NC_2024_06_23

2021, Allison Sheridan
NosillaCast Apple Podcast

Chapters

NC_2024_06_23
Don’t forget about TouchRetouch for Photos
Notability Foundation Tutorial on ScreenCastsONLINE
MacVoices #24165: Road to Macstock - Allison Sheridan of The NosillaCast
CCATP #796 – Bart Busschots on PBS 168 – Introduction to YAML
Making Physics Shorts – by Physics Nerd Graeme
Ice is a Strong Contender to Replace Bartender App
CSUN 2024: Sony OTC Hearing Aids
Support the Show
Security Bits – 2024-06-23

Transcript

[0:00]
NC_2024_06_23
[0:00]Music.
[0:07]So slight Apple bias. Today is Sunday, June 23rd, 2024, and this is show number 998. Well, Steve has been getting a lot of great things, apparently, great recordings from a lot of people about our thousandth episode coming up. He's not letting me listen to them, and it's killing me. But if you haven't already sent one in, it is too late now because today was the deadline. And he's got a big old spreadsheet going and he's having all kinds of fun listening to these. So very much looking forward to hearing what people said. I do want to remind you before I get too far stuck in that there will be no live show on Sunday, June 30th, because we will be on vacation. So you're going to get a show in about two days. Hopefully it should come out in two days, on Tuesday. And that's why there's no show next Sunday.
[0:59]
Don’t forget about TouchRetouch for Photos
[1:00]Listener Kim wrote in a fun little contribution. She said, I was listening to your recent podcast as you discussed the upcoming iOS 18 features. Like you, Allison, I take many photographs a week and I often edit them to get rid of trash cans, telephone lines, waiters' heads over my shoulder, etc. I've been using this app TouchRetouch for many years now and I've recommended it to all of my friends. It's even got a tab especially for removing lines and it does an awesome job. It's inexpensive and it fits itself right into my edit tab in my Photos. Until Apple comes out with their version, this is a great solution. Thanks for all the great info in your podcast, Kim. Oh, thank you so much for the kind words, Kim. And the great tip, a good reminder. I am a huge fan of TouchRetouch for exactly this use case. I live where power lines are above ground, so nearly every photo I take on my long walks is marred by them. I've used TouchRetouch to remove them, and it works as well as you say it does. I immediately thought of the TouchRetouch folks when I saw the improvements in Photos announced at WWDC. I suspect the dedicated app will still excel at some things better than Photos, but normal people don't want to launch a helper app or even know how, so the Photos implementation will be more useful to the masses. I also hope that the ability to autofill backgrounds will be better accomplished with Apple Intelligence. Thanks again for reminding people about TouchRetouch, Kim, and I put a link in the show notes to an article I wrote about it in September.
[2:26]
Notability Foundation Tutorial on ScreenCastsONLINE
[2:26]One of the apps I'm passionate about is Notability. Eight years ago, I created a ScreenCastsOnline tutorial about Notability, and we've done several little update and tip videos about this great software. Notability has only become more and more capable since 2016, so we decided it was high time for a bottom-up tutorial. But as I started mind-mapping it out using MindNode, I realized it was far too capable to explain in just one video tutorial. So I'm excited that my Foundations tutorial on Notability was just published at ScreenCastsOnline. I was on such a roll, I also recorded Notability Advanced, which will be following in two weeks, so I think it was July 5th it's going to come out. I'm passionate about this tool, as you can tell, and it really comes out in both the Notability tutorials I just created. I put a link in the show notes to the full Notability Foundations tutorial at ScreenCastsOnline, and I've embedded the teaser video in the show notes as well. You can get a free seven-day trial of ScreenCastsOnline where you can watch all of the current back catalog. But beware, you'll want to subscribe for real after you watch a lot of the videos.
[3:33]
MacVoices #24165: Road to Macstock - Allison Sheridan of The NosillaCast
[3:33]This week, Chuck Joiner of MacVoices asked me to come on his show for a series he does every year called Road to MacStock. He interviews all of the presenters about their upcoming talks, I think kind of as a teaser to try to convince you to come to MacStock. A few years ago when he had me on, I wasn't really very enthusiastic about my topic as I described it to him. As we talked about it, I explained my process of using mind mapping to storyboard my talks. Chuck observed that I was a lot more excited about mind mapping than I was about the topic I'd chosen, and he suggested I talk about mind mapping instead. He was right. I changed my topic and it came out great. Now, Mike Potter, the fine gentleman who runs MacStock, was not quite as pleased since it was just a couple of weeks before the show and he'd already printed up programs and my talk topic was incorrect.
[4:20]Well, anyway, this year Chuck and I had a lovely chat where I explained both my presentation on the main stage during the show that's on the weekend and the workshop I'm going to be conducting on Friday. You can check out the video of Chuck and me chatting at macvoices.com or, of course, you can subscribe to MacVoices in your podcatcher of choice. Now, I don't know if it's live yet, but I know that Jill from the Northwoods is going to be one of the speakers and she was also on Road to MacStock, so look for that one too. If this gets you excited for MacStock, remember to use my coupon code PODFEET in all caps to sign up and you'll get $30 off the price of a weekend pass or the full three-day pass, which includes the workshops. I get $30 back too if you do. On the Mac Geek Gab, Dave Hamilton described MacStock as being like camp. I think that's a perfect description. MacStock is summer camp for Apple nerds, and I hope to see you there.
[5:13]
CCATP #796 – Bart Busschots on PBS 168 – Introduction to YAML
[5:14]In Programming By Stealth this week, we've completed our series on the jq language, and now Bart Busschots brings us a two-part mini-series about the YAML data format. He takes us through the history of data formats that we've enjoyed, such as fixed-width text files, comma-separated values, all the way through to JSON and XML. All of them had their place in history, but also had their downsides. YAML promises to be human-readable, yay, and computer-readable, also yay. Once we're bought into how YAML is the data format of our dreams, Bart explains that there are only two kinds of data, scalars and collections, and that collections can be sequences or mappings, and all of these data types go into a document. Luckily, this is all of the jargon we'll ever have to learn, and there are useful synonyms from other languages. For example, sequences are really just arrays. I found this lesson enjoyable and not too hard on my little brain, so I suspect you'll enjoy it as well. You can find Bart's fabulous tutorial show notes at pbs.bartificer.net and of course you can subscribe to Programming By Stealth in your podcatcher of choice.
[6:18]
Making Physics Shorts – by Physics Nerd Graeme
[6:19]Physics Nerd Graeme here for a mini-series on a mega-project I embarked on recently. For the NosillaCast, I will go into the details of the three steps, talking about Typora for text, Audio Hijack and iZotope RX 11 for audio, and finally Keynote as a powerful video content creation tool. I recently embarked on a project to create videos for the rest of the A-Level Physics course to go on my YouTube channel, Physics Shorts with Dr. Shepard, having done half of them a while back. I spent some time developing my process, so I thought I'd write it down and share. In developing my process, my goals were as follows. Produce videos with clear, correct information presented in my style, with my structure, for my students to refer to before or after my lesson, and to make them freely available to any student. Make the whole process relatively quick, so I can feasibly complete the whole course. Ensure my written material is in a simple format that could potentially be fed into generative AI in future to produce new formats for students to consume as they wish. Record high professional quality audio and video. Create videos that could be edited if content needs to be corrected, augmented or removed, unlike my older lesson videos.
[7:42]After much consideration, I ended up writing notes in Markdown and LaTeX using Typora, since generative AI can parse both these formats and they are lightweight, easy to type and reasonably human readable. Recording audio only with Audio Hijack, since video required a permanent studio with camera, tripod, lighting, screen as well as the microphone, and I needed to memorise what I wanted to say to make it look professional.
[8:15]Audio only just needs the microphone and the ability to talk from the notes, and iZotope RX 11 to produce a final WAV file. Creating the video in Keynote, since it will be easy to update in future and produces extremely high quality output. I will go over my reasoning for each of these decisions separately, giving you details on how to get the most out of them. For context though, my old process was making longer content I called lesson videos, and had me writing out full scripts in BBEdit, recording the main audio in Audio Hijack and talking head intros on a big boy camera, playing the audio at half speed as I wrote notes by hand using Explain Everything on my wife's iPad, and then combining and editing it all on my Mac using Final Cut Pro, which took ages. The results looked great if I took care of my handwriting, but it was ridiculously lengthy, and going back to fix something, well, I never drummed up the energy. So, on to the new process. With the new physics shorts, I decided I didn't want these to take over my life, so unlike my previous videos, they are not 5-10 minutes, they are 2 minute overviews or reviews intended to be used alongside actual teaching.
[9:42]I've taught physics for many years, so I have a style and a preferred way to approach explanations. So I went through my scheme of work, the lesson order, so to speak, looking at the syllabus content, and I just wrote. I looked at lesson one, opened Typora, and wrote out the key aspects I wanted to teach in my voice but in bullet or note form. Since I've done this in the classroom for 20 years, it didn't take long.
[10:11]When I needed a formula, ChatGPT helped me learn LaTeX to do this, or simply provided it for me. I then edited the notes down to remove unnecessary waffle, because I can always waffle to my heart's content in the actual classroom, and I saved it. I then record the audio, about 2 minutes' worth, in one take, doing a bunch of them in one session. For the video, I take my Markdown notes and put them in Keynote. I'll chop them up a bit, add images as needed and animations if they help, then export as a video which can be uploaded straight to YouTube.
[10:51]A couple of final niceties are that I'll create a thumbnail for each video using a standard format in Keynote, and I'll use MacWhisper to get subtitles from the exported video. I could rely on YouTube's auto-subtitles, but doing this myself allows me to make any corrections to technical terms easily, and make sure the symbols in equations are correct, such as changing lambda being written out to the Greek letter lambda. For the NosillaCast, I will go into the details of the three steps, giving a partial review of Typora for notes, my workflow for Audio Hijack and iZotope RX 11, and finally describe how to use Keynote as a powerful video content creation tool. So stay tuned for my partial review of Typora next time. If you want to know more, you can always find me with the other NosillaCastaways on Slack. So head over to podfeet.com/slack and say hi.
[11:51]Well, thanks for that, Graeme. And to the audience, I am super excited about all of the pieces of this. He's been actually sending me the scripts and recordings ahead of time. So I know what he's going to say on most of it. And I'm really enjoying what I'm learning from him. I'm especially looking forward to the final piece, which will be how he uses Keynote to make videos. So that should be really, really cool. I also want to give him a big thumbs up. I don't think anybody has ever given me better organized text files in Markdown, the images named so, and pointers to where they go in the file, and giving me the alt text to put into the images. And nobody's done it as well as he's done it. It is just, it's a beautiful thing to see. And the images are all high quality, large, large images. So the blog posts are great. And the text is great. And the audio is great. And I'm loving every minute of it. So stay tuned for next time when he's going to be talking about Typora.
[12:46]
Ice is a Strong Contender to Replace Bartender App
[12:47]I talked a few weeks ago about the Bartender kerfuffle when developer Ben Surtees sold it to a company called Applause. While I've not taken up the alarm bells, many still remain skeptical of this new company that's taken over the app. You'll also remember that Physics Nerd Graeme reviewed Hidden Bar for us as an alternative to Bartender. This week, I'd like to tell you about another alternative to Bartender called Ice. Jordan Baird is the developer, and he provides a couple of ways to get Ice. You can download it from his site, icemenubar.app, where you can download it for free. You'll be invited to, but not required to, give him a donation for his efforts. He also distributes Ice as an open source project through GitHub under an MIT license. This license allows others to fork the code, improve upon it, and even distribute it themselves. On the GitHub page for Ice, you're also invited to sponsor his efforts. If you end up liking Ice, please consider supporting Jordan's efforts. So let's talk about who Ice is for. If you're a hardcore Bartender user like me and use all of the features, including context switching and the secondary bar, making groups of menu bar items with their own icon, then Ice may be too limited for you. But I encourage everyone to try it out because it might do everything you really need in a menu bar item manager.
[14:03]Hidden Bar is a good little app, but after listening to Physics Nerd Graeme's review and testing it myself, I find Ice to be more polished and with more capability in terms of styling. It's also under active development with the latest release just two weeks ago, whereas Hidden Bar hasn't been updated in a couple of years. One of the things that freaks people out with Bartender is that it asks for screen recording permissions. Ben went to great lengths to explain why that privilege was required by Apple for him to be able to do his magic even though he's not actually recording the screen. Like Bartender, Ice requires screen recording permissions. Jordan specifically says in the request screen, Ice needs your permission to apply custom styling to the menu bar. Ice does not record your screen. You're going to hear about custom styling later, that it's much like what you can do with Bartender and which you can't do with Hidden Bar.
[14:55]Like Hidden Bar, Ice separates your always-shown from your hidden menu bar items using a little chevron that points to the left. Using the standard method of holding down the Command key to rearrange menu bar items, you can drag the ones you want to see all the time to the right of the chevron and the ones you want hidden to the left. This chevron separator is also a menu bar item, so you can drag it left and right too with the Command key held down. Hidden Bar had a problem where the separator disappeared into the menu bar, but Ice doesn't suffer that problem.
[15:24]After I organized my menu bar items a little bit with Ice, I just happened to right click on its menu bar icon to do something else when I noticed in the drop-down menu an option to show the always hidden section. When I selected that option, a second chevron separator appeared at the far left of the menu bar. I was then able to Command-drag any menu bar items I simply never wanted to see over to the left of that chevron. Now, Bartender has three sections too, but you have to drag the menu items into three different sections in the settings pane. It works, but I actually like the way Ice does it even better. Now that we've got things organized a bit, let's take a look at the settings of Ice and see how it'll allow us to tailor it even more to our liking. On the General tab, we can choose an icon for Ice, and there's a bunch of cute ones built in. On top of that, you can even choose your own image for Ice. I changed mine to Podfeet as a test, but the high contrast black icons Ice offers you are easier to see than my little orange feet. Stay tuned because there's going to be something about that a little bit towards the end.
[16:29]Now, since Ice is hiding a lot of icons, we need to tell it how to reveal them to us. In the General settings, we can choose to click on an empty area of the menu bar to show hidden items or simply hover over an empty area to have them revealed. If neither of those suits your fancy, there's an option to scroll or swipe across the empty area to reveal your menu bar items. You swipe from left to right to get the menu bar items to fly out to the left. You put them away by swiping back to the left. Seems sort of backwards, but it works.
[17:00]Once you've chosen a method to reveal your hidden menu bar items, you repeat the same action to hide them again. You can choose to have them automatically re-hide, and with that toggle turned on, you get a new dropdown for the strategy you want Ice to use in order to hide them. The first strategy to choose from is a smart algorithm, and I honestly don't know what rules it follows. You can also choose timed, which reveals a slider for how long you want it to wait before hiding, from 0 to 30 seconds. I tested it at zero seconds and sure enough, it disappears instantly when you pull your cursor off the menu bar. Finally, you can choose to have the menu bar automatically re-hide when the currently focused app changes. Interesting option, and it works as advertised.
[17:41]As I worked my way through all of the settings, I took a pause to see if these settings for Ice were accessible. With one exception, I found that they were accessible. That one exception was a tint slider that we'll talk about in a moment. I suppose if you're a VoiceOver user, you might not care that much about changing the tint, but you know, sliders are pretty easily made accessible. Then I got curious about how one would arrange menu bar items with VoiceOver. I couldn't figure it out on my own, so I asked for help on Mastodon, and Robin Kipp responded. I want to give you his full response because he was very kind after I explained I was a low intermediate doing my best to test apps for VoiceOver. He wrote, as a blind VoiceOver user, I first of all want to seriously thank you for doing this. It doesn't matter, honestly, if your experience using VoiceOver might be limited, as long as you test what you can and keep an open ear for user feedback on accessibility issues. That already goes a super long way and is significantly more than what some other devs and companies out there are doing. Great job!
[18:41]Unfortunately, it's true there is not a reliable way of rearranging status menu icons using VoiceOver. However, it is possible to navigate to all of the icons which are in there by pressing the VoiceOver keys, either Control-Option or Caps Lock, plus the M key twice. That will move VoiceOver focus to the first icon. You can then navigate through the various icons by pressing VoiceOver plus right and left arrows and activate the focused icon using VO-Space. Hope that helps. Well, I appreciated his words of encouragement, and I was also truly surprised to find that Apple doesn't let VoiceOver users rearrange menu bar items. Using the keystroke combinations Robin gave me, I discovered an advantage VoiceOver users have over the rest of us. Remember, the whole point of Bartender and these other alternative apps is to help us deal with too many menu bar items? Well, guess what? VoiceOver users get to hear all of the menu bar items, even if there's way too many to be seen, because they're hidden under the application's menu on the left, but VoiceOver doesn't care. It can still see them all. They're there for VoiceOver to find. Isn't that nifty?
[19:51]Well, it's kind of funny. While Ice is nearly completely accessible, it solves a problem blind people may not need. And since they can't rearrange things with VoiceOver because of missing capabilities in macOS, they really won't care. It's still fun to learn about. All right, back to learning some more about the settings in Ice. In the most recent version, version 5 of Bartender, Ben added some really nice visuals to our menu bars. Jordan appears to have borrowed the new aesthetic elements heavily from Bartender, or maybe was it the other way around? Anyway, let's go through what you can do to tailor the look to your desires. You can add a tint to the menu bar with either a solid fill or a gradient, and you can add a shadow to the menu bar. I really like a contrasting tint on my menu bars with Ice and with Bartender. You can add a border of varying thickness, but I find this gives the menu bar kind of a coarse look to it. But if you like it, you do you.
[20:46]One of the coolest visual effects in Bartender and in Ice is the ability to split the menu bar and shape the two sides. Splitting the menu bar gives you two distinct menu bars, one on the left for the app's menu and then another one on the right for all the menu bar items that are normally over there. So you get two separate menu bars. In Ice, once you split the menu bar, you can choose the shape of both ends of the menu bar. You can make either end squared off or pill-shaped, and I like to have the split menu bar with a pill shape on both ends with that nice gradient and the drop shadow. Really looks nice. Now I'm going to skip over hotkeys and settings because it'll make more sense if I walk you through the Advanced settings first. The first advanced option hides application menus when you show hidden and/or always hidden menu bar items. This feature collapses the active app's menus down so you only see the Apple icon in the upper left. This makes it more likely that you'll be able to view the menu bar items you need on a small screen. On my 14-inch MacBook Pro screen at its default resolution, I was able to see 42 of my 44 menu bar items all at once when the left side was collapsed. I normally keep eight of those always hidden and a lot of them hidden except when I need them. It was around this time in my testing that I realized Ice has one weakness, and it's multiple monitor support.
[22:07]We're going to hear about this in a moment too. As I started modifying settings, like hiding application menus, the graphics got messed up in different ways on my internal and external displays. The menu bar got too short vertically to hold the text on the internal display, but too tall on the external display. As soon as I unplugged my external display, the internal display looked dandy with Ice. That's where we really need Ice to perform well, so that's good, but having janky display of your menu bar items when you plug in a big display is still a problem. I think I found a solution to the problem though. In Display settings for a given display, you see just a few standard resolutions, but you can also select Show All Resolutions and see even more. In the standard list for a 14-inch MacBook Pro, you'll see the default of 1512x982, but in the longer list, you'll see 1512x945.
[23:01]That's 37 pixels shorter in height. As it turns out, the notch is 37 pixels tall, so if you choose 1512x945, you will not have a notch on your screen. As soon as I changed my internal display to 1512x945 and the notch disappeared, both displays' menu bars managed by Ice returned to normal. Sounded like I'd found a wee bug. Since Ice is an open source project, it's super easy to report a bug in the GitHub repository under Issues. You don't even have to find it yourself because Ice includes a button to report a bug on the About tab of Settings. You'll also find a support button to send some financial love.
[23:42]Now, still in the Advanced tab, you can choose whether to show the section dividers, you know, those little chevrons that mark which items are hidden or always hidden. The main advantage of turning the section dividers off is they take up slots that can be used for menu bar items. Remember, I can only see 42 of my 44 menu bar items on my internal display when showing all items. I would actually be able to see all 44 if I turned off the section dividers. Now, you don't really lose functionality with the section dividers gone, because you can toggle them back on while you rearrange things and then turn them back off if you like. Finally, you get a toggle that will let you Option-click in the empty area of the menu bar to see your always hidden items. If it's hard to find an empty space, you can Option-click on the Ice menu bar item to toggle the always hidden items. This feature works very well and predictably.
[24:31]Now that we understand the Advanced settings, we can back up to the hotkey settings. You can record a hotkey to toggle the hidden section and another one to toggle the always hidden section. If you want to manually move the application menus out of the way, you can assign a hotkey to that function. In my experiments, I found that the hotkey would quite reliably toggle off the application menus on my external but not my internal display. Kind of weird. Finally, you can record a hotkey to toggle section dividers on and off. The bottom line is that Ice is a lovely replacement for Bartender, and it's free unless you choose to support Jordan's work, which you should. I still miss the secondary bar of Bartender, but hang on to that too. And I have to say the ability to make split menu bars with pretty rounded corners and a nice tint is quite pleasing to me with Ice. It's easy to arrange menu bar items, see hidden items, and even see always hidden items. Bartender doesn't let you see always hidden items on demand. You have to manually move them into the secondary or primary bar to see them. I like the way Bartender lets me make little menu bar item groups, like all of my cloud services under a tiny cloud emoji icon, but I can live without that if I have to. Remember, Ice is in active development, so after you push the support button for Jordan, remember, you can always ask for enhancements. If you like what you've learned about Ice, check it out at icemenubar.app.
[25:55]Now, after I finished writing up this review, I posted in the discussion area of Jordan's GitHub repo for Ice to tell him about it, and he responded with some really interesting comments. After saying that he liked the review, he said, the display bug you mentioned is sadly one of the more common issues. I may have come up with a fix for it, but unfortunately I can't test it myself as I don't have a MacBook with a notch. The bug doesn't occur without one. Then he said, as mentioned in your comments, there is a beta available that has a secondary bar, although be prepared for some bugs. On a final note, if you choose a custom image, you can actually have it display as a monochrome image as if it were a default icon in the menu bar. You just have to check the option to use template image. Maybe it could use a better name. What I really like that he did in his letter back to me is he showed me a monochrome Podfeet in his menu bar. How awesome is Jordan?
[26:52]
CSUN 2024: Sony OTC Hearing Aids
[26:52]Let's switch gears and listen to another interview from CSUN's Assistive Tech Conference.
[26:58]I'm with Lauren Reynolds at the Sony North America booth, and they've got a booth here about over-the-counter hearing aids. Now, from what I understand, a couple of years ago, the FDA allowed us to now buy hearing aids over the counter. So instead of being $5,000, $6,000, $7,000, they can be bought for a lot less. Is that correct? Yes. From 2022, these have been FDA-approved over-the-counter hearing aids. So we have two different versions. We have the CRE-C10s. These are going to be battery operated with a battery life of around 80 hours. So this is the traditional little tiny hearing aid battery. But I'm looking at this thing and this is absolutely minuscule. There's a picture on the box here too that shows when this is inserted in the ear, you aren't going to see it at all. There's nothing behind the ear. It just goes straight in, right? It's quite small. There's a little piece that sticks out so you can pull it out with ease, but the idea is that it's supposed to be quite discreet so you don't notice it's there. Right, right, right. So, and then the other model here is? This is the CRE-E10s. These look a lot like sort of AirPods or, you know, the Bose ones.
[28:12]And they have a feel of an earbud, quite deep in the ear with replaceable nibs for a size of your liking. And then that goes back into the classic recharging box, just like you would AirPods or Beats. Yeah, so you're able to recharge these as you need. The battery life is going to be 26 hours, so you can use it every day and then charge it overnight while you're sleeping and then put it back in. Since they look like earbuds, they just look like earbuds, not like a hearing device. Yeah, so these are going to be less discreet, but they're still comfortable because they sit comfortably in the ear canal. Yeah, they're still pretty small. So you need to somehow tell the hearing aids what you can't hear because maybe what you can hear is different than what I can hear. Right, right. Is that done through an app or something? So we do offer an app on the App Store.
[29:04]It's available for both Android and iPhone. So the app basically takes a hearing profile test and you get to figure out what parts you're lacking so that way it can compensate for the parts of hearing that you don't have. And then what happens is it's going to take a while for your ears to adjust so you can adjust your profile on the app anytime you need to. You can turn down the sensitivity if it's ever too loud, or you can turn it up. Okay, that's pretty cool. Now, what is the price point? So the CRE-E10s are the bigger ones that look like earbuds? Yeah. And how much do those run? So these are $1,300 right now, but I believe they're $200 off on sale. So $1,100, but you'll have to check on that. All right, and then the CRE-C10s, the little itty-bitty things that nobody can see? Yes, these are $1,100, and they might be $100 off right now. All right. Right. Yeah. And where would we go to find out more about the Sony over-the-counter hearing aids? Well, you can just Google them and you'll find them. We have it available on our Sony website and we have a whole accessibility section where you can read more about it. Oh, fantastic. Thank you very much, Lauren. Yeah, of course.
[30:12]
Support the Show
[30:24]A week of that money to help support the work we do here. Sound good?
[30:26]
Security Bits – 2024-06-23
[30:28]Music.
[30:36]Well, it's that time of the week again. It's time for Security Bits with Bart Buchatz. What fresh new horrors do you have for us today? I think we're low enough on horrors. We have a really nice deep dive. Oh, good. That's fun. I won't say we're free of horrors. That would be a lie. This segment would be cancelled if that was true. But, you know, we do nonetheless have some stuff to get into. Now, we have loads of little bits to follow. You know, I love being a deep dive. Well, that's why I kind of do them, and I like doing them too. So we talked last time that Microsoft was getting a lot of pushback for their somewhat half-baked recall feature, which, while functionally rather cool, we were all a tad worried it might, well, be a bit of a privacy nightmare. They've decided that maybe this needs to go back a little to the beta stage, or in Microsoft lingo, the Windows Insider program. So that is going safely back where it belongs in the let's get it ready phase instead of the, oh, let's go phase. That was good. You know, I would almost forgive a small company for this, but shouldn't they have known better? Well, especially when Satya Nadella made a giant big point about telling everyone that if the question is security or features, the answer is security when he, you know, got in all that trouble for the recent security stuff and announced a whole big change. And then like a week later, they do this. That was needless. That was silly. That was an unforced error. And the own goal, as they say. Yeah. Oh, I would have thought you would have come up with the sucker analogy. but yes, absolutely.
[32:04]So we used Snowflake as an example of the dangers of supply chain problems, because if you hack a company that provides services to companies, you get like a multiplier effect. And so we talked about, I think it was three breaches we knew at the time were tied back to Snowflake. They were, oh, there was a car company. Basically, there were three different breaches, each of which had a lot of outcome. And we sort of thought there might be another shoe to drop. A number of customers of Snowflake have been breached. What is a number? It was at least three. Unfortunately, it is 165. Now, they're all going to be of varying sizes, so some of those could be giant. Oh, thingy, Ticketmaster. Ticketmaster was one of those 165. Oh, that was it, yeah.
[32:51]Wow. So, yeah. I think we knew about Ticketmaster last time, right? Absolutely, we did, yes. So 165, I was giving Bart a hard time. I asked him, why are we reporting on a hack that affected 165 customers. And he said, oh, those are 165 companies. Oh, yeah, I forgot. Yeah, slight multiplier effect. We also mentioned last time that Meta, I was going to say Facebook, but Meta were updating their terms of service and that I didn't think it was going to hold water in the EU. What they were basically saying was, no opt-out in America, we're hoovering your data up for AI. And in Europe, you can raise an objection and then we can tell you no. And I was like, I predict developments. There have been developments. They've decided, after having spoken to the European Commission, that they won't do that in Europe, actually. But they're still going to trade in on the US data, though, right? Good. I'm sorry to say yes. Yes. And a somewhat related story that I was in two minds as to whether or not to pop in the show notes. Sonos have removed the line from their American terms of service that says they will not sell your personal data. They haven't replaced it with something. It's just gone. It's still in our terms of service. It's gone from yours.
[34:06]That's lovely. Sonos is on the poo-poo list right now for sure. I don't know if you heard about what they did for accessibility. Their new app came out and it was inaccessible. I mean, can you imagine paying thousands of dollars for hardware? And I mean, to me, they stole the hardware from people. I mean, that's what it was. It was like, we just took it away from your house because it didn't exist for them anymore. For every blind person, nobody could use their Sonos devices. I thought it was bad. Some of the stuff they'd fixed, some of the stuff, uh, here and there, but there's a lot of stuff you can't, you still can't do, and it's way, way, way harder to do. Like, you can't set alarms. Or, no, I'm sorry, you can set alarms now, but you can't turn them off. The only way they can turn off an alarm is to disable VoiceOver and hope you're correct at tapping the right button, and you feel the haptics, and then you can turn VoiceOver back on. Oh my God. Okay, I have first world problems. I have a house full of Sonos, including two other portable battery-powered ones. And the only thing I use the app for is to look at the status of my batteries, because there's no battery indicator on the hardware devices. And in the old app, you opened the app and you saw your list of devices. On the new app, you can't get a list of devices. You can get all the music they want to sell you, but you can't get a list of devices. And when I do find the devices deep down in the settings, the battery indicator's gone. You have two Sonos Roams. What are their batteries at?
[35:35]When it runs out, the light will go red and the music will stop. Plug it in. So there's no button sequence you can do to get tones or anything like that? No, it has a red flasher that comes on when it's really quite low indeed. And then you have like 20 minutes. My little Wonderbooms will tell me what their battery life is in tones, but not the expensive Sonos. No, it was always open the app and it was right there on the first screen, straight in front of you, a little red sign saying battery low. All gone, because they want to sell you content. I will not be recommending Sonos to anyone. And I was a really big Sonos fan. No. Yeah. I mean, it just works was their main thing, right? Right. It's like Evernote. You had a great note-taking app and then you tried to make it do everything and it was rubbish. Well, you had a great speaker system. You tried to make it do everything and now it's rubbish. Right. Anyway, off that little side diversion. On the Sonos website, it says in the Sonos app, open the system view by selecting your system's name at the top left of the screen. The battery level will appear in the listing for your Roam. I don't see a date on this article. A little lightning bolt is added to the battery indicator when Roam is connected to power to show that it's charging. So your system view. So at the moment, your system is not showing any of my Roams. Your system thinks I have one speaker. I have four. Oh, good.
[37:05]Good job. Good job. Okay. Good job, Sonos. Right. Another thing we talked about last time was that attackers have found a new way to trick people. Put a web page that pretends to be a browser error, but not like in a separate pop-up window, right in the body of the web page. And we talked about it, but we didn't have an actual example. If you'd like a screenshot of what it looks like, like the day after, another story broke of a specific attack, so that's now linked in the show notes. Basically it looks like a Google Chrome error message, but it's right in the middle of the page, and it wants you to run some PowerShell. And if a web page says copy and paste this into PowerShell, no.
[37:46]That's not how it's going. It doesn't matter what icons they put in it. No. So there we are. Copy fix. Yeah. Don't do that. Wow. We talked a lot about the 23andMe breach. And up until now, there's been no consequences for 23andMe, apart from obviously bad press. And I guess they might have lost some customers. Now there is an official investigation, both in the UK and Canada, which could end up with some steep fines. So fingers crossed. And finally, Max Schrems' campaigning organization in Austria have filed a formal complaint against Google's Privacy Sandbox, which is their way of having more privacy than third-party cookies, but less than full privacy. And Max Schrems is like, I don't care if this is less bad than third-party cookies. It's still not okay. So depending on how the Austrian Data Protection Authority feel, this may or may not delay the end of third-party cookies even more. So ironically, perfect may be the enemy of the good. Right.
[38:49]Keep an eye, basically. Right. Well, that brings us to our deep dive. So this deep dive comes about because of a story, and later I discovered it would have come about a few weeks later because of another story, so I guess we get to do it twice. So Microsoft had a big announcement as part of their security push, that they forgot to do for Recall, um, to say that they are tightening security for non-enterprise, so for what they call home users, of their email services. So Outlook.com, Live.com and Hotmail.com, which still exists. So at the moment, those users can still use what is called, well, Microsoft call it basic authentication. I call it legacy authentication. And Microsoft said that coming at, what does it say, September 16th, 2024, if you want to use a mail app, it has to support modern authentication, or you will not be able to use it with Outlook, Hotmail or Live.com. What is modern authentication? The subject of this deep dive. Oh, okay, good.
[39:53]So quickly, I just want to get the Microsoft news, and that gives us the context to actually explain what are they talking about. So if you're a user of those things and you use a mail client instead of the web page, then your mail client has to authenticate to Microsoft's servers, and it may or may not be doing that the old-fashioned way or the new way. If it's doing it the new way, no problem. If it's doing it the old way, on September 16th, it won't work anymore. And if you're using the standalone Mail and Calendar apps in, I think it's Windows 10 has these standalone apps, that is ending at the end of this year and you have to move to Outlook, or a different app completely like Thunderbird or whatever you like. But those two apps are going away.
[40:34]Full details in the show notes. But that gives us an excuse to explain what is modern authentication. And I discovered later that if you're a Gmail user who uses third-party apps rather than just a Google web interface, you have until September. Actually, no, the autumn. They don't have an exact date. It's the autumn. And then this will apply to you as well. So that might line up pretty closely with September 16th for Microsoft, depending on when they decide autumn is. So this may be something that affects Gmail users who use mail apps as well. So really good reason to talk about it.
[41:08]So modern auth is two things. It is a general industry term that's a little bit on the vague side. And it's a very specific piece of Microsoft jargon that means very, very specific things within Microsoft's universe. We are taking the broad umbrella view of things. So when I say modern auth, I don't mean the Microsoft-specific thing. I mean the concept within the industry as a whole. So it applies to Google and to everyone else. I mean the broad idea. And the only way to explain modern auth is to start with legacy auth and then say how it's different.
[41:41]So the old way, what I'm going to call legacy auth, you have one account, it has one password. And every time you or an app acting as you, your calendar app, your mail app, your chat app, whatever it is, whenever you or an app acting as you tries to talk to the server, it hands over your username and password because you've typed them into a settings page somewhere and it has them on file, maybe in the keychain if it's a good app, but it has access to the actual username and actual password, hands them to the server, the server validates them, and then the server decides whether or not to talk to you. So that doesn't sound too bad, right? What's wrong with that? That's how we've been doing it for decades. Well, every app has to be given a copy of your username and password. So we now have to trust that the app is going to store that well. Is the app just going to stick that in password.txt sitting on your hard drive where the first little bit of malware that comes along can just hoover it up? Or is it going to do the right thing and use Keychain? No way to tell. Is it going to phone home to the developer and just hand over your username and password? You've typed it in, it really could.
[42:50]If you have one dodgy app, let's say you're experimenting with Mastodon because it's new, you've tried 20 different apps, one of them is sold to someone who does something naughty with it, and you now have to go fix that because it has your password. Well, your only choice is to kill the one password you have and re-enter it everywhere. You can't only kill the naughty app, right? You have a button. That is all you have, right? One button. Okay. Um, and if the apps are using username and password, there's no place to connect in two-factor authentication. Like when you hit send and receive on your mail client, there is no mechanism to do two-factor authentication, because the protocol for this stuff is all baked in that it's a username, a password goes over the wire. There's no place to hang these new features. There's no way to use a passkey to check your email with legacy authentication. There's just no hook to hang it on. So that's why there is modern authentication.
[43:55]So, modern authentication breaks the job that your username and password are actually doing in those apps into two completely separate pieces and makes them different people's problem. And what it splits apart is authentication and authorization. And they might sound similar, but actually they have very importantly different meanings. So, when I authenticate you, I am proving you are you. When I authorize you, I'm already assuming authentication, and I am saying you have permission to read my inbox. You have permission to read my calendar. What you're allowed to do is different to who are you. That makes sense. That makes sense, exactly. So that is the first thing, is modern auth splits those two apart.
[44:41]There's a couple of different protocols, but it doesn't really matter. The way they work is all the same. So what you do is you have one single server that is going to act as the identity provider for every single service offered by the company that's providing you with the account. So if that's Google, there is one single Google identity provider, or an IDP, that is checking your authentication, whether you're using Gmail, Gchat, whatever that's called this week, your calendar, Google Docs, sign in with Google to some website, whatever it is you do with your Google account. It doesn't matter what it is. The moment in time where it says prove you are Allison, at that exact moment in time, you are talking to the IDP and only to the IDP. So the IDP is the only thing that does authentication, and the only thing it does is authenticate you, prove that you are Allison.
[45:34]What it will then do is it will build you a token, and that token will contain a little bit of identification information that says this token belongs to A Sheridan or some sort of numeric ID. I mean, it'll depend on the different company, what they decide to put in there, but basically a user ID or a username or an email address. Some information to say this is Allison goes into the token. An expiration date goes into the token. And a list of what permissions the token gives you access to goes into the token. And then the whole thing is digitally signed so it can't be messed with. And then the token is handed back to the app. And so what your mail client has saved is a token, not your username and password.
[46:16]And then when the mail, okay, I can see you. I was just going to say, and that does preclude.
[46:24]Poor developer saving your username and password in a text file? Right, because they never got it. Okay, okay, cool. If they never have it, they can't do anything with it. So what they get is handed a token. And they can abuse the token, at which point you log into your Google or your Microsoft or your Apple account, and you go to the list of authorized apps, even Twitter. Actually, you can even do this on Twitter, because Twitter uses modern authentication.
[46:47]Or Mastodon. Mastodon uses modern authentication. You go into all of your authorized apps and you get a list of every app you have. And you just go... Where did you say that authorized list is? If I go into Apple ID that Apple... Actually, maybe Apple is better. But if you go into Google and you go into your My Account page, it'll list all of your applications. Or if you log into your Mastodon account, it should list all of your applications. Ah, okay. Okay, yeah, I have seen it there. So it's on a per app basis. Yeah, every identity provider gets per IDP, per company. Think of it per company. And every company has an identity provider. So Twitter will do things the Twitter way. They might make you click on this page and then this page, and then you get to the settings. Microsoft will do it, myaccount.microsoft.com. Apple will do it their way. Okay. So it's a service and clients. And in the service, it tells you which clients you've authorized. So you can check your mail with five different mail clients. Correct. And they'll each have their own token. And so if one of them is naughty, you get rid of it. So if you're trying 20 Mastodon clients... Right. So it's the service that has to provide this modern authentication. Everyone has to take part. Both. Okay, both sides have to. Okay. Yeah. Which is why it takes a bit of time to roll out. But both people will speak this language to each other. So instead of username, password, chitter, chatter, the chitter, chatter is going to be tokens.
[48:12]And the other nice thing is, let's say you authorize a Mastodon app and it's some sort of app that just makes a silly avatar, right? It will ask for only the permissions it needs to do that and it won't have permission to post as you. Like maybe it's just purely a widget for your desktop. It may only get read permission on your account. And so if that token is stolen or lost and someone tries to abuse that token to toot as you, well, the token can't be used for that, because the token is a read-only token. So that means that you have a real limiting of the damage done by each token. A mail app can only mess with your mail. A calendar app can only mess with your calendar. You know, the token is going to have specific permissions baked into it, which is better. And you can go in and revoke them one by one. Cherry-pick what it is you're destroying if something goes wrong. And they never get the thing to lose in the first place, the username and password, which is so important. So how does this look to you and me? Because I've described something. I've just told you Twitter uses it, Google uses it, Microsoft use it, Mastodon use it. So we have been using modern auth, but we may not quite have twigged that we were, because from our point of view it's not always that different from a username and password, but subtly so. Let's walk through with an example. So let us imagine that we listened to Jill's review a few weeks ago for Fantastical. We've decided we absolutely want Fantastical and we're Google users. So we want to talk to our Google calendar from Fantastical.
[49:41]When you go to Fantastical and you click the button to add an account, it doesn't say within Fantastical, enter your username and password. What it does is it bounces you to Google's web page where you log into Google. That is the Google IDP.
[49:58]Once you've proved you are you, the next thing you'll see is a list of permissions. You're about to authorize Fantastical, and then it'll give you a list of permissions. And then you click a button that says authorize. You'll have seen this from Mastodon accounts as well. And then the moment you hit authorize, the token is created. And then usually there's a button saying click to return to the app. And that hands the token to the app. And now you're back in the app and the app has your token. Okay. And that's it. You're done now. So when you now try to use that app, the app never had your username and password because you were on Google's web page when you entered it. You didn't enter it into Fantastical. Fantastical now tries to talk to Google to do your calendaring and it hands the token over.
[50:41]Google receives the token, checks it out. Does this match? Yes, it does. Does it have permission to read the calendar? Yes, it does. Yeah, sure. Here you go. Bart is doing five boring things on Monday morning. Right? Whatever it is. Right? And it just works away. And that happens every single time. And then the token has an expiry date. So a lot of tokens like for Mastodon have an expiry date of basically never. My Mastodon client has never asked me to refresh the token. But in work, we do not allow tokens older than a few days. So in work, pretty much every, oh yeah, Fantastical makes me reauthorize three or four times a week. But all that happens is I bounce. No, no, because it reauthorizes not starting from scratch. I just have to sign in and it bounces me straight to Fantastical. So it's just page pops up, I sign in, it bounces me back. That's too much work. I wouldn't use it if I had to do that. I mean, it's not Fantastical's fault. Correct, right? That's the choice of our corporation to protect our corporate data, which is why Mastodon is way more liberal because it's a social messaging app. So basically your Mastodon token is good until you revoke it. It might be good for five years. There may be a limit somewhere in there, but I have never had to update my Mastodon tokens. I have three Mastodon accounts. I have never updated any of them.
[51:52]Okay. But that is how they're all working under the hood. And if you then go in and you revoke a token, well, then you have to start from scratch. Then Fantastical would try to use its token and it would make you go right back to the start of the process, list the permissions it wants and authorize, make a new token. Yeah. Okay. So that workflow that you see where you get listed a set of permissions with an authorize button and it bounces you back to the app, that's modern auth. So you have been using it on lots of things. I do like seeing that because, well, there's something similar to that on macOS where it'll say, hey, this app wants to talk to other stuff on your network. And you're like, no, I don't think you need that. I know you want it, but I don't have to say yes. And, you know, sometimes it's like, okay, this is what won't work if you don't do it. Oh, okay. Yeah, you do need that. All right. I'll let you have it. And it can be very obvious. It's like if I'm installing a client whose only job it is to show me a widget of my upcoming next five events and it says would like send as permission. No. Or, you know, read your entire OneDrive permission. Heck no.
[53:02]I don't think so. Exactly. So it's very powerful. So how does this enable better security? Well, all of the apps are going to have to. Right. Because authentication is now only done in exactly one place, the IDP, there's only one place where changes have to be made to add support for something new. If you are a company running your own website and you say, oh, I think, you know, we're using modern auth, I've decided I want to support passkeys. Well, you don't have to do it on every single one of your web interfaces or whatever. You just do it on your IDP. And now all of your users have that access, because the apps are only talking tokens. So the token doesn't know or care how the IDP made the token. All of the worries about supporting new technology are now concentrated in one place. So it's way, way easier to add support for hardware FIDO dongles or Google's two-factor authentication with the code or whatever it is you'd like. Good old passkeys, right? All of it can now be handled just by the IDP. So in order for modern auth to work, every single app you use has to be updated once to support modern auth, and then forevermore they're good, because the problem has now been split in two and it's not their problem anymore.
[54:22]So our clients don't have to keep being updated to give us better security. The IDP just needs to be updated, which, you know, Google will roll out passkeys, Apple will roll out passkeys, everyone will do it at their own rate. But that's how that's hanging together.
[54:37]Now, the really good news here is that none of this, this is new to home users.
[54:42]But this is well-trodden ground, because this has been in the enterprise for so many years, at least a decade, which means that the protocols to make this go, there's only three of them, and for a home user, it's almost all OAuth 2, which is also, by the way, what powers sign in with Meta, sign in with Google, sign in with Facebook, all of those things. They're actually OAuth 2. They're actually modern auth as well. They work with tokens. But instead of the token being from one Facebook thing to another Facebook thing, it's a token from Facebook to a third-party site. But it's the same principle, one IDP handing out tokens. And if you're in the enterprise, you may hear two other buzzwords, SAML2 and OIDC. They are for doing first-party to third-party authentication in the enterprise instead of, you know, us to ourselves. But this stuff's been around for years. It's really well bedded in. It's SAML2 for a start. It's OAuth2 for a start, right? We've been around enough to get to a second version of these protocols. So also, to really make sure that many, many, many apps are updated, two years ago, for all education and corporate customers, Microsoft blocked legacy auth. So if you have a school or business Office 365 account, you have already been using nothing but modern auth for two years, which means all the apps have been forced to update. So now that everyone else is coming along, the road has been paved. Right.
[56:08]So is this a nothing sandwich then? If all the apps have already been updated, then are people even going to notice? They may be forced to re-authenticate. So you may be asked, hey, I need you to update to using this, log in here. So you may be basically told you've got to jump from this way of doing things to that way of doing things. But I think it should be a pretty smooth ride is basically the bottom line here.
[56:31]I did notice then, as I say, Google are about to follow suit. And one other little note, because I thought you might ask, and the listeners are maybe shouting at their iPad or iPhone or whatever they're listening on. How does this tie into passkeys? Well, the answer is passkeys are interesting because they fit into modern authentication twice. There are two valid modern auth ways of using passkeys. So you can either use WebAuthn directly, so that your website talks WebAuthn straight to the web browser, in which case you have modern auth through WebAuthn and you have passkeys only. So you don't have 20 different choices. It's just passkey. Or you can put the passkey support on the IDP, and then your apps are talking
[57:14]the, you know, modern auth protocols, and the IDP is talking WebAuthn. And either way it works. So passkeys can slot in directly or indirectly. Both are just as good. I'm gonna give my, uh, every-bi-monthly I-really-hate-passkeys thing. I literally do not understand how to do them anymore. They worked originally, but now, like today, I went to some website, I forget what it was, and I got the little pop-up that said you need to open 1Password for passkeys to work. So I clicked on it, nothing happened. I clicked on unlock 1Password, nothing happened. So I opened 1Password, it was already unlocked. I went back to the website, I said, okay, use passkey, and it said, okay, scan this QR code with your phone. Well, how is that easier than just using 1Password? That's way harder than using 1Password. And I get that all the time, where I get this conflict where it acts like it's going to use 1Password for my passkey, but then it makes me use my phone to scan the screen.
[58:16]Something doesn't sound right, because my experience is I unlock 1Password and it just works. But I don't know where the difference is between us, whether it's that you're on a site that doesn't do it right, and I've gotten lucky. But I've gotten it so many times. I haven't successfully used a passkey in quite a long time. Like, they were cool for a while, and now they've degraded to where I can't use them. I don't want to jinx it. I try. I don't want to jinx it. But right now, today, touching all of the woods, it's working great for me at the moment. I don't want to jinx it. I feel like I'm pushing the wrong button. I mean, should I be pushing the button that says unlock 1Password? It's a big blue button in the upper right. Oh, you definitely have to unlock 1Password. It's after that you may be pushing on...
[59:00]Grab me a screenshot next time, because then I can give you an actual answer. And I will say, I will pay more closer attention to what I'm doing, because I'm doing it on autopilot now that I literally couldn't tell you what I do because it's just sort of working. But I'll pay closer attention to what I'm doing and see what I'm doing. All right. I thought about it today and I thought, oh, I was in a hurry. And now I'll dial back and try to remember what site I was on. Okay. Well, that's, as I say, no hurry. I'll be more mindful of what I'm doing. And if you grab me some screenshots, we'll figure out what's going on. Right. Well, that is our deep dive. I'm hoping that was insightful. Like I say, it was mainly an excuse to explain Modern Auth because it's been in the background for so long and we're kind of using it. But I don't think we understand why it's so much better than the old way.
[59:47]And so I hope you do now. Yeah, definitely. Okay. So that brings us on then to Action Alerts. It has been Patch Tuesday. 51 flaws fixed, 18 remote code executions, no zero days, so yay. Also, 51 is a low number by Patch Tuesday standards, so yay. Um, then, unfortunately, a slightly less yay. Um, Arm are warning of a widely exploited flaw in one of their GPU kernel drivers, which are used by many Android phones, and you are going to ask me to tell people how to know they're affected, and I'm going to have to say, I haven't a bloody clue. And I'm just going to quote what BleepingComputer are saying: due to the complexity of the supply chain in Android, many end users may get patched drivers with significant delays.
[1:00:39]If your Android wants to update, let it, let it, let it. There is an important one. I hope it's coming to you soon.
[1:00:48]Okay. Easier one. Google have patched an actively exploited zero day in their Pixel devices. That is easy. Google provide the Pixel. Google provide the operating system. Patchy, patchy, patch, patch. Jobs are good. So that's easier advice. Slightly more difficult advice again. Phoenix UEFI. They are one of the biggest makers of the UEFI in motherboards used by lots and lots and lots of PCs. They had a bug in their firmware code and it is exploitable. They have patched it months ago, and they have been quietly telling hardware vendors about it. So in theory, if you have a PC from a good vendor, there's a firmware update either with you or nearly with you. But don't you have to do something extra to do firmware updates? I mean, like, a reboot doesn't apply a firmware update, usually. Don't you have to do some sort of incantation with your fingers when you reboot? My understanding is that now that PCs have moved from BIOS to UEFI, they've joined us in the Mac community, where software update can update our firmware without us having to do anything fancy. It's just the reboot takes a bit longer. Yeah.
[1:02:06]Okay. I didn't notice that we didn't have to do that anymore. But now that you mention it, I haven't had to do a firmware update in a long time. Well, if you pay very close attention, some of your software updates take a little longer than usual, and they may reboot your computer twice, but it's pretty quick for us nowadays. That's the UEFI update. So the PC users should have the same experience now that they're off BIOS. And do we have UEFI or just EFI?
[1:02:32]Sorry, no, it may depend on whether we're an M or not. We definitely, definitely have EFI. We definitely, definitely don't have BIOS. That happened a long time ago. Yeah, yeah. So whether we have UEFI, I'm not going to bet on one way or the other, but either way, UEFI and EFI both can do the firmware update thing without faffing. So, okay, PC users should be in a better place than they were in the BIOS days. ASUS have warned of a critical, a typical remote code execution in 7, sorry, not a remote code, authentication bypass. Basically, take over your router without knowing your password. On 7 of the routers, the firmware is out, the routers are listed on the web page, patchy, patchy, patch, patch. This is not a mystery one. So no throwing in the bin. No throwing in the bin. That comes now for Netgear users. So Netgear have a router called the WNR614, which was apparently very popular with more advanced home users and small businesses. It's out of support, has been for some time, but there's still loads of them online. There is a really bad vulnerability in them. Bin time. They're dead. Unsupported. Unsupported, gone. And I know we have a lot of developers who listen to us. If you are one of those people and you are a PHP developer who uses Windows, patch your PHP on Windows ASAP.
[1:03:59]Notable news then. This story was about to be an icky one, but it got very simple. So the first thing that hit my feed was "Signal Foundation warns against EU's plan to scan private messages for CSAM". Basically, plan to ban end-to-end encryption. Again. That was followed two days later by this wonderful headline: "Lacking votes, EU postpones vote on CSAM law". So, for now, mischief managed. Let us hope it stays that way. After sort of acting against Kaspersky within the government, as in you can't be a government employee using Kaspersky for US government stuff, well, the big guns have come out. The US government have now said you have until September to stop using Kaspersky anywhere in America because basically they're not allowed to give you any updates anymore from September. So Kaspersky is basically gone from America. And just in case the point wasn't obvious, 12 of their execs have now been sanctioned for working in the Russian tech sector.
[1:05:08]Okay. So they're serious. Sanctioned in the US. Right, which is all the US have power to do, right? Right, right. I just didn't want anybody to think they were sanctioned in Russia. No, they're the opposite of sanctioned in Russia. I'm sure they're loaded. And for the many of us listening who are 1Password users, there are some new account recovery options. This is of most importance to people who don't have a family account, who just have a one person account, because for you to recover your own account all by yourself was quite difficult. You now have a new option to make it easier for you not to lock yourself out of your one and only account. For those of us with family accounts, we can now help each other get back into each other's accounts more easily, which is also good. But the single, the people who were on their own had it more difficult. So this is bigger for them. Okay. But by within the family, you're saying, so if, if, uh, let's say Steve was incompetent at security, he could change whether I could get in if I was the owner. Cause you, it used to be that I was the only one who could do that. I thought. Right, so in the past, you had to have certain rights within the family to be able to reset other people's passwords. Yeah.
[1:06:25]In our family, we both have those rights, so I didn't dig too deep. But now there's a new mechanism to make it easier to recover each other's passwords within a family. Okay. Go read the link in the show notes. Yeah, I didn't want to dig too deep in because it's one specific product. That didn't seem the best thing to do. Now, again, going back to those developer types who like to listen to us, if you are an AWS user, you should be aware that, A, you now have the ability to protect your cloud stuff with passkeys, which is cool. B, you should be aware that if you don't enable MFA on your root passwords, you're going to get locked out of your servers. So you can be really, really secure and you have to be at least MFA secure. So make sure that your Amazon stuff is well secured. And this is really important for us regular folk because an awful, awful lot of data breaches are caused by misconfigured Amazon backend stuff, where companies throw something together in AWS and don't secure it right. The fact that Amazon are tightening the baseline requirements for their security makes all of us safer from data breaches. So cool. Good. Now I have something in the top tip section, which is sometimes empty. The good people at Intego have given a really nice breakdown of the top 10 online scams that are currently popular, if that's the right word.
[1:07:45]It's a great article. Yeah, all the rage. It's a great article to share with friends and family, right? Those of us who listen to this segment every two weeks, we know this stuff. Although never any harm to see a refresher about what's actually the most dangerous right now. But this is the kind of thing that's really good for sharing with less technically savvy people because it's written for that audience. So I thought that was worth linking to. I have it bookmarked in my "for reference" folder so I can share it with people who ask me questions. Oh, good, good. Now, in terms of excellent explainers, then I figured this was the appropriate place to hook in the Apple stuff from WWDC as an optional extra. So Apple announced loads of cool stuff. A lot of it very good from a security point of view. We will dig into it as it becomes live to us in September, I think, well, fall officially. But if you want a sneak peek of what's coming, Ken Ray gives a nice breakdown on the SecureList, or sorry, The Checklist podcast from SecureMac, episode 379.
[1:08:45]Very good. Now I'm going to very slightly indulge myself here and I'm going to give you some interesting reading because it made me stop and think and I know at least some of our audience would benefit from reading this too but probably only a percentage of our audience. So it is now a legal requirement for large organizations to do fake phishing attacks against their staff. It's in order to be certified, we know like in order for us to get cyber insurance, but also if you are in a regulated industry, you actually are legally mandated to have your IT department attack your users with fake phishing and report on the success rate and stuff. And Google's security blog has a very interesting take on this. And they sort of point out that this is proven to be a silly idea.
[1:09:37]Really? Oh, Lindsay loves it at her company. She doesn't always succeed, but it's very gamified the way they do it and they really like it. Well, I love doing it because in my role, I get to be the person doing the tricking and it's really good fun. I'm sorry, I have really good fun devising these phishing schemes. But if you compare it to fire safety, early fire drills were about the individual getting out as quickly as possible. And it was a test and you would grade people on how quickly they got out. What you ended up with was more injuries, climbing over people. Right. You had more injuries caused by the fire tests, and they were called tests, than you did from actual fires and stuff. And the answer was a fire drill, which is subtly different. Everyone has walked through what they should do and practiced what they should do, but not as a test, as a practice. And so instead of trying to trick people with a phishing email, you send them a message that says, I am not a phishing email. Pretend I am. You should report me by clicking this button, doing this thing. And then you register what success rate you have of people doing the drill. And then you maximize that instead of maximizing tricking people.
[1:10:54]I thought it was a very interesting way of looking at things. And legally speaking, we have no choice. But I'm wondering if maybe it's a yes and. Maybe you should do one of these drills. A little bit of both. Well, what if you did one of these drills a month before you did the tricky one? It might make you look really good on the tricky one.
[1:11:12]Hope you get your stats up. Hope you get your stats up. I have to give a little plug for fire drills. I worked in a 10 or 12-story building that was connected through an underground tunnel to another building. The other building was a parking structure with some offices on the top couple of floors, but it had a basement where it had some machinery shop stuff. And a fire broke out in that basement of the other building. We were never in danger in my building, but the head of fire life safety was a buddy of mine, and he told me they let us evacuate. So we smelled smoke, like a lot of smoke. And we were all like, what? You want to get out of here? And they let us get out because we had practiced so many times and they knew that we would be able to get out without hurting ourselves. But it was only because we had had these drills and we had successfully gotten ourselves out. We all knew the path. It was just second nature. If your purse is right there, grab it, walk out. If it's not right there, walk out. That was it. And here's the better stairwell to go down for where you are, that kind of thing. And they let us get out and go home. So woohoo. But yeah, it was successful. I mean, not as dramatic as that. We didn't have a real fire, but it was something I really noticed when we moved into our new building. The first fire drill was a mess. None of us knew where the fire exit was. None of us knew which the nearest door was. It was a complete mess. We were a train wreck. And where to collect after and everything.
[1:12:37]And we did the drill and we were basically told, yeah, this is your first one in the new building. We expected this to happen. Now let us walk through where we went wrong. And then a few weeks later we had a second drill and we were better, and then we had another one, and now when the fire alarm goes, whether it's a drill or a false alarm, on autopilot, straight out all the right exits, no problem, no stress. Yeah, it does work. Hey, back to the show notes. I think you skipped over the item before the, um, fire drills and phishing tests. Did I? SecureMac? No, we did that one. You would, SecureMac. Oh no, there's one about kids and phones. Yes, you're very right. You're very right. How could I miss the Irish story of all things to miss? So we often hear it said that I think the kids are being damaged by their phones, or I think social media is destroying kids, or I think kids would all be better off if they didn't have smartphones. And everyone says, but no one parent can fix this problem, because if I don't allow my kid to have a phone, but all of their friends have a phone, the peer pressure is immense, let's face it, that's going to make my kid's life miserable and I'm going to cave. Because they're going to make my life miserable. So the only way this works is if the whole school gets together and does it all at once.
[1:13:52]What if a whole town did? All the schools in the town all got together and all agreed to do it. A year and a bit ago, that happened in a little seaside town in County Wicklow in Ireland. And it's going really quite well. And the Global News, The Global Story, is a half hour podcast from the BBC World Service where they look at one story in depth. And they did a special on that experiment. And it was really interesting to listen to. It's a little under half an hour long. And it is certainly an interesting point of view of a real world place that's actually tried it, not for a week. It's not an, it's not about what they plan to do. This has been in place for a year, so we're getting real experience from the teachers, the students. Interesting, actually. It's very funny, the students were like, Miss, are you on telly again?
[1:14:42]Because there was so much media attention at the start of it all. It was like, oh, more journalists. Okay, that was cool. Anyway, so that, thought it was interesting. So I have some palate cleansing for us. And Bart asked me before we started recording, do you have any palate cleansers? And I said, no, but I lied. So I have updated the show notes on my end that you can't see yet. And I'll still do mine after yours. Oh, okay. So my first one is every now and then XKCD do a cartoon that I know is going to be a classic, right? "Sudo make me a sandwich" will go down in history forever. That one of open source resting on that one teeny tiny project in the basement in Delaware. That one's a classic. There's a new classic. And I have bookmarked it for everyone who tells me I'm an idiot for driving an EV. Electric versus gas. Electric motors and gas engines. Wait, it's two characters talking to each other. One is explaining something to the other. Yeah, with Mr. Professor Guy, if you know XKCD, with the funny, the straw hat, he's always the explainer. Oh, it's a guy, is it? Guy, dude, stick figure. Person. Person. Okay. Person works. Prison words. Anyway, electric motors and gas engines each have their pros and cons. On the one hand, electric motors are cleaner, more efficient. On the other hand, electric motors are more powerful. So it's hard to see which is better overall.
[1:16:05]I had to read it twice before I got the joke, but it took me a lot. Wait a minute. Those are both why electric motors are better. Yep. Yep, yep, yep. And the hover text is a bit, and, you know, gas motors stink and ruin the atmosphere and give you slower performance.
[1:16:23]I love it to bits. I sent it to all of my family, who all drive EVs, and they all went, oh my god, I'm sharing that with everyone. So yeah, no, one's bookmarked. And then I have two podcast recommendations for you. So first off, I have been looking for an excuse to legitimately recommend a very fun podcast called Stuff You Should Know. It is simultaneously factually very well researched and yet it sounds like two people having a chat off the cuff. The tone of the podcast is so playful and so casual and so fun, you might be forgiven for thinking they're being fast and loose. They're absolutely not being fast and loose. It's just a really fun show to listen to, which is great. I love having them on when I'm cooking or whatever. They're fantastic. So they talk about pretty much anything, and I figured at some point they're going to talk about something I can use as an excuse to recommend them here. They have. They have done an entire episode on Wikipedia. And it is fascinating. I learned quite a few things I didn't know about the early history of Wikipedia.
[1:17:26]And I just subscribed. This sounds awesome. Yeah, you'll love it, Allison. You'll love it. It's a great show. And their back catalog is really fun to look through for topics you like. Lots of fun stuff in there. And then the next one is, well, I think a lot of us here in the community are GitHub users. And a lot of open source software we all use is hosted on GitHub. So it's kind of important that GitHub have good security. So I was heartened to hear a long hour and a half interview with the head of GitHub security on the Change Talk podcast. And I liked what I heard. It was a fun conversation, quite informal again, but lots of interesting stuff.
[1:18:09]Yeah, it was fun to listen to. So link in show notes if anyone wants to know what's going on there, how they're thinking about keeping all of us and all of that open source secure. They're very aware of the responsibility, which is good because they have it. I love it. I love it. For the audience, and because Bart's going to find this out as soon as we stop recording, it was GitHub that won't let me in. I just double tested it with the passkey. So, yep, they've got it secure. Well, that's interesting because GitHub is where I use my passkey all the time. Yeah. Well, maybe I messed something up. I used it about an hour ago to do some stuff with XKPassWD, which I have been trying to not say wrong when trying to talk about actual XKCD for the last five minutes.
[1:18:50]Right, right. Oh, yeah. We're having some fun over there. Helma woke up. Holy cow, did she do a lot in the last couple of days. Yeah. Which is always fun. All right. My turn. Your turn. If you think you're too old to learn, I put a link in the show notes to an article about a 105-year-old woman who just got her master's degree from Stanford. She walked out there on her own two feet. She had a cane, I think, standing tall. She started on the campus in 1936. She got her bachelor's degree in education in 1940, and she was working on her master's degree so she could teach. But her then-boyfriend, what was his name, Hislop, he was called up to serve in World War II. So they got married, and she didn't go on to finish her degree. She went back, did her thesis, and got her degree. And she walked up to the mic and said, I've waited a long time for this. Wonderful. 105! Wow. Just love that story. I'd hope I've, I'd love to finally get my master's at 105.
[1:19:57]Exactly. Maybe I should get it before. But anyway, that's fantastic. What was it in? What's her qualification? I think it was teaching, right? I know she wanted to be a teacher. It's in education.
[1:20:11]Excellent. Well, yeah, I'd listen to her. At Stanford. Referred. I'd listen to her. She could teach me anything she likes. I bet you she'd be very good at it. All right. If that isn't a palate cleanser, I don't know what is. Consider it cleansed. Thank you, Allison. And remember, everyone, until next time, stay patched so you stay secure. Well, after Bart and I finished recording, I did a screen share with him where I showed him how borked up it was trying to use a passkey, especially, and the example I used was GitHub, and that's something Bart goes in and out of all the time. Bart noticed on my screen that the 1Password icon on Safari had a lock on it even though I had showed him that I'd unlocked the 1Password app. He said they should stay in sync and I agreed, they should. I'd noticed this problem quite a while ago, but I hadn't realized it was related to the problem with passkeys. I also demonstrated the pop-up asking me to scan a barcode and he said that was Safari itself trying to help. He had me quit Safari, delete 1Password for Safari, download a fresh copy from the App Store, and guess what? Now passkeys work flawlessly. Just like they're supposed to. It just says unlock 1Password, you tap your finger, and boom, you're in. No putting in a username, no putting in a password. It worked great. Now remember, I said they used to work. This explains why they stopped working. I am so happy now I had to share the solution.
[1:21:34]Well, that's going to wind us up for this week. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com/mastodon. If you want to listen to the podcast on YouTube, go to podfeet.com/youtube. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to people like Physics Nerd Graeme and all of the other lovely NosillaCastaways. You can support the show by going to podfeet.com/patreon or with a one-time donation at podfeet.com/paypal. And if you want to join the fun in the live show, you're going to have to wait two weeks, but in that two weeks, it will be the 1000th episode. So you should come, and you do that by going to podfeet.com/live at 5 p.m. Pacific.
[1:22:22]Music.