NC_2024_03_31

Covering solar eclipses, programming, Mac tips, iOS tricks, and using MkDocs for documentation. They discuss Python setup, Git, deployment on GitHub Pages, CES talks, and cybersecurity concerns, emphasizing their importance and sharing insights on tech vulnerabilities.

2021, Allison Sheridan
Chit Chat Across the Pond

Automatic Shownotes

Chapters

NC_2024_03_31
CCATP #790 — Bart Busschots on PBS 164 of X – jq: Working with Lookup Tables
Tiny Mac Tips 2024 on ScreenCastsONLINE
Allison on Double Tap
Siena’s First Tiny Tip – How to Quick Unmute a Video on iOS
Make Beautiful Online Documentation with MkDocs
CES 2024: Aqara Smart Home Devices
Support the Show
TikTok About xz Utility Backdoor
Security Bits — 31 March 2024

Long Summary

In this episode, we cover a wide range of topics, starting with the anticipation of an upcoming total solar eclipse and the latest insights on creating and deconstructing lookup tables, experimentation with a Programming by Stealth dataset, and a fresh tutorial series on Mac Tiny Tips. The discussion extends to experiences with the Double Tap podcast and a useful trick for unmuting videos on iOS. Our primary focus is on mastering the mkdocs tool to streamline the development of user documentation for XKPassWD. We encounter challenges like struggles with Python setup and version control hiccups with Git. Wrapping up, we explore the deployment process of documentation utilizing GitHub pages, showcasing a blend of technical hurdles and inventive solutions.

I delve into the advantages of utilizing MKDocs for documentation creation, highlighting features such as search functionality and intuitive navigation buttons. I walk through setting up keystrokes in a concise tutorial format. Furthermore, I reflect on testing various static site generators and emphasize the adaptability of Markdown for content migration. Shifting gears to CES, a discussion with Jennifer unfolds around Aqara's smart home devices, spotlighting cutting-edge automation aspects like AI-powered facial recognition. The conversation meanders through smart sensors, pet feeders, and a notable prototype retrofit valve for flood detection. I express gratitude for the increased support from our listeners and segue into Security Bits, scrutinizing a potential vulnerability in Apple's M-series chips and dispelling exaggerated reports. The dialogue concludes with a critical analysis of sensationalism in technology journalism.

Moving on, we delve into an array of cybersecurity concerns, including speculative execution, recent updates from Apple and Linux, a supply chain attack targeting a prominent Linux utility, and vulnerabilities in AT&T's data security practices. We underscore the criticality of updating systems to mitigate potential risks and advocate for precautionary measures like crafting robust passwords via beta.xkpasswd.net. Touching on a recent breach at AT&T and the necessity of proactive security measures, we stress the significance of safeguarding systems.

Expanding on cybersecurity themes, we discuss Troy Hunt's efforts in validating data for Have I Been Pwned, cautioning against malware and phishing attempts on cloud service providers, susceptibilities in hotel smart card locks, router infections by malware, and the perils associated with free VPN services. Our exploration also delves into the unscrupulous tactics of Facebook's Onavo VPN, the Rowhammer exploit affecting AMD's Zen architecture, a novel malware targeting Asus routers, and the EPA's initiatives to fortify water systems against cyber threats. Additionally, we offer insights on enhancing privacy settings in Safari and provide a detailed breakdown of the cybercrime ecosystem. Wrapping up, we touch upon new tutorials for app development by Apple, an enlightening interview with Margrethe Vestager on tech regulations, and a dialogue with the iFixit founder on the right to repair ethos. Our parting advice is to stay vigilant with cybersecurity protocols and engage with fellow podcast enthusiasts across the various platforms facilitated by the host.

Brief Summary

In this episode, we explore a diverse range of topics including updates on a solar eclipse, lookup tables, Programming by Stealth dataset, Mac Tiny Tips, experiences with the Double Tap podcast, and tricks for iOS video unmuting. Our main focus is on using MKDocs for documentation, addressing challenges like Python setup issues and Git version control hiccups. We discuss the deployment process on GitHub pages and share tips on utilizing MKDocs features for creating user-friendly documentation. Additionally, we delve into CES discussions on Aqara's smart home devices and cybersecurity concerns like speculative execution, system updates, and precautions for safeguarding against cyber threats. Throughout the episode, we emphasize the importance of cybersecurity measures and provide insights on various technological developments and potential vulnerabilities in the tech landscape.

Tags

solar eclipse
lookup tables
Programming by Stealth dataset
Mac Tiny Tips
Double Tap podcast
iOS video unmuting
MKDocs
Python setup
Git version control
cybersecurity
Aqara smart home devices
speculative execution
system updates
cyber threats
technological developments

Transcript

[0:00]
NC_2024_03_31
[0:00]
Music.
[0:12]
And this is show number 986. Well, before we dig in, I want to let everyone
know there will not be a live show next Sunday, April 7th.
We're going to be traveling to Texas to see this total solar eclipse,
along with, what, 12 to 18 million of our closest friends.
All right, don't worry about the show, though. It's going to come out early on Wednesday.
Let me repeat for those who weren't listening, no live show on April 7th.
[0:38]
CCATP #790 — Bart Busschots on PBS 164 of X – jq: Working with Lookup Tables
[0:38]
In our previous episode of Programming by Stealth, Bart Busschots taught us how
to create lookup tables with jq from JSON data using the from entries command.
Just when we have that conquered, this time he teaches us how to do the exact
opposite, disassemble lookup tables.
I think it was a really fun lesson because taking data apart,
reassembling it the way you want it, and then putting it back together again
is a great way to really understand what we're doing with jq.
I got much more comfortable as I started to recognize the patterns in what Bart was doing.
We also get to play with a new dataset, the Have I Been Pwned data gathered by Troy Hunt.
If you're a data nerd, and I mean really, who amongst us isn't,
you'll love this episode too.
You can find Bart's fabulous tutorial show notes for this episode and all of
the other ones at pbs.bartificer.net.
And of course, you can find Programming by Stealth in your podcatcher of choice.
[1:30]
Tiny Mac Tips 2024 on ScreenCastsONLINE
[1:30]
This week, I'm pleased to tell you that I've created the third in a series of
Screencast Online tutorials filled with tiny Mac tips.
If you're new to the Mac or even a seasoned user, it's always helpful to
learn more ways to become a master of macOS.
In this third series of Mac Tiny Tips, I use playful and interesting examples
to teach you how to master the Mac.
Even if you are a seasoned Mac user, you're sure to learn new tips,
and the ones that maybe you'd forgotten about, you're going to remember because
you saw it here, or the ones you already knew, you can say, I knew that.
In this tutorial, I teach how to add keyboard shortcuts to menu items that don't
already have them, how to do super advanced spotlight searches,
how to paste and match style, how to browse versions of a file and bring back
that elusive save as option,
how to control which apps open specified file types, how to change and copy
icons for files and apps, how to collapse and expand all in list view,
and some easy keyboard shortcuts for finder views.
I do want to tell you that ScreenCastsOnline is a really terrific tutorial service
focused on software for Apple products and operating systems.
You can get a free 7-day trial over at ScreenCastsOnline.com where you can watch
my tutorial and all of the current back catalog.
[2:43]
Allison on Double Tap
[2:43]
I started listening to the Double Tap podcast recently, hosted by Stephen Scott and Sean Preece.
It's a podcast about blind accessibility, and it's fantastic.
The two gentlemen, and they would suggest I'm using that term loosely,
have simply fabulous voices.
Stephen is from Scotland and Sean is from the UK, and I am such a sucker for those accents.
I also really like the show because there's a warmth in the way they approach
the world, along with lots of good-natured ribbing and self-deprecation.
On a recent episode, I heard them mention CSUN's Assistive Tech Conference,
and so I wrote to them before the conference, introducing myself,
telling them how I talk about accessibility on a mainstream show,
and asking them if there were maybe any interviews they'd like me to give for their show.
[3:25]
Stephen and I got on a call together to discuss how we could have some fun collaborating,
and a friendship was born.
The next day, Stephen and Sean had me on their show.
Their website is woefully behind, not their fault, but that means I can't give
you a podcatcher agnostic link to the episode that I'm on.
I can link to it in specific podcatchers like Overcast and Apple Podcasts,
which are both in the show notes, but it might be more listener friendly to
have you search for the Double Tap podcast in your podcatcher of choice and
then look for the episode from March 20th.
It's an hour long and I come on right around 29 minutes into the show.
They're also going to be playing some of the content that we've created from
CSUN on their show so that's gonna be fun too.
I had a lot of really good time talking to them and like I said the show is
fantastic so I hope you check it out.
[4:14]
Siena’s First Tiny Tip – How to Quick Unmute a Video on iOS
[4:15]
Music.
[4:24]
You know when you're flipping through photos on your iPhone or iPad and you come
to a video and it starts to play, but it's muted?
I think we'd all agree it's a good thing that it defaults to muted,
but when this happens to me, I don't want to miss anything in the video,
so I don't try and fiddle around trying to hit the on-screen mute button right away.
Instead, I frantically find the pause button first, and then I try to grab the
video progress scrubber to get the video back to the starting position.
Inevitably, though, I end up grabbing the home indicator app switcher bar,
you know, that little bar down at the bottom that's right near where your fat
finger is trying to get to the scrubber, and I end up switching apps instead of doing the scrubbing.
I eventually get the video back to the beginning, and only then do I unmute
with the on-screen mute button.
It drives me nuts every single time.
This weekend, I was watching my four-year-old tomorrow granddaughter,
Sienna, play around on my phone looking at photos.
She got to a video that was muted by default and she instantly hit one of the
volume buttons on the phone and the video unmuted.
I have had every single iPhone ever made, I've done every operating system,
and I did not know you could do this.
Sienna is hard of hearing and I think volume up for her is an instinctive move
on her part, but she sure did school me.
I hope you like her tiny little tip on a quicker way to unmute on your phone
when watching videos on iOS.
By the way, she also takes a wicked selfie.
[5:47]
Make Beautiful Online Documentation with MkDocs
[5:47]
This week, I taught myself a new tool, and I'm really excited about it.
Let's start with the problem to be solved, shall we?
As you may already know, the Programming by Stealth community is working on
porting Bart Busschots' XKPassWD secure, memorable password generation service to modern web tools.
Bart originally created the service using Perl when that was all the rage,
but unfortunately over time, many libraries on which it depended were no longer
being kept up to date. It was time to port it to modern tools.
In the Programming by Stealth podcast, Bart has been teaching us all of the
tools to help him port the project to JavaScript.
You've heard the saying, give a man a fish and you feed him for a day,
teach a man to fish and you feed him for a lifetime.
Well, Bart has been teaching us to fish for the last few years and it's paying
off in a big way for Bart and all of us.
Bart taught us HTML, CSS, and JavaScript, which let us create functional web services.
But he also taught us to use Git, the version control system that would allow
us to work collaboratively with others. He taught us to use Bootstrap,
which makes our web services pretty without a lot of work.
He knew he'd have to document all of the functions in the new XKPassWD,
so he taught us to use JSDoc.
He even taught us test-driven development using Jest.
[6:58]
Bart kept thinking he'd have time to start the port of the project himself from
Perl to JavaScript, but higher priorities kept taking over.
Finally, the most awesome Helma van der Linden asked if she could start the
project, and Bart happily said yes.
She has been an absolute beast getting it off the ground, using much of what
Bart taught us, along with what she already knew how to do.
A few of us have been working on the project with Helma, including Mike Price and me.
I've done some HTML layout work to make it more responsive, and I've found a
few issues with accessibility, which we collectively fixed.
I'm also pretty good at breaking things, so I've gotten quite good at posting
issues to the repository in GitHub for Helma to fix.
This week, Helma mentioned that she was going to start working on a user guide for XKPassWD.
Clearly, Helma's time could be better spent on all that heavy lifting,
so I asked her if I could write the user documentation.
I fancy myself a pretty good writer. I mean, I better be since I write around
4,000 words per week. On top of that, I actually really enjoy writing.
[7:57]
One of the reasons I wanted to take it on was that I'd seen some delightful
documentation recently that was made with a tool I didn't know how to use.
I had been looking for an excuse to learn that tool.
The tool is called mkdocs from mkdocs.org.
Probably the quickest way to appreciate mkdocs is to go to their user guide,
which is, of course, written in mkdocs.
From a top level, you create your documentation in a set of markdown text files,
and then mkdocs pulls them together into a pretty easy-to-navigate format for the web.
This means anyone can write the docs themselves, but it takes someone a bit
higher up the nerdy scale to pull it together with mkdocs.
This type of tool is called a static site generator.
The very first step to using mkdocs to make documentation is to use the pip
package manager for Python from the command line.
If I've learned anything about being a nerd, it's to just try stuff I don't
understand. I don't know a lick about Python, and I'd never heard of pip,
but that didn't stop me. It was a disaster.
Apple quit installing Python by default a few years ago, and I knew that,
so I installed it from scratch.
[9:04]
Unbeknownst to me, Xcode had also installed Python, but a lower version.
I'm not positive about this, but I'm pretty sure there was a third version of
Python lurking around in my system somewhere else as well.
The other fun thing is that Python wasn't called Python on my Mac.
It was called Python 3, and pip wasn't there either, because it was called pip 3.
With all of these conflicting versions, things were getting pretty messy.
At one point, I sent a desperate plea for help to our Slack community at podfeet.com
slash slack over in the PBS channel.
And while both Alistair Jenks and Steve Matan tried to help me,
I seemed to make more of a mess of it.
I thought maybe I'll just go see if the Homebrew package manager could install
mkdocs and it worked like a champ.
So I stopped playing around with Python.
So now that we successfully escaped that scary snake, let's talk about how delightful
and simple it is to write documentation with mkdocs.
Every page of documentation is
a simple text file written in the markdown language, like I said before.
[10:06]
Mkdocs software does all of the rendering and assembling of these individual
markdown files into these pretty webpages that are going to be easy to navigate.
For our documentation for XKPassWD, I created the following pages.
About, Help the Project, Home, Varby Dragons, User Guide, and XKCD and XKPassWD.
I told you those page names in alphabetical order on purpose because that's
not how they appear in our fancy new docs.
The display of your documentation is controlled by what's called a YAML file.
YAML is a configuration file format that's pure text, but where things like
colons and indents have actual meaning.
I don't know YAML, and I've only heard Helma talk about it from time to time,
and yet the instructions from mkdocs were super easy to follow.
In case you're wondering, some say that YAML stands for yet another markup language,
but others say it stands for YAML ain't a markup language. So that's helpful.
[11:03]
To create the ordering and viewability of the Markdown files in mkdocs in the
YAML config file, you just type nav colon.
On a new line, you indent two spaces, not a tab, not four spaces,
two spaces, and then you start entering the names of the pages in the order
you want them to appear in the navigation.
Each line, after the two spaces, starts with a dash, and then a space,
and then the pretty name you want people to see, followed by a colon,
and then the name of the text file.
This sounds very clumsy to describe, but easy to read and easy to type.
For the XKPassWD user guide, my nav section has simple lines like dash about colon about dot md.
[11:44]
Before we dig into mkdocs any further, we better talk about themes.
Mkdocs comes with two built-in themes, mkdocs and readthedocs.
You tell mkdocs which theme you want to use in that same yaml file we've been
talking about that defines the navigation.
Again, this syntax is super simple. If you're not going to add anything extra
to the theme, you can simply type theme colon mkdocs.
The mkdocs theme has a pretty blue bar across the top where the navigation elements live.
Almost immediately, I realized that having seven pages in the navigation bar
was going to be completely untenable.
On small screens, it would collapse to a hamburger menu, but it still wasn't very user-friendly.
The Read the Docs theme is much better for documentation with a lot of separate pages.
Instead of navigation across the top, this theme uses a left sidebar.
I really like how this element works in MKDocs. The name of each text file is
listed on the left side in the order you entered in the nav portion of the YAML file.
More importantly, if you use headings in your text files, each page in the sidebar
can be expanded to show the internal headings.
Clicking on a heading jumps you immediately down to that section of the file.
It's like an automatically generated, navigable table of contents with close
to zero work on your part.
[13:00]
While I love the navigation and usability of the Read the Docs themes,
the colors don't really blow my dress up.
The sidebar is super dark and menacing looking.
I started looking for new themes, and I found a list of awesome themes and plugins
on a repository run by the MKDocs folks over on GitHub, so I decided to install them using Homebrew.
And that's when the real madness of Python began.
It turns out that the themes for MKDocs are only available through PIP.
I beat pip into submission and got it to work to install the themes I wanted
to try out, but mkdocs kept saying those themes don't exist.
As Helma is my witness, we had a Schrodinger's cat problem going on.
I finally had an explanation online.
[13:44]
Mkdocs, installed via homebrew, simply can't see any plugins you download via pip.
The only solution was to try to get a Python installation of mkdocs working.
After literally two and a half hours of Helma and me fighting with multiple
versions of Python and pip and problems with path and inconsistencies of error
messages, we threw in the towel.
But I came up with a good rationalization for giving up.
Everything about xkpasswd is open source and we welcome contributions from the
community. That's really what we're all about.
If I want people to help with the documentation, it would be just plain mean
to make them have to go through the agony of dealing with Python and pip to install a custom theme.
Now, if you think I'm just complaining because I'm new to the installation of
Python, even though I did have Helma helping me, I can prove it's not just me.
There's even an XKCD cartoon documenting the nightmare I experienced.
[14:42]
So Helma and I decided that I'm just going to stick with the built-in read-the-docs theme.
We can still affect styling using CSS, Cascading Style Sheets.
To tailor the docs, I merely had to create a directory in the project called
docs underscore dir, and then create a file inside that directory called style.css.
I then needed to add a configuration to our little friend the YAML file to tell
it to go look for that CSS styling.
So far, I've only messed around a little bit with styling code snippets using
CSS. I plan to get back to it to make it more pleasing and match the color palette of XKPassWD itself.
So far I've resisted the urge to play with that styling and rather I dedicated
my time to actually writing the user documentation.
[15:25]
Working on a tool that creates pretty webpages isn't very fun unless you can
get immediate feedback on how your changes affect the site.
With mkdocs, you issue a very simple terminal command, mkdocs serve.
This starts a little local web server and then you can find your rendered documentation
at localhost colon 8000.
Now don't worry about remembering that port number because the serve command
reminds you of it every time you run it.
The best part about this little server is that mkdocs is constantly watching
for saves to files for the site.
As soon as you save one of the markdown files, the yaml config file or the extra
css file, if you have one, you'll see the site update.
I really like that instant gratification.
[16:10]
Now, I made my next heading. I'm rather proud of this little joke.
It says, let's get this party started.
All right, if you're a nerd, you'll know why that's funny. At this point,
I had the docs working pretty well on one of my Macs, but I live a two Mac lifestyle
these days, and I wanted to work on the documentation on both of them.
I also wanted other people to be able to suggest additions and edits to what I'd written.
The obvious solution was to put my documentation under version control with Git.
I would create a local Git repository, and since the programming by Stealth
Crowd is settled on GitHub, I'd need a repo up there too.
It was easy enough to use the command line to initialize my mkdocs directory
as a Git repo using the terminal command git init.
Then I pointed my Git client GitKraken to that directory, pushed it up to my GitHub account.
It's available right now at github.com slash podfeet. you'll find it called
user docs xkpasswd and of course there's a link in the show notes.
[17:06]
Now, I've gotten pretty comfortable with Git over the last few years,
since Bart and I use it for all of the show notes, for programming by Stealth,
as well as his security bit segment on the NosillaCast.
And I use it for my own development projects like TimeShifterClock and TimeAdder.
Working with Git is not as easy as saving things locally, but it's not all that hard.
I just have to remember to pull from GitHub before I start working and push
my changes back up when I'm done, so I'm always sure I'm working on the latest
version no matter what Mac I'm on.
I kept poking around in the mkdocs documentation and I found another super cool
awesome thing about mkdocs.
With a single simple command on the terminal you can create a github page in
your repo for documentation.
Now if you're not familiar with github pages it's a way of hosting the static
website on github servers to be publicly viewable.
It's a free way to make our documentation viewable to users.
Okay you ready? Here's the entire process.
In the terminal, you type mkdocs gh-deploy.
That's it. That's all you do. mkdocs will do some churning and then ask you
for your username and password to GitHub. This will not work.
GitHub disabled this method of login ages ago, I presume since it doesn't support
multi-factor authentication.
[18:24]
Once it gets to the login prompt, you simply use Ctrl-C to back out of the command,
but it's already created the page for you.
Back in your Git client, you'll now see the gh-deploy command has created a
new branch called gh-pages.
If you check out that branch and push it up to GitHub, in a wee bit,
you'll be able to see the rendered web page for your documentation.
[18:47]
Now, if you haven't seen GitHub pages before, you'll need to go find the URL to tell people about it.
Log into GitHub, navigate to the repo for your documentation,
and then use the dropdown on the Code tab to change the branch from main
to this newly created gh-pages branch.
In the same menu bar where you see code, issues, etc., over at the far right there's a settings tab.
In the left sidebar, now you should see near the top, your site is live at and
a URL that starts with your username.github.io followed by the name of the repo.
So for our xkpasswd documentation.
It shows that the page, you can view this amazing documentation now yourself.
It's currently available at podfeet.github.io slash user dash docs dash xkpasswd.
And of course, there's a link in the show notes.
Now, don't memorize that location for xkpasswd, but you can use it for now,
because we'll probably be moving this into the Bartificer org eventually
to make it part of the xkpasswd family.
I started it in my own repo so I could demonstrate it to Bart and Helma without
borking anything up in Bart's organization.
I presume the URL will change when we move it, but you can view it at my repo for now.
[20:03]
Now, you get a couple of other cool things for free when you create documentation
with MKDocs. It automatically adds search capability for the site.
Works reasonably well, but I've seen it not return any search results at all
and later find the exact same things from the same search.
But hey, it comes for free.
Another feature of MKDocs is a next and previous button at the bottom of each
page and at the bottom of the left navigation sidebar.
It might not be that useful for this kind of documentation,
but it can be super handy if you've got sequential documentation,
you know, like a tutorial.
If you're a fan of keystrokes, you can set them up in the YAML file.
It's part of the theme section, and the tutorial on mkdocs gives you the format and some examples.
It suggests keystrokes for help, next, previous, and search.
I don't quite understand the format, but I copied it and pasted it from the
mkdocs documentation, and it worked.
However, as I was writing this up, I went to test the keystrokes, and they did not work.
I was very confused, and it took a lot of searching on the interwebs before I figured out why.
Some themes don't support shortcuts, and the read the docs one is one of those themes.
I thought I was losing what little was left in my mind because I swore it used
to work, but I had been using the other default theme, MKDocs, when I first tested it.
[21:21]
All right, the bottom line is that I'm thrilled with MKDocs and how easy it
was to make beautiful documentation with it.
It's a smidge nerdy, but the instructions are super clear and easy to follow at mkdocs.org.
Well, except for that Python pip nonsense. But I gotta tell you,
I can't really call a bottom line just yet.
That evil temptress Helma just sent me links to several more static site generators to try out.
Some of them look even prettier, so now I'm going to go down the rabbit hole of trying them all.
The good news is that they're all JavaScript, not Python, so maybe I can have more fun with themes.
You might think that changing horses right now after all this work,
having to do it all over again would be a big problem.
But remember, the real work is writing the documentation itself.
The reason Markdown is such a powerful tool is that it's completely portable
because it's just plain text.
This means that after I figure out these other static site generators,
I can simply plot my Markdown documents into them and see how they look.
Who knows, maybe I'll come back to my first love, mkdocs, but I want to test
these other options before settling down.
I'm really excited about this, as you can tell, so stay tuned for more fun about
how to create pretty documentation.
[22:33]
CES 2024: Aqara Smart Home Devices
[22:33]
All right, let's head back to CES and learn about some cool smart home devices.
[22:39]
I really like the Internet of Things. I've got my houses littered with them,
but I won't buy anything that's not HomeKit compatible.
And I've heard a lot of people talk about a company called Aqara,
and I found Jennifer Biana-Gellman here at the Aqara booth, and she's going
to kind of do us a quick walkthrough of the HomeKit compatible devices.
And, of course, they also work with Alexa and Google and do the IFTTT thing,
right? Yes, definitely. Definitely.
Yeah, Aqara, we create smart home solutions.
We have a diverse range of products. We have smart locks.
We have video doorbells. We have LED strips.
We have thread-based. We have a thread-based line. We have camera hubs.
We have pet feeders. And we have different sensors like FP2 radar sensors,
water leak sensors, door and window sensors, everything your smart home needs.
And Aqara is different because of the automations.
You can create a plethora of automations. And because of our diverse range
of products, you can really just, with Aqara, have it all.
For example, our Camera Hub G3 and our G4 video doorbell, they use AI facial recognition.
So if your daughter walks into the room and the G3 recognizes that,
the LED strip will turn her whole room pink.
[23:49]
Or with our FP2 presence sensor, if you walk into a room
and the presence is detected, the lights turn on. When you leave,
the lights turn off, which saves you so much energy and money on your energy bills.
And I got to tell you, my favorite automations are the ones I'm not telling it what to do.
People love to say, Alexa, turn on the lights.
It's like, no, I want the lights to know when I want them to come on.
I don't want to have to tell them when to come on. I don't have that kind of time.
Yeah. And that's why the FP2 presence sensor is so revolutionary.
And we actually have three new features for the FP2 presence sensor.
We have fall detection, so if you mount it on the ceiling and you have a grandfather
who falls, then it will alert you that your grandfather has fallen and the alert
alarm system will turn on.
The lights could flash red, there could be a sound on the G3 that yells,
all of that type of stuff.
How does the sensor know that grandpa fell? It's a millimeter wave radar sensor.
[24:46]
We also have a feature where it's sleep detection, so it can detect your heart
rate, your sleep schedule, and there's people counting, so it can give you live
real data on how many people are in a room or not, and you can see it all on a screen.
Wow, and you're saying the name kind of quickly. Say the name of the sensor
again. The Aqara FP2 presence sensor.
And is that visible here on the counter,
or is that something just in the background? It's right there. Okay.
It's our most popular sensor. I didn't know about that.
Now, the other thing is that I think your products don't cost
a fortune either. Is that right? We're actually like one of
the most affordable brands, actually. How I heard about you
first: HomeKit, and that. Well, this is very cool. You've even got a pet feeder.
Yeah, let me show you. She just, oh, she just held her fingers in front of the baby
camera and we got M&Ms kind of coming out of the pet feeder?
Just a fun, silly automation. So you do the automation through the Aqara software
then? Yeah, yes. You do it through the Aqara Home app.
[25:49]
And obviously, it works with HomeKit and Alexa and all the other platforms as well.
I like the idea of doing the automation in your app, though,
because to be honest, I'm a big fan of Apple HomeKit. But man,
it's weird to work with the automation there.
So having it in Aqara sounds really good. So how would people find these products?
We are available on Amazon and we're available globally through distributors.
But we are very easily accessible on Amazon. All right. And the name of the company is Aqara.
It's spelled A-Q-A-R-A. There is no U after the Q.
[26:22]
Yes, AQARA. All right, thank you very much, Jennifer. Did you want me to talk
about the retrofit valve? Oh, yes, yes, yes. Talk about this. One more thing.
So she's got a water leak sensor down here on the table.
Yes, so with our water leak sensor, it's been out for a while.
If you put it in a basement and there could be a flood detected and a drip,
you know, just a water drip, then this will notify you that there could be a
potential flood in your home.
And this is a prototype, so this is not released yet. Yeah, it's still a concept,
but it's our retrofit valve.
And if that little drip is detected, then your whole system will turn off.
And it could potentially save you from a flood.
Wow. So this is a smart valve controller that's in line on the pipe and will
actually mechanically shut it off.
Okay. So prototype. Yeah. You were wondering whether there was interest in this product?
Why, yes. Yes, everybody is interested in this product would like to know.
I know two people who were off on vacations, had floods in their home and destroyed
everything. Destroyed the neighbors downstairs.
That became their fault. Oh, it was just a big mess. So, yeah,
that's a great idea. Do that.
That's why it's important to always know what's going on in your home.
Absolutely. All right. Thank you very much. And I'll check out Aqara when we
get home. Thank you. Thank you.
[27:36]
Support the Show
[27:37]
Last week, I talked about doing my taxes and finding out I actually lost money
doing the podcast, and I suggested it would be swell if more people chose to
donate to the show using Patreon.
What I didn't expect was that listener and good friend in real life,
Lynn, who's already a generous patron of the Podfeet podcast,
I didn't expect that she would increase her pledge.
She's already helping to shoulder the load. Of course, I accepted her generosity.
And then darn it if Mike Price didn't do the same thing, doubling his Patreon pledge.
Like so many others, he contributes in so many ways, it seems criminal to take
his money, but I'll also graciously accept his money.
Then listener Emmy became a new patron of the show by going to podfeet.com slash
Patreon and pledging an amount of currency, of her own currency,
that reflects the value she finds in the material we produce.
She was also very, very generous. Now, she was playing right.
See, she wasn't contributing before, and she started contributing.
That was what I was trying to get happen. But then both longtime donors,
Janet Chesney and George from Tulsa, sent in PayPal donations to help out even more.
I thank Lynn, Mike, Emmy, Janet, and George for their support.
I hope those of you who have not yet started supporting the show will consider
helping shoulder the load, like I said, to make the shows we produce here a success.
[28:55]
TikTok About xz Utility Backdoor
[28:55]
You're about to hear security bits, and in this installment,
you'll hear Bart and me discuss at length a backdoor that was found in an open
source library called XZ, or as he said, XZ.
After we recorded, I was fooling around on TikTok, as I often do,
and I found a wonderful video by a guy who goes by the name Nate,
where he explains that nerds saved the internet this weekend,
and it's all about the XZ backdoor.
I put a link in the show notes before the security bit section so you can watch
it. It's absolutely glorious.
The guy does a great job of explaining it, but talks about how nerds save the internet. I loved it.
[29:32]
Security Bits — 31 March 2024
[29:33]
Music.
[29:41]
Well, it's that time of the week again. It's time for Security Bits with Bart
Busschots. Anything big shaking this week?
Yes. Yes, that's why we are recording.
Little and big. We have everything today, a plethora to play with.
We do. Quite a few fire extinguisher icons, though, so that at least is something. Good.
I did want to mention a few little quick updates of things we've talked about before.
So we mentioned last time in a bit more detail about this concept of a watering
hole attack where you go after people where you know they're going to come and
that at the moment, developers are really being hounded.
There's lots of things going after developers at the moment.
And to prove the point, the PyPI Python repository has suspended new account signups.
It's like we cannot deal with the torrent of bad packages being installed.
We're just going to press pause until we get to the bottom of this
So if you're a developer and you're
getting libraries from third-party repositories, like
I said last time, start at the home page of the library you
want and follow them, and then
you're not going to get a typosquat, right? You're not going to get a nearly-
the-same name of the library, so you want jQuery but you got jQuery with a
letter missing or something. So just start at the jQuery website and follow it.
Don't start on node or PyPI or whatever.
[31:09]
So, oh, that sounds tiresome. I mean, I can't just say brew install blah?
Unless you're dead sure blah is really blah. If you do a brew search and then
there's five or six packages that look vaguely like the right name,
now you're in the danger zone.
Okay. Okay. I tend to be doing big things that are fairly obvious,
so I should probably be okay.
But I like that you're bringing up Python right after I will have just spoken.
And this is a timey-wimey, wibbly-wobbly thing, but I will have already just
talked about using the pip package manager for Python.
But this is the PyPI package manager, but it could also be having the same problems, right?
[31:50]
Well, right, they're all being targeted. It's just, this is the story that made
the headlines this week. So I thought, well, I should mention it in the feedbacks
and follow-ups. But yeah, this is still a thing.
Okay. Continuing the topic of "this is still a thing", um,
the baddies are still getting one
over on Google. They are still winning the
cat-and-mouse game on getting malicious ads to sneak into Google, and I am sure
the Google people are working very hard to get those mice, but they are not winning
at the moment. So just since we last spoke there have been malicious ads sending
trojanized versions of CleanMyMac, the Arc browser, Notion and PuTTY.
So, oh wow. Again, start at the project's home page rather than going straight
to a download link from Google. I think this is again your best bet, or certainly
not on one that's under the advertisement space. You know, Google does mark which
is an ad and which is not, right? So don't click in the ads.
[32:45]
And surprising absolutely no one on planet Earth, the European Commission is
not 100% sure that Apple, Google, or Meta have completely complied with the
Digital Markets Act. There is an official investigation.
Hands up if you're surprised. Oh, look, no hands.
I would like to throw in just some commentary here is on the Accidental Tech podcast.
They very often, especially Marco Arment and Casey Liss,
like scream into the microphones about how frustrating Apple is to work with,
where you can work developing a product, an app for years and submit it to the App Store.
And then they go, no, guess again. You did something wrong and we're not going
to tell you exactly what it is.
And they are laughing their fannies off at what's happening to Apple with the
DMA, where the DMA is going, OK, guess how to comply. So Apple throws something
out there that's in their best interest and they go, nope, guess again.
Instead of just tell me what you need me to do or work with me together to put this together.
Well, that's exactly what every developer wants and Apple does not do with you.
So they're just sitting back eating popcorn watching this whole thing.
Whether they agree or not with the DMA is irrelevant.
It's just, it's comical to see the schadenfreude that's going on.
Yes, indeed. Turnaround is fair play.
I've heard a few developers taking some perverse pleasure, shall we say.
[34:12]
Yes, anyway, so that will go on. So we have a deep dive.
It was just one I promoted to a deep dive. And it's because it got so many such
shouty headlines that I thought maybe we should put the fireworks in. We should on this one.
You may have heard of something called GoFetch, which is an unpatchable flaw
in the hardware of all Apple's M-series chips.
Yeah, everybody's been talking about it. Well, there is a kernel of truth,
because there is always a kernel of truth.
But it's very technical and very dense. And so if you read the original journal
paper without a degree in computer science, you could very easily come away
with an inappropriate understanding of what's going on.
And then you take that and you feed it through a headline editor who then reads
your translation of what the journal paper said and puts on a headline they think will get clicks.
And the game of Chinese or game of telephone or whatever we call it very quickly
gets you to, oh, my God, the world is ending. It's doom.
[35:17]
It's not nothing, but it's not what people think it is. Okay, tell us what it is.
If you want the nerdy details, Steve Gibson did a real Propeller Beanie episode
on the latest security now, but I'll give you the quick version.
In cryptography, some algorithms absolutely must be implemented in something called constant time,
where the amount of time it takes to do the crypto can't change depending on the content of the key.
So no matter what key is randomly chosen, it should always take exactly the
same amount of CPU cycles to do the work.
Our modern CPUs are full of optimizations.
[35:59]
What has happened here is a collision between an optimization and these cryptographic algorithms.
And so the M-series processors by default enable some optimizations that break
the assumption of constant time. They go and pre-fetch things based on the content of the key.
It's like, oh, I think I know where to go fetch that hardware address.
I'll go fetch that for you.
And it's not constant time anymore. It's optimized.
And therefore, if you hammer at it over and over and over and over again by
watching the timings, you can begin to infer the bits of the key slowly.
So over an hour, you can end up determining a key.
And we're back to the old, these are Spectre-style side-channel attacks.
So if your computer is already hacked and you're using this type of cryptographic
algorithm and the malicious process and the cryptography get to run on the same CPU core for an hour,
then the attackers get to steal the cryptographic key.
So that's not a very realistic scenario, is it?
Well, yeah, if I've got a 16 core M1 or M3, what are the chances it's on the same CPU?
[37:17]
They may have to do some engineering to try to trick it into definitely being in the same CPU.
And if they have root access on your computer, I'm sure they could achieve that.
But if they have root access on your computer, you have a way bigger problem.
So again, if you're hosting servers on an M series Mac, then you do need to
pay some attention to this.
But even if you are paying attention to this, it's not catastrophic.
So the second problem is with calling this an unpatchable
flaw, because actually it's very
easy to fix. You just tell the CPU
not to do that optimization while you're doing the crypto, and
then it's fine again. So you basically say that
while this function is running, turn off that feature, and then
the function runs in constant time, and then you let the feature come
back on. So one piece
of this that I don't understand... well, there's... I'm glad
I said one, since there's probably many, but one piece
I don't understand is what process is running
this cryptographic process. I mean, am I
initiating that? Is the operating system initiating it?
Is some application, some web service? The attacker would basically try to do
something to make your computer use a cryptographic key that they know you have,
that they're interested in. So they might think, oh, this person has SSH installed,
I want the SSH key, therefore I will sneak a process on that will trick their
computer into doing some SSH connects, and then I'll watch the timing on the CPU. Okay.
It's just not practical.
[38:42]
It's really cool science. It's really cool research.
And the takeaway here is that the implementers of cryptographic algorithms need
to be careful that their code, when they compile it for the Mac,
ticks a little box that tells the M-series Macs, turn off this speculative feature
and then turn it on again at the end.
So basically, there's a way of telling the M-series processors that this piece
of code shouldn't use optimizations.
And so you just need to update your functions to say, tell the CPU that you're
one of those funny secure type processes, and then the CPU will stop being all optimized.
[39:20]
And so that brings us to another kernel of truth behind the other shouty part of the headline.
The only fix is a massive reduction in performance of the CPU.
Which is true in the teeniest of tiniest of ways in that the function processing
the cryptography will need to not use those optimizations.
Everything else you're doing can. So it's not a binary like that we disable
this feature for the entire CPU forever. And now Photoshop is slow.
Right, exactly. So I can understand, having read the abstract of the journal
paper, I understand why this was poorly reported, because the abstract of the
journal paper was very computer science.
And I understand the clickbait for saying Apple is doomed.
So even when a responsible journalist, say at Ars Technica, writes a correct piece,
when that goes to the Ars Technica headline editor, who is not the person who
wrote the article, that's something we often forget, that the person who writes
the headline is not the the person who writes the article.
And that makes a lot of journalists very, very, very cranky.
Steve Gibson used to be... Steve Gibson hasn't written a...
[40:26]
A regular, not a, ah, what's the phrase, a regular column in years.
But even when he did it, he was regularly cranky with the headlines on his articles.
And that's decades ago.
I think the other problem is so much of what is considered journalism these
days is regurgitation of other people's articles.
So it could be, and I'm going to make up websites, but, you know,
It could be that it starts with a journal article, then it's Ars Technica who
does a fairly good job. Now we've got a bad title that's clickbait.
And then MacRumors adds to that one, and then John Gruber adds to that one.
And each time, the telephone is getting worse and worse and farther away from the real truth.
And usually it's fine, but not when – yeah, then it's a tweet.
[41:18]
And usually it's fine, or at least, you
know, within... you can squint and see the original article in it.
But in this case, uh, I definitely heard it
reported much differently than the way you've explained it. But, uh,
okay, so we're not gonna worry about that.
It just seemed like speculative execution is the most common
thread that we've run into in a
technical thing that you have taught us over the years. We've heard
this over and over and over again. I'm thinking it's a bad idea, we
shouldn't do it. No, I thought
that initially, right when Spectre and Meltdown came out, but I've
nuanced my opinion. Cryptographic code
needs to just get into the habit of telling every CPU
to turn them all off. So all of the CPUs, the Intel ones and everything, you could
turn these features off, and I think all cryptography should just get in the
habit of saying, don't optimize me in any way, and then even the optimizations
we don't know are bad, just turn them all off. Just no. Yeah, we can wait that millisecond.
We have that kind of time.
Exactly. That's good. That's really, really interesting, Bart.
Thanks for telling us about that.
[42:23]
That's why we're here. Jumping into action alerts then.
Last time we spoke, Apple had patched iOS, their shiniest operating system.
They had been very vague in their patch notes for iOS, just saying it fixes
some security stuff, don't you know?
And the reason they were being vague is because they didn't have time to get
the updates for the Mac out because they needed to get the ones for iOS out
in time for the Digital Markets Act to go into effect.
So now they have retroactively updated the notes for iOS and released the updates
for macOS and older standalone versions of Safari and another update for the iPad as well.
So a few more updates to follow. They're basically the same updates we got on
the iOS last time, just rolled out everywhere else.
You know what's really sad, Bart, is I was so happy when it was just iOS.
I was like, finally, some patch that's only for one of my devices or that category of device.
And then all of a sudden, the rest of them come out. It's like, ah, you're killing me.
Yeah. As is normally the case, there was a bit of a problem in WebKit because
WebKit just does everything these days. So that's why it affects everything.
Yeah. WebKit. As my mother used to say, everything goes when the whistle blows.
[43:37]
Now we have another news article that we're going to add a little bit more color
on than it currently has in the show notes.
So if you're running a version of Linux, and there's an asterisk we'll put on
this at the very end, but I'm just going to leave it at, if you're running a
version of Linux, that is what they call one of the more bleeding edge versions of Linux.
So different Linux distributions have a different attitude towards being cutting edge.
So if you're running in the
Red Hat world, then the latest version of Fedora will
be using the very, very latest versions of every package and running
into all of the problems, and then Red Hat won't bring any of that to Red Hat
Enterprise Linux until a year later or so. And so if you're running the Fedora
one, you're getting all the latest updates, whereas if you're not, then you're
not. And in the Debian world there's something which I think is a wonderful name:
they call it Debian Unstable.
So the version of Debian that gets all the new hotness is called Debian Unstable.
And the version of Debian that most servers are running is called Debian Stable,
which is basically Debian a year old. Yeah.
So if you're running the stable OSs, you're fine because what's happened here
is someone has succeeded in taking over the Git repository for a popular utility
and putting a backdoor in. It's called a supply chain attack.
It's the XZ utility library.
The malicious code looks for SSH stuff going on in the computer and basically
tries to create a backdoor on your computer using SSH.
[45:06]
It was discovered by, I think it was the Microsoft security
team, were investigating some weird stuff they had seen through
gate, and they were like, what the, who the, what? And
they discovered it, and then Red Hat released a pretty shouty headline going,
if you are running, uh, was it Fedora 41 or Fedora Rawhide, you absolutely positively
must patch immediately. And it's one of the weirdest patches, because when you
install the patch, your version of xz libs downgrades. So normally you patch to update.
But now you're patching to downgrade, which feels really weird.
Like, yay, I'm patched. I have an older version.
So in Linux land, unless you're running those bleeding edge distros,
you're probably not affected.
But a yum update or an apt-get update will fix you in Linux land.
But then, of course, as Allister pointed out in the Slack over at podfeet.com
slash Slack, Linux packages aren't only on Linux.
Some of us bring the Linux universe into our Macs using tools like Homebrew.
So if you use Homebrew to install something which has a dependency on XZ Utils,
then you may have gotten a copy of XZ Utils.
And that may be a new copy.
So you may have to downgrade.
[46:22]
Yeah, so Bart and I took a look at this. There's an Ars Technica article that
actually highlights the fact that you may have XZ utils just because you're using Homebrew.
And so I looked on my two Macs. I've just recently been messing around with Homebrew.
And on one of them, it did have XZ.
And I've never intentionally installed that. But you install stuff,
you get all kinds of library dependencies. That's just the way this kind of thing works.
And so I had the newest version, which was 5.6.1 on one of my Macs.
But on the other Mac, I ran brew upgrade, just upgrade brew,
everything that's in it.
And now I have the downgraded one, 5.4.6.
So I'm going to fix the one on my second Mac today.
But Bart looked in his and he didn't have it. So he didn't have XZ.
So it's not necessarily that you get XZ just because you're running Homebrew,
but you may have it installed.
And you know what? It's not the worst thing in the world to patchy,
patchy, patch, patch, just run brew upgrade and you're going to get a bunch
of new stuff that's patched. So go. Yes.
[47:32]
And just you and I both ran into this subtlety,
If you read the brew docs, you're going to be no better off here.
There is a difference between brew update and brew upgrade.
Brew update effectively updates brew's opinion of the universe,
and brew upgrade applies this new opinion to your computer.
So if you just run brew update, it knows how it should fix everything,
but it won't actually fix things.
Whereas if you run a brew upgrade, it will actually upgrade all of your packages.
So brew upgrade must do a brew update and then a brew upgrade. Correct.
It's one of the supersets of the other. It was interesting
seeing it get downgraded, so I know that it worked. But, uh, thanks Allister
for highlighting that. Uh, I don't want a backdoored utility on
my Mac. No idea if I could be exploited, but I'm not going to... I'm not going to
do that. So brew upgrade, done. The attack surface may be small or difficult to
get to, but let's not have it there. Let's just not have it. Well, yeah, and it's
super easy to fix. It's, what is that, like 12 digits I got to type? Exactly.
[48:35]
Somewhat similar. I have a fire extinguisher on this one too.
There's a lot of shouting about a big, big bug in a very, very common package
called util-linux. That might be in a few places.
And I sort of chuckled because the bug is in a command line command I haven't
played with since I was a college student.
It's called wall, which stands for write all. It's a way of sending a message to every terminal.
So if you're ever logged into a Linux computer and someone else does a shutdown
minus H now, everyone gets a message saying this computer is shutting down.
That's written to everyone's terminal using the wall command, write all.
And we used to have great fun writing messages to everyone's terminal going,
hee hee, you're a poopy pants wall.
You know, we were big children. But that's the point of being at university.
Anyway, seeing wall made me chuckle. I was like, oh, I remember that when I was a kid.
There's a bug in how wall handles escape characters. So you can write to people's
terminal and then make it send special characters.
So people have been experimenting with how do we abuse this.
One way to abuse it is to write a fake...
[49:49]
sudo prompt to someone's screen, so
it looks like sudo is asking them for
the password, but actually it's just a normal bash prompt. And so
they type in the sudo password, and then if you're running Debian
or if you're running Ubuntu, if you type a terminal command
that makes no sense, it tries to give you a hint about what you might have meant:
did you mean blah blah blah? Which means there's a log file that shows it trying
to figure out what you asked it to look up, so the attacker can check what failed
to run, which is your password. Oh.
If you're running Ubuntu, which tries to do that helpful tip.
And someone also found a way to make it mess with your clipboard.
So hypothetically, if there's something sensitive in your clipboard,
you could use the wall command to snake someone's clipboard.
Again, the attack surface is tiny, but the fix is trivially simple.
Just update your Linux. Whether it's a yum update or an apt-get upgrade or whatever
it is on your particular version of Linux, just update your Linux and you're
absolutely fine. So it's a nice, simple one.
Some people were getting all shouty about it. No, it's difficult to exploit.
Kind of fun, though. So just update.
[51:04]
Now, in worthy warnings, I've actually gone and dug up the emoji for two exclamation
points, because there's a big one. So, Krebs on Security was the first to warn about this.
There are real-world attacks targeting Apple users at the moment,
and it appears that at least a week ago, it was true that the rate limiting
on the resetting of Apple IDs was not working on Apple's server end.
So, if some random person on planet Earth tries to reset your Apple ID,
Apple will send a push notification to your devices saying, is this you?
Do I allow this password change or not?
And that should obviously be rate limited, so that someone can't send you 500 push notifications.
But that rate limiting was broken a week ago. And some people in the cryptocurrency
world were being bombarded.
And if you rubber finger even one of those 500 messages and accidentally click
allow instead of deny, say maybe on a small Apple Watch screen,
then you have just lost control of your Apple ID.
[52:15]
And there's no way to dismiss these. They're modal dialogues.
So you must click through them all. So you have an exhaustion attack where someone
might just get fed up and think, oh, fine, whatever, allow.
Or you might accidentally click one allow out of 500 denies.
So either way, if you suddenly get swamped in messages about your Apple ID, it's a real attack.
Do not, under any circumstance, click the allow button. No matter how frustrated
you get, no matter how cranky you get, do not click allow.
The hope is that Apple will fix the rate limiting and this will not be a thing.
But if it happens to you, it's really
important you click deny. I'm... one
thing I hadn't heard was whether rebooting the phone would
be a better way to deal with that. Nobody said anything
about that. I would think restarting the phone rather than trying to make
sure you hit don't allow, you know, a hundred times. These people said it was like
a hundred. I don't know if the message would be queued up, just waiting for
you when the phone came back. It's certainly worth trying. I promise you, if it
happens... I don't want to tempt fate, but yeah, it sounds like it's worth giving it a go.
So what can Apple do about this? Well, the push notifications are coming from
Apple servers, so they could say that the same Apple ID can only have a reset
sent to it five times an hour, and then the problem becomes a very manageable
tonight that I deny a good day.
[53:41]
Okay, it's a rate limiting thing. Like, you shouldn't be able to,
if you get your password wrong on Google so many times, they stop accepting you for an hour.
If you try to put your pin wrong on your iPhone for so many times,
it says, yeah, go away for an hour.
It's a rate-limiting thing. So it should be fixed before the server ends. So they can fix it?
Yeah, yes, because it's coming from their server, so they should be able to
fix it without an update on our end. They should be able to fix it on their end.
You think they're going to tell us if they fix it? Nope. So I think this will
just silently stop happening.
But the reason I want to say it is so that if this happens to you,
and I'm hoping it doesn't, then it probably won't, but if it does,
it is really important that you do not click Allow.
Okay. Forewarned is forearmed. That's two exclamation points.
One exclamation point. If you use Twitter slash X, you need to be aware of a
fact about a design decision they made with how the preview of a link is calculated.
It is trivially easy for a naughty person to make the preview of the link look
like it goes to a domain it doesn't actually go to.
So the URL you land that when you click the link may be completely different
to the one the preview shows.
[55:00]
And if you're on a phone, you won't have an address bar if you open a web page from within the X app.
It will just be a blank screen. So if the preview says you're going to GitHub
and if the page you land that looks like a GitHub login page and you can't see
the URL bar, you do not know you're being phished.
How could you? You couldn't possibly know.
So, there is a setting where you can say links open in Safari.
And it means that every time you click a link in your X app,
it does that swaparoo thing where all of a sudden you switch to Safari.
Turn it on, because at least then you'll see the URL bar, and you will know,
or you will have a fighting chance of noticing that the domain name is wrong.
Okay. Or don't do that.
[55:52]
I'm trying to see how this is any different than always, right?
So on other sites, they use a completely different method for calculating the thumbnail.
So the preview of a link is calculated differently in the other social medias,
so they're not vulnerable to this.
It is just a design decision X made. The technical detail is in the link to
BleepingComputer. I read it and I slapped my head. It's like, oh God, no, they didn't.
Well, didn't they get rid of their entire security team?
Yeah. It's the kind of error an undergrad on their first day would make.
Because there's no adults in the room. Yeah. I mean, it's that simple.
Now, this next story is one that I dread having to talk about because it's confusing.
I thought the story I was going to be telling you was that the entire security
community thinks there has been a massive breach in AT&T and AT&T insists there hasn't been.
The development is that a few days ago, AT&T finally went, ah, yeah, it is our data.
We were hacked, but it's our data.
Now, that may be true. What may have happened is they have so many partners
that their data is probably not only in their hands.
So their data is quite likely elsewhere too. And so one of those elsewhere's
may well be where the data was leaked from.
[57:21]
But what AT&T are saying is that two weeks ago, there was a data breach,
which is depending on your choice of definition, you could wiggle it to be factually true.
But I would argue that's misleading because what happened is that two weeks
ago, the data came up for sale on the dark web.
But analysis of that data
by people like Troy Hunt and others quite clearly
shows that it's 2019 data. It's real.
It really is AT&T data. The last time it was accurate was 2019, because they've
basically been contacting people on the list and going, when was the last time
this was your home address? When was the last time? And if you do that with enough
people you end up basically with a time span. Actually, I moved house in 2020,
so it must be before 2020. Oh well, I moved house in, you know, whatever, right?
You zone in on it pretty quickly if you ask enough people to verify the data.
So they've zoned into it being about 2019 data.
It also seems pretty clear that the data set of exactly the same size purporting
to be AT&T customer data that was offered for sale in 2021 on the dark web is
probably this same data set.
And at the time, AT&T insisted they hadn't been hacked and the data was fake.
[58:33]
Do you think that's, does that smell like, this is just idle speculation,
but is it incompetence or malice or, you know, subterfuge on the part of AT&T?
I think it's a case that we don't know we were hacked.
Therefore we're just going to do the easy thing and say, well,
we have no evidence we were hacked. It's just a default deny.
Our default attitude is to deny everything always.
I think it's the lawyers running the place would be
my interpretation, just a guess.
Of course. So a lot of the data is
of former customers, because it's probably 2019 data. That's five years ago now.
So we, as the community, the security community, understand it, there are 7.6 million
records of current AT&T customers in the breach, 73 million records in the breach in total.
And those 7.6 million current customers also seem to have lost their passcodes,
which may or may not mean that actually there's been a second breach.
Maybe the data in the first breach was used to do some sort of more recent attack.
And maybe one data breach has led to a second iteration of the same data breach.
And now we have these passcodes because either way, AT&T has reset 7.6 million passcodes.
[59:59]
So AT&T also say they're going to contact everyone who was affected.
And if your passcode was reset, well, you must know, because if you try to log in, you won't be able to.
And I imagine when they reset your passcode, they would have sent you an email
saying, hey, we've reset your passcode.
So I think those 7.6 million people should know. No, I think. Best to tell.
Well, the only data point we have that we know for a fact in that is that I
am an AT&T customer and I did not get a passcode reset email and I was able
to log in with my passcode today.
Would your advice be change your password anyway? Yeah.
Yeah. I think there's so much going on and so little communication.
They're grudgingly admitting to the least possible they can get away with.
So I would say let's- So there's probably other shoes to drop.
Yeah, I think there's shoes hanging over our heads here. So yeah,
if I were you, I think that seems like a solid approach.
Yeah, I know what I could do, Bart. I could use the new beta.xkpasswd.net to
generate a new password that's long, strong, secure, memorable, and typable.
Thanks to Helma and others for putting that together. Yeah.
[1:01:13]
It's so easy. You open it up, you click the generate button,
and you go, there's a big password. You shove it into one password, boom, done.
Easy peasy. Yes, indeedy. I've been having so much fun because it's my favorite.
Strangely enough, it's a password generator I use all the time, but I'm having the
experience, the community has completely run with this, that I go to the
website that hypothetically is my website and I go, oh cool, that feature is implemented now.
[1:01:42]
Well, this is the best case of Bart, you
know, taught people to fish, and then he's just sitting back eating the fish. He's
just like, I don't have to cook anymore. The, uh, the thing I, one of the, the things
I enjoy is because of contributions by Dorothy McClurker basically saying,
I want it to work this way.
And me saying, no, I want it to work that way between Mike Price and I think
it was mostly Mike Price generated a way that I can copy the way I want to,
and she can copy the way she wants to.
It's just beautiful. It's, it's a wonderful thing.
Dorothy's wrong. My way's right, but we're both allowed to have it,
have what we want. And it's not clumsy at all.
I'm actually, I think you're both right, because there are times I want a bunch
of passwords and there are times I want one.
And so when I want a bunch of them, I want it Dorothy's way.
And when I just want one, I want it your way. But why choose?
[1:02:37]
Yep. It works. It works great. It's a beautiful thing.
Yes. So anyway, the story that would have been the story had we not had an actual
admission from AT&T is Troy Hunt's description of the work he did to verify the data is correct.
[1:02:54]
So that is now in the show notes as related use.
I think it's interesting to see how Troy Hunt does his work.
How does stuff that gets into Have I Been Pwned get validated?
How do we know it's not just a bunch of hooey?
So I always think it's fun to read his description of the work that gets put
into, you know, figuring out if it's true before stuff gets added into Have I Been Pwned.
Let me peek under the covers. Yeah. Yeah.
Well, we're in the section called Worthy Warnings. So cybercrime is a thing.
There's money being made. And there is a new product for sale.
That product is a malware as a service or sort of phishing as a service targeting
fake Microsoft 365 and Gmail login pages.
So it doesn't really matter who your cloud provider is, if it's Microsoft or
Google, baddies can buy fake login pages to phish you.
And unless you're using passkeys, this will get by multi-factor authentication
because it's a real-time proxy.
So if it's multi-factor where you have to type in a code, they're yoinking the code in real time.
So they're getting to be you for the length of time your session lasts.
So they don't get to be you forever.
They get to be you for the length of time you can stay logged in.
They're stealing a session, not your account, but I don't want anyone with a session
[1:04:19]
for any amount of time. So when you're on a Google login page, look at the URL. When
you're on a Microsoft login page, look at the URL. If that URL is not login.microsoft.com
or google.com forward slash login, I think it's a Google one, if you're not on
the Microsoft or the Google domain,
stop, run away. That's not
the real login page. And again,
if we combine this story with the Twitter story, you see why the
Twitter story terrifies me so much. Oh yeah, yeah.
Another thing I
regret to have to tell you, because I wanted to be able to triage this story
out of existence, but I don't think I can. I think it's fair to say that many
of our NosillaCast listeners may occasionally visit a hotel, and you may be
laboring under the false assumption that the lock on your hotel room door has a meaning,
that it provides some form of security.
I think you should remove that assumption from your brain.
In 2022, a major flaw was discovered and responsibly disclosed to the vendors
of one of the most common types of smart card locks used in hotels around the world.
[1:05:31]
And now, in March 2024, about to be April 2024, the patch rate is 30%-ish.
About a third of hotels have bothered to
upgrade their hardware, so two-thirds of affected hotels
are still running the trivial-to-clone smart cards. It's basically,
when you read about how easy it is for someone to clone a
card, it's terrifying. So don't leave any valuables in your hotel room. Just assume
your hotel room door is broken. You know, that's really disappointing,
since it's like 30% of the time that my smart card doesn't work to open my door
at a hotel and I have to go back and have them clone it, make a new one.
Maybe I should just download this, uh, this, uh, Unsaflok thing and do it myself.
Yeah. You might have an easier time hacking your own room and getting a key
card to actually work. Yeah. That is ironic.
[1:06:30]
And I, in addition to the possibility that people who listen to this show go
to hotels, the chances that you bring tech gear with you that's worth a lot of money is fairly high.
[1:06:42]
That's a really good point. Yeah, we don't just go to places.
We go to places with cool stuff. So yeah, keep in your backpack.
[1:06:49]
And then finally, I keep on telling people that when your home router is unpatchable,
there's only one place it should be. It's called the recycle bin.
As in, you know, off to electronic waste recycling with it because it is not safe.
To prove my point, a new piece of malware called TheMoon,
which is an interesting name, succeeded in infecting
6,000 ASUS routers in 72 hours
to spin up a new botnet, which they were using to power
a proxy as a service on sale
to malicious types, which gives
me an excuse to talk about one of the other ways in which the cybercrime industry
makes money. So as well as being able to buy phishing as a service to get into
Google accounts, you can also buy a malicious proxy service, where what you're
buying is the ability to send your malicious traffic through random people's
home internet connection.
So it's really hard to block a denial of service attack when it's coming from
random people's AT&T connection or random people's Verizon connection or random
people's Vodafone connection if you're in the UK or whatever.
And this relies on having hacked software and hardware in random people's houses.
And then you buy access to this hacked software or hardware and you route your
malicious traffic through the hacked traffic.
So that's what these 6,000 routers were doing.
They were being the front end to a crimeware system for routing your malicious
traffic through people's houses.
[1:08:18]
Similarly, there was a free VPN app on Google Play that was turning your Android
phone into one of these proxy services because, hey, free VPN,
what could possibly go wrong? Let me list the ways.
Don't ever get a free VPN. It costs money to route traffic. Traffic is expensive.
Bandwidth is expensive. A free VPN, there's a catch. It could be a different
catch. It could be your privacy. It could be your security.
A free VPN, there is a catch. Just don't.
Right. Moving on to notable news.
And I need to, you say this every time, so I'm just going to say it anyway.
This is not a bad news story. It is very tempting for people to spin the Pwn2Own
competition as a bad news story. Oh my God, all of these big things were hacked.
That's not the correct interpretation at all. A bunch of ethical security researchers
were paid millions of dollars to, well, a million and a little bit dollars and a Tesla Model 3.
[1:09:23]
To responsibly disclose vulnerabilities to vendors who now have 90 days to fix their stuff.
This is a really good way to incentivize the goodies to out-compete the baddies.
All of these vulnerabilities would have been found eventually.
The question is, would they have been found by cybercriminals or by the good guys or the goodies?
Sorry, I don't want to gender that, because why assume only guys can
fix these things? So the goodies. So this is
fantastic, and this is a great success. So the
winner managed to earn,
in this case it is himself, Manfred, pretty
sure that's a boy's name, um, $202,500
for hacking Safari, Chrome
and Edge. And since that
happened, Firefox was patched. That
was how Firefox got hacked, by someone else. And Chrome
have already been patched. The 90 days are, like, we're like
five days in or something, but those two are already
patched. So this stuff works. Uh, the Tesla was hacked on day one, but again, that's
a good news story, because that's been responsibly disclosed, so now Tesla have
90 days to fix it before it gets released to the public. Also fixed, or
on the way to being fixed, shall we say: Windows 11, Ubuntu, VMware,
VirtualBox and Firefox. So yay.
I noticed you didn't say Safari was patched though.
[1:10:50]
Not yet, but, you know, the 90 days are young. Sure.
[1:10:57]
So that's that, you know, that's a good news story. Masquerading as a bad news
story. And then we just have a bad news story.
So I remember us talking about something called Onavo quite a few years ago.
So I was like, yeah, what's the news here?
Why is this? Why is this being talked about again? We already knew that Facebook
had this fake VPN product.
Like they were paying teenagers to use, so that they could spy on what the
teenagers were doing, and they were using that to figure out
who to buy. Basically, of all the different
possible apps we could buy to not have to compete on our
merit, who should we buy? And that's how they ended
up buying, was it WhatsApp? I think, the outcome of all
of this, right. And I thought we knew everything, but there's a court case ongoing,
because there's a bit of an antitrust issue, and we have now got some documents
in that court case, and it turns out we now know that it's as bad as we all suspected,
and we have the quotes to prove it.
So I don't think, I didn't think this was happening, but I am galled at how blatant this is.
So if you're wondering, oh, maybe this wasn't their motivation, maybe they weren't
trying to be anti-competitive, we now have it in Mark Zuckerberg's own words.
[1:12:09]
Whenever someone asks a question about Snapchat the answer is usually that because
their traffic is encrypted, we have no analytics about them.
Given how quickly they're growing, it seems important to figure out a new way
to get reliable analytics about them.
Perhaps we need to do panels or write custom software. You should figure out how to do this.
[1:12:28]
That's, that's in order to be anti-competitive. Just, okay.
And in case Mark was
just innocent, his head of
security wrote an email with his opinion on
the matter. I can think of a
good argument, I can't think, sorry, negative,
I can't think of a good argument for why this is okay. No
security person is ever comfortable with this, no
matter what consent we get from the general public. The general public
just doesn't understand how this stuff works. Yes, yes,
yes, yes. You cannot in small print somewhere say, is
it okay to install a fake VPN that decrypts
everything before the HTTPS bit kicks in? Because they
didn't break encryption. They snuck in before
the encryption, and so they basically stole the
data on device before it got wrapped in the
HTTPS wrapper. And one of their small things,
so it was called Project Ghostbusters, because obviously the
Snapchat icon is a ghost, hence Project Ghostbusters.
Right, just in case it wasn't clear from Mark's quote
what was going on, we also know that they did it
against Amazon and YouTube as well. So they were, they were basically stealing,
pre-encryption, people's traffic to Amazon, YouTube and WhatsApp, or not WhatsApp,
sorry, yeah, Snapchat, to spy, to figure out how popular these services were and
how to be anti-competitive and stop them from becoming as popular as they would otherwise.
[1:13:54]
It's just sick all the way down. Like I say, I already knew Onavo was slimeware of the worst order.
[1:14:02]
But it was revealing. The way Facebook used Onavo was even slimier.
Yeah. So I thought I already knew how slimy this was. But no,
no, it's worse than I thought.
I remember I sent you the article and you said, didn't we already know this
from a few years ago? Not in writing.
Yeah, the more I read, the more I said, yes, yes, yes.
[1:14:29]
I am very sad to report that Mozilla's latest attempt to get a little bit more
solidity under their financing has backfired spectacularly.
So they've had a VPN product for a while, and that was kind of an interesting
idea that, well, we market ourselves as a safe-to-use browser,
so how can we give a value add?
Why don't we do more security tools? And so they started doing a VPN,
and I'm happy to say that I'm not about to tell you something awful about the Firefox VPN.
But that same logic led Mozilla to release a new product where they offered
a service where you could pay Mozilla to have your details removed from those
sort of grayware websites where you can buy intelligence on people.
But they all have to offer an opt-out page because otherwise they're illegal.
Then they go from being gray to black.
And it turns out that the partner they chose was someone of very dubious Eastern
European origin who was proven by Brian Krebs to be playing both sides of the field.
The same person runs services that steal people's privacy and sell the information
and sell the right to pay him to remove the information from the other websites he runs.
And they're the partners Mozilla chose. And I'm sorry to say that even the tiniest
bit of due diligence should have revealed that.
[1:15:54]
I don't know if it was naivete or desperation, but it shouldn't have happened
that Mozilla do not look good out of this.
And that makes me stupendously sad because I want a non-Chromium web rendering
engine to be successful.
[1:16:13]
And there's two web rendering engines left standing. There's Chromium used for
almost everything, and Firefox.
I really want Firefox to do well, and this made me very sad.
Yeah. Yeah. I mean, we don't know that they did anything bad with that,
or we do know they did something bad with that.
Well, they paid someone who makes their living by breaching people's privacy.
So they helped to temporarily... Is it BlackEye?
It's BlackEye. It's not... Okay. It's just, it may end up making it more difficult
for them to launch other security products. Because people have lost faith.
Yeah, and that's kind of the area that they have the best chance of getting
some good independent finances that is not the Google search money.
That's kind of what's keeping Mozilla afloat is the Google search money,
and that's uncomfortable. Yeah.
[1:17:08]
So, yeah, I was just sad. I was just sad, really.
Another thing I just want to advise people against, Telegram are offering a
way to get free premium service, which sounds cool.
But it's not free because nothing's ever really free.
So the exchange is not your privacy. The exchange is use of your cell phone number.
If you sign up for the service, you get free premium Telegram in exchange for
Telegram routing the SMS messages for other people's two-factor auth through your cell phone.
What? So you pay the SMS bill. Yeah, you pay your carrier to send SMSs on behalf
of Telegram to random people you don't know, and they will see your cell phone
number because you sent them the SMS code.
It's like, let me count. Well, I think it's to people. Not a good idea.
Just one little correction.
It's just as horrible as you said, but it's not to random people you don't know.
No, it's to friends' email addresses you give them, right?
Or no? No, no, no, no, no, no, no. You become a service provider.
[1:18:11]
You become a service provider. Yeah. So they use you to send their SMS messages.
They're currently paying someone to send.
Wow. No, it's too good to be true. It's not free Telegram premium.
It's a terrible idea. Don't do it.
Yeah. Okay. That's terrible. The second last major news story has a fire extinguisher again.
[1:18:35]
Apart from Spectre and Meltdown, our other eternal friend is Rowhammer.
Oh, yeah, yeah. Good friend, old Rowhammer. The technique for flipping bits in
memory by writing adjacent memory over and over and over and over and over again.
And the electromagnetism basically leaks into the memory between the two rows
you're hammering and you get the changed data in a piece of memory you should have no access to.
This immediately falls into the, if your computer is already hacked,
then the attackers can category, which we already know.
If you're a cloud provider running a service where 500 people share a computer, that's bad.
If you're a home user, the only person on your computer is you,
unless you're completely hacked, in which case you have a much,
much bigger problem than Rowhammer. You're already completely hacked.
So for home users, this is a complete fire extinguisher, for sure.
But even for people running data centers, there are far more updates on the
way, and it's a spectacularly difficult attack to pull off.
The only thing that's changed here is that everyone thought that AMD's architecture
was immune because they had put in mitigations against Rowhammer.
And the smart people in the University of Zurich have discovered that if you
do it very cleverly, you can actually do it on Zen architecture from AMD.
So they called theirs Zenhammer.
So if you heard something about Zenhammer, that's what it is.
[1:19:59]
Even Bleeping Computer, who tends to err on the side of telling everyone to
do everything you can possibly do to protect yourself.
No, I'm making that sound negative and I shouldn't. Their audience tends to
be sysadmin, so they would tend to be giving warnings to the people who run
servers for other people. And even they say not to stress about this one.
Okay, good. So really don't stress about this one. And then the last story
we have is one of those ones where it's like, okay, good.
[1:20:30]
Because cyber war is a thing, and our world is a bit topsy-turvy.
So it makes me happy that the EPA have formed a task force to protect water
systems from cyber attacks.
Water is important. It needs to be protected from being full of Chinese and
Russian malware. So, good.
And that then brings us on to a nice little tip. So Cult of Mac did a nice little
rundown of all Safari's privacy features with advice for how to,
as they put it, crank up Safari's privacy to the max.
[1:21:05]
So Safari features just keep appearing and a lot of them don't default to on
because that would change things.
So I don't know about you, but I don't go into the Safari settings all the time.
So every now and then I read one of these articles and it reminds me,
oh, I haven't poked around in Safari settings in years.
What's in here? And so this is my little reminder to everyone to have a little
poke in Safari settings and see if maybe you want to toggle a few more things to on.
Because Safari is pretty good about protecting you, but you do need to toggle something on.
In the excellent explainers universe, I talk a lot about the fact that cybercrime is business.
You need to think of it as an economy. And Bleeping
Computer have an excellent article that explains
the economy: who it is, what
they're doing, how money is made. So basically, how does the
money move that is powering the malware we all
have to worry about? And that really helps you understand what's going on. So
if you want a good understanding, I highly recommend the linked article from
Bleeping Computer. Uh, it's a, it's a sponsored article, but it's one of these
sponsored articles that's good. So a lot of sponsored articles on Bleeping
Computer are terrible, because they're just a sales pitch from start to finish.
This is a really intelligent person who happens to work for a company who wrote
an amazing article with one paragraph at the end that says, by the way,
we write a product that helps with this.
But the whole article is fantastic. And just know that in the last paragraph
was a sales pitch for something of no value to a home user.
[1:22:34]
Enjoy. Okay, um, and I
have three palate cleansers. Um, I didn't get one from you,
Allison, unless I forgot, which also happens sometimes.
You send me stuff on Telegram and I'm like, oh yeah, listen, I'll put that
in the show notes, and then I forget. I don't think I did. So if you have been
wondering, how do I make an app for the Mac, maybe I should get into that, is now
a good time to start learning that skill? Well, Apple have just released a bunch
of new tutorials, I guess in preparation for WWDC.
So if you've been thinking and humming and hawing, why not check out Apple's new tutorials?
They walk you through it from soup to nuts, how to install Xcode,
and take you from there. So some people may enjoy that.
Yeah. With all of the talk of the Digital Markets Act and fines against Apple
over Spotify and all of this European stuff, a name you've probably heard over
and over and over again is Margrethe Vestager.
[1:23:30]
Or Vestager, which I believe is the correct pronunciation. If you're wondering what
the human being sounds like behind all of those headlines, Cara Swisher did
a fantastic interview with Margrethe Vestager, who's coming near the end of her term.
And I don't agree with her on everything, but she is an extremely eloquent person.
And I really, Cara doesn't, you know, Cara asked the important questions. She's not shy.
She doesn't feel like, oh, I must ask softball questions and the poor guest
might be cranky with me. Cara just asked the question. So it's a wonderfully open interview.
And Margrethe Vestager is Scandinavian, so she has that Scandinavian thing of,
don't sugarcoat things, just tell me what you think and I'll do the same.
And so having two frank people have a frank discussion is very enjoyable.
And it will make sense.
[1:24:18]
Is she a regulator, or just, like,
just a tech person? Who is she? No, she
is one of the European Commission's commissioners. So
she would be in the part of government that is a political appointee in the
American system. So, you know, the way the person who heads up NASA is appointed
by the president, right? They're not elected, but they are political-ish. So she
is appointed by politicians. Competitions.
I'm confused by the text of what you wrote. You said she's a lead tech regular.
Do you really mean she was a regulator?
[1:24:52]
Yes, I do. That was an auto-correct that went terribly wrong.
Yeah, yeah. No, that's fine.
I was just trying to go like, she's just like one of those people in the know,
but no, she's a regulator. Got it.
She's a regulator, but she is also one of those people in the know and you've
probably regularly seen her.
But anyway, and very
different for an interview, um, there's a podcast one of
our NosillaCastaways recommended to me many,
many, many years ago called The Changelog. It's very
nerdy, um, it's a bunch of JavaScript developers who
talk. For you, just talk, they just get together
once a week and talk. You sort of feel like you're sitting in on a conversation
down the pub or something. And sometimes their guest is someone I care about,
and sometimes it isn't. So I, I dip my toe in every now and then, but there are
often people who have a big impact on the stuff I care about,
but who I would never have known as a human being.
So, iFixit. They're always coming up in our headlines, right?
They're very big proponents for the right to repair.
And they love stripping apart every new Apple product before you even had the
chance to buy one to use it. They've already destroyed one and taken pictures.
Yeah, they've been known to fly to New Zealand to get it before,
like the first, when the thing drops.
Right, yeah, because they beat the time zone like it's New Year's Eve, yeah.
[1:26:13]
So, iFixit was set up by a guy. Well,
That was the guest on the changelog. It's an hour to two hour conversation with the iFixit guy.
His passion, it's just a really fun conversation.
And given how often I see that iFixit name, I thought, oh, I'll have to listen
to this. I did. I thoroughly enjoyed it.
I still don't agree with him on where the balance lies between right to repair and right to secure.
[1:26:41]
He is of the opinion that all parts pairing should be illegal.
And I'm of the opinion that most parts pairing should be illegal,
but stuff like the face ID sensor, the touch ID sensor, that should be not only
not illegal, but maybe it should be mandatory that it warn you if that's not legitimate.
But I agree with him on 90% and it was a really fun interview.
That sounds really interesting. I know a lot of people are big fans of iFixit.
Yeah, exactly. So anyway, that's it. That is my three palate cleansers.
But of course, the summary version of our entire conversation is always the same.
Remember, folks, stay patched so you stay secure.
Well, that's going to wind us up for this week. Did you know you can email me
at allison at podfeet.com anytime you like.
If you have a question or a suggestion, just send it on over.
Remember, everything good starts with podfeet.com. You can follow me on Mastodon
by going to podfeet.com slash Mastodon.
If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube.
If you want to join in the conversation, you can join our Slack community at
podfeet.com slash slack, where you can talk to me and all of the other lovely Nosilla castaways.
You can also support the show, did I mention that, at podfeet.com slash patreon,
or with a one-time donation at podfeet.com slash paypal.
And if you want to join in the fun of the live show, don't look for it on April
7th, because there is no live show on April 7th.
Instead, you'll have to wait till April 14th to head on over to podfeet.com
slash live on Sunday nights.
[1:28:06]
Music.