NC_2024_08_25

This episode reviews the Clicks keyboard for iPhone, discusses Termius for remote server management, evaluates the Wahoo RPM cadence sensor, contrasts VPNs with iCloud's Private Relay, and covers recent cybersecurity news and tips.

2024, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

Intro
Clicks Keyboard Case for iPhone
Termius Mobile Terminal for iOS
Cadence RPM sensor from Wahoo
Dumb Q - VPN Vs. iCloud Private Relay
Security Bits
Outro

Long Summary

In this episode of our tech-centric podcast, we dive into a variety of innovative topics, starting with an honest review of the Clicks keyboard for iPhone—a device I once considered unnecessary. Over the last few months, however, I’ve come to appreciate its value as a typing solution, particularly for those who prefer to express their thoughts while on the go. The Clicks keyboard, resembling the old BlackBerry keyboards, features a tactile design aimed at touch typists, complete with backlit mechanical keys. I share my experience of transitioning to this hardware keyboard and how it has improved my writing efficiency, especially during walks.

Moving forward, we hear from listener Kurt, who contributes a segment on Termius, a mobile terminal app for iOS and iPadOS that allows users to interact with remote servers through a command-line interface. Kurt explores its features, such as seamless host management, support for SSH and MOSH protocols, snippets for quick command execution, and the ability to securely log in with private keys. He emphasizes how the app supports both free and paid versions, making it accessible for solo users while offering additional features for team collaboration in the premium tier.

I continue the episode with a review of Wahoo's RPM cadence sensor, which has augmented my cycling routine. The sensor provides crucial real-time data about my pedaling cadence, allowing me to optimize my exercise. I explain how tracking cadence has drastically improved my performance by keeping me in a more efficient power band and preventing negative feedback loops when my workout isn’t going as planned.

Listener Linda poses a fascinating question this week regarding VPN versus iCloud's Private Relay, a query that illustrates the difference between privacy and security tools. I clarify that while both have their roles, a VPN offers superior security and encryption for a user’s online activities, making it the more advisable choice in most cases.

The episode shifts to Solo Security Bits, where I take the plunge into recent cyber news despite my apprehensions about flying solo. As I break down various security advisories, including urgent patches from Microsoft and Google, I emphasize the importance of keeping software updated in light of recent vulnerabilities. Additionally, I discuss significant developments in the security landscape, including a staggering 2.7 billion record data breach and new privacy regulations impacting companies like Google and their use of AI.

To conclude, I build upon the overarching theme of security by providing a set of practical tips for listeners on how to protect themselves in light of growing online threats. I urge everyone to stay informed and proactive about their digital security in this ever-evolving landscape, summarizing the need to regularly patch systems and remain vigilant against the latest scams and misleading ads.

Brief Summary

In this episode, I review the Clicks keyboard for iPhone, discussing its tactile design and how it has improved my typing efficiency on the go. Listener Kurt shares insights on Termius, a mobile terminal app for iOS and iPadOS, highlighting its features for managing remote servers.
I evaluate Wahoo's RPM cadence sensor and its impact on my cycling performance through real-time data. Listener Linda asks about VPN versus iCloud's Private Relay, and I explain why VPNs provide better online security.
In Solo Security Bits, I cover recent cyber news, urgent software patches, and significant data breaches, emphasizing the need for updated security measures. I conclude with practical tips to help listeners enhance their digital security in an evolving threat landscape.

Tags

Clicks keyboard
iPhone
typing efficiency
Termius
mobile terminal
Wahoo RPM cadence sensor
cycling performance
VPN
iCloud Private Relay
online security
cyber news
software patches
data breaches
digital security

Transcript

[0:04]
Intro
[0:00]Music.
[0:10]A technology geek podcast with an ever so slight Apple bias. Today is Sunday, August 25th, 2024, and this is show number 1007. I have what I hope is a fun show for you today. We are going to start off with me reviewing something I used to scoff at, the Clicks keyboard for iPhone. Then we have a guest segment very kindly sent in by listener Kurt on the Termius mobile terminal app for iOS and iPadOS. Then I'm back for another hardware review to do with fitness, specifically the RPM cadence sensor from Wahoo. Then we have a lovely dumb question from listener Linda on VPN versus iCloud Private Relay, and we finish up with a solo Security Bits. I'm always a bit nervous about doing those, but I've done my best to make do without my wonderful sidekick Allison, so fingers crossed, hopefully I have done a good enough job to help you stay patched so you stay secure.
[1:12]
Clicks Keyboard Case for iPhone
[1:14]This is one of those reviews where I kind of start off eating some humble pie. I was definitely one of those people who said that a keyboard on a phone is a very silly thing and Apple is dead right not to have one and only an idiot would want to have a hardware keyboard. I'm sure I said that. I'm sure younger me said that. Either way, I'm going to review a keyboard for an iPhone. So yeah, those of you who remember me being so scoffing and dismissive, yeah, you get to say I told you so. Okay, the NosillaCast rules.
[1:48]After apologizing and eating one's humble pie, one must state the nature of the problem to be solved. What is the nature of the technological emergency? Just thought of that. Anyway, for me, the problem to be solved is that I like to get a fair bit of exercise every day. I don't feel good if I'm sitting still. Also a little bit of ADHD and sitting still isn't my thing. So I actually do better writing while walking. And it's kind of a skill to look simultaneously at your phone and around your phone so you don't kill yourself. But I'm pretty darn good at that skill at this stage. But typing on a touchscreen with no feel while walking, which is an inherently the mobile thing isn't efficient. I think the Allison-approved word is fiddly. It is fiddly to type while walking on an iPhone. A hardware keyboard with actual buttons would be less fiddly.
[2:46]And like I say, scoffed for years. But a company called Clicks released a hardware keyboard modeled on the old BlackBerrys. And initially it was US only. And much to my surprise, it got very positive reviews from people I trust online. That surprised me. But it was US only, so I sort of went, yeah, whatever. Okay, so what? Then, two things happened within about 48 hours of each other.
[3:21]Clicks announced that they were making their keyboard case available worldwide, and John Gruber posted a follow-up blog post to say, I'm still using mine. I still love mine.
[3:35]Okay. I have yet to go wrong with a Gruber recommendation. I do actually have a problem to be solved here, and they've literally just become available outside of the US. So I ordered one. So I have for the past three or four months now been the owner of a Clicks keyboard for the iPhone 15 Pro Max, basically the biggest possible one you could have, in, well because I'm a founder edition, I have it in bright yellow Founders Edition for my 15 Pro Max. It is neither small nor subtle, but hey, if you're going to do something that you're eating humble pie about, let's may as well make it obvious anyway. The show notes were entirely typed on that keyboard while out walking. A true test of the problem it's supposed to solve. So let's start by describing the core features of this keyboard. So it is a flexible rubber case that goes all the way around your phone, and on the bottom of it, below your phone, you have a BlackBerry-style keyboard. There's no numbers row. You have the absolute bare minimum number of possible physical buttons to allow you to type the 26 letters you need and a few symbols.
[5:01]And it really is intended for a touch typist because the home keys have the little sticky outy nubbiny bits so that you can feel them. So you can actually touch type on this thing. And the keys are very mechanical. It's called the Clicks keyboard because the little roundy keys have a really pleasing mechanical click. They feel robust and solid, they're nicely rubberized, so they're just, they're nice, and they're even backlit, which, you know, granted, in July and August isn't that much of a thing, but you know something, no, December, January kind of is the thing because it's dark by 4.30 p.m., so yay.
[5:45]If you grew up in BlackBerry land, then, or in the BlackBerry days where you had physical keyboards in the BlackBerrys anyway, so basically before BlackBerry's dying days when they failed to do touch, then you're going to feel right at home with the concept of a 1-2-3 key. In effect, you have two shift keys. So every key on this keyboard has three meanings, which is why it's possible to have a usable keyboard with so few physical buttons. So the shift key, so without pressing any modifier, you have A, B, C all the way up to X, Y, Z. And then the shift key gives you uppercase A, B, C all the way up to X, Y, Z. And the 1, 2, 3 key gives you the digits and the punctuation symbols, all of which are shared with one of your letters from A to Z. There are a small amount of additional buttons, but really it is a small amount. There's also a very nice cutout on the back of the device for the giant camera bump on the 15 Pro Max to pop through. They also have versions of this case by the way for the other iPhones 15 and 14. So you need to buy the case to fit your phone because it is a keyboard case.
[7:05]And also as well as the nice cutout for the camera bump there are also overlays for the physical buttons on the iPhone and they work really well. They feel good and they work reliably so they basically are buttons over buttons but they work. So if we swing back to the keyboard we have a small number of non-letter keys and they're all arranged along sort of a C shape around the left bottom and right of the letter key so there's nothing looking across the top of the letter keys, top of the phone, and then the letter keys. So the non-letter keys you have going anti-clockwise from the top left is a shift key for the obvious reason that we want to get our uppercase letters. The one, two, three key I mentioned to give us our digits and symbols. There is a globe button that changes your language if you have multiple languages installed. And when combined with the one, two, three key, it will also toggle the backlight on the keyboard. You have a command key, a ye olde CMD key like on a real Mac, which means all of your keyboard shortcuts work. You can do CMD A, CMD C, CMD X and all that stuff. Could copy paste all there. It's great. You have a relatively big space bar, certainly easy enough to hit. You have a physical tab key. If you're writing a lot of Markdown, a physical tab key is nice.
[8:32]You also have a key to toggle on and off the soft keyboard, and why that's important will become obvious in a moment. You have a dictation button, if you're in a place where that's the thing you want to do. You have a return key, and you have a backspace key. That is it. The case connects to the phone using a USB-C connector that is basically, if you sort of imagine it, you have the case goes all around the phone, but actually above the keyboard, stabbing up into the phone, is this USB-C connector. So the way you actually connect it is you bend the case back slightly, because it's rubber, you slip the phone into the USB, and then you sort of pop the top over the camera bump side of the phone over the top. And then to get it out you push, basically push the camera bump through and then pull. It's hard to describe. They give you a diagram when you onboard. It works really well. It's very easy, uh, which I guess the onboarding gives me an excuse to say there is an app. You don't need the app if you just want a keyboard, just use the keyboard. The app serves two purposes: it onboards you, giving you nice instructions.
[9:47]And that lets you tweak the advanced settings. So the most important setting that I found is you can choose how bright to make the backlight, and they will tell you that if you make the backlight really bright you will drain the power from your phone more because you're lighting up the keys more. And you also get to have a timeout, so how long does the key stay backlit when you stop typing? Do they go out immediately the moment you stop typing or do you have like, you know, a minute or two while the keys are still on because maybe you're just pausing rather than stopping? So you get to tweak the timeout, you get to tweak the brightness level, and this does of course affect battery life, so this is the opportune moment to mention that yes, using this keyboard does drain your battery a little bit faster, but in my experience not dramatically so. Not problematically so, certainly not on the 15 Pro Max anyway. So basically, hardware wise, it's a very sensibly defined keyboard.
[10:45]A sensibly designed keyboard case. It's good design. It's genuinely good design. The packaging is also very Apple-like and stuff. So it feels good and it feels appropriate for an iPhone. So my first impressions and my thoughts, I wrote on the Clicks keyboard, literally within the first hour or so of starting to use the thing. So when I say these are my initial thoughts, I tested the keyboard by typing these initial thoughts while I'm walking. Everything is done while I'm walking. So the first thing I typed back then was to say that the packaging really struck me as very Apple-like.
[11:24]Mostly white. The product photo is the only real thing on that cover. So it's a white box with the product photo completely dominating, very uncluttered. And like Apple boxes, it's easy to open. It's got a well-labeled pull tab thing and no faffing about with shrink wrap and having to find cardboard cutters and stuff or trying to find a sharp fingernail and failing or using your keys to stab into the box. None of that faffing about.
[11:52]Very straightforward. Pull this tab here that's really clearly enabled. This thing slides out. It's just like an Apple box. It was really easy to open. The onboarding is fantastic because when you pop, you know, you open the box following the really obvious arrows and you just take out the case, there's a giant big QR code like, awooga, awooga, giant QR code, scan me, scan me, scan me. So you scan the QR code and it gives you the app. And the first thing the app does is it walks you through how to safely insert the phone into the case and remove the phone from the case. And it gives you a little tutorial for those people who didn't grow up in BlackBerry land and therefore don't know that you have effectively an extra shift, a shift and then an uber shift or a simple shift or whatever you want to call that one two three key. So for people who didn't grow up in that world, having that little tutorial is really good. And again, it's really simple, nice, doesn't take forever. You don't feel, oh my god, I'm forced to watch a tutorial. No, no, no, it's just a really nice onboarding experience. I thought it was very positive, and I have no patience for these things.
[13:00]The next point I noticed within the seconds I've started to use this case is that I have a command key on my iPhone now. Command H brings me to the springboard or the home screen. Command space lets me search for an app just like I'm used to. It's really cool having cut, copy and paste shortcuts on my phone these days. And you know something, a tab key is actually really useful if you use things like OmniOutliner and stuff. It's fantastic for outlining apps like OmniOutliner, and that tab key, so that surprised me how useful that was. Always, always, always having a return key is really handy for social media stuff, especially in apps that make you hit the one two three key to get to the return key, and then you hit it once but you want a blank line, then you have to hit the one two three key again on the soft keyboard. Very annoying on soft keyboard sometimes to have new line characters in your social media posts. Not when you have a physical enter button you can just whack away at your heart's content.
[14:03]Also, when you're not using the keyboard to keyboard, like on a Mac, space means scroll. So if you're reading RSS feeds and stuff because you're trying to keep up with the security news, you can just tap, tap, tap, tap, tap on that little space bar or that rather generous space bar and it will nicely scroll you through the article. Cool, that's kind of cool too. And that was me doing, you know, hey, they were my very, very first impressions during the first ever use, anything. But not all of my first impressions were good, and in fact the pain points I hit early on are the only pain points I hit. So basically I hit all the pain points almost right away. So the first thing I noticed that was not so much to my liking is that I discovered, by not being able to, that I am a spectacularly big user of the press-and-hold-the-spacebar soft key, which then turns the soft keyboard into a trackpad and lets you move the cursor around. I do that all the time! I didn't know how much I did it until I couldn't, because you can't do that on a hardware keyboard. It's not a trackpad. Your software keyboard can pretend to be a trackpad some of the time. A hardware keyboard is a hardware keyboard.
[15:20]The next thing I noticed is this is not going to matter to US listeners and it won't matter to UK listeners, but that small subset of you who speak English but don't live in England, in the United Kingdom, once the soft keyboard sees your language as EN-IE or EN-UK, basically EN not US.
[15:49]The what is labelled on the keyboard as the octothorpe, the pound symbol, is in fact the British pound symbol, as in the currency symbol, not the two parallel lines each direction at a slight askew angle. No, the bloody pound sign, as in the sterling pound sign. That's great in the UK. Not much good to us Euroland folks who also speak English. So, okay, fine. I get over it. I tolerate it when I need. The apps where I need an octothorpe, they tend to be my markdown editor, and my markdown editor gives me a row of icons above the soft keyboard, and when you use a hardware keyboard, you still get the row of icons, it's just the software keyboard vanishes, so I actually have my octothorpe available to me. It took me a moment to notice that, that actually, this was not going to be a big deal, but nonetheless, when you're in an app that isn't designed to write Markdown and you want to write Markdown, you don't have the bloody octothorpe. Again, won't be an issue for Americans, because you folk can just use the key labeled as the octothorpe on the hardware keyboard, but not for me.
[17:05]The other thing is, the only way to add emoji, and I'm very fond of emoji, is to switch to the software keyboard. Um, and the really, really silly thing is that if you have the emoji keyboard up, there's a search box inside the emoji keyboard, and the only way to do that, to search in that search box, is to use the soft keyboard, because if you use the hard keyboard to try to search the emoji in the emoji keyboard, what that actually does is dismiss the soft keyboard completely. Because the normal behavior when you have any hardware keyboard plugged into an iPhone is that if you start typing on the hardware keyboard, it dismisses the software keyboard to save you the screen space, which is what you want most of the time, unless you're trying to search emoji. So you need to bring up the soft keyboard to get to the emoji, and then you need to continue on the soft keyboard to search for the emoji if the one you want isn't in your regularly accessed folder, which for me, 99% of the time it is. I'm not that imaginative at using emoji. I use the same ones a lot with my.
[18:12]Regularly use is usually okay. And then the other thing that happened to me once, and only once, and I can't reproduce it because I thought, ooh, this could be a feature, not a bug, is once... Now, I have, at all times, because I have family in Belgium, and I speak fluent Flemish slash Dutch, and I can even type in it with the help of a spell checker. So my phones and my Macs have two languages enabled at all times, English and NL, or Dutch, NL-BE, which is Dutch. And once, and once only, my hardware keyboard ended up in the AZERTY layout instead of the QWERTY layout.
[18:54]Freaked me out because I thought for a moment, until I recognised the key pattern, that something had gone terribly, horribly wrong and the whole thing was corrupted. But no, it was just AZERTY. I hit the globe icon and everything was perfect, and I thought, oh, maybe I can use the globe icon to intentionally shift between AZERTY and QWERTY. Never made it happen again. And months and months and months of owning this case now, it has never ever ever been in an AZERTY case ever again. But that one time, within the first hour of opening the thing, it briefly went into AZERTY mode. Don't know how to do it again, so if I wanted to, I'm stuck, but somehow once I managed to make it happen.
[19:33]Okay, so I've now been using this thing for a few months. So what is my considered opinion? All of that was within the first hour. And the really amazing thing is that within the first hour, I basically figured this thing out. Because when I went to write my considered opinion, I didn't actually have to add in any more pain points or any more cool points. I got those within the first 30, 40 minutes of using the thing. And they were accurate. What I have discovered is a nuance to the use case. When is it worth the effort of carrying around this case? And the answer is the Clicks case is way better than the soft keyboard for first drafts, for writing a lot of text all at once without stopping. Just flow, let it flow. You will make the occasional typo. You still have autocorrect, but it will still fix itself as you type, and you just need to learn to trust that, just like with a soft keyboard. So just flow.
[20:34]And what it's not pleasant for, and in fact, the opposite of pleasant, where it gets in your way all the time, is the fine editing. When you're rereading your first draft and saying, oh, I want a comma here, I want a full stop there, oh, that should be a separate sentence, insert a full stop, capitalize that letter, that basically involves moving the cursor. And when you can't do the spacebar trick, that is faffy and fiddly as all heck. So I do not use the case for final edits. I do not not use the case for initial drafts. And that is really, for me, that's the use case. The other thing is...
[21:19]So basically, to give you an idea of how much I like this case, I have right next to my front door a set of a 1x4 shelf, vertical, that has all of my cycling related, sorry, all of my exercise related stuff. And that's a pretty crowded shelf because I have a lot of things and a lot of weathers to deal with, but all of my exercising related stuff is on that one shelf right next to the front door. I made room, I found room on that shelf for the Clicks case, and if I'm going out for a walk I will pop that case into the leg pocket of my cargo pants. It's a big case, but it's bottom heavy because the keyboard is at the bottom, so even though it sticks out of the pocket of my cargo pants, it doesn't matter. It has never in all of those months come anywhere close to falling out because the keyboard heavy bits at the bottom. So into the cargo pants it goes. When I want to do long form text editing, the phone goes into the case and I type away and I'm really happy, and when it comes to the fine edit, the phone comes out of the case, the case goes back into the cargo pants pocket, and that's how it's ended up being what it is. So it's a niche product and I would never describe it as a must-have.
[22:30]But it's a really nice to have when you're editing a lot of text. And the last thing I'll say, if you're listening to this, go check out the show notes at podfeet.com, because I was describing this case to Allison and making the point that it really isn't very small and she was like, what do you mean it's not very small? I said, well, it's about the size of my head. So she asked me to demonstrate and she took a screenshot. And it's a funny shot, so it's in the show notes. So if you want to see my beardy face with my luminous yellow Clicks keyboard proving to you that when you have an iPhone 15 Pro Max in this case, it really is the size of my head and I don't have a small head. You have photographic evidence in the show notes.
[23:13]
Termius Mobile Terminal for iOS
[23:14]Hi, this is PDX Kurt with a review of the iOS and iPadOS app called Termius, which is a mobile terminal app. What's a mobile terminal app, you ask? Well, most of us have heard of, and possibly used, The Terminal, which is a utility program built into the macOS environment. The Terminal is what Bart and Allison's whole Taming the Terminal educational series was about. It's a way to interact with your computer through a command-line interface rather than a graphical interface.
[23:49]Now, iOS and iPadOS have no built-in functional equivalent to the Terminal. This is where Termius comes in. Termius gives you a streamlined and efficient way to interact with another computer through a command line interface over a network. Much of the infrastructure that underpins the Internet takes place on various servers that have no graphical user interface, meaning no GUI, and so they are managed through a command line interface for the purposes of provisioning, configuration, and upgrade. You could summarize the problem to be solved as, How do I log into my server, remote computer, or network-attached storage device while sipping coffee on the couch in my bunny slippers using my iPad. The first order of business when using a terminal interface is getting connected. For that, Termius needs to know the IP address or host URL, the username, the connection method, and password credentials. This information will then be stored, along with the name that you assigned to it, within Termius as a host.
[25:01]You can create many hosts in Termius. They appear in a list of hosts, and then they're just a tap away. This makes logging into your remote server very frictionless. You can even have multiple hosts active at the same time, and switch between them quickly in the Terminal section of the app. Termius not only supports Secure Shell, or SSH, which is the standard way to interact with a remote server, but it also supports something called MOSH, which is a more advanced version of SSH that supports better responsiveness and the ability to maintain connections across changes in network connectivity, such as when switching from Wi-Fi to cellular.
[25:47]If you've listened to the Taming the Terminal series, you know that setting up a public private key certificate arrangement is more secure than using a simple password to log in. See Taming the Terminal, Chapter 30. Termius can import a private key that you already have created on another computer, either by copy and paste, or it can grab one stored in a text file from your iCloud drive. Better yet, Termius can create a brand new strong key pair right within the app and then transfer the public key to your server with just a tap on the screen. Of course, this assumes that you haven't already locked down your server to deny password login.
[26:29]All of this key management takes place under the keychain tab heading. Termius also supports something that its authors call snippets. These are really just shell scripts. You type in UNIX commands once to store them, and then they are available instantly to execute with a tap on the screen from the Snippets list. If you've associated a snippet with a particular host during the creation process, you don't even have to go through the host's interface. Just tap the snippet, and Termius will log you into the associated host and execute the script. Snippets can be set to log you out after completion, or leave you logged in to execute another snippet, or to type in custom Unix commands.
[27:15]The Snippets are available in a list via a sidebar that you can invoke with a tap. Some very common Snippets that you might want to set up are a Snippet simply containing the word top to see a live display of CPU processes, or sudo shutdown now to force your Mac to shut down gracefully from a situation where it is completely stuck. Aside from Snippets, Termius remembers previous commands that you've entered, and if you start to type a UNIX command that it recognizes from your previous history, it will present you with a hovering list of history commands consistent with what you've typed so far. So, if you once edited a certain file like
[28:02]/etc/ssh/sshd_config to tighten up secure shell security on your remote host, and you start to type sudo vi slash etc, Termius will give you the option to tap on the complete command from its hovering history list. It's another way that Termius converts dense strings of Unix into simple taps. The sidebar in the Termius user interface has four useful tabs. The Snippets list, a history of commands that you can tap in to run again, a tab of useful keyboard shortcuts for keys that don't appear in the usual iOS or iPadOS on-screen keyboard. Here I'm thinking of things like the ESC key and the function keys. And finally a palette of visual themes for the current host, so you can quickly differentiate between different hosts. This brings me to my absolute favorite feature of Termius, dealing with sudo. Sudo, you might recall, is how one elevates one's privileges for a Unix command so that it appears that the root user, the most privileged user, is executing the command.
[29:12]Many sensitive actions on a Unix system require you to preface the command with sudo and then the shell will query you to enter your login password before proceeding to execute the command as root. Using sudo in a terminal normally forces you to switch apps to your password manager, authenticate to open the app, look up the password in its database, then either copy or paste it, or briefly memorize it long enough to be able to enter it.
[29:42]But recall that you stored a user password when you created a host, so with Termius it just takes as little as one tap to paste in your stored user password. There's a button that says Paste Stored Password right at the top of the keyboard tab in the Termius sidebar. Termius also allows you to transfer files using the SFTP protocol.
[30:09]You can download files from a server to your iPad or iPhone, or even transfer files directly between two hosts. The SFTP interface has two panes. Within each pane, you can tap on folders to drill down, or tap on the path at the bottom of the pane to move up the directory tree. Once you find a file that you want to transfer, you swipe left,
[30:34]
Cadence RPM sensor from Wahoo
[30:34]gently, and you'll get options to copy, change permissions, as you would with chmod, rename, or delete the file. If you select copy, it transfers a copy of the selected file to the other host in the other pane. The reason I say to swipe left gently is because if you do a big swipe, you'll just quickly delete the file.
[30:57]Curiously, the one thing that I could not figure out how to do was end an SFTP session. The built-in documentation tells you how to do all kinds of things in the SFTP interface, but it doesn't tell you how to break the connection. This is kind of consistent with my general impression of the documentation. The app itself is super well thought out and implemented, but the documentation seems to lag a bit behind or is sometimes incomplete. For instance, the February 2024 release of Termius supposedly includes AI support to convert natural language queries to Unix commands, but I could find no reference to the feature in their support documentation. I'm guessing that AI only works with a paid subscription. Termius is available for iOS and iPadOS, but also for macOS, Android, Windows, and even Linux.
[31:55]Are you ready for the best part about Termius? Everything I've described so far, including multiple simultaneous host support, key certificate login, snippets to automate repetitive tasks, SFTP file transfer, sudo-pasting convenience, and more is functional in the free version of Termius. It's crazy, I know. So, what do you get with the paid version, which by the way is not cheap at $119 per year? Well, the primary feature that you get is the ability to share all these capabilities across multiple devices with multiple team members. You also get some convenience features like a cloud vault for data, synchronized credential sharing across devices, and sharing a terminal session. You also likely get the AI conversion version of natural language queries to Unix commands mentioned earlier.
[32:52]So if you're part of an IT team managing a fleet of servers, you can set it up so that everyone on the team has the same management access and the same snippets using Termius across any of their supported client devices. But for those of us who just operate solo on our cloud instances, remote Macs, or network storage boxes, the free version is incredibly useful. I can tell you that for me personally, the Termius experience is so wonderful that I turn to my iPad before I fire up Terminal on my Mac when I need to do something in a command-line interface. If you do any work in the Terminal, I urge you to give Termius a try. For that, Kurt, that not only sounds like a fantastic app, well, in fact, it doesn't just sound like a fantastic app. I've downloaded and installed it, so you kind of convinced me. But also, you've given me some homework to do, because I'm now off to go figure out what this MOSH thing is and how it works and how to make it go on my server and stuff. So, yay, a review with homework. Ah, well, I have a funny feeling there's going to be a follow-up Taming the Terminal at some stage where we talk about MOSH. Anyway, thank you very much for sending that in.
[34:13]Last summer, I discovered the joys of using a Bluetooth health sensor with an Apple Watch when I started using the Wahoo Ticker heart rate monitor while out cycling. And at the time, I did a segment for the NosillaCast on that. Link in the show notes. So having constantly updating and accurate heart rate information actually helped me to exercise better, and I'm happy to say that a year on I still use it. Every single time I jump on the bike I have my Wahoo Ticker on my arm, and it continues to work well for me. I've heard actually from a few NosillaCastaways that they've had a few of those break, so maybe I'm just really lucky that I have mine still working. I'll just knock on all the wood here. Anyway, I decided this summer to take things up a step and add a second directly Bluetooth connected fitness tracker to my cycling routine. Again, I'm connecting it straight to the watch. No faffing about with any sort of other stuff. Now, this is the NosillaCast. So we, of course, are talking about problems to be solved. And the Ticker Maker Fit actually mostly solved a problem, which at the time I think I thought it probably fully solved, but I've since realised it only partially solved it, and I now think I've finished solving the problem with this new toy, the Wahoo Cadence RPM.
[35:42]Okay, so this is, like I say, a NosillaCast, so let's actually define the problem to be solved before we dive into what this little sensor does.
[35:53]So what I didn't understand before my fitness journey is that when you exercise well, you actually finish exercising feeling more energized and better than when you start exercising. But this only happens when you exercise well. And well is not a synonym for hard.
[36:20]Now, it's kind of difficult to explain what I really mean by that. I'm kind of left saying, well, you know what, when you feel it. But I basically, that kind of good exercise I call being in the zone. And with the help of the Wahoo Ticker from last year, I definitely spent more time in the zone in the past year with the Ticker than before without it. But even with the good, accurate heart rate sensor, I still every now and then would have a day on the bike where it just wouldn't happen. I just wouldn't get into the zone. I'd set off, about a half an hour in I'd noticed that my calorie burn was way lower than expected, my heart rate was lower than normal, and I would instinctively try to fix this problem by cycling harder, basically push harder on those pedals. But it didn't work. My pulse would stay too low, my calorie burn would stay lower than normal, and I would feel crappier and crappier until I got home, feeling drained rather than energized, and on the whole, pretty cranky.
[37:48]And I wanted to stop that happening. Now, I now understand with the benefit of hindsight what was going wrong. And the reason I now understand it is because I got extra data thanks to the Wahoo Cadence RPM I'm going to be describing here. What I now know is that there was a negative feedback loop starting. And now I know how to nip that negative feedback loop in the bud. But the reason I couldn't do it before was because I was missing an absolutely critical piece of information. And that's the very, very simple metric of how quickly am I turning those pedals. And in cycling speak, the rate at which you turn the pedals is called your cadence. Hence the Cadence RPM measures your cadence. Now, if you learned to drive before the days of EVs and automatic transmissions, you're going to be a little bit more familiar with how an
[38:48]internal combustion engine works, and if you're sort of younger than that you probably still know about it anyway, you're just going to have to use a little bit more imagination here. But when you're using an internal combustion engine to power a vehicle, what do you get to control in terms of what the engine does? Forget about turning left, turning right, stuff like that, right? Just in terms of the engine, you get to control how hard do you make the engine work with your throttle, or your accelerator pedal, and you get to assert control over how quickly the engine spins with your gearing, right? You go into a little teeny tiny gear, your engine spins really quickly. You go into a giant big gear, your engine spins much slower. So you control the throttle and the gearing. And if you want your car or truck or whatever to work well, you need to keep the engine spinning at a rate of spin that it likes. You need to be inside the power band of the engine, which we measure not in revolutions per second or hertz, like we would do today if we were being sensible about it, but no, because it's an old metric, it uses minutes. We count it in revolutions per minute, or RPM.
[40:01]For those of you who grew up in diesel land, you may know that for a diesel engine you want to keep the rpms between about 1500 up to about 2000. It's quite a narrow power band on a diesel engine so you're always changing gear. And if you're used to what we call a petrol engine on this side of the pond, or in America would be a gasoline engine, you have a broader range to play with. You can go from 2500 rpm to 4000 rpm when the engine is perfectly happy. The key point though is if you want to drive your car efficiently you need to watch the rev counter. You need to keep those RPMs in the right place and if you're really good at what you're doing you can hear the RPM and you do it automatically but basically what you're doing is you're keeping the RPMs inside the engine's happy range or power band.
[40:52]Okay, what does any of that got to do with cycling? Well, there is literally a direct analogy. Your legs are your engine, and just like an internal combustion engine, your legs can only actually work efficiently at a certain range of rates of muscle expansion and contraction. Now, when you're running, those expansions and contractions are strides. But when you're cycling, you can actually measure your muscles' expansion and contraction as RPM, revolutions per minute. How often do you turn that pedal crank every minute? Now, my legs are nowhere near as fast as even the low end of a diesel engine's power band, right? I am not pedaling at 1500 RPM, but you know, downhill on a good day I can't hit 110 RPM. Anyway, the key point is, what RPM my legs are moving at matters a lot, for exactly the same reasons that it matters in a car. So if you go back to my problem, if you go back to those days when it just wasn't coming together, why wasn't it coming together? Well, trying to cycle harder, I was pushing harder on those pedals. I was.
[42:09]As a result, what I now know happens when you push harder is that your RPM starts to fall a lot. What you're actually doing when you psychologically pedal harder is the equivalent in a stick shift car of simultaneously putting your foot on the throttle and shifting up.
[42:35]Now, you want to overtake a car, you do the opposite. You put your foot on the throttle and shift down. What happens on a car if you put your foot on the throttle and shift up? You stall. Turns out what happens on the bike is you feel like you're not exercising well, because you're not exercising well. And the really perverse thing is that doing the wrong thing feels like you're working harder. It feels like you're fulfilling your mission of exercising harder. But actually, if you watch what's happening in your body, shifting down, speeding up your RPM, actually causes your heart rate to go up. Just like on an engine, the engine works much better, and you end up back in the zone, is what happens. So everything feels like you should push harder, push harder, push harder. What you should actually do is drop into a lower gear and pedal faster but easier, and you will actually be exercising more, and you will end up back in the zone, and you'll feel way better. So in order to get out of the negative feedback loop, you need to do the counterintuitive thing. And until I had a cadence sensor, I didn't realize what I was doing wrong by following instinct and feeling instead of a metric.
[44:04]So if you want to cycle well, you need to actually keep an eye on your cadence. So what you need in the generic sense is a cadence sensor. So the actual solution to the problem is a cadence sensor, any cadence sensor. If you're using an Apple Watch, then you need something a little bit less generic. You need a cadence sensor like a touchable Apple Watch. So when you're doing a cycling workout on the Apple Watch, you can use the Digital Crown to scroll between different screens of information. And that actually works even when the watch is locked in recent versions of watchOS, which is a nice touch. So the second screen down is sort of the screen for monitoring cycling in terms of cadence point of view. And by default, when you go to that second screen down, there is a placeholder for cadence, which says cadence blank or little dash RPM, because
[45:01]your watch can't know how fast your legs are spinning. Your watch has no way of knowing that without a little help. And that help is any Bluetooth compatible cadence sensor. You can then talk to the watch, and then the watch will know your cadence, and it will show you on that screen, and it will also use it to help you better, more accurately calculate your calorie burn. So that's the generic solution. A Bluetooth cadence sensor that uses the standard Bluetooth profiles, I think they're called officially, and it will work with the Apple Watch.
[45:36]My specific solution is the 39 euro Cadence RPM from Wahoo, which are the same company who do my heart rate sensor. And this is a tiny little device that you either attach to the pedal crank of your bike or to your cycling shoe. And it has little accelerometers in it that just count how often your legs go round, or rather how often the sensor goes round. And then it talks to the Apple Watch over Bluetooth LE. And when I say little, I do mean little. It's a small black pill, according to Wahoo's website. It has the dimensions of a whopping one and a quarter inches by three quarters of an inch by one inch, which is length, width and height. And just to really mess with everyone's heads, with those very imperial widths and heights and depths, it weighs seven grams.
[46:34]That's on the EU website, by the way. I don't know why they thought we'd like it in inches. There we go. As I say, a whopping €39 on the EU Wahoo store, so not an expensive device. One of the reasons it can be so small and light is that it is not powered by a relatively inefficient rechargeable battery. It doesn't have a charge port. Instead, it's powered by the same button cell that powers the Apple AirTags, which is basically a CR2032. And those are quite inexpensive. And in fact it's very, very, very like an AirTag, because it's an accelerometer and a Bluetooth LE transmitter. That's basically all an AirTag is, although an AirTag has a speaker, so an AirTag actually needs a little bit more power. And just like the AirTag has an expected battery life of about a year, according to Wahoo's website the Cadence RPM has a lifetime of about a year until you need to change that button cell. And now, being very, very fond of my Apple AirTags in this house, we have a lot of CR2032 button cells, so this works out great for me. But I presume because you only need the change of battery once a year,
[47:53]Wahoo's mounting options are a lot more permanent than I was expecting. Connecting, so for your 39 euro you do actually get three mounting options, which is kind of cool. And if you choose two of the three, you end up attaching the sensor to the pedal crank, and you're actually going to need some consumables each time you replace the battery, because when I say pretty permanent, I really do mean a pretty permanent attachment. But okay, we'll dive into those details in a moment. So let's back up a little bit. Your sensor arrives and you open the box. What have you got? You have one sensor and three mounting options.
[48:36]Two of those three will attach the sensor semi-permanently to the bicycle side of the pedal crank attached to the front gears. Why so specific? Well, you could try attach it to the other pedal crank, or the other side of either pedal crank, and what you will find is, if you attach it on the outside instead of the bicycle side, your cycling shoe and/or your ankle will rub off the thing as you're pedaling. So actually that's just not going to work. So it has to be on the opposite side of the pedal crank as your feet. Most bikes have actually a very tight tolerance between the inside of the pedal crank and that bit of the frame that connects the axle where your pedals are to the axle where your back wheel is. So if you tried to stick it on the bicycle side of the pedal crank where there are no gears, you'd probably whack it off the frame on every spin. So the place where you have a pedal that sticks out from the frame is the place where the pedal is on the outside of the gears. Because, well, the gears have to fit. And so that's the perfect place for the sensor to go. It's basically above the gears. Another option is to attach to your shoe, because your shoe is on your pedals going round, round and round.
[49:56]So on the one hand, if I attach it to the bike then it's semi-permanent, but okay, once a year, just once a year. Now, if you have one bike and one pair of cycling shoes, then I would actually say you're better off sticking it to the shoe, because the shoe mount is less permanent than the bike mounts. But if you have two pairs of cycling shoes and only one bike, I'd go with the bike. Or you could be like me. I have two pairs of cycling shoes because it often rains here, so the reason I have two pairs is because I want one pair to be drying while the other pair is getting wet in the winter. And I have two bikes as well. So I have two shoes and two bikes, because I have my hybrid bike for cycling on dry roads, mostly in the summer, and I have my mountain bike for wet roads in the winter, or no road, going off road, going on trails. So I have two bikes and two pairs of shoes. I solved this problem by buying two sensors. Remember they're 39 whopping euro each, so my solution was two sensors.
[51:09]So let's talk about those three mounting options. So the shoe mount, you have basically, it's a little plastic caddy, and it's designed to slide over the Velcro strap that your typical road-style cycling shoe has. Your road-style cycling shoe will have two or three Velcro straps across the top of the shoe, and this will slide over any one of those straps. So you slide the caddy over the strap, and then you clip the sensor into the caddy, and this has the advantage that you can clip it out to replace the battery so it really isn't the scary semi-permanent kind of thing you have to do with the pedal crank.
[51:47]But it has to fit over the Velcro strap of your cycling shoes. My mountain biking shoes have no straps. They have ye olde laces, because they're designed to look like plain old, they look like a plain old paired track suit or sort of parallel plain old paired trainers. They just happen to have the cleats on the bottom. I love them because they don't look like cycling shoes. And my mountain biking shorts don't look like cycling shorts, so I don't look like Mr. Middle-aged man in lycra, I just look like a normal dude on a bike. But I can't attach the sensor to those mountain biking shoes. I do have a traditional pair of cycling shoes as my other pair of cycling shoes, and they're a two strap rather than a three strap variety, and what I have is two very wide straps instead of three narrower straps. And none of the straps are narrow enough for the caddy. So for me, it was a real no-brainer. I was going to end up attaching this sensor to my pedal crank. So that left me with two options to pick between.
[52:49]The option they recommend on the pack is, well, it's definitely the simplest. They give you an M3 adhesive pad. And they tell you to clean the pedal crank, clean the back of the Wahoo sensor, and glue it effectively with the adhesive pad to your pedal crank. I just don't like the sound of that. It's pretty permanent.
[53:12]And you need to line things up perfectly and stuff if you want it to be straight because you get one go, right? You stick the pad on, then you stick the sensor on, and then it's stuck for a year.
[53:22]And you have to buy your own pad because they only give you one pad. So a year later, you're going to need to go find the right shape and size of M3 adhesive pad. And you'll have to get it off as well to get the battery out. That just didn't sound like a good idea at all to me. So I really, really did not want to glue a sensor to my bike. So that left me with the third and final option, which is a very nice little neoprene sort of a covery holdery thing that you pop the sensor into. And this little neoprene case or whatever has little holes through which you can feed these little mini zip ties. And you get two free zip ties and you basically zip tie it to the pedal crank. And this is great because you can stick the ties in, keep them loose, slide the sensor until it's absolutely perfect, double check it's all lined up and it's not going to catch on anything, and then yank those zip ties tight and snip the ends off. And all I have to do in a year when the battery runs out is snip the zip ties and then grab a new set of zip ties. Now, I'm a nerd. My house is full of zip ties of all shapes and sizes, so replacing the zip ties once a year, not a problem. A heckin' lot easier for me than trying to find the right shape and size of M3 adhesive pad once a year. Also, I know how to get a zip-tied thing off. I snip. Not really sure how to get an M3 adhesive pad stuck thing off to replace this battery. So anyway, long story short, if you can, slipping it over your shoe with the little shoe caddy sounds amazing. I just can't. So I went with the zip-tie option. Looks fine to me.
[54:52]Okay, so how does it actually work? We now have this thing zip-tied to our pedal crank. Now what? Well, you wake it up by moving it. You just move the sensor and it will wake up, and the first time you use it, what you need to do is open the Bluetooth settings thingamabob on your Apple Watch and tap on the Wahoo sensor to pair it. And that's it. That's it, done. There are no buttons on this thing, by the way. If you move it, it wakes up. The only thing it has that approaches the user interface is a single blue LED light to tell you, hello, I'm awake. I mean, you know, you will almost certainly trigger it by unboxing it, and you'll see it flash blue at you, and you'll go, oh, that's what it looks like when it flashes blue. And other than that, basically, when you start cycling, it will move, it will wake up, it will re-pair with your Apple Watch, and it will just work. So basically, the user interface is ignore it. Once you've paired it once, by just jiggling it to wake it up, and then going into the Bluetooth settings app and pairing it, that's it. You don't have to worry about it anymore. It just works.
[55:55]And I should also mention, so I'm using it over Bluetooth because I wanted it to go to my Apple Watch. But this thing is actually, they call it a dual band sensor. It also talks over a different wireless protocol called ANT+. And the ANT+ standard is basically the wireless standard that won out in the cycle computer world. So before we had smartwatches and smartphones, you would have a dedicated little cycle computer strapped to your handlebars, zip tied probably to your handlebars. And you used to have sensors. You'd put one on the fork and a little magnet on the spoke that would go by the sensor on the fork, and that would count the revolutions of your wheel. You'd program in the measured
[56:37]circumference of your wheel and it would basically do some multiplication. So my wheel went around four times, I know that each time it goes around it's one point whatever meters, therefore the speed is currently blah. And if you had a really nice cycle computer, it would have a second little cable that would run down to another little sensor, where you'd have a magnet on the pedal crank and the sensor sitting somewhere on the bike frame. The pedal crank passes by and it would count the pedal turns. So then you'd have a cadence sensor and a speedometer, and you'd have these very thin, delicate little wires running from the pedals and from the front fork up to the cycle computer, and you'd zip tie them really diligently and really carefully to your bike, and then you'd snag them on something and snap them anyway. They hated the days of wired cycle computers. So as soon as wireless technology became practical, all the cycle computer makers started making up their own wireless technologies. And initially they made them up. And so every different company would have a different standard. And that was all of the Wild West days. But those Wild West days ended before Bluetooth LE was invented. And they ended with everyone adopting ANT+. So while in the smartwatch and smartphone world Bluetooth LE has won the day, in the cycle computer world ANT+ has won the day. So the fact that this little Wahoo sensor for a whopping 39 euro will talk ANT+ or Bluetooth LE is kinda cool. So that means pretty much everyone can play along with this.
[58:00]So that's kind of, I mean, there's not really much more to review about it. It counts how quickly your pedal goes round, you stick it on, and to use it, you just use it. So to one extent, I could stop here. But actually, I started off by describing a health problem. So let's circle back. Let's actually look at what I learned about cycling RPM.
[58:23]So I had the brainwave of doing zero reading before I started using my new sensor. I was pretty sure I wanted to know my cadence, but I went out of my way not to do any reading. I didn't want to know what was good, what was bad, what was normal, what was advisable. I figured the internet's probably full of people disagreeing with each other. I didn't want any of that clouding my head. What I wanted to do for the first week while I had the sensor was just watch. What do I do when I'm not being self-conscious? What do I do when I'm not watching? You know, when I'm not trying to assert control, what's my baseline? Where am I starting from? What might I be tweaking? What behavior might I be trying to change? And what I learned is that I, generally speaking, stay in a pretty broad range of 65 RPM on the low end up to 100-ish, maybe a little bit higher sometimes, on the high end. I also noticed that when I was feeling at my best, like I was exercising not just in the zone, but just spot on perfect, this feels good, I'm really enjoying being out on the bike, my cadence was high. My cadence was actually in a narrow little band while I was feeling good, between 85 and 95 RPM. Yeah.
[59:39]After doing that for long enough to understand that, okay, this is a pattern, 65 is my low, 100-ish is my high, and I'm actually at my best between 85 and 95. So then I went, I'll look it on the internet. And like I expected, people argue and disagree. But on the whole, there's a consensus, at least in my research, I came to a consensus, and that sort of breaks things down like this. Beginners tend to pedal slowly. Absolutely. Sometimes beginners will pedal as slow as 50 RPM and they will rarely cross 65 RPM. Now this beginner tendency to pedal slow but hard is not a good tendency. The human power band doesn't really start until 65 RPM. So 65 should be the lowest you ever let yourself go if you're going to cycle even vaguely efficiently. So beginners basically cycle wrong. Experienced amateurs, according to the average of the internet, pedal faster than beginners and they generally stick to sort of the 65 to 85 rpm range. And that's good because that entire range is actually within the cadence range that is good, the human muscles are happy in. Basically we're entirely within the human power band in that 65 to 85 rpm range so an experienced amateur is pedaling in a sensible and sane way.
[1:01:06]Athletes are more clever or more experienced, and they don't just stay within the power band, they stay within the most efficient part of the power band. And it turns out the most efficient part of the human power band is very, very strongly biased towards the top of the range. If you were to graph it in terms of efficiency, what you basically get is very, very inefficient. Then you hit the start of the power band, you get a nice jump, and then it climbs in efficiency, climbs in efficiency, climbs in efficiency, and then falls off a cliff. And so you want to, as a well-trained athlete, stay near the top of that distribution just before the cliff. And the cliff is somewhere about 115. So actually athletes try not to fall below 85 and try to, you know, 110 is pretty good target for an athlete. You just don't want to fall off that cliff at about 115. So I decided that what I was, okay, so I was relieved and nothing I was doing was terrible. What was happening on those days where it was going awful is that I was responding by pedaling harder, and I was basically falling into the amateur trap, into the beginner's trap. And I was letting my cadences drop too low. So what I've done since is, regardless of the weather, regardless of the road conditions, regardless of my energy levels, I now keep my cadence in a very tight range between about 85 and 95 whenever I can.
[1:02:31]And if there's a short hill, I may not bother shifting down and I might, I'll be okay to tolerate my cadence drop when, you know, 77, 78, 79, I won't, that won't bother me too much. I won't shift gears for that. And if I'm going, you know, downhill over the strong tailwind, I'm quite happy to let my cadence rise above 95 and, you know, 105, 106 sort of area. It's still very comfortable for me. And by doing that, I just feel so much better exercising.
[1:03:00]That 85 to 95 RPM band is just so comfortable to be in. My muscles are like, yes, this is where I want to be, this is how I want to work, this is you using me as a good human engine, and it's really, really pleasing. And when I'm not feeling great and I look at my watch and it says RPM 72, well, drop to a lower gear. I need to exercise harder by dropping to a lower gear and pedaling more freely, which feels like I'm exercising easier. But lo and behold, heart rate climbs back up. I end up right back in the zone, actually putting down more power and getting a better workout, even though it's easier. Isn't that amazing? I feel better and it's easier. So yes, I am extremely happy to have found that a cadence sensor was exactly what I needed. I am very happy with how easy the Wahoo Cadence RPM is to use. You just start pedaling and it works.
[1:04:03]And I'm a little perturbed by the fact that I've been forced to zip tie something with a battery to my bike, plural, but okay, fair enough. I've now had them on the bike for two months. So I do a lot of cycling, I may not get the full year out of these things that the packaging promises, but hey, at least I'm getting two months, so I know for a fact I don't have to do this more than six times a year. Realistically maybe twice a year, right? Anyway, I am extremely happy that I chose to spend 78 euro buying two 39 euro Cadence RPM sensors from Wahoo. They really have made my cycling better and I am very fond of these little contraptions
[1:04:45]
Dumb Q - VPN Vs. iCloud Private Relay
[1:04:43]now zip tied to my pedal crank.
[1:04:45]Music.
[1:04:54]What is? How come I always have to? It's time for Dumb Question Corner. Listener Linda wrote in with a question which I have generalised a little, because she'd added a little bit more information than would be appropriate for the show. So the approximate question Linda asked is, I'm sitting in a hotel and my VPN appears to be working fine on hotel Wi-Fi. I am, though, getting notices from Private Relay saying that it is not working due to a software conflict. Which of these would be more secure in this kind of setting?
[1:05:31]So, the fundamental point to bear in mind is that a VPN is a security tool. That's its job in life. It's there to provide security. Private Relay, on the other hand, is not a security tool. It's a privacy tool. It's a totally different thing, and that makes the choice obvious in my opinion, because security outranks privacy. The security is privacy++, so that means the VPN is a more important tool as a security protection than the mere privacy protection of Private Relay. And of course in this case it's kind of interesting to note that with a VPN you're tunneling all of your traffic securely through the VPN, which means that your IP address is obscured. And that's all Private Relay does, is obscure your IP address. So with the VPN you actually get everything you're getting from Private Relay, and you're getting the extra encryption provided by the VPN. So again, if you have to choose between a VPN and iCloud Private Relay, then I would definitely say choose the VPN. That is a much more powerful tool than Private Relay.
[1:07:02]
Security Bits
[1:06:56]Music.
[1:07:07]Okay, so this is the thing I don't like very much, a solo security bits. So given that it's the silly season when there's very little news anyway, and given that Alison isn't around, I've decided to set the bar quite high for inclusion in this installment. And I've actually taken a deep dive that I probably ordinarily would have done this time, and I'm going to do it next time with Alison, because I think it will really benefit from a conversation. Instead of a lecture so bearing in mind i'm not going to be including every single possible story i could but just the really important stuff let's get stuck in so starting with some follow-up from previous stories um we have mentioned a few times the minor little mega catastrophe of the cloud strike bug that took out you know the windows machines and a whole bunch of really major companies and airlines and things.
[1:08:06]When last we met our hero or anti-hero or villain, they had released an initial investigation. So basically very, very preliminary results on what went terribly, horribly wrong. And they have now followed up, as I expected they would, with a much more detailed analysis. If you would like the details, then you will find a link in the show notes to an article on the Hacker News, which has an analysis of, as I say, a lot of detail.
[1:08:39]We also mentioned last time the PKfail vulnerability, where a bunch of PC makers have shipped PCs with a certificate at the very, very heart, the platform key, of the Secure Boot architecture. So Secure Boot is supposed to cryptographically ensure that everything is good from firmware all the way up to the running operating system. Basically it starts first, cryptographically checks everything, and the only way you can get to a secure endpoint is to be secure all the way up, verifying every step in the boot process. So Secure Boot depends completely on the platform key, and one of a company, we're not entirely sure who, who seems to provide many major manufacturers.
[1:09:32]They had some sample code, which actually the sample code came from Intel, but someone used the sample code in real firmware, and the certificate for the platform key actually says, if you examine it, "do not trust, do not ship", and yet that's what they shipped. So, figuring out if your PC is affected: there was a giant big list we posted last time, but actually there's a little bit more to it than that. Thankfully Steve Gibson has released a free checking tool that you can run on your PC, and the first thing it will do is make sure that Secure Boot is actually enabled at all, because just because you don't have an affected model doesn't mean that everything is okay. Well, maybe Secure Boot is just totally off. Maybe that list wasn't complete. So the tool first of all checks to make sure that everything is fine in terms of your Secure Boot configuration, and then it goes and has a wee look inside your certificate, checking to see if it is marked as "do not trust, do not ship", and it will basically give you a thumbs up or a thumbs down depending on how your security setup is.
[1:10:41]Jumping us on then to Action Alerts. It has been Patch Tuesday, so of course Microsoft have some presents for us all. 9 zero-days, 6 being actively exploited in the wild, so patchy, patchy, patch, patch. Microsoft haven't fixed everything that we know about. There is a bug which definitely has the corporate world rather worried, which is the ability for some malware already on your system to downgrade Windows back to an older patch level, which is interesting. Microsoft are working on remediating that. I don't think this is something for home users to panic about. Well, there's nothing really for home users to do apart from don't get malware on your PC, and then it can't elevate itself by unpatching Windows.
[1:11:29]So I'm just going to watch that one for a while. And a little caveat: so this Patch Tuesday, it has those 9 zero-days, so you really should patchy patchy patch patch, but if you run Windows in a dual boot environment where you have Linux and Windows booting on the same machine, and you use Grub2 as your Linux bootloader, and your version of Grub2 is not patched against a known CVE issue which actually allows for a Secure Boot bypass, then this Windows update will break, or may break, your dual boot, because it includes a security rule to stop insecure versions of Grub2 from booting. So Microsoft had intended for the installer script for the Windows update to not protect systems intentionally running a broken version of Grub or an unpatched version of Grub, but their detection logic was off, which is why some systems that were booting fine weren't booting fine after the update. There is a workaround. I would say why are you running an insecure bootloader, but hey, what do I know. Anyway, two links in the show notes to different articles related to it. It's not the end of the world if it happens, whereas the nine zero-days in an unpatched Windows could well be the end of your digital world, so I would say patch and then deal with Grub if you need to.
[1:12:56]Google have also been busy releasing updates. We have a zero day in the Android kernel which is being actively exploited. That is one of 46 vulnerabilities patched in their most recent Android update. If you can, patchy patchy patch patch. Meanwhile Google has also given us the ninth update to Chrome to fix yet another, or sorry, the ninth update to Chrome, specifically for a zero day being actively exploited in the wild. I should say there's been lots of other updates to Chrome. Anyway, patchy, patchy, patch, patch your Chrome. And if you use another Chromium browser like Edge or Brave or there's a whole bunch of them, you will get a patch soon. Let it apply itself. Each browser company will flow this through in their own way, so patchy, patchy, patchy, patchy things you can.
[1:13:53]And finally, if you use Google's file transfer tool, QuickShare, be aware there were 10 rather major flaws in it, which security researchers reported to Google, who have patched it. This is apparently very useful if you live in the Google eco-verse. So if you use QuickShare, patchy, patchy, patch, patch.
[1:14:16]If, like me, you are a happy 1Password user and a happy Apple user, you should be aware that there was a weakness in 1Password for Mac, which would have meant that if your machine was hacked, it would be easier for the hacker to steal your password than it should have been. That has been patched, there's no evidence of any actual abuse of it, but of course now that it's been discovered and patched, now the attackers do know about it, so patchy patchy patch patch. 1Password will ask you to update it. Yes, yes is the answer, you want that update. And not to be left out, Apple have given us a patch to a patch, so we had macOS 14.6, 13.6 etc., iOS 17.6, many more. There's now a .1 of all of those because there was a bug when you were changing your iCloud advanced protection settings. Basically the interface may have been lying to you, telling you it was on when it wasn't or that it wasn't on when it was, or when you turned it off telling you it had turned it off but hadn't really turned it off. Basically not good. Not going to affect very many people because it's only people who were proactively changing their advanced protection settings. But nonetheless, patchy patchy patch patch.
[1:15:40]Especially if this whole advanced data protection thing is of interest to you.
[1:15:47]I don't generally, or I have stopped generally, reporting every single WordPress vulnerability that comes my way because there's a lot of them. But I do also know that we have quite a few people who listen who are also WordPress operators, who run their own WordPress in some way. And this time the bugs I'm going to tell you about really do sort of cross a bar where it's like, even though I've said I'm not going to tell you about every single WordPress vulnerability you might want to care about, yeah, these two are, you know, a little bit different. The first is called GiveWP. Actually, I should say they're both plugin updates. GiveWP is a very popular plugin for taking donations. So particularly, you know, Nosilla Castaways who may be running a WordPress site for something they do on a volunteer basis, this sounds like the kind of plugin that might be handy. One reason it's worth talking about here is that it is popular. The second is that the bug they fixed scores a perfect 10 out of 10 on the CVSS scale.
[1:16:52]Perfect, of course, means the opposite of perfect, the worst possible kind of bug. Patchy patchy patch patch. While you're in your WordPress settings, do remember you can tick a little box that says automatically apply updates next to each plugin. Consider doing that next to each plugin. Secondly, LiteSpeed. It's not a perfect 10 out of 10 vulnerability, but it is nonetheless a major vulnerability that allows baddies to make themselves their own mad admin account on your WordPress site, in other words completely take it over, and it is in the LiteSpeed Cache plugin, which is very popular, literally used on millions of WordPress sites, because it really speeds up WordPress and people like that for very obvious reasons. So patchy patchy patch patch if you use either of those two WordPress plugins.
[1:17:47]And finally, I don't know how much of a PSA, I may be talking to an audience of one, me, but just in case your family is as nerdy as mine and you run your own Office 365 instance for your whole family so that you can all share as if you're a small company, or maybe you run a small company. By the way, if you have an Office 365 tenancy, you need to turn on multi-factor authentication for your admin accounts before October the 15th, because from October the 15th onward, multi-factor authentication is becoming compulsory for Office 365 administration panels. If you don't turn it on, you can't administer your Office 365. Now, if you have an individual account where you just have like one single login, then you don't have an admin panel. But if you ever go to admin.office.com, then you're going to need multi-factor authentication to get into admin.office.com. So if you haven't turned it on, turn it on. Article in the show notes, walking you through how to do that, as I say, maybe an audience of one here, but I'm probably not.
[1:19:05]Moving us on to worthy warnings then. Just one, and I'm basically going to stick a flag in this. This is what would have been our security medium or a deep dive at the start of the show if Allison had been around. Attackers have discovered there's a new feature on mobile devices they can abuse, in their attempts to trick you into hacking yourself. In other words, this...
[1:19:33]This is not something that's going to just happen without you taking an action. But they're getting quite clever about how to trick you into taking the action. And the action they're trying to trick you into doing now is installing a progressive web app or a PWA. This is basically a website that appears on your home screen like an app. But it really is a website. The thing is, websites that are PWAs get more access to the phone than traditional websites. They can access some of the sensors and stuff, and they're a very useful jumping off point for a more convincing attack which will then trick you into giving more permissions and so forth. At the moment these attacks are starting with advertisement campaigns on either search results or social media sites like Facebook, and they will basically, these are advertisements and they will be flagged as an ad on the appropriate platform, which tell you they appear to be from a bank that you bank with, if they're even vaguely likely to trick you, that is.
[1:20:40]And they will basically be saying, Hi, customer of our bank, your app is out of date. Click here to update your app, which will install the PWA. And that's then the start of their process of escalating themselves from there. But the PWA gives them a pretty strong foothold you don't want to give them. For now, the advice is really simple. If an advertisement tells you to do something, don't. Just don't. Because really, if your bank needs your attention about something important, their method of communicating with you is not going to be to buy a search ad on Google or a Facebook ad. They're going to contact you through a more direct means than an ad. So if an ad tells you to do it, don't do it. And as I say, I will dig into this in more detail next time as a deep dive.
[1:21:37]Jumping us along then to notable news. We have a new record holder for the world's biggest data breach. Yay! It is the National Public Database is the name of the company that was breached. In retrospect, an extremely apt name because their database now is public and I'm afraid it really is quite national. If you are a resident of the UK, the United States or Canada you should just assume that your basic information is out there now, because 2.7 billion, with a B, name and address records have been published by attackers on the dark web. They are now out. The vast, vast majority of these have social security numbers. There are not 2.7 billion people living in the United States, United Kingdom and Canada combined. So this is not 2.7 billion hacked people, this is 2.7 billion records, because most of us have lived at more than one address.
[1:22:46]And this is a record for every name, address, social security number pairing or name and address pairing. And the information in and of itself is not sufficient to do identity fraud on its own and if we lived in a universe where there hadn't been 20 kabillion other data breaches each leaking different little pieces of our identities then this database leaking wouldn't be the kind of problem that it is. But there are lots of other data breaches, and the information here is enough to marry together the snippets.
[1:23:26]Music.
[1:23:33]That you are at risk from identity theft. And no one's quite clear on what the right advice is for the Canadians or the Brits, but there is a very strong consensus in the coverage of this story that I have seen that if you are a resident of the United States, the advice is that you switch your posture in terms of your credit record to keeping it frozen by default. So freeze your record as a matter of course, and then do a temporary unfreeze or a thaw as I'm going to call it as and when you need to apply for credit. And by default, leave it frozen.
[1:24:12]You don't have to outrun the bear. You just have to not be the lowest hanging fruit. When there are literally millions or billions of human beings who can be attacked here, you just want to not be the easiest to attack. If your record is frozen, they will probably move on to the next person who hasn't frozen their record. If you'd like some more detail about what just happened here, because it's quite a complicated breach, Troy Hunt has a detailed write-up. And if you're wondering, well, how could a company lose this information? There is an anecdote, shall we say, a datum shared by Brian Krebs on Krebs on Security that explains just how little this company care about cybersecurity. I don't know if it's incompetence or just not giving out anything, but one of their affiliate sites literally had a zip file on their public web page with their admin username and password, and in fact a list of all of their account passwords for all of their quote-unquote customers, and they all had the same default password. This is a company that doesn't know or doesn't care about cybersecurity. So it's not surprising they lost 2.7 billion, with a B, records.
[1:25:39]Security researchers have also found a bug that we now know has been around for 18 years. It has the fun name 0.0.0.0day. It's not a four times bad 0 day, but it involves the IP address 0.0.0.0. This is not a legal IP address. This is the network address of the entire internet. So the legal use of a network address is in a listen directive in a piece of software that needs to collect incoming network connections or receive incoming network connections. If you say listen on 0.0.0.0, what you are telling your computer is this service, this web server, whatever it is I'm running, should be able to receive inbound connections on any IP address configured on this computer. So 0.0.0.0 is basically the IP address of anything.
[1:26:38]It's not actually legal to try to browse to 0.0.0.0 because it isn't a computer, it's arguably every computer on planet earth. So browsers should not visit 0.0.0.0 if you put that into the address bar and hit enter. But they do, or at least they did until they started patching this. And you might say, well, what on earth do you do if you say, in effect, connect to everything on the internet simultaneously, which is actually what you're telling the computer? Well, what these browsers do when they're given this illegal IP address is they mentally transform it into 127.0.0.1, which is a loopback address. In other words, I'll talk to myself.
[1:27:23]The thing is, they fall back on talking to self, but only partially. They fall back on it in terms of where the packets go. They don't fall back on it in terms of what shields to raise. Because attacking locally listening servers, you can run various apps like things for managing Docker containers that present their user interface as a quote-unquote web page running on 127.0.0.1. And an internet site shouldn't be able to run some JavaScript that goes and checks 127.0.0.1, because if you're running, say, your Docker manager without a password because hey, it's only on my local machine, it's not exposed to the internet, well, if JavaScript from a public web page can access 127.0.0.1, then in effect your browser is acting like a proxy and letting attackers attack a supposedly private thing through the browser. So the browsers dealt with this by putting their shields up whenever you try to get to localhost. Problem is, when they do the little shim to make the illegal IP address 0.0.0.0 work, they forget to raise the shield. In effect, undoing years of protections of localhost.
[1:28:39]Bottom line is that all the browsers are working on patches. They're at different stages of that. Some of them are patched, some of them are patching. Patchy, patchy, patch, patch, and this will soon be covered. But for most Nosilla Castaways, you're not running a local server, so while this is a vulnerability that sounds scary and you may have heard about it because there's a cool name, zero zero zero zero zero day, it probably doesn't affect you. If you are the kind of user who does run servers on localhost, then you should read the article on BleepingComputer to make sure you're not using a browser that is not safe or that you are applying the manual workarounds that are currently available for browsers that aren't yet patched.
[1:29:23]A piece of news which is not cyber security related but has the potential to be privacy related is a major ruling in a United States federal court. A judge has ruled in favor of the Department of Justice in their antitrust case against Google. Google officially, as of right now, have an advertising monopoly. This is step one of two. Step one, does Google have a monopoly? Step two, litigate about how to remedy this monopoly. Well, we now have a ruling that yep, they're a monopoly, so we're now moving on to phase two, which is going to take months if not years. Simultaneously Google can and will appeal step one. So Google are going to appeal the ruling that they are a monopoly and they're always going to fight for the least remediating remedy simultaneously in case they lose their appeal. If you want to understand this detailed and complicated case and what all the different possible outcomes are of Phase 2, the best summary I have seen is over on Ars Technica. It is long, it interviews lots of lawyers, it's really good though, so link in the show notes. "All possible ways to destroy Google's monopoly in search" is the name of the article from Ars Technica.
[1:30:41]Also, in Google news, Google have outlined the privacy protections they plan to build into their Gemini AI on Android. I say outlined because that's literally what they've done. They haven't given us the technical detail, they have given us the heading. The things they say they care about, but not a description of how exactly they're going to do the caring. Based on the, you know, at the moment there isn't that much technical detail, so it's all very woolly. The initial impressions are, this is good. But it's not Apple Intelligence good. Thankfully, they have promised a white paper with the technical details, quote unquote, soon. Maybe when that happens, we will have a better idea of whether or not they have reached the very high bar, frankly, that Apple have set with their design of Apple Intelligence.
[1:31:29]Moving on then to a story that I don't think surprises anyone. In case you hadn't noticed, there's an election coming up in the United States. In case you weren't expecting it, people who don't like the United States around the world are attempting to use technology to mess with those elections. This is just a selection of the news stories that broke since last we spoke. OpenAI blocks Iranian influence operation using ChatGPT for US election propaganda. Azure domains and Google abused to spread disinformation and malware. Meta exposes Iranian hacker group targeting global political figures on WhatsApp. US warns of Iranian hackers escalating influence operations. Basically, don't believe anything on social media. If it's exactly what you were hoping to hear and it completely reinforces all of your predefined opinions, it's probably propaganda. Think, think, think. Apply brain, basically, is what you have to do. Because it's very easy to churn out propaganda these days.
[1:32:37]If you're on X, remember that you're living in a particularly unregulated digital cesspool, I would go so far as to say. So you need to be double extra aware, because X have some unique and special problems all of their own. There is now, and I find this wonderfully ironic, a new technique being exploited by all of these people trying to influence everyone. Fake content warnings. Faked versions of the content warnings that X used to do, I don't think they do them anymore. And they will then take you to propaganda or malware. I don't know which is better or worse really. So my basic advice is if you will insist on using X, behave as if you are living in some sort of post-apocalyptic hellscape, because you know something, you kind of are. So don't click on a darn thing. I am an X user, by the way, because I need to publicize my podcasting and stuff. And that's exactly what I do. I don't believe, I disbelieve everything and I don't click on anything. And I hold my nose and I feel icky. But hey, the things you do for podcasting.
[1:33:50]Meanwhile, X are in a little bit of extra trouble. The pro-privacy campaign group NOYB, which stands for None of Your Business, excellent name, they have filed nine GDPR complaints against X alleging the company illegally used EU users' data to train their Grok AI bot without getting the legally required informed consent. You know, the GDPR says you can't use our data without our informed consent. I don't think, in fact, I know Google don't have my informed consent to train their AI on my tweets or exes or whatever we're calling them, but apparently they have done. Oopsie. Just as we went to air then, we have another social media related story that is literally breaking news. I cannot give you any detail. I can just give you the headline. Telegram founder Pavel Durov arrested in France for content moderation failures. That will develop. We will talk about it when we know more.
[1:34:54]Something you should perhaps bear in mind when making risk decisions while you're traveling. Do I leave my camera in the hotel room or do I bring it with me? If I leave it in the hotel room, is it safer than if I'm wandering around the streets of wherever I am with the camera strapped around my back? Well, that trade-off has become more difficult because of the news that a hardware backdoor has been discovered in the RFID cards used in hotels and offices around the world. The issue is with MIFARE cards, and they are among the most popular brand of these kinds of cards. The one thing I can tell you from my experience with MIFARE, because I'm afraid to say I have experience with MIFARE. Generally speaking, the brand name MIFARE is on the back of the card on one of the lower two corners in very small writing. So if you're in a hotel and you're wondering, is this a MIFARE card? Maybe just flip it over and have a look on the back and see if it says MIFARE in usually the bottom right corner. Then you'll know that your hotel room isn't secure, which isn't, well, it's good to know. Good to know. Isn't a happy story, but basically bear in mind that those cards securing your hotel room may not be doing such a good job of actually securing your hotel room.
[1:36:17]And finally, because I really don't want to end on that, the post-quantum future has come a little bit closer. The US National Institutes for Standards and Technology have released their first official encryption tools to resist quantum computing. So we've gone from candidate protocols to rubber-stamped, fully approved, this is quantum-resistant, officially approved cryptography from NIST. And NIST basically set the agenda for the world. So this is not really a US story, even though NIST is in the US. This is basically a world story.
[1:36:55]Ireland officially, for example, has its own cybersecurity standards for government agencies, and I call it NIST with an Irish accent, because you basically do the equivalent of a pull request from NIST. You do a find and replace for a couple of words and you commit an update. I mean, like, the Irish national standard really is 99.9 percent NIST. So I'm kind of happy that NIST move forward on things, because it means they apply in Ireland too, and Ireland is by no means unique in basically saying, hey, those NIST folk really know what they're up to, why don't we do what they say, which is, as I say, excellent advice. I don't have a palate cleanser. Just none came my way. But I do have two excellent explainers to link to. So they're not deep palate cleansers, but they're not scary and dangerous. So yay.
[1:37:51]There is a lovely article on, not a lovely, there is a good article on Intego to keep in your back pocket and share with friends and family when they need advice. What to do after data breach and how to avoid getting hacked in nine easy steps. I'm not sure the steps count as easy, but it's good advice. And what definitely is purely good advice, a nice article from Apple Insider, how to use built-in network security features for Mac, iPhone and iPad. I would say for a lot of Nosilla Castaways this is just a review of what you already know or what you mostly already know, but it's a good little place to collect it all together. It's worth having a read to make sure you haven't forgotten anything, and another useful one to keep in your back pocket to share with friends and family only when they come looking for advice.
[1:38:37]Righty-ho, I'm going to draw a line under there for this solo Security Bits. I hope I haven't confused you all too much. I'm very much looking forward to having my trusty sidekick back with me next time when we are due a deep dive onto why PWAs are now being abused by attackers and some advice for not falling for it.
[1:39:01]Until then, you, of course, know what to do. Stay patched, so you stay secure.
[1:39:08]
Outro
[1:39:10]That's going to wind things up for this week. Did you know you can email Allison at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, folks, everything good starts with podfeet.com. You can follow Allison on Mastodon at podfeet.com forward slash Mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com forward slash YouTube. If you want to join the conversation, you can join the amazing Nosilla Castaways over on the Podfeet Slack at podfeet.com forward slash Slack. You can also support the show at podfeet.com forward slash Patreon with a one-off donation, or sorry, with a regular donation, or you can do a one-off donation at podfeet.com forward slash PayPal. If you want to join in the fun of the live show, you'll have to wait until Sunday September 8th to head over to podfeet.com forward slash live, and Allison will be back broadcasting live at 5pm Pacific time, where you will be able to hang out with the friendly and enthusiastic Nosilla Castaways. Thanks as always for listening and remember folks.
[1:40:18]Music.
