's a free battery.
I don't know, he didn't get it. A few days later, a package came from Frontier, but it was too light to be a battery.
I opened it up, and inside was something unexpected.
It was an Eero 6 Plus mesh router with power supply and an Ethernet cable.
The 6 Plus is touted as the most affordable of the Eero lineup, but it's still a dual-band router that supports gigabit speeds and if bought individually, they're $140.
That's way better than a battery I don't need. I thought about calling Frontier and telling them they'd made a mistake, but in my experience, giving things back to companies is often very difficult.
I remember years ago when Nordstrom made a $100 error in my favor on my credit card and I talked to three different people who could never figure out how to take my money back.

[5:26] I was still struggling with the moral dilemma of whether to spend my time trying to give the Eero back when our buddy Ron came over for dinner.
I told him the story, and he said Frontier had sent him a battery a year or so ago, and it turned out to be something he couldn't even use.
So to explain what it was and what it was supposed to be for, I have to do some explanation of terms.

[5:47] FIOS stands for Fiber Optic Service, and it means that the service is delivered to you over fiber optic cables that transmit information as light.
Well, that light has to be separated into TV, voice, and data as electrical signals into your home.
The box that does this translation from optical to electrical energy and separates the signals is called an optical network terminal, or ONT.
The ONT is a box that's often outside the home or inside the garage.
In our case, it's outside our house.
Now, the battery Frontier sent to Ron was for the ONT.
But what they didn't remember was that they had just replaced his ONT with a new version that doesn't require a battery to remain functional in a power outage.
And we're not exactly sure how it does that, but he's had a few power outages and his internet and phone service stayed up.
His ONT does have a circular port on it that says backup, but the cable on the battery they sent him had a completely different size circular port, port or plug, I should say.
Once I heard Ron's story, we imagined, you know, Phil in shipping at Frontier, just grabbing any old box he could get his hands on, shipping them out when he got an order.
I didn't want to get Phil in trouble. So I added the Eero 6 Plus to my network.
So I now have six Eeros flooding my house with the Wi-Fis.
Six seems like overkill, but before this, my cell phone on Wi-Fi calling never worked near my refrigerator till I set up that sixth one in the.

[7:16] And a few days later, another package arrived from Frontier.
I think Phil in shipping, man, he outdid himself on this one.
It wasn't another Eero, and it wasn't a battery for my modem, as Kiandra had told me I'd been receiving.
And it wasn't exactly a battery for my ONT either.
It was a plastic box into which I could put 12 D-cell batteries and then plug the box into my ONT.
Seriously, 12 D-cells, right? Well, I didn't even bother to see if the plug would fit into our ONT because there was no way I was going to invest in 12 D-cell batteries, then put the box outdoors just to time how long it would take them to corrode.
Also, there's no room in the box where the ONT lives on the side of my house to fit in another battery box.
Now, I should also mention that in addition to our whole home battery, we already have a battery attached to our ONT.
I would have mentioned this to Kiandra if she told me it was an ONT battery they were going to send, but she said it was for the modem.
I thought maybe it was going to be a UPS.
Anyway, I guess I've learned that a free battery doesn't always mean a free battery.
Now, the bottom line here is that you should always, always, always call your internet service provider if they raise your rates, because you might just be able to get them to make it go back down.
Other than the 25 minutes to be called back when I wasn't really inconvenienced, my time on the phone was no more than seven minutes.

[8:41] If they offer to send you something free, say yes, because Phil might just find you some nice Eero mesh router in the back of the storage.
Then again, he might send you something ready-made for the hazardous waste disposal.

CES 2024: Glide Self-Guided Mobility Aid

https://www.podfeet.com/blog/2024/03/ces-2024-glide/


[8:55] I'm going to play another one of the CES interviews that Steve has done so much work to create the videos and audio files for you.
Now, this one is probably really fun to go watch in video because you're going to see me doing something funny with it.
But it's a thing called Glide. It's a self-guided mobility aid.
And in the video, you'll see me with my eyes closed driving this little thing around. And it's really, really cool.
But if you listen to the audio, there's a cool thing about that too because I'm describing to you what I'm seeing, which is nothing at all.
So I'm describing my experience and I think it'll give you a little more insight about what it was like to be the one driving this if you were visually impaired.
Anyway, let's take a listen to the interview with Glidance about the product Glide.

[9:43] I'm with Amos Miller from a company called Glidance and he's going to show us a really terrific accessibility tool that he's the co-founder of the company Glidance, I believe, correct?
I am the CEO and co-founder of Glidance, correct.
So talk to us about what this device can do. All right, so Glide is, first of all I'll just explain that the Glide is the first self-guided mobility aid for people with sight loss.
So really developing a solution that addresses the needs of people who need to get around, who are unable to see, and providing people with a, really with a third alternative. Today people use guide dogs and canes.
And we know that for some people they need some more help, especially people who lose their sight later in life.
So that's the origin of the work that led to the development of Glide.
So why is that important to people later in life more than if they'd lost their vision earlier or if they were born blind?

[10:42] That's a great question. I mean, people who are born blind build a mental map of their world and build the skills and capabilities to navigate in the world from a very early age.

[10:54] And by the way, I'm not saying that people who are born blind would not benefit from Glide. They will.
And I'm sure that they will enjoy the benefits that Glide brings in terms of this really very clear and guided navigation, which we'll talk about in a minute.
But people who lose their sight later in life sometimes are reluctant to take those steps to develop the skill set that's required to be an effective cane user and get out and about independently.
So maybe it's like learning a language later, you're always translating.
If you're born speaking two languages, you know, you spoke two languages, you're not translating.
Maybe it's something like that. It is, yes.
And it's also being alert to the information that you get from your environment and being able to orient based on that.
It's also a mental adjustment. And yeah, like being willing to walk out there and try for a while before you build that confidence.
And I think one of the benefits that Glide can bring to that is that really, very quickly, because it actually guides you, a person who knows their, let's say, how to get around their neighborhood would be able to take a walk very quickly with it.
So I'm going to describe what this looks like to the audience, because there's audio-only listeners as well. And heck, there's blind people listening as well.
So he's got a... By the way, just for the audience, I am actually blind myself.

[12:24] Maybe just worth explaining that I lost my sight in my 20s from retinitis pigmentosa.

[12:30] I've been at this kind of quest to figure out technological solutions for navigation for quite some time, maybe three decades now.
I developed Soundscape at Microsoft for a number of years. So some people some of your listeners may be familiar with that. Yeah.
Yeah, and really I was very intrigued to explore a solution that can help people who may not be those confident cane users. So let me, I... Why don't you describe what this looks like? Let me explain what it is, yeah. So I'm holding in my hand Glide. I'm holding the handle.
The handle stretches 45 degrees to the ground, and then it rests on two wheels.

[13:14] And the wheels are effectively what guides you.
So I will move the device forward, and the wheels will start steering left and right to guide me, to keep me on the path, to take me around obstacles and just guide me to where I'm going, whether it's to a door or dropped curb, all the way to a restaurant that I set up on my navigation app.
So it can respond to navigation from the phone?
We're working on those integrations so that you can set your navigation on the phone and then it will guide you to that destination.
So you're going to be the first one to full self-driving?

[13:54] Yeah, well, it is self-driving, but it's also, and that's a very important point, it's also, actually the wheels are not motorized, so it's not going to pull me around. Oh, okay. Okay?
I'm moving it forward, I'm pulling it back, and the wheels just steer left and right.
The wheels can also apply the brakes to stop me.
Oh, that's nice. But the agency remains with me. I'm the one that's in control.
I'm deciding, Do I want to go back? Do I want to go forward? Do I want to go fast?
I can even twist the handle to turn left and right.
Okay, I can see the wheels turning when you do that. Yeah, and when I do that, if there's an obstacle, the wheels, the device will not let me turn until it's safe to take that turn.
Okay, so a lot of what a seeing eye dog does, in a way, right?
Inspired by that, but we also have definitely inspired by guide dogs.
I want to agree to that point, I mean, I'm a guide dog user myself.

[14:53] But we also have speakers in the device, so the device will be able to use voice to give you some more information about the environment that you're encountering.
The speaker's up in the handle?
They are in the handle and you'll be able to also plug it into a headset if you prefer that.
Oh, that's neat. Very cool. The speakers are here in the handle.
There's also haptics in the handle so that the device can warn you to slow down or tell you that you can speed up or that there's a sharp turn coming to the left or the right.
So really working together with the device. So there must be a camera on this somewhere.
Yep right up here. So we have we have there's quite a lot of sensors on the device.
Along the bottom there are short-range sensors that really help with the obstacle avoidance and local path planning and then we have a camera right at the top of the handle so that the device has a nice view of all the environment that the space in front of you and help to determine a good safe.

[15:53] To guide you on. Okay yeah I can see how you need to know the obstacles on the ground but also the situational awareness of the wayside.
Yeah and the camera can, I mean we're working on line of sight targets for example so that the camera can detect let's say a door and then work out a path to that door and Glide will guide you all the way there.
Very very cool. So this is an active product development right now is that correct? Correct yes.
Okay and do you have a vision for when this might be a product? I do, of course.

[16:23] One that you're willing to tell me about? Yeah, sure.
No, I mean, we are really expecting to kick off a beta program this year, as in by this late spring or summer this year.
I mean, we'll see how successful we are in hitting those dates.
But the beta program will really give us an opportunity to get devices into people's hands, start to get a lot of feedback from daily use and prepare to launch the product after that.
I heard from one of your other compatriots here that you were having a guy demo it who was blind and he started jogging with it. Is that true?
Yeah, he went a little fast for running in CES. I don't think we saw how crowded the environment was in front of him.
Did he run He did quite well, right at the end somebody just cut across him at almost equal speed.

[17:22] They had a brush, let's say, but no, I mean, the device is definitely working to support good walking speed.
I mean, I say to people, we call it glide, because when you walk with it, you glide, you know, and that's really the experience that we want to empower with this. It's a very smooth experience.
You walk, you're confident, you're upright, you're heading where you want to go, and the device keeps you on a good steady pace and you feel empowered and confident.
Very good. Do you think we can do a demo of this? We absolutely can do a demo.
Should we do a video cut and then move and then go do it? Because I know you're doing it in a little less crowded area.
We can do the demo at the back, yeah. What do you think?

[18:12] Where are my demo guys? We might need to do a cut because we are not quite organized.
We'll do a cut and then we'll move. Okay, okay, so I'm gonna close my eyes I do, Okay, so now it's sitting down, okay Can you pull it down to angle it will be ready to go it okay Oh, okay on its wheels you'll feel it and then when you walk just feel where it's going and follow it.
Okay. I'm not good at following directions. Don't let it run away.
It's not going to tell you anything.
If it starts going to the left, just go with it. Don't kind of let it hang on the left by itself. Okay. You know. All right.
You'll get it. Here it goes. I'm closing my eyes now.

[19:07] Tilt it back. Oh, there I felt it. All right, I'm just going to start walking.
I have my eyes closed. Oh, it wants me to go to the left a little bit, a little bit to the right. Oh, I can feel it gliding me.
Going a little bit to the left here. I'm hoping somebody will tell me if I'm going to run into anybody.
Oh, oh, I've got to go this way. It just stopped me. I wonder if Steve's standing in front of me.
I'll bet you anything he just tried to stop me. All right, I'm still going.
This is pretty gentle. I can definitely feel just, yeah?
Okay, Steve wants me to try turning around. You go in front of me though, Steve. All right, okay, I'm turning. It's letting me turn.
It's letting me do a sharp turn. I'm still going around. And I want to start going straight now.
Oh, I'm going to go right, left. A little bit jerky back and forth there.
All right, I'm going to walk a little faster just to make everybody nervous.
Whoop, there it goes. I don't know if I'm going to run into anybody here, but so far so good.
Yeah, I can definitely see. Oh, there we go. There we go. I don't know if I went around somebody.
It's interesting to do this and not know whether I'm just missing people or whether I'm completely alone here.
I can't actually tell. But I think I'm going to stop here and turn around again.
All right. Wants me to turn around.
Should I go back anymore, Steve?
Go back, walk a little bit more.

[20:35] Yeah, this is very natural. You can definitely see how this just feels really comfortable. I don't think I've hit anybody yet. All right, I'm going to stop.
So I'm going to bring it up and a high angle and it just put itself to sleep. There we go.
Yeah, yeah, that was great. All right, let's close it off here.
All right, I'm going to say goodbye to you here because we haven't actually conducted. That worked really well. That was very, very interesting.
I understand exactly what you were describing.
I could feel what it wanted me to do. Now it makes sense. Yeah, it really does. It really does.
Thank you very much. And so one more time, if people wanted to learn more about Glidance and the Glide, where would they go?
So the best thing to do is to go to Glidance.io.
Glidance.io, that's G-L-I-D-A-N-C-E dot I-O.
They can register. We're taking registrations in advance of our pre-order program, and they can just register for more information.
And we really look for feedback. We look for thoughts. We look for people who want to talk to us and engage.
And Allison, I just want to say thank you very much for having this discussion with me. My pleasure. My pleasure. Thank you very much. Bye-bye.

[21:55] Well, this coming week is the CSUN Accessible Tech Conference, and Steve and I will be going there like we do every year and doing more interviews.
And Amos is actually going to be there, so we'll be able to find out how well this beta program is going.
I think he was going to start it in late spring. He might be ready to launch.
And maybe we can get some new information since this was recorded in January.
We might know even more this coming week.

Ember Tumbler Keeps My Coffee Hot But … a Tough Review

https://www.podfeet.com/blog/2024/03/ember-tumbler/


[22:19] I made a rule way back when I started podcasting nearly 19 years ago that I would only review products that were either good or great.
I've gotten comments from a few people that say they really wish I'd review bad products too when I come across them because then people would know to stay away from them.
That doesn't sound like any fun to me at all. If a software or hardware product has promise but doesn't quite hit the mark, my strategy is to send constructive feedback back to the company, telling them what I think they can do to improve.
It seems more polite and friendly overall, and I think it serves the public interest better that way.
Well, this week, I've had a real struggle trying to review something.
The problem is that there are nearly as many pros as there are cons to the products, which you'd think would take it out of the running.
But Steve and I love the products so much, we keep buying them.
It's not a love-hate relationship.
It's more of a love-you-disappoint-me-intermittently relationship, if that makes any sense.
I've been waffling for two weeks on whether and how to do the review, and I decided the best path was to do the review, but constantly waffle back and forth on whether I should recommend it.
That's really the only honest way for me to do it, and I really do love the products, but it's going to be a smidge more uneven than it would be otherwise.

[23:36] Okay, with that annoying preamble aside, I'll stop being mysterious and tell you that the products are the heated mugs and cups from Ember.
You may remember that we interviewed Jake Singer from Ember at CES this year, where he talked about the mugs, tumblers, travel mugs, and even baby bottle warmers they make.
If you've been around for a while, you may also remember that I reviewed the Ember ceramic mug in 2018, and we interviewed them at CES way back in 2016, three months before they launched their first product.

[24:07] So here's the deal. Steve and I both like our coffee hot, and if it gets too cool, we'll run to a microwave to heat it back up.
But in the six years since we bought our first Ember mugs, Steve and I have been delighted to have coffee that stays hot while we sip it throughout the morning.
Well, so what's not to like? Ember mugs keep the coffee hot by using an internal battery, which is charged by placing it on a little saucer that's plugged into the wall.
The saucer has two pogo pins sticking up that make contact with circular metal rings on the bottom of the cup and that makes the electrical connection to charge the device.
The new containers like the tumblers and the travel mug all use this same basic design to charge the devices.
The problem is that the saucers are highly failure prone.
The little pins have a tendency to get pushed in which makes it impossible to charge the cups.
Early on in our Ember journey, you had to buy a whole new mug-slash-saucer combo, so it was pretty expensive when they failed.
Eventually, they started selling the saucers by themselves, which made it a little bit less painful when the pins inevitably went bad.

[25:14] Now, the regular cup slash saucer combo runs $130 to $150, depending on whether you want the 10-ounce or the 14-ounce cup, and replacing the saucer will cost you $40.
That's an awful lot of money to keep your coffee or tea hot.
But still, we bought the new ones when the old ones failed us because we love having our coffee stay hot.
Now, I have a 10-ounce and Steve has a 14-ounce regular cup, which are a couple of years old.
Shortly around the time we interviewed Ember at CES this year, we started having new problems with our cups.
Keeping your cup at the optimal temperature requires a Bluetooth connection between your phone and the cup.
My cup would maintain that Bluetooth connection and stay toasty hot, but only when the cup was on the saucer.
If I held the cup in my hand too long, it would just start to cool down.
Steve's cup found a way to be even more annoying. Like mine, his cup would not connect to Bluetooth if it wasn't on the saucer.
But even worse, it only stayed connected right after he'd poured in brewed coffee that was hotter than his set temperature of 145 degrees.
So let's say it was 165 when he poured it in, it would stay Bluetooth connected right until it got cooled down to 145, and then it would disconnect.
That's also known as not heating his coffee. You know, it had one job, right?
Well, we started looking at the newer offerings of Ember after CES.

[26:40] Now, Bart recently bought the new Ember travel mugs at $200 each for himself and his darling beloved.
These are really cool because they have the temperature displayed on the outside, and you can tap the plus button to increase the temperature without messing around in the app.
It even shows the battery level on a second display.
They're tapered down so they fit nicely in a cup holder, and they also feature your built-in Find My, which is great if you let your mug wander and use an iPhone.

[27:07] Now, the only downside to the Ember travel mug is it's only 12 ounces.
We like to order grande mochas at Starbucks, which are 16 ounces.
We opted to replace both our at-home Ember mugs and our inexpensive plastic mugs for Starbucks with just a 16-ounce Ember tumbler.
Now, the tumbler lists on the Ember website for the same $200 as the travel mug, but Amazon has it for 20% off right now, so it's only $160, so we got our 16 ounces of happiness.
These tumblers are great. They keep our coffee hot and toasty for hours because they have a big battery.
They say it'll keep the liquid at 135 degrees for three hours, and I'm sure I get at least two hours at 145 degrees, which by the way is the maximum temperature.

[27:54] They come with two lids. One is a screw-on lid with a handle, which is great if you want to carry it around, but it's not great because you can't drink out of it without unscrewing the top.
The second lid is a press fit that's quite snug, and it has one of those sippy cup thingies that you slide back and forth to open it up for the sipping.
It works really well, and we've had no spillage from it.
In fact, if you have the sippy thing closed, it's pretty hard to shove into the tumbler because it's such a snug fit.
I also find it pleasing to drink directly out of the tumbler with no lid at all.
Since it's constantly heating my coffee, it doesn't cool down because I have the lid off.
I tend to drink my first cup of coffee from home with the lid off, but my Starbucks coffee with the lid on.

[28:37] I mentioned the nice long battery life, but that comes at a price.
The price we pay for two to three hour battery life is that the Ember tumblers are heavy.
And by heavy, I mean more than a pound. They're 17 ounces or 487 grams to be specific, and that does not include the weight of the lid, and that's without any liquid in it.
I'm not kidding when I say if you have any trouble with hand or wrist strength, the Ember tumbler might not be for you.

[29:04] Now, the Ember Travel Mug that Bart bought isn't that much lighter.
It weighs 15.2 ounces, or 432 grams.
And remember, it holds a quarter less liquid than the tumbler.
Now, the weight isn't a huge deal for us, and since the tumblers keep our coffee hot and nice and hot, we really love them.
Except on the rare occasions, happen to each of us once in about a month, when the app decides your cup is empty.
When it gets in that mood, there's not a darn thing you can do to convince it that you really do have coffee left and you really would like it heated, please and thank you.
But 95% of the time, it's been rock solid.
The travel mug that Bart bought is designed to fit nicely in a cup holder in your car, but the tumbler most definitely is not.
We can't squish it down into our rubber-lined cup holders hard enough to hold it securely in place, but the bottom of the tumbler is still a good inch above the base of the cup holder.
Makes me nervous, but we've had no cases where it tipped over.
If you want to measure your own cup holders to see if a tumbler will fit in yours, the tumbler is 3.3 inches or 83 millimeters in diameter.

[30:12] When we repeatedly bought the regular coffee mugs, we bought them in different colors so we could tell them apart.
I'd buy white and he'd buy black. The next time I bought silver and he bought the copper colored one.
The Ember Tumbler comes in any color you want as long as it's black.
I'm going to have to break out my Cricut and make a cute little sticker for mine so we can tell them apart.
So do you see why I had so much trouble writing about the Ember Tumbler and all of the Ember products?
At the high prices they charge, their heated mugs and tumblers are definitely luxury items, and you would think that for these prices, you'd get a product that would last longer than they do.
I'm afraid their customer service isn't great either. On their website, they show product reviews.
The tumbler we bought has 220 reviews, 108 of which are five-star, but 53 of which are one-star.
Nearly all of the 53 said they had trouble contacting customer service.
Recently, Steve wrote a lengthy request to customer service for his little mug, and he has not heard back from them in the two or three weeks since he wrote to them.
I'm pretty sure it was out of warranty, but you'd expect some sort of response.

[31:18] When you buy an Ember mug, you can buy a two-year warranty for the tumbler for $19 from the Ember site, so that might not be the worst idea if I haven't convinced you not to buy one.
Should you buy an Ember mug of any kind?
All I can say is I was really happy when I stopped by a friend's house for a quick chat that turned into an hour visit, and when I returned to my car, my coffee was still nice and hot.

Support the Show

https://podfeet.com/patreon


[31:43] Did you learn anything so far today listening to the show?
If you did, is it of any value to you? Do you learn things often from the NosillaCast or watching the fine videos Steve produces from CES and other shows?
If so, please consider going to podfeet.com slash Patreon and pledging a small amount to help keep the shows going.
Thanks to everyone who already does this, it makes a huge difference.

Security Bits — 17 March 2024 ☘️

https://www.podfeet.com/blog/2024/03/sb-2023-03-17/


[32:06] Music.

[32:15] It's that time of the week again. It's time for Security Bits with Bart Busschots, and I see a shamrock on the date there, Bart. Isn't that cute? I thought you might notice that one. Yeah, I like my little emojis, especially since we spent so long getting them working again on podfeet.com. Yeah, I don't know whether anybody noticed, but we had for quite some time, many, many months, we had no emoji. Well, actually, we had the real simple emoji. The ones that were only one character emoji were working for some reason.
Then Bart and I spent a great deal of time figuring out why and doing encoding and stuff. And now they look beautiful again.
Yes. And what the listeners can't see is I have my Ireland jersey on, which is beautiful and green.
And I have my greenest Apple Watch band on. So I am fully in the St. Patrick's Day spirit here today.
Well, that's good. As well you should as a good Irishman. Yes.
And I have a day off work tomorrow, which is very pleasing. Thank you.
Really? Yeah, it's public holiday. It's our national day. So it's our equivalent of the 4th of July is St. Patrick's Day.
But because it's a Sunday, we get the Monday instead.
Yeah, they don't make us lose a holiday just because it happens to fall on a weekend.
We get it, you know, carried over, which is nice. Anyway, we have a decent amount of security news. Not a terrifying amount.
Decent amount. And we start with some follow-ups of things we have talked about recently. So the theme of the year for 2024 seems to be ransomware.

[33:41] So two installments ago, we said, yay, the feds have arrested lots of people and killed the Black Cat ransomware gang, but I'm sure they'll be back.
And then one installment ago, it was boo, they're back.
Well, now it turns out they weren't really back. They were sort of kind of back and it looks like they may have been bluffing about the attacks they said they'd done.
And now they appear to have self-destructed themselves in that wonderfully, you know, criminals will be criminals sort of a way.
They have stolen all of the money from their affiliates and sold it off.

[34:17] So what they're supposed to do is give 70% of the money to their affiliates and keep their 30% commission.
What they actually did was... Wait a minute, wait a minute, wait a minute.
A black hat ransomware gang has affiliates?
Oh yeah, it's ransomware as a service is the way this is all done.
This is business. This is big business.
Yeah, so they don't go looking for victims. They leave other people to do that.
They do Apple's business model.
They basically run a malware store. and they take Apple's 30% cut and they let other people do all the work and they just take 30%.
But one of their affiliates got a big one. They got a big American healthcare company called Change Healthcare who apparently paid a 22 million ransom, and they took the 22 million and closed up shop and they put up a fake FBI takedown page and went, oh, I don't know, the feds took us down, we're terribly sorry and they signed it off.
Oh my gosh. Well, you know, So no honor among thieves, right?
Right, exactly. So I think they're gone now.

[35:20] But yes, that's why they keep on giving. Something else I have definitely said is that the focus of ransomware has shifted from home users were the first targets and you get like, you know, $100, $200, $300 a go.
But that's not a lot of money when you could get 22 million from Change Healthcare.
So the focus definitely shifted towards the bigger ransoms.
That doesn't mean the smaller ones stopped completely.
So the biggest player in the smallest pond is a ransomware called Stopcrypt, and they made the news this week by upgrading their software to make it harder for antivirus to stop it.
So even home users need to continue the old ever-present vigilance.
Don't download things from random websites and stuff, because what you catch could do you a lot of damage. And, I mean, this stuff is on the previous story, maybe, you know, because I'm an extra double secret optimist, maybe Black Cat running off with all the money of their affiliates will make other bad guys take pause before signing up for doing something through one of these ransomware as a service groups, because they might lose all their money.

[36:44] No? Maybe, maybe, but this is actually the third time the same people have run away with the money.
So Black Cat has renamed itself twice and has done this for three times now and everyone is expecting them to show up again with a new name and someone will say, well, what the heck?
Because, you know, they would have paid 99% of their affiliates.
You just don't want to be the last affiliate because then you get nothing.
Things, yeah, it's, yeah, no wonder I'm with the 22 million. Yeah, so don't be too successful, I guess. It's be an affiliate, but not a good one. We talked last time about GitHub enabling by default something called push protection, which checks your pushes for secrets and stops you from accidentally publishing keys that you shouldn't be publishing to the world, and you were wondering how big of a problem this is. Well, we got a little bit of a report.

[37:43] 12 million were found in 2023, pushed to GitHub.
So, okay, that's why they did it. Fair enough.
That makes sense. We also talked about GitHub having in beta a feature where you could stop using your phone number as a way of connecting to people on Signal.
And that is now out of beta. I have now played with it. It works.
They call it a username, but they don't mean a username. It's a very interesting technique they've gone with.
You're completely anonymous on Signal, so you don't really have a username or a phone number.
You just need a token you give someone to connect to you. And in the past, you would give them your phone number, and that would be the way you would start a conversation.
Well, now you can generate this token. I'm going to call it a token.
And you give that to people to start a conversation with you, and that's all it is.
It's not your identity. It's not that your account has this name.
It's just here is a little piece of text you give to people if you want them to be able to start a conversation with you.
And so now they can start a conversation with you without ever knowing your phone number.

[38:54] Okay, okay. So it's a connection token. The amount of friction to be able to find someone you know on Signal is high, right?
You have to already know them some other way where you say, okay, let's pick up and go over to Signal and have a conversation. Here's my token.
Yeah, because it's not a social media. It's a private messenger.
So it really is for two people to choose to connect, not social media. So they're not... It's a feature, not a bug. Well, it's a choice.

[39:25] That's the product. It doesn't have anything to do with whether it's a... So it's not social media, uh, for Telegram, but... Well, no, Telegram describes itself as social media, with their groups and stuff. Telegram very much describes... Yeah, yeah, they want you to, they want you, yeah. So they've designed their features to do that. It's always been designed where if somebody you know joins with their phone number that you have in your address book, then you can be notified that somebody you know just joined Telegram.
I mostly find it's people... Signal's the same, by default. But now you can turn that off.
Oh, okay. Okay, gotcha. Okay. Oh, okay. That's interesting. Yeah.
I've turned it off because I actually... I don't want people finding me.
Just because you know my phone number doesn't mean I like you.
I've had the same phone number since my first cell phone. And that was in 1990-something.
I don't remember 90-what, but the point is it started with 19.
You mean back in the 1900s? Yes, precisely.
Yes, last century, last millennium. I've had the same cell phone number since last millennium.
Anyway, so that's now out of beta, in use. It's actually quite nice.
I'm kind of pleased with it.
We also have some more DMA developments. Digital Markets Act in Europe.
Apple definitely seem to be trickling out their changes. It's like they basically had stuff ready and went, we have this in our back pocket if someone asks us.
But until someone asks us, we're not going to do it.

[40:54] So the let me see. The first thing is they release a document describing how they're determining whether or not you get to play in the EU App Store at all.
So there's a support document from Apple, which is linked in the show notes.
I'll just read out the important bit.
So basically the country or region of your Apple ID must be set to one of the countries or regions of the European Union and you must be you must physically be located in the European Union.

[41:24] Your device eligibility for alternate app store marketplaces is determined using on-device processing with only an indicator of eligibility sent to Apple.
In other words, the app store app on your phone checks if you really are in Europe and then it tells Apple yes or no.
I've lost. Are we talking about companies that want to be app stores?
Are we talking about developers? Are we talking about users? Users.
Users. This is, how do you, I'm Joe Soap European, who as of iOS 17.4 can hypothetically use third-party app stores.
Actually, no, MacPaw's is in beta. So yeah, you could actually genuinely be using one.
How come I can take my iPhone and iOS 17.4 and install the MacPaw app store, but you can't?
Right. You can update to iOS 17.4, but you physically can't get to that app store.
How are Apple deciding whether you can or can't? This is how.

[42:21] The one thing I find a little bit interesting is, and tell me if I'm completely off base on this, is it seems to me that Europeans freely move between European countries.
Sure. You might have, I know somebody who lived in Germany and they moved to Austria, but that means that they don't have their Apple ID in the same country they're living in. Which is fine. They're still in the European Union.
Yeah, so if you read it carefully, that's absolutely fine. Fine, as long as you're physically, your account has to be in a European country and you have to be anywhere in Europe.

[42:53] Okay, okay, okay. In the European Union, not just Europe. Yeah, so in one of those eligible countries.
Okay, I thought it was saying that you had to be at the same country.
Okay, good, good, good. Okay.
Yeah, especially if you live in Luxembourg. If they made you be in the same country, like you couldn't move two yards or you'd be in a different country.
That's what I was thinking, you know, don't lean to the left. Exactly.
So the important thing is it's on-device processing, and all they send to Apple is a thumbs up or a thumbs down, in Europe, not in Europe, which is good.
If you leave the European Union, you can continue to open and use apps that you previously installed from an alternative app marketplace.

[43:34] Good. So there's no time period in that sentence, right? So if you leave Europe, the apps you have installed won't magically stop working because you've left Europe.
That's so far so good. However, now we get a few caveats.
Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union.
And you can continue to use alternative app marketplaces to manage previously installed apps.
However, you must be in the European Union to install alternative app marketplaces and new apps from alternative marketplaces.
So basically, you can't install anything new once you leave Europe, even for like five minutes.
And if you do leave, you have 30 days where you can still get app updates.
But after 30 days, you don't even get app updates.
The only thing you can do is keep using the apps you have installed.
They won't magically stop working.

[44:26] So it could be worse. Could be worse. But if you, you know, you're a researcher going to Antarctica or whatever for a six-month stint, you have yourself a problem.
You can't use these alternative app places.
Now, that's a set of, what, like 50 people or something? Well, you know what I mean. There are people who go away for more than 30 days.
Yeah, 30 days is really short. Do you think you're going to do this, Bart?
Unless it's a company I really trust, offering me an app I really, really want, I really have no interest in leaving the safety of Apple's well-regulated store.
I don't, I have, so I need to make a really good case. No?
No, no, I could just install the other app. Before I ask my question.
The developers have to pick, right?
The developers have to choose, but the users don't. So you can be in both.
I could be in infinitely many. So I can just go to the app store and download another app store.
And then I have two app stores on my phone, and if I download another one, I have three app stores on my phone, so I can have as many app stores on my phone as I want. I just don't know why I'd want. Jumping the gun on something you were going to say, but you also are going to be able to sideload-ish from websites.

[45:43] Download apps, that's sideloading. Except for the fact that the app has to be notarized and it has to be from a developer with very special permissions, so true sideloading is anyone can put software up and it'll just work. This is still really closed. Okay, I'm sorry, you said that on the Mac we can sideload, and you can. There's notarization requirements for the Mac as well. You right click, go open and say run anyway, and it will run. Okay, it will run. Okay, got you. Yeah, you have to know the secret handshake.
Yes, which I do because, yeah, I do that. But yes, there is a secret handshake.
The secret handshake exists.
There is no secret handshake for iOS even now. But yes, so Apple also then give three new rules.
So the first one is basically the, oh, fine, then, Epic rule, as I call it.
So Apple's rule for third-party app stores was that you could run an app store, but it couldn't be only for you. You couldn't have a company shop, right?
So you couldn't have a Microsoft shop for only Microsoft apps or an Epic shop for only Epic apps.
Well, that rule has been, that hasn't stood scrutiny. That is now gone.
So Epic are free to make an Epic game store. Microsoft are free to make an Xbox game store, etc.
So you can make an app store for just your company.

[47:02] The other thing that has changed is that when you moved out of an app to a third-party payment processor, you had to use Apple's predefined template, which was full of scare words, and you weren't allowed to add any content of your own, and that's now fallen away too.
That has gone from a required, from a must, to a suggestion.
So they still offer you a template you might consider using, but the word is no longer a must when you look at the developer rules.
And then the big one you just mentioned is, and there's a lot of caveats on this, if you're a developer with a big enough app, with long enough standing, then you may get a special entitlement that lets you publish your iOS apps straight from your web page so that users don't have to install a third-party app store.
They can just go to your web page and get the app.
Now, this is coming later this spring, and so we don't actually know how.

[48:02] We don't know how. How? Like, what file extension? What happens?
Does it go into the files area on your iPhone? We have no idea of the how yet.
Apple have just said, this is a thing. Here's how you apply.
Here's the rules. It's coming in spring. That one also smells like an anti-Epic one because it says you have to be in good standing for two years.
And obviously they have not been in good standing for two years.
No, they have not. They've been in really quite bad standing for two years. Yeah.
But I think this is a big one for, like, if you pay Google or Apple, sorry, Google or Microsoft for your corporate services, Like, groupware, right? If you're, I don't know what Google called it this week.
Is it Google for work? What do they call it now?
The corporate Gmail, whatever it's called. Like there's a button saying get the apps.
And for iOS, it was always kind of weird because you couldn't just get the app.
You had to go to the app store.
Whereas now in theory, you could click a button, say get the apps, and they could just give you the app.
You could be logged into the web version of Gmail or the web version of Outlook.
And you just click the button and get the app.
I think that's really what it's for. Or actually another company would be Adobe, right?
You sign into your Adobe account and you just click the button to get Photoshop onto your iPad.

[49:24] So am I wrong in remembering which one this is?
But it seems to me there is also a requirement that you have to be able to set up this quasi sideloading option from websites that you had to have a million downloads of an app.
Yes, yes. That's what I mean by having a successful app. Isn't that anti-competitive saying we only want big guys?
That seems like super anti-competitive. No, it isn't. Because remember, it doesn't get a lot of coverage.
And I did mention this before, but I'm going to re-stress it again because almost no one mentions it.
The DMA puts two competing requirements on the gatekeepers.
They must be open, but only so open that they don't make a security risk.
And so they are constantly balancing off two things. So Epic think the DMA says we must get everything we want.
The DMA actually says that Apple have two competing responsibilities they have to balance, which is security of the entire platform and openness.
And so this concept of yes, you can, but you must is actually entirely in keeping with the DMA.

[50:29] You're missing my point. I'm talking about specifically the million downloads.
Absolutely. Yeah. What does that have to do with security of the platform?
That doesn't have anything to do with it. Because it means you cannot be a fly-by-night operator who just comes along.
You have to be one of the big players to get this kind of a very serious entitlement.
But big player doesn't define more secure. Let me give you a perfect example.

[50:56] Marco Arment said that his sales of Overcast, Overcast obviously is not fly-by-night.
It's long established. It's downloaded a lot, but he doesn't have to pay the 30% commission.
He only has to pay 15 because he has far fewer downloads than the requirement to get up to above the 15%, which means he would be fewer than a million downloads and yet not allowed to have a sideload to the EU.
To his own webpage, but he could still do a third-party app store.
He could run his own app store.
I'm not talking about the whole DMA. I'm talking about this one thing about a million downloads.
That seems to be anti-competitive that only big guys can do it.
And only big guys does not mean only secure guys.

[51:40] My understanding, based on the reporting I've been reading, is that Apple are in active conversation with the European Commission, and this is flying.
So I would still contend it's highly favoring big players, which I thought the EU was all about not doing that.
So that surprises me, that one. I mean, this is supposed to be about these big, terrible, giant tech companies taking advantage of the little guy, Spotify, right? It's not quite about the little guy, though. It's about other big guys. It's using their dominant market position, right, to not allow other people to rise up and compete.
Yeah. But allowing you to have your app straight on your webpage without an app store is a big, that's a big permission.
So it makes sense to give that out very judiciously. That's a very dangerous thing to offer out.
I'm kind of, I'm amazed they let anyone do this.
Absolutely. The Mac is an infinitely, absolutely, the Mac is an infinitely more dangerous platform than iOS. Massively more dangerous.

[52:57] So... but it's there. Sure. But we don't want iOS to be the Mac.
I love... You're saying they have to be notarized, right? Right.
iOS is more closed and it remains more closed because the Mac is not covered by the DMA in any way, shape, size or form.
And the Mac is an open platform by nature that's been tightened up a little bit, but it's still way more open than iOS.

[53:23] Okay, so you think cutting it at a million downloads doesn't cut out small, reputable developers that could have a leg up?
I mean, to me, that's the kind of company that would want to have an app available from a website.
But they can still do it on third-party marketplaces. If the only thing that's been cut off is this bypassing... Or they've got to pay somebody.
And you know, that it just, this one little piece, that's the one piece that seems funny to me.
And I understand it's flying and I'm not in charge of this, but it just seems, that one seems funny to me.
It seems anti-competitive to me, to little companies.
But anyway, keep going. Yeah.
Yeah. The other interesting thing that happened is that Apple had to file their first compliance report, because if you're a gatekeeper, you have to file regular compliance reports.
Now, the whole report is actually not public, but they have to give, like, an executive summary that is public.
And so the executive summary for their first report is out, and it gives an interesting little tidbit.
By the fall of 2025, not 2024, by the fall of 2025, they will have published a tool to make it easier to migrate from iOS to other operating systems, which is basically Android.
So they're going to offer a migration tool, so a migration assistant to Android by the fall of 2025.

[54:51] Interesting.

[54:54] Apple are obviously not the only people who are making... Oh, actually, sorry, there's one more little related story here.
Brave made a big press release to say that since Apple had to put up the browser choosing ballot screen, our use has gone way up in Europe.
It's like, well, maybe, but I don't know how long that'll last.
But okay, good on you. You know, you've gotten a few new users.
But it wasn't a few. It was a marked increase for Brave, I read.

[55:21] Yeah, but a small baseline is easy to make a big change on.
Anyway, look, no harm to them, right? It's nothing but a good thing.
If it's surfacing, people didn't realize they could do it. I'm surprised.
I mean, I would think everybody would go, no, no, no, no, no.
Oh, we're, you know, we're Safari or, you know, where's Google?
That's, I trust Google. I would think most people would.
Yeah, and it's kind of interesting because someone said, oh, it's because they're alphabetic. But actually, no, the order is random.
So everyone gets presented their 12 browsers in a different order.
So it's not just that B is top of the list. Because someone said, oh, it's just because they're B.
And as someone with a B name who was always first to get, like, the injections and stuff in school for vaccinations, I hated having a B.
But in this case, it is actually a random order, so that's not it. So there is something, whether it's recognition or whether people go, oh, that sounds cool, Brave, I'm brave. I don't know what it is, but yeah, the people are actually choosing them from a randomly ordered list, so there's something going on there. So good on them anyway.

[56:21] Apple are, of course, not the only gatekeepers, and we got a little bit more information from Meta, because they are a gatekeeper of messaging apps, which iMessage was ruled not to be, so Apple don't have to do this, but Meta do have to provide interoperability to their messaging apps, which is something that you were hoping would come to Apple Messages.
And they have released the rules for how another platform should interoperate with them.
And the answer is, thou shalt adopt the Signal protocol and the other open source protocol called XMPP, which is a protocol for passing messages, which means you must have end-to-end encryption.
And again, because the DMA forces both openness and security, Meta have permission to demand end-to-end encryption.
For anyone federating with them. Oh, okay.
Okay. So, you know, Signal is an open source protocol.

[57:21] So this is good, I think. Yeah.
You know what would be really cool is if Telegram ends up doing end-to-end encryption by default because they want to interop with WhatsApp and Messenger.
That would actually be fantastic, and it would be a really good outcome because people are nervous about the fact that they roll their own algorithms, if they just flip over to using Signal behind the scenes, I mean, it's not going to make any difference to the features of the app, right? Which encryption scheme they use.
I am curious how...

[57:53] One of the things we talked about last week was that, or two weeks ago, was that you can turn on end-to-end encryption on messages inside Telegram, but they give you a big warning going, yeah, but you're not going to be able to read these on your different devices.
Yeah, because they don't sync the keys. Anyone other? Right, but Signal must, right?
Absolutely. Signal does a face. No, no. As in you're correct.
Signal does not behave like this. Neither does Messenger. Neither does WhatsApp, who all use the Signal protocol.
Oh, but WhatsApp makes you log out of one and into the other every time you change. And that's one of the things I just abhor about WhatsApp.
That's not because they're using Signal. I have to disconnect it.
I have to scan a code just to.

[58:38] When's the last time you did that? Because they had a big upgrade about six months ago without stopping true.
Oh, okay. Well, that's less hate. I mean, it's still ugly and so many features missing. But yeah, okay, that's good.
That faffing about wasn't because they used the Signal protocol.
It's because they hadn't fully embraced the Signal protocol. So WhatsApp had their own protocol.
And because they had their own, it had some really weird things, like that scanning the barcode carry-on.
And they've been slowly migrating to Signal behind the scenes.
But that migration took years.
And while they were in that sort of weird, I don't know what mode they were in behind the scenes, because it's all under the hood and we don't really see it.
Yeah, you still have to do that scan thing. That was so annoying.
I basically decided that WhatsApp lives in my phone. Only my phone and nowhere else but my phone. And that problem solved.
But yeah, no, you're right about that. I may forget that. So if I complain about it again, I have officially recorded that I plan on forgetting that.

[59:37] Perfect. We went to visit our friends, Diane and Bill, and when I walked in and I took my bathrobe and I hooked it on the back of the bathroom door, I said to my friend, Diane, I said, I will be forgetting this.
She said, OK, noted. And I was in the car when Steve came walking out with my bathrobe that I'd forgotten on the back of the door.
I am nothing if not predictable. There we go.

[59:57] A very odd thing has come out. So all the gatekeepers have to have a browser choice screen.
And Apple gave it to everyone who upgraded to iOS 17.4. So the first time you open Safari on iOS 17.4, you get the browser ballot.

[1:00:12] Google are also under the same law, and they are deciding to have a go at a different technique. They're only doing it on new devices.
I don't know if it'll fly, but they're having a go at only offering this choice to people when they get a new device in Europe.
I'm very curious to see how this one shakes out, because like Apple have had to make a few changes.
I'm suspicious this may not stand, but they're having a go, so we shall see.
It's a bold move, Kat, and let's see how it works out for you.
Exactly. Exactly. And then I just want to give a tip of the hat and a link to a fantastic, very long article over on Ars Technica that goes through every one of the gatekeepers and everything they're doing to comply with the DMA.
And that is, it's a long read, but it's actually kind of interesting.
So if anyone wants to know more, that is linked in the show notes.

[1:01:02] We have also said many nice things in recent segments about the US Federal Trade Commission cracking down on online fraud.
A lot of it focused on tax because of the time of year, but they were cracking down on all sorts of other fraud too.
And they're still at it. They're continuing.
They are now going after tech support scams. They have given a $26 million fine to two firms called Restoro and Reimage because they were using scare tactics to basically lie to people to tell them their computers were broken.
Just to give a little quote from the article.
Restoro and Reimage use online ads and pop-ups that impersonated Microsoft Windows pop-ups and system warnings saying that the consumers'

[1:01:47] computers were infected with malware, had various performance issues and needed urgent attention to avoid harm.
That's that, apparently evilly. Yeah, Restoro and Reimage are probably not the only ones out there doing it, since Steve's father sent us a screenshot last week going, oh my God, what do I do? And I see a big X in the upper right instead of a red dot in the upper left.
So you kick that. Step away, step away. Yeah.
So it's good to see someone getting their comeuppance. 26 million, that's not nothing. Them, yeah.
So now we have one deep dive, which is, it's not really worthy of a deep dive, but it gives me an excuse to explain a term we haven't explained before, which is a watering hole attack.
So this is half a learning opportunity, and there is a real story here too that I do want to make sure people have the skinny on, and it's an opportunity for me to explain a change in terminology.
So basically, one story, one third of this story is actually a security story and two-thirds is other stuff I wanted to talk about anyway.
So you may see the abbreviation AITM, capital A, small i, capital T, capital M.
And that is the replacement for MITM, which used to stand for Man in the Middle.
And man in the middle has fallen out of favor for two reasons. Why is it gendered?

[1:03:09] And why do you assume the adversary in the middle is a human?
Because in reality, most of the adversaries in the middle are software these days.
So AITM is adversary in the middle. It's basically a body between you and where you think you're talking to.
Why is it AI if it's adversity?

[1:03:29] Adversary in. The I is for in. Oh, geez.
It looks like AI in the middle to me. But yeah, okay.
Yeah, so it used to be M-I-T-M. Now it's A-I-T-M.
So they only changed one letter to try and make it as unconfused as possible.
If you see A-I-T-M, it's what you thought of as man in the middle, but it's now adversary in the middle. And there are a lot of it as software these days.
So the TLDR bit is, if you are the owner of a Tesla, yay, you have a nice car.
Come into this. So this is a problem. There is a man in the middle, sorry, ah, there is an adversary in the middle attack that allows someone who tricks a Tesla owner into connecting to a dodgy Wi-Fi network to add an extra car key to your Tesla silently.
Okay, that's the context now. You hadn't said Tesla before, you just jumped in the middle of it. Okay.
Yeah, so that's the security, sorry. So pay attention to the security bit now, and then we'll get on to the other fun stuff again.
So researchers discovered that, actually, there's a bit of backstory here.
So when I first got my Tesla and I tried to add an iPhone, I had to be in the car to do it. I had to actually walk out of my house.
Explain to normal humans, what do you mean, add an iPhone?

[1:04:46] So you can have your phone be your car's key, which means that I always have my phone with me.
So I have a magic car. When I am there, it is unlocked.
And when I am not there, it is locked. And it's not magic. It's my phone because it's always in my pocket.
And so to set that up, you had to, in the past, sit in the car with your phone and then say, dear car, this is my phone.
Please be friends with this phone. Are you two friends now? Great. Thank you very much.
Which meant that if I wanted to give someone access to my car who wasn't here, let's say I needed my parents to move my car while I was away on holidays or something.
I couldn't because they would have to be in the car for me to let them in the car. It was a mess. So Tesla made it easier.
And they basically went, you can now do it from anywhere. So I can use the app and just say, yeah, add my phone, please, as long as I'm authenticated on the phone.
So they need my Tesla username and password.
And if I have, well, I do have multi-factor, let's just say that upfront, they would also need my multi-factor code.
What the attackers have discovered is that if you, say, at a Tesla supercharger, put up a Wi-Fi network called Tesla.

[1:05:55] And then you present a Tesla login screen, Tesla's multi-factor authentication still uses codes, which means it's not phishing proof.
So you're sitting on your, you're in a Tesla place, you're presented with a Wi-Fi network called Free Tesla Wi-Fi or something like that, whatever the name of Tesla's actual network is, and you get a captive portal login screen with the Tesla logo and everything saying, enter your Tesla username and password to get this free Wi-Fi, and then they pop up the multi-factor authentication box.
Well, if you type those three things in, anyone, anywhere on planet Earth for the next two to three minutes can add their phone to your car.

[1:06:33] Because they have your username, your password, and your six digits for the multi-factor.
How are they, anybody on the planet can get to what you're typing into a local Wi-Fi, dodgy Wi-Fi network?
Okay, so the attackers, as long as they, so the attackers, could send that information anywhere, right? That's how these things work.
The attackers have to be there because they have to set up the Wi-Fi network.
Yeah, but they could have set it up last week.

[1:07:03] And left a router? Left. I mean, you can buy them in a little pouch the size of a pack of cigarettes.
You can get a little device that does them. They're used by security testers all over the place. You could just leave them anywhere.
And plug them into power. Or take them on a battery for a week.
Oh, no, these are very common.
They're available as a product for penetration testers. They're very common, unfortunately.
They're banned in Canada because people use them to steal cars, but they're very, very common. They're so common, they ban them in Canada.
Okay, so somebody has to have gone to this Tesla supercharger, put one of these little devices there, and then they wait until they catch a fish. Catch a fish.
And so the reason this is called a watering hole attack is because they're not going looking for Tesla owners.

[1:07:53] They're setting up in a place where Tesla owners will come, right?
Where do Tesla owners go? Why? To Tesla superchargers.
So that's why it's called a watering hole, because you have predators on the savannah, like crocodiles and lions and things, who instead of going looking for things to eat, they just sit next to the water where everything comes for, you know, to get water, and then they have free dinner arrive for them. So it's the same attack.
It's most commonly used against developers where you poison things like the Node Package Manager NPM repository or Python's PyPI package repository.
But in this case, it's a watering hole attack against Tesla owners.
The security researchers suggest there are two very easy possible fixes.
The first fix they recommend is to make you have to be in the car to pair your phone.
Tesla are not going to do that. You mean to make the phone be in the car?
To make the phone be in the car to be able to pair the phone.
And Tesla are not going to do that because that's the problem they were trying to solve.
They're not going to go back and undo their work to make your life easier.
The second one they suggest I think is a no-brainer.
Have the car tell you it added a phone. Just the next time you get in the car, just have it say a car key was added. Keep or remove.

[1:09:09] I mean, you get this all the time. Do you recognize this? Exactly.
You get this all the time when you set something new up on your Apple ID, you get an email straight away going, was that you?
So if the car just told you, yeah, I've added a key, here's the button to undo.
Like, you know, if you've added a key, that would solve it. And you'd still have all the convenience of being able to add the keys without having to be in the car.
So I really hope that Tesla do this.
It shouldn't be difficult, certainly not conceptually difficult.
So my fingers crossed, this is how Tesla should handle it.
Either way, the takeaway here for Tesla owners is to be very careful that you only enter your Tesla login details on a network you know to be good.
So cellular connectivity or with your VPN connected, but not just into a random public Wi-Fi.
Because until there's something done about this, be careful.

[1:10:06] And that's the takeaway. And I've got to explain watering hole attacks.
And I've got to explain AITM, which you are going to start seeing in more and more security headlines.
Okay. So there we are. I like it. Okay, some action alerts. Apple have patched everything.
So iOS 17.4 is famous for doing the Digital Markets Act thing.
It also fixed two zero days in Safari.
So even if you're not a European, patchy, patchy, patch, patch.
A few days after Apple patched iOS, they also patched macOS, watchOS, tvOS, and HomePodOS, and VisionOS, all of which are full of software bug fixes and stuff, and security vulnerabilities, so patchy, patchy, patch, patch.
I was thinking we got out easy, finally, for once, that it was just going to be iOS, and then, like, two days later, it's like, oh, come on!
Yeah, and iOS was done on the day the DMA came into effect, so I think they just, they had no choice but to go early.
And so they got that one out at the absolute latest they could.
And then everyone else followed a few days later.

[1:11:08] Microsoft have also given us a patch Tuesday. Everyone's reporting it as a light patch Tuesday because it had no zero days.
It's now become a thing where it's a news story when there are no zero days in a security update. It used to be a news story when there was a zero day.
Now it's a news story there isn't.
Either way, there are still 60 patches, including 18 remote code execution.
So, yeah, they're not zero days. But you know something? Now they're published.
The baddies can see them. So patchy, patchy, patch, patch.
Hey, I interrupted your flow. You skipped over the GarageBand one.
Oh, Jesus. Yeah, because it's such a weird one. Yeah, Apple have patched GarageBand because if you open a maliciously crafted GarageBand file, you can get remote code execution.
So patchy, patchy, patch, patch.

[1:11:52] And finally, if you are the owner of a QNAP network attached storage or NAS device, patchy, patchy, patch, patch, because there's an authentication bypass, which is code word for no need for a username and password.
You can just be an admin, which is definitely not what you want on your NAS. On your home server.
Yeah, exactly. So patchy, patchy, patch, patch.

[1:12:16] Moving on to worthy warnings. The good folks over at Apple Insider made me aware of a default setting in X that I was not aware of.
Elon thinks X is going to become the everything app, and one of its everythings is voice calling.
Unless you proactively turned it off, everyone with a Twitter, sorry, an X account on planet Earth can initiate a voice call with you at any time.
Oh my gosh, are you kidding me?
Oh yeah, they defaulted it to on, so I went in and turned it straight off.
But everyone's defaulted to on. So that must be through the app? Yeah. Or your account?

[1:12:57] If you're running the app on any device, it's under account settings, so I presume it's on the account level.
Because I only go to it through the, I have a set of tabs that are all private browsing tabs, and I go in and I spam all of the networks and then I close them all at once, and one of them is X, so I don't have it installed.

[1:13:18] Hypothetically, if they support voice calling on the web interface, for those few minutes you have those tabs open, someone could call you on your computer.
But that's what I'm saying. Is it associated with your account or is it a setting in the app? Those are two different things.
It's a setting in the app, but it's under the section called My Account.
So your guess is as good as mine. Okay.
Either way, I turned it off. I was like, yeah.
So thank you to Apple Insider for that one.
We also have a good reminder from the Hacker News that just because someone sent you a calendar invite or something that says it's a Zoom call, and they've given you a link, and you click on the link and it has a Zoom icon, look up to the address bar. It may be a fake Zoom page with a fake Zoom download, or a fake Skype page, or a fake Google Meet page, because in actual fact there's a large campaign at the moment where malware is making fake Zoom, Skype and Google Meet pages, and when you download the app, you do get Zoom or Skype or whatever.
And it comes with a friend called Malware.
So check your address bar. Always check your address bar. See where you have landed.

[1:14:33] We talked a few weeks ago about 33 million French people, which was something like a third of the country's population, having been caught up in a data breach by two companies who managed basically the public health insurance in France.
And that was like, oh, wow, that is one of the biggest data breaches I've seen, like a third of a country. Well, try 43 million.
Also in France. This time, it's 20 years of the records from the State Employment Agency.
So anyone who has ever been unemployed in France in the last 20 years is caught up in this.
And it includes the French version of your social security number.

[1:15:21] So everyone in France, pretty much, between those two data breaches, everyone in France needs to have their shields oh so high up.
Oh, wow. Yeah.
And I've raised the bar on this section of the show notes so far, but that was just like, I don't know where I was going to draw the bar, but that's the other side of the bar.
So if we jump out to notable news then, I don't want to talk about every possible WordPress hack because we'd be here forever, ever, but there's a new one that sort of caught my eye.
It's kind of a WordPress worm.
There's malware for WordPress that when it gets into your WordPress because you haven't patched something, it uses JavaScript to attack other WordPress sites to spread itself.

[1:16:10] So technically speaking, it's the browser of every one of your visitors that's hacking other people.
But it kind of feels like a worm to me, right? It's self-propagating through the internet on your WordPress site.
So, Patchy, the real takeaway here, WordPress has a feature where you can turn on automatic updates for core WordPress. That's an easy one.
I'm pretty sure that defaults on these days.
There's a separate toggle next to each and every plugin you install saying that you allow this plugin to also be automatically updated.
Scroll down your list and go tick, tick, tick, tick, tick, and make sure they're all automatically updating. I did after you told me about that. Yeah. Yeah.

[1:16:48] A good reminder to us all, whether we're in France or not, shields up, folks.
Keep your shields up. Ever-present vigilance in your best Mad-Eye Moody impression.
The FBI have released a wee number just to let us know what's going on.
So they are aware of reports that in 2023, U.S. citizens lost $12.5 billion with a B to cybercriminals.
This is only what's been reported because most cybercrime goes unreported.
If you're curious what type of cybercrime is successful, business email compromise is right up on the list.
And if you're wondering what that is, the attackers take over a mailbox in your company, they watch the email in an email thread, and then they jump in.
And they appear to be someone you're talking to. And they appear to be in a conversation you're in.
And they drop in something like, and by the way, you wouldn't go and pick up some Amazon vouchers and email them to so-and-so.
Or you wouldn't change the bank account number for that supplier to such-and-such or some other fraud thing.
And they slip it into an existing email conversation inside your business.
So they're in your company.

[1:18:05] Okay. Okay. That's what I was looking for was how did they get in there in the first place?
So basically someone, anyone in your company, their passwords are in a data breach or something, and they get into that mailbox, and now they get to look like they belong. So they send out emails to other people in your company as if they're one of you instead of an outsider, and then they trick you into basically defrauding yourself.
Wow.
And that is very common, especially for large organizations. How many mailboxes does a big company have, right? Just takes one, right? So that's why that works.
The other one is investment fraud, basically tricking you. A lot of this stuff is around cryptocurrency. Oh, make this investment, it'll pay back great. Oh, thanks, we have your money, toodle pip. That's the last you'll ever see that money.
Uh, ransomware comes in third, and then tech support scams. So yay to the FTC for cracking in on that one. If that makes it into the top four, good.

[1:19:05] Um, so yeah, keep ever-present vigilance, folks, ever-present vigilance, even if the email appears to come from someone you know, because people's passwords get breached. So, you know, don't change bank details of stuff, things like that. Be careful.
The U.S. House of Representatives has passed a bill which, if it becomes law, would mean that ByteDance either sell TikTok or leave the United States. Now, for those of you who don't know how the US government works, for a bill to become a law, you have to sing about it on something called Schoolhouse Rock.
And then it has to be passed by the House of Representatives, then the Senate, and then the president signs it.
So right now we are one for three. It has passed the House of Representatives.
Biden has said if it gets to him, he will sign it. So you sort of got two to three.

[1:19:56] We'll call it one and three quarters of three, shall we say.
Because the Senate could amend the bill, stick a poison pill in it, that means that suddenly the president goes, uh, did I say outside that? I think not, you've messed with it or something. So hypothetically something could still come off the rails, but yeah, this is looking like it might happen.
So I've done a lot of research on this. I will first want to give a plug to Know a Little More. I'll find any excuse to plug Know a Little More. Such a great podcast by Tom. Indeed. So Tom, thank you for another great show about ByteDance.
Know a Little More about ByteDance. So we hear lots of things about how ByteDance are a Chinese company.
It's not that big.
It's really not that simple. It's a fabulous episode. I listened to it twice.
And so, yeah, you'll know a lot more, actually, when you listen to it.
Not just a little more. You'll know a lot more. So hat tip there to Tom.
There's also... There's a lot of episodes of his where I listen to it and I think I understand it. And a few minutes later, I'm like, wait a minute, wait a minute. Do that one again.
I think it was like mini and micro LEDs that I listened to three times and the one on what ARM actually is. That one took a couple of times.
Oh yeah, that's complicated too.

[1:21:15] Now, Tom's shows are short and snappy and to the point. Less short and snappy, but nonetheless extremely good listening.
If you really want to dig into this story, to really understand it, there's a BBC podcast that comes out once a week called The Real Story where they go really deep into one topic making the news.
And it's an hour-long show and they get on true experts who have a reasoned discussion without shouting at each other.

[1:21:39] It's very unusual to have a reasoned discussion with people who disagree without shouting at each other online. But anyway, that's what you get from the real story.
It's quite dry, but it's also always insightful.
So if you really want to deep dive into the actual arguments for and against this bill, then this is where you're going to get the deep understanding of what is going on.
And based on all of my listening and all of my reading, I have come to the opinion, which is currently a loosely held opinion, that this law won't actually achieve anything, and the only thing it's going to do is make politicians look like they're doing something.
Which is, this appears to be literally the only thing that is bipartisan, is everybody seems to hate TikTok, but I don't hear them talking a lot about why. I mean, ooh, China's scary, sure, right? But I was thinking that you might end up being able to tell us, yes, there is this big giant security hole of horribleness that has been uncovered.
And this is why the United States government has banned TikTok from government phones or something like that.
I figured there was just something I didn't know.
I'm sorry to say no. Basically, it's really, really, really hard to do something effective against the dangers of social media.
It's very easy to go, China's scary.

[1:22:59] So this is the way to look like you're doing something about a real problem without doing the difficult thing of trying to solve a really difficult problem.
So I'm afraid this is window dressing in my opinion.

[1:23:11] There, that's my opinion. But as I say, those two podcasts will allow you to come to your own opinion, and I describe my opinion as loosely held. If someone gives me a good argument, I am prepared to change my mind on this. This is not a hill I will die on in any way. This is my current loosely held opinion based on what I currently know.
Um, Google Chrome is getting a nice update at the end of the month. Um, they are going to do real-time checking of malicious websites, because attackers have started to become really short-term in their malicious URLs.
So the malicious URL might only exist for, apparently I've seen some as short as five or ten minutes.
So they will use a malicious URL for like a couple of minutes and then switch to another one.
And so it's very, very difficult for that to percolate. So I did a little bit of reading.
Apple don't say how they do things. So Apple just say, we protect you, and they don't say how. So I have no idea how Safari works.
It may be real-time, it may not. I can tell you that Safari only updates every 30 minutes.
What Google are doing is they're going to do a real-time check.
So at the point in time you go visit this website, they will very quickly send the request to Google going, is this one bad?
Get an answer and then browse to the page. That sounds like it could be a security nightmare.
Google were very, very careful to say that they are protecting your privacy by using a protocol called Oblivious HTTP, which is the generic name for the technology Apple call Private Relay.

[1:24:36] You basically use two proxy servers so that, so there's no way to know both what you want and who you are. So one of the two proxy servers knows who you are but not what you want, and the other one knows what you want but not who you are. And so no one knows both of those pieces of information, therefore it is safe for everyone's Chrome to be making this request.
And Google haven't just said we're using Oblivious HTTP, they've actually been really specific and saying we are using Fastly's Oblivious HTTP service. So...

[1:25:06] This is safe, even though on the surface it sounds terrible.
Wait, you mean Chrome phones home every single URL click?
Yes, but. So actually, this is fine. Good.
And then I want to end on a happy story. Well, happy is a good news story.
The US has done more sanctions against spyware.
In this case, it is five corporations have been sanctioned. It is not the NSO group. They're already sanctioned.
But it's similar companies with different products.

[1:25:37] And so that's more of them knocked on the head. And I am very sorry to read that two of them are headquartered in Dublin, so I'm delighted they're blocked, but boo, why are you here?
Go away. So anyway.
I want to back you up a little bit. Did you already say about Firefox doing it, the double proxy sort of thing, or fresh block lists?
No, so what I said was Firefox gets updates every 30 minutes. They don't do it in real time, so they don't need to do that thing, because they pull, not push. So basically, your Firefox pulls the latest updates every 30 minutes.
Okay, okay. I just want to make sure you didn't skip over it.
And back on the X and Twitter phone calls nonsense, PCMag says that if you only use a web browser to access Twitter, you better download the app and turn this off.
Because it's not available in the interface.
Yeah. Oh, that's brilliant. I was searching for it and couldn't find it in the interface, and they answered the question. You have to download the app to turn it off.

[1:26:39] Wow. I don't know what else to say. We'll just leave it out. Wow.
Okay, well, we're heading towards palate cleansing. We're taking a stop halfway to palate cleansing.
This is excellent explainers section.
One of my favorite science podcasts is called The Naked Scientists.
I have no idea where the name comes from. I think it's because it's science without dressing it up or something.
I don't know why they're called what they are. Anyway, they're a former radio show that is now a podcast and they are aimed at a general audience and they cover any sort of science and technology topics and they have an entire episode dedicated to understanding cybercrime.
And it is actually the single best explanation for human beings about the dangers in the world today. So it's a fun show.
Naked Security, the episode is called Cybercrimes in Cyber Times.

[1:27:31] That sounds fun to you, Bart. Honest to goodness, it's a good show.
People will, obviously they're not going to say, yay, everything's great, but you will understand what's going on without being terrified, with practical advice, and it's pitched at regular folk.
It's a good show. Genuinely, I listened to the episode, I was skeptical, and I was like, oh no, this is good. It's actually good.
And we do have genuine palate cleansers. I didn't do a poll.
Is it just for me this week? I have three anyway, so it's fine.
Okay, so they're all from me this week. Lots and lots of fun stuff.
So two podcast recommendations.
Allison has a cat called Ada, or Lovelace. You called it Ada, didn't you? Ada Lovelace, yeah. You called the cat Ada? Okay, both names.
So Ada Lovelace was an actual human being who lived a very long time ago, and despite the fact that she lived a very long time ago, she was the first computer programmer.
She was also the daughter of Lord Byron.
Fascinating character. If you'd like to know about her story, not from a computer science point of view, but just from who was Ada Lovelace?
Well, the podcast Noble Blood tells her story.
It's the story of her life. It mentions the computer stuff. It gives you an idea of how she got into it, how she met Charles Babbage, all that kind of stuff.
But it's about her full life.
Everything about her life. So if you're interested in Ada Lovelace, you may well enjoy that half hour of listening from Noble Blood.

[1:28:56] And if you want a story, now, I love the Darknet Diaries podcast, but it's generally not happy, happy, joy, joy.
Now, I think you've mentioned before the YouTuber who scams the scammers back.
He's a charming man from Ireland with a fantastic Northern Irish accent.
The entire episode 143 is an interview with Jim, who is that podcaster.
He tells his story. He explains what he does. he is such a fun person to listen to.
I smiled from ear to ear for the entire episode and it's St. Patrick's Day and he's Irish.
So ta-da, there you go. Have a listen. Great fun.
And like I say, most of Darknet Diaries is pretty dark. That one is just pure fun.

[1:29:43] And then finally, I am a big fan of Glenn Fleishman.
We regularly link to his work when he talks about cyber security and stuff or privacy, but he does other cool stuff, and one of the things he is fascinated by is everything to do with the printed medium. And he is working on a new book about cartoons, which obviously, we think of, you know, the funnies on the Sunday paper and so forth, and what is the history of that. And so he's working on a book. There's a GoFundMe page if you want to support his book.
But he's written an article about why it is that even today some of the absolute best artists still draw with watercolors and pencils on paper, and they also use all the modern tech. So basically they start physical, they scan, and they finish it off digital. It's a fascinating story. They do not want to do it all digital because it doesn't work for them. They need that contact with the paper and the ink and so forth.
It's a really fun read, and it will give you a good appetite for his book, which sounds good.
I wonder whether there's been any sort of analysis by Glenn on the age of the people that he...

[1:30:56] Makes these statements about? Yes, there is. I can picture a lot of people, but are they 20?
Yes. That includes people who started, yes, who literally are the young'uns.
So, because that's actually one of the things he says is, I was expecting to find that there will be an age difference between how people do this.
And I was shocked to discover that it doesn't matter whether you're new or you've been at this for 20 years or whether you're starting out brand new, it still holds true, the desire to have the best of both. And so even the old fogies, they use the modern tech, and the new ones use the old tech. Everyone does everything. They just combine the two together for the best of both worlds. It's a fun article, very fun article.
Both my niece and nephew are artists, and I'll have to ask them what they do.
Yeah, yeah, I'll be most curious. But anyway, it's a fun read, and, you know, I'm a huge Garfield fan and so forth.
So it was nice. It was nice. A little bit of history and stuff in there too.
So anyway, there are my palate cleansers. Hopefully that keeps you all entertained for two weeks.
It does. That was a lot of fun, even though some of that was gloomy.
But it'll be real interesting to see what happens with the DMA this week in the DMA.
I think you could definitely set up a podcast for a couple. It wouldn't last long.
You know, for the next six months, you're probably going to have plenty of content and then it'll become a very boring show. Roll the dice this week. Deconned.

[1:32:22] Indeed. Anyway, folks, the key takeaway message, as always, remember to always stay patched so you always stay secure.
Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like?
If you have a question or a suggestion or a review, just send it on over.
Remember, everything good starts with podfeet.com. You can follow me on Mastodon.
How do you do that? podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube or see the fantastic videos that Steve is making, you can go to podfeet.com slash YouTube.
If you want to join in the conversation, you can join our Slack community by going to podfeet.com slash Slack, where you can opt to meet and all of the other lovely NosillaCastaways.
You can support the show by going to podfeet.com slash Patreon, or if you want to do a one-time donation, that's always open too, at podfeet.com slash PayPal.
And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.
Thanks for listening and stay subscribed.

[1:33:27] Music.