NC_2024_06_09

Allison Sheridan covers tech topics with an Apple focus, addressing WWDC chats, Apple Pencil compatibility, privacy concerns, data breaches, and industry advancements in a concise episode of the NosillaCast podcast.

2021, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

NC_2024_06_09
Magic Trackpads Really ARE Made of Glass
Which Pencils Work with Which iPads? The 2024 Edition of My Handy Dandy Diagram
My View of the Bartender App Kerfuffle
Hide Your Menu Bar Items with Hidden Bar – by Physics Nerd Graeme
Support the Show
Security Bits – 2024 June 9

Long Summary

In this episode, I, Allison Sheridan of the NosillaCast podcast, delve into various tech topics with a slight Apple bias. I begin by announcing the opening of the live chat room during the WWDC keynote and excitedly mention the upcoming 1,000th episode of the podcast, encouraging listeners to submit short audio recordings. I share my experience with a cracked Magic Trackpad and the smooth mail-in repair process with Apple, simplifying the compatibility of Apple Pencils and iPads with a helpful diagram. Additionally, I address the confusion surrounding the sale of the Bartender app, review a user's experience with the Hidden Bar app, and stress the importance of staying informed about different tech solutions.

The conversation on the podcast centers around the Hidden Bar software feature that enables users to conceal menu bar items on their computers. We explore the feature's settings for automatic icon hiding, global shortcuts, and an "Always Hidden Section," sharing our setup experiences, challenges faced, and workarounds implemented. We compare this feature with Bartender, another application offering similar functionality with some distinctions. We also discuss the potential privacy concerns related to Microsoft Recall, where the operating system saves detailed user activity information. We analyze initial security flaws in this feature and suggest possible improvements. The episode concludes with a call for listener support and transitions into a security news segment, alerting listeners about the cautious use of Microsoft Recall.

Shifting focus, I discuss the significance of hardware-level protection and the idea of not recording private tabs to enhance privacy. I introduce the concept of an OS-level API for app developers to label sensitive content, ensuring a secure environment for data like passwords and financial information. We examine recent data breaches involving major companies such as Cooler Master, Ticketmaster, and Santander Bank, underscoring the vulnerabilities inherent in such incidents. The conversation progresses to cybercriminal tactics, including a supply chain attack on Snowflake, a cloud provider utilized by several companies. We touch on the importance of multi-factor authentication, software vulnerabilities, and the escalating threat of fake browser update screens and malicious software targeting developers. The segment concludes by stressing the careful installation of plugins and evaluating the reputation and history of extensions to mitigate security risks.

I proceed to discuss Facebook's revised terms of service, granting increased access to user data, particularly in Europe, with concerns raised about the lack of an opt-out option and projections of potential legal actions. Cybersecurity issues are highlighted, including the takedown of a significant botnet and the necessity of avoiding free VPN services. Positive advancements are noted, such as Google's restructuring of location data storage and the UK's implementation of regulations for IoT security. I share palate cleansers, including a logarithmic map of the universe, a book detailing FBI surveillance on cybercriminals, and a humorous technology-related quote. Wrapping up, I remind listeners about podcast milestones, methods to engage with me, and ways to support the show.

Brief Summary

In this episode, I, Allison Sheridan of the NosillaCast podcast, focus on tech topics with an Apple perspective. Covering live chats during WWDC and repair experiences with Apple, I simplify Apple Pencil compatibility and review app confusion. I dive into Hidden Bar software and address privacy concerns with Microsoft Recall. Highlighting the importance of hardware security and data protection, we discuss recent data breaches and cybersecurity risks. I touch on Facebook's revised terms, positive industry advancements, and end with podcast milestones and support information.

Tags

Allison Sheridan
NosillaCast podcast
tech topics
Apple perspective
WWDC
Apple Pencil
repair experiences
Hidden Bar software
hardware security
data protection
data breaches
cybersecurity risks
Facebook's revised terms
podcast milestones
support information

Transcript

[0:00]
NC_2024_06_09
[0:00]Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at Podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, June 9th, 2024, and this is show number 966. Well, before we get started, we got a couple of housekeeping notes. This may be kind of late notice, but the live chat room will be open for all during the WWDC keynote on Monday, June 10th at 10 a.m. Pacific time. If you want to come, just head over to podfeet.com slash chat, where you can log into our Discord server. It's great fun, and I hope you'll join us. Secondly, we have a quick little message from Steve. Hey, NosillaCastaways, this is Steve. As you may have heard, Allison's podcast is coming up on its 1,000th episode soon. Now would be a great time to send in a short audio recording if you'd like to acknowledge Allison's accomplishment, or say anything interesting about any of the Podfeet podcasts. We'll be playing your clips on the 1,000th episode, so please send your input to steve at podfeet.com by June 23rd. Looking forward to hearing from you.
[1:08]All right, well, enough housekeeping. Let's get started with the show.
[1:13]
Magic Trackpads Really ARE Made of Glass
[1:12]Do you remember back in 2010 when Apple first came out with the Magic Trackpad, and they were all excited because they said it was made of glass? Well, I can prove that the Magic Trackpads are made of glass. Last Friday night, I opened my M2 MacBook Air, and I saw what looked like a hair across my trackpad. Now, with a dog, two cats, and my own long hair, finding a hair on something is a pretty familiar experience. But unlike all of the other times, blowing on this hair didn't make it go away. So I brushed it with my hand, and it stayed stubbornly in place. And then I realized it was a crack in the glass. But get this, when I ran my fingernail across it, I couldn't feel it. The trackpad had actually cracked from the inside. But at the time, I texted Jill from the Northwoods, and she found a Reddit thread from a year ago with people talking about this happening to them. I searched the interwebs, and I found some threads in Apple Discussions about it too. Now, I would definitely not call this a widespread problem, but it was kind of comforting to know I wasn't alone.
[2:13]I always buy AppleCare, so I gave them a call. Saki from First Level Support answered my call for help. She asked the obvious question, did you close it with something in the hinge? Well, I pointed out that I had just told her it was cracked from the inside. How could I possibly have caused that? I suggested that it would not make me happy if Apple came up with some scenario where they decided this was my fault. At this point, Saki asked whether I could hold for a minute or two while she asked someone else, what code am I supposed to use for this one? That's another indication that maybe this isn't a widespread problem, so it isn't anything to worry about. She came back pretty quickly and said they'd be sending me a box to ship my Mac in for repair.
[2:56]And the main reason I'm telling you this story is to illustrate how much easier and faster it is to use this method than to take it into an Apple store, even if you have one close by. Steve and I have both used this service several times, and it's always been way faster to ship it away ourselves. On Monday morning, the box arrived at my house. After making a full backup with Carbon Copy Cloner, I packed up my baby and I dropped it off at FedEx at 11:30 a.m. on Monday. They told me I'd missed the pickup time for that day, and I was bummed about that. However, at four in the morning on Tuesday, Apple Repair in Tennessee sent me an email telling me they already had my device. Later Tuesday afternoon, they sent me another email, but it kind of gave me pause the way it was worded. It said, We're returning your device to you along with a letter that provides more information. If you have any questions after reading the letter, contact Apple Support to discuss your options.
[3:52]Now notice that letter didn't say they'd fixed it. It just said they were returning it. The letter also suggested I might have questions when I get it back. I was very concerned that they were refusing to fix it because they somehow thought it was my fault. But even if they thought that, why wouldn't it make more sense for them to contact me and ask for authorization to pay for the repair? That would make sense. I looked at the status of my ticket on Apple Support, and the communication there was slightly different. It said, your repair is complete. I did wonder if that meant they'd repaired it or if it was kind of a nice way of saying they were washing their hands of it. On Wednesday at 12:35 p.m., barely more than 48 hours after I dropped the laptop off at FedEx, it was delivered back to my house. Even better, the trackpad was replaced. Apple had just unnecessarily alarmed me with their poor communication.
[4:47]I mentioned that I did a full backup on my laptop before shipping it off, which is always a good idea. In previous repairs, I've had the SSD either replaced or wiped, so I wasn't taking any chances. As much fun as it has been to do clean installs and running Migration Assistant lately, I was not in the mood this time. The bottom line is that I continue to be a fan of the mail-in process for hardware repair by Apple, and I continue to be a fan of buying AppleCare. I believed Apple when they said our trackpads were made of glass, but now there's no doubt in my mind. It would have been interesting to know what stresses caused it to break from the inside, but for now that mystery remains unexplained.
[5:27]
Which Pencils Work with Which iPads? The 2024 Edition of My Handy Dandy Diagram
[5:27]Back in October of 2023, I tried to demystify the hot mess that Apple had made with so many different iPad models and so many different Apple Pencils. It took me days to even figure out what all the options were to make one of my world-famous diagrams to explain it. One of the things that made it harder to diagram was that I had also tried to clearly denote which ones had Touch ID on a button, Touch ID on the Home button, and which ones had Face ID.
[5:52]Well, it's June of 2024 now, and Apple made it even more interesting by introducing a fourth Apple Pencil. Surprisingly, they made enough other changes to the iPad lineup that it's significantly easier to explain which iPads and Pencils work together. My new and improved handy-dandy 2024 diagram only includes currently shipping iPads. These are the two sizes of iPad Pros, iPad Airs, the 10th generation iPad Nothing, and the now three-year-old 6th generation iPad Mini. My previous diagram, as I said, also identified which iPads had Face ID and Touch ID on a home button versus Touch ID on the power button, but I don't think it's as big of a differentiator any longer, so I left that completely off the diagram, and that really helped to simplify the information presented. Now, one of the tricks of creating a diagram like this is to find the simplest way to display the information. You don't want a bunch of arrowed lines crossing all over each other in a tangled web, or you've kind of defeated the purpose of the diagram, which is to simplify the information for people. To solve this, I put the pencil with the most cross-device compatibility in the middle with the iPads surrounding it.
[7:04]Now, you also want your diagram to be accessible to as many people as possible. If you just use color only to provide information, anyone with trouble distinguishing the differences between colors can't play along. So I used different colored arrowed lines going from the various pencils to the iPads with which they were compatible, but I also made them solid, dashed, and dotted with various spreads of those dots and dashes. Finally, I made a table that explains which pencils and iPads go together so those with visual impairments can play along.
[7:34]Starting with how the most cross-device pencil should go in the middle, the winner of that position is clearly the Apple Pencil USB-C. All four iPad models have USB-C ports, so all four of them can use the USB-C version of Apple Pencil. Now that's the end of the lack of complexity, though. If you've got a first-generation Apple Pencil, that's the one with the lightning connector on it, you can only use it on the 10th gen iPad Nothing. And since it's USB-C, you need the adapter.
[8:04]I don't have an explanation for why none of the other iPads can use that pencil with a USB-C to lightning adapter. You'd think that if any one of them could do it, it would be the oldest one, the iPad Mini 6th generation, not the newer 10th gen iPad. If you have a second-gen Apple Pencil, it will now only work on the 6th-gen iPad Mini. And then finally, we have the fancy-pants new Apple Pencil Pro, which works not just on the Pro model iPads, but also on the M2 iPad Air. Now that wasn't too bad, right? Since that diagram wasn't too challenging, I decided to throw in a bonus diagram this time and explain the iPad keyboard lineup. Many people expressed dismay when Apple came out with the new iPad Pros and iPad Airs when they discovered that their beloved keyboard folios wouldn't work on these new models. While I'm a big fan of the Magic Keyboard myself, not everyone has the same taste, so nobody's right or wrong about what they like. Can you tell it's a pet peeve of mine that so many tech podcasters say, this keyboard is bad, or this keyboard is good? I prefer to say that I favor a certain one, and I leave everyone else to make their own decisions. I'm not going to judge.
[9:14]I made a new diagram, as I said, but it's really quite simple. The iPad Mini 6th Gen only works with Bluetooth keyboards, as always. This is one of the reasons I've bought iPad Minis twice and then abandoned them. I gave them to my kids. Without an attached keyboard, I just don't find a use for the Mini. Note that I didn't say the iPad Mini was a bad device. I just don't favor it myself. Next up is the 10th Gen iPad Nothing, and it's the only one that gets a folio. Specifically, it's called Magic Keyboard Folio for iPad. Now, you'd think Apple would have simplified the Magic Keyboard lineup, but the iPad Airs with M2 use the Magic Keyboard for iPad Air, while the M4 iPad Pros can only use the Magic Keyboard for iPad Pro. I guess it's well that they say which iPad the keyboards go with in the name now, but why are all three of these called Magic? What's magic about the Folio? What's magic about... I don't know. Anyway, my diagram in the table for the keyboard options per iPad is pretty simple, but I felt for completion's sake I should include this valuable way to present the state of affairs. I'm sure I'm going to be back next year with a new installment of Fun with Pencil and iPad Diagrams.
[10:25]
My View of the Bartender App Kerfuffle
[10:26]You may or may not have heard that there was quite the kerfuffle this week about the beloved-by-many Mac app, Bartender. If you're unfamiliar with Bartender, the problem it solves is to help you manage your menu bar items. My most recent article about Bartender was just in November when developer Ben Surtees came out with a massive upgrade with version 5. Well, the short story is that Ben sold Bartender to a company called Applause. The kerfuffle happened mostly because of the fact that Ben and Applause didn't announce the sale, and that lack of disclosure made things look very suspicious. When the transfer occurred, a new certificate had to be issued to Applause per Apple's signing requirements.
[11:06]Now, if we'd known it was being transferred, it might not have raised any red flags. Applause also included Amplitude's digital analytics framework in the new release, which is a system designed to analyze user behavior on a platform. The new user analysis, coupled with the seemingly under-the-table way the software ownership was transferred, caused the service MacUpdater to raise the alarm. Now, only after the world was on fire about this did Ben issue a public statement explaining that this was not a world on fire situation. In his post, he explained that after the release of Bartender 5, he realized that as a solo developer, he could no longer support the users at the level he wanted to. He explained the sale to Applause and described them as a company sharing his vision for Bartender and that he believes they're the right company to carry the vision forward. He went on to apologize for the lack of communication and for any confusion or concern it may have caused. Now, after Ben's post went up, I dropped him a note thanking him for all of his hard work over the years. While I was working on the ScreenCastsOnline tutorial on Bartender 5, he was very attentive to my questions, and I really enjoyed working with him. He wrote back to my note to him, and in tongue-in-cheek form, thanked me for finding so many bugs for him in Bartender. I do tend to unveil a lot of bugs when I'm doing these videos.
[12:26]Now, while I'm certainly sad to lose another developer friend right on the heels of Craig Scott throwing in the towel on iThoughts, I wish Ben a less stressful life now, and I hope he made bank on the sale.
[12:37]I've got a little more information later. Adam Engst on TidBITS also reached out to Ben, and he got a bit more info on the data analysis part of the story.
[12:46]Adam said that Ben said that he had spoken to Applause about the addition of the Amplitude Digital Analytics Framework, which he believes they added purely to get an idea of the user base. He didn't believe they thought it would cause that much of an uproar, which it probably wouldn't have without the signing certificate issue drawing attention. Now, Adam also reached out to Applause and would update his article if he hears anything back.
[13:11]I hate to quote a Reddit thread with no backup, but one user requested a refund from the new owners of Bartender, and in the email back where they explained that the user was outside of the four-week refund window, they also said, quote, We've removed Amplitude from the latest test build, version 5.0.53.
[13:30]I find it interesting that people are alarmed about this unknown company. It's interesting because I'm willing to bet 99% of the people who used Bartender in the past had no idea it was written and supported by a solo developer. The transfer of power was certainly bungled by any objective measure, but knowing what we do now, would it be better to have a solo developer buried under a mountain of feature ideas and requests, or a company with more than one developer working on it? Now this company might be a disaster, but we have no way of knowing right now. For the time being, I've chosen to stick with Bartender, but I'll definitely be keeping my eyes and ears open for anything nefarious Applause may do to this application. The problem is I simply can't use a laptop without a tool to manage the silly number of apps I have that use menu bar items to control their interface.
[14:18]
Hide Your Menu Bar Items with Hidden Bar – by Physics Nerd Graeme
[14:19]Whether you share my view on the Bartender kerfuffle or not, it's always a good idea to keep our eyes open for different solutions to the same problem. Physics Nerd Graeme decided to give an app called Hidden Bar a try, and he sent in a review for us about Hidden Bar. In this review I want to look at Hidden Bar.
[14:38]Now the problem to be solved basically comes from the fact that Bartender was a great app for hiding menu bar items, and it may well continue to be a great app for the myriad things it can now do for the new proprietors. But I felt it wasn't the right fit for me now, so I went looking for a replacement. The function I want is to have a way to hide menu bar items, because I have so many of them that they do not all fit on my MacBook Air.
[15:08]A menu bar tool like this provides a button on the menu bar that expands and collapses items, both providing a neater look and, in extreme cases, making the icons visible at all. Hidden Bar is available from the App Store for free or directly from GitHub. I went with the App Store. When you first open Hidden Bar the settings screen appears and you'll see how little there is to this app, which is a good thing. The screen has a nice big image in the top half that explains how to use the app, or at least it tries to. It shows an example menu bar with standard icons for Control Centre, Spotlight, Wi-Fi and the battery reading from right to left. Then there's a chevron pointing to the right. Then a solidus, or vertical line if you prefer. Then some less well-known icons representing a controller, a battery maybe, and a water drop. Underneath that solidus is a big pointy arrow, and to the left is written Hidden in big letters, and to the right is written Shown. It doesn't take much to figure out that you're going to put the things you want to hide on the left, and everything on the right will stay visible.
[16:30]It even has text explaining: In your Mac's menu bar, hold the Command key and drag icons between sections to configure Hidden Bar. This is all super intuitive and works as described.
[16:47]So let's look at the settings. There are six settings that can be adjusted. First is Start Hidden Bar when I log in, which is happily unticked by default, making it the user's choice. I checked it straight away. Below that is Show Preferences on Launch, which is handy when you get started, but I unchecked that one straight away. Use the Full Menu Bar on Expanding is an option that hides the current app's menu bar items when you expand Hidden Bar, which is useful on a laptop because it gives you a bit more real estate.
[17:27]Skipping ahead, at the bottom is Automatically hide icon after, which is set at 10 seconds by default. This means that if you expand the menu bar to show all your icons, Hidden Bar will automatically collapse it down again and give you your zen back. Over on the right is a setting to enable a global shortcut, which obviously works to expand and hide the menu bar items, though you still need to move the cursor up to click them. Perhaps this will be useful if you have a bunch of info up there like HomeKit temperatures or something. Saving the confusing one for last, we have Enable Always Hidden Section.
[18:08]Not Always Enable Hidden Section, but Enable Always Hidden Section. It has a question mark button next to it, which gives us this hint. Use the Always Hidden feature to keep your icons tidy. Here's how to set it. Steps to enable: 1. Enable the always hidden solidus, which they call a translucent colour bar. 2. Hold and drag it on the left hand side of the normal bar, then move any icons you want to disappear on the left of that bar. 3. Finally, please right click on the collapse chevron icon to make it disappear. Steps to view always hidden icons: 1. Right click on the chevron icon again to view, and repeat the action to enable the feature. Enjoy. Now, that was actually less helpful than I'd hoped for, but I think I have things figured out now. The app has at least two menu bar items. It has the chevron and the solidus. The chevron is purely Hidden Bar's interface item. It's what you click on to activate the hiding and unhiding. It can be put anywhere you want, so it could be on the right, the middle or the left of all your other menu bar items.
[19:27]This means that not everything to the left of it gets hidden. That's what the solidus is going to be for. I admit I got confused by this for a while. Oh, and yes, you can even place this chevron to the far, far left so it should get hidden by itself. But luckily it gets disabled in this state. The solidus, unfortunately, is invisible on my Mac. I don't know why, but it appears to take the same colour as my menu bar. I know it's there because I can drag it around and it bumps things out of its way, but I cannot see it, and this is what prompted me to write this explanation. So my layout, what makes sense to me, is to have the chevron as far left as I can, then put the invisible solidus immediately to the left of that, and this means that in effect everything to the left of the chevron will get hidden.
[20:28]I then Command-drag other icons that I want to hide to the left of the invisible solidus. And if you're doing it correctly, there will be a gap between the chevron and the icon. If you find that your chevron and icon are right next to one another, you've probably shoved the invisible solidus off to the left somewhere. Once I'm happy, I enable the always hidden section, and that gives me a new solidus, which I can actually see this time, to the far left of everything else. Now, I can drag icons I really don't like over there to the far, far left. Once settled, I can click on the chevron and everything to the left of it disappears. And I click on it again and everything reappears. Now did I just say everything? Yes. Even the always hidden icons are visible. So I don't know what that's doing really, but at least they are sectioned off a little. So the settings I've ended up with are that I only have three options ticked: Start when I log in, enable always hidden, and hide after 10 minutes. Now the app hasn't been updated for a while and has some little quirks, but once set up, it seems to do the job well. And it has that sense of can't be too naughty that comes with the apps from the App Store. So I'm going to stick with it.
[21:51]Allison here. I'm going to make a few remarks about Hidden Bar after Graeme's terrific review. I decided to give Hidden Bar a go just for fun. If you're the target audience for an app that hides menu bar items, it's probably because you have too many menu bar items to fit in your menu bar. But if you have too many to fit, then Hidden Bar simply won't work for you. As Graeme described, to get menu bar items into the hidden side, you have to drag existing menu bar items to the left of the vertical line icon that Graeme is calling the solidus. But when Hidden Bar is initially launched, the chevron to get to the solidus is to the left of all of your existing menu bar items. So if you have too many to fit on screen, that means the solidus isn't on screen because it's the last icon. I discovered this when I tried to use Hidden Bar on my 14-inch MacBook Pro.
[22:42]Now I did figure out a way around the problem, but it may not work for you. I connected my laptop to an external display, and only then was I able to see the last nine menu bar items that hadn't fit on the 14-inch screen, including the chevron at the very end on the left. I put a screenshot in the show notes in an attempt to illustrate this problem, but it's pretty hard to read because it's so wide but thin where I was actually able to see it. Anyway, once I dragged a whole slew of menu bar items to the left of the solidus, I was able to collapse and expand my menu bar items. But think about what I've described. When I expand, I still can't see all of my menu bar items on the screen because it's too small. You might suggest I just use the second solidus to move some items to the Always Hidden category, but I was never able to find the second solidus.
[23:32]Bartender solves these problems by giving you a secondary bar that drops below the standard menu bar. This allows you to have two substantial menu bars on screen, one above the other, with no compromises. In Bartender's settings screen, you can also move menu bar items to an always hidden section, and you can group icons together so they only fill up one slot in the menu bar and then they have a little drop down. You do all of this moving around of the icons in the settings screen, not in your menu bar where things don't fit. Now, Hidden Bar is free, and it does what it says on the tin, and it does not need screen recording permission to function like Bartender does. But if you have too many menu bar items to fit on your screen, I'm not sure it's the best option. Finally, if you're a VoiceOver user, Hidden Bar is not accessible.
[24:19]
Support the Show
[24:20]Recently, I got a delightful treat. It was a notification that the lovely Neil Gilmore had sent me a spot of money via PayPal. It was a lift to my day, not just that he was supporting the work we do here at the Podfeet Podcast, but it let me know he's out there listening. It's easy to think of the audience as just being those folks who've chosen to communicate with me in some way, so it's nice to be reminded that the vast majority of you are out there listening without providing commentary back to me. Speaking of commentary, the wonderful George from Tulsa made yet another donation through PayPal as well. He contributes content, sends me adorable photos of his granddaughters, and supports the show. He is awesome. If you'd like to be lovely like Neil and awesome like George, just go to podfeet.com slash PayPal and show us some love.
[25:05]
Security Bits – 2024 June 9
[25:07]Music.
[25:15]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How are you today, Bart? I am dry-ish and I am very heavily democratized. I had a week of democracy this week stretching across two countries. I got to vote in national elections in Belgium by post. I got to vote in European elections from Ireland and, for the first time ever, in local elections where I actually live. I finally transferred my vote from my childhood home, where I haven't lived in decades, to where I actually own a house now. So I can now vote for people who actually matter to me. So, yay. OK, that's been a long time. Yeah, well, there hasn't been an election since we bought the house. It was when I bought the house I transferred my vote. OK, I got you. Got you. That makes sense. Yeah. Well, that's good. Good on democracy. I'm a fan. Me too, me too. Anyway, we have a whole bunch of security news, shock and horror. The world hasn't stood still in the past two weeks.
[26:23]And we have two deep-ish dives, which I guess we've no feedback or follow-up, so straight into deep dive number the first. And I'm just going to say straight up, my advice for now is to avoid Microsoft Recall for now. So I don't know how much this made your radar, but Microsoft had their Build conference, which is technically a developer conference, so it's like WWDC. But they do also do that Apple-y thing where they throw in some hardware announcements. Why not? And the big announcements were new Copilot Plus PCs, both Microsoft-owned brand and third-party, which are really cool because they use ARM-based CPUs. And that means that they have onboard AI chips, which is also very useful. Where things become a bit less cool, in my humble opinion for now, is a feature which they have called, what did I call it, Recall.
[27:26]And this is philosophically a very good idea. So.
[27:32]Windows 11 on these Copilot Plus PCs with their ARM chips is going to have AI capability at the OS level, which is good. But one of the things it's going to do, initially it was on by default. They've had a rethink about that and it's now an opt-in instead of an on by default feature. But the operating system can see everything you're doing with a level of clarity nothing else can. And with Recall, it's going to save what they call snapshots of what you're doing, which some people have misinterpreted as screenshots, but it's actually at a much lower level. So you know the way when you do screen recordings using a really good tool, it doesn't actually just capture the pixels? It kind of knows more about what's really going on inside the windows, and you can highlight things and stuff. Well, the same is true in Windows. If you're using the Windows APIs, Windows knows that the email app has said to write the words hello Bart, this is whatever. So it's not saving dumb screenshots that you have to OCR later. It can actually save the real text in all of your emails, the real text in all of your Word documents, the real everything. It can save the real information. And so the idea is that Recall will save everything you do all the time, and then you can say to your computer, hey, who emailed me three weeks ago with something to do about Apple Watch straps? And then Copilot could go into that database of everything you've done and tell you and show you, which is cool.
[29:00]But of course, that's the crown jewel. Like we describe your email as your crown jewels. Well, in this kind of a world, your crown jewels have just been upgraded. It's not your email. It's this database of everything that's appeared on your screen in the last 90 days, which is what is going to be in Recall. So obviously, for this to be worth the fantastic convenience, they must make an amazing, amazing effort to protect those crown jewels. And I am horrified at the first draft that Microsoft felt was worthy of putting into what they call preview release, which everyone else calls beta release. But in Microsoft land, it's preview.
[29:44]And especially since they just made a big announcement of how they're security first. And if the question is, should I do this? Yes or no. And the answer is security: no, then it's no. Well, I don't think the Copilot team got Satya Nadella's message. Because their first version was weak. So I'm going to say what they released first, and then the good news is I do have some updates to give you. So initially it was on by default and you had to go into the control panel to turn it off, which of course means that no one would, because if it's on by default, 99% of people will just use it. It's going to be neither on nor off by default. You're going to get an onboarding experience where they're going to basically ask you if you'd like to turn it on. So technically speaking, that's off by default, because until you answer, nothing happens.
[30:33]From day one, there were two types of data exempted from being captured in Recall. The first one made me laugh. DRM-protected content is not going to be captured in Recall. Oh, God. That's what they spent their energy and time looking at. Yeah. Content creators, they matter. Your privacy, nah. So that made me chuckle and cry a little bit. And the other thing that is mildly smart and is definitely on the right path here is that private tabs in Edge will not be captured. So that's good, but that hints at a lot more to do. The data is stored in a simple SQL-like database, and their first draft of this was that they would pop that in a disk partition and protect it with standard Windows disk encryption as if it was any other system volume.
[31:31]Shock and/or horror, within a day or two of the preview release, there was a project on GitHub where you could download an extractor tool that could read a Recall database and pull out sensitive data. Of course that was going to happen. So that was take one, and it got very royally slated by privacy experts and security experts, both, because it's neither secure nor private. Microsoft have had a slight rethink. So like I said, it's now opt-in instead of opt-out. The SQLite database is going to get encrypted. Encrypted. Who would have thought that might have been a good idea, to encrypt the data? So they're going to do that. And they're actually going to tie the encryption not into the standard disk encryption features, which are basically designed to decrypt on boot and stay decrypted until you shut the machine down. That's disk encryption, right? So you don't notice your disk is encrypted. So any malware on your machine doesn't notice your disk is encrypted. They're changing it to encryption tied into Windows Hello, and they're describing it as just-in-time decryption. Which I understand as being similar to how the keychain works, where stuff is actually kept encrypted until it's read, and then it's decrypted while it's being read, and then re-encrypted as soon as you stop reading it. So that sounds like a much better API to be using for this encryption than disk encryption, which is definitely the wrong answer.
[32:55]So definitely better. We're definitely heading in the right direction here. But this thing is nowhere near ready for what Microsoft called general availability. So what everyone else calls beta, they call preview. And what everyone else calls version 1.0, Microsoft calls general availability, or GA. So this thing is not ready for GA, not even nearly. For what it's worth, what's most interesting about this part is, a hundred years ago I went to a conference where somebody on stage talked about this cool new technology they had developed that would record everything that you were doing on your PC and store it in a way that it could be played back. And when I heard this, I thought, boy, that's the worst thing I've ever heard of. That sounds like a terrible idea. And my company bought that company and put it on all of our PCs at work. Now I've been retired for 11 years, and that was a good 10 years before that. So this isn't a new concept. This has been around. But they basically did it so they could see, our employer wanted to see what we were doing. Right. And you didn't have the ability to, or they didn't have the ability to maximally use that data without the modern AI revolution. So now that data would have required manual work. Whereas now, you throw an LLM at it, right? So let me ask you a question. If this is, even if it's encrypted data.
[34:21]And encrypted in the way you described, if someone is on your computer with admin privileges, they also have access to it. Yes. So they would need to get admin privileges. They would need to get more of an exploit than just running as you.
[34:39]Oh, really? Well, right, because the Windows Hello stuff is protected from just a normal app running as you. So they would need to do, but they would need to elevate privileges. So they need to get some code running and privilege elevation. So the bar is now two exploits. Why does it have to be above you if you can get to it? Because you don't actually, the Windows Hello stuff you don't get to, it's got to on your behalf by the operating system. So there's a level of indirection.
[35:12]That's above your privilege level. Yes, because the operating system is the boss. It's like with the keychain.
[35:20]When you open Keychain Access, you can't see the password until you re-authenticate yourself, even though you're running as you and you have access to those passwords for autofill, because the operating system is intermediating it. Okay. All right. That answers my question. But I don't think that's enough. So for what it's worth, my opinion is, like, I kind of love this concept because I'm a forgetful fella. And I would really like to be able to ask my computer questions like that thing someone emailed me about three weeks ago. I vaguely remember the vaguest outline of things. And I know it. I often know something exists. And then I'm very frustrated that I can't find it anymore. And this happens to me all the time. So I'm not against the concept. But for me to be comfortable using it, I would need to see two things happen. So.
[36:09]We would need to have hardware separation. So not relying on an OS level like we are with Windows Hello, but actually take the model of the Secure Enclave. There is a separation of hardware there, and there are only data lines to allow... private keys are write-only in a Secure Enclave. And the only thing you can get out of a Secure Enclave is the answer to a digital signing request. So it's physically impossible to get the private key out of a Secure Enclave. That's what makes it a Secure Enclave. And so we would need an AI enclave where you can push data into the model and you can send it questions and it can give you answers, but you can't say, vomit up everything you know.
[36:56]Okay, okay. So I would want hardware-level protection. The other thing I want is this concept of, oh, I won't record private tabs. Good start, good start. There needs to be an OS-level API for any app to mark some or all of any window as sensitive, and then enough time has to go by that every app I care about has been updated to use this API, and then I can be confident that every password field in every app is going to be marked as sensitive. That my entire banking website can set an HTML meta tag at the top of the page that says, this entire domain is sensitive.
[37:44]So forgive me if I'm being naive here, but I assumed that that was... That code had already been cracked. For example, if I'm doing a screen recording on iOS and I enter a password, it doesn't show. Password fields are the one thing that that's done for, assuming they use an actual password field. Which is the example you just used.
[38:07]Okay, bad example. Okay, I just want to make sure I wasn't misunderstanding the other thing. No, that's fine. No, no, no. But there could be something that's my home address, whatever. Well, even just the entire... When I log into my bank, every single thing on that window is sensitive. When I log into my health care provider, right, it's all sensitive. My pension, right? All of that stuff, right? So yeah, at an app level, like the Health app, that should never go into Windows, into Recall, right? That entire app is off limits. Entire websites are off limits. Certain spreadsheets, I should be able to just mark a spreadsheet and say, not this one, right? My VAT returns for my accountant, right? So we need OS-level support for apps to mark content as being sensitive, and then time for those APIs to be adopted. So five years from now, I could see myself being a big fan of this type of technology.
[39:05]Right now, today, you could not pay me. Because I was listening to one of the many podcasts I listen to, and someone said, yeah, and don't forget that data leaks are a one-way valve. Once you leak something, you can't pull it back. So if you give it to OpenAI, you have given it to OpenAI, right? So yeah, so yeah. I thought... there are also lots of links in the show notes to other people's more considered opinions. The article from The Verge is very good. That's the first one. Basically, everybody on Earth is talking about this right now.
[39:41]Yeah, exactly. Right. Moving us on then to my second deep dive, which is there's a TLDR version and a slightly more version. Basically, there were a whole bunch of big data leaks and that was suspicious. And then the answer arrived. It was not suspicious. It was not coincidence. It was the same cause. It was a root cause problem. So this is an example of something called a supply chain attack. There is a cloud provider that you or I will never use because they provide services for enterprises. But they are used by companies you and I may use, like, say, Ticketmaster.
[40:20]And there was a problem with Ticketmaster's account on Snowflake. And there was a problem with Santander Bank. Is Snowflake the service that you're talking about? Because you didn't say the name of the service yet. Oops. Okay. Sorry. Yes. So Snowflake, which I'd never heard of. I'd never heard of Snowflake. I had to go read what they are. But anyway, so the TLDR version, I'm just going to say there are four data breaches of note that I just want to, if you're going to pick up nothing else here, just these are the four data breaches and then you can tune out. So if you're into PC gaming, you've probably come across a company called Cooler Master. They do all of those really cool cooling kits to make your gaming PC not melt. My darling beloved has a Cooler Master kit. Everyone does. They have LEDs and stuff. They're cool. They were spectacularly breached. I'll just read the quote. This data breach included Cooler Master corporate, vendor, sales, warranty, inventory and HR data, as well as over half a million of their Fanzone members' personal information, including name, address, date of birth, phone, email, plus plain, unencrypted credit card information, containing name, credit card number, expiry, and three-digit code, which is against the bloody rules. You're not allowed to save that code according to the actual rules of the credit card industry.
[41:48]All right, anyway, that's everything. That's everything. What, doesn't it take passwords? No, not your password. Passwords are not on the list, just your credit card. Yeah. Another reason you should get an Apple Card and use the rotating three-digit code. Right, yeah, it's annoying as heck to use, but I feel safer. Right. The Ticketmaster breach contains customers' full details: name, home and email address and phone numbers, as well as ticket sales, order and event information. They also contain customer credit card information, including hashed credit card numbers, the last four digits of credit card and authentication types, expiration dates, with financial transactions from 2012 to 2024. So with Ticketmaster, they can't steal your money, but they can make a very convincing phish.
[42:47]So that's the danger with the Ticketmaster breach. Advance Auto Parts: 380 million customer profiles, including name, email, mobile phone, address and more. 144 million orders, which again, phishing heaven. And 44 million loyalty card details, including customer details. And then two weeks earlier, which didn't quite make the show notes last time, because Santander, which is the bank in question, had already notified affected customers. But we now know retroactively that the Santander breach was in fact part of this same story. So that was actually the first of the breaches to come to light. So the rest of this story is borderline Security Bits, because I can't tell you how to protect yourself, because you can't. But I do think it's important to understand how cybercrime works these days, because it's all about the money. And so this is an example of why we need to follow the money. So you can or can't tune out. Before you go on, you didn't ever tell us what Snowflake does. I'm about to. This is the optional bit. So I'm going to start there. That's my next sentence.
[44:01]Ish. So, okay, I'll jump to what Snowflake is. They describe themselves, because I didn't know, I'd never heard of them before, a single, fully managed platform that powers AI data cloud, I don't know what the hell that is, Snowflake securely connects businesses globally across any type or scale of data to productize AI applications and more in the enterprise.
[44:27]Cloud services for companies. That didn't tell me anything. Something to do with moving your data around and shoving it into an AI. Okay, good. That is the best I can make of it. So, and they have some high profile customers. You may have heard of Adobe, AT&T, Capital One, DoorDash, HP, Instacart, JetBlue, Kraft Heinz, MasterCard, Micron. I could go on and on. They're big. So, cyber criminals are interested in making money. And they would like to do so in the most efficient way possible. Least effort equals maximum profit. So it has now become the thing to outsource your IT to software as a service. And so that means that a lot of the IT heavy lifting is being done by companies that you or I don't have a relationship with. I choose to be a customer of Apple. I don't know who Apple outsource to. I choose to be an Adobe customer. I didn't know I was also a Snowflake user because I didn't choose that. Adobe chose that. And so this is a fact we can't change. And this is also why companies like Snowflake are really, really tempting to attackers.
[45:48]So, in this case, we know that Snowflake accounts belonging to those four big data breaches we just mentioned were compromised by attackers who used them to steal some really sensitive information out of Snowflake. And then the details become fuzzy. So, Bleeping Computer have reporting saying that this attack goes all the way back to October when the attackers succeeded in getting info-stealing malware onto a staff PC within Snowflake, and then they were able to leverage that information to break into other accounts belonging to people with Snowflake accounts. Ah, okay. And bleeping computers. To the, what is it, bag of mostly water?
[46:36]Yeah, yeah. I mean, that was how LastPass, it was an unpatched version of Plex. That's how LastPass got breached, right? A developer working from home had an unpatched Plex. So according to Bleeping Computer, the initial attempt by the attackers was to extort Snowflake. They were looking for 20 million to give them the data back. And Snowflake wouldn't play ball. So then they went, fine then, we'll go after the actual customers of yours. And so they then went on to sell the data on the black market. So they didn't go and do an extortion against Ticketmaster. They just went straight to, we'll just sell the Ticketmaster data on the black market. And then we all discovered it because we saw the ads for the data on the black market. I say we, security researchers. Now, Snowflake don't agree with Bleeping Computer.
[47:27]Snowflake are entirely blaming their customers. What? Their customers being Ticketmaster and the auto parts place? So I'm just going to say what Snowflake say. We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake's platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel. Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by info-stealing malware and logging into databases that are configured with single-factor authentication.
[48:09]I think there's probably truth in both stories, and I have absolutely no doubt about that last sentence, because an info stealer shouldn't be able to do anything with the info if there's multi-factor authentication. If someone steals your username and password, they shouldn't be able to get to every credit card number you've ever had as a business without being presented with a two-factor prompt.
[48:33]But they were. So at the very least, I think that's true. So basically, this is going to become more and more of a problem. The cyber criminals are behaving much more like nation state actors, like advanced persistent threats. And for goodness sake, everyone, use multi-factor authentication. Like, you know the way in the health industry you have a legal requirement to do your best not to kill people? Shouldn't we have, like, a fundamental baseline of: if you're going to provide digital services, you must at the very, very least use multi-factor authentication? Like, you know, can we do something to set a baseline under this? No credit card numbers. This might come at a really opportune time, as Ticketmaster and its parent company are under massive scrutiny by the, I don't know who it is. Is it the FTC? Yeah, the antitrust stuff. It's like, okay, right in the middle of this, you lose everybody's data. And you have it all. Yeah, and you have it all because you're the only one. Because you also own the concert venues. Yeah, nobody had a choice. Yeah. Good. I hope so. That'd be great.
[49:41]So yeah, that's our security medium deep dive that sort of, kind of meets the definition, but doesn't really. So now we're back to our normal scheduling. Everyone pay attention. We have some patchy, patchy, patch, patch. If you're the owner of the popular C5400X gaming router from TP-Link, critical remote code execution bug patched. So make sure your specific gaming router is patched. If you're the owner of a Zyxel NAS, remote code execution patched. So make sure your Zyxel NAS is patched. If you're a user of Google Chrome, last we left our story there had been five zero days in 2024. Now there have been eight. So I said you should probably get into the habit of turning Chrome off every evening and turning it on again every morning. Yeah, do that. And in fact, if you're using any browser that is not patched as part of the core operating system, like Safari, or Edge on Windows, then you should do that. So Firefox, all of these things, turn them off and turn them on again so they have a chance to patch themselves, because they do that on startup. Why did you specify and say on Windows? This is true on the Mac as well. No, sorry. Edge on Windows is like Safari on the Mac. Software Update will take care of it whether or not you restart the browser. Okay, but Edge on the Mac is not like Safari on the Mac. Precisely. That's what I was trying to say. Okay, got you.
[51:06]Badly. Thank you for clarifying, because I didn't say that very well at all. Okay, just want to, I love it when we don't get the pain, but when we are getting the pain, we need to take the pain, right? Yep, absolutely.
[51:21]Thankfully, M-series Macs are very quick to restart apps, so this isn't as bad as it used to be. Yeah, I used to ask Bart to restart because of some problem on his Mac, and he would just say no, and it's been seven and a half months, Allison, I'm not doing it. It wasn't that long, but it was forever. And now it's like, hey, why don't I just reboot? Click, bye. Okay, I'm back. It's amazing. It's just amazing. I love my M-series Mac.
[51:44]Moving on to worthy warnings then. We have a new technique being used by those evil baddies, and they're using it to target regular folk. So I just want to make you aware of this. There is a spate of malware attacks using fake browser update screens. So web pages made to look like Chrome is offering you a browser update. But of course, Chrome doesn't offer you browser updates in the web page. That's like in separate UI that is not embedded in a web page. So if you're on a web page telling you it's your browser, no, it isn't. Web pages aren't your, you know, your browser will not tell you through a web page. So don't believe it. Don't click the download button. Don't click the installer. It's not what you think. Also, we have on the one hand, and it's not news that baddies are targeting developers. I think I've said it in the last six installments in a row. But they keep on becoming more imaginative. The latest one makes me very sad in the why-can't-we-have-nice-things category. Security researchers have discovered attackers creating identities on Stack Overflow, building up reputation and then spending that reputation to point people at malicious Python packages.
[53:01]Oh, geez. And just as we were about to record, I checked my feeds and security researchers in Israel discovered a whole bunch of malicious VS Code extensions with millions of installs. So we need to be careful installing plugins there as well as plugins everywhere else because baddies don't want us to have nice things. This story bothers me because telling us to be careful doesn't give us any information. And when I'm looking at the Bleeping Computer article, it says they found 1,283 with known malicious code.
[53:37]So I can't do anything about this. How do I know if the marketplace extension that I've chosen is one of the 1,283? What you can do is install no more than you need and favor plugins with history and reputation. It's not a guarantee, but what is really, really, really dangerous is plugins with no history and no reputation. So sometimes you have the ability to see what the history and reputation is, and sometimes you don't. I don't know. Yeah, I mean, I guess I just typed in "markdown" for an example to see what I could find, and yeah, I guess inside VS Code it does show you. Oh, look, well, it says 348,307 downloads. That sounds pretty good. Two stars, but only seven people rated it. It's on version two and it started in 2018. So that to me, that at least is some history, right? Like your typical malicious plugin will be three weeks old or something and downloaded by 50 people or whatever. So, I mean, like I say, I can't give you, do this and you will never be in danger. But I can tell you to not unthinkingly install plugins.
[55:02]You know, you say that. I don't think anybody ever unthinkingly installs plugins. I think people install plugins because they need them, not just willy-nilly. Like, I think that... That's okay. That's not what I meant by unthinking, though. What I meant is when you're presented with a choice of possible plugins to solve your very real problem, look more deeply at the plugins. Not just do they solve my problem, but look deeper than that. Yeah.
[55:30]That makes sense. But saying only install what you need, well, who installs stuff they don't need? I used to. No, but I used to do that kind of thing where someone would say, hey, this is cool, and I'd go, oh, cool. It's cool. Whereas now I will only install a plugin if it's like a pain point. And that goes for lots of things. I used to install lots of browser plugins just because they were cool. We just can't anymore, and it's really sad. You know, why can't we have nice things? Why can't we be nerds? But, you know. So looking at my plugins, I did do a little analysis here. There are things that I installed because I needed them, but I may not be using them right now. So I'm disabling them without uninstalling them, and I think that might be a way to go. That's a really good suggestion, actually. Yeah. And if you disable them, then if you need them again, you're not going, oh, sugar, what was that plugin? Yeah. Which one was it? I found that worked. Yeah. No, that's good. That's really good advice.
[56:29]Continuing on worthy warnings, one last one that also makes me rather sad. Facebook have updated their terms of service to grant themselves more access to your data. And from what I can tell, you can't opt out. The headline from Intego implies that if you're in Europe, you can opt out. But actually, when you read the detail of the story, when you're in Europe, you can ask for an exemption where you need to make an argument that you are somehow special and you should be exempted, which is not the same as actually opting out. So as far as I'm concerned, when I read the detail, you can't opt out, period. And my European hat, I'm expecting a lawsuit because what they are doing in Europe is they are saying that we are collecting this data as part of doing business. So basically.
[57:20]Essential business operations are one of the reasons you can collect data under the GDPR. And they are saying that training AI is an essential business purpose. I didn't say that's what it was about. I didn't. You buried the lede there. Okay. Okay, so this is so they can train their AI, they're going to use your data? Yes. And they're just basically saying, and our terms of service now say we can. And in Europe, in order to do that, they've had to say, under the GDPR, you have to say what justification you have, and the justification they've chosen is essential business need, which is, to me, arguable. You can argue that training AI is an essential business need that definitely should not be an opt-in. So I think this is going to court. I imagine Max Schrems is sharpening his pencil and he's back off to European court. They could make an argument that training AI is an essential business service, but making the argument that using your personal data to do it is not an essential business service. Yeah, like I say, I think there's room for some litigation here. I think this is their opening bid. Well, it does say this means that you have the right to object to how your information is used for these purposes. If the objection is honored, it will be applied going forward. Maybe that, oh, that's only in the UK.
[58:36]UK and probably maybe EU. This says UK. Yeah, it's kind of difficult to know because the UK have adopted GDPR-esque. They've taken GDPR, tweaked it a bit and called it their own regulation. So it's now getting really complicated. God bless Brexit.
[58:56]I think this is the start rather than the finish. But I'm afraid if you're outside of Europe, this is very straightforward. Facebook is hoovering up your data to train their AI. Either continue to use Facebook in the full knowledge or sod off. They are your choices. Moving on to notable news, and I have very much taken an effort here to start with bad news and then switch to good news. And then we have some fantastic palate cleansers. So starting off, the first story just makes me go, why? So three years ago, it was noticed that you could bypass the parental controls in Safari to get around safe search. So you could basically browse to anything you wanted with a very easy little trick. And parent groups have been trying to get Apple to fix it for three years. Apple have finally said, yeah, we will, because Joanna Stern made a big deal on her very, very large platform at the Wall Street Journal. If Joanna Stern hadn't taken this up, I don't know if this would have been fixed, which makes me very sad.
[59:56]If you are a lover of TikTok and you noticed some famous influencers saying things you wouldn't expect, it might be because they had a zero-day bug that allowed for some account takeovers. Because this was such a valuable bug, it was used with precision, because it would be fixed by TikTok. So regular folks' TikTok accounts probably were not taken over. Just really effective influencers. So just beware that if you saw something odd... Any government representatives? I don't know if they were targeting... I don't know who they were after, but basically people with big followings is who they were reported as targeting. I've seen government, US government people who have really big followings. True, actually, yeah. A lot of politicians seem to be taking that up as a way of getting the youth vote because they don't read the New York Times, don't you know?
[1:00:53]Or much else. Anyway. Anyway, it was user accounts belonging to Sony, CNN and others. CNN was taken over. Yeah, CNN worries me more than Sony. Just from a danger point of view. Yeah, exactly. This next story straddles the borderline. So good news. Law enforcement successfully wrapped up a spectacularly large botnet. Depending on who you believe, it may actually be the biggest botnet we've ever found, and they mainly used the botnet to sell anonymizing services for malware. So basically you sell proxy services so that malware can route its evil traffic through regular houses, so it looks like ordinary people. So that's the good news: biggest botnet wrapped up. The slight tinge of bad news is that this botnet was developed by offering free VPN apps. So if someone says, hey, get this free VPN, it'll protect your privacy and it won't cost you a penny. Okay.
[1:01:59]Be really, really, really, really, really suspicious. Why would anyone do a VPN for free? And this is why, because it's not for free. They're turning you into a giant big part of a botnet. I wouldn't call this the bad news part of this story, Bart. I would say that this is just further supporting don't use free VPNs. And they did shut this down. So those ostensibly that they had were not active until five seconds later when somebody else started doing it. Right, yes, okay. Okay, no, fair enough. In that case, we have crossed over; we're on the good news page. Next up on the good news page: Google are redesigning how they store your location data. It is moving from the cloud to on-app storage, and they're doing the technical changes between now and the end of the year. So you will continue to have the ability for your Google tools to know where you've been to help you find stuff, without all of that data going onto Google's cloud. So win-win, in my opinion. That is the Apple playbook of keep the data local so that the local device can use it intelligently and it's not all sitting up in the cloud to be abused. So yay.
[1:03:11]I have said not so nice things about UK regulations since Brexit, but I'm going to say a nice thing. The UK introduced a not very excitingly named law, the Product Security and Telecommunications Infrastructure Regulation, or the PSTI. It sets a whole bunch of ground rules for internet connected devices. And one of the ground rules is you have to tell people explicitly how long you will give security updates on your internet connected devices, which means that we now have actual numbers which are legally binding for different smartphone manufacturers. So we know that Apple update their stuff for ages, but they've never actually told us how long. Well, now they said officially at least five years, and Samsung and Google are at least seven years on some of their devices. And this is being reported by some as, oh, Samsung is better than Apple. But just bear in mind that Apple have gone above and beyond the guaranteed five years many times. So Apple are not saying five only. They most recently did the iPhone 6S, which was nine years old, they did a security update. Exactly. So they're guaranteeing five, which is a great baseline, but they have a history of doing more. And they've now had to nail their colors to the mast at five years. And I really hope this triggers a little bit of competition. I'd like to see some healthy competition where they all try to outdo each other on how long they'll guarantee support. That would be lovely.
[1:04:39]So, yeah.
[1:04:42]I don't know. As long as you buy from Samsung or Google. Or actually when I bought a phone from Google and Google didn't support it after two years. Yeah. I think they may be getting better at it than they were then.
[1:05:00]I certainly hope so. I've just realized I pasted a story in the wrong place. There are still malicious apps in the Google Play Store. Be careful what you install. Next. Oh. Yeah, I'm sorry, Allison. I mispasted two stories here. Is nothing sacred? Bleeping Computer has found a hacked version of Minesweeper used to send malware. Minesweeper! Come on! We really can't have nice things. Yeah. And finally, here's why this made me genuinely happy. We have said many mean things about many American ISPs. Two thumbs up to Cox. They were responsibly disclosed news about a really bad security vulnerability. They immediately fixed it. And now they're telling us, yeah, by the way, we patched a really nasty bug. All good. Nothing for you customers to do. Good. So that made me very happy. That's not one of the good ones, by the way. That's good they did something good. This they did well.
[1:06:04]Reacting, sorry, two top tips. TidBITS have some really good advice. If you get an out-of-the-blue multi-factor authentication code that you didn't ask for, go change your password on that service, because it means someone is attacking you and they have your username and password, and the only reason they don't have your account is because the two-factor's in the way. So if you're, right, if you didn't ask for a Twitter code and you get a Twitter code, go change your Twitter password. Basically, that's what it boils down to. Um, and also Mac Observer have done a nice article describing how, should you ever need to, you can check if someone else is getting your location data from your iPhone because you have enabled some sort of sharing. Hopefully you never need this. This is, I have a folder in my bookmark manager called For Reference. This has got into For Reference. Should I ever need it, I will be able to use it, and I would advise people to just, you know, keep a copy of this somewhere safe in case anyone in your family is ever the victim of this kind of thing. What kind of tracking do you mean? Like Find My type tracking? Yes, so there are various things where your iPhone, you can end up sharing location data through a few different mechanisms.
[1:07:17]For example, having someone's device on your Apple ID would be one way to do it. Explicitly sharing your location data with someone else's Apple ID is another way of doing it. So it goes through some various steps, just a few little things to check, full of screenshots and stuff. Useful. Alrighty.
[1:07:40]So on to palate cleansing. Do you want to go first or do I go first? We have lots of palate cleansers. Oh, I'd love to go first. That would be swell. So I've put in a link to a logarithmic map of the entire observable universe. Let me say that again. Logarithmic map of the entire observable universe. It was created by a gentleman named Pablo Carlos Budassi. And let me explain first, if you're not familiar with logarithmic scales, this is a method that allows you to display numerical data that spans a broad range of values, especially if there's significant differences between the magnitudes of the numbers. So like the logarithmic scale for earthquakes, you know, it keeps going up by 10 times bigger, but you can't, these are things you can't really map on a linear scale. So on UFO feed, Pablo created this beautiful logarithmic map of the entire observable universe. So if you start at the bottom of the image, you see a very large picture of the Earth. As you start to go up in the image, you'll see things like the Hubble Space Telescope. Then shortly after that, the Moon. All of a sudden things start to get closer together. You get the Sun and some planets, and then you go through, you travel through the Kuiper Belt and then the Oort Cloud. All of a sudden then you're past the Milky Way, you go through gobs of galaxies, finally you see the cosmic microwave background, and finally you see the Big Bang at the top. It's really, really cool. It's just beautiful too. Yeah, did you get a chance to look at it yet, Bart?
[1:09:04]Briefly enough to go, oh, that's cool, it's very pretty. Now I do want to make a point. Steve says there's a mistake in it. There's tons of information, this, there's like a million little tiny things that you got to read, all these little labels. You can zoom in on it. But he pointed out there's an arrow up at the top that says unreachable, like above this it's unreachable, and we interpret that as meaning unobservable. But it's pointing before the farthest visible galaxies, when it should... He says it should really be pointed to the yellow line that separates the cosmic microwave background from the Big Bang. I would agree with Steve. Okay. Okay. So I wasn't willing to take a position on this issue, but... The cosmic microwave background is the surface of last scattering. Basically, everything before then is the ball of explosion that was the Big Bang. And the first time light could travel without being stopped was when that cloud of explosion stopped being a cloud. And that last bit of cloud is the cosmic microwave background. I'm not explaining that very well, but I'm not a physicist. No, no, I did. Anyway, I was going to say I'm not a physicist, but actually my degree says otherwise, so I should, I have no excuse.
[1:10:17]You have some identity, identity crisis problems, I think. I do. That's what happens with a joint, a joint degree in experimental physics and computer science. I don't know what I am half the time. Anyway. Well, and with a lot of interest in astronomy, so throw it, just mix it all together. True, true, true. So I have a follow-up pick. I don't think I've ever had a follow-up pick or palate cleanser before. So last time I recommended an episode of Malicious Life about the true story when the FBI ran a cell phone company making hacked devices and sending them to cyber criminals to spy on them with. The fact that that's a true story is kind of like head-blowing. Steve was actually talking about that very story last night at dinner. That was from Darknet Diaries, right? Well, the first one was from Malicious Life, and then it turns out the reason that came out was because one of the people involved wrote a book, and that book has inspired other podcasts. But the thing is, the other podcasts do it really differently. So it showed up on Planet Money a week later, and their focus was on the actual business of trying to run a successful company targeted at criminals to successfully exploit them.
[1:11:32]Without them noticing and keeping the business going. And so they looked at it as a business problem, which is completely different to how Malicious Life looked at it. Of course Planet Money did. Yeah, it's fascinating. And then Darknet Diaries took it on, and they looked at it from a whole other angle. It's like, well, hang on a second, this raises all sorts of Fourth Amendment issues, because they were definitely tracking American stuff. And so they looked at it from an almost EFF style point of view. Wait a second.
[1:11:59]Are you sure this was a good idea? What precedent has this just set? And I was too busy thinking how cool it was when I was listening to the Malicious Life episode that it never even occurred to me how terrifying it is. So those three points of view on the same story were really interesting. So there you go.
[1:12:15]That's fun. That's fun. If you would like some reading instead of listening and you have a lot of time, it took me 35 minutes to read this. Large language models explained with a minimum of math and jargon. It does exactly what it says on the tin. I have never understood LLMs as well as I do now. And I have never been as fascinated by their potential as I am having read it. And I've never been as sure that we don't have a clue how they work as I am now that I've read it. Oh, great. We know that they work and we can measure what they do, but we don't know how.
[1:12:57]It's really quite fascinating. They are fascinating devices. And then finally, I just want to end with a quote. John Gruber happened to mention this. Douglas Adams was an amazing author who, due to a car accident, and was taken away from us much too soon. But just as a little snippet, I've come up with a set of rules that describe our reactions to technologies. Rule one, anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Rule two, anything that's invented between your 15th and 35th birthday is new, exciting and revolutionary and you can probably get a career out of it. Anything invented after you're 35 is against the natural order of things.
[1:13:49]That's fabulous. That is so good. I love that. It couldn't be a better place to end the show today. I think that's just a lovely thing. I think I'm going to make a copy of that and just use it on people. Because of course, I'm not like this. I was going to say the way you can tell a nerd is that for us what changes is the 35. That's a variable. And for us, that variable is like 65 or 75 or 85. That's the only thing that's different between a nerd and a normal person is that that second number is taller.
[1:14:21]That's probably right. One can only hope, right? One of my goals in life is to not, is to fight the lack of plasticity in my brain as I get older. That's my goal. And I share that with you 110%. And the fact that you continue to be so excited about new tech is an inspiration to me to make sure I'm like that. Oh, well, thanks. Plus you irritated Jill of Kent just now by saying 110%. So we got all the jobs done. There we go. There we go. And with that then, folks, remember, stay patched so you stay secure.
[1:14:59]Well, that's going to wind us up for this week. Don't forget to send in your 1,000th episode recording to Steve by June 23rd by emailing him at steve at podfeet.com. And hopefully we'll see you in the chat room for WWDC, what will be tomorrow for me, and hopefully you'll have heard this to be there to join us. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion or a review like Graeme did, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube, you can just go to podfeet.com slash YouTube. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely NosillaCastaways in there. It's so much fun. You can support the show at podfeet.com slash Patreon, or with a one-time donation like Neil and George from Tulsa. And you can do that by going to podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.
[1:16:05]Music.
