NC_2024_09_29
This episode covers Apple Bias in tech accessibility and privacy, featuring Bart Bouchats and Helma Vanderlinden discussing xkpasswd-js for password generation. It also critiques data breaches and emphasizes ethics in programming and UI design.
Automatic Shownotes
Chapters
Long Summary
In this episode, we delve into the complexities of Apple Bias and how it intertwines with technology accessibility, programming, and user privacy. With a catchy introduction acknowledging the episode number—1012—this installment explores the nuances that arise when combining advanced concepts like the Model-View-Controller design pattern with everyday applications.
The episode features an enlightening discussion with Bart Bouchats and Helma Vanderlinden, who guide us through their projects, specifically focusing on their latest endeavor: xkpasswd-js. This project enhances password security on xkpasswd.net by generating memorable yet strong passwords. Despite some initial confusion on my part about the implementation of the Model-View-Controller structure, both Bart and Helma exhibit immense patience and clarity, ultimately making complex ideas accessible.
Transitioning from programming to real-world applications, I share my experience preparing for a workshop at MacStock, where I introduced techniques to improve presentation quality. I emphasize the importance of accessibility features like screen zoom. Additionally, I explore several apps designed for annotating presentations, specifically highlighting Presentify, an affordable tool to draw attention on screens. This app has proven effective in drawing the audience's eye to critical content, demonstrating how thoughtful design can foster an engaging experience.
In the latter part of the episode, the focus shifts to navigating the crowd of digital media. I disclose how I utilized Keycaster, an open-source tool that captures keystrokes during presentations. This application, while offering a unique solution to highlight typing, also presents certain quirks that require users to familiarize themselves with its setup and functionality. The episode explores installation methods and usability, stressing the importance of tools that simplify tech interactions.
The conversation also takes a critical turn towards security, examining the implications of recent findings about compromised data and security protocols, such as in the case of Kaspersky and various social media companies. We address the prevailing sentiment surrounding corporate transparency in the event of data breaches and the changing landscape of regulations affecting tech companies like Meta and Apple.
Ultimately, the episode encapsulates an extensive analysis of the interactions among programming practices, user interface design, digital privacy, and corporate ethics, all while introducing useful tools that empower users to enhance their digital experiences. The discussions blend technical details with practical advice, illustrating the ongoing evolution of our relationship with technology in today’s fast-paced environment.
Brief Summary
In this episode, we examine Apple Bias and its effects on technology accessibility, programming, and user privacy. Guests Bart Bouchats and Helma Vanderlinden discuss their project xkpasswd-js, which generates strong, memorable passwords. I share insights from my MacStock workshop on improving presentations with accessibility features and tools like Presentify for engaging audiences. We also explore Keycaster for capturing keystrokes and critique recent data breaches affecting companies like Kaspersky and Meta. This discussion connects programming practices, user interface design, and corporate ethics, offering tools to enhance digital experiences.
Tags
Apple Bias
technology accessibility
programming
user privacy
xkpasswd-js
strong passwords
MacStock workshop
accessibility features
Keycaster
data breaches
corporate ethics
digital experiences
Transcript
[0:00]
NC_2024_09_29
[0:00]Music.
[0:08]Apple Bias. Today is Sunday, September 29th, 2024, and this is show number 1012.
[0:16]Okay, Steve says I should have said a thousand and twelve, but that's too many syllables, so maybe I'll go with thousand twelve? One thousand twelve? I don't know. We're gonna have to come up with a consistent way of naming these, but I'm getting used to this four-digit number thing, okay guys?
[0:31]
PBS 171: MVC in XKpasswd-js
[0:31]In Programming by Stealth this week, we had a very unusual lesson. Bart Bouchats and I are both students, while the instructor is the delightful Helma Vanderlinden. We learned about Model-View-Controller last time with Bart, kind of the structure and what it's for and why you would have this design pattern for how you organize your code. But this week, Helma teaches us how she implemented this Model-View-Controller thing for our project xkpasswd-js. That's the project that's controlling the code that you see when you go to xkpasswd.net to generate your long, strong, and memorable passwords. Now, I'm confused a lot in this episode, but with Helma's patience and Bart jumping in from time to time to clarify things for me, and sometimes Helma has to clarify things for Bart, I think they succeed at helping me understand this newfangled structure of our code. I should mention, by the way, I'm calling it newfangled, but Model View Controller's been around for more than a decade. I forget how long, maybe it's 20 years. In any case, look for Programming by Stealth in your podcatcher of choice, and you can follow the link in the show notes to follow along with the show with Helma's fabulous tutorial show notes.
[1:46]
Annotate Your Screen During Presentations with Presentify
[1:46]When I was preparing my workshop for MacStock, I knew that I'd be in a big room with the audience pretty spread out and far away. I was going to be teaching my Tiny Mac Tips series, so it was going to be a live demo. I started looking around for some apps to help make the experience better for the audience. The first thing I knew I would use is the Accessibility setting that allows you to scroll with your trackpad or mouse to zoom in and out on the screen. If you haven't ever enabled that, no matter your age or visual acuity, I highly recommend having it enabled. To enable the feature, you open System Settings, Accessibility, and go to Zoom. First you toggle on Use Scroll Gesture with Modifier Keys to Zoom. The default modifier key is Control, but you can choose to change that if you like. The default zoom style is fullscreen, which I favor, but you can change that behavior too. I do like the fullscreen best, so I don't change anything in here other than toggling it on. You can play with the options and see which makes the most sense to you. Once you have this scroll to zoom feature turned on, it's handy for your own needs like trying to see the ever-shrinking road names in Apple Maps, but it's terrific when doing a presentation. During Mac Stock, I probably used Control-Zoom 30 or 40 times to show people what I was doing on stage. In fact, I taught it as one of the tiny tips, and then every time I used it, I mentioned that I was using that same thing, Control-Zoom, so they could see what I was doing. And I think if they remembered anything, it was probably to do this one feature.
[3:16]So you do have to get into your mindset to always picture yourself as sitting in the back row and trying to see. While you're picturing yourself in that back row, also remember to repeat the questions when people ask them and they're not on mic. It's one of my biggest pet peeves when someone on stage doesn't repeat a question because they heard it just fine, and you know the people in the back or the people who watch it recorded later can't hear. So you'll often hear me in the middle of a presentation going, repeat the question, even if I could hear. I'm doing it for the people in the back and the people on the recording. All right, so that control zoom trick helps the audience, but I started wondering whether there were apps out there that would add even more enhancement to the user experience during my presentation. I decided to start my search in Setapp, and I found an application called Presentify by Ram Patra from presentifyapp.com. The problem Presentify sets out to solve is to help you draw attention to something on screen while presenting using arrows, boxes, circles, and text. Presentify is available for a one-time cost of $7 in the Mac App Store, or you can get it with your Setapp subscription.
[4:23]In the Mac App Store, you'll see in-app purchases, but Ram added that simply as a tip jar, just in case you keep using Presentify and you want to throw him a bit more money because he's doing a great job keeping the app up to date for you. I like that approach. $7 for life and all versions is a great deal, but obviously a developer could use some more funding from time to time to keep the app in active development.
[4:46]You can control Presentify's functionality completely through keyboard shortcuts, or you can use the Presentify menu bar app. By default, if you toggle on Presentify, you'll see a floating control strip at the top of your screen. You'll see five colors to choose from, along with icons for freeform drawing, arrowed lines, rectangles, ovals, and text. You pick a color, tap on an icon, and then draw away on your screen. I'm not much for that whole freeform scribbling thing. I'm a little too structured, but I love being an obvious rectangle or a nice arrowed line to point at something. I've never been a fan of ovals and circles because it's always so hard to encompass the item you're trying to highlight, but a rectangle or an arrow usually works better. When you're doing a presentation, it's pretty rare that you would want to have an annotation stay up on screen indefinitely, so Presentify automatically has the annotations fade away after two seconds. Next to the five colored icons, there's a curious icon of two kind of intertwined curvy arrows. This delightful option creates annotations that are gradients of random colors. So you draw a rectangle and it goes from purple to pink to yellow, maybe. Now, while I wear rainbow pattern prescription glasses, I tend towards plain old red for my annotations. If it brings you joy though, Presentify has you covered with a rainbow option.
[6:09]Now the final control on this little control strip is an eraser. You can use that to quickly erase an annotation you've just put on screen.
[6:17]The floating control strip is visible to your audience. If you think that's distracting to your intended audience, from the menu bar app or with a keyboard shortcut, you can choose to annotate without controls. Once enabled, hit the F key for free form, R for rectangle or square, C for circle or oval, A for arrow, or T for text. I figured all of those out just by poking the keys. Getting out of text is a little bit harder because if you type R, R, it would type an R instead of invoking the rectangle. So it's hard to get out of text. I couldn't find an easy way to get out of it other than to hit escape twice or control A, which disables Presentify, and then you can hit control A to turn it back on. I feel like there should be a way to get out of text, but I never did find it other than the two ways I just explained.
[7:07]Probably the most useful option in Presentify is called interactive mode. In this mode, you can toggle back and forth between interacting with your applications and annotating the screen. First, you enable interactive mode from the menu. You'll see a brief pop-up telling you to hold down the function key, or FN, to enable interactive mode. Then from the menu, enable Presentify with or without the on-screen control strip. Now, let's say I'm flipping slides in Keynote using my keyboard, but I want to draw an arrow. I simply hold down the function key, type the letter A, and I can draw that sweet arrow to point to something in my presentation. I can let go of the function key and I'm back to interacting with my Mac.
[7:48]It's often useful to have your cursor highlighted in some way so the distant audience doesn't have to strain to find that tiny pointer. Presentify has you covered here too. With the highlight cursor option, your cursor is surrounded by a big pink hollow ring. You can't miss it.
[8:06]Now, I told you I figured out the keyboard shortcuts for the different tools by experimenting, but then I discovered that if you have Presentify enabled to annotate, you get another option in the menu bar to view all annotate shortcuts. And boy, howdy, are there a lot of them. You can select the color by number if you can remember five numbers, like is five pink, is three blue? You got to remember that. You can increase or decrease the line weight of your annotations with the right left square brackets. That one's really easy to remember because it's standard in a lot of image applications like Apple Photos, Affinity Photo, and Photoshop. There's a highlighter you're supposed to be able to invoke with H, which works well in regular annotate mode, but if you're in interactive mode, macOS takes over that keystroke and shows you your desktop with function H.
[8:53]Likewise, after you enter some text on screen with Presentify, you can simply scroll on your mouse or trackpad and the text will shrink or embiggen. I discovered in the Annotate Shortcuts menu that you can invoke a whiteboard mode. This covers your entire screen, with the exception of the menu bar at the top, with a gray rectangle that you can draw on. I'm not really sure that's super useful only with a trackpad or mouse to draw, but maybe there's some use cases you can think of. There are three tiny tips at the bottom of the Annotate Shortcuts screen. As is true in many annotation tools, you can hold down the shift key to draw a straight line with the freeform line tool. I might use it then if I could do a straight line. If you hold down the option key while you're drawing a rectangle or circle, it will fill with a semi-transparent circle or rectangle. Finally, if you hold down the control key while you're drawing, you can toggle the auto erase behavior. In general, I think it's a good thing that the annotations fade away after a few seconds, but sometimes you might want one to stay. So it's cool you can hold down the control key to get it to stick around.
[9:59]You'd think I would be done describing a $7 app by now, wouldn't you? Close, but the settings for Presentify give you even more control. On the General tab, you can start Presentify at login, and you can also have your cursor highlighted with that big pink ring right when the application launches. Maybe you have a giant screen or multiple screens and you're always losing your cursor. This could be handy to keep an eye on it. On the Annotate tab in Presentify, you can change the five color choices for annotation. Or as Ram refers to them, your favorite colors. You get to choose the five colors. Tap each one and you get the standard Apple color picker to change the color. You can change the default line weight too. Let's say you're always using the left bracket to shrink the line width on your arrows. You could just change it in the settings from bold to regular to thin. Remember the Fn key invokes interactive mode? Well, if you've never figured out what the caps lock key is for on your keyboard? Here's a hint. It makes the keys capitalized. Anyway, if you've never figured out what that key is for, you can use that instead of the function key in the settings. Screen annotations with Presentify vaporize in two seconds, like I said, but you can change that to anywhere from zero to ten seconds, and you can even disable auto-erase of annotations. That explains why there's a manual eraser in the set of tools.
[11:22]Our cursor highlight has some options, too. If you don't favor pink for some reason, you can change the color. You can change it from large to small so the little ring is kind of tighter in. You can make the border of the ring dashed instead of solid, and you can change the opacity of the ring itself. By default, it's 75% opaque, but you can set it from 0 to 100. And we talked about keyboard shortcuts, and in settings you can change the three main shortcuts, toggling annotations, toggling whether you see annotation controls and toggling the visibility of the highlight cursor. You can change which shortcuts apply to those.
[11:58]The bottom line is that if you want to maybe keep your audience awake a little bit longer by adding annotations to your screen during live demos or canned presentations, I think Presentify for the grand sum of $7 might be just what you need. Again, you can find it in the Mac App Store, or it's included in your Setapp subscription.
[12:20]
Free Keycastr Shows Your Keystrokes During Presentations & Demos
[12:20]Well, you just heard me explain how I used the app Presentify to annotate my screen during that workshop I was teaching at MacStock. The problem I solved was that the audience was spread out in a large room and I needed them to see the detail I was showing on screen. I did use the control zoom feature that I talked about and Presentify did a lot to help the audience. But there was one more thing I wanted to solve. The workshop I was teaching was my Mac tiny tips or is it tiny Mac tips? I think I named that wrong. Tiny Mac tips implies the Mac is tiny. Anyway, I was teaching my tiny Mac tip series and a lot of these tips involved using keyboard shortcuts. I'm pretty good about saying things like hold down control T with your cursor between two characters that you want to swap, but it would be more vivid if they could see the keystroke when I was talking about it. I've used various tools over the years to display keystrokes, but they were generally inside tools for creating screencasting tutorials. I needed a tool that was independent of any other application. In my hunting, I found an open source free tool called Keycaster. And it's kind of one of those old school, you remember when they used to pull vowels out like Tumblr took the E out? There's no E at the end of Keycaster. It's K-E-Y-C-A-S-T-R.
[13:36]Now, I don't want to scare you off if you're not a programmer, because the way you get Keycaster is a teeny, teeny, tiny bit nerdy. However, the application itself is not one teeny bit nerdy. You don't get Keycaster from the Mac App Store, and you don't download it from the developer's website exactly. You have two options. So let's back up a second. Imagine you're on a normal site for an app. How do you get an app? You see a big button highlighted that says Download. A single click downloads the app, and sometimes it's a zip file. You double-click the zip file, and you've got your app ready to move to your applications directory. With Keycaster, it's exactly like that, except the website is the developer's GitHub repository. You have to click a link to download the zip file, open the zip, and move the app to your applications directory. It's exactly the same. The only difference is that there isn't an obvious single download button. I put a screenshot in the show notes of the GitHub repo for Keycaster, but let me explain what you're going to see. In the upper left, you'll see that you're in the Code tab in GitHub with the releases tab highlighted, sub tab really. That makes sense, right? We want the released version of the software. Now the obvious attention grabbing section on the page currently says, as of the time that you're hearing this, fix modifier detection on Intel.
[14:57]Okay. Turns out that's the name the developer gave when committing the changes to the app that fixed the latest bug. That title has no meaning, zero meaning to you whatsoever. It might even make you give up because you're running on an Apple Silicon Mac, not an Intel Mac. In fact, that was my first reaction. Now, I'm reading to you what it says right now. It might say something completely different by the time you read or hear this article because it's the notes on the latest bug they fixed in the current release. So if they fix another bug between when I'm saying this and when you're hearing it, that title is going to be something different. So don't get scared away. I assure you, you are still in the right place. Below this headline, that's kind of weird, that's just the name of the bug fix, you'll see a section called Assets. Under Assets, you can see three links. The second two both talk about source code, and unless you're a developer who wants to change the tool, you want to stay away from the source code. That leaves only one option. It says keycaster.app.zip. This is the link you want to click. This is the zip file. Now remember, all you're doing is going to the developer's site and clicking a link to download the app zip file. I went to such great lengths to describe this page because I used to run away when I was sent to GitHub repos because I didn't know what to click or what all this glop on the page meant.
[16:19]So now we've downloaded Keycaster in a single click. I mean, literally, you're going to go to the website I'm going to send you to and you're going to click this link. Now that we've got it there, we've downloaded it, double-clicked it, and we've installed it. Now KeyCaster acts like any other Mac app. In fact, while I was working on this review of the tool, I got a pop-up when I launched KeyCaster telling me I had an update to the app. I didn't have to go to GitHub. I didn't have to mess around in there. I just agreed to install the update. So it acted just like a normal app because it is a normal app. Now, the second option to install KeyCaster is through Homebrew, and we've talked about Homebrew before and how it's nerdy but easy. If you have Homebrew installed, the command on the terminal is brew install cask KeyCaster. That's it.
[17:07]All right, instead of starting at this installation page for KeyCaster, you can take a look at the homepage of the KeyCaster repo where they explain a bit about the project and they include some cursory usage information and some nice screenshots. So I put a link in the show notes to the repo itself, the upper level repo, that gives you a little bit more information, but if you follow my first link, that's straight to the download. All right, this was an awfully long lead up, so let's finally have some fun with Keycaster. Once you launch the app, it can run as a menu bar app or as a normal app. As soon as you choose to start casting, when you use a keystroke using any kind of modifier key, in the bottom left corner of your screen you'll see the keystroke displayed. Now this little display is very small and subtle by default. It's got a tiny white font and it's on a kind of a dark gray black bezel background.
[17:59]After you type the keystroke, the keystroke will fade away in about two seconds. Now while technically KeyCaster has fulfilled its promise of showing our keystrokes on screen, I don't find that the default settings are nearly as dramatic as I need them to be so that Dr. Drang can see what I'm typing from the back of the room at MacStock. Now that's where the preferences for Keycaster come into play. The first tab in preferences is the General tab, where you'll choose whether to run Keycaster as a menu bar app, as a regular app, which is often referred to as in the dock, or you can have it be in both places. I like it as a menu bar app since there's really not very much to it. By default, you can toggle this capturing or casting of this little display using the keystroke control option command K, but you can change that. Also by default, preferences will show at launch, and of course you'd want to turn that off almost immediately. The second tab, display, is where the meat of KeyCaster lives.
[18:57]At the bottom of the display preferences, you can change the color of the bezel and the text. Screencasts Online tutorials are created using an app called ScreenFlow, which can record and display keystrokes automatically. We use a nice, translucent, very professional-looking dark gray with white text, and that's great for these professional recordings. But I gotta tell you, if I'm going to keep the Mac stock audience awake, I gotta do a lot more than that. So I changed the bezel color to bright red. By default, it has a font size slider and it's almost all the way down to tiny, so I dragged it up to huge. Now on my 13-inch MacBook Air, the keystrokes are more than 20% of the height of the screen. Anyone watching my demos would be able to see these keystrokes from the International Space Station. So I explained that the keystrokes fade away after about 2 seconds. Just like it was with Presentify, you can change how quickly they fade using the Linger Time Slider. You can slide it all the way down to instant, which isn't very useful, or all the way up to long, which I timed at around 7 seconds. That's kind of annoying and could probably be distracting. I find the default right around the middle is just right, but you can mess around with it to see what works for you. While you're messing around with the linger time, you might as well play with the slider for fade duration. You can have your keystrokes blink off instantly, or you can make them fade, and I'm quoting here, fast-ish.
[20:21]Now, there's one slider in Display Preferences, actually there's two, but the first one that baffles me is entitled Line Break Delay. It goes from short to long, and the tip says length of time before the line breaks. Okay, what line? We don't have any lines, we've got text. And why is the line breaking?
[20:42]To try to crack the code on this critical line break issue, I played around with some other useful settings. Display mode, by default, has the radio button selected for command keys only. I'm not sure where they got the definition for command keys, but if you have this selected, it means that if you use either the command key or the control key with any other key combination, that will be displayed in the little display of KeyCaster. But if you hold down, say, Option D, KeyCaster won't display anything on screen. If you hold down Command-Option-D, both the command and option symbols will be displayed along with a capital D, even though you just held down a lowercase d. Now if you switch the display mode to All Modified Keys, now any modifier key you use will be displayed. In addition to Command and Control, both Shift and Option will display when you add a character to the keystroke. That's kind of where I expected it to be. I'm not quite sure why shift and option get left out.
[21:44]Now, the last one, if you really want to drive your audience nuts and drive yourself nuts, you can choose all keys under display mode. Keycaster will literally display every single key you hit. If you type fast enough, you can type out entire sentences that will fill your screen. You'll even see the symbol for the space key between your words. Now, this option was the one I thought might give me a clue on that line break delay thing. I hypothesized that if I set the line break delay to long, when I typed so much text that the characters went to the edge of the screen, there would maybe be a delay before it broke to the new line. See that line break? I thought that's what it might mean. No. Short, long, and the line break delay slider had no effect on what I saw when I typed enough to fill my entire screen. I'm afraid this one's going to be left a mystery.
[22:36]I'm glad I experimented with the all keys display mode because I thought of a use for it. I have to get my eyes dilated twice a year, and I hate how long it takes for my pupils to shrink back to normal. I even make them give me a half dose, or if they have it, the baby dose like the ones they use on little kids, because this medicine is so effective, excessively effective, on dilating my eyes. One of the main reasons I find it so irritating, other than that I can't go outside because the sun hurts, is that it's hard to play on my computer because I can't see when I'm typing. With KeyCaster, I could at least have my own text blown up huge on screen as I type so I can see if I was making typos. If I see a problem while I'm typing, I could use the Ctrl-Zoom accessibility setting I told you about to find the mistake and fix it. It's worth a try as a solution. Now there's another option I don't understand from the display mode settings. It's a checkbox that says Apple Modifiers, and this checkbox can be added to any of the three display modes we just talked about. So command keys only, all modified keys, and all keys. You can add this checkbox for Apple Modifiers to that. I tried toggling Apple Modifiers on and off for the other three options, and for the life of me, I can't see what it's supposed to be changing.
[23:52]Now, one thing you might expect to find in display preferences is a way to tell KeyCaster where on screen you'd like to display the keys. I mentioned that it was in the bottom left, but wouldn't you think there'd be like a left, center, right, at least, where you wanted it on your screen? Well, there's a hidden feature, but you can simply drag the display anywhere you want on the screen, and KeyCaster will remember it for the next time it's invoked. Now, you might want to slide the linger time up a bit so you have enough time to drag the little display to your desired position, and then put Linger Time back to where you like it.
[24:25]In my review of Presentify, I explained how the app can show your cursor as a big colored ring as you move it around on screen, defaulted to pink. Maybe that's a little too much distraction, and you just like to see it highlight where you've clicked on the screen, not always showing your cursor. Keycaster has this option under a dropdown called Display Mouse Events. It's off by default, but you can choose from three options. The first is called with mouse pointer. That means wherever you click, a thin red circle will briefly appear. I wish it would show a bit longer or at least be controllable by that linger time slider, but it has no options. You click and it goes, and that's it, it disappears. Now the second option is with current visualizer. This one's kind of odd. When you click, you see a representation of the Apple no-button mouse where you normally would see those modifier keys showing up in the little display. It does show modifier keys as well, but it's kind of a shared interface. I guess its job is to alert people that you've clicked, but it doesn't show them where. If you want to really confuse the audience, you can choose with pointer and visualizer. This gives you the thin red ring where you click and gives you that representation of the mouse. It's very busy, especially if you've made your visualizer giant and red like I have.
[25:42]So finally, I'm going to tell you about the very first option on Display Preferences. It says Selected Visualizer, and there's a dropdown that says Default. That's what's selected. In other words, everything I've been teaching you about changing is the default method of working with Keycaster. The only other option in this dropdown is called Svelte. With Svelte, you can't change the font size or the bezel color. You can't change the linger time or the delay. Instead, you get a medium-sized, dark gray translucent box that shows the modifier key symbols across the bottom. So you see this symbol for shift, control, option, and command. When you hold down one of these keys, they light up in KeyCaster's floating display. You have one toggle to work with, and that's to display all keystrokes or not. You can also set whether to display mouse events, but for keystrokes, it's all of them or just these modifier keys. I do have to say this Svelte mode is very clean, or svelte as they say, but also whatever you type only shows for a brief instant in that Svelte display. I'd have to say it doesn't really solve the problem I was trying to solve because the keystroke isn't up there long enough for anyone but the most alert to notice. The bottom line is that Keycaster is an open source solution under the BSD-3 license and it's been freely available for the Mac since 2009.
[27:04]That makes me think I should go back through my show notes and see if I did know about this years ago. That's the kind of thing I would do. Anyway, it's a wee bit quirky to install if you've not done a GitHub installation before, and I did have a couple of times where it hung up and I had to restart it, but I'm running on Sequoia, so I'm going to forgive it for that. But remember, even though it does have this wee bit quirky way to install with GitHub, it's only a matter of clicking on the right thing, and now you know where to click. Since my workshop at MacStock was filled with keystrokes I wanted to teach, Keycaster was the perfect tool to keep the hecklers in the back row engaged. Now, if anyone figures out what Apple Modifiers and line break delay mean, I'd really love to hear from you.
[27:49]
Support the Show
[27:50]Now, we don't have any new patrons or PayPal supporters to announce this week. So instead, I'm going to reiterate my thanks to Helma for supporting the work we do here. She spent a lot of time writing out those show notes, putting up with my overwhelming number of changes to those show notes. And then she asked for a play date so I could help her set up her mic correctly to get the best possible audio. And she let me teach her how to use Audio Hijack to record both her voice and me and Bart from Zoom. Then she put up with my constant barrage of questions and helped all of the listeners to learn a valuable new skill. I just wanted to bring that up again to let you know it's not just monetarily that people can help the show.
[28:33]
Rogue Amoeba Tools 22% discount
[28:33]Speaking of Audio Hijack, right now, the makers of Audio Hijack, Rogue Amoeba, are having their 22nd birthday sale, where you can get 22% off any and all of their tools if you use the coupon code 22, all capital letters. Now, you know I love all of their tools, especially Audio Hijack, SoundSource, and Loopback, just to name a couple of them. If you've been hesitant to buy because of the cost, I would jump on this deal before October 7th when it expires. All of their tools work with macOS Sequoia and they vastly simplified the installation process. Now, this sounds like an ad, doesn't it? I am not advertising for them. I have never advertised for them. I'd love to get money for advertising for them, but they don't need to pay me because I say this stuff all the time. They've got fantastic support. These tools solve problems that nothing else could do. Probably one of the best Apple developers out there. Anyway, you can read all about this discount and about the new way to install their applications and get that 22% discount with the coupon code 22ALLCAPS before October 7th by going to rogueamoeba.com. And I'm not even going to make you learn how to spell Rogue Amoeba because it's hard. Just click the link in the show notes.
[29:46]
Security Bits – 29 September 2024
[29:47]Music.
[29:56]Well, it's that time of the week again. It's time for Security Bits with Bart Bouchats. And it just took Bart and me 35 minutes to get Zoom and macOS on two computers and Audio Hijack and SoundSource to actually function. So don't touch anything, Bart.
[30:11]My hands are in the air. I'm recording hands-free here. This is, yeah. You'd think after, what, a decade and a bit of this, we'd have all of the kinks figured out and we'd never be surprised by anything. And then just out of the blue, it's like, no, not going to work. Whole new fun in basically every app we needed to function was weird on both ends, and neither of us went Sequoia, because then we could have blamed ourselves for being silly, but neither of us did that. No, no, no, it's not our fault. Yeah. Okay, anyway, well, let's get stuck in. Right, so the first collection of stories I've put together under the heading, oh sorry, feedback and follow-up. These are stories you talked about before that are back in the news. And the first one, I put the fun label consequences arrive for past failures. So first up for some consequences are AT&T. They are paying the Federal Communications Commission in the United States $13 million for their 2023 data breach. I don't remember if there's been more since, but anyway, that's for that one. I don't know. They probably have more comeuppance to come. And the Irish data... Who gets the money? Does the government get the money or do I get some of that? Well, if it's an FCC settlement, that means it goes to you. If it was a class action, it would go to all of the people.
[31:32]It's just, yeah, pays for the FCC. No, one of those, the other way around. So FCC, they keep the money, it just goes... Yeah, that's what I mean. Yeah, if it was a class action, then you would get the money. Okay. So this way it pays for the investigators who found the problem. You know, it pays a bunch of salaries. So that's no bad thing. The Irish Data Protection Commissioners issued a ruling against Facebook. Now, they were a bit slower because in this case, it was dealing with a problem that came to light in 2019.
[32:06]So they've had five years to figure this out. Anyway, 91 million. I have my show notes saying 91 euro. No, no, that is 91 million euro, which is about $100,000. Do you want me to fix that? Please. I mean, I know Facebook make a lot of money, but 91 would be a pathetic fine, especially because it was 600 million passwords. Now, they didn't lose them. They just had them in plain text, so they could have lost them. And you're not supposed to do that in Europe. The GDPR says that you're not allowed to be careless even if you get away with it. And so they were careless. So your show notes don't say who fined them 91 euro. The Irish Data Protection Commissioners, the link just underneath. Okay. So basically... It just says Meta fined. Okay. Yeah. So in Europe, because their headquarters are in Dublin, all of Europe's privacy law goes through the Irish Data Protection Commissioners. Okay, so this wasn't an Irish-specific thing. No, our good friend, the GDPR. But Ireland wielded the stick. Also, I've realized the actual link is missing from that. So I guess you'll have to make do with the press release from the Irish Data Protection Commissioners, because at this stage I've cleaned up my link tracker.
[33:28]Anyway, the press release... Can I add one more? Sure. Consequences for past failures? The reason I asked who gets the money is this week, I got a check in the mail from, oh, shoot, who was it? Oh, the story would be way better if it was. It was one of the companies that lets you sign up to sell t-shirts and stuff with your own logos. I can't remember who it was now. CafePress? Yeah, that's who it was. And I was always mad at them because they actually never paid me for the stuff that I sold there, and I forget what their reason was, but they didn't pay me and it wasn't much money. But I just got a check for $31 for the class action settlement. Excellent, excellent. Because I remember them being on the naughty step. So I'm glad to see that's come through. I guess that's some sort of comeuppance. Yeah. Yeah, exactly.
[34:21]Now, we talked a few times about Kaspersky leaving the United States. Well, they didn't go quietly. And technically speaking, they're still allowed to be here for today and tomorrow. But they left early by deleting themselves, which is not too bad, and force-installing an AV product no one's ever heard of called Ultra AV, which surprised the heck out of everyone when all of a sudden their computers had a new AV product they did not recognise, and a lot of people thought they'd just been hacked to bejesus. Well, in a way, they were. Right. I saw that. I was like, are you freaking kidding me? I mean, that's crazy. Yeah. So whoever this Ultra, I'm assuming the Ultra AV paid a vast amount of money to Kaspersky to take over all of those customers. They just got handed a lot of people who may or may not continue renewing. So, yeah. Yeah, anyway, that's certainly a way to go out with a bang. So thanks, Kaspersky. How did, how, how, how? How can they do that? Remember that an antivirus has to run at the absolute highest level of privilege on your system. You really, really, really, really, really have to trust your AV vendor. They have as much power as your operating system. So they can force install apps.
[35:50]They are basically a benign rootkit.
[35:54]Wow. Yeah. Yeah, this is why I'm very picky about who gets to be AV. Because it's a lot of power.
[36:02]We don't know whether it's worth it. Right. Well, actually, that's a fair point, yeah. It does sort of depend on your risk profile. We didn't go into too much detail about France arresting the founder of Telegram because it was more of a law enforcement story than a cyber... Well, it was a law enforcement story. It wasn't a cyber security story. But it now has some actual impact. The reason he was arrested was because Telegram just didn't answer any legal queries from law enforcement, even those that they could answer and even those they legally had to answer. And that didn't seem tenable. So they've changed their policy a wee bit, better late than never. However, they now actually will hand over IP addresses and phone numbers when they receive law enforcement requests, just like everyone else does. So this is a good story then? Absolutely. There is some amazingly bad cybercrime that goes on on Telegram because they have a policy of, they actually make it a selling point, that we don't hand over stuff to law enforcement. So shock and or horror, that attracts people who would like that to be true. Right. It's like there's hosting companies in Iceland and a few places where their selling point is we don't answer law enforcement, and that's where all the malware is. Well, you know, Telegram was performing the same function. So good. Yeah. Anyway, consequences. Actually, I could have put that up in the consequences section.
[37:31]Another story that's gotten a lot of Sturm und Drang is Microsoft's Recall feature, which is one of those things that no one seems to have asked for, but Microsoft are convinced is the bee's knees and the future of all of life on Earth. This is a feature where they take screenshots every couple of seconds and then train their AI on it so it can help you. What was that email I answered last week? Why, I remember. And they didn't... I hope it's Clippy that jumps in and tells you. If it's not, someone should do a skin. That would be fantastic.
[38:04]Either way, they have, I think they're under a third rethink of this feature. It will now be off by default and be a purely opt-in feature, even if you buy their hardware specifically designed for it. It will also be completely removable under the Add/Remove Features section of the Windows control panel. And they're adding even more encryption to the storage of all of those screenshots of all of your everything. And they've also decided that AI could be used to automatically detect sensitive information and stop itself saving it in the first place. Then there wouldn't be nearly as much to protect in there. So that's actually AI helping AI, which is kind of clever. And also anything you do in private browsing is never captured. Which seems like a very sensible thing to do if I turn on private browsing. You know, private?
[39:04]Exactly. So basically, they've now arrived at what I think should have been the beta version of the product. But hey, third time's a charm. You're now at beta. Well done. So anyway, that's, I guess, a positive development. Yeah, shouting at people helps. Action alerts then. Apple have released all of their new OSes, which is obviously cool, but they have also patched all of their old OSes. So if you're running macOS Sonoma or Ventura or iOS 17 or iPadOS 17, you have security fixes that you should install. You should also be aware that if you do choose to go to Sequoia, you're dipping your toe into a very freshly filled pool, and there may be the odd piranha or something in there that didn't quite get cleaned up, because we have not the world's most detailed reports, and it certainly doesn't seem to be that no security tools work, but there are people who are having problems with third-party security tools on Sequoia, and it seems to be down to a change in an API which, as best as I can tell, was marked as deprecated about five years ago, and everyone should have remembered to update their product in the last five years.
[40:19]Code that's been working fine for 20 years and you don't read the release notes carefully, it happens, you know, stuff that's deprecated gets forgotten about. So, you know, these are normal teething problems. I've noticed a few more teething problems than usual. I get into an argument with Pat Dingler about this, my friend, the Apple consultant, and she says, no, nothing, nothing's gone wrong for me at all. And I'm like, okay, let me start counting the ways. I mean, nothing has been showstopper-y, but it's been a lot of little weird, naggy stuff that's been just like, that wasn't right. Nope, shouldn't have done that. That's a problem.
[41:01]Overcast, the iPad client will run on an Apple Silicon Mac. I can make it crash 100% of the time by clicking on the magnifying glass. It's like, okay, where'd that come from? Yeah. I'm going to quote your dad. The plural of anecdote is not data. I'm having no problems is a pretty, it's a datum. But on the grand scheme of things, a pretty meaningless datum in the millions and millions and millions of users of my OS, Sequoia. Exactly, exactly. Also, it's not very helpful when somebody tells you it doesn't happen to me. It's like, that doesn't mean it's not happening to me. Yeah, I often feel like, well, okay, and my first cat was called Minnow. We're exchanging useless information neither of us care about, right? Oh my gosh, I'm going to use that. I'm going to use that. That's perfect. Or my other favourite, that shouldn't happen. I agree.
[41:59]No bleep, Sherlock. Yeah, no, there was a stand-up comedian has that line where he just randomly in a conversation says, and my first dog was called Wolf. Oh, what? We weren't sharing useless information neither of us care about? And I thought, that's such a good line. Such a good line. Anyway. It is fabulous. If you switch... Well, we should say that there was a catastrophic iOS 18 that went out to iPadOS. There were many cases, not everybody, some cases of people having literally bricked iPads. And I hate the word bricked because people use it all the time when they mean, oh, it crashed and I had to reboot. No, these were really, really bricked. And so Apple actually pulled that update back. And I heard on Mac OS X, it's supposed to be back out later this week, supposedly.
[42:48]Yeah. Again, we don't know how many, because there's millions of iPads out there. So if it happens to 0.001%, that's a lot of cranky people. Rightly cranky people. Full on bricked, you don't want. Annoyed is fine, but bricked, not so much. Yeah, pretty much, exactly. Also, if you choose to go to the new OSs, be prepared for a change in nomenclature. Your Apple ID is gone. You now have an Apple account. Probably better, but not an easy change. I'm sure we'll be able to find it sprinkled incorrectly in documentation for years to come. Yeah, yeah. care.
[43:33]I don't know whether, are you going to talk at all about the Apple Passwords app? I don't have much to say about it. I've got one quick thing to say about it. Great, go for it. You guys have all probably heard that the access to passwords isn't through this clunky keychain interface anymore. It's through a nice, pretty app called Passwords, and that's great. If you have somebody who's not using a password manager at all, and they duplicate their passwords instead of creating weird passwords, and this would help them make weird passwords, I guess that's a good thing. But keep in mind that if you use that, the security of all of your passwords is only as safe as the code on your phone, which maybe you have a four-digit code, maybe it's a six-digit code, maybe you've got a long, complex password, but your passwords are only as secure as that or the password you have on your Mac.
[44:25]Right? Ish. Because it asks for your login to your account on your Mac or your passcode if, say, Face ID fails. Or Touch ID fails.
[44:39]Yeah, actually, no, yes. So if you do have a terrible password on your Mac, then yes, actually, yes. I have a terrible password on my Mac. Okay. I mean, terrible, but it's not in the top five passwords. It's not my one password. I can tell you that. Yeah, my approach is to make my password not too awful and to have delete this device after 10 failed attempts because everything's backed up in iCloud. Hmm. And yes, but you're right, it is. So we're down to the fact that it's better than not doing it for most people, but that doesn't mean it's a utopia. So think carefully about how you protect your phone. And it's not any different than it was before. This was always true. It's just really obvious now to me that when you open up passwords and it goes, oh yeah, what's your login for your Mac? I'm like, wait a minute. Now bear in mind that anyone who's ever clicked save password in Safari ever is in exactly the same situation because where the password is saved hasn't changed. It's just that the user interface has moved from where no one knows it exists to a place where it's obvious. And the other thing that disappoints me a little is we don't actually have any new core functionality. What Apple have done is made the functionality that's been in iCloud Keychain visible, which I guess is a nice first step, but there's still a long way to go if they're going to make this a real password manager. Yeah.
[46:05]Yeah. Right. Fire extinguisher time. So it is one of those true facts that Jill knows so much that there is a bug in an open source product called CUPS, which is the Common Unix Printing System. And it is a fairly serious bug, but there are a lot of silver linings to the point where it's almost all silver lining and there's not all that much cloud. So first off, it is patched. So patchy, patchy, patch, patch, and your Linux systems are fine. Wait, patch what? Patch where? Okay, so Linux. Sorry. Well, okay. Let's start in Linux and then we'll visit the Mac. Okay, we can jump straight to there if you like. There are two stories. It didn't say anywhere which it was in the beginning of it.
[46:52]Okay, that's a good point actually. SANS Institute just assumed that everyone would know CUPS is on Linux. I like their headline. It said, don't panic. I thought, oh, we'll take that headline. Yeah, yeah. Yeah. Yeah. So this isn't in the bit of CUPS that does printing, which is confusing because it's the Common Unix Printing System. But on Linux, it does a little bit more than just print things. So on the Mac, the only job CUPS has is to print things, whereas on Linux, CUPS has two jobs and it has two completely different daemons. So it has one daemon that does printing and a completely different daemon that scans the network looking for shared printers for you, and for some reason, to find shared printers, it opens a port on your machine, which I still don't understand why you would do things that way around, but okay. And if you enabled the feature to tell your Linux machine to scan for printers, then you could potentially be attacked by someone else who's on your local area network sending UDP packets at that port that you just inadvertently opened up on yourself. But this is all off by default.
[47:58]So if you have a bunch of Linux VMs, you're not going to have turned this on. If you're a Linux desktop user, you might maybe have turned this on, but probably not because you probably have your printer. You probably don't have this feature on looking for shared printers unless you're in an office environment. But how many office environments run Linux desktops? So the attack surface seems quite small here and there's a patch. So yum update, apt-get update and you're golden anyway. Anyway, so real-world impact is likely to be very small.
[48:30]And here in Apple land, where Apple are not particularly known for being quick to patch open-source components within macOS, it's been their weakness for a while. Here in macOS, we only use the bit of CUPS that does the printing, because we find shared devices using a different protocol, which is now called mDNS, which used to have much more fun names like Rendezvous and Bonjour, but now it's just mDNS. So it's a completely separate system to CUPS. So this bit of CUPS that has the problem, it just isn't here on the Mac. So we are fine here. Okay, good. So I rearranged the bullets. So it says the bug is in the Linux feature first. The bullets, I just rearranged it so you can see. And so then it's obvious when it says patch promptly, that'd be on Linux. Okay. Excellent. Brilliant. Next up, if you have a D-Link router, log in, check for updates, because a bunch of their Wi-Fi 6 routers have a pretty nasty flaw that is a hard-coded password. That does not seem like a good idea to have a hard-coded password.
[49:35]Should we have just maybe a standard segment in Security Bits about why D-Link is bad at routers? I mean, this seems like they've earned one. We should do a search to see how many of them there have been like this. This is ridiculous. It kind of is. And just in case you're forgetting why we care about this, this news wouldn't have made the show ordinarily, but it was like, well, no, this has to go here. Chinese botnet infects 260,000 small office home office routers. In other words, those D-Link routers that aren't being patched, a quarter of a million of them are now in a Chinese botnet. That's how this works. Patchy, patchy, patch, patch.
[50:17]Finally, if you are running ChatGPT on the Mac, make sure it is patched. It had a wee bit of a bug. It had some pretty not-so-good security implications. So just patch and you're grand. So do that. So the specific ChatGPT app? Yes, the app for macOS. I'm not sure how big an audience that is. I think a lot of people ChatGPT through the web interface. Although there is something to be said, I guess. Well, and I have an app called MacGPT. Ah. It's a different app. There you go. Yeah, no, this is the official one, which didn't exist for a long time, which is probably why MacGPT came into being. So there is a patch for that app? Yes. It was patched and then disclosed. So most people would have auto-updated themselves most probably before. Oh, no. A new version of ChatGPT is ready to install. We'll install that now. And it didn't query me. I had to ask for it. All right. Thank you. Disappointing.
[51:21]Worthy warnings then. I have stopped telling you every time there's a new way to try to trick developers because I would tell you every week. But this time it hit xkpasswd-js, which we've been working on as a community. So it seemed like this was a worthy time of reminding everyone that as of the last 12 months or so, there has been a surge in watering hole attacks against developers and power users of all kinds, where the attackers have decided that we can get our hands on stuff by going after things on GitHub, basically polluting GitHub with malicious stuff. So the latest is comments or GitHub issues.
[52:05]What's a watering hole attack? It's where you... Like a honeypot?
[52:10]No, a watering hole is like a crocodile that hides in a place all the bison come. So the bison are coming there anyway. So if you wait there, your dinner will come to you. Developers will come to GitHub. So if you attack there, the developers will come to you. You don't have to try to go to them. Yeah, so that's a watering hole attack. So a honeypot is different because they're not necessarily there already. Yeah, a honeypot is for attracting things, whereas a watering hole is for where they come anyway. Okay, this is just waiting where the... Okay. Yeah. All right. So basically GitHub comments, in this case it was pretending to be a notification about a security vulnerability in the repository. So they really were targeting the owners of the repository more than users of the repository. But we've had recent stories where they post answers to people asking questions telling them to run a PowerShell script. In this case it was, your repository is vulnerable, but hey, run this PowerShell script and we'll fix it for you. Both of those things are a bad idea. Don't run random PowerShell given to you by anyone, anywhere, ever. Yeah, or bash script, or any sort of scripty, really. If you don't understand the code, run away. But just be aware that the attackers have decided that the positive community on GitHub is a place they can be SOBs. So yeah, precisely. A heads up to any of our listeners who rely on Tor to protect themselves.
[53:40]I don't know if this is a problem or not, but the Chaos Computer Club, who have a long history of doing interesting research, and they often find things that are theoretically interesting, but practically meaningless. Like they succeeded in some very, very difficult 3D printing and stuff to make a sausage-based fake finger for Touch ID. Which had no real world impact, but was a really fun story. They have done a bunch of research on whether or not Tor is efficient at being anonymous, and they actually believe it isn't. The Tor project disagree, and I am not qualified to judge. Link in show notes if this is important to you.
[54:20]Okay. Moving on then to notable news. And the first news item, I think you jumped up very loudly. I had also jumped up very loudly when this crossed my stream. NIST, the National Institute of Standards and Technology in the United States, have updated their guidance on passwords. Now, you might be thinking, but that's a US group, Bart. Why would you possibly care? Well, technically speaking, NIST only applies to US government agencies and contractors supplying stuff to US government agencies. But NIST are really good at their job. So lots and lots and lots and lots of organizations all around the world adopt the NIST advice as if it was their advice, because NIST have done such a great job. And so, for example, here in Ireland, we have a different standard with a name that says Ireland in it, but it's actually just a copy and paste of NIST with one or two words changed. So I call it NIST with an Irish accent. So whatever NIST do has a huge impact all around the world, even though it's technically speaking very, very small influence. But no, it's a big deal. And they have added some common sense to the rules for passwords.
[55:31]Now, I should say that this is for end user passwords, which is an important distinction. This is for passwords for humans. So for listeners of this show, all of you, for people who work as a sysadmin, this does not mean all passwords because you will have passwords used for service accounts or for administrative accounts. They are not covered by this.
[55:52]But it's for user passwords. So don't annoy your human beings is what this comes down to. And a lot of it is turning advice into requirements, which in government language speak is should becomes shall. And shall is legally binding if you are in fact a government agency. So this is a big deal. Except for the fact that NIST actually is only influence. Influence, it doesn't actually, they can't, like, they can't, uh, hold somebody accountable for not obeying what they say. My understanding is that if you work, say, in the Department of Defense and you break NIST, the Department of Defense will hold you accountable. So NIST won't. That can be true, right, but NIST isn't a, it doesn't have an enforcement arm. They are an advisory thing. And other organizations can say, we will comply with this. And if you don't, then we slap you upside the head. Yeah, exactly. Other people can choose to enforce NIST on themselves. Which is disappointing. So, for example, NIST says don't use SMS to authenticate, especially if you're a bank, and every bank in the United States uses SMS. Yes, you can beat them over the head and say, oi, NIST says you're being dumb, but no one's going to force them, which is annoying.
[57:17]Anyway, good news. I wanted this to be a happy story. So if people who follow NIST are now prohibited, banned from forcing periodic password resets, that is no longer allowed, which is amazing. That came with an equally sensible other side. If an organization has a reason to suspect a password is breached, they now must or shall force a password reset. So don't do it based on time. Do it based on evidence. Seems like a much better approach. Good, good, good. Yes. Yeah. There are also bans on password complexity rules in terms of composition. So you can't say to people. This one bothers me.
[58:02]Well, it may bother you a little bit. We'll explain it first. Yeah. So basically you can't say you must use this type of character and these special characters. It's like you should have every print. You must have every printable ASCII character as allowed, but you can't force people to mix them. And you should have every UTF-8 printable character allowed. So you should be allowed to use emoji in your passwords, which I know a lot of people actually do. But you must have ASCII. I was OK with this one until the next one that's on your list was that it requires a minimum length of eight characters. So if you go back to the previous one where they can't force complexity, so you can have all lowercase letters and an eight-character password and you meet the NIST requirements. You meet the requirements, but you're called out. Yeah.
[58:54] You meet the "shall". They specifically called out having upper and lower case. You're not allowed to force that on people. You're not allowed to force them to have a number in it. Right. So the "shall" says eight. The "should" says 15. But still, so the "shall" now changed from forcing people to have special characters to not forcing them to have special characters, and a minimum of eight characters. So I looked it up in Password Haystacks by Steve Gibson. 2.17 seconds in an offline attack scenario to crack an eight-character password with only letters. Yeah, I mean, I don't know why that "should" and "shall" are still there. My guess is legacy systems. There are still in existence, particularly in government circles, devices incapable of more than eight characters. It's an odd one. Hopefully the "shall" is what takes, or "should", sorry, is what takes preference here, because they're saying you should have 15 characters. And that's a much better approach. The other one I really like is that if you insist on having a maximum length, you cannot make, or you should not make, that maximum length less than 64.
[1:00:05] Which is good. Good. There's also a ban on password hints, which is probably a good idea, not to give away... Yeah, "it's my dog's name." Well, that's just narrowed down the dictionary here a bit, hasn't it? There is also a ban on knowledge-based authentication, i.e. what was the name of your first pet? What's your mother's maiden name? These are now just... not allowed. Not allowed.
[1:00:30] Oh, when I saw password hints, I thought it was that. I guess both. They're now both. So password hints are gone and knowledge-based authentication is gone. So two thumbs up, one for each. And like I say, this is for people. So if you have scripts that have passwords in them, it is absolutely perfectly valid to have a forced change every month; that password has to change, because a script is a dangerous place to have a password. Consider better authentication, certificate-based. But yeah, and you can still force admin passwords and stuff. They're not saying you're not allowed to make your, say, domain admin account have an expiration of six months or whatever. It's just the humans. You can't be bothering your humans, because research shows it makes them use worse passwords. So your attempt is to secure things and the effect is to insecure them. And we knew that years ago. When did that report come out from the U.S. government? They did a study where it basically proved that if you make people reset their passwords, they create worse passwords. It's been done. It has been repeated so often, I don't know when the first one was.
[1:01:36] Yeah. I know. So what's fun about the NIST thing is even people like you, in a different country, are able to use this report to say, see, this is what I've been trying to tell you. NIST says so. And so people are commenting in our Slack at podfeet.com/slack about how, okay, I'm going to take this report and take it to my blank and show it to them and say, please, please stop doing that. Yeah, yeah. It is a trusted organization. When they give advice, it has weight. Thank goodness.
[1:02:08] Okay, next up, a little bit of good news. So the RCS standard is managed by a group called the GSMA. And so the RCS standard is a cross-cell-provider messaging system that is now supported by iOS 18 and has been supported by Android for ages and ages and ages. GSMA stands for GSM Association. Thanks for your help. At least it gives us a little more information. Recursive acronym. Lovely. Yeah. Or nested, not recursive.
[1:02:45] And one of the things that people may not realize is that the official standard does not have a mechanism for encryption. Google invented their own custom encryption protocol and added that to Android. So Android to Android can be encrypted, but it's not part of RCS. It's an Android feature, not an RCS feature, which is why it doesn't work across to iPhones. Oh. Okay, everybody's been blaming Apple for that, saying, why didn't Apple do end-to-end encryption? Because it doesn't exist in the standard. Oh, that's really interesting. Okay. Well, they've decided... I suppose they could have implemented... But they could have implemented Google's not-standard standard. That's a dangerous thing to do, because then if you're a worldwide company, that starts to get a bit, will that break stuff over here and will that break stuff over there? And the European Union might get a bit cranky, because what if there's a carrier in Europe where it doesn't work or something, saying, you know, Apple are breaking, you know, one of the new laws? Either way, the good news is the standards body who run the RCS standard have gone, oh, maybe we should make a standard, like an actual standard standard, for end-to-end encryption so that everyone can do it the same way and have full interoperability. Good. Thank you. So this is a fix and a make-a-plan, though. It doesn't exist yet. Yeah, but hey, you know, GSM agencies, yeah, GSM agencies don't move fast. At least they're moving. The motion has commenced in the correct direction.
[1:04:12] Less good news. The Federal Trade Commission, so not the FCC we talked about earlier, this is the FTC, they did a giant big report into what do social media companies actually do in terms of the accounts of kids and teens, and are they keeping to the letter or spirit of COPPA or any other relevant laws? No. No, they're not. They're making money hand over fist selling the data of kids.
[1:04:40] They don't have enforcement power, but the report might light a fire under someone who does. If you'd like to know more... Hey, can I back us up to talking about RCS? Just for one quick second, I'll say something good about iOS 18. I wouldn't put iOS 18 on, and Rod Simmons' entire family is on iOS, iOS, and he's on Android. And I, so I texted him and I said, here's a full-res video. Can you see it? And he could, and he sent me a full-res video and I could see it. And he wrote back, he said, I'm so happy I could cry, because what he's had to do with his family is he always had to upload it to Google services and then send them a link. And it's just like, here's some stupid video of, you know, my kid playing basketball or something. And, and, so it is, it is a really good thing that we've got GSM now. That, if you deal with a lot of Android people and you want to be able to play with them back and forth, it is a good reason to go to iOS 18. Excellent. That's a very United States thing, because particularly in Europe, we just all use Telegram, or not Telegram, the green one. WhatsApp. So it's the green icon. I'm terrible like that. The blue icon is for chatting to Allison. The green icon is for chatting to family. Anyway.
[1:06:03] Um, where was I? Ah, yes. Our friends noyb, which is a privacy group, which stands for "none of your business", which is a good name. Well, it's a good name, it's a terrible acronym. And noyb, they have filed a lawsuit against Mozilla, who are not the kind of company you usually expect to be sued by a privacy advocacy group. And I did a bit of reading on this, going, what? Why would Mozilla be in the line of fire here? And the conclusion I have drawn is that this is a battle between idealists and realists. So Mozilla have developed a technology where they use the browser to anonymously track the effectiveness of ads and give that anonymous data back to the advertisers, in the hope that that will stop them using evil tracking, because, hey, at least they can get their advertising stuff this way. So the idea being the web doesn't have to completely be changed, but we can have privacy. And the privacy advocates feel that, well, okay, it's different tracking, but we don't want anyone, not even the browser, to be collecting this information anywhere, not even on your own device. So idealist versus, I guess, pragmatist, which is what Mozilla are being. So I don't think anyone's being evil here. It will be interesting to see what happens. And I think there's some sort of a conservation of AI training momentum or something in the United States, because I had two stories that I just was like, what? Is it like one out, one in?
[1:07:27]So Meta said, we are going to start using the data of UK Facebook and Instagram users to train our AI. I was like, oh, that's not good. And LinkedIn went, we are stopping using UK data to train our AI because we think we're about to get in trouble with the Information Protection Commissioners. So maybe there's only room for so many of them. It's a finite space. Somebody at any point in time has to be abusing your privacy. Good. Clearly. Yeah, exactly.
[1:07:56] And, oh, my show notes say "apply and meta". That's another typo. Apple and Meta have opted out of the EU's voluntary responsible code for AI, or AI code for responsible computing, or code for responsible AI computing. I can't remember what the bloody thing is called. But anyway, it's an optional list of things. Probably doesn't have any teeth. But they've opted out. They've opted not to do it. They don't want to do responsible AI code? Or they just don't want to play in this particular... I think, well, in the case of Apple, it's this particular sandpit. In the case of Meta, I shall reserve all comment.
[1:08:33] And then we have some nice, because after all that, I thought, let's collect all the good news together. A whole bunch of software has gotten a little bit better. So Discord now has end-to-end encryption. So nice. Nice. The Google password manager will now automatically synchronize passkeys. Again, nice bit of future. Google Chrome have updated their permissions interfaces so that instead of having to say yes or no forever, you now have an Apple-style "once only, please" when a website asks for permission. So again, nice.
[1:09:06] And Windows Server 2005, which is obviously, see, a preview of what's coming. But they are adding a feature that has existed in Unix and then in Linux for a long time, where you can update the kernel of your operating system without rebooting. It sounds like magic, because effectively it's like changing the tablecloth while you're eating your dinner. But it works. Or a heart transplant while you're having a conversation driving a car. Right. But it works. We do this on our Linux servers at work all the time now. It's just become completely normal on recent versions of Red Hat, and it is now coming to Windows Server first. So my hope is that if it comes to Windows Server, it will flow down to Windows 11 not too long from now, and then rebooting for Windows updates will become a thing of the past. You can just update. The amount of friction it removes to be able to just update is, it's a huge difference. People hate rebooting.
[1:10:04] So I hope this comes to everyone. In terms of top tips, then, one of the nice new privacy-related features in the latest iOS is the ability to either lock and/or hide apps. So this is particularly important for parents who may give their phone to their kids to futz about on and also have, say, their work Outlook installed. And maybe you don't want a four-year-old texting your boss about the poop in their pants, for God knows what. So this is just a good feature that you should know about. I hadn't thought of it for that reason. That's, that's a great reason. Yeah. And then interesting insights. Troy Hunt has been on a roll with interesting blog posts, and he's written, it's a long read, make yourself a cup of coffee, sit down, but he's made a very thoughtful post on whether or not you should disclose when you've had a breach. And he starts off by pointing out that the law is nowhere near as strict as we all think it is. And I'm guilty of this too. I found myself reading along going, but the GDPR forces disclosure, and Troy pointed to weasel words: "when there is a risk of genuine harm."
[1:11:21] Oh, lawyers can have a lot of fun with that kind of weasel word. So actually the onus to report is a lot weaker than I realized, and I think than a lot of people realize. But Troy makes a very good point: you should disclose anyway, because it's in the best interest of your company to do it now, because it is going to happen, and you can either do it in a way that will get you plaudits from your users for being responsible or end up with egg on your face. Choose. And there is now very strong evidence that everyone assumes data breaches are going to happen. So people are not angry with companies for being breached anymore. That ship has sailed. People are now angry when you don't tell them. So the incentive is very clear. If you're paying any attention at all, you should do responsible disclosure of breaches, because it is better for you, even if it's not legally mandated. So that's good. That sounds like what you've been saying for quite a while. It does, but I hadn't realized how weak the laws were. So I agreed with everything that came after. But in the first half of the post, I was like, eep, meep. Oh, okay.
[1:12:35] As I say, always good. Now, I have a palate cleanser. Did you add anything to the show notes since I refreshed? I did add one, but you go first. Okay, so I have so many shades of nostalgia for this app. You won't, because you're not a music person, but I have massive nostalgia for a wonderful app called Winamp, which played all of my MP3s for years and years and years and years, and that app was...
[1:13:00] Sort of died a slow death on Windows, and then I moved to the Mac and it died, it could be death for me anyway. The code has now, 20-odd years later, been open sourced, and they're asking for help to modernize the app and bring back Winamp to modern Windows operating systems. So that's so fun. That's just fun. I don't care who you are, that's fun. I love exactly that. All right, well, since I mentioned Clippy, I decided to throw in a, there's a woman named Elle Cordova, and she does videos on space things and technology things. And it's one of, she does those kinds of videos where she plays a bunch of different characters. And so you see above her head who she's being when she's doing this different thing. She did one on digital assistants, like the S lady and A lady. And she brings in Cortana, GPT-4. It is absolutely hilarious. Hilarious. The end of it will make you spit coffee out your nose if you happen to be drinking it at the time. So it's delightful. If you don't like TikTok, you can also find her on Instagram. So I didn't put a link to the Instagram one, but I gave it to you on TikTok. It's very funny. It's entitled "Server Break Room". Okay, cool. I will enjoy that later. That sounds absolutely fantastic. Thank you, Allison.
[1:14:17] All righty. Well, palate cleansed. We've fire extinguisher. This, as Security Bits goes, this is pretty nice. Yeah, actually, now that you say it, this has been a decent two weeks of cyber security. Let's hope for more of the same. But remember, folks, regardless of what happens in the next two weeks, there's one thing you always have to remember to do: stay patched so you stay secure.
[1:14:42] Now, it was a while ago that you guys heard this, but you might have found it ironic that I complained about Audio Hijack and all the Rogue Amoeba tools right after telling you how great they are. We just went into a firestorm of weird. I don't blame them. I don't know what was going on. It was very, very strange. But I will give one more plug for Audio Hijack. As I've mentioned a bunch of times, I record my side and Bart's side on two separate tracks, and I separate them and put them into the show. Bart does the same thing. And so I actually take the clean version of him and the clean version of me from our two recordings and I discard the other half of each one. But one of the reasons we do that is it's a belt-and-suspenders approach to doing the recording. And because we've been faffing about so much with all these different controls, I never hit my record button. So the reason you just heard Security Bits and heard, more importantly, heard both sides of Security Bits is because Bart and I both do double-enders and we record both, so we record both sides. So anyway, it does end up still being an ad for Rogue Amoeba. But that is going to wind us up for this week now. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Oh, I just remembered something really important. There's no live show next week. We will not be here next week, and the show's going to come out early on Wednesday.
[1:15:58] All right, now you can remember everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com/mastodon. If you want to listen to the podcast on YouTube like the kids do today, you can go to podfeet.com/youtube. If you want to join the conversation, you can join our Slack community at podfeet.com/slack. And you can talk to me and all of the other lovely NosillaCastaways there. You can even go thank Helma for all of her hard work on Programming By Stealth. You can support the show at podfeet.com/patreon or with a one-time donation at podfeet.com/paypal. And if you want to join in the fun of the live show, not next week, but the week after that, head on over to podfeet.com/live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic pod.
[1:16:39] Music.