NC_2024_08_04

The discussion includes personal updates, network troubleshooting, security updates, data sharing partnerships, tech giant breaches, and French government interventions. Recommendations are a tech jokes Twitter account and an Apple sounds podcast.

2024, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

NC_2024_08_04
Mac Power Users #756: Exploring NotePlan with David Roth - Relay FM
Cleaning Up Apple Contacts Using Smart Lists
Make Over-the-Shoulder Videos with Amorus Hands-Free Magnetic Phone Chest Mount
A Surprise Ending to a Networking Problem
Support the Show
Security Bits – 04 August 2024

Long Summary

Today on the show, we start by celebrating our daughter Lindsay's birthday and sharing our excitement about the upcoming trip to Africa. With the next live show scheduled for September 8th, we encourage our audience to join our Sunday chats at 5 p.m. Pacific time. We dive into the topic of efficiently organizing contacts, offering insights on dealing with duplicates and sorting contacts into categorized lists. Furthermore, we explore different methods for exporting contacts for future use, including utilizing Apple Numbers or saving in PDF format. Lastly, we highlight a convenient solution for recording hands-on demonstrations, such as knitting tutorials, using a magnetic phone chest mount.

Moving on to the next segment, we discuss a hands-free magnetic chest mount and a networking challenge we recently faced. The chest mount proves to be a practical tool for securing a phone for video recording, providing flexibility in placement and ease of operation. Additionally, we delve into our troubleshooting journey regarding network issues stemming from various IoT devices and Eero routers. With the help of friends' advice and thorough testing, we successfully pinpointed faulty equipment like MoCA adapters and a problematic power supply in an Eero router. This experience underscores the significance of meticulous problem-solving techniques and unwavering perseverance.

Transitioning to Security Bits with Bart Busschots, we address recent audio problems and my need to replace a microphone. Delving into a recent incident involving CrowdStrike's sensor update causing system failures, we stress the importance of distinct update processes for defense rules and sensors. The discussion also touches on Google's backtrack on third-party cookies, shedding light on the inherent conflicts of interest in proposing alternative solutions. Moreover, we examine the repercussions of browser-level cookie blocking and the intricate nature of online tracking mechanisms. Stay tuned for in-depth insights into cybersecurity and tech updates.

In the subsequent segment, cybersecurity takes the spotlight as we explore partnerships among websites for data sharing, browsers' limitations in enforcing privacy, challenges with cookie consent pop-ups employing dark patterns, recent Apple device software updates, breaches of laws by tech giants like TikTok and Meta, new security enhancements in Google Chrome, and a notable intervention by the French government to thwart thousands of hacked devices. The episode wraps up with recommendations for a humorous tech jokes Twitter account and a podcast episode on iconic Apple sounds from '20,000 Hertz.' Finally, we provide information on contacting us via email, joining our Slack community, supporting the podcast, and details on future live shows.

Brief Summary

Today on the show, we discuss personal updates, contact organization tips, and a magnetic phone chest mount for demos. We troubleshoot network issues and cover security updates, including third-party cookies and cybersecurity challenges. We explore data sharing partnerships, tech giant breaches, and French government interventions. Lastly, we recommend a tech jokes Twitter account, an Apple sounds podcast, and provide contact and show information.

Tags

personal updates
contact organization
magnetic phone chest mount
network issues
security updates
third-party cookies
cybersecurity challenges
data sharing partnerships
tech giant breaches
French government interventions
tech jokes Twitter account
Apple sounds podcast

Transcript

[0:00]
NC_2024_08_04
[0:00]Music.
[0:08]Apple Bias. Today is Sunday, August 4th, 2024, and this is show number 1004. Well, that's a lot of fours in one show introduction. And guess what? Four is our daughter Lindsay's favorite number. And you know what else? Today is her birthday. Happy birthday, Lindsay, the daughter. Well, Steve and I are getting really excited about our upcoming trip to Africa. We leave this coming Saturday, the 10th of August. That means I need to get next week's show out early. I'm shooting for Wednesday, but definitely no later than Thursday. That means there will be no live show on Sunday, and it means there will be no live show until September 8th. I know, it's a really long time. I'm going to miss you guys. Well, if you want to go to podfeet.com slash chat on Sunday nights each week at 5 p.m. Pacific time, there's nothing to stop you. You know, you can still do that and hang out. According to Kevin, I'm just that annoying woman in the corner anyway, so feel free to hang out and enjoy each other's company while we're gone. Now, we have gotten a couple of contributions of audio and associated text for the shows. Thank you, Mr. Ed. And they're great. But remember, if you want to help out Jill, Alistair, and Bart, please send your files to me at alisonatpodfeet.com as soon as you can, no later than Wednesday, August 7th, to be sure I can forward those recordings on to them.
[1:25]
Mac Power Users #756: Exploring NotePlan with David Roth - Relay FM
[1:25]As you all know, I started the podcast on May 13th of 2005. Exactly one week later, I attended the All Things Digital conference put on by Walter Mossberg of the Wall Street Journal. For the first session of the day, I raced down the aisle to get a good seat in the very front row. As I tend to do, I started chatting with the person next to me. That person was David Roth. David is an Apple fan extraordinaire, and he became one of my very first podcast listeners, if not possibly the very first. Now, David and his lovely wife, Jennifer, have become very close friends of Steve and mine over the years, and they even let us swim in their pool with their two golden retrievers at their home in the Houston area. Now, David is a lawyer, which is not a very friendly environment for an Apple fan, but he's managed to wrap his job around using Apple products anyway. Now, you've heard me talk about David hundreds of times. Usually, I make fun of the fact that he doesn't like it when I do math on the show, but the reason I'm telling you all of this now is that he is the latest guest on the Mac Power Users podcast. He joined David Sparks and Stephen Hackett to talk about how he uses the app NotePlan to organize his work life. Maybe his home life too. I haven't heard the whole episode though, because it only dropped a couple of hours before showtime. So I've only just had time to start listening to it. But what I heard was already great. Now, even though it feels a little bit like he's cheating on me by being on somebody else's show, I hope you'll check out Mac Power Users number 756, exploring NotePlan with David Roth.
[2:52]
Cleaning Up Apple Contacts Using Smart Lists
[2:52]While I was at MacStock Conference and Expo, a lovely gentleman named Bob asked the table for advice on how to clean up his contacts. He explained that he had a few things he wanted to fix. The first was that when he chose the resolve duplicates option, it showed that he had over 500 duplicates. He wanted to click that button, but it kind of gave him pause. The second problem was that he has many contacts from his previous employment. He doesn't want to lose those contacts forever, but he also doesn't want them cluttering up his personal contacts file. Finally, he has many contacts who have passed away. He definitely doesn't want to lose that contact information, but he also doesn't want to face them daily in his contacts. While I've been working on the instructions to help him clean things up, I happened to hear the folks on the Accidental Tech podcast talking about how maybe we should have an archive option in contacts, and maybe a deceased date field, so we wouldn't be reminded, say, to wish someone a happy birthday when they're gone. Sounds like a lot of people would like to solve the same problems Bob is experiencing.
[3:50]I've written up a series of steps that will ensure he preserves the history and gives him what I think is the easiest way to clean up his contacts. At least it's the easiest way I can think up. I had a whole set of instructions done earlier that were way harder, so these are at least easier than what I came up with at first. Now, he's still going to have to do some tedious work, but my solution is not technically difficult. I thought I'd share the solution with the audience. The very first step in this process must be always, always, always back up your contacts first. In Contacts on the Mac, select File, Export, Contacts Archive. Now, this is going to save a file in the format, well, with the extension .abbu. Now, put this file in a safe place and then make up a backup of that.
[4:35]Only after you've done that backup, you want to start verifying that you're only using iCloud. It's not uncommon for people to end up with some contacts in iCloud and some that only live on your Mac. Before cleaning things up, I would ensure everything is only in iCloud. I suppose it could also only be on the Mac, but I prefer them in iCloud. Now, I recently helped someone with a crazy number of duplicates, and it turned out he had the same person multiple times in both iCloud and on his Mac. And that's why you want to make sure. So if you don't use iCloud for your contacts, you can skip this step. But if you do, open Contacts on your Mac and select the On My Mac section. If it's empty, you're golden. If there are any contacts in there, drag them to the iCloud section and then delete them from On My Mac. This might create even more duplicates, but we'll get to that soon. There's no danger in doing this step because you did back up contacts first, right?
[5:30]All right, to prevent contacts from getting added locally to On My Mac, in Contacts, open Settings, General, and then Default Account, and make sure it's set only to iCloud for the future. Now we're ready to attack those duplicates. In Contacts on your Mac, go to the card menu and choose Look for Duplicates. You'll be told some number of duplicates have been found with an offer to merge them. Select Merge. Now this is scary, but remember, you did back up your contacts first, right?
[5:58]Now, believe it or not, after it's complete, again, choose card, look for duplicates. In my experience, it's quite likely that it'll tell you there are more duplicates to resolve. I know that makes no sense, but keep repeating this step until Contacts finally tells you there are no more duplicates. As your next step, I would suggest creating some lists to categorize your contacts. Apple used to call these groups, and in fact, you'll run across cross-references to groups throughout the Contacts app that they never bothered to call lists, but they're really the same thing, so they just haven't cleaned up the app. Now, the list categories that would make sense for Bob to create would be deceased, keepers, and old work. If you already have lists in your Contacts, I'd suggest putting an underscore at the beginning of those three names so they sort up at the top, because you're going to want to be able to get to them quickly because you're going to be using them a lot. Now, as a side note about lists, it's important to remember that contacts can be in more than one list. For example, I have a list called Family and another one called Christmas Cards, and my family members are in both lists. So to create a list, go to File, New List in the menu bar. This will create an untitled list in the sidebar waiting to be renamed. As soon as you rename the list, you'll be taken into this empty list.
[7:12]Now you're going to go through your contacts one by one and drag them into one of these three lists. This kind of process is tedious, but it's the most important step to be sure you preserve your contacts the way you want them. One thing that makes this process difficult is it's hard to remember which names you've dragged into these lists. When you look at all contacts, they're all going to still be there. But I have a trick that will make it easier and will allow you to see your progress. I would suggest creating a smart list that contains only those contacts you have not yet triaged into one of the three folders. In the file menu, choose new smart list. This will open a window inviting you to name your new smart list. I suggest naming it something like not triaged. Below the name, you're going to see a dropdown that says card and one that says contains, and there'll be an empty field next to that. Change the contains dropdown to is not a member of. This will trigger a third dropdown to be displayed, which will be blank. But in the dropdown, you can choose, for example, underscore deceased.
[8:12]Tap the plus button to the right of the drop-downs to add another condition to our smart list. Repeat the steps and this time set it to card is not a member of underscore keepers. Add another condition and set it to card is not a member of underscore old work. When you're done, you'll notice a new line was inserted below the smart list name that says contain cards which match any of the following conditions. That drop-down can be changed, but we want to leave it at any. This will create a smart list that will only be contacts that are not in any of the three lists. When you hit OK, the smart list not triaged will show at the bottom of all the other lists under smart lists.
[8:51]Before you start the hard work of moving your contacts into one of these lists, I suggest scrolling to the bottom of your not triaged smart list to see how many total contacts you have to triage. Knowing this number at the beginning of the project can help kind of scope out the work. It'll be helpful to set up reasonable goals on a project like this. So let's say you have a thousand contacts and not triaged just to start. You could set a goal of triaging maybe 50 contacts each day, and that way you wouldn't lose your mind. You could create a recurring reminder to just triage 50 contacts a day, and in three weeks you'd be done. If you did more than 50, you'd be ahead of the game, and you could take a day off now and then. Personally, I'd probably create a nice little number spreadsheet cheat where I recorded each day's total left and not triaged and then graphed my progress, but that's me. I should mention that if you drag a contact into the wrong list, you can select the card in the incorrect list and hit the delete key. You'll get a prompt where the default is to just remove from list so it doesn't delete the entire contact. When you're triaging, you may also find contacts that you don't need anymore at all, and you can use the delete button to truly delete them.
[10:01]Now that you've spent a couple of weeks triaging your contacts, it's finally time to clean things up. Select one of the lists you no longer want to keep in your contacts database but want to keep for posterity. Let's say it's the old work list. There are a few ways to export contact cards from contacts. You could select all of the contacts in this one smart list and then from the menu bar choose File, Export, Export vCard. This will create one vCard file with extension .vcf with all of the contacts smashed into that one vCard. Now, I don't think this is a good option because to bring back one contact or even view just one contact, you'd have to bring them all back in. So let's abandon that whole path. The second option is to choose File, Export, Contact Archive. Unfortunately, even though you've just chosen this smart list and just the contacts inside this smart list, near as I can figure, the contacts archive is your entire contacts library. I tested exporting contacts archive from a three-person smart list, and again from all contacts, and both archive files were about the same size of 45.8 megabytes. There's no way three contacts would take up 45.8 megabytes, so that's also not a good option.
[11:14]A better method to export these folks you don't need in your contacts is, believe it or not, to send them into an Apple numbers file. Now, believe it or not, again, this is one of the ways Apple recommend you export contacts, but it's pretty clumsy in my opinion. I assumed they'd have an export to CSV, you know, comma separated values file for import into any spreadsheet program, but I was surprised to learn this option does not exist. Here's how Apple suggests you export contacts to numbers. You open numbers to a blank spreadsheet so you can see numbers and contacts at the same time. Over in Contacts, select the Smart List and select all in the list using Command-A, or you could go to the menu and choose Edit Select All. Now, drag all of the selected contacts from the Contacts app into the numbers spreadsheet and let go. It doesn't matter where in the spreadsheet you drop the contacts, numbers will sort it out very nicely. Now, when you let go of the contacts, numbers will auto-create column headings for each of the fields that were in the original contacts and drop in the contacts below those headings. In the mini example I created with three of my imaginary friends, the titles of the columns are the superset of what information was in my imaginary contacts. I had an image in one, last name, first name, home, and work email, so those are all of the columns imported into Numbers.
[12:35]I also tested this on my personal list of over 1,200 contacts, and the columns went all the way out to GD. You know, it starts out at A1. It was GD, or sorry, it starts out at A. So I asked ChatGPT to do the math for me to figure out GD is out 186 columns. Hopefully, you'll have a manageable number of columns when you do your export. I want to make one comment about the exported images in the first column of the number spreadsheet. I'm really glad that Apple preserves the image in the export, but it's rather hard to extract that image out of Numbers. It's wee tiny by default, but you can view the full-size image by stretching the column width and the row height for that given image. Even though you can see it in large form, you can't copy the image out of Numbers. Or I should say, I can't figure out how to do it. I tried a right-click and copy, I tried copy snapshot, which was another option, and yet nothing copied into my clipboard. I was unable to drag the image out either because dragging just started to select more rows and columns. The best advice I can give if you really want that image is to embiggen the image as much as you can by increasing the size of the cell and then take a screenshot of the image and save it. In any case, you now have a handy-dandy spreadsheet of all your former work colleagues and it's outside of your contacts.
[13:53]Now, option four to export is to export to PDF, which is easier and might be all you need. The format of the PDF is a little bit cramped, but it's not terrible. It has a super wide column for the person's name and then a very narrow column that contains their physical and email addresses, websites, and any notes you may have put in their contact card. The final column is for phone numbers, but it truncates any custom names you may have created for any of their numbers. The column is exactly the width of the word iPhone and no wider. Luckily, the iPhone numbers don't get truncated, even if they do have an extension listed, but that tricky custom name might get truncated. Now, this is a searchable PDF, and it even supports data detectors, such as if you hover over an address, it will give you a downward chevron that, when clicked, will show you the address on a map. However, the images aren't expandable or retrievable in a bigger format. Now, overall this might be the simplest way to keep a list of former colleagues for future reference.
[14:55]Alright, so now we've triaged all the contacts and we've moved them all into either a PDF or a Numbers spreadsheet, whichever you like better. It's time to delete unwanted contacts. And this is scary. But let me ask you one more time. You did create a backup of your entire contacts database, right?
[15:13]So do not delete the list first or you'll undo all the hard work you did triaging into this list. So open this smart list. I'm sorry, the regular list for old work. Select every card in this list and hit the Delete key. As I explained earlier, you'll be prompted first to remove from list, or this time we actually want to hit Delete. Once you've deleted all of the contacts in the list, now you can delete the list itself. If you discover that you've made a terrible mistake and deleted someone you didn't mean to delete, there is no recently deleted as there is in applications like Photos. However, if you use iCloud, you can restore your entire contacts database back to an earlier date. Apple explained in a support article that you can log into iCloud.com, scroll to the bottom of the page, and choose data recovery. This opens a page offering to restore files, bookmarks, contacts, and calendars. I chose contacts, and I was shown a list of 10 archives with the dates of the archives. The page explains when you restore to a new archive of contacts, the archive of contacts you select will replace contacts on all of your devices. Your current contacts will be archived so you can get them back if needed. Now, we already made our own backup, but just in case there is that secondary backup you can get to at iCloud.com.
[16:33]Now, the bottom line is this is a big task, but it's probably a task we should all consider doing to clean up our digital lives. I highly encourage you to follow my advice to set a daily or weekly goal of how many contacts to triage so you don't give up on the task and never finish. And don't forget to export a backup of your contacts first. Good luck to Bob, and I hope you keep me posted on how all of this works for you.
[16:57]
Make Over-the-Shoulder Videos with Amorus Hands-Free Magnetic Phone Chest Mount
[16:57]Have you ever wanted to demonstrate something you're doing with your hands in a video? For example, Mark Lowewald and I were trading videos back and forth trying to troubleshoot a problem he was having with a memory card and different adapters that he was plugging into his new iPad Pro. It was quite the feat while holding the phone with one hand to record while also then single-handedly inserting the memory card adapter and unplugging it again without ever dropping anything. Another example is that I want to learn how to knit socks and Jill from the Northwoods says she'll teach me. We live a few thousand miles apart so we've been trying to figure out how she could somehow watch me knit from her house over a video call and tell me what I'm doing wrong. But how do I hold the phone to record an over-the-shoulder view while also knitting? I don't do a lot of product demo videos, but when I do, it's really hard to show something while holding a phone steady to record.
[17:48]A few months ago, Pat Dengler wanted to show off a little box she'd made with her 3D printer. Rather than just take photos of it to send to me, or to try to show the little compartments in a video while clumsily holding the phone in her other hand, she put on her Meta Ray-Ban glasses and made a fabulous over-the-shoulder video to show off her creation. I've been really quite impressed with the photos and videos Pat has been able to capture with the Ray-Bans, but I'm not interested in dropping $350, not counting putting a prescription in it, on a pair for myself.
[18:18]This did get me thinking about how there must be a solution to creating over-the-shoulder videos without spending much money. What I wanted was some way to hold a phone, maybe around my neck, but pointing the camera lens away from me. I tootled off to Amazon, typed in some random search terms, and I immediately found the solution. Clearly, I was not the first person to think this product should exist because a whole pile of companies sell products that go around your neck and hold your phone in a magnetic mount. The one I chose is from the company Amorus, A-M-O-R-U-S. It's called the Amorus Neck Holder Hands-Free Magnetic Phone Chest Mount for the grand sum of $23. The basics of the design are a bendable metal band that goes around your neck and then joins to the phone mount at your chest. The metal band is covered in a velvety soft rubber of your choice of boring gray, classic blue, or the flaming orange color I chose. When I opened the package I gleefully tried to put the loop over my big noggin, but it didn't fit. I noticed a prominent and easy to push button on the side of the piece that sits on your chest. When depressed, one end of the loop slides out nicely to allow you to put it around your neck. It makes a very satisfying click. Let's see if I can do it for you here.
[19:34]Wasn't that satisfying? Makes a satisfying click when it's reset into the chest piece. It feels really well made, very, very solid. The piece that sits on your chest is a soft rubbery lozenge that takes away any worry of this being uncomfortable to wear for an extended period. On the piece that sits on your chest, there's a substantial magnetic ring suspended on a series of three articulated joints. The joints are fairly stiff to rotate because you don't want your phone, you know, flooping around or slowly rotating by gravity while you're trying to record a video. The joints each rotate about 180 degrees, which means you have a lot of flexibility in how your phone gets positioned for recording. With my iPhone mounted via MagSafe to the Amorus magnetic mount, the phone is only about four inches away from the tip of my nose. It's comfortable, and with some work on the stiff joints, I can angle the phone until my hands are clearly in the field of view of the camera. The only problem is that I have trouble focusing on the camera when it's this close to my face. If you're under 40, this may not affect you, and even if you're of the bifocal generation, it's not as big of a problem as it sounds. I found it comfortable to first switch the camera to the right mode, set the field of view before slapping it onto the Amorus magnets. From there, you only need to be able to identify the big button to start and stop recording, and to make sure your hands and the thing you're demoing stay in the field of view.
[20:56]I'm really happy with how well this works. I created a little demo using the Amorus of a nifty little USB-C charger that Pat Dengler gave me. The charger is called the Charge Retro 67 from charge.com. This Charge Retro 67 looks like a tiny original Mac, and it's only two inches tall and one and a half inches square. Because it's so adorable, I thought it might be good for just, I mean, sitting on a shelf. I didn't think it'd really be that useful, but it turns out it's become Steve and my favorite travel charger. I bought him one too. It'll supply 67 watts of power via three USB-C ports. When the charger's plugged in with nothing plugged into it, the display on the little Mac shows green dots and dashes falling, you know, just like in the Matrix. When you plug in any device to set it to charge, it will show you the power transfer level in amps. And it's only $39. This was a perfect object to explain using an over-the-shoulder video with the Amorus neck holder. Considering this was my first attempt, I think the video I created with it came out pretty well. I did let the charger go a little high at one point, so if I had it to do over again, I'd work on rotating the magnetic holder to a better position to keep it even more consistently in view. You can judge my work by looking at the video in the show notes. In the video, you'll hear me say the Charge 67 is $50 on Amazon, but $33 on Prime Day, which was true when I recorded the video, which is why the link in the show notes is direct to charge for $39.
[22:25]When I describe the materials of the Amorus magnetic neck holder, I emphasize to you the soft texture of the loop around the neck and the chest piece's soft spongy feel and how it's designed to be comfortable. I don't take any of that back, but this is not the lightest thing in the world to have around your neck. While the weight of the Amorus is only 8.7 ounces, if you add an iPhone 15 Pro to it, the total weight is just under a pound. It's 15.3 ounces. After wearing it for 10 to 15 minutes, I have to say it was a relief to take it off. The bottom line is that the Amorus hands-free magnetic chest mount solves the exact problem I needed it to solve. It's very well built, it's inexpensive at $23 on Amazon, and it's as comfortable as a device like this can be for the weight of the iPhone. If you need to make videos while using your hands to demonstrate anything, I can highly recommend this solution.
[23:18]
A Surprise Ending to a Networking Problem
[23:19]I've got a networking adventure to tell you about that has a very surprising ending. While the specifics of the story will be recounted purely for your entertainment, there are some steps along the way that might help you in diagnosing technical problems. Remember, we have two engineers with master's degrees in the house, so you should expect rigorous, controlled experiments to eliminate all variables. Some of the elements of this story were reported earlier in an article I wrote entitled Eero, MoCA, ONT, Not a Happy Networking Story. I'm not going to repeat all of that previous story, but parts of it must be interwoven for this story to make sense, because this is an extension of that original story.
[23:56]Steve and I have embraced the smart home promise. We're on the HomeKit bandwagon, and our computers plus IoT products add up to just under 70 devices on our network. I figure NosillaCastaways, we're all probably in that kind of range. Now, if you look at our device listing, you'd think that I'd employed a strategy of choosing as many different IoT vendors as humanly possible, but I promise I didn't do it on purpose. We've got switches from Wemo and iDevices and Meross. We've got lights from Hue and Elgato and Nanoleaf. Door and window sensors and external cameras from Ring. Internal cameras from Eufy. External cameras from Wyze. Water sensors from Ring and Ambient. Let's see, a lock from August. A smart pet feeder from Pet Libro. Daikin thermostats. Smoke alarms by Google Nest. A smart sprinkler system from Rachio. A Tailwind garage door opener, and a weather station from Ambient. This entire mess is controlled by an Eero mesh network. Over the years, I've upgraded or added Eeros here and there, which left us with a bit of a mixture of versions of Eeros over time.
[24:55]Starting about maybe six months ago, things started to go wonky on our network. The canary in the coal mine throughout this entire story has been the Eufy cameras. We'd know things were going wrong when we'd get a notification that said, dining room Eufy camera has gone offline, followed surely by another notification saying, dining room Eufy is back online. In the earliest days of our naivete about how complicated this problem would become, our solution would be to unplug the errant Eufy cam and plug it back in. As soon as we did this to the dining room Eufy, the living room Eufy would go offline. We chased the problem around the house, and eventually it would stop happening. Only to start up again a day or two later. At one point, we realized the way to solve the problem was just turn off those pesky notifications. Band-Aid successfully deployed.
[25:42]But then other things started to get weird. We use YouTube TV as our cord-cutting solution, but we hate the interface. I set up our Synology as a channel server a while ago, and that lets us use it as a DVR with a much nicer interface. We started noticing stuttering and jankiness of the video. Then the Tailwind garage door opener stopped responding to Siri. The August lock stopped opening when we got within range. No Band-Aid was going to help this solution. Our good friend Pat Dengler has a lot of experience working with Eero, and I called her to get advice. Her best piece of advice was to call Eero and ask them to help out. I thought, this is a crazy idea. Who calls the vendor? But I gave it a shot, and I actually got some pretty good help. When I got tech support on the phone, they scanned my network, and the tech helping me noted that I had our oldest and worst Eero set up as the gateway connected to our Fios, and the best one was downstairs in the dining room. The dining room was an Eero Pro 6e, while the other three were Eero 6 Pros. I remember I'd been uncertain whether it worked to put a new one in as the gateway, because with 70-ish devices, I did not want Steve to have to go back in and rename everything. The tech assured me we wouldn't have to go through any of that. They had me shut everything down, swap the 6E in as the gateway, wait for it to come up, and then bring the remaining Eeros back online. Things seemed stable, and we were hopeful we'd solve the problem.
[27:04]Our joy was short-lived. This is the part of the story you may have heard before. I had a call with Bart, and my video was hot garbage for him. While the Eeros were reporting they were getting the full 500-500 symmetric megabits per second that we were paying for, they were lying. At one point, I measured speeds of less than 3 megabits per second. As I explained in my previous article, we don't have wired Ethernet in our house, we have coax cable. So down at the Frontier Optical Network Terminal, the ONT, where our fiber comes in, there's a MoCA adapter that turns the Ethernet out of the ONT into coax. Then upstairs near the Gateway Eero, there's another MoCA adapter that converts it back to Ethernet. After many controlled experiments, Steve got the idea to unplug the MoCA adapter on the ONT end and plug it back in. Boom! Our network was back up to speed. This is where my previous article ended with joy that we'd finally solved our network woes. Bless our little hearts. Well, a few days after I posted that article, the network went into the pooper yet again. While unplugging the MoCA adapter fixed the problem the second time, this was clearly not a sustainable solution. I called Frontier and I asked them to send a new MoCA adapter, but they said they had to send out a tech. I thought that was overkill because it's pretty hard, easy for me to just plug in a new one, but they were hard over that this was the best path forward.
[28:26]I'm very glad they won the argument because the lovely Frontier tech not only replaced the recalcitrant MoCA adapter connected to the ONT, but he also replaced the one inside our house. And then for good measure, he replaced the ONT itself with a shiny new one. All right, yay, all was great in the Sheridan network. Until a few days later when the living room Eufy camera went offline again.
[28:49]Now back before we figured out that the MoCA adapter was misbehaving, I decided to throw money at the problem and drove over to Best Buy and I bought out a three-pack of Eero Pro 6Es. I didn't install them right away because we thought the MoCA adapter was going to solve all of our network ills. While we're still uncertain, I'm sorry, while we're still certain that the MoCA adapter was a problem, we clearly hadn't solved the original problem. Steve was also having a fight with the Hue carriage lights on the front of our house, and the switch in the living room wasn't working either. It was time to deploy the new Eero Pro 6Es. Adding to our one existing 6E, we could have maintained four total Eeros. But we thought perhaps adding one more Eero to the garage would fix all of our problems, so we kept the newest of the old Eeros. Our final layout by then was four Eero Pro 6Es and the one older Eero Pro 6 in the main bedroom. We have a 2800 square foot house, so three Eeros should have done the trick, but why not have five?
[29:48]Well, things didn't get any better. While the carriage lights and the living room switch miraculously started working when we added the garage Eero, anarchy started moving from device to device. One of my favorite symptoms was that while my studio is right outside the room where the gateway Eero is, my devices insisted on connecting to the garage Eero. Now, it's not the dumbest choice as my studio is also above the garage, but I was getting terrible speeds with the signal going through the garage ceiling. I talked to Pat again, and she told me she's convinced that having too many wireless routers actually starts to cause problems. I thought they should be designed to do all the handoffs gracefully, but at this point, we were ready to try anything. We unplugged our beloved garage Eero, and things stabilized. But of course, that joy was also short-lived with the Eufy cams going off and online again. We plugged the garage Eero back in because we might as well have the carriage lights and living room switch working if something else was still wrong with the network.
[30:46]We decided to abandon our house, abandon this network, and take our kids on vacation to Hawaii. While we were gone, I went to check something on our network. I think it was the automated Pet Libro pet feeder, and to my surprise, I could not connect to it. I tried my Tailscale network, and I couldn't reach the Synology or the Mac Mini that are both always online. Our entire house was offline.
[31:10]I was pretty concerned about the cats not getting fed, but I hoped that the Pet Libro would still portion out their food at regular intervals, even without a network. I asked our cat sitter and their dad to check out our house and see if they could find anything obvious about the network. They confirmed that the Synology had blinky lights on it and that the cats were being fed, but they were not able to connect to our Wi-Fi. I knew we'd gone to the limit of their nerd skills, so I contacted our good buddy Ron and asked him if he could go over and do some diagnostics. You've heard Ron on the show before. He's easily as nerdy as us, if not more so. By the way, Lindsay, the daughter, questioned why I cared so much whether my house network was up, but I do check a lot of things. I do like knowing my network is up. So, okay, fine, Lindsay. Maybe I should have just had another Mai Tai and not worried about it, but I wanted it fixed. Anyway, Ron goes over the house. He took one look at the Gateway Eero, and he said, it doesn't have any lights on it at all. Well, that might be the problem. So, the Gateway Eero is plugged into the battery backup side of our CyberPower 1500 volt amp uninterruptible power supply, also known as UPS. Ron reported that the Synology was up with its blinky lights, and it was plugged into the same UPS also on the battery backup side.
[32:26]My only thought was to suggest Ron unplug the Eero from the UPS and plug it directly into the wall outlet. Now, I knew that we had just plugged our new color laser printer directly into the wall outlet, so I told him just unplug that because I don't need to print while I'm gone and plug the Eero directly into the wall outlet. To everyone's surprise, the Eero turned right back on and the network came back up. Ron was our hero. He went home and we went back to sipping our Mai Tais and going down the lazy river with our grandkids.
[32:55]After almost enough Mai Tais and Lazy River rides and quite a few water slide trips, it was time to face the network music at home. When we arrived home, the network was technically up, but things were jankier than ever. Our Ring alarm was on cellular backup rather than having picked up the Wi-Fi. Our motion detection Hue lights would not turn off automatically. Those pesky front carriage lights from Hue were also not responding. Channels wasn't working at all on the Synology. I turned a critical eye towards our gigabit network switch because it's pretty much the only thing I hadn't looked at. The Hue lights go through a hub, which is connected via that switch, as does the Ring alarm system. The Synology is also on that same switch. However, the lights looked okay on the switch, so I was pretty sure it wasn't the root cause. Now, all of these devices get their power through the UPS. The Ring and Hue hubs had power, as did the Synology. On closer inspection, though, we noticed that the display was blank on the UPS. Steve suggested pressing the reset button on the UPS, and that brought it back to life. The Ring alarm went back to using Wi-Fi instead of cellular, and all of the Hue lights started responding again. I still think it's very weird that that fixed it, because they did have power.
[34:08]Anyway, we plugged the Eero back into the battery backup side of the UPS. We also plugged our new laser printer into the UPS for the first time, but the UPS started screaming at us, so we plugged it directly into the wall again.
[34:21]Even though we had things working again, we weren't sure what had caused the Eero to shut down in the first place. Pat was highly suspicious of the UPS at this point, but we weren't sure. It's only six years old, and we had replaced the UPS battery only two years ago. It's also frustrating to deal with this because we have a whole home battery system, so we essentially have our entire house on a surge protector battery anyway, but it seems like another belt and suspenders to have a UPS. Now, we thought we finally had everything working properly, but then the Eufy cameras started going off and online again. Yes, we did consider throwing them all in the bin. But again, remember, they're just the leading indicator. And that's when we came to the final solution. Or as of right now, we think it's the final solution. I hate to say final because, you know, I've thought that before.
[35:08]Steve noticed that the older Eero Pro 6 in our main bedroom had a blinking amber light. Now, we thought we'd seen every light combo before on the Eeros, but this was a new one. I looked it up and it means, quote, unapproved USB-C power source used, unquote. I looked closely at the power brick and it clearly said Eero on it, so it was an approved USB-C power source. However, the connection point of the cable into the power brick had a crack in it. I went to Amazon, bought a replacement 27-watt official Eero power brick for $30, and I replaced the plug. The blinking amber lights went away. And guess what? It's been over three weeks since we replaced the power supply in the Eero Pro 6, and not once has a Eufy cam gone offline or a Hue light refused to react correctly. The Tailwind garage door is even opening with Siri 100% of the time. This is by far the longest time in six months that we've gone without that canary singing in the coal mine, or dying in the coal mine, I should say.
[36:11]All right, but what about that UPS? Now that the network is stable, or at least we think it is, it's time to talk about that pesky UPS. Quite a while ago, we had a power outage, and I remember that same UPS didn't fail over to the battery. I forget why I didn't address it back then, but this week we did a controlled experiment on it. The display said it was providing power and had five full bars of battery. I gracefully shut down the Synology first, and then I yanked the UPS power cable from the wall. It screeched at us and showed us error 21 and fault on the display, and all devices connected to it powered down. Steve did a bit of research on the UPS and found out that error 21 could be a bad battery or could be a bad motherboard. But he also found a really interesting note. It said, never plug a laser printer into a UPS. Well that would have been a good information bit a long time ago to have noticed that. I don't think we blew out the motherboard of the UPS when we briefly plugged in the new laser printer because it had failed us on vacation before we did that, but I'm pretty sure it wasn't working correctly for a long time before this.
[37:20]I gotta say, though, we did have a previous laser printer that could have caused the original problem. I don't actually know. I don't remember. Anyway, Steve looked up the specs on our new laser printer and the UPS. The laser printer draws 960 watts peak. The UPS is rated for 900 watts. Well, a new CyberPower CP1500AVRLCD3 UPS was delivered today to the house. We haven't plugged it in yet. The bottom line is that there were a great many failures to track down on this. We definitely had dodgy MoCA adapters. The UPS was no longer capable of doing the one job we hired it to do. Today I learned that you can't run a laser printer off a UPS either. But to me, the most interesting root cause was the dodgy power supply on the Eero. I don't know how the mesh software works exactly, but I suspect it might have been constantly readjusting which devices went on which routers.
[38:16]The Eufy cams never could have connected to this particular Eero, or never should have, I should say, because it's the farthest one away from them. But if all the other devices were getting shuffled and going back and forth on and offline, I could see maybe that was a problem. Somebody who read my article about this suggested that perhaps the Eufy had enough power to broadcast the SSID, but nothing else. It couldn't actually send it any kind of Wi-Fi signal, so maybe they were connecting to it and not actually getting Wi-Fi. We'll never know, but I'm pretty darn certain that it was the power supply on the Eufy that caused the original problem.
[38:52]
Support the Show
[39:13]I'm gone. You never miss an episode. That's got to be worth some. You learned about this networking thing. You just learned about that. How cool is that? You learned about that thing I put around my neck to make videos. You learn stuff every time. If nothing else, you actually are entertained. So consider becoming a patron of the Podfeet Podcast.
[39:28]
Security Bits – 04 August 2024
[39:30]Music.
[39:38]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Good morning, good afternoon, and good night, Bart. Good afternoon. Hey, it sounds like, are you on a new microphone? Well, there is a new microphone on its way to me, but it's currently a few hundred miles away, so it's not picking me up pretty well just yet. After us having a lot of audio issues, maybe at least half of them are down to the fact that my very trusty mic, which you actually bought for me now I think about it, may finally be at the end of its tether because I had to redo my off-the-cuff Let's Talk Apple in about six different small recordings, which was a disaster. I uttered the immortal words, I'll quickly go record my podcast, dear. And then was not seen for three hours. What exactly happened? It just starts to randomly, first it goes, it makes me sound like a Cylon, and then it just goes silent. So you had replaced the cable because we thought that was what was wrong, but you think maybe the mic itself was failing. Well, now that we have a shiny, very brand new cable, yeah, I do. Or maybe both.
[41:01]It's possible both were broken. At this stage, I know for a fact that there has been some software weirdness. I know for a fact the cable was bad, and I now also think the mic was bad. So I think maybe we had three problems, which is why nothing ever reproduced itself. Because whatever we did, there was never any consistency. It was just, oh, Bart's audio is weird again. Yeah, yeah. So we're hearing you through your AirPods Max, and it's causing an interesting effect. There is a significant delay between, I actually see your lips moving before I can hear you talk, which is really weird. So it actually would be better if I wasn't looking at you because you're responding appropriately, but it's got a weird delay.
[41:39]Well, the most bizarre thing for me is I'm used to having my microphone in front of my face, which makes me think I'm on, and then my microphone is not in front of my face and it's like I've forgotten something. I feel like I've left the house without my trousers. You're in a car without a seat belt or something. Right, yeah, it's not right. Or on the bike without a helmet. I've done something wrong. Done something wrong. Anyway, well, the good news is we have lots of dog way we can hear you, we can understand you, there's no cyborg. But as you said before we started, he said, oh man, I'm gonna sound like one of those noobs their first day podcasting with some terrible mic. But hey, it's understandable, so we're good. That is the most important thing. So let us start with a little bit of feedback and follow-up. Let's just quickly revisit Apple Intelligence. Apple have said that they will share the results of their AI tests with public and government. I don't know what the tests will be. I don't know how exciting this will be, but we will see something. And when we see it, we will talk about it. It's an appropriate thing for Apple to say they will do.
[42:51]Much to my personal surprise, there is now a beta of iOS 18.1, not to be confused with the public beta of iOS 18.0, which is also running in parallel. The iOS 18.1 developer beta contains the first few Apple Intelligence features. Right. Which means we're now getting some real work. Security angle to that though, is there? No, it's just that now we actually get to see if there is any real-world privacy issues they can start to trickle out. Okay. Definitely privacy rather than security. But I didn't think we'd have any real-world experience of what this was like for months and months and months from now. So it's kind of interesting. The text rewriting is already in place, which is definitely interesting. And the other thing that is very interesting is that during the earnings call, Tim Cook said that Apple are actively talking to regulators in the EU and China to get Apple Intelligence over there, basically without them having to be sued afterwards, but get it launched in agreement with the regulators, which seems like a better approach to me. This is me holding my breath. Relieved.
[44:05]We shall see. Well, I'm using Meta as my one previous example, because Threads is the only new service of any importance to roll out after the launch of the Digital Markets Act. And that had about a six-month delay and came with a bunch of privacy improvements for Europeans as a result. So if the same happens here, I won't be sad.
[44:32]But, you know, hey, an N of one, what a great thing to base anything on. Right. Of course, last time we had a lot of news last time. We had very little news this time. So we're going to spend most of our time on deep dives. And I think even though we spent a lot of time talking about CrowdStrike last time, last time it had the disadvantage of being extremely recent. Right. And we were reacting to news that had happened, what, 72 hours before we recorded? I think it was Thursday into Friday and we recorded on Sunday. So we now know a lot more. And I need to visit the Department of Corrections to correct something I said to you. I don't remember if I said it off the air or on the air, but either way, I'm going to correct it on the air because I was either wrong in private or in public. But nonetheless, let us discuss reality because that's way more interesting.
[45:27]If people just wanted the highlights, there are three new pieces of information that cross my radar. The first thing we know is a little bit more detail about the error. So this product is designed to observe the world for new and unknown attacks, detect them by sending lots and lots of data to AI in the cloud, which goes crunchy, crunchy, crunch, crunch, it spits out, mauga, new weird, and then send a protection rule back down to everyone. Obviously, you want those protection rules to be updated ASAP. So I was very much saying that if you're running cybersecurity, you don't want to say, oh, no, I'll stay three updates behind on my CrowdStrike, because then they know about an attack that's happening and you're sitting there going, no, no, no, no, no, no. That's not a good idea. Defeating the purpose of it. Yeah. But it turns out that the update that broke everything was not a defense rule. It was not a protection rule. It was an update to the sensor. It was a new type of information they wanted to start hoovering up to feed into the AI.
[46:38]And that's way less forgivable that they push out their sensor rules with the same level of urgency as their protection rules, which I agree need to be pushed out ASAP. So what actually happened was in March, they very carefully released a whole new sensor. So a whole new data type. And they tested that really quite carefully, but it's only been around since March. So it hasn't had as much real life experience as some of the sensors that have been around for five years. Wasn't March when it affected Linux? Yeah.
[47:12]It was, actually. I wonder if that's... I don't know. I don't know. But that's an interesting... I don't like coincidence. It may not be unrelated. It may not be unrelated. Interesting. But what they pushed out on that Thursday to break everything was a new pattern to ask this new sensor to look for. And that pattern had to be processed by a parser. One of the most difficult things in all of computer science not to get wrong is parsing. That is why PDF readers have been responsible for more software bugs than you can shake a stick at. And their parser was running in the kernel. So they pushed down a new pattern for their new sensor to look for. And when processing the pattern, they had a blue screen of death over and over and over again.
[48:05]So the first thing they've been asking, I've been waiting because I didn't want to interrupt the flow. I want to make sure it wasn't a typo of voice. You said to hoover up and put into the AI. Did you mean AI? Yeah. Oh, okay. Oh, yeah. Absolutely. So the magic of their system is a cloud-based AI that effectively has remote eyes on all of those endpoints. So when some new South Korean or North Korean starts to do something weird on one machine in one basement of one large multinational company, that gets seen by the AI. And then everyone who is paying the very, very big bucks to be a CrowdStrike customer gets protection from that one thing spotted by that one sensor. So the magic is that they see and they act. Okay. And AI is at the heart of it. Okay. But AI wasn't lame here. AI wasn't to blame. What was to blame was a symmetric update process for two asymmetric things. Updating your eyes is way less important than updating your shields.
[49:12]And they had been, and probably still are, doing their shields at the same update rate as their sensors. And that's silly. And so the definite thing that I think they need to do, because it turns out there is a setting already in CrowdStrike to say, I want to be one update behind, or two updates behind, or three updates behind. But no one wants to be behind on cybersecurity protection. So I think there needs to be two buttons.
[49:43]Yeah, precisely. So I should be able to say I want to be up to date on the protection and one, two or three behind on the sensor. Do the sensors updates, do they go through the same rigor, do you know, that the definitions, I'll call them, go through? True. As I understand that, the process is the same at the moment, which is kind of the problem, that they have one process for updating both aspects of their product and they probably need to have two. And they should balance the risk, yeah, the risk reward differently on the two because they're a different risk profile. Yeah. But what they are going to do, which is I think the minimum they can do, is they are going to start to roll out their updates in tiers. So like Apple do in the App Store, like when Marco Arment hit publish on the big new version of Overcast, some people didn't get it for days and days and days unless they proactively went looking for it, and some people got it straight away. And that's because Apple by default released stuff in tranches, and the effect is that the developer has a chance to hit the emergency stop button when the first complaint comes in from the first unlucky customer, and it doesn't have to break everything for everyone.
[51:02]Okay, right, right. They're now going to do that on these rolling updates and they only really need to put in a delay for 10 minutes. That's probably enough, right? If you put something out and 10 minutes later, all of your sensors go dark because your machines are BSODing, well, you don't need to do that to thousands of machines to figure out that's a problem. You don't have to wait half a day to figure out that's a problem. That's pretty instant. So this shouldn't have a dramatic reduction in protection, but it should have a dramatic reduction in the blast radius should something go wrong. You're on point on your wording today. I love it. Blast radius is a good way to describe it. So has this all come out because CrowdStrike did its outbrief of what went wrong? Yeah. They have released their initial, they had a nice word for it, but basically this is the early bird, first draft summary of what happened and a more detailed post-mortem will come later, which is reasonable. And that more detailed post-mortem needs to come with a description of details of how they're changing things. That's going to take more work for them, more engineering, but they've released an initial incident report, which is reasonable.
[52:17]So I'm more interested actually in the deeper technical question where I get to visit the Department of Corrections. So you asked me, could this happen on the Mac? And I think it was before we hit record, but I'm just going to pretend it wasn't. And I said, well, yeah, of course it could because making people digitally sign everything that goes into the kernel gives you accountability, but it doesn't stop stuff from the kernel taking the whole system there. And that is not incorrect, correct, but I was one macOS feature behind in that description. So it is true that everything that goes in the kernel must be digitally signed. And it is true that right now today, you can still add a kernel extension to the Mac, a kext file, as it would have been known to the nerds. And you absolutely have to digitally sign it, but you have to jump through a lot of hoops to get a kext into a Mac these days. And that's because the hoops are the stick, but Apple have provided a carrot.
[53:14]There is actually a dedicated type of system extension, which is a replacement of Kext, specifically for cybersecurity products called the Endpoint Security System Extension. And this API allows apps like CrowdStrike to get handed all of the events they need access to. So every time a process is started, every time a network packet arrives, every time a piece of RAM is read, everything that they would be doing through their kernel driver, they now get handed those events by the operating system. But they get to listen for those events as a regular app. So the operating system is doing the privileged part. So they don't have to have the privilege. So if their code crashes, it's like any other app crashing, not take down the whole operating system. So basically, the operating system has become a person in the middle, handing them the information they really needed. And these cybersecurity companies don't want to be in the kernel because they, better than anyone else, understands the danger that comes with being in the kernel. But on Windows, there is no equivalent API. So they literally don't have a choice on Windows. Either don't get the events they need to do their job.
[54:26]Or run in the kernel. And in Linux land, depending on which version of Linux you're on, and depending on which version of which distribution of Linux you're on, there is an answer in Linux land too, which is a really cool answer. It's something called EB, hang on, eBPF. I always get these letters wrong. It used to be an acronym for the Berkeley Packet Filter, but it's been expanded. And it started off as purely for firewalling, but it's now been expanded to cover process creation and every other event you could care about. So they've decided instead of renaming it, they're just going to say eBPF now stands for nothing. So it's not the extended Berkeley network or packet filter. It's just nothing. eBPF is just eBPF. But nonetheless, it is exactly equivalent to what Apple have provided, an API for not kernel apps to have full access to kernel events related to cybersecurity so they can do their job without sitting in the kernel, which means they can crash without taking the system down. Yeah. So Linux land has eBPF. Apple land has the system extension for endpoint security. And Windows has bupkis. So they could do eBPF though.
[55:50]They could because it's open source and they could absolutely implement it. Or they could duplicate Apple's work and roll their own. But right now they have no alternative. So literally the only way CrowdStrike can work on Windows is to be a full kernel driver. And the fact that they have updated their software on other platforms not to be a full kernel driver shows that they're perfectly willing to. It's not that CrowdStrike are unwilling. It's that on Windows, they are unable. Okay. And so that actually puts the finger back at Microsoft.
[56:28]So we don't know that they aren't working on that or that they are working on that. We only know they could be working on that. I have heard from sources within the open source community that there is activity within Microsoft experimenting with eB, Berkeley Packet, eBPF for Windows, but whether that has management buy-in, I have no idea. I just know that there are techies in Redmond experimenting with it. So I don't know. But if the outcome from all of this is that someone lights a fire under it, maybe as part of a supposedly really important security thing that has just been announced by your CEO saying it's the single most important thing on the whole platform, maybe now's a good time to fix this rather large issue. So, yeah, I initially didn't want to point too much of a finger at Microsoft, but having read some more detail about the deep down nerdiness of it all. Yeah, Windows genuinely is more vulnerable because it genuinely is missing a feature that other modern operating systems have. So that needs fixing. Okay. Well, I like that your instinct is to go light on blame until you know what for sure and then point where appropriate. Yeah, I'd much rather say I was wrong about a nerdy technical detail than I pointed my finger at the wrong people. Right, right. That's a lot easier to back off on.
[57:55]Exactly. Now, deep dive number two does not make me even vaguely happy whatsoever. And I think you may get and I told you so here because I said, no, no, no, Google, well on track. They're absolutely going to get rid of third party cookies. They've just been a little bit delayed by some regulators in the UK. I'm sure this will happen in early 2025, just like they say. Right. Where's the humble pie? Because I gotta go have myself a big feast. And Google have changed their mind. On second thoughts, we're not gonna stop doing third party cookies. I always wondered what their... they had no motivation. All 100% of their motivation is in the other direction. I don't know about that, because Google is Google. Google is an organization with many different people in it, with many different points of view, with much internal strife. Obviously, the ad arm of Google is no more keen to see this change than the ad arm of anywhere else. It's still the money pipe. You're right, it's the money pipe. But it's not the nerd pipe. Oh, I know, right? Ultimately, I think in the show notes, I use the analogy because I used to say that incentives are like railway tracks that inevitably companies follow. But that's not quite true. You can not follow an incentive. So incentives are like a highway.
[59:15]You can ignore the highway and just drive straight on when the highway turns. But in reality, realistically, most vehicles stay on the highway. So incentives are where most companies go most of the time because they're staying on the highway. And you're right. You follow the money and that's right where you go. So what they have said is they're going to provide some sort of a UI, which they promise will give users some sort of informed consent where users would then have the option to disable third-party cookies themselves.
[59:47]They're also going to keep working on their technologies that are alternatives to third-party cookies, their so-called Privacy Sandbox, which is a brand that has been consistent, which they have used to label all of their attempts at fixing this problem. And their success rate hasn't been great, and FLoC was a disaster they abandoned. But honestly, if their current attempt at solving this problem without cookies, in other words, to allow
[1:00:20]reasonable ad targeting without invading privacy, if anyone on planet Earth other than Google had designed their current offering, which is the Topics API, I think it would float. I think it would be quite popular. The problem is Google are such a compromised actor here with so many gapingly obvious conflicts of interest, that they can't be the people offering the solution because it's so easy for the ad industry to say, hey, regulators, see that person over there who has over 65% of the browser market share with their next closest competitor having only a third as many clients and who are one of the biggest players in the ad industry who are our biggest competition.
[1:01:08]They're the ones trying to change the rules and forcing us to change everything. That's an easy message for the ad industry to wield. And they wielded it with great success because that's how this died. This died by UK regulators pushing back. And they weren't pushing back because it wasn't protecting user privacy. They were pushing back because the ad industry said that the balance was wrong between user privacy and the ad industry. And if the W3C in collaboration with the EFF and the Apache Foundation had come up with the Topics API, it'd be a winner. But Google came up with it. And Google tried to universally enforce it on the industry. And that's not going to float.
[1:01:56]So it is my analysis, and it's purely my opinion, so it's not fact, but my analysis is the only way we get rid of third-party cookies is if Google shut up and just let someone else take the lead and row in behind, which the ad arm of Google is not incentivized to do. And they've clearly already won, because they've said, nope, not going to do it. Right. Yeah. So I think the only thing we can hope for is that this supposed proposed explicit opt-in is as successful as App Tracking Transparency. If it's as auger and as clear of a button that is as explicit about what your choice is, then users will say, uh, no, why on earth would they do that? If users say no, then the incentives flip, and the ad industry suddenly thinks that actually, that Topics API idea, that's a fantastic idea. And then this could all flip around. There's a few ifs down from here. So I'm going to stay tuned before I make any more predictions. I'm going to be very, very careful about saying things out loud for a while as I sit back and watch. Can I ask a dumb question? With great disappointment. I'm not sure there's such a thing on this topic.
[1:03:20]So Firefox and Safari have been blocking third-party cookies for a while, right? Right.
[1:03:28]Then how come every time I go to a website because I'm in California and there's a law about it, it asked me, do I want to allow third party cookies? If they're blocked, why aren't they just because I have to keep answering those annoying questions.
[1:03:42]OK, so. Cookies are one mechanism for tracking you. They happen to be a mechanism that happens on the client side, which means they happen to be a mechanism the browser can protect you from. You can also do the tracking on the server side.
[1:03:59]It's more work. It's more effort. It's less universal. But if you have a partnership between your website and another website, you can do all of that information sharing on the server side and none of it on the client side, and the browser is 100% powerless to stop you. The only thing that stops me is the law in California, and in the EU you have the same thing that protects you. GDPR. Gives you a pop-up. Okay, question two. That does answer the question. Thank you. Question number two. I thought there was some sort of body somewhere that fights people who do dark patterns. And I have a suggestion for that body if it does exist and it's not just in my fantasy. If you give me a pop-up to turn off the evil cookies, you shouldn't be allowed to always have it scroll so that I can't see the switches and I have to scroll to get them up on screen. Some of them are real good. They pop up and they just go, only necessary cookies. So it's click, click, and I'm done. But the other ones, there's one, and I don't remember which one it is, but it scrolls so that you can see like half of a switch and you have to scroll and you hit the first one and it scrolls back down again. So you have to scroll up and hit the second one. That should be by that regular body of don't do dark patterns because that's really evil, right?
[1:05:24]Agreed. And the GDPR says that consent must be freely given and must be easy to opt out. So those websites are in breach of the GDPR. The thing is, there are so many bigger problems out there that enforcement hasn't gone to that level. Yeah. Yeah. Okay. Well, go GDPR. I'm a fan. Agreed, and you're right, I hate those signs. The one I'm so happy with is
[1:05:57]Stack Overflow. Used to be one of those, and they changed it. So it pops up and there's a button that just goes, don't track me, you mean people. It's like a one-click fix. And it used to be two. And I was hesitating to go to Stack Overflow links as a result. Yeah. The ones that really, really drive me nuts are the ones where they give you a button of yes and manage. And then manage brings up a thing. Only sometimes manage brings up, here's what our security policy is, and I'm not actually giving you the option. And I don't understand those. Those are even worse. And they're definitely, definitely not in keeping with the law. But yeah, like I say, there are bigger fish to fry for the GDPR at the moment, which is not a good sign. But anyway. But yeah, hopefully that answers that one. Yes, thank you. So unless you have any other questions or thoughts, I think it's time to move on to business as usual.
[1:06:54]So, patchy patchy patch patch time. And if you live in Apple universe and if you have an even vaguely modern Apple device, patchy patchy patch patch. We have Safari 17.5, which goes back quite a few operating systems. We have iOS and iPadOS 17.5, as well as 16.7.8. So we have two layers of iOS and iPadOS back. In the Mac, we have three layers back. We have macOS Sonoma 14.5, Ventura 13.6.7, and Monterey 12.7.5. watchOS and tvOS are just one update back for 10.5 and 17.5. But that's a lot of patchy, patchy, patch, patch for people.
[1:07:41]And the other bit of news is just a really, really annoying story. By the way, your title was in July. July 2024? Oh, I guess it's just August. Yeah, because this happened a few days ago. It's the 4th of August, yeah. Just looking to see exactly how far behind I am. Well, I think we last recorded it, was it the 21st? So, yeah, that's all these 10 days of July that were in this show notes. So this next story, I already could hear you shouting at me before I started writing the show notes. So I've done my best explaining why it's in the show notes. There is thankfully a list of all affected devices. So at least there's a way to check if this is you. I warn you that the list is disappointingly long. Wrong, particularly if you built your own PC using one of the most popular brands of motherboard out there from Gigabyte, because they seem to be patient zero of this particular mess.
[1:08:47]So what has happened is that... At the foundation of Secure Boot is the digital certificates that ship as part of your motherboard's BIOS, not BIOS, UEFI. They are the anchor of trust for all of the chain of trust that builds up from there to securely boot your PC. And Intel released a sample driver as an aid to help hardware vendors implement Secure Boot. And in that sample, they included a certificate literally labeled, do not trust, do not ship. Like, you can't really be clearer. This is not a certificate that should ever be in anyone's trust store, and it should never be shipped anywhere. That is a certificate that is baked into these hundreds of devices. And the private key has leaked. So that certificate is worthless. So all of those devices can have malware in their UEFI, which is a ye olde BIOS virus like we used to get in the PC days, where the answer was you take the PC, you go to the trash can and you replace the PC in the trash can, because every OS you install will get re-hacked every time you reboot because the baddies are in the BIOS. Well, now the baddies are in UEFI.
[1:10:11]And the fact that this happened because some very overstressed, probably, software developers were rushed into releasing a really crappy driver that has a certificate labeled do not trust, do not ship, and then shipped it to millions of people. So basically a firmware is needed. So like, yeah, if you have hundreds of devices from popular vendors like Dell and Lenovo, it's got to be millions of PCs. Wow. Wow. So yeah, look at the brands. No people don't know how to do UEFI firmware updates, right?
[1:10:49]I believe, no, I don't live in Windows land. I don't live in Windows land a lot, so I don't know how this is for everyone. The small bit of Windows land I live in is Dell land. And in Dell land, Dell will proactively push you firmware updates in the same way that the Mac does. You do have to say yes, but it will at least offer them to you. So I think the vendors do make this possible these days compared to the bad old days? I don't want to do it. The takeaway here, though, is it is actually important in PC world to keep an eye out for firmware updates for your hardware, especially if you've built your own PC. If you're the kind of person who goes out and buys a really cool motherboard and a really cool graphics card, A, your graphics card particularly may need updates to make it not be all crash happy and to give you better performance playing your games, which is probably why you built your own PC. And B, there are really good security reasons at the moment because I don't know if it's that cybersecurity researchers have become really interested in UEFI, but there have been a lot of UEFI problems flagged in the last six months and a lot of firmware updates as a result. Okay, okay. I'm going to word this question more poorly than most of my questions. Okay.
[1:12:16]Setting expectations low that this is going to make any sense. On Daily Tech News Show, they've been talking about hundreds of thousands, millions of PCs that have actually been permanently somehow broken. I'm wondering if it's this or if it's conflated with CrowdStrike. What is that? Okay, so what has happened is Intel had some firmware that caused some of their CPUs to actually overheat. So when that firmware failed to protect the CPU from overheating, it physically broke the CPUs. Oh. And they have now fixed the firmware, so they're going to stop breaking more CPUs. Oh, jeez.
[1:12:59]But you can't use a software update to unbreak a CPU. An overheated PC. An overheated piece of electronic that has basically melted. So they now have a massive recall problem because they have all of these chips out there that are broken and they broke them and they're going to have to fix them. And this was Intel? Intel. So it's across the hardware vendors. They're having a very, very bad time right now. They really are. And where I live, I am not quite within a stone's throw of one of Intel's most important campuses, but I am within five kilometers of one of Intel's most important campuses. Many of my friends and colleagues have family working in Intel. And things are not going well. Things are really not going well over there. They missed the AI trade. 15,000 people being off in a year. Jeez.
[1:13:54]Yeah. Oh, there's a sting in the tail on that one, I discovered. Um, they gave everyone a pay cut last year in exchange for some shares that would vest in a year's time, and those shares vest after the deadline for voluntary redundancy. So either get the shares for the pay cut you've already suffered or take your chances when the shares are probably not worth anything either, because they're probably underwater of when they were.
[1:14:23]There's a fair point as well. Yeah. But they were free shares, but a year delayed. So they cost nothing. So they are worth something. But if you take the voluntary redundancy, that pay cut you've had for the last eight months, you're not getting the shares you were promised in exchange, which is just mean. I was like, well, maybe they didn't know. I was like, maybe they didn't know. And I just got this look of, Oh, Bart, don't be so naive. So, yeah. Jeez, having lived in a, we worked for Hughes Aircraft Company when it was purchased by General Motors. And we were a 60,000 person company when they bought us. And when they sold us five years later, we were a 30,000 person company. It is not a way to live. Five years. Five years, 50% cut. To be fair, at least 30 of that should have been done, in my opinion, retroactively. But, right, but even that doesn't make it a fun experience. Oh no. It's as my brother described it when he worked for a company that was under huge layoffs. He said you'd go to the bathroom and yell, cover me.
[1:15:31]Yeah, you're fired while you're gone. I have friends doing the math, going, if I take redundancy, can I pay off the mortgage, and then can we live on one income instead of two? It's not good times. Anyway, that happy news. What have I got next? Some notable news. I'm sorry, I'm going to back you up one more time. The article that you linked to, your text is correct, but they're incorrect. They say watchOS 10.5. I already have watchOS 10.6 installed automatically. So I think they had a little typo, so I might edit the show notes just to say that. Brilliant, yes please. Probably not a big deal, but.
[1:16:12]I wonder if the tvOS is off by one as well because don't they usually come together? Maybe not. Maybe the watch is one out. Maybe that's why they were wrong. Maybe. I don't know. Okay. Anyway, thank you. Right. So the US Department of Justice is suing TikTok for breaching COPPA in the past.
[1:16:36]And I'm sort of paraphrasing TikTok. The... oh, it's a U.S. law that basically says you can invade the privacy of adults but not people under 13. Okay. Yeah, it's Children's Online Privacy something Protection Act. I knew the PA at the end. There we go, we've got there together: Children's Online Privacy Protection Act. It's a very old law, rather poorly written because it's a very old law, but anyway, it does protect children under 13. And as best as I can work out from reading between the PR lines, TikTok's response is, but we stopped, which isn't really the world's best response. I mean, it's better than, oh, we're still doing it. But I don't think that's going to get you off the hook. I think you will be paying some money to the DOJ in response for that. Which is a really good segue into Meta, who are indeed paying 1.4 billion with a B dollars to the state of Texas, because up until 2021 they were breaching Texas's rather strict laws protecting biometric data with their very controversial feature for automatically doing face recognition and tagging people in photos. They finally abandoned that in 2021 when the whole world was like, enough already. But they had been breaking the law until 2021, and that is going to cost them 1.4 billion with the B dollars.
[1:18:01]So that is a settlement, which means officially they're saying we did nothing wrong. Therefore, we're paying $1.4 billion officially.
[1:18:10]So with all of that out of the way, two nice little tweaks for Google Chrome. Google is giving an improvement to the malware scanning they do on downloaded archives, zips and RAR files that are password protected, which is now a thing attackers are using to sneak by virus scanners because if it's password protected, even if you put the password right next to it in the email or whatever, it still stops the automated scanning. So now Google in their little download pop-up will let you enter the password there and then and allow Google to scan the file before you open it basically with your help to give them the password. In a corporate environment, you can block this behavior because there may be corporate secrets that you would be giving to Google to virus scan. But in the home environment, it seems like a perfectly reasonable thing to do. And so the fact that it's all built into the UI and that you could very easily do it seems like a good idea. So I think that's a nice feature.
[1:19:07]And purely for Windows people, the Windows version of Google Chrome is getting an update that will make use of a relatively new Windows API called App Bound Encryption, which sounds very fancy. See, basically, it gives equivalent protection to what the Keychain provides on macOS and what the various credential managers on Linux provide on the Linux end. So when Chrome needs to save secret things, other apps on the system can't see those secrets. They could before. Which is just what you want. Yes, they could before, again, because Windows is a little slow to the party with security APIs. Hmm. Okay. So Apple have had their Keychain for as long as I remember being an Apple user, which means it goes back to at least Mac OS 10.3, and I'm sure it actually goes back to 10.0. I'm pretty sure the Keychain came with the first version of Mac OS X, to be honest. But either way, Windows has been quite behind on that. So now they have App Bound Encryption. Good. And Google are using the API. Good. So yay. Nice little feature.
[1:20:19]And the last story is a really interesting one, because this is one of those eternal questions in cybersecurity. If you know that devices are hacked, taken over, enrolled in a botnet, and are currently not doing anything, they're just waiting to pounce, and if you know of a way to reach into those hacked devices and clean them up, is that okay to do? And as a cybersecurity company, it is not okay to do. But as a government, you can maybe balance things differently. So the French government in the lead up to the Olympics, because they were afraid someone might sabotage half their country, which is not, it turns out, an invalid fear, given what happened to the train network. They reached in and unhacked thousands of devices that were infected with the botnet. Really? With the help base. Yeah. So there was a PlugX malware on a whole bunch of devices. And with the help of a cybersecurity company who figured out a way to hack back, but refused to do it themselves because that would be illegal. But the French government basically went, you give us the code and we'll click the big scary button. And they did. So they only two French IP addresses, though. So an interesting one.
[1:21:41]But as I say, they weren't wrong to be worried about someone trying to sabotage their country, because they did have a few interesting episodes at the start of the Olympics. So anyway, I then have what we're kind of in the semi-palate cleansing, but I didn't think this was worthy of calling a palate cleanser, because who listens to an interview with privacy specialists for fun? So I've put this under interesting insights, but it is a fairly detailed, tilt. I think it's at least half an hour long. It might be four to five minutes. It's a video interview with two senior Apple people responsible for privacy. We have Apple's user privacy engineering manager, Katie Skinner. So that's obviously a technical person. And Apple's privacy product marketing lead, Sandy Parakilas. I'm going to probably butcher the poor lady's his name, which is obviously a marketing exec, two very different points of view, both interviewed together, resulting in a very interesting conversation, actually. So that is a YouTube video linked in the show notes.
[1:22:51]That sounds... Not quite. Yeah. Close to palate cleansing. Yeah, it's interesting, but not quite palate cleansing. But I have a real palate cleanser. Okay. Okay, and I've added one too that you don't know about. Oh, yeah, good. Good. Well, do you want to go first then? Well, sure. I've got to give Alistair Jenks credit for it. Alistair owns the Delete Me channel in our Slack. I try to compete, but he owns it all the time. He posts the best stuff. And he posted a message from a Mastodon post from a guy named Jason Eckert. And I don't know where this guy's been hiding. He has 22 people following him, and he's following 29 people. He has posted 172 times. 95% of them are hysterical nerd jokes. And they're just absolutely absurd. Like, oh, God, where's a good one? Oh, things like this. Whenever someone is feeling down, I always tell them to update their Microsoft Office software. That should certainly improve their outlook. Or, I saw all of my dad jokes in an SQL data... database. Database, get it? Uh, the one that he posted was, the first step in solving any problem is to dramatically underestimate its difficulty. Oh yeah, that's true. That was very true. He posted a picture of a lightning cable, and all he said next to it was, very, very frightening.
[1:24:20]Even I got that music joke. How about, parents, introduce your kids to Arch Linux and they'll never have time to buy drugs.
[1:24:28]That's wise advice. Okay, so I want to see us double Jason Eckert's numbers. Within a week, I'm going to check, and I want to see him up to 44 followers from 22. At least 23 after we finish recording, because he's getting one from me straight away. Come on, folks. We can do this. All right. He's going to go, where did all these people come from? In fact, you can also mention him and say, thanks to an amazing plug on the NosillaCast. That could be interesting. There you go. You may even get a retweet. Anyway. And we'd get a retweet to the 44 followers he'll have. Oh, yeah. Okay. Wait. Yeah. The last person, when we get his numbers really high up, they should do a retweet. Anyway. A retweet. Retweet again. Anyway. So I have a palate cleanser of the podcast variety. Not surprising for me.
[1:25:24]This is another excuse for me to plug a show I adore. It's called 20,000 Hertz, which is a reference to the range of frequencies we hear with our ears. And it's one of those podcasts that is very low in volume. There might be six episodes a year, but they're very high in quality. And the most recent episode is one Apple fans will adore. It is the story of some of the most iconic sounds that we know, including that tritone ding that started life as the your CD is ready in iTunes sound and has made it all the way to the iPhone where it became the iconic you have a new message sound. Oh, really? Yeah. The story of who discovered it, a dad, and how much joy he takes in telling his kids every time he hears it from their iPhones, I made that. It's really quite fun. A lot of it is interviews with the actual creator, but there's also the story of other iconic sounds like marimba, which we've all heard of. So it's very interesting, and as an Apple listener, you're going to hear all the sounds. You also get to hear the sounds that nearly made it, the alternative universes where these could have been the sounds of our iPhone. I think they chose well. I think our phone sounds better with the choices they did make rather than the rejects that made it on the cutting room floor, but it was fascinating to hear the process and the rejects, which are particularly cool to hear.
[1:26:50]And that's all I got. Well, that sounds fun. This was reasonably light. I guess we are in the end of the silly season here.
[1:26:58]Oh my God, are we in the silly season. So that episode of Let's Talk Apple that was such a train wreck to record, there was almost no news, which is really ironic that what should have been the shortest episode of the year turned into a three-hour epic on my end. But yeah, the same has definitely spilled through here on Security Bits. There are no conferences. There's nothing happening. Everyone's on holidays. Even the baddies are sunning themselves. Apparently you get good perks in cybercrime these days and they're all off having a good time. Or maybe they're all off watching the Olympics.
[1:27:25]Maybe that's what's going on. Either way, it's all quiet now, but that does not mean that you should not absolutely stay patched. So you stay secure. Well, that is going to wind us up for this week. Did you know you can email me those reviews for Bart and Alistair and Jill? You can email them to me at allison at podfeet.com. If you have a question or a suggestion, though, just send it on over. I will be checking emails while I'm gone. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. Heck, maybe I'll post pictures of like, I don't know, elephants or tigers or something. I don't know, whatever animals I see. That's probably where I'll be posting them. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. If you want to join in the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show by going to podfeet.com slash patreon, or with a one-time donation at podfeet.com slash paypal. And if you want to join in the fun of the live show, you're going to have to wait until September 8th to join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
[1:28:33]Music.
[1:28:43]Wait, the live chat room's telling me there's no tigers in Africa.