NC_2024_09_15

In this 1010th episode, Allison Sheridan discusses iPhone photography, programming, and community building, and walks through her live-show mishaps and audio-editing challenges. Allister Jenks wraps up his Philips Hue automation series.

2024, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

NC_2024_09_15
LTP 132: Phone Camera Wishlist – Let’s Talk Podcasts
PBS 170: Model View Controller (MVC)
Appearance on “Beyond the Post” Podcast with Robb and Bodie
A Rusty Podcaster Makes Mistakes
Philips Hue Programming, Off the Charts (Part 3 of 3)
Support the Show
Security Bits — 15 September 2024

Long Summary

In this episode, Allison Sheridan of the NosillaCast podcast, a technology show with an ever-so-slight Apple bias, marks a milestone: show number 1010, a moment that leads her to reflect on what reaching a four-digit episode count means.

The discussion kicks off with accolades for Bart Busschots and his podcast Let's Talk Photography. In the latest episode, Bart describes his transition from digital SLR photography to shooting almost exclusively with an iPhone, and uses that change to think through what he wishes a camera phone offered. Allison notes that the episode was recorded before Apple's event, which makes it especially interesting in light of the Camera Control feature announced for the iPhone 16 and 16 Pro. She urges listeners to check out Bart's podcast for the full discussion.

Continuing with podcast recommendations, Allison shares her return to co-hosting Programming by Stealth with Bart after their summer hiatus. They explore why having a framework matters in software development as projects grow, focusing on the Model-View-Controller architecture. This sets the stage for the next episode, in which Helma van der Linden will explain the details of her MVC implementation for the XKPasswd project.

Allison also recounts her appearance on the Beyond the Post podcast, hosted by Robb Dunewood and Bodie Grimm. In an engaging two-part conversation, she shares her experiences with building a community around her podcast and her passion for accessible technology. She highlights a free ScreenCastsOnline tutorial she created about adding descriptive text to images for social media.

Shifting gears, Allison reflects on an amusing mishap during last week's live show, where she mixed up episode numbers and recording processes, providing a humorous insight into the behind-the-scenes chaos of podcasting. Her reliance on automation tools like TextExpander led to quite a few comical errors, demonstrating that even seasoned podcasters can encounter hiccups.

The episode transitions into a technical discussion of her production workflow: Audio Hijack for recording both sides of a conversation, Hindenburg for editing, and Auphonic and Libsyn for delivery. She recounts how a track she muted in Hindenburg and forgot to unmute slipped all the way through publication, and the cascade of fixes that followed, underlining the value of a robust, repeatable process for checking every detail before going live.

This episode also features a segment with Allister Jenks, who concludes his programming tutorial on Philips Hue lights. His detailed scripting journey showcases the intricacies of creating user-friendly automation, including validating user input and controlling any number of lights in a single command. Allister emphasizes the importance of usability in developing such scripts, echoing a theme that resonates throughout the podcast.

As the episode wraps up, Allison encourages listeners to support the show through Patreon and highlights upcoming segments, including a deep dive into pressing security issues and exciting developments in the tech world. The conversation intersperses humor, personal anecdotes, and expert insights, making for an engaging listen that caters to both tech enthusiasts and general audiences alike.

Listeners are urged to engage with various segments of the podcast community, from real-time discussions on Slack to exploring the vast resources available at podfeet.com, ensuring they remain informed and connected to the world of technology.

Brief Summary

In this episode, we celebrate the 1010th show with Allison Sheridan of the NosillaCast. We discuss Bart Busschots' transition to iPhone photography on Let's Talk Photography and reflect on desired mobile camera features.
Allison shares her return to Programming by Stealth with Bart, focusing on Model-View-Controller architecture, and highlights her experiences on the Beyond the Post podcast about community building and accessible technology.
We laugh over behind-the-scenes mishaps from last week's live show and dive into technical challenges with Audio Hijack, Hindenburg and audio editing practices. Allister Jenks features with the final part of his tutorial on Philips Hue light automation.
Listeners are encouraged to support the show on Patreon and engage with the community for upcoming segments on security and tech developments.

Tags

1010th show
Allison Sheridan
NosillaCast
Bart Busschots
iPhone photography
mobile camera features
Programming by Stealth
Model-View-Controller
community building
accessible technology
Audio Hijack
audio editing
Philips Hue
Patreon
security
tech developments

Transcript

[0:00]
NC_2024_09_15
[0:00]Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at Podfeet.com, a technology podcast with an ever-so-slight Apple bias. Today is Sunday, September 15th, 2024, and this is show number 1010, or should I say 1010? Man, I've got to rethink this whole thing now, going to four digits.
[0:20]
LTP 132: Phone Camera Wishlist – Let’s Talk Podcasts
[0:20]You know I'm a big fan of everything Bart does, and I've mentioned many times how much I enjoy his Let's Talk Photography podcast. It's not about gear, it's about the art and craft of photography. But in his most recent show, he got a little tiny bit on the gear side. He talked about how he's converted from being a digital SLR photographer to almost exclusively an iPhone photographer. He dusted off his big boy camera to help him think about what he wished he could have on a camera phone, not specifically an iPhone, so he wasn't, you know, talking flame wars about Android versus iPhone, but he's talking specifically about using a camera phone, and what would he like to see? His conclusion after much explanation was that he'd like to see a dedicated toggle to expert mode. Now, I highly encourage you to listen to the episode because it's very thoughtful of not just photographers, but the rest of us as well, who just like to take snapshots. He recorded this before the iPhone event, and I think it's really interesting in light of those recent announcements about the dedicated Camera Control feature on both the iPhone 16 and 16 Pro models. Go have a listen at lets-talk.ie and look for LTP 132, Phone Camera Wishlist. Or of course, you can add it to your podcatcher of choice.
[1:39]
PBS 170: Model View Controller (MVC)
[1:39]Well, Bart and I are back in the saddle on Programming by Stealth from our summer hiatus. It's funny, we actually scheduled it for the first time ever, even though pretty much every single year, we have actually taken a hiatus in the summertime. This time, it wasn't an accident. We told the audience. In this week's episode, Bart takes on the task of explaining the philosophy behind why having a framework for software development is useful and even crucial as projects get bigger and more complex. We chose this topic because the XKPasswd project has already started using a framework called Model-View-Controller. We get the barest understanding of Model-View-Controller in this explanation from Bart, and the next episode of Programming by Stealth will be the wonderful Helma van der Linden explaining the details of her implementation of Model-View-Controller for the XKPasswd project. In the first episode of its kind, I will not be the only student in the class. Bart and I will be learning together. You can find Programming by Stealth in your podcatcher of choice, and of course there's a link in the show notes to pbs.bartificer.net.
[2:46]
Appearance on “Beyond the Post” Podcast with Robb and Bodie
[2:46]Shortly before we left on our Africa adventure, I had the great pleasure of being a guest on a relatively new podcast called Beyond the Post. The show is hosted by Robb Dunewood, who you may know from the SMR podcast and The Tech Jawn, along with the infamous Bodie Grimm of the Kilowatt podcast. The idea of Beyond the Post is to explore the strategies and visions of folks creating digital content. One week, they'll talk to a guest maybe knowledgeable about social media strategies. Another week, it'll be about monetization, and another might be about the nuts and bolts of podcasting. Maybe it's because the three of us are such good friends, but my conversation with them had to be broken up into two episodes because we talked for so long. In episode four of Beyond the Post, I talked about how consistency has helped me keep going after a thousand weekly episodes over 19 years. I also explained how accidentally building a community around the show has been my greatest motivation. Not accidentally building it, but the community itself.
[3:43]In episode 5 of Beyond the Post, we changed gears a bit and talked about my passion for accessible tech so that everyone can play. I managed to squeeze in a plug for the ScreenCastsOnline tutorial I did about how to add descriptive text to images on social media so that screen reader users can enjoy your content. You may remember that Lee Garrett, owner of ScreenCastsOnline, saw the value to the world at large of this tutorial, so he made it free for everyone. There's, of course, a link in the show notes to that as well. Now, I adore both Robb and Bodie, so it was lots of fun to swap stories and ideas about how to navigate the landscape of producing digital media. As you can imagine, we got a little bit silly from time to time too. I hope you'll check out Beyond the Post in your podcatcher of choice and look for episodes four and five where we had so much fun. And of course, there's a link in the show notes.
[4:36]
A Rusty Podcaster Makes Mistakes
[4:35]At the beginning of last week's show, you probably heard me say that the live audience heard the intro three times because I kept making mistakes. While Jill, Bart, and Allister flawlessly executed their three shows, I could not stop messing things up last week. And that was only the beginning.
[4:52]Now, I'm going to blame automation for some of this. When I open a new item for the next NosillaCast post in MarsEdit, my blogging software of choice, I run a TextExpander snippet that sets up the standard information you see for the podcast posts. I've talked about this TextExpander snippet before, but let's walk through how it's awesome and also my greatest chance for error. When I start the latest post in MarsEdit for the NosillaCast, the title always starts with NC space and a hash, and then it's followed by the episode number. Now, we all know I find it nearly impossible to add the number 1 to the previous episode number, so Rosemary Orchard wrote me a shortcut that finds the most recent NosillaCast, adds 1 to the number for me, and then tells me the next NosillaCast episode number. Given that critical crutch, when my TextExpander snippet gives me a pop-up asking for the episode number, I know the answer. I type it into the field, and TextExpander fills out the rest of the standard info you see on the posts for the NosillaCast. But let's stop right here and realize that despite Rosemary's best efforts, there's still a human ready and fully capable of making a mistake. Last week, her shortcut told me it was episode 1009, but when queried by TextExpander, I typed in the number 2009.
[6:08]Well, when I started recording with the live audience, I dutifully read what my script said out loud, which was that it was show number 2009. Luckily, I caught myself on that mistake and I re-recorded it. But the second flaw is that my TextExpander snippet automatically enters the current date. That's because most weeks I start the post for the show on Sunday, so it's efficient to have it auto-filled for me. But more and more often I start writing the show post on an earlier date, which means it's completely wrong when the automation runs. So in addition to saying it was show number 2009, instead of saying the date was Sunday, September 7th, it said it was Wednesday, September 4th. Other than that, things were going swimmingly. After I realized this was all messed up, I edited the content in MarsEdit to correct the episode number and the date and then re-recorded the intro. But the date isn't just in the part I read out loud. It's also in the enclosure file title and its description and the transcript URL and the description of the transcript URL. I have to remember to fix it in five different places. I'm starting to wonder whether I should make my TextExpander snippet ask me for the date instead of assuming I've created the draft post on the right date.
[7:18]Well, there's an additional problem with me typing in the show number and making a mistake like last week. My TextExpander snippet also auto-fills in something called the post slug. In blogging with a server tool like WordPress, every article has the same beginning part of the URL, but then it's followed by what's called the post slug that identifies which post you're reading. My format is the site URL, podfeet.com, followed by /blog, then the year and month separated by backslashes, and finally the last bit that identifies the post. In this case, that should have been /NC-1009, but instead it said /NC-2009. Now, this isn't catastrophic. It's not really that big of a problem because I don't think anybody else ever looks at it, but it bugs me to have it wrong. Once I post the show, that post slug gets propagated all over the place too. It goes in the feed file and it goes in all the online spamming I do on social media. So once it's already out there, I have to leave it be. As I was writing up this article, I realized, you know, I really do start the post early pretty often. The reason I know it's five places I have to fix it is I've had to do it so many times I have that number memorized.
[8:31]Inspired by my idea that I could alter the TextExpander snippet to reduce the probability of this problem reoccurring, I decided I would fix it. Assuming I didn't make any mistakes in the fix, which is a long shot, I think it will work better. It's still going to default to dropping in the day, date, month, and year, but the format will be slightly different. In the new and improved version of the snippet, the day of the week is a pull-down with the default set to Sunday. On occasion, I may produce the show a bit earlier, or sometimes later, so now I'll be able to tap the pull-down and select an earlier day. I even made the days of the week go backwards, so if I do it a day early, Saturday is the next one down.
[9:11]In the original snippet, the month, date, and year were autofilled and I had to change them after the snippet dropped all of the text into MarsEdit, all five times. In the new and improved version, it'll still autofill, but I made it a single-line field for each one of those values. This means it'll be visible and editable to me when the snippet is up on screen before it gets plopped into MarsEdit. And I only have to change it in one place, not five places, because they all change together when I change one of them. Now, I thought I was done, but I forgot that this TextExpander snippet calls yet another TextExpander snippet, which enters the MP3's file name. The file name always starts with NC, followed by year, month, and date interspersed with underscores. So it should be like NC_2024_09_13.mp3. So it's in there too, that date. And then I forgot there's yet another TextExpander snippet embedded in there that calls for the date, so I updated both of those snippets too, and now they grab the same date change I make in the bigger encompassing snippet. I know that's a lot of detail that's probably hard to follow, but the good news is that by telling you about these mistakes, I think I found a better way to use TextExpander to set the show notes up for success, and you are the beneficiary.
[10:28]But wait, there's more. If it was just a poorly written automation that didn't take into account the idiot behind the keyboard, I probably wouldn't have written an article about it. But of course, I managed to make even more mistakes last week.
[10:42]When Bart and I record a show together, we both record both sides of the conversation. If nothing goes wrong, I use my recording of me and his recording of him. This gives us the highest quality recording of both sides. It's all done with the magic that is Audio Hijack from Rogue Amoeba. Now, the way we do it is first he starts his recording and then I start mine. The way he tells me that he started is he says, Plink! Well, this turned into a joke over time where now I ask whoever I'm recording with to yell "plink" when they start the recording. I've saved many of these plinks over the years. I've got Joe from the Northwoods, the CEO of Rogue Amoeba himself, Paul Kafasis, I got Dave Hamilton, and more. Now that I'm recording regularly with Adam Engst, he has joined the Plinkers Hall of Fame. Plink! Isn't that great? Anyway, you don't normally hear the plinks because I cut them during the production of the show. If you attend the live audience show, sometimes you do get to hear them, and nobody enjoys these plinks more than Steve. When I lay down the audio tracks for Chit Chat Across the Pond or Security Bits in the NosillaCast recording with the live audience, Steve usually asks me to play the plink before I cut it out of the recording. Well, last week, I dropped in my recording with Adam, and I cut the plink before he stopped me. But then he asked, hey, can I hear the plink? Well, I made a little bit of a fuss about how this might cause problems, and he said, oh, no, it's not a big deal, never mind. But he sounded sad, so I undid the cut.
[12:08]Now, that left the plink audio to the left of the real starting point, which meant if I played it for the live audience, it would be covered up by our fancy new bumper music. To fix this, I could have slid Adam's and my recordings to the right, played the plink for Steve, and then slid them back and undid the cut. But I had a much better idea. Instead, all I had to do was mute the bumper audio's track in Hindenburg, play the plink, and then use Command-Z to redo that cut to remove it.
[12:39]Anybody see the flaw in that process? Well, that undo/redo keystroke had no effect on Hindenburg, so it did not undo the mute. It undid the cut, but it didn't undo the mute, or it redid the cut, I should say, but it did not undo the mute. I know not to use mute because I can never... I can count on... no, I can't even count on both hands and both feet how many times I've forgotten to unmute an audio track when I mess around like this. Every time, though, I think this time I've got to remember to fix it afterwards. Well, I finished recording, I exported from Hindenburg to an M4A file, I uploaded it to Auphonic, which for some reason took forever last week, like an hour when it's normally minutes. Anyway, then Auphonic did its magic, including securely FTPing the file to Libsyn, where the audio file gets served to you. In MarsEdit, I tested the link to ensure the audio file was in the post for the website, and in Feeder, when I created the item for the feed, I verified it was the right file enclosure. I published, I pushed publish everywhere. I opened Overcast. I waited for the NosillaCast update in Overcast. I confirmed it was the right audio file by listening to a little bit of it. And then I spammed the internet about the show.
[13:50]The next day, I think it was sometime in the morning and maybe on my walk or something, I had my phone in my hand and I must have bumped the Dynamic Island, which still had Overcast showing in it. And my latest episode, 1009, not 2009, thank you very much. Anyway, that episode started to play. Imagine my horror when after a few seconds, I heard dead silence. Well, actually, it wasn't even dead silence. Worse yet, it was sounds of me shuffling around when there should have been the bumper music. I realized immediately what had happened. There was no bumper music.
[14:23]Now, that wouldn't have been the worst mistake I've ever made. Remember when I deleted the entire NosillaCast in Apple Podcasts on the thousandth episode? That was the worst mistake I've ever made. But it still would be really bad for this particular episode because I made such a big deal about adding bumper music. You'd have all thought I was bananas that I thought I was playing bumper music in the show, but you couldn't hear it. As soon as I realized what had happened, I raced home, and I opened up Hindenburg on my Mac, I unmuted the track in question, and then I exported it yet again to an M4A file. From past experience making mistakes, I know things get weird if I try to use the same file name, so I added an A to the end of the file name, so it became NC20240908A.m4a. Next, I uploaded the A version of the file to Auphonic, which did not take forever this time. Auphonic did its magic on the new file, and it securely FTPed the new version to Libsyn. I waited until Libsyn had the new A version of the file, and then I popped open Feeder, changed the file name to the A version, verified it pulled the new metadata for the file, such as the length and bits and the date. I pushed the feed up, and I verified in Overcast that I now had bumper music. Okay.
[15:37]Good. Then I went back to the blog post, and I changed the file there for those who'd like to listen on the web. Now that I think about it, one of the magic bits of Auphonic is that it now pushes the audio with a little graphic to YouTube, and I'm pretty sure there's probably two versions up there to this day, but, you know, I'm tired of cleaning this one up. All right, I'm all good, right?
[15:58]Well, not yet, sister. I still have two files up on Libsyn. You see, they charge by how much new audio you push up there per month, and I've actually run out of my allowance on my plan before, because I hadn't gotten rid of some old version or I'd accidentally uploaded a video file. So I really needed to get rid of that old version on Libsyn. I've mentioned to you before that Libsyn has a terrible web interface. Their new version 5 is beautiful and elegant, but it doesn't allow you to manage the files you've stored on their servers. I literally can't do what I need to do in version 5. They've told me, oh no, you've got to use version 4. Well, luckily they've kept version 4 around. It's at four.libsyn.com, and it's old and it's clunky and it's graphically damaging to your sense of beauty and style, but it's mostly functional. Now, since I was smart enough to name the two files differently, I assumed it would be easy for me to tell them apart in the Libsyn interface. One should have an A at the end of the name. When I re-ran the production in Auphonic, I didn't change the title, and I think at that point, both files showed up with the same title on Libsyn even though they were pointing to different files, so it was harder to tell them apart. I ended up looking at the dates and times of the files to figure out which one was which, and I deleted the old one. For some reason, it didn't disappear the first time I asked it to go away, so I clicked delete again. Finally, there was only one file. I declared victory, and I celebrated.
[17:25]And the next day, I started to get emails from people telling me they couldn't download the show. Mark Schaefer and Emmy Conster were the first to alert me to the problem. Now, if one person has an issue, it's usually something they can fix on their end with a resubscribe, but two people, that's a pattern. I tried to download the show again in Overcast on my phone, and sure enough, I got an error on the episode that I had checked just the day before. I went back to Libsyn and I found the weirdest thing. Remember I deleted the old file, but I had to do it twice. What was left was not an audio file. It was a text file. It had a T on the logo. The file was somehow the transcript of the show, and I have no idea how Libsyn even got that file. When Auphonic is done with its magic, it gives me a download link for the MP3, and as a safety net, I always download it to my Mac. Since I had that real file, I deleted the text file in Libsyn, and I uploaded the MP3 file. I raced back to Overcast, and while now the file downloaded properly and it had bumper music, for some reason, the chapter marks were gone.
[18:31]Now this was a mystery since I'd followed the same darn process to create the file, starting in Hindenburg where I added the chapter marks and Auphonic where they definitely get preserved in the file through transcoding. All right, remember I said the Libsyn interface is ugly? It's also confusing. In my haste to upload this darn episode yet again, I selected the content tab and then I clicked on add new episode. Well, gee, Allison, anyone can tell that's way wrong, right? I was supposed to use add file for download only. Libsyn can do the full production of the show for you, including giving you a website, but I don't use any of that. I only use them as a file server, so I needed to do it a different way. And had my memory been working properly, I would have remembered it's add file for download only. Now, I still don't know why a new episode would lose the chapter marks, but when I deleted the file yet again and I added it as a file for download only, I finally had a working podcast episode.
[19:29]Now, throughout all of this adventure, I was surprised that I didn't get a lot of emails from people asking me where the bumper music was on the original file before I broke everything and made it even worse. I even noticed that Bart posted a lovely note on Mastodon and in our Slack about how much it tickled him that not only did I approve of his use of that bumper music, but that I liked it enough to adopt it for the show. He's eight hours ahead of me in time zones, and he usually listens pretty soon and pretty early on Monday mornings. So how did he hear the bumper music before I fixed the muting problem? Well, I was noodling this all week and I figured it out. I pulled up my Hindenburg project and I started looking at the bumpers. My projects have several tracks. One is called ambience and one is called music. Get this. Of the four times I dropped in Bart's bumper music, three of them were on the music track and only one was on the ambience track. And the ambience track was the one I muted and forgot to unmute. That means not only did I accidentally hit play on my iPhone in Overcast, I just happened to have the playhead situated on the only spot in the hour and 27 minute recording that had dead silence. I did all of that work and I made all of those mistakes trying to fix the new mistakes I made for a four-second audio gap. If I knew then what I know now.
[20:58]All right, Allister Jenks is back with part three of his Philips Hue Programming, Off the Charts.
[21:05]
Philips Hue Programming, Off the Charts (Part 3 of 3)
[21:05]In the second installment of this series, I left you with a couple of useful scripts, one to fetch the device ID of a light given a name and one to perform the conversion from RGB to CIE color. I developed those two scripts as a necessary part of what comes next.
[21:24]I have demonstrated the actioning of four different aspects of a light. Power, color temperature, color and brightness. In my goal of creating bespoke automation, I wanted simplicity. I didn't want to use different scripts for different tasks. I didn't want to have to use magic numbers like 153 Merrick. And I wanted an easy way to specify any combination of change and across multiple lights in one go. The result of this insanity is a single script which addresses all of these aspects. So how did I get there? Well buckle up. My first requirement was that I didn't want my script in my home directory with bespoke parameters. It had to operate like a native command. I achieved this in three ways. First I named my script simply hue. There is no .sh suffix. Second, I placed it in a directory that was already in my path. And third, I implemented standard command parameters.
[22:32]In my case, the directory home slash .local slash bin was already present and in my path. This appears to have been created by a third-party tool, but from what I have read, it is a recommended location for user scripts. I will leave it as an exercise for the user to worry about where to put the script and how to make that location a permanent part of your path. We have more than enough to cover here already.
[22:58]For the handling of standard parameters I have used a third-party tool to help me out. I did not consider rolling my own use of getopt or getopts because both have competing drawbacks. Getopt is far harder to use but allows long option names. Getopts is much easier to use but does not have long option names. So I called on the services of argbash.
[23:25]Argbash is a downloadable tool, but I always use the website provided by the developer, which means I don't need to install anything. I will leave the reader slash listener to peruse the Argbash website, but in a nutshell, you simply provide a description of your parameters in specially formatted bash comments, then ask Argbash to generate the code to handle them. I created a very basic script that defined my parameters and had just enough code to prove they worked. I've switched to the Bash shell because that's what ArgBash knows, let's send a name. My parameters are comprised of four optional flags, one each for switching on or off, setting a color, setting a color temperature and setting brightness. Beyond those I allow for an infinite number of light names. The initial script simply printed out the parameters as it was given. I will spare you a description of the full code generated by argbash, but suffice to say it worked essentially as I wanted, so I did the rest directly in the generated script without needing to return to argbash. I left the argbash lines at the top for later reference should I end up expanding on this.
[24:38]With my flags and arguments defined, this is the form of command I was aiming for. Hue dash dash rgb 255 comma 127 comma zero dash dash dim 45 study s1 study s2 study s3. Those are the names of my lines. Now on to how the script turns this kind of command into action. First, I added a couple of lines to define the hue application key and the bridge IP address. These were mentioned in part one of the series. To use my script, you will need to edit in your own values.
[25:17]I defined a base URL variable that contains the IP address and the correct API path for both querying lights and, with the addition of an ID, actioning them. Next up are two functions. These are essentially the two scripts I produced last time. The only tweaks were to make them work with the variables in the rest of the script. Note that each of these functions simply echoes out the result. When we call them, we can use the same $ to capture that value. Now we move onto the first functional part of the new script. it. Because fetching light IDs takes a not insignificant amount of time, especially given I am allowing for an arbitrary number of them, I decided it was worth spending the time up front to gather all of the needed IDs. This is done with the getID function defined above. Also in this process I am silently discarding any lights that could not be found. The result is an array of light IDs for use later. It is worth noting at this point that shells were not designed to be fast. If you want instantaneous action across a significant number of lights, you're better off using a different language.
[26:32]The next phase of the script is validation of the provided values. There may be edge cases, but I think these capture and complain about any fundamentally incorrect values. First up, I check whether I have at least one valid light ID. If I don't, the script prints a suitable message and exits right then. All of the following validations follow this basic pattern. The next validation is the most simple: if the switch flag is specified, it must be on or off. This is all fairly basic Bash logic.
[27:04]Validating the RGB flag is a bit more involved: the user must supply three values separated by commas, they must be valid integers, and they must be in the range from 0 to 255. There are several more interesting Bash constructs in that check. First, splitting up the comma-separated triplet into an array, which involves setting the separator and reading the values into the array. If the array has any number of elements other than three, then I complain. Once I know I have three values, I check they contain only digits, and again complain if not. This uses the very powerful Bash regular expression comparison, though in a fairly simple way. Finally, I now know I have three integers, so I check to see they are in the range 0 to 255. Up next, and a little simpler, is the temp flag for color temperature. Once again, a check is made for only digits, and when that is satisfied, I check the number is in the range 2000 to 6500. The final check is the dim flag for brightness. This needs to be an integer from 0 to 100. The checks are nearly identical to the color temperature ones, just with a different range check. Once I get to this point in the script, whatever values I have been given are in good shape. So the next phase is to build up the JSON string that will write the actions to the lights.
[28:31]For each of the flags provided, these sections add to the JSON variable using straightforward string concatenation with some conditionals thrown in. The switch flag section is the first. After this, each section also has an extra conditional to insert a comma if there is prior content. The RGB flag processing calls the getColor function to get the complete JSON object; the temp flag processing does the simple mirek calculation using bc. Finally, the series of JSON objects is wrapped in an outer object before looping through the previously collected IDs and applying the actions with the curl command. That's it. The complete script is 311 lines long; without blank lines and comments, 236 lines; and ignoring the Argbash bits, only about 123 lines of code that I have written myself.
[29:27]In use this script can seem a little slow, but in my case I have six lights and one switch connected to my bridge, and it is able to set three of the lights' color temperature and brightness in about one second. Setting a color takes more work in the conversion of RGB to CIE and sets the same three lights, including brightness, in around 1.6 seconds. In both cases I can see the changes ripple across the three bulbs. The speed could be improved either with a more efficient language or by looking at storing IDs rather than looking up each one every time, or you could look into light grouping. There is plenty of scope to improve on my effort. For my own purposes I will be using BetterTouchTool to script my Elgato Stream Deck buttons to perform various actions on my lights. The possibilities are many. You can find the full script on my GitHub account. Link in the show notes. Well, thanks for that, Alistair. I'm really glad that you said at first that you were descending into madness on this, because you have really taken this up a notch, but I always love your content and so does everybody else here.
Support the Show
[30:39]There are a lot of ways to support the show, and you know one great way is to pledge a monthly amount through Patreon, the gift that keeps on giving. This week one of my longest-running supporters, Trevor Drover, did something extraordinary. After nearly eight years of supporting the show through Patreon, he increased the amount of his pledge. How cool is that? Now, while it is cool, it would be even more swell if more people supported the show instead of the existing patrons carrying so much of the load. So if you've got a little extra money to spare, I sure hope you'll head over to podfeet.com/patreon to help keep the servers humming and the microphones recording.
Security Bits — 15 September 2024
[31:26]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. And apparently the world didn't fall apart while I was gone, but I'm looking forward to doing it with you today, talking about security. Well, I always prefer these segments when you're here to make sure I don't do silly things like slip in jargon words or make assumptions I shouldn't. Because I think I was saying this on Bodie's show when we were talking about your show on Bodie's show. That sounds very incestuous. But anyway, it was a positive conversation.
[31:56]And I work in this stuff all the time. I forget what is jargon and what is common knowledge. It is so unimaginably valuable to have you here to catch me doing silly things. It gives so much. I rely on it a lot. I'll take credit for that, because a lot of times I do know what you're talking about, but I want everybody to know what you're talking about, not just me. So I'd say it's probably 20% "What are you talking about, Bart?" and the other 80% is, I bet there's people who don't know what he's talking about. So it's for everybody. And I heard you talking on Bodie's show, and I was really flattered. But we should mention what that show was. That was another segment in what EV, what electric vehicle, is Bart going to buy? Because you've just test-driven a new one. So people should go look for the Kilowatt podcast. I don't know what episode it is, but look for one with Bart Busschots. It's about two weeks ago. Listen to them all. Collect them all. He doesn't number them. Because I tried to tweet it out with a number and there's no number. So it's just like, okay, episode.
[33:00]Yeah, he also doesn't have a website, so other than that, it's great. He uses Acast for himself. Great content, though, so hey, I'm happy it's in my podcatcher. Yeah, just search for Kilowatt Podcast. Exactly. There you go. Right, we have some follow-up on stories we have talked about before. A strange twist in the NSO Group saga. So these are the charming people who made the Pegasus spyware that caused so much kerfuffle, must be two, three years ago now. And Apple was suing them, and they have decided not to, because the disclosure they would have to do as part of the court case risks doing more harm to iOS user security than punishing NSO Group maybe someday in the vague future, if this court case ever ends. So they have dropped the case. Oh, wow. Probably for the best, but I wanted to see them lose. I really did. But it's not worth reducing our security.
[34:02]Yeah, one of the hardest things in the world is to get past, but it's the principle of the thing. Yeah, yeah. Our charming friends at 23andMe have settled one of the class action suits. They still have all sorts of regulatory problems, but this is the class action part of their problems. In the United States, they probably have class action problems elsewhere too. Anyway, in the United States, the class action suit is going away for a mere $30 million. That's all. Now, 23andMe is the genetic testing people, right? This is the website where you spit in a tube and send it to them, and then they profile your DNA. They make some scientifically dubious assumptions, tell you all about it, and then allow you to find your relatives, which is kind of cool. But unfortunately, that was done really badly, and they ended up leaking people's genetic data that way. So, whoops. Okay. $30 million. Yeah. Great.
[34:56]And one of the things Apple did over the summer, and it wasn't at WWDC and it wasn't at the September event where they launched their cool new camera phones with the button I wanted, it was in between. They released a white paper, which is so, you know, that's really going to get everyone's attention. It wasn't like a white paper to get people's attention. It was basically an essay about the balance between repairability and sustainability. And one of the things they promised was that they would be making it both easier to repair iPhones and doing so in a way that would not create a market for stolen phones. Because if you did that uncarefully, you could suddenly end up with it being valuable to steal phones again. Right now with Activation Lock, stealing an iPhone doesn't get you very far as a criminal, because you can't sell it.
[35:47]It's a brick. Whereas if you could easily replace parts, hypothetically, now there's something you can do with the stolen iPhone, so all of a sudden it becomes financially viable for criminals to steal iPhones again, which will be bad. But Apple have solved the problem by taking Activation Lock to the part level. So if you report your phone stolen, all the parts of your phone become marked as stolen and will refuse to activate. So as long as your phone isn't stolen, your screen can now be put into any other iPhone and it will work, and there's no more negative type of part pairing and stuff. And so repairability goes way up. But the moment your phone is reported stolen, it's not just the phone that's marked as stolen, it's the interchangeable parts that get marked as stolen. So you can still cannibalize a phone instead of having to have a new screen produced or a new battery or whatever, but if any of the parts in that phone or the phone from which those parts came was marked stolen, then you can't. Exactly. It's brilliant. It's really good. That's a subtlety I didn't get when I heard it reported.
[36:57]Yeah, I'm really happy, and this is great. So this is happening. iOS 18 is going to bring the software half of this into play, and the new iPhones are the first phones to have this finer-grained Activation Lock. And so going forward, repairs, screen repairs, swapping a Touch ID sensor, which is, I guess, less of a thing now, but, you know, it's a thing, swapping a screen, that all becomes way easier. So third-party repair shops can just swap these things around. If you come into them with two phones and say, make one that works, they can.
[37:31]Which is great. Well, I sure hope that the thieves read the white paper and understand they shouldn't steal phones now. It won't take long until, you know, they'll try it. They'll fail to sell the phone. They'll figure it out. Yeah, they'll figure it out. They're pretty smart when they don't get paid. Motivates them. Now, while you are off having an amazing time in Africa taking eye-wateringly beautiful photographs, I hope you plan on printing some of those on giant big sheets of canvas and hanging them in your sitting room with pride.
[38:02]In fact, some of them are of prides. I think the one you really liked was the silhouette of the buffalo with the sun setting in the background and all the dust they had kicked up. That one, and I'm real fond of the leopard in the tree. That one I think is maybe the best photo I've ever taken. If I were your interior designer, which I'm not, and I'm not even sure that's a good idea in anyone's house, apart from maybe my own. But you have a collection of three or four sunset shots which would make a really fun piece if you print them not too big and just arrange them as like a triangle and hang those together on your wall. They could be amazing. We do have some space in the room formerly known as Lindsay's bedroom. That is actually where we work out to Apple Fitness+, and we have put up some pictures. Like, I've got a great shot of this bay off the coast of California with the sun setting, and Steve's drone is right next to the sun. That's one I have printed there, but we've got some other space I think we could utilize here. A little triangle of them could be really beautiful, because you have.
[39:06]The orange of that sky is not the orange I'm used to seeing and the silhouettes you get are kind of cool. You know, Africa makes cool silhouettes.
[39:16]When the sun went down, it was a blue sky with a ball of fire going down. Nothing else. It was really, really boring. And then you just had to wait for it to light up. And then the whole sky would light up with this brilliant orange. It was a very delayed effect. I've never seen sunsets like that. Wow. Cool. Okay. Anyway, while you were doing that. Well, moving on. While you were having that great time and I was soloing the show, a news story broke that I gave the listeners a very quick "this is the takeaway" on, and I said I would come back when Allison is here and we can do the deep dive. So this is now the deep dive I promised everyone three weeks ago.
[39:53]So a news story broke that a new type of malware was doing the rounds on social media, again through ads. This is a thing now. I think my takeaway from the last six months of news stories is: tell all of your family never to click on an ad, ever, anywhere, because there is so much malware in Google ads, in Facebook ads. I don't even want to think what's going on in Twitter ads. I'm not even going there. They mightn't even be malicious in the traditional sense. Anyway, basically ads are where attackers are succeeding at the moment, and what they did while you were on holidays was a campaign. Now, it happened to be in Brazil, but it could be anywhere, where they would put ads on social media that appeared to be from a really popular bank in Brazil, and the ad said your banking app is out of date, click here to update.
[40:51]And they claimed it was an important security update, blah blah blah, and when you clicked it was the install button for a progressive web app. So you ended up with an icon on your home screen with your bank's name, and when you clicked on it, an app opened that looked like your bank. How many people do you think would fall for that and type in their details?
[41:12]I would. Right. So don't click on things in ads. So this is all down to something called a progressive web app, which in geekier circles is a thing, is a big deal. PWAs are a big deal in geekier circles, but I don't think they have filtered into the mainstream consciousness very much. I think they're quite niche. I will confess that I've heard the term a million times. And if you asked me for a definition, I would have thought it was when you go to a website and you say, put that in my Dock, and now it's a separate web app that I can run just like a regular app. That is not untrue. I don't think that's what it is.
[41:51]Well, you're describing the user experience. But the what it is is kind of interesting because it has some interesting effects. And it is not inherently malicious, but it is open to the squishy organic bit being tricked because the organic bits aren't all that aware of what's going on. So, believe it or not, a progressive web app is actually some HTML, some CSS, and some JavaScript sitting on a web server that is behaving like a normal web app, a Gmail client or something. But it has an extra file. It's called a manifest file. It's in JSON format. Those details aren't important. And the manifest file lists all of the assets needed to make the app work without the internet. And so a computer or a phone can download the relevant files in the manifest and save them onto the device. And then you have everything you need to create an icon on the desktop that you can click and it will just work. Whether you're connected to the internet or not. So you can have a cool fun game that works while you're in the airplane. You can have an email client that lets you compose emails and it will keep them until you land. And then it will send it because the app can have logic that works without the internet because it has this manifest file and therefore the phone was able to get all the pieces ready.
[43:15]They also get... That sounds like a good thing. It's a great thing. Like I said, the technology is not evil. It is being used for evil. A bit like chainsaws and chainsaw massacres. Chainsaws are amazingly powerful things, but, you know, don't apply them to arms.
[43:31]So as well as being able to work offline, which is already cool, a progressive web app has some superpowers. So it is just JavaScript, HTML, and CSS.
[43:43]The Progressive Web App Standard defines extra APIs. So, you know, you can say document.title to get to the title of a web page and stuff like that. Well, there's extra variables that JavaScript can access in a PWA that allow it to save data permanently.
[44:00]So a web page normally needs a web server's help to save something in a database running on a server, so more like your MySQL instance for your WordPress blog. But a PWA can save data to the phone's local hard drive so that the PWA can use it. Like if you compose an email while you're in the airplane. What does it do with that email? It saves it locally and it has these APIs to let it use local storage.
[44:23]It also is allowed to ask the phone for more information than a real website is allowed to ask for. Or sometimes it's the same information, but it gets to keep the permission forever. So the app can say, I would like access to location, and like a normal weather app it will pop up the standard operating system pop-up, and it will now have that permission forever, because the app is saved on your phone. And it can ask for camera access, microphone access, those kinds of things, and it can keep that permission forever, and it can use that stuff from within JavaScript. So you have a web app that's sitting in a gray area between a web app and a full-blown app, but it's still written in JavaScript, HTML and CSS. So it is limited in what it can do, but it can still do a lot more. And in the open source community, these are spectacularly popular, particularly in Android land, where a lot of these people spend their time, because you don't need to register as a developer to write a PWA. You can write software that runs on everyone's Android phone and stick it on GitHub or whatever, and it will just work. And you never have to prove your identity by scanning in your passport and prove your business details by getting your DUNS number and all of these hoops and things you have to jump through to become a developer in the Google Play Store or the iOS App Store. You don't have to do any of that. You can just write software that works on people's phones. And it's really cool.
[45:47]I want to do that. Right, exactly. And it's HTML, CSS, and JavaScript, which is such an easy technology stack. The barrier to entry is wonderfully low.
[45:56]Where things go wrong isn't technologically. This is fine technology. This is actually cool technology. But people aren't aware of it. So the user point of view is where things get interesting. Because what does the user see? The user gets an icon on their desktop that is visually indistinguishable from every other app they got from the App Store. And when they click it, they don't realize it's a web app because it doesn't get any of the browser frills. There's no address bar showing a URL. There's no back and forward buttons. It is a full screen experience. So it is, as far as you're concerned as a user, it is an app. Only it hasn't been through app review. So you're living in a world where what you hear on the news is Apple and Google are in trouble for antitrust because they're these gatekeepers and they're keeping that lovely Roblox, not Roblox, the other one, Fortnite people out of the app store. And so you have this vision in your mind that every app on my phone has been meticulously honed by these overzealous gatekeepers. Only here's an icon on your desktop that's like an app that has been looked at by no one. No one has ever looked at this. So a progressive web app then is just like putting an app on my Mac where I didn't get it from the app store. Yes.
[47:17]Yeah. Although these days, even that, if it isn't notarized, gives you a pop-up. So you'd have to go to Windows land to get an analogy or to Linux land to get an analogy. Because on the Mac, if it's not notarized, you get a pop-up and you get a message saying, hey, this came from the internet. With a PWA, you don't get that. And I don't think you even get that on a Mac from a PWA because they're sandboxed. So they can't do, like a PWA can't reach into the finder and grab a file from your My Documents folder because it's still a web app. It's just a web app plus plus. It's like a super web app. But it's still very, very limited compared to an app app. It's a gray zone, right? It's all this little gray zone. So it's very, very sandboxed, but it can do stuff. So you get this false sense of trust, especially on iOS, where you probably haven't heard about them because they're not a thing. And now you have this icon that looks exactly like your bank. And when you click it you get a page with no address bar that looks exactly like your bank. Even an experienced user is going to find it very hard to know that's actually a web page.
[48:19]And my advice is, whenever you're going to enter your details, look up, check the address bar to make sure that it's actually your bank's URL and not, you know, randomhacker.com. How do you do that? But if it's a progressive web app, can you see the URL? You can't see that. I'm sure if you press and hold on it and get it to give you extra options, you can go in. Before you download it. Oh, and before you download it, you're going to know where you are. And it probably says something like you're about to download an app from this URL. But if you've been tricked by the ad and you think it's your bank offering you something, you're probably not going to read it. You're going to go, OK, this is my bank. But after you've downloaded it, you can't tell that it's talking to, you know, bobsevilserver.com. Not superficially. I think you can press and hold and get details that way. Well, there's almost certainly extra, like, if you press and hold, there's probably options that wouldn't be there for a normal app. It probably looks different if you do that.
[49:20]But superficially, the answer is no, it just looks like an app. And that may have to change. It may be a case that on first run, a PWA needs to say, hey, by the way, I am from this website. And that will be very helpful. So there actually may be a need for PWAs to become a little bit more, mildly more friction. Not every week and every time you reboot make me say okay to every app level of bad like yourself and Adam had a great conversation about last time but more than zero friction.
[49:52]Now, you bring up something interesting when you talk about sandboxing, and this is kind of sideways from what we're talking about here, but definitely related. Alistair Jenks posted in our Slack at podfeet.com/slack a question about how, ever since macOS 14.6.1, if you do go to a web page and say save to Dock, like let's say my fabulous Time Shifter clock, you want that to be an app. You can say save to Dock, it goes into the Dock, and then it actually shows up as an app in your Applications folder. You can move it into there, and then you can run that just like a regular app. But he's noticed that since 14.6.1, and others have noticed, that those web apps can no longer select files for upload. So if you've got an app that requires you to upload a file, and you piped in and said you've seen the same behavior. That sounds like they strengthened the sandboxing. No, I think that sounds like a bug. Because what's supposed to be is if user interaction is involved. So the app, the web page you've saved to the Dock, it's like a really bad, it's not even a PWA, because it's not making use of the fact that it hypothetically could use extra APIs, because it's just a normal web page that you've told Safari to hide in the Dock. Pretend you're an app. Pretend you're an app. That smells of bug. Because you're supposed to be able to use, the whole point of the sandbox is a user action is supposed to succeed, but the app doing something behind your back is supposed to fail.
[51:18]Oh, oh, okay. But, so that's not part of sandboxing, to reach into your, I mean, a normal app would be required to ask for access to your files. No, not if you click File Open, because, sorry. If the app uses the standard Finder window interface, then it will count as a user action because you are using the operating system to fetch the file and give it to the app. But if the app tries to be like Photoshop, where it gives a custom picker, then the app is looking, not you. Or something like Hazel. Oh, Hazel's perfect. Hazel's off doing things where you're not interacting. Yeah, yeah, exactly. You told it what to do, but it's doing it on its own. Exactly, and that has to have permission. Yeah, which is why Word doesn't need permission. Okay. Because you are going file open. So that's you using the finder. No, I don't use Word, so I'm never saying file. Pages. Pages. Excel, your favorite friend, Excel, right? Yeah. There you go. Yes. I'm becoming a big Excel fan. Okay, I'm glad I asked that question. I went to a training course about Excel, and I learned new things. I learned you can name cells as variables, and then you can use them in all of your formulae with names. This has blown my mind. This has blown my mind. It's amazing. I believe that's been around for about 20 years, but I like your discovery. That's really fun. It was so fun. It was so fun. That's fun. I think I may have squeed. Anyway, it was great. So...
[52:48]All right, well, this is good. I'm glad I asked the follow-on question, because I've been confused about PWAs versus just saving to the Dock and having that be an app. So that is an interesting distinction. Well, very interesting. So don't click on any ads ever. You know what I do? There's some things that they advertise on TikTok where they're just such effective ads that I just really want this thing, so I'll go out to the web and I'll type in the name of the thing. Yeah, that's what I tend to do. I see something advertised on, say, one of the Mac websites. One of the Mac websites in my RSS reader regularly advertises things that I'm like, you know your audience really bloody well. I don't think you're doing any ad tracking. I think you're just advertising this stuff on a website full of geeks, and this is perfect. And I end up just firing up my Amazon app and typing it in and buying it, for less, often, which is a bonus. Actually, we should have a talk about that sometime. I really like buying stuff through Amazon, because I know where all my receipts are and I can search it and everything. But if I find it organically, I feel like I really should give them the money directly instead of having them have to pay Amazon. But I don't really like it all in Amazon. I can sit and have the argument by myself. What's convinced me I like Amazon is that here in Ireland, Amazon use 100% recyclable packaging. It's all paper or cardboard. There's no plastic. And they have electric vehicles now delivering to my door.
[54:15]Sweet. I have seen some electric vehicles in my neighborhood, but I think it was actually FedEx who had them. Here, the Dublin Depot has a lot of electric, I think they're Mercedes, actually. And we are within range, so we get the EVs. Hey, electric vans. They're not electric vehicles, they're electric vans. It's still EV.
[54:37]Anyway, so that's our deep dive, which then brings us to our bread and butter, action alerts. Yeah, so Patch Tuesday, yet again. Only 79 from Microsoft, which, 10 years ago, that was a bad month, but nowadays that's quite good. Seven critical. Again, 10 years ago, that would have been a ooga, a ooga. Yeah, only four of them under active attack. Patchy, patchy, patch, patch is the answer here. There's two notable bugs. There is a zero-day that has been under active exploitation since 2018. That sounds worse than it is, but it's kind of interesting. You know the way on the Mac and on Windows, when you download something from the Internet and you try to run it, it says, hey, you got this from the Internet. Are you sure?
[55:31]On Windows, that system is called the Mark of the Web. It's like the executable has been branded as being a webby thing. And this vulnerability let malware remove the Mark of the Web. So the malware could phone home to a command and control server, download malware and run it without you getting the pop-up saying, hey, you're running something from the Internet, because they had stripped off the Mark of the Web. And so this fixes that little loophole they were using to turn malware into bad malware. You still had to have malware, but this helped the malware become badder malware. So it's good to see it nipped in the bud. And the other one that was interesting, there was a bug. There were some version numbers on some components of Windows that were optional installs, not used by that many people, thankfully. But their version numbers had multiple dots, and they were strings instead of numbers. And the logic for checking if you were fully patched got the math wrong, because it wasn't really math, it was strings. A very subtle programming bug. Basically, Windows Update was like, yeah, yeah, you're patched. Only you're like 10 versions behind, because the math was wrong.
[56:37]Remember that string versus numbers thing when we get to our palate cleanser. Yes, I saw. Oh, yeah, that's a really good point. Yeah, it's perfect. Because it was Patch Tuesday, it also means that Adobe did some patchy, patchy, patch, patch, and Google did some patchy, patchy, patch, patch. The Android security update is out. It fixes 40, sorry, 34 vulnerabilities, including one under active exploitation. If you can, patch. If you can't, get a new phone, I don't know. And I did skip over one little thing. If you are running an older version of Windows 11, you're going to be forced to upgrade to version 22H2, which means the version from two years ago is the new baseline, which I don't think is unreasonable for Microsoft to say: if you're running a Windows 11, you're not getting any more security patches if you've staged yourself back by four major versions of Windows 11.
[57:34]Wait a minute. Windows 11 isn't end of life. That's the current version. So Windows 11 is... Oh, Microsoft have been so tricky here, Allison. You're lucky not to know this, but there isn't a Windows 11. There's lots of Windows 11. There's two of them every year. Oh, yeah, I know that. I know that, but you just said if you're running Windows 11, you're going to be dialed back. No, no, if you're running Windows 11 22H2. So you can choose to stick on one of those six-monthly ones, and you still get security updates. So your features are stuck two years in the past, but you're still getting security updates. So Windows 11 is not a useful term, because you could be on eight different operating systems. They're all branded Windows 11. You can choose to stay behind and still get security updates. And Microsoft have said that, I'm sorry, but if you're two years behind, you actually do have to get caught up before we'll give you more security updates.
[58:28]Okay. I'm just going to let that go, because I didn't understand any of that. I don't see any reference to Windows 11 in the show notes, Bart. Well, it's because it's called Windows 22H2. I promise you the people who need to read this understand it. And the people who don't understand it don't need to read it. I promise you both of those things, in fact. Okay.
[58:54]It's actually not called that in the show notes either. It says, oh, actually that part does. Okay. Anyway, it is now a thing that I tell people: you should get into the habit in the evening, maybe before you go to dinner or something, of shutting down the browsers you have that are not part of the operating system. Because Firefox and Chrome, and depending on what operating system you're on, Edge, in fact, unless you're on Windows, Edge is not part of the operating system, they auto-update themselves on restart. And so if you do what I used to do, which is start my browser in September and leave it open until I reboot my computer in November or December, then you are not getting your security updates to your browser. And we are now on the 10th actively exploited zero-day that has been patched in Chrome this year. So it is kind of a thing that you really should cycle those browsers, and they now remember all of your tabs and they're very quick to start up. So it's not the chore I remember it being years ago. So I now just have a habit that when I finish up in the evening, when I close down the lid of the laptop, the browsers are off. And then the first thing I do in the morning is open Fantastical and my browsers. And then maybe my mail client.
[1:00:16]It's just, as I say, 10 zero-days. My family uses Chrome. I'm going to tell them to do that. Actually, I think someone in my house uses Chrome. I don't keep my browsers up except for Safari, so I should be okay. Which is handled for you by Apple, so you don't worry about it. That's taken care of. And in related news, probably quite related to those 10 zero-days, Google have increased the reward for their bug bounty program for Google Chrome. You can now get a cool quarter of a million for a serious bug in Chrome, which definitely makes it more attractive to give it to Google so they can patch it than to sell it to the cyber criminals, which is the economics you want to achieve. So that is a good move by Google.
[1:01:00]I used to be a big fan of an app called Pidgin that used to let us use lots of different messaging protocols all at the same time. And it was really, really cool. And it's open source. I loved Pidgin. That's how we could do AIM and all kinds of things all in the same thing. That was a lovely little app. Yeah, it still exists and is open source, and it's cool and it has a plugin architecture. And unfortunately some evil so-and-so abused the open nature of the project and put some really nasty malware into one of the common plugins in the plugin system for Pidgin. So if you're a Pidgin user, have a read of the Bleeping Computer article to make sure you're not a user using one of these really quite badly booby-trapped plugins. I didn't know Pidgin was still available. Yeah. It just doesn't do Twitter and the things that a lot of us like these days because they're not open protocols. But it still does the open protocols. We don't like Twitter anymore. No, that's the wrong word. It also doesn't do Telegram or WhatsApp or any of these ones with closed protocols. There you go.
[1:02:06]I may have mentioned once or twice that if you have a router that doesn't get firmware updates, you need to remove it from your network. Just to prove my point, there is a once popular router from D-Link, the DIR-846W, that is now under active exploitation because now a critical bug has been found. And D-Link have been very clear. We're not patching this. This thing is obsolete, delete it. It is not going to be patched and it is absolutely being hammered at the moment. And this is just a thing now. There is a botnet that is going around hoovering up routers and VPN appliances that are not patched, the Quad7 botnet, but you don't really care what botnet it is. The point is this isn't hypothetical. If you have an unpatched router, it could be attacked. This is happening. This is real. This is going to happen if you leave something unpatched on the internet for long enough. It will get hoovered up and you will be part of a botnet, which could be tasked to do anything, because that's kind of the point of a botnet, right? It could be doing anything and it could get you in trouble because your IP is associated with whatever that botnet is up to. Right. Moving us into worthy warnings.
[1:03:25]This first story is just ick, but I think it's important that we put people on guard. It's been a few years now since the first time some evil genius had the idea that if you take leaked passwords, you can use them to make extortion attacks seem more real because the leaked passwords are real. So if I send you an email out of the blue saying, hi, I hacked into your computer. I have videos of you on your webcam doing something naughty. And if you don't pay me a Bitcoin, I'm going to leak those in the public. That's scary, but you're probably not going to believe it. If they say, hi, I know your username is boopityboop and your password is wafflespancakes.
[1:04:06]And dot, dot, dot, dot, dot, that adds a layer of believability. And because there are so many billion password leaks, that's quite easy to do. And there was a time about two or three years ago where within a week, about five people in my circle of friends and at least one person in your circle of friends were attacked like this. And you messaged me on Telegram as I was about to message you on Telegram, and we were able to put all of our friends and family at ease. Might even be three or four years ago now. It's been a thing. Well, that same concept has not gone away, and it's been in the background, but within a week two new variants have come out, two new takes on the same evil idea. So another thing in data leaks these days, I guess recently with that one from the credit bureaus is probably where this is coming from, is physical addresses. And if I know your address, I can go to Google Street Map and I can get a picture of your house. So just include that in the extortion. Sure.
[1:05:08]Makes it more believable at first glance. Oh, I see what you're saying. I know where you live. I know where you live, and here's a picture, right? In reality, all they have is stuff from a data breach and public information. But goodness me, if that comes at a novice user out of the blue, that's terrifying. That's evil genius again. We're back to evil genius. And the other new one that just came out of the blue and hit lots of people all at once was a variant where they say we have evidence that your spouse, with your correct name and their correct name, is cheating on you, pay us money and we'll share the evidence with you. And this has almost, this has with pretty high confidence been linked to a data breach at a specific wedding planning site called The Knot, because some victims or some intended targets shared the details with Bleeping Computer, including the fact that they had accidentally typoed their name on The Knot and the extortion emails had the same typo.
[1:06:10]Oh, wow. Huh. The big thing is these are fake. These are things using information in data leaks in such a way that makes it feel like you're under a real attack by a real person who knows real information about you. But it's fake. Okay. Delete them, throw them in the bin, get on with your life. That's one of the classic, excuse me, classic manipulation techniques is to interweave facts with fiction, and that makes the fiction believable. Precisely. Yeah, absolutely. It's very clever manipulation of human beings. It's attacking the squishy organic bit. And so forewarned is absolutely forearmed. So that's what's happening here, folks. It is doing the rounds. Your friends and family and or yourself are likely to get one of these sooner or later. Put their mind at ease. It's not just them, it's fiction. It's creative fiction, leveraging the fact that the internet is leakier than a sieve. And we're all in data breaches, I promise you. The question isn't whether, it's how many and where.
[1:07:19]Right. And the last warning, while I'm still in ick territory, I've stopped telling you every single attack targeting developers, but I am going to share one new one because it doesn't really target developers, it targets computer enthusiasts. If you're using an open source app and it's buggy and you Google for help, one of the places you're likely to end up if that app is hosted on GitHub is on the GitHub page for the app you're trying to use. And if there is a comment in an issue that matches your search term, you're likely to end up on that comment. And that comment may offer you help, like run this PowerShell command and it will magically fix this problem you're having with this Windows app, or download this EXE file and it will magically help you with this problem you're having with this Linux app. Unfortunately, I've never used any of those, Bart. Absolutely. Well, unfortunately, the attackers are now booby-trapping answers to issues on GitHub with malware. Yeah.
[1:08:26]So this is why we can't have nice things. Precisely. So my advice to people is if you get some PowerShell or something like that, if you don't know what it does, don't run it. If you have it, you can go look up what it does and then run it. And so I still use scripts and stuff I get from Stack Overflow and from GitHub and stuff. But there's a step in the middle where I take the name of the function that's in their script they've told me to run and I stick the function name into Google, and it will give me the API documentation about the function, which will start with a paragraph that says this function allows dot dot dot. And if it's malicious, it's going to allow something you didn't want, because it won't match what the English said it would. And the English will tell you this will help you with blah blah blah, only the documentation will say nope. It does something else. Huh. Okay. So there is a way to check it. That's good. Yeah. Yeah, that's been working for me anyway. And thankfully, this is the kind of thing that more advanced users tend to be caught up in. Therefore, they have the skills to do the extra little bit of homework. Just double check the answer and then type it in. Right, so that brings us on to notable news. And I would love to say it's all good news, but I'd be lying. But we have amazing palate cleansers on the way shortly.
[1:09:46]Okay. So there have been rumors for a long time that ads listen to people on their smart devices, and they generally get poo-pooed as, no, no, it's just coincidence, or tracking your web activity is so accurate that they don't have to listen to you to know what you're doing. It's not them listening to your microphone. And 99% of the time, that's probably true. But we now have a second piece of evidence that an American company was selling a product promising to do exactly that on operating systems where you can get away with that kind of thing. So the company was Cox Media, and they offered a product, what was it called? Active Listening. And the PowerPoint deck advertising the product to potential customers has leaked. And it has such choice, like the pitch to the user or to the potential customer is the power of voice and our device's microphones, which is definitely not ominous. Followed by the bullet points: smart devices capture real-time intent data by listening to our conversations. Advertisers compare this voice data with behavioral data to target in-market customers.
[1:11:06]But this rings a really strong, this rings a really strong bell from a long time ago. We've seen, we've already seen this. This does not sound new, right? This is why I'm saying more evidence. So there was, there was less convincing evidence of this very product about a year ago from one of the blogs that reports on the media, Advertising Times or something like that. And this is now, no, 404 Media. And this is now follow-up reporting with stronger evidence, because the last time this was poo-pooed a lot because the evidence they had was circumstantial. They've now come back with more evidence. An important takeaway here is that this is impossible on iOS and macOS, because an ad can't just listen without you being given a pop-up, and none of these ads ask for those pop-ups. They look, they check the operating system and then don't do anything in an operating system that would give the game away, because you have to be stealthy for this kind of thing. So a lot of people are safe from this, but if you're a Windows user in particular, you're in a lot of, particularly older versions of Windows, where there's absolutely nothing going to pop up if your microphone gets activated.
[1:12:22]So current versions of Windows, they still can? I don't use Windows 11 enough to say a fact, so I didn't say a fact. Well, your written text does say that. It says it seems that at least on Android and perhaps also on Windows. I mean, that's damning. I think there are now pop-ups. Okay, if you're running Windows 10, you're definitely at risk here because Windows 10 definitely doesn't have any of those kind of things because it's old at this stage. But I don't know about Windows 11, so that's why the word perhaps is in there.
[1:12:56]So it's not in the article at all. It doesn't talk about Windows. Yeah, exactly. I'm doing a search. No, it doesn't. That's why I'm trying to be helpful while not saying more than I'm comfortable saying. Perhaps. Okay. So the article says on Android, but so I don't think we should assume that it's true on Windows. I'm not assuming, I'm saying you might be at risk. Because I can't say you're not. Okay. I'm being defensive. I don't want to give a false sense of safety. Yeah, but it's sort of like, you know, Bart may have committed that crime. I don't know. I don't have any evidence that he did. But he may have. That's kind of what that sounds like. Don't take it that way. This is definitely a danger to people on older versions of Android, and it may also be a danger to people on Windows. Remember, the point of view is the user, or should the user be concerned. So it may be on Linux too. Oh, definitely on many versions of Linux. Okay. All right. We can discuss the copy when we're done with this. But okay, this is great. So they had this product, but did it actually go into place? We haven't found hard evidence of it in the world. We just know they were selling it. So at the very, very, very least, this is deeply icky. And one of their big customers is a small little company called Facebook. Which is very disturbing. And at least Cox Media Group is a small company that nobody's ever heard of. Yeah, definitely not a major big name, definitely.
[1:14:25]Now, the Dutch have been extremely busy. And I get to make use of the fact that I speak Dutch to say that their data protection authority is the Autoriteit Persoonsgegevens. And they have fined two rather large companies for breaching the GDPR, proving that this legislation, which people were very sceptical about, really does have some teeth. Uber are getting a third fine, and I'm afraid you don't get 20% off on your third fine. You have to pay the full amount, which is a whopping 290 million euro or 325 million US dollars, because they were caught again moving data on EU users to their US data centres without bothering to put in place the data protection processes that you are supposed to put in place when you do these kinds of data transfers. Perfectly fine to transfer the data, you've just got to do your homework. You've got to do it in such a way that it's safe and it protects user privacy. And Uber forgot. Imagine Uber, of all people.
[1:15:24]And in a similar vein of colour me completely and utterly surprised, Clearview AI were fined as well for collecting photographs of Dutch citizens and using them for biometric profiles without their clear consent. Because that is literally their product. So yeah, 350 million. I don't know if they have offices in the Netherlands, so this may be a fine that is impossible to enforce. But nonetheless, they can't come into the Netherlands now because they'd have to pay that money and stop doing what they do.
[1:16:00]And their neighbours, the Irish Data Protection Commissioners, are also busy, but they haven't finished. They have started but are not yet finished, and they have launched an inquiry into whether Google is collecting AI data appropriately within Europe. Basically, are Google breaking the GDPR by how they are hoovering up data for their AI? And Google's European headquarters are in Ireland, which is why the Irish Data Protection Commissioners are doing this heavy lifting. So stay tuned. We have talked a lot about WordPress plugin vulnerabilities. And I've stopped listing the individual vulnerabilities because they happen all the time now. I have a piece of news here that will make that happen less, hopefully. Every developer whose plugin gets into the official WordPress repository of plugins will now have to have two-factor authentication. So what happened while you were in Africa was that two major plugins were effectively hacked because someone stole the login details for the developer and uploaded malware into the plugin's place on wordpress.org.
[1:17:17]Now, to get stuff onto wordpress.org, you must have strong authentication. So it will be much harder to spoof legitimate developers. This is good. This is responding. Wait a minute. So how does 2FA for logging in keep you from spoofing? I mean, I can still be, you know, I don't want to keep picking on Bob, but Bob's bad plugin developer, and I can put it in there, and I can log in, just like before, and I just have an authentication code. How does that make me less able to put garbage in there? It doesn't stop you, who has no reputation, putting up a small plugin that will then have no downloads and have a hard time convincing people to install it. What it stops is a much scarier thing where you have a plugin that's really popular and you phish the username and password of that developer. Oh, okay. Okay. You're the legit plugin developer. I'm the bad actor and I try to be you. Yes. But if you've got two-factor, if you've been forced to use two-factor, then it's basically just securing the people who are doing the legitimate work. Bing, bing, bing, which is very important. Okay. Because that was how it went wrong. Legitimate plugins were hacked because of poor authentication, therefore allowing them to upload a fake version of a real plugin.
[1:18:34]So, good. It was a good response. And I am very happy, and I'm sure there are other people similar to me who are very happy, that one of the favorite long-time tools of naughty people who send out evil emails is ActiveX controls in Microsoft Office documents in general, be they PowerPoint, Excel or Word. And that is a real way to get basically malicious code into people's devices: send them a Word doc and tell them to double click it, don't worry about that warning about ActiveX, just click yes.
[1:19:07]That social engineering won't work when support for ActiveX is just gone from Word. And that is what is happening in Office 2024. Unless you have... Oh my gosh, why is this not already dead? Come on. I know, I know, I know, I know. But thankfully, ding dong, in 2024, this witch is finally dead. So yay. Jeez. I'm going to back us up a little bit. Okay. I was trying to do a little bit deeper dive on the listening to your device or activating your microphone problem. And we were talking about how Apple doesn't allow you to do that. On Android Central's coverage of the same story, they talked about Android devices and Amazon Echo devices have two safeguards. One is they only listen for a specific keyword. So it has to hear Alexa first, or whatever the Google Assistant word is, and they do have, on Android devices, they have a status bar icon that shows a microphone.
[1:20:08]So there is a way for you to know on Android. That doesn't necessarily mean it's going to stop it from doing it, but you do have the kind of safeguard of a microphone that we have on our devices. Good. The harder this is to be a productizable idea, the better. They've had the idea, and they've had it well enough to stick it on a bloody PowerPoint deck. But the harder this is for them to do, the better. So I'm very happy. Also, you add another amazing piece of value. Your ability to multitask, which continues to blow my mind, is something that is... Well, you give me too much credit. You're assuming I'm doing a good job of listening to you while I'm doing this. But I figure part of this you can roll on your own. But it also wasn't just Meta, but it was Facebook, Google, Amazon, and Bing were all partners of Cox Media Group that were at least approached with this active listening ad targeting, according to 404 Media, who broke the story. But they also don't mention Windows on Android Central. I know.
[1:21:09]Like the Mac people didn't mention Windows because they don't care. And the Android Central people didn't mention Windows because they don't care. So we're left kind of going, oh, they're on Windows Central. Who should have reported on this? But no, no. But they mentioned Alexa. So they did mention other platforms. I would love to say you're safe on Windows, but I don't know if we can. I wish someone had just. OK, I'm not saying you should say we're safe on Windows. I'm saying you shouldn't throw shade on them if they're not even mentioned anywhere as being part of this. Update the copy to say we don't know about Windows, because that's the problem. That's what I was trying to say. I can't promise you you're safe. I can promise you you're safe on the Mac. I can promise you you're safe on iOS, but I don't know about Windows. So update the copy so that it basically says that, because that is my total knowledge on the situation.
[1:21:59]Now, we are heading in the vague direction of true palate cleansers. This is still cybersecurity related, but it is interesting. So I came across an article over on thehackernews.com that struck me as being amazingly well written and a fantastic explanation of what is, without a shadow of a doubt, the single most effective attack being used by real adversaries in the real world today, a so-called adversary-in-the-middle attack against multi-factor authentication.
[1:22:33]And this is now available as malware as a service. So you can buy access. So basically one set of cyber criminals do the heavy work and they sell their efforts to other cyber criminals who don't have the skills. And then those cyber criminals can use the malware by the first cyber criminals to attack victims. So the whole problem of adversary in the middle, at the end of the day, looking up at your address bar is still your best defense from any of these kinds of attacks, which is why I keep telling people when they're on the internet and they want your username and password, check the address bar. And that is still the best defense. But this explains what the attackers are doing, how they're doing it, and they do it in a really friendly way, which surprised me because it's actually a paid post by someone selling a product, but 80% of the post is fantastic content and then they flip into ad mode, so basically you can just turn off at that point, which is what I did. I'm just really impressed at how well they've written it, so I figured I would share it with our listeners, which is not something I say often about The Hacker News, because it's jargon heavy sometimes. Very.
[1:23:35]Speaking of jargon heavy, I'm going to ask you to spell things out, Bart, in the show notes. Okay. This section says AITM, and then immediately later says ATM, and then it says AITM. And you're talking about two different things, and I didn't know what you meant on either one of them. Now, hearing you say it out loud, I think AITM means adversary in the middle. Correct. Which is not a kind, we don't have that as an acronym that we know, AITM, and the T would probably be lowercase if it was. And ATM, I read it and I was like, what do ATMs have to do with this? And then I realized you meant at the moment. So stop using all the acronyms. I'm sorry. At least define them. Sorry. Yeah, it was a long sentence and I may have been typing on my phone. Noted. Noted.
[1:24:19]Okay. Especially since they looked identical too. I was like, is that a typo? The other thing is AITM is the gender non-specific version of man in the middle. Sure, but you didn't say that. You said A-I-T-M. Yeah. No, just saying, just saying that to the audience. Yeah, sure, sure. But since we're talking about it anyway, since you brought me back, I get to throw that in too. The other thing I want to recommend is make yourself a big cup of coffee and sit down. It's a Wired article, so it ain't short. Apple Intelligence promises better AI privacy. Here's how it actually works. Okay. Oh, cool. And I suggest using reader mode because it's impossible to read Wired at all because of the ads. It's not possible. Like if you look at it on an iPad, you cannot read it. Everything like the close button on the pop-up ads isn't visible. It's terrible. Used to love Wired. I read it in my RSS reader, which automatically only shows me the text. It's amazing. Nice. Nice. Okay.
[1:25:21]Interesting insights then. Apple released a white paper, which is never a thing that I would say is approachable. It's an academic journal paper. It's intended for an academic audience. Thankfully, the people at Cult of Mac have written us a summary. So Apple shows why it's ahead in AI, not behind. The short version is that Apple have focused on cleaning the data before they shove it into their AI. So don't teach it on the whole internet, filter what you teach it on, and let it learn only the good stuff. Whereas the approach other people take is teach it on everything, and then filter the answers to remove the bad stuff. So stop it being a Nazi after you've taught it all about Nazis. Back up, back up, back up. How do you clean data beforehand? How do you know what's good or bad? That's a lot of work. So what you're doing is you're choosing your sources. You're not taking stuff off Twitter and stuff. You're scanning the stuff beforehand for Nazi content and you're filtering the input instead of the output. Okay. So if you don't want to make a Nazi chatbot like Microsoft did, don't teach it that stuff.
[1:26:32]Yeah, I mean, I understand conceptually it's the, how do you exactly do that? It takes a lot of work is the answer, which is why everyone doesn't do it. And some of it involves opening your wallet a lot. So Apple do scrape some stuff from the web, but they also have deals with people like the New York Times, and they were not cheap. But that means Apple get to learn on the entire back catalog of the New York Times, which is a much better source than some random person on Reddit. As much as we all love Reddit, it's not the New York Times. So it's an interesting summary. So I definitely thought it was worth a link. But the point is, it's a really good summary of what would otherwise be completely inaccessible to us.
[1:27:14]And then you may notice in the news section, I completely did not mention the very controversial story about the arrest of the Telegram CEO in France. That is because I don't really think there's a security message. There's no, it doesn't change the reality of using Telegram. So I don't, it's not relevant. But if you're interested, because it has an effect on the tech industry, then Ted did an interview with a social media and a privacy expert discussing the actual nitty gritty of this. It's a very reasoned, intelligent discussion, and it struck me as being informative and useful rather than alarmist. And so I figured I would link it here instead of me trying to talk about this, which I didn't think was worth my time. And I was terrified of, you know, trotting on some sort of a city landmine. So there you go.
[1:28:10]And now, Allison, you may take the very fun lead in cleansing our palate, because I really, really, really like your choice here. Oh my gosh. So I think this will be slightly humorous to normal humans, and to the programmers in the crowd it'll be spit coffee out your nose funny. Someone who calls themselves Shizanon at Mastodon.social, S-C-H-I-Z, anyway, posted the hardest problems in computer sciences. Number one, cache invalidation. Number two, data standardization. Number three, naming things. Yeah. How many times have Bart and I argued about the way he names variables in Programming By Stealth? Every dang time. Number four, compound Booleans. Number five, determining whether a value is a number or a string. You brought up that very thing in one of the stories earlier. Number six, time zones. My favorite thing on earth. Number seven, tolerating your co-workers. Which is where the arguments about naming things come right back into play.
[1:29:14]Oh my gosh, I love that. It just made me laugh so hard. So true. It's funny because it's true. All right. That's my palate cleanser. I have a two in one. I'm going to link to a specific episode. It's 15 minutes long. It's episode 14 of a podcast called Uncharted, which is a podcast about math, but it has no math in it ever. It's by an amazing creator who works for the BBC called Hannah Fry. She is a mathematician. She's also a STEM communicator, and she's a really good STEM communicator. And the podcast, the hero always uses math to solve the problem, but the problems could be absolutely anything. And the episode I'm linking to is called Whispers from the Cosmos. And I'm not going to spoil what it's about, because that's kind of the fun of these little 15 minute episodes is they don't tell you upfront what they're going to tell you. They tell you through a story and you find out as you go. But the hero of our 15 minute tale is a North, a Northern Irish scientist whom I have been a huge admirer of for many years called Jocelyn Bell Burnell.
[1:30:25]Who was a groundbreaking female voice in STEM when it was excruciatingly difficult to be such a thing, and her supervisor ended up taking credit and prizes for her discovery of quasars. Sorry, pulsars. She discovered pulsars and her boss... Wait, a woman had a man steal credit for her work? That's breaking news. I know. Now, there's a wonderful twist in the tale. About three or four years ago, she was awarded a $3 million prize for her work retroactively. And what did she do with it? She didn't keep a penny of it. She created a scholarship for girls in STEM.
[1:31:06]The Jocelyn Bell Burnell Scholarship. This woman is amazing. She is the hero of this story by Hannah Fry, who is also amazing. So if you have a girl who is interested in science and you're afraid it could be beaten, you know, society could ruin that, this is an inspirational podcast episode. This will help all of the girls interested in science not lose interest. Stay with it. Go with it. Follow your heart. Go into STEM. All right. Right. So I'm going to add Jocelyn Bell Burnell in my list of potential names for future pets. Oh, yeah. You want a cat called Jocelyn. I mean, Feynman's in there. Why not Jocelyn Bell Burnell? If she has ever done a TED Talk or something, if you can find anything by her on YouTube, watch it. She is such a great communicator and she has a Northern Irish accent. So she just wins every which way that way.
[1:31:57]But yeah, you and Jocelyn Bell Burnell, she's your people. She's absolutely your people. I had the pleasure of meeting her. All right. Well, does that wind us up, Bart? That does wind us up. I figured one really good palate cleanser from each, and I got rid of the other ones that were only mediocre. So, folks, until next time, remember, stay patched so you stay secure. And I nearly forgot my line. Well, the live audience voted I should leave in that last little crack of Bart's there. Anyway, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. And hey, look to see if last week there's two episodes, because I bet there is. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon like Trevor Drover does, or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time.
[1:33:13]Music.