NC_2024_05_26
Discussed AI's energy impact, climate change, M4 iPad Pro upgrades, security, cybersecurity, Google and Microsoft conference insights, LastPass, Zoom encryption updates.
Automatic Shownotes
Chapters
NC_2024_05_26
Allison on Daily Tech News Show 4777
Let’s Talk Photography - Bart & Jill from the Northwoods
CCATP #794 Bart Busschots on PBS 166 of X — jq: Processing Arrays & Dictionaries sans Explosion
Macstock 2024
A Pencil with a Gyroscope Inside and More Fun with M4 iPad Pro and Magic Keyboard
CES 2024: j5create Docks for Mobile Phones
Support the Show
Security Bits — 2024 May 26
Long Summary
I had the pleasure of joining the Daily Tech News show where we delved deep into the energy impact of AI, exploring nuances of data collection and ways to mitigate effects on climate change. For further insights, I recommend checking out episode DTNS 4777, Sustainable AI Computing. Shifting gears, Bart and Jill had an engaging conversation on Let's Talk Photography about nature exploration. Bart also shared valuable insights on new array processing methods in Programming by Stealth. On the tech front, the new M4 iPad Pro stands out with impressive hardware upgrades, such as the OLED display and enhanced battery life, though some may find the changes subtle compared to previous models. The Magic Keyboard for iPad Pro offers a premium typing experience with added functions and improved design, although its high price may give budget-conscious buyers pause. The Apple Pencil Pro introduces exciting features like additional gestures and enhanced precision, leveraging gyroscope technology for innovative interactions.
Reflecting on childhood memories, I shared how playing with a bicycle wheel introduced me to gyroscopic effects and how they relate to the Apple Pencil Pro, enhancing software interpretation of actions. I marveled at the shadow feature of the Apple Pencil Pro and shared the experience of using Find My to locate a misplaced pencil. Transitioning to J5 Create products, I highlighted docking stations and hubs for iPhones, showcasing devices that offer expansion and connectivity options. We also discussed the Thunderbolt 5 dock and wrapped up by acknowledging sponsored shows, encouraging support through donations. In Security Bits with Bart, we covered Google's battle against malicious ads, cross-platform anti-stalking warnings, and updated breach notification regulations. Debunking myths about Apple photos being stealthily uploaded to iCloud, we discussed iOS photo storage and management practices.
Exploring the discovery of low-resolution copies during a photo restoration process, we emphasized iOS devices' full disk encryption for robust data security, even after a device wipe. Our conversation delved into Apple and Google's location services, underscoring Apple's on-device data processing commitment for heightened privacy. We highlighted researchers' insights into building databases using MAC addresses for statistical purposes, noting their limited impact on individuals. Addressing security vulnerabilities in Chrome, Apple, and Microsoft software, we underscored the importance of timely updates. Concerns about D-Link routers prompted us to recommend applying workarounds due to unaddressed vulnerabilities, illustrating the delicate balance between technology, data privacy, and security.
In this episode, we examined cybersecurity topics, clarifying terms like "innocuous" and "nocuous." We discussed security vulnerabilities in QNAP NAS devices and emphasized secure access methods. Stressing the importance of keeping Firefox updated for recent bug fixes, we touched on data breaches and the rising trend of ransomware gangs utilizing social engineering tactics. Insights from Google's Code Conference on Android 15 updates and Microsoft's Build conference focusing on security enhancements, such as deprecating NTLM and VBScript, were also shared. Additionally, news on LastPass encryption updates, Zoom's post-quantum encryption, and clarifications on Slack's terms of service were discussed. Wrapping up with VMware's virtualization software being offered for free, podcast recommendations on cybersecurity stories, and a reminder to stay vigilant with software patches for enhanced security.
Brief Summary
I had a discussion on the Daily Tech News show about the energy impact of AI, focusing on data collection nuances and ways to mitigate effects on climate change. Additionally, Bart and Jill engaged in a conversation on Let's Talk Photography about nature exploration. We also discussed the new M4 iPad Pro's impressive hardware upgrades, the Magic Keyboard's premium typing experience, and the Apple Pencil Pro's innovative features. The episode delved into J5 Create products, security updates in Security Bits with Bart, and cybersecurity topics including ransomware tactics and software vulnerabilities. In closing, we highlighted insights from Google's Code Conference and Microsoft's Build conference, along with updates on LastPass encryption and Zoom's post-quantum encryption.
Tags
discussion
Daily Tech News show
energy impact
AI
data collection
climate change
Let's Talk Photography
nature exploration
M4 iPad Pro
Magic Keyboard
Apple Pencil Pro
J5 Create products
security updates
Security Bits
cybersecurity
ransomware tactics
software vulnerabilities
Google Code Conference
Microsoft Build conference
LastPass encryption
Zoom post-quantum encryption
Transcript
[0:00]
NC_2024_05_26
[0:15]
Allison on Daily Tech News Show 4777
[0:15]
Well, I had the great fun of being on the Daily Tech News show again this week with Tom Merritt, Sarah Lane, and Roger Chang. The main topic was the energy impact of AI and whether it's actually going badly or not. We get into the nuances of the way the data is being collected on this subject and what can be done to avoid adverse impact to climate change. Check out the Daily Tech News show in your podcatcher of choice and look for DTNS 4777, Sustainable AI Computing. And of course, there's a link to the episode in the show notes.
[0:45]
Let’s Talk Photography - Bart & Jill from the Northwoods
[0:45]
You know, one of my favorite things is when friends of mine get together. Bart Busschots had Jill from the Northwoods on his show, Let's Talk Photography, and it was delightful. Jill has been building her podcast empire in small steps. See what I did there? And her latest show is called Buzz, Blossom, and Squeak. This show is about getting off the couch and going outside and enjoying nature by learning about what's around you. Bart has become a huge fan of her show and has combined what she's teaching with his daily walks and his love of photography. Two of my favorite people talking about their passions is the best thing ever. To hear Bart and Jill chatting, check out Let's Talk Photography number 128 at the link in the show notes, or subscribe to Let's Talk Photography in your podcatcher of choice. And don't forget to subscribe to Buzz, Blossom, and Squeak there too.
[1:32]
CCATP #794 Bart Busschots on PBS 166 of X — jq: Processing Arrays & Dictionaries sans Explosion
[1:32]
This week's Chit Chat Across the Pond is another episode of Programming by Stealth, and in this penultimate jq episode, Bart introduces us to three new ways to process arrays and dictionaries without exploding them first. I know, that sounds crazy. We've always exploded our arrays first. He teaches us how to use the reduce operator, which lets us take an entire array or dictionary and reduce it down to one thing. The map function lets us process every element in an array or values in a dictionary and return a new array. Finally, map_values lets us apply a function against all of the values in a dictionary or an array. It was a bittersweet ending to the primary series on jq for Bart, but next time he'll do the epilogue where he'll introduce us to some rarely needed but still very useful things you can do in jq. Remember, you can always find Bart's fabulous tutorial show notes for Programming by Stealth at pbs.bartificer.net.
[2:29]
Macstock 2024
[2:30]
I'm getting super excited about Macstock for this year, and I have a special coupon to make it a little less expensive for all of the listeners. It's a little bit earlier in the year this time. It's July 12th, 13th, and 14th in Woodstock, Illinois, which is just an hour outside of Chicago. On Friday, there will be workshops this year where you can get hands-on with an instructor. I'm doing one of the workshops where I'm going to teach you as many of my Tiny Mac Tips as I can in 45 minutes. Then there are full-day sessions on Saturday and Sunday. I haven't chosen my final topic yet, but I know it's going to be fun and interesting. I like to kind of keep Mike Potter on the edge wondering what I'm going to talk about. It's going to be great. Anyway, you can get a weekend pass for $299, and if you want to attend the workshops too on Friday, that'll run you $399. But if you want to get $30 off your registration to Macstock 2024, use coupon code PODFEET, all capital letters. I'll get $30 too if you use the coupon code, so everybody wins. If you're interested in joining us, go to macstockconferenceandexpo.com to learn more and sign up. It's awesome. You should totally come.
[3:36]
A Pencil with a Gyroscope Inside and More Fun with M4 iPad Pro and Magic Keyboard
[3:37]
There's been a lot of hype around the new M4 iPad Pro just announced recently, mostly by tech pundits saying how amazing the hardware is and in their second breath telling us how disappointed they are in iPadOS. Apple made it thinner, lighter, faster, and gave us an OLED display, but that isn't enough to hold them over till at least WWDC in June. I'm not suggesting they don't have real points to make, but I for one have grown weary of the lack of celebration of this new device. So to buck the trend, let's talk about the new OLED M4 iPad Pro and the Magic Keyboard and the Apple Pencil Pro without whining about the operating system.
[4:14]
I bought the 13-inch iPad Pro, and this will make it my third of the big-girl-size iPads. I justified upgrading my M1 12.9-inch iPad Pro because my son had my original iPad Pro, and it was getting pretty long in the tooth. An important reason to have children is to be able to justify handing things down. When reviewing the myriad USB-C displays I've been testing, I told you that OLED was life-changing. OLED USB-C displays are so darn thin and light and provide such dramatically better colors and brightness than their LCD predecessors. The primary reason I bought a new iPad Pro this go-around was to get that OLED display, and for the children. When I first fired up the OLED iPad Pro, I compared it side-by-side with the M1, and I called Steve in to help me assess the difference. I hate to say this, but that darn Liquid Retina XDR display in the M1 iPad Pro is so darn good, we could barely tell the difference when comparing it to the OLED M4. Even with photos taken in HDR, there really wasn't a dramatic difference to our eyes. Now don't get me wrong, the OLED display looks great, but the previous generation's display looks so good, the difference isn't nearly as dramatic as I'd expected.
[5:29]
Now, you may be thinking to yourself, oh, Steve and Allison are really old at 66, so they probably just can't see the difference. But remember, I had cataract surgery a few years back, and I have the best vision of my life. So let's look at this as good news. If you really want to upgrade your iPad Pro and you just can't justify the cost, maybe you'll be happier knowing it's great, but not that much better than the most recent generations. Now, the hardware is fast, but I don't remember waiting for my iPads to do things, so I'm not, like, blown away by the speed of the new iPad. The battery life on the new iPad is definitely better than a three-year-old M1, so that's swell. The new iPad Pro, as I'm sure you've heard, is both thinner and lighter. I'm a big fan of the iPad Pro Magic Keyboard, and I'll get into talking about that a little bit more in a minute, and it got thinner and lighter too. I weighed both the M1 and M4 with their Magic Keyboards and their Apple Pencils. The new one was 9% lighter than the old one. That's a nice improvement, but the M4 with the keyboard and pencil weighed 2.81 pounds. As a point of comparison, the current M3 13-inch MacBook Air weighs a smidge less at 2.7 pounds. So if you've picked up a 13-inch MacBook Air, it's a little bit less than my iPad.
[6:44]
Now, having the camera on the landscape side is fantastic. It's certainly a big improvement for video calls, but it also means Face ID works so much more reliably now than ever before. I mean, like, it works every single time. I've gotten pretty good at not having my hand covering the old camera on the side, but even at that, it was awkward to get your face in the right place. Now, it never fails. One thing I'm pleased with is the heat dissipation on the new M4 iPad Pro. My previous iPad Pros used to get uncomfortably hot in the bottom right during specific applications. When I'm super bored, I sometimes open a kid's coloring book app and color farm animals and such. In the time it took me to color a single page, the palm of my hand would get super hot and uncomfortable. I tested the app with the new iPad Pro and it never got warm to the touch. So, yay!
[7:37]
I do want to talk a little bit about the Magic Keyboard for iPad Pro. My first keyboard for iPad Pro was the keyboard Folio. I loved it because it was super light and had a decent keyboard for typing. When the Magic Keyboard came out, I bought one for my 12.9-inch iPad Pro, and other than the fact that it was super heavy, I loved it. I didn't think I needed or would even use a trackpad on an iPad because, you know, you got a touchscreen right there. What do you need a trackpad for? But after using it for about a month, I tried the Folio keyboard again, and I found that I was constantly reaching for that trackpad. I also find typing on the Magic Keyboard for iPad to be delightful.
[8:17]
I know people love the keyboard folio, and many are super sad that it's no longer available for the new iPads, and I'm sad on their behalf. Here's one thought, though. I haven't been able to independently verify this, but I heard on one podcast that the weight of the new Magic Keyboard plus new iPad is the same as the old iPad weight with the folio case. So it would be just about the same. So that would take the sting out of the weight of the new keyboard. Still costs a fortune, but we'll talk about that in a minute too.
[8:45]
The first Magic Keyboard I bought for my iPad Pro was black. The second one I bought was white. You're going to think this is nutty, but the white one wore better over time than the black one. You see, the main problem with the black one is that if it gets a scratch in it, the scratch will be white. If the white one gets worn, what's underneath it is also white. I also cleaned it pretty often to keep it looking really nice. Now, the reason I bought a replacement for the black Magic Keyboard and went to the white one wasn't because of the scratches. It was because the caps key on the left side got sticky. It would depress, but it would take forever to come back up. I kept the black one in a box because I couldn't bear to get rid of it. When I gave my son the M1 iPad Pro, I offered him the choice of the black or the white keyboard. I had entirely forgotten by that time that the shift key was sticky. As soon as he tried it, he said nope, and he switched to the white one. But while I was still there, I thought, I wonder if there's a way to fix that sticky key.
[9:43]
Sure enough, I found a YouTube video entitled, How to Fix Stuck Keys on the iPad Pro Magic Keyboard. Turns out those little keycaps can be pried off with a thin blade. The shift key is a little different, but luckily he happened to demo it using the shift key. After I removed the keycap following his instructions, I didn't see anything obvious under the key, but I swiped around with a Q-tip like he suggested, and I put it back together. It's not as good as the right shift key, but it's a lot better than it was. Now Kyle still opted for the white one, but now I have a fully functional black 12.9 inch Magic Keyboard that needs a good home since it won't fit on the new M4 iPad Pro. If you know someone who might be interested, let me know.
[10:25]
Now let's move forward to the new Magic Keyboard for iPad Pro. It's really hard to say keyboard for iPad Pro. I keep wanting to say keypad. Anyway, the typing experience on this is just as great as it was with the previous generation, but now I have an escape key. I know that's an odd thing to be so excited about, but it's great for dismissing pop-up windows in applications. So far, not all apps support it yet, but enough do that I'm still really happy to have it. I'd actually remapped my control key to escape because I needed it so often. Now, they changed the way the volume keys work on the iPad Pro, and I'm very cross about it. iPads have something called dynamic volume buttons. This means that the up volume button swaps when you move between landscape and portrait. I consider that anarchy, and I always turn that feature off. That meant that no matter the orientation of my iPad, volume up was always the one closest to the corner.
[11:20]
Now, for some reason I cannot fathom, the new iPads do not allow you to turn off dynamic volume buttons. That means when my iPad is in landscape mode, the button farther away from the corner is the volume up button. After five or six years of using an iPad, it's driving me crazy that it's backwards now. I cannot get used to it. Well, the good news is that the new Magic Keyboard has a row of function keys, and it includes mute, volume up, and volume down. I'm just going to use those and ignore the built-in hardware buttons. I'm excited about the keyboard brightness controls because no matter how often I tell my Macs, iPhones, and iPads that I always want my screens at full brightness and I don't want auto dimming, the auto dimming feature just keeps turning itself back on. I've given up trying to solve this, and I just raise the brightness several times a day. Now I can do it from the keyboard. It's also got a Do Not Disturb button, which will be great. One of my favorite things about continuity amongst Apple products is how enabling Do Not Disturb on one device enables it on all of your devices, if they're on the same Wi-Fi network and logged into the same Apple ID, that is.
[12:25]
Now, I know the trackpad is bigger on the new keyboard because I remember hearing that from the announcement, but to be honest, I didn't notice the change before giving up my older iPad to my son. I guess it's because I never thought the original trackpad was too small. What is a dramatic change is that the surface around the keys and where your palms rest is a nice brushed aluminum. The palm rests on the white Magic Keyboard were a real bear to get clean, and they never really looked perfect after a while. On the black Magic Keyboard, they wore so they were shiny, and they didn't look great over time either. The aluminum should wear much better.
[13:01]
There's one thing I don't like about the aluminum, and it's that the hinge is also aluminum. It will certainly wear better, but it causes a problem when opening the keyboard. With a laptop, the screen is always much lighter than the computer itself. That means with a laptop on a tabletop, it's pretty easy to pull on the screen in the little notch for your finger and open the screen right up without moving the laptop. But with the iPad Pro, the screen is the computer, so it usually weighs more than the keyboard side. There also isn't a notch for your finger to pry it open. The way I've always opened an iPad Pro in a Magic Keyboard case is to stand it on edge on the hinge and pull the two pieces apart with my fingers and then set it down flat. That worked great with a soft vinyl cover on the hinge, but with a metal hinge, it kind of slides around on the desk or table while I'm trying to pry it open, and I'm afraid I'm going to scratch up the surface it's on too. I'm practicing alternative ways to get it open when it's on a surface without picking it up, but I haven't figured out how to do that yet, so if anybody has good advice on a strategy there, I'd like to hear about it. Now, the Magic Keyboard for the 13-inch iPad Pro will run you $350.
[14:07]
Which is a painful price. But I found something that might make it sound more reasonable. It's still not reasonable, but it sounds reasonable after this. Microsoft announced some new devices this week, including the Surface Pro Flex Keyboard. Like the Magic Keyboard for iPad, you connect the Flex Keyboard to a Surface Pro tablet, and it gives you a keyboard with a nice trackpad on your tablet. The Flex also comes with a Slim Pen 2, which from looking at the specs appears to be fairly equivalent to an Apple Pencil in capability. The price of the Flex Keyboard for Surface Pro is $450, but remember it includes that little Slim Pen 2. So if you add up the Magic Keyboard and the Apple Pencil, you're going to spend $29 more than you would if you bought the Flex Keyboard for Surface Pro, so they're pretty close in price. Maybe it doesn't help that both companies are committing highway robbery, but at least Apple isn't much worse than Microsoft. See, don't you feel better now?
[15:05]
Well, now let's talk about Apple Pencil Pro. I've had the first and second generation Apple Pencil, and I really enjoyed using them. I was bummed to have to buy a new one, since I actually have three of the second generation pencils. But since the older ones don't work on the new iPad Pro, I had no choice but to buy yet another pencil. I'm also annoyed that it looks like I need to update the diagram I created just six months ago to try to explain what pencils work with which iPads. At least this time around, Apple have done a little better job than before of diagramming it themselves. They have a webpage to buy Apple Pencil where they show the Apple Pencil Pro, Apple Pencil 2nd Generation, Apple Pencil USB-C, and Apple Pencil 1st Generation, and they show you for all the different features, they have little check marks for which pencils can do what. But that chart doesn't tell you which iPads support which pencils. To get to that information, you have to go to the iPads and click on Compare. Then you can choose up to three iPads to compare, and if you scroll down, you can see which pencils those iPads support. While you're there, you can see which keyboards each iPad supports as well.
[16:10]
I'm not promising I'll do a new diagram, but it sounds kind of fun, so don't be surprised if I do. Let's talk specifically about Apple Pencil Pro. It shares many of the important features of the second-generation Apple Pencil, like pixel-perfect precision and low latency, along with tilt and pressure sensitivity. It also supports Hover, which allows you to preview your mark before you make it. This is my first iPad that takes advantage of Hover. I know it's been out for a little while, but I find it really cool. Apple Pencil Pro even supports the clumsy gesture of the earlier Apple Pencil that allows you to double-tap the flat side of the pencil to swap your drawing tool with the eraser. I don't know if you've ever tried to use that gesture, but in my experience, I often double-tap it accidentally and don't realize until I'm suddenly erasing instead of drawing. Or I try to double-tap it and I end up triple-tapping it, and I wind up back with the tool I started with.
[17:03]
Well, Apple Pencil Pro comes with two new gestures. Apple Notes supports these gestures now, and I can't wait for all of the app developers to use the API to add them to their applications. The more useful one to me is the ability to squeeze Apple Pencil Pro, and when you feel the haptic feedback, a palette of tools in an arc appears conveniently close to where you're hovering. It doesn't show all of the tools, so you actually have to swipe in the arc with your finger to expose all of them. The second gesture is that you can roll the pencil to change the orientation of the tool. Let's say it was a flat, thin brush line. Rolling the barrel of the pencil would change the thickness from horizontal to vertical or diagonal. Now, I think it's a real miss that you can't use this barrel roll to move about the palette of tools after the haptic squeeze. The fun of exposing the tools with the pencil is erased, since you have to then tap and drag with your finger anyway. It's early days, so it's entirely possible Apple will add it to the API and allow that gesture to do a lot more than rotate a tool. I was mentioning this to Bart, and he got all excited and said, apple.com/feedback, Allison.
[18:08]
Okay, fine, I probably will. All right, let's dig into how that barrel roll gesture is created, though. It's kind of an interesting idea. When Apple announced this new gesture, they said it was accomplished using a gyroscope built into Apple Pencil. Now, my work as an engineer at an aerospace company included work using gyroscopes, so I thought it might be fun to insert a little engineering lesson here. Fun for me, at least. I'm not sure if you're going to enjoy it as much as I will. If you were ever a child at one time, you probably played with a gyroscope. Remember winding up the string around the post and then pulling it real hard so the gyroscope would spin as fast as possible? Once it was spinning, you could stand it up and it would balance as long as it was spinning quickly enough. But when it slowed down and stopped, it would fall over. You could even set it on its little pedestal at an angle while it was spinning, and it would continue to balance as long as it was spinning. This was crazy because the center of gravity was way off to the side, and it should have made it fall immediately. What appears to be a trick here is actually the preservation of angular momentum. The gyroscope actually resists any changes to that axis of rotation.
[19:14]
When you were a kid, or even an adult who likes to experiment, did you ever play with the front wheel of your bicycle? Maybe you were supposed to be changing the inner tube, so you took the wheel off the bike, but then you had your buddy spin it while you held on to the axle? What you might have noticed is that while it was spinning, it was really hard to rotate it against that spinning motion. You can actually feel the resistance when you do this. I found an article that explains the gyroscopic effects in a pretty nerdy way over at lumenlearning.com, and in that article, they actually show a woman holding a bike wheel, so it wasn't just me who played around like this. But what does all this have to do with Apple Pencil Pro and its gyroscope? Hang on a minute, I'm getting there. Since a gyroscope resists turning in the plane perpendicular to the axis of rotation, and as we talked about, you can feel that resistive force, it means you can measure that resistive force. If you can measure it, you can use that information. Inside Apple's Pencil Pro, the electronics can measure the resistive force of the gyroscope as you turn the barrel, and that tells the software what action you've taken. Isn't that cool? Maybe it is just me that thinks it's cool.
[20:21]
Speaking of the magic backed by science of Apple Pencil Pro, it has another really nifty party trick. While the previous generation iPads had Hover, where you can see where you're going to write or draw before you actually touch the iPad with Pencil, the Apple Pencil Pro with the new iPads actually shows you a shadow of the tool you've chosen. I know, this is crazy in the whole gyroscope story, isn't it? If the developer has enabled the API, when you've got a pen selected for Apple Pencil Pro, you see the shadow of a pen. If you choose the eraser, it looks like a cylindrical pencil eraser. It's so cool! But the niftiest one is the fountain pen. It's spooky, it's so cool. While keeping the Apple Pencil tip near the iPad, if you move the angle of the pencil around, the shadow kind of moves around with it. I suspect our little friend the gyro might be involved in figuring out the angle. There's got to be more to it than that. Maybe it's magic pixie dust. I don't know.
[21:18]
Well, at first, I thought the cool shadow of the actual tool chosen was just a party trick with no intrinsic value. But I started thinking about it. Have you ever gone to draw with Pencil and forgotten that you had the eraser chosen, so you actually end up removing something instead? It's not that hard to hit undo and switch tools, but what if you could see before you touch the iPad that it was an eraser instead of a paintbrush? That would alert you to the fact before making a mistake. Plus, it's a really cool party trick. Speaking of cool things about Apple Pencil Pro, it now supports Find My. That would have saved me a bunch of money a few years back when I couldn't find mine. I ended up having to pay $129 for a new one after looking for it for weeks, and then when my son-in-law came over, I offered him $20 if he could find my original one, and you know what? He found it in about 30 seconds right where I was looking in my couch cushions. Anyway, Find My with Apple Pencil Pro has a few oddities about it. I tried to find my pencil with my iPhone, and it wasn't listed amongst my devices. When I looked in Find My with my iPad Pro, it was listed. I suppose it makes sense that you'd have to have an iPad if you had a pencil, but I thought the Find My network would show it on any of my devices. That was my first clue that this isn't normal Find My going on here. The second oddity was that after I selected the pencil in Find My from the iPad, it told me it wouldn't work in landscape orientation. And it told me to rotate the iPad into portrait orientation.
[22:44]
Why the heck would that be? I don't really know.
[22:49]
Well, after you obey the instructions to rotate the iPad, you'll get a large set of concentric circles with a solid blue circle in the center. As you get closer to the Apple Pencil Pro, the solid green circle will get bigger and the words on the screen will change from saying far to near to within reach. And while you're wandering around your house looking for your pencil holding a giant iPad in portrait orientation, you won't be given any directional information. It's more like playing that kid's game where your friends would yell, hotter, hotter, hotter, colder, colder, colder, colder! Unlike Find My iPhone, iPad, or Mac, or Find My Devices with AirTags, Pencil also doesn't make a sound to help you find it in the couch cushions. All of these curious differences suggest they're not using the ultra-wideband chip used in devices like the iPhone to find Apple Pencil Pro. I found a note in a MacRumors article about Apple Pencil Pro that says that they're simply using Bluetooth, not a UWB chip. I guess it's better than no Find My at all, but I did find it kind of curious. To get out of Find My on my iPad, by the way, you simply put the pencil back on the magnetic connector and it disappears. While the pencil doesn't disappear, the whole Find My thing disappears.
[23:59]
The bottom line is I'm having a lot of fun with the new iPad Pro, and I love the new Magic Keyboard, especially with the escape key and function keys. I like that it's lighter, a bit faster, and a bit brighter. The Apple Pencil Pro has enough new fun features to make it feel really new. I hope you enjoyed learning a little bit about gyroscopes and how they let Apple give us spin control of Apple Pencil. Now, if I could figure out how it draws the shadow, I'd be satisfied.
[24:24]
CES 2024: j5create Docks for Mobile Phones
[24:24]
Well, we've really milked those CES interviews this year, and we're bringing you our very last interview from CES in January.
[24:34]
I like to stop by the J5 Create booth at CES every year because they have a lot of products for the typical Mac user, not maybe the big snazzy stuff that blows you away, the big TVs, but the stuff you can actually use. So they're known for their docks and hubs, and we're gonna talk about some of those, but they do so many products, we don't have time for them all. But Calise Van Phillips is here with me, who's gonna take us through these products. Hi, my name is Calise. I'm gonna show you around some of our newer products that are for iPhone specifically, but you can use them as well for Android or different things like that. Currently, we have some of our docking stations. We do specialize in docking stations. These ones are made specifically for your phone. So they have wireless charging built into it and they use MagSafe right on the back there. And you just plug it into the bottom so it works great with the new iPhone 15s that just came out as well as any other Androids or phones that have USB-C.
[25:28]
So I'm also going to tell you something I didn't tell you: this is also an audio only podcast. Some people are on video, but you did a great job of describing what that was. It's a pack that goes on the back. Now, that's not a battery, correct? It is not a battery, no. But it looks like a small, thin, square battery that's stuck with MagSafe on the back, plugged in through USB-C, but I tested it. It's also still MagSafe after that, so you can stick it to a mount or whatever you have. Exactly, exactly. We do have our batteries available as well, which I would suggest to check out, but we have some other products over here, which are docks too. I'm actually going to add one more thing. So when she said it was a dock, it's got USB-C on each side, and one side says 10 gigabits per second, power in, and the other side says 10 gigabits per second, power in on both sides. All right, where do we go next, Calise? So we have a few things right here. Let's say we have another option where you can put your SD card right here, because, you know, we run out of... My iPhone's out of space currently, and I have like the second biggest gigabyte. But we have this option right here, where you can actually put in a USB-C, two USB-Cs as well as one USB-A, and use your computer connected to this as well. So this is the same kind of design, it's the little square block that pops on the back with MagSafe, plugs into the USB-C. Exactly, exactly.
[26:49]
Then moving down here, we have some of our other options. You have this little pack, which is really smaller than the one that has MagSafe on the back that we talked about earlier. It has USB power in as well as SD card. This is for when you need micro SD and micro SD. Yes, this is when you need space on the go, different things like that. This is more like a keychain device that you just pop on the bottom. That is tiny. That's just like a stick of gum kind of size device. Very cute. Very cute. Okay. Moving on, we have different things like that, which also has the SD, but I'm going to reach over a little bit and show you one.
[27:26]
So this looks like a desk mount we're looking at here. Yes, so it does look like a desk mount. It's a tiny little docking station that we have specifically for your phone. We also have a version that comes for your Nintendo Switch as well. It has on one side a USB-C port as well as USB-A. On the back side you have an HDMI port as well as audio and another USB-C power in port, and then on the left side you have SD and micro SD ports, and then on the front you have your little cap that you can put over the USB-C plug that plugs directly into your phone, as well as a switch on the top that you can use. So she just popped it closed, where it was a mount originally, a stand to sit on your desk, but a full hub. That is a very, very slick design. I think that's my favorite thing so far. Yes, I love it, so we can connect anything to our devices as well as just have it sitting there so it's not in the way too. Very good. Charging your phone, doing all that. Yes, definitely.
[28:31]
That is most of our products, but I'll show you one more just to get it out there. We actually have, one second, kind of another version of the one we talked about earlier that was a very tiny one. This one you just pop on the bottom of your phone. It's about the same width as the iPhone bottom part. And then you have your micro SD, SD, as well as two USB-C plugs. So one is power in and one is USB 5 gigabits per second. Yes. Very nice. Very nice. Quite a smattering. I'm going to do what I didn't say I was going to do. You guys have the newest, I'm pointing over, what is that over there? We have the newest Thunderbolt 5 dock. We hired Intel just to make this dock, so it's one of the fastest docks that we have currently to date. It's more modern, it's future proof as well because it's backwards compatible. So let's say you have a Thunderbolt 4 at the moment, you can just upgrade to the Thunderbolt 5 dock, but it will still work with your USB Thunderbolt 4. Very good. Very good, very good. I didn't even know Thunderbolt 5 was out. Look at me. Thank you so much. So if people wanted to find J5 Create, where would they go? I would suggest going to J5Create.com as well as your major retailers such as Walmart, Best Buy, Staples, etc. And by the way, I'm looking at boom arms for displays. I can see keyboards. There's lots and lots of docks. There's cameras.
[29:56]
You basically only need to shop at J5 Create is what I'm thinking. Basically, anything that makes your work life easier at home or in the office. Very good. Thank you very much.
[30:07]
Support the Show
[30:07]
I was listening to Bodie Grimm and Rob Dunwood's new podcast, Beyond the Post, and they were talking about different ways podcasters can make money. One way they talked about was sponsored shows. This is where someone pays you to say something or blog something. Now, I've probably never mentioned to you that I get requests for this all the time. Here's an example I got just this week entitled "sponsored post for your blog." This person wrote, "I'm reaching out because I would like to provide a quality post on your site and I had some ideas. I think your audience would positively love it. I'm reaching out to see if you'd be interested in featuring a sponsored post. I believe I can add value to your audience and I think it would resonate with your readers for sure. Our content is always unique, relevant, informative, and interesting." Wow, doesn't that sound like something I should do? No, that would be dreadful. I never say yes to these requests or even respond to them. I could make money that way to offset the cost of creating these shows for you. But instead, I choose to rely on your generosity in donating to the show via Patreon and PayPal. If you can afford to do it, please go to podfeet.com/patreon or podfeet.com/paypal and help support the show.
[31:17]
Security Bits — 2024 May 26
[31:18]
Music.
[31:26]
Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. What doom and gloom do we have this week, Bart? You mean other than the weather? Poor Bart. Yeah, we got some thunderstorms here. There's a giant big red exclamation point in my weather app. Something about severe weather alert thunderstorms. Yeah, yeah, I see why. I see why. For the first time ever, I may have beat Bart on bad weather, but we didn't do it from California. We were in Houston visiting Kyle and his kids, and we drove into what turned out to be a tornado. So, I mean, tornadoing, but it was 54 miles per hour and rain like we've never seen driving on the freeway. But people in Texas know how to drive in rain. They immediately all slowed down, stayed the same distance apart because if you couldn't see the taillights of the person in front of you, you had no idea where the road was. And they all put their blinkers on. Their flashers. Their, what do you call it? Their emergency flashers. You know, the thing that blinks your lights on and off. And that worked really well. And that's why we're alive today. But 200,000 people were without power because of that tornado hitting Houston.
[32:34]
Yowza. Yeah, you know, my warning was only about thunderstorms. We don't, you know, yeah, I won't complain too much. I was also not on a bicycle. That is also a fair point. But yes, it's, yeah, anyway, I had a shower, but I'd like another one because the one I got contained a lot of grit and stuff thrown up from the road. Yeah. All right, now that this weekend weather competition is complete, let's kick in. Yes, so some follow-ups first. I continue to warn that Google are continuing to lose the battle with malicious ads. This didn't used to be true, but for the last at least six months, it feels like every two weeks there's another story of someone succeeding in getting malicious Google ads. What struck me this time is that they're tuning in to the news. So it's a big deal that the Arc browser is finally getting ready to launch its Windows version, and so there are now malicious ads hawking a trojanized version of the Arc browser for Windows. And it was news not too long ago that there was a major security vulnerability in PuTTY and in its variants like WinSCP, which uses the PuTTY engine as its brain. And there are ransomware gangs using fake ads for PuTTY and WinSCP to try to trick people trying to do the secure thing and fix their Windows SFTP and SSH clients.
[34:00]
So be careful on the Googles. Jeez. Yeah. We mentioned before that Google had beaten Apple to the punch in getting cross-platform anti-stalking warnings working on Android. As of iOS 17.5, that is now symmetrical. So if someone plants a Google-y tag near you and you have your iPhone with you, your iPhone will warn you about the Google-y tag. And of course, it will warn you about an Apple-y tag, and vice versa is true now already on Android. So Android will warn you if a tracker is following you that shouldn't be. So basically, you're safer. It means that we now have lots more devices doing the reporting for us. No, I found no evidence whatsoever. I looked really hard to be able to tell you that was true, and I found Apple don't claim that's true in their press release and no reporting claims it's true.
[34:58]
Well, how do the iPhones know that the tracker is there then? If they're not beaconing their existence and all that? Well, but they don't have to beacon back to the appropriate reporting authority to be able to tell you that there is something following you. Okay. Okay. Got you. All right. Well, thanks for following up on that before. I usually try to trick you up with a question you don't know the answer to and make you feel silly on a podcast, but you beat me. You knew I was going to ask that one. I did know you were going to ask. And also, I want this to be true. I want it to be the case that it's cross-platform good, you know, cross-platform feature as well as protection. Obviously, protection is more important, but I'd like both, please. But so far, I can find no evidence that we have both. And then another little follow-up. We spoke a few months ago that the Securities and Exchange Commission in the United States had put out a proposal that they were, it was in the comment period, that they would like to make it so that financial organizations have a stricter rule on breach notifications when they have a data breach. Specifically that they would have to report within 30 days instead of I think it was 90 days before. That has now gone into effect. So the public comment period is over and that is now a rule. So if your bank messes up, they now have 30 days to tell the Securities and Exchange Commission they have leaked a bunch of data. Okay, but WISE can still take like nine months to tell you, right?
[36:22]
Not after doing... They'd have to do it 30 days. Financial institutions. So if Wyse is doing finance-y stuff and if they're regulated, they would still fall under it. Yeah, but they're not a finance company. They're a webcam company. Oh, sorry. I was thinking Wyse Transfer. Oh, W-I-S-E. Yeah, no, I was making a snarky comment about W-Y-Z-E's poor track record in security. I was too concerned about getting paid cross-country without problems.
[36:51]
Which is where WISE comes in. We have two deep dives. Let's get the easy one out of the way, I guess. A little fire extinguisher on this one. So you may or may not have come across some Sturm und Drang on the internet about how photos were reappearing for people on their iOS devices. And there was some extrapolation based on one anecdote, which was deleted by the original poster, which ended up being conflated into evidence that Apple were secretly uploading all of your photos to iCloud against your permission. So let's just nip all that in the bud.
[37:29]
Nothing... No one's photographs went to anyone who was not them. The only thing that happened is that at some point in the past there was a bug in iOS that, when you deleted a photo... Excuse me, I managed to get something caught in my throat. That's most annoying. At some point in the past there was a bug in an older version of iOS that left some debris behind when you deleted a photo, and the iOS 17.5 update obviously needed to rebuild the photos library, because maybe there's extra features or something in iOS 17.5, and when re-scanning your drive and rebuilding the index it found the debris and, I guess, failed safe: like, there is a corrupted entry here, should I ignore it or should I recover as much as I can? And the developers went for, well, let's recover as much as I can, which had the effect of bringing back photos people thought were deleted, frightening people quite a lot, and then a whole bunch of hearsay getting very out of hand very quickly.
[38:35]
So, at the root of all of this is the fact that your photos library is kind of a game of two halves. There is a folder on your iPhone or whatever that has the photos in it that are in your photo library. And there's a database file of some sort that has all the metadata. And those two should be in sync with each other. There should be an entry in the database for every file in the file system. And there may actually be multiple files in the file system, because you could have different sizes of the image cached depending on which device you're on and so forth. But basically those two got out of sync. So basically, when you delete a photo, it's supposed to go into a 30-day grace period where it's recoverable, which means it's still on your device, it's still on your file system, but the record in the database is marked as "I was deleted on this date," and so it vanishes from the view, but it isn't really gone. And then in theory, 30 days later, some sort of a cleanup task is supposed to come along and clean the database and the file system up. But at some point in the past, probably a long time ago, because this only seems to affect very old photographs, there was a bug in an old version of iOS and you ended up with that not working. So which wasn't happening? The photo wasn't getting really deleted or, well, the database must have been working, but the photo was still there.
[40:01]
Well, it looks like the primary photo wasn't there because the version being restored seems to be low-resolution copies from what I've been reading online. So it's like a thumbnail or something? So it's like a thumbnail or something got left behind, which then got reconstituted because, well, I found a bit. So what do I do with this bit? Well, I'll just rebuild it then as best as I can because that seems like the best way to fail.
[40:23]
But this is still not a good story. This is still bad. No, it's still bad, but the important thing... It's not as bad as it could have been. It's a long, long way from as bad as it could have been, because all iOS devices have full disk encryption and none of that was broken in any way, shape, size, or form. So if you wiped your device and gave it to a friend, you're absolutely fine. None of this has anything to do with iCloud. So the broken photo wasn't being synced up to iCloud. It wasn't sitting in the cloud. The only way it sort of kind of went to the cloud was that that folder is backed up in iCloud backup, which is encrypted, so there was an encrypted copy sitting in the cloud, and if you changed device your detritus came with you, because the detritus was backed up and restored. But it was encrypted when it wasn't on your device, so it was never really... If your phone was seized by police enforcement, for example, and they had a subpoena to get inside or something like that, there would be data there that you had intentionally deleted. Yes, that is the edge case. If they were to have done a forensic enough scan of the file system to find it, then they could have found it. And of course, in that scenario, they could also hypothetically undelete a file, because even if they have your password to get into the device at all.
[41:45]
Then they could... I mean, when you delete a file it's not really deleted, you just delete the reference to it in the file system table, so you can actually undelete files if you can decrypt the drive, so forensics tools. Even after 30 days? Absolutely, because after 30 days it's just deleted on the file system, but once... Oh, I didn't know that. I mean, it takes more work. It's way more difficult to do an undelete, because you're scanning the file system looking for file fragments and reassembling them, and you'll lose things. Things like the file name. And it could have been written over. It could have been randomly written over. It will be randomly written over in an amount of time between now and the end of the universe. But it could be tomorrow, could be never, right? Okay.
[42:24]
Okay, good. I understand a lot more about this. And it wasn't helped that a lot of, there was a lot of parroting going on. And when you followed it down the rabbit hole, it all came back to one post on Reddit that the original poster deleted. That was the sum total of the sourcing for the, this also follows you from one device. This also happened on a device I wiped and gave to a friend. There was no there there.
[42:47]
We can make a legitimate complaint that Apple were very slow to realize that they really should answer more quickly. Because Apple just said, yeah, there was a corruption issue, we fixed it. And then people were like, yeah, but can you, you know, home another bar there, you know, tell us a little bit more here. And eventually they reached out to 9to5Mac and gave actually some more detail. But yeah, probably should have done that a bit quicker. Probably would have saved a lot of electrons being wasted on social media. Now, deep dive number two is an interesting story that is also Apple related, and it's one of those ones where I couldn't really put a fire extinguisher on it, because nothing that was said is somehow untrue and nothing that was said is somehow not of concern to the relevant people. But I can say that I don't see any concern for us regular folk, because this is one of those things where when you have enough anonymous data, you can still deduce patterns that tell you something about organizations or large groups, which may in some situations be valuable, but it doesn't really tell you anything about you or me.
[44:01]
So it's kind of like, depending on what scale we zoom out at, this is or isn't important information. And 99.9% of the time it isn't. So I'm just going to zoom back out a bit and go right back to the very first iPhone. Way back in time. And Apple made a big deal about the fact that even when you weren't within GPS range, they could still give you location data, because they had signed up to something called Skyhook, which was a third-party database that kept a record of the actual coordinates of Wi-Fi base stations, which all have unique MAC addresses, and then your iPhone could use its Wi-Fi chip to triangulate against, you know, at least three nearby base stations. And depending on the relative signal strength, have an estimate of where you were. That's pretty good, usually. And both Google and Apple realized how valuable that is, because even when you have GPS, you only ever have a very poor GPS receiver. The phone, you have a single channel GPS receiver, not multi-channel. So you're always kind of relying on adding extra data, and the GPS is kind of battery intensive and you'd like to use it as little as possible. So really your iPhone tries to sense 90% of its location information from cell phone towers and Wi-Fi, and then it just uses the GPS for the little final "and now just tweak me perfect here." So even today Apple still makes very heavy use of that Wi-Fi data to give you more battery efficient location.
[45:26]
And they don't rely on third party databases. Both Apple and Google have built their own because this is so important. And they both provide an API that you can use to ask their servers for where am I? And Google and Apple made very interesting different choices that really show the difference in how the companies think. So, Google's API, you give it the list of Wi-Fi base stations you can see. So, you basically say, I see these five MAC addresses, and here's their signal strength. The Google API takes that from you, does all of the work without telling you any of its homework, and just gives you back, I estimate you are here. Which means that they know on the server side where you are. And so, hypothetically, they could log your location and stuff, because they've worked it out for you. Apple works the other way around. Your iPhone says, these are the base stations I see. I'm not even telling you what their signal strength is. I'm just telling you this is what I see. And Apple answers back with the nearest 400, up to 400, depending on how many. If you're out in the backwoods, it may answer back with none. But it will answer back with, you know, an amount of base stations. And your phone does all the work. So only your phone knows the relative position. And your phone then uses the information from Apple to work it out on your end, which means Apple can't steal your precise location information because they don't have it. Your phone worked it out. And that's Apple's do-it-on-device mentality in action.
[46:52]
So, you said theoretically Google could, I know a while ago there was a talk, people said, hey, look, you can go see where Apple or where Google thinks you go. And I went and looked and it said that three days a week I go to this liquor store. And it turns out the liquor store is right where I start my run or walk down on the beach. It's right across from where the Strand starts. And would that be how the non-theoretical example of what it's doing? I don't know if you could tie that to this feature. I know that in general, their entire location services thing, their apps like to tell Google where you are unless you go out of your way to find every setting if we were to turn it off. So that may be happening at a slightly higher level. Hoover it up, as it were. Yeah, they like to hoover it up. So it's not unrelated, but I doubt it's down to that specific area necessarily. But it does give you an idea that they like to know where you are. That is something they find valuable to know and to track.
[47:50]
Okay, so we've got a difference in the way these two companies are doing it, but do we need to worry about this? Well, so you and I as individuals should actually be happy that Apple does it Apple's way, because we have more privacy as individuals. But something really interesting happens when you zoom out. So some security researchers in the University of Maryland asked themselves the question, given that Apple tells us up to 400 MAC addresses with locations every time we ask it a query, could we start to build up a big enough database of this information to start doing statistics to tell us something interesting? And the answer is yes, because... Hang on, hang on, hang on.
[48:32]
I'm confused. Do these researchers have access to the data of what iPhones are talking to, or Android phones are talking to, what Wi-Fi access points? You're saying up to 400? Every time your iPhone asks Apple servers to help it figure out where it is, Apple servers answer with 400 base station locations based to you, to your device. Answer back to your phone? So it's an API call. So you give them the MAC addresses you see and they give you back 400 with location data. So the researchers started feeding MAC addresses into this API over many months and collecting the answers. And so basically, they got to pretend to be all over the world. Wait, they have... You're still stuck on the beginning. How do they know what 400 access points my phone asked for? They're just pretending. How do they... They just have an iPhone and they're just... Okay, so they have a phone, but they can get to the Apple API?
[49:38]
This is a public API. To be honest, I didn't go into that much detail, whether it uses your iCloud ID to authenticate or whether it... But it's just an API that your phone can talk to, so... Okay. Okay. So I interrupted you. So now they're using some API that they can get access to, and they're throwing MAC addresses of access points at this API? Yeah, and every time you tell it, here's what I see, it answers back with, and here's what's near you. So you just do that enough, and you can build up a big database of MAC address locations over time. Here's what's near you. Here's what access points are near you. So you tell it, so the point of this API is to allow your phone to calculate its own position without Apple doing it for you. So you tell it, these are the MAC addresses I see, and it answers back with, okay, here's the GPS coordinates for all the MAC addresses I know about that are near you. And then your phone has MAC address plus geographic location, and it knows what it sees in terms of signal strength, so it can do the math. If it's getting back, this MAC address has this latitude and this longitude. This MAC address has this latitude and this longitude.
[50:55]
Okay, I think I'm with you now. So they just built up a database over many months of all of these MAC addresses. And of course, if you move your base station, then the location data changes. So the MAC address can change location over time. So if you remember everything the API has ever told you, you can start to build up a history of what's going on. The other fact that's important to know is that the first half of a MAC address belongs to the vendor and the second half belongs to the device. So Dell get assigned a bunch of MAC addresses and Apple get assigned a bunch of MAC addresses. So if you've ever installed a network scanner like the iNetwork one that I recommended about 10 years ago, it'll show a little icon that your HP printer is a HP printer and so on. And it knows that because the MAC address is a HP MAC address and so forth. Of course. Well, and if you look in your eero app, if you use the eero routers, it'll tell you, hey, I think this is from Apple. Yes, and that's how it does it. What's the MAC address? Ah, okay, it matches that vendor. So unfortunately it often comes back and says something like Espressif. That's my favorite one. That's apparently a chip in just about everything else in my home that I don't know. Because a lot of these vendors are, it's the vendor of the Wi-Fi card. So, you know, Apple might roll their own, but a lot of companies are just buying the cheapest off-the-shelf little chip and throwing it in their device. So yeah, you end up with these very generic ones as well.
[52:18]
So if you start to look at these things, you can start to see interesting patterns. So if you look at what do MiFi devices do, you can see that a bunch of these MiFi devices spend most of the week in very expensive parts of New York and the weekends in the Hamptons.
[52:38]
Hang on, I'm going to tell people what a MiFi device is. That's a little box you can get that basically takes cellular data and spits it out as Wi-Fi. They used to be all the rage in the old days before tethering to your phone, but I don't know anybody who uses one now, but apparently somebody does. We have one in case of emergency, because myself and the better half are both on the same cell provider, who is also our home internet provider. So we have the MiFi as a backup. Yeah, exactly. All the eggs in one basket. Unfortunately, while he was in hospital a lot, their Wi-Fi was awful. So the Wi-Fi was fantastic because we basically picked the carrier that had the best signal in the nearest hospital.
[53:19]
So we still keep it, because it's actually kind of useful to have in case of emergency. But anyway, it's kind of interesting that they move, you know, from fancy pants New York neighborhoods to the Hamptons and back from weekdays to weekends, which is, you know, it's information, but it's not dangerous information. It's just, well, we've done these statistics and we've now found a thing. But unfortunately, sometimes, you know, more like, say you know that the Ukrainian army uses Starlink terminals, and Starlink terminals are basically MiFis, but instead of talking to the cellular network they talk to satellites. So they work by making a local Wi-Fi network that gives you the internet.
[54:00]
And until the end of 2023 they had static MAC addresses, so you could watch the front line in the war in Ukraine move by watching the position of Starlink terminals on Apple's API. You didn't know which soldiers belong to which access point, but that's not really all that important if you're trying to figure out what's going on with the war, if you're trying to get intelligence on troop movements. If you're on one side of the battle and you know where your soldiers are, so you can ignore all the base stations that are yours, all the other base stations that are nearby are what the enemy are doing. You have now accidentally caused a giant big intelligence leak, because you didn't bear in mind that these little wireless access points are all just beaconing out. They're all basically being caught up in this location tracking.
[55:01]
Interesting. I still don't follow how it goes from some researchers sitting in Maryland to them being able to see where access points are in Ukraine. The API doesn't know where you are, so you can ask it about anything. So if you have a MAC address in Ukraine and you send that over, then it will tell you all the nearby MAC addresses in Ukraine.
[55:21]
So you need a MAC address in Ukraine to start with. How would you get that if you're sitting in Maryland? MAC addresses are known things. You just send it lots of MAC addresses, you get samples from around the world. And then when you have a big enough data set, you do the stats. Oh, and then you start picking it. I got you. Okay. Okay. Interesting. So, do we fall asleep over this or not? Another little point to make is that there is actually a range of MAC addresses reserved for something called MAC address randomization, which is a new standard that allows devices that are intended to move to use MAC addresses that are intended never to be tied to a location, because they're explicitly mobile. And so your phone isn't trackable through its... even though you can set up a hotspot on your phone, it's not trackable, because our phones since, like, 10 years ago have started to do MAC address randomization. That's just a standard range anyone can use. So as of the end of 2023, Starlink is also doing MAC address randomization. And all my Firelight devices should have always done this, but some of them are just too lazy to. And finally, if you really, really think that you do want to worry about this, and if you're prepared to tolerate the inconvenience of adding all of your devices back to your network, which in your case is a lot of devices, you can rename your home network with _nomap at the end. And then both Google and Apple will not add it to their database.
[56:48]
Well, that's interesting. I will bet more than one person listening to the NosillaCast will do that. And I can name two of them off the top of my head. I'm too lazy to. I don't think this is an issue for me, so I'm not particularly worried, because you can't tie a MAC address with human beings. So this kind of comes down to the fact that if you're a military organization using Wi-Fi, you need to bear in mind that by its very nature Wi-Fi broadcasts things. There are signals hanging in the air and those signals are being recorded by things. So it's something to be aware of rather than some sort of scandal. Like, there's no data leak here, there's no scandal here, there's no one doing anything wrong here. It's just with statistics you can do unexpected things.
[57:33]
And some people need to be aware of that. That's really interesting. Back with my old hat on, working... when we worked with secure areas, there was often information, as an IT manager, that I wanted about use of software and which applications are where and which hardware is where. And security would explain to me that while, you know, whether we're using piece of software A is not classified in any way, shape, or form, if you add that statistic to the statistic of what hardware we're using, what building we're in, what... you know, as you add those pieces up, somebody can say, oh, I know what kind of engineers you have there now. And if you have that kind of engineer, we know that they're doing this. And so little pieces of innocuous information can often add up to something that you would be surprised about.
[58:30]
Actually, that's a good question anyway. So, yeah, those are two deep dives. So we have some action alerts. I lost count of how many Google zero-days we got released in Chrome since we last recorded. It's at least three, but it might be four. I'm not a hundred percent sure of the dates of all of them. So basically, if you use Chrome, turn it off and turn it on again, and it will update itself. And at this stage, I'm starting to think that if I was a Chrome user, I'd probably have a little calendar reminder telling me to turn it off and turn it on again, say maybe last thing every evening before I finish work. Just, you know, close Chrome in the evening, open it again in the morning. That's probably the safest thing to do. And I do wish at some point that, when an update is important enough, Google would have a toggle they could toggle to say auto-apply this update, whether the user likes it or not. But anyway, that may or may not happen at some stage. But for now, just remember to turn it off and turn it on again, and you're all good.
[59:32]
Um, Apple have patched pretty much everything. So wait, oh no, wait, wait, this just in: the opposite of innocuous is not oculus, because there's two n's. The antonym is not... or the other word is noxious, but that actually means... it's not the antonym. That means noxious: harmful or poisonous. So you're bad. That's kind of cool to know, though. Let's just find a word for noxious, which I find a good use for. Anyway, if you have Apple stuff, patchy, patchy, patch, patch. It includes zero-days. Also, they backported some of the fixes to older iPhones, and it includes a fix for one of the responsibly disclosed flaws from Pwn2Own, which is within the 90 days. It's all good, things working as they should, but just picking up that thread and tying it up again. It was also Patch Tuesday up the road in Microsoft and Adobe land. So patchy, patchy, patch, patch. And the Microsoft one does include two actively exploited zero-days. So yeah, don't dawdle on that Windows patch. Patchy, patchy, patch, patch.
[1:00:38]
And I'm afraid I have two pieces of bad news. So if you are the user of a few D-Link routers that are apparently very popular in Canada, you need to be aware that security researchers have been trying to get D-Link's attention for months and eventually got fed up of waiting and have just released their proof-of-concept exploit against these popular routers, because they're afraid D-Link will never fix it otherwise. You can't patch, because there is no patch. There is a workaround. So if you have a D-Link EXO-AX4800, you need to apply the workaround, which is turning something off. You need to disable one of the features on the router, and then the vulnerability is not accessible. But still hypothetically there. Isn't that the first time D-Link have blotted their copybook in terms of this kind of thing?
[1:01:36]
No, no, they're terrible at it. By the way, I just said everything wrong about innocuous and nocuous. Innocuous means it's harmless. Nocuous means it's potentially harmful. So it is the antonym. So noc... I got my brain backwards. So for everyone who's yelling at their phones: innocuous, innocuous, innocuous, innocuous, innocuous, innocuous. Just take the "in" off. Find an excuse to use that. For everybody who had their emails half written today, you know what? When you act like that, you're innocuous. Excellent. That'll help. Good old D-Link. All right. Good old D-Link. Ever since I interviewed, or I chatted with the, uh, CFO? Not CFO, what is it called? Chief Security Officer at D-Link, and the guy was just as irresponsible and took no ownership of anything about security for his company. Yeah, and I've been with you on that, and I remain with you on that.
[1:02:41]
Owners of QNAP are unfortunately not in a much better... they're in a somewhat better situation. There was a third-party audit performed against QNAP NAS devices, because they're very popular, and they found 15 security vulnerabilities of varying degrees of severity, and they reported them to QNAP, who decided they'd patch some of them, but they were in no hurry to patch all of them. And eventually the security researchers got fed up and published the details of all 15 of them, even though not all of them are patched yet. So the advice is not to have your QNAP visible from the internet. So if you need to access it remotely, don't do it by port mapping it through your router and having it actually directly visible from the internet. Use one of these fantastic sort of fake private network tools like Tailscale to let you securely access it from anywhere without exposing it to the public internet, would be my advice on how to deal with this kind of a thing. And maybe consider not buying a QNAP next time and going for one of the other well-known vendors for NAS devices. But not D-Link.
[1:04:01]
Finally, just make sure your Firefox is patched because Firefox makes use of a third party library called PDF.js, which it uses to render PDFs in the browser. There was a really nasty bug found and fixed. Found and fixed, of course. But unless you actually patch Firefox, that's not such a good thing. And, you know, accidentally opening a URL that goes to a PDF, that could easily happen. So just make sure your Firefox is up to date and you'll be all good.
[1:04:34]
In terms of worthy warnings, there were, of course, a million and one data breaches, but my new rule of only telling you about it if the people involved haven't been notified means that none of them are on our plate today, because all of the millions of people's data that was breached has been reported to those millions of people, so they know all about it. But what I can tell you is that some security researchers inside Microsoft have noticed a new trend that I just think our listeners should be aware of. There is now a particular ransomware gang, they're called Black Basta, but that doesn't really matter. They're cyber criminals. And their new social engineering technique is to trick you into using the Windows Quick Assistant feature, which is a way to do screen sharing easily without third-party software, where you basically open the Quick Assistant app and type in the code you're given by the person you want to share the screen with, and then they can share your screen, which is fantastic for legitimate technical support. But if some random person phones you up and says they're from Microsoft or they're from the internet and they tell you to type in this code in this app, like, every Spidey sense on planet Earth should be going off here at this stage, right? You know, Windows Quick Assistant is fantastic if you engage someone for support. If someone reaches out to you out of the blue and wants you to do Windows Quick Assistant, the answer is no.
[1:05:53]
Right? So we'll leave it at that. Yeah. In terms of notable news, last time we mentioned that Google had released a report about how many billions of dollars of fraud they had prevented with their app store. Now it's Apple's turn. They have released their latest App Store transparency report, full PDF downloadable. Headline figure: $7 billion in potentially fraudulent transactions stopped in the past four years. If you'd like more, it's all in there. The first link in the show notes is to Apple's press release. They have little infographics with all of those shiny big numbers. Basically, Apple are very keen to let everyone know how much work they put into the App Store, just to let the European Union know that it's definitely worth that 27% commission. Definitely.
[1:06:41]
And it is, in fairness, right? I'm going to say it is. Well, okay. That's a highly snarky and politicized comment there, I would say. I think it is often unrecognized how much work it is to run a service. Having run a service, an IT service, for my company, and having people go, well, hey, the computer only costs $10,000, how come you charged me all this money to use it? And just to say, my snarkiness was meant that, like, you know, I know that Apple put a lot of extra effort into making this one pretty, because they're very well motivated to, rather than me devaluing the work they do, because I completely understand and value the work they do. I think they're absolutely right. The pretty part is what had me being snarky. You're just saying the pretty part. It's as much about the PR as it is about the numbers. Understandable, because they're under quite a bit of pressure. And then there were two big conferences since last we spoke. Google had their code conference, and so we found out lots of cool stuff about Android 15.
[1:07:39]
Basically there is, you know, a lot of AI stuff, shock and/or horror, but also just some plain old tightening up of rules and some very sensible things. Like, when they detect that you have a one-time password being sent to you through SMS, it won't actually show the password in the little notification window. So if you're doing a screen share or something, it won't actually show you the code, or if there's an app running in the background that probably shouldn't be, that's sort of spying on your notifications, it won't see your OTPs. Also some really clever stuff, like if you turn on screen sharing, all of your notifications get hidden from the screen sharing feed so that you're not sharing your notifications. That's very clever. There are also...
[1:08:27]
The sensitive data thing doesn't blow my dress up, because I think we've had that for quite some time. I know Steve was just trying to share his dad's screen and control it, but he had 1Password open and part of it wasn't working because of that. Yeah, it's nice to see these things being tightened up. Notifications is cool. They're also making some more APIs unavailable to developers without really, really begging or having a good reason for it. So basically they're adding more things to their list of "we think it's suspicious if your app tries to do this and we'll give it extra scrutiny." They're also using a bunch of AI to detect apps that turn malicious later, and then basically report back to Google and say that this app wasn't being weird until about a week after you installed it, and then it started being weird, and that will flag it back to Google for deeper review. You know, a lot of clever stuff like that. And they're also adding what for the most part looks exactly like what we've had on iOS for ages, which is the ability to remote lock your phone if it's stolen and that kind of stuff. But there's one frisson of coolness here. Nice. Google say that they have added some AI to the motion sensors in the phone, because apparently the act of snatching someone's phone out of their hand has a particular, very distinctive shape when you look at the motion. And so they believe they can successfully detect someone snatching your phone and running away with it.
[1:09:54]
What? Yeah, so they believe that someone physically stealing your phone looks different to normal life by a sufficient amount that they can unlock the device when that happens.
[1:10:07]
Okay, that's bananas. I love it. I love it. I hope it's true. I hope it's not full of false positives and random people are, you know, walking their dog and their phone suddenly locks itself. But if they're right, if the data is indeed learnable, that's a cool idea. Oh, I've been snatched. Protect myself. That's very cool. So, you know, hey, I hope it works out. Over in Microsoft land, there was also a conference that's called Build. And to some extent, a lot of this stuff is a little bit on the boring side, but it's still very important because of how much Windows there is on planet Earth. And you know those data breaches that we're not telling everyone about? A lot of those are caused by hundreds of thousands of Windows computers all over boring companies. So it is actually a big deal that Apple, or sorry, not Apple, Microsoft, are finally getting rid of something called NTLM, which is a terrible, terrible, terrible, terrible protocol used to hash, in the loosest possible terms, passwords.
[1:11:11]
And those hashes allow you to authenticate to stuff across the network and Active Directory. And pretty much the first thing every bit of malware does is go and hunt for NTLM hashes, because they can be cracked in minutes these days. So if your network still has NTLM enabled, then attackers can just hoover up the hashes and just start wandering around your network as you. So you install... you click on one wrong email, it reads all of your hashes, becomes you, and starts to wander around the network stealing stuff. So the fact that NTLM is finally being actually deprecated is... It's a big deal, actually, even if it's a boring, minute detail.
[1:11:50]
And another similar big deal, in my opinion, is VBScript is finally being killed later this year. It's going to become a feature on demand, which means only people who genuinely still need it are going to have it. Because most people don't need VBScript, but it's installed by default. It's used by very, very few human beings and lots and lots and lots of malware. So by not having it there by default, the malware is going to find its pickings are all of a sudden a lot less rich. So good. I'm just happy to see those two very sensible changes from Microsoft. Not exciting, but good. Um, in news very few of our listeners are going to care about: if you're still a LastPass customer despite it all, you're now a bit less insecure than you used to be, because LastPass did this really annoying thing where they only encrypted the password part of their database, not the URL part to match the password, so you could basically do a giant big privacy breach on people's encrypted LastPass vaults. Well, now they're encrypting the URLs too. About bloody time. Already? Yeah, I know.
[1:12:56]
And then we switch to good news mode, because I never like ending on bad news mode. Zoom have joined the post-quantum encryption world. Sorry, Zoom meetings will be end-to-end encrypted with post-quantum cryptography.
[1:13:11]
So, yay? Maybe they're doing it already, Bart, and that's kept either of us from being able to hear each other. We always use Zoom and we are on Skype right now. It happened to me yesterday, I couldn't hear Bart. Today, Bart can't hear me on Zoom. So maybe they've a little overly encrypted it. Maybe that's it. And then finally, there was a little bit of worry for a while that Slack had changed their terms of service to say we could train our AI on your data. Turns out that was a poorly worded paragraph rather than a terrible problem. So the guys at TidBITS have a nice little breakdown of exactly what is and isn't in the terms of service. I read it and I was like, oh, okay, that's grand. So I put a fire extinguisher next to it, because I think we're all good, which is important because podfeet.com/slack is full of really cool NosillaCastaways. So, we like that. Um, in terms of top tips, I know there are a few NosillaCastaways who are involved with what the American government call civil society. These are basically charities and foundations and similar groups who often do important work on shoestring budgets, and they need to protect themselves, because they're often actually targeted quite a lot, because their work may overlap with something people are cranky about, or they may be involved with moving large amounts of money around.
[1:14:36]
So they are a common target. So there is a new piece of very sensible advice released jointly by the American, British, Japanese, Canadian, Finnish and Estonian cyber security agencies with the very useful title Mitigating Cyber Threats with Limited Resources.
[1:14:59]
Which I think is probably a good thing to do. The great thing is the advice is actually really sensible. And I would say that if you are a family and you want to, you know, you're the person who looks after family IT, you could probably learn quite a bit from this advice. Or if you work in a small business, you also have limited resources. There's a lot of really sensible advice in here. So I actually think this is just useful advice for everyone. So that's why I popped it into top tips, even if it's technically aimed at charities and stuff. In terms of excellent explainers, on foot of all of the talk about those deleted photos, the Eclectic Light Company released one of those fantastic blog posts they do where they tell you more than you probably want to know about exactly why it is that we're so sure that Apple stuff is properly encrypted. They go into great detail about how Apple uses full disk encryption and stuff and how it's really well designed. Lots of nerdy diagrams and things, but all those partitions and stuff on your Mac and how it all works and how it changed when you went from Intel to PowerPC and a T1 and a T2. Stupendously detailed, but kind of cool. A lot of fun reading in there. By the way, Eclectic Light is actually just one guy. It's Howard Oakley. Cool. Good on you, Howard. You write really good stuff.
[1:16:20]
Oh, yeah. A fantastic resource when you're looking for stuff about, especially about, networking stuff. Yeah. Now, I didn't know if this really should be interesting insights or if I should stick it up on worthy warnings, but you may or may not have heard that one of the other things Microsoft announced at Build was a whole new ARM-based hardware, which is kind of cool, that has built-in AI, including a feature they're calling Windows 11 Recall. Your computer will take screenshots of everything you do and save it for three months, and then use AI to remember everything you did so you can ask the computer what you did in English. As you might guess, there are some privacy concerns with this. BleepingComputer break them down in great detail. They start from the point that Microsoft say, yeah, yeah, yeah, but we're using disk encryption. But that is better than forgetting to do that. I mean, the fact that they're putting it on an encrypted drive is not bad. But that's so far short of the level of protection this kind of data needs, it's not even funny. Because my initial reaction was, but they've thought of everything. They've locked it down. And then I read and I was like, ooh, ah, eep. Now, I wasn't really tempted to turn this on anyway. But if I had been, I wouldn't be. So. Yeah, I heard somebody say it was, it's just like Time Machine.
[1:17:48]
Or, no, the versioning and that kind of thing, or Time Machine. It's like, no, it's not. It's a heck of a lot more than that. Time Machine is just what you choose to save, which can have implications. But everything that ever shows up on your screen, that has a lot more implications. A lot more implications. Yeah. And then just because it's cool, one of our fantastic NosillaCastaways, I think he goes by Grumpy in the Slack. No. No. So this is Oet Gronin, that's Rope from the Netherlands, whose byline on Mastodon is Grumpy Former DBA, which confused the crap out of me.
[1:18:30]
Oh, OK. So that's why you thought it was real. And I wasn't sure whether to use real names or whether to use aliases. I was like, yeah, I'll just put the link in the show notes. Anyway, anyway, he pointed to a web page on his bank's website, that's ING in the Netherlands. And they have come up with something that in hindsight is so simple, we should have been doing it for years. And I hope to goodness every bank on planet Earth is going to copy this. They have added a feature to their app where you can type in the phone number that is currently ringing and it will tell you if that is a call from them. If it is a call from them, it will tell you the name of the person calling you and the department they're from. So if someone rings you up saying, hi, I'm from ING, you just say, well, actually, I'm on my home phone, punching in my home phone number. Is anyone calling this? No. Or is anyone calling this? Yes, the fraud department. Ah, okay, well, yes, ING, please do stop that credit card. It's so simple. Like, they know who they're calling, because it's through their telephone system. They have an app. Connect the two together. That's all there is to it. It's basically telling you: green, good, it's us. Red, not us. You just hang up.
[1:19:45]
Brilliant. That's interesting. That is a cool idea. I don't know how many people would think to do that. Well, it has to be matched with an appropriate social media campaign and stuff. But, you know, it's, hey, it's a good feature. It's a piece of solid advice that you can give people. And if you are working in the finance department and you are a corporate customer, I know that the training I would be handing out to people in the finance department would say, and if someone rings up saying, please do a bank transfer, you do this. Anyway, it's cool. Cool. So that brings us to some palate cleansing.
[1:20:16]
First off, this, right, so probably the most, the world-leading virtualization platform is probably VMware. And they have historically charged quite a lot of money for their high-end tools. They've had free stuff, but they've also had really expensive stuff. Well, now they've decided that it doesn't matter whether you use their really fancy-pants product or their really simple product: if you're using it for personal use, you can just use it for free, regardless of whether you go for the cool all-bells-and-whistles version or the simplified version. So if you're looking to build up some really useful experience to help you get a job or whatever, you can now use the high-end tools actually used in the real world for free. Or if you just want to run some cool stuff at home and you want to get into all the nerdy detail because you like running cool stuff at home, you can now use all the really fancy VMware tools for free. So that's just a great opportunity, particularly for our audience, who are probably full of people who like running cool software at home. So wait a minute, you can use the professional stuff, can you use the regular stuff for free? Yes, absolutely. Yes, basically. Everything's free? That's my reading of it. Yeah, that's my understanding of it, because they've had a change of ownership and the new owners have basically gone, we're going to simplify this. We're not going to charge based on what you're using. We're going to charge based on who you are. So if you're a corporate customer, you pay us. If you're a personal customer, you don't. And you can just use our stuff.
[1:21:46]
So to be clear, this is virtualization software that allows you to run other operating systems on your Mac. Okay. Or your PC, or your Linux. All three versions have been made free. Windows and XMAC. Okay, that never happens when somebody's under new ownership. This is fattening or something, Bart. I don't buy it.
[1:22:03]
I believe it's simplifying their process. Basically, we only care about big business, because one customer equals many, many, many thousands of dollars, whereas small customers, it's just a lot of work to collect all the pennies. So this way, it's just easier. Don't bother with the pennies. This is terrible for Parallels. Parallels do cool stuff, though. And Parallels have the advantage of being extremely human-friendly. So while high-end nerds are going to love getting the really cool, fancy VMware stuff, my dad, who likes to run the odd Windows VM, does not like fancy tools. He just wants really... But I'm not saying... I'm saying not the fancy ones. I'm saying just if the regular VMware Fusion that a home user would use, that was competitive with Parallels. Parallels. Okay. That's also, if that's free and the other ones, whatever it was, a hundred dollars or I forget exactly what the price was, that's bad news for Parallels. Okay. I thought there were things Parallels did that Fusion didn't, but maybe I'm wrong about that. I haven't played with it in ages. Me neither.
[1:23:08]
And then I have two podcast picks for you. So you and I were both fascinated by the recent nearly backdoor in SSH that nearly, basically, had the Chinese government have access into every server on the internet. As good as. It was a very, very, very close call. There is now a wonderful dramatic telling of the story from Planet Money. So that is linked in the show notes. And Nilay Patel has an interview with a guy who wrote a book about one of the weirdest true stories you are ever going to come across: how the FBI built its own smartphone company to hack the cyber criminal underworld. That's not clickbait. That happened. It is really fascinating.
[1:23:52]
Holy cow. Yeah. It's really well told. So it's just basically, it's about an hour for the Nilay one, about half an hour for the Planet Money. So an hour and a half of quality listening for our Security Bits lovers. Well, that's super fun. This was quite the potpourri today. It was, wasn't it? Everything from thunderstorms to the FBI making cell phones and all sorts of stuff in between. All right. Well, I think we should let you finally get that hot shower that you've been waiting for. I do want that hot shower. But until next we speak to you, remember everyone, stay patched so you stay secure. Well, that's going to wind us up for this week. Don't forget to send in your 1000th episode recordings to Steve by June 23rd by emailing him at steve at podfeet.com. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com/mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com/youtube. If you want to join the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com/patreon, or the one-time donation at podfeet.com/paypal. Remember, I don't take those sponsored posts. And if you want to join in the fun of the live show, head on over.
[1:25:16]
Music.