NC_2024_10_27
This episode explores recent Apple updates, insights from the Clockwise Podcast on password management, a Git submodules tutorial, AI voice tech experiences, and positive cybersecurity trends with Bart Busschots.
Automatic Shownotes
Chapters
Long Summary
In this episode of the NosillaCast Podcast, I dive into a range of technology topics with an emphasis on recent events and developments in the Apple ecosystem. This podcast exemplifies a blend of personal insights, collaborative discussions, and educational content centered around technology. Each week, I bring my personal experiences and analyses to engage listeners while keeping a slight Apple bias evident.
I had the pleasure of guesting on the Clockwise Podcast this week, where I engaged in a lively conversation with Dan Moren, Mikah Sargent, and the charismatic Christopher Phin. Our four-person format allows us to tackle four distinct topics in a crisp, concise 30-minute format, making it an efficient yet entertaining listen. The topics ranged from the impacts of Apple CEO Tim Cook’s daily device usage to the burgeoning excitement surrounding Apple's upcoming password management solutions. I expressed my concerns about the potential shift users might make from established password managers to Apple’s own offerings, highlighting the security implications tied to users’ chosen unlock mechanisms on their devices.
In a subsequent section, I dive into the intricacies of Git submodules as part of our ongoing series, Programming by Stealth with Bart Busschots. I unpack these nested repositories, explaining their relevance and showcasing real-world applications that underscore their importance. Git submodules are particularly appealing for my collaboration with Bart on show notes since they can help streamline our workflow, maintaining organization on his end while simplifying my file management.
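The show-notes workflow described above, built on disk as an added example. This is not code from the podcast or from Programming by Stealth; it assumes git is installed, and the repository, directory and file names (shownotes.git, bart, allison, tooling, pbs172.md) are hypothetical. The superproject keeps the "many folders" and embeds the show notes as a submodule; the collaborator clones only the show-notes repo; and the superproject's pointer to the submodule is an exact commit that changes only when deliberately bumped and committed.

```shell
#!/bin/sh
# Added example: throwaway superproject + submodule layout in a temp dir.
# Requires git. All names below are hypothetical.
set -eu

# Commits need an identity; set one for this process only.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
# Submodules on a local path use git's "file" transport, which recent git
# versions refuse for submodule operations unless explicitly allowed.
GIT="git -c protocol.file.allow=always"

submodule_demo() {
  W=$(mktemp -d)

  # 1. The show notes get their own repo: a bare "origin" plus a seed clone.
  git init -q --bare "$W/shownotes.git"
  git clone -q "$W/shownotes.git" "$W/seed" 2>/dev/null
  echo "# PBS 172 show notes" > "$W/seed/pbs172.md"
  git -C "$W/seed" add pbs172.md
  git -C "$W/seed" commit -q -m "PBS 172 show notes"
  git -C "$W/seed" push -q origin HEAD

  # 2. Bart's superproject keeps his other folders and adds shownotes as a submodule.
  git init -q "$W/bart"
  mkdir "$W/bart/tooling"
  echo "build stuff Allison never needs to see" > "$W/bart/tooling/build.sh"
  git -C "$W/bart" add tooling
  git -C "$W/bart" commit -q -m "Bart's own tooling"
  $GIT -C "$W/bart" submodule --quiet add "$W/shownotes.git" shownotes
  git -C "$W/bart" commit -q -m "Add shownotes as a submodule"
  # The superproject records one exact submodule commit (a "gitlink"), not a branch.
  PINNED_BEFORE=$(git -C "$W/bart" rev-parse HEAD:shownotes)

  # 3. Allison clones only the shownotes repo; tooling/ does not exist for her.
  git clone -q "$W/shownotes.git" "$W/allison"
  echo "Allison's additions" >> "$W/allison/pbs172.md"
  git -C "$W/allison" commit -q -am "Allison edits the notes"
  git -C "$W/allison" push -q origin HEAD
  SUB_NEW=$(git -C "$W/allison" rev-parse HEAD)

  # 4. Bart's superproject still pins the old commit until he bumps it on purpose.
  PINNED_STALE=$(git -C "$W/bart" rev-parse HEAD:shownotes)
  $GIT -C "$W/bart" submodule --quiet update --remote shownotes
  git -C "$W/bart" add shownotes
  git -C "$W/bart" commit -q -m "Bump shownotes to Allison's latest"
  PINNED_AFTER=$(git -C "$W/bart" rev-parse HEAD:shownotes)

  # 5. A plain clone of the superproject leaves shownotes/ empty;
  #    --recurse-submodules is needed to populate it.
  git clone -q "$W/bart" "$W/plain"
  $GIT clone -q --recurse-submodules "$W/bart" "$W/full"
  PLAIN_HAS_NOTES=$( [ -f "$W/plain/shownotes/pbs172.md" ] && echo yes || echo no )
  FULL_HAS_NOTES=$( [ -f "$W/full/shownotes/pbs172.md" ] && echo yes || echo no )

  # Shows the pinned SHA (a leading "+" would mean the checkout differs from the pin).
  git -C "$W/bart" submodule status
  rm -rf "$W"
}

submodule_demo
echo "pinned before Allison's push: $PINNED_BEFORE"
echo "still pinned after her push:  $PINNED_STALE"
echo "Allison's new commit:         $SUB_NEW"
echo "pinned after Bart's bump:     $PINNED_AFTER"
echo "plain clone has notes: $PLAIN_HAS_NOTES, recursive clone has notes: $FULL_HAS_NOTES"
```

Two points worth keeping in mind when using this layout. The pin is an exact commit hash, so a clone of the superproject is reproducible and a new push to the submodule's origin does not silently change what the superproject contains; the change only lands when someone runs `git submodule update --remote`, stages it and commits, and that bump shows up in review as a SHA change. And a clone made without `--recurse-submodules` (or without a later `git submodule update --init`) gets an empty directory where the submodule should be, which is easy to mistake for missing files.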
Additionally, I served as a guest speaker for the Silicon Valley Mac Users Group, conducting a tutorial on Audio Hijack. This session was recorded and now exists as a resource for those intrigued by the software. While my approach was slightly more relaxed than my typical tutorials, it provided attendees with essential knowledge on creating sessions, utilizing templates, and the broader capabilities inherent in Audio Hijack.
Subsequently, I took listeners through my experience of utilizing AI-generated voice technology after losing my own voice temporarily. I explored various platforms, including ElevenLabs and ChatGPT, to investigate their effectiveness. The process was more tedious than anticipated, especially with the limitations I faced on both Resemble AI and Play.ht. I detailed my trials with audio file uploads, voice cloning, and the character limitations imposed by each service. Ultimately, I found the most satisfaction from the AI voice generated by Resemble AI and Play.ht, even as I navigated the challenges of accurate voice representation and message integrity.
In this week’s Security Bits segment with Bart Busschots, we transitioned back to a more positive outlook on current events within the cybersecurity landscape, noting commendable initiatives such as Apple’s advancements in private cloud infrastructure and the developments in the realm of passkeys to enhance user security. We also highlighted important changes to the regulatory framework regarding online subscriptions, focusing on new rules that mandate a straightforward method for cancellation which enhances consumer rights.
Through every part of this episode, I aim to enlighten listeners on the evolving technology landscape while fostering a spirit of inquiry and engagement in the tech community. Whether discussing trends in password management, collaborative programming techniques, or AI innovations, my goal remains consistent: to provide valuable insights and spark meaningful conversations.
Brief Summary
In this episode of the NosillaCast Podcast, I explore recent developments in the Apple ecosystem and share insights from my guest appearance on the Clockwise Podcast, discussing Apple's password management solutions and Tim Cook's device usage. I also explain Git submodules in our Programming by Stealth series and provide a tutorial on Audio Hijack for the Silicon Valley Mac Users Group. Additionally, I recount my experience with AI-generated voice technology and highlight positive trends in cybersecurity with Bart Busschots. My goal is to illuminate the tech landscape and foster community engagement.
Tags
NosillaCast Podcast
Apple ecosystem
Clockwise Podcast
password management
Tim Cook
Git submodules
Programming by Stealth
Audio Hijack
AI-generated voice technology
cybersecurity
community engagement
Transcript
[0:00]
NC_2024_10_27
[0:00]Hi, this is Allison Sheridan of the NosillaCast Podcast, hosted at podfeet.com, a technology geek podcast with an ever-so-slight Apple bias. Today is Sunday, October 27, 2024, and this is show number 1016. Well, you can tell I do technically have my voice back, but it's still a little rough, but we're going to bear through this one.
[0:23]
Clockwise #577: Witches Are Doing it for Themselves
[0:23]Well, I got to be on the Clockwise Podcast again this week with Dan Moren and Mikah Sargent, along with the delightful Scottish Christopher Phin. I love this show because it's so crisp. It's precisely 30 minutes long with four people and four topics. Each of us gets to pick our own topic and the four people answer. The topics on episode number 577 were from Dan Moren. He asked, Tim Cook reportedly uses Apple devices every day. How many do you use? Is it a deliberate effort or is it just something that happens organically? I love that question because everybody listening wants to answer it when you're listening to the show. Now, my question was, people seem excited about Apple's new password app, and many are even considering moving away from paid-for password managers like 1Password. I'm worried people don't realize that their passwords will be protected only by the strength of the code they use to unlock their phones or the login password on their Macs. I asked the other three people, how do you view Apple's password app in light of that information?
[1:24]Mikah Sargent asked, when's the last time you launched a game, aside from New York Times-style word games on your phone, and what did you play? Yeah, I didn't do too well on that question. Christopher Phin asked, does technology play a part in your hobbies or do you keep that nonsense well away? This was my favorite answer because I was actually going to put in a question asking whether anybody does anything with their hobbies with tech because of the work that I've done lately doing cross-stitch stuff on my iPad. So that was my favorite one to answer. Anyway, we had great fun as always, and I hope you'll check out Clockwise number 577 in your podcatcher of choice, or of course, you can follow the link in the show notes.
[2:07]
PBS 172: Submodules (Git)
[2:07]In this week's installment of Programming by Stealth, Bart takes us back into our Git mini-series to explain Git submodules. These are essentially nested Git repos. After we learn what they are, he explains why this nesting might be needed. Then he takes us through three use cases as a way of illustrating the kinds of problems Git submodules can solve. The reason I was so excited about Git submodules is it'll solve a real-life problem for me. Bart and I work on the show notes using Markdown, and we collaborate on these plain text files using Git. But because of a tool choice on his end, I have ended up with many folders of content on my end that are not relevant to the work I do. With Git submodules, he'll be able to keep his organization, and yet I won't have to see any of that. This is going to be fun to eat our own dog food with Git submodules. You can find Programming by Stealth at pbs.bartificer.net, and of course there's a link in the show notes to Programming by Stealth number 172 submodules in Git.
[3:06]
How to Use Audio Hijack – Video for SVMUG
[3:06]While I was busy this week, I was also the guest speaker for the Silicon Valley Mac users group, where they asked me to teach how to use Audio Hijack. Now, I'm not just telling you about that as a tease and you'll say, oh man, I didn't get to see it, but they actually produced a high quality video recording of the tutorial. Now, I wouldn't put this up against my Screencast Online tutorials about Audio Hijack. Those are very highly produced and tight and crisp. This was a little looser and I was kind of fun with the audience, but that's cool too. I went through kind of the basics of how to create sessions and I also explained how to use the different sessions that they have as templates and talked about the kinds of things that you can do with Audio Hijack. It's not as maybe expansive as the other tutorials I've done either, but I think it gives you a flavor of how to use Audio Hijack if you're interested in that tool. There's a link in the show notes to the video on YouTube.
[4:04]
Voice Synthesis – the 2024 Edition with Play.ht and Resemble AI
[4:05]As you remember, a couple of weeks ago, I lost my voice yet again and produced one segment of the show with an AI-generated voice. I promised to tell you how I did it last week, but I still didn't have enough voice, and we're going to see whether I can power through this week. In 2023, I used ElevenLabs to produce my voice when I lost my voice, but I thought I'd ask ChatGPT this year what all the cool kids were using. I recently started ponying up the $20 a month for ChatGPT so I could get access to ChatGPT 4.0, and in particular to the voice conversation version of ChatGPT. That part wasn't as useful during this experiment because I'd lost my voice, but I went ahead and typed to it. My initial query to ChatGPT on the topic was, I need an AI to read some material in my voice. I have hours of recordings of myself that I can use to train it. Which services would you recommend and what would the cost associated with each option be? ChatGPT responded with five services to consider, along with a section on how it works and a cost summary for each. I gave it a little more information based on my use case. I said, I need this for one-time use and it'll be around 2,000 words.
[5:14]ChatGPT now gave me four options, some of which were included in the first set, but it gave me a better description of how each could possibly meet these new needs. The top two by their description were Resemble AI and Play.ht. For a one-time use case involving around 2,000 words, it said you're likely better off using a service that charges based on output rather than a subscription model. Here are some good options for one-off projects. It described Resemble AI as saying how it works, offers the ability to create a custom voice and pay only for what you generate. As a cost for one-time use, you can pay for output usage rather than a monthly subscription. Pricing typically starts at around, what was it, $0.006 per second of generated audio. For 2,000 words, which would be about 15 minutes of speech, expect to pay roughly $3 to $5. Here's a spoiler alert. That's wrong. Anyway, it says best for high-quality short-term use. Then it described Play.ht, and under how it works it says you can clone your voice and only pay for the audio you generate rather than subscribing to a plan. Cost for one-time use: you can buy credits for short-term needs. Prices start at around $5 for basic audio output depending on the number of words. This is also wrong. Anyway, it said it was best for simple, straightforward TTS with your custom voice. I don't really know what TTS is, but let's move along.
[6:39]I started with Resemble AI. Resemble has several pricing plans, none of which are what it described that I could find, but the lowest of which is called Creator, and it costs $29 per month, but you can get the first month for $1. That sounded like a good deal just to test it out, so I ordered a subscription and I made myself a reminder to cancel before the first $29 payment came due. It turns out the Creator plan has some limitations, and I'll explain how these eliminate Resemble for my needs. You get 10,000 seconds of created voice. You get five rapid voice clones and one professional voice clone. The first hurdle with Resemble AI was that I had to record a disclaimer in my own voice that I understood the terms of using it. Well, remember, the problem I had was that I'd lost my voice, right? I managed to croak out the recording as painful as it was, and then I was able to upload some audio of my normal voice to train the service. It was irritating to have to do that little recording once, but every time I tried to train it again, I had to make that video recording saying I understood what they were going to do with my voice.
[7:45]While the service says that I should have gotten one professional voice clone with 98% accuracy, it said that I'd already used mine up. I don't ever remember being offered the professional one, but it showed that I had one with the status of pending, so I wasn't able to use it. Rapid Voice Clone said it was 75% clone accuracy, but I'll let you be the judge of that when you hear the recording it created for me. The next task was to upload a voice recording. You can upload a WAV or MP3 file, and the file size limit is 25 megabytes. I clipped a story from a recent episode of the NosillaCast down to two minutes and uploaded it to Resemble AI. After it uploaded and analyzed the audio clip, it asked me to choose the use case for the voice. I could choose from social media, video games, ads, e-learning, corporate videos, voice assistant, dubbing, or podcasts. Well, obviously, I chose podcasts.
[8:40]Next, I was asked to select the tone of voice. This was a little harder. My options were emotion, intense, whisper, accented, slow, conversational, explainer, or character. I'm usually explaining things in my podcast, so that seemed a good choice. I presumed that I would be able to adjust those based on what I heard, but nope, that voice is locked in with those settings once you create it. Now I needed to give Resemble AI the script to read. While I had the blog post at the ready, it was filled with markdown formatting that I had to remove and it had references to images, so it didn't take me too long to clean it up. I copied the entire text of the blog post, I plopped it into the text box on Resemble AI and it yelled at me. Turns out you can only do 3,000 characters at a time and this article was 13,709 characters long. I was going to have to chop this up into pieces.
[9:35]Anyway, when it was done with the first chunk, I had to say I was pretty disappointed in the results. Not only did it not sound like me, it actually sounded like it was changing gender between sentences. I'll let you have a listen to see what I mean. You may have caught on that I'm a bit of a tech nerd, but I also like to do some craft-type stuff. Who can forget one of my favorite articles entitled Knit Like a Programmer? Today, I'd like to tell a story of combining nerdery, tech gadgets, crafts, and even photography. You may learn something that will help you one day, or you may end up shaking your head thinking I make things too complicated. So you see what I mean? I mean, each voice maybe isn't terrible. None of them sounded a lot like me, but the fact that it was changing, that just made it totally unusable. At this point, I gave up and I used the second service, Play.ht, to create the voice you heard last week. I needed to get the show up that same day, so I didn't have a lot of time to experiment with Resemble AI. I'll explain how Play.ht worked in a minute, but I decided the following week to go back and see if I could figure out how to get that darn professional clone to work, because I didn't want to judge them based on the rapid clones. I paid a whole dollar to test the service, and if I panned it based on that frankly terrible quick voice, I don't think that's a good review for you. So before we get to play.ht that I actually used for the voice two weeks ago, let's finish out the Resemble AI story.
[11:01]Remember I said Resemble AI said I'd used up my professional voice clone and it said it was pending? I know for a fact I never used that professional clone, but when I went back in, I noticed there was an option to delete the clone. Then I went through the very different steps to create a professional clone. The biggest difference was that they require a full 15 minutes of audio to do the pro voice. I had to go find an episode of the NosillaCast where I didn't have listener contributions and then slice and dice it to remove the bumper music to get 15 straight minutes of me talking. I uploaded the 15-minute WAV file, and after about five minutes, it came back with an error telling me to start over.
[11:38]Okay. Again, I recorded my consent and told it to upload the 15-minute file. Oddly, it came back almost instantly, telling me it was done. And it was in pending status again. The next morning, as I was doing my daily cleanup of my spam folder, because Apple is no longer capable of accurately discerning replies to emails I've initiated from downright spam, I discovered that Resemble.ai had an issue with my upload. The error was that I had uploaded a WAV file as directed, but that it was improperly encoded. I have very little control over the way my software encodes WAV files, so I encoded it again, but this time as MP3, because they say that both MP3 and WAV are supported for upload. But they sent me another failure notice telling me MP3 isn't supported. I put a screenshot in the show notes saying MP3 is supported. They said it has to be WAVE. Seriously, there's two banners. One saying MP3 is supported, one saying it's not supported. And they're on the same page. I opened the MP3 file in Rogue Amoeba's Fission, and then I exported it as a WAV file, so at least a different piece of software was encoding it, and I still got an error from Resemble. This time, they didn't even bother to tell me what was wrong. They said, there's an issue with the dataset you uploaded. Please fix the issue and re-upload the dataset. Issue: an internal error occurred. Please contact support.
[12:59]All right, well, I tried the same file again, and guess what? This time, it accepted it, but it wouldn't let me create a project with it. I entirely deleted the professional voice and tried a third time. And finally, it said I had a professional synthesized voice I could use. Now remember, they only let you synthesize 3,000 characters at a time. So I pasted in the first 2,887 characters of the script I wanted Resemble AI to read for me. I waited while the little spinner showed me it was doing some work. And I waited a little longer, and then I went and took a nap. And then I played around on TikTok, and it was still spinning. Well, I refreshed the window and it had actually finished. You know what it said? Yeah, for that professional voice, it's actually now a 2,000 character limit, not 3,000.
[13:47]Okay, at this point, I was like a dog with a bone. I was going to beat this thing into submission. I'm glad I kept at it because when I finally got 350 words or so in my own voice with Resemble, it was pretty amazing. I think it captures my voice spot on and is less flat than what you heard last year or even two weeks ago. I think it matches my intonation better. It made some mistakes here and there. For example, you hear some words cut off. It would take a bit of massaging of the text to get it to do everything properly, and I'm not exactly sure how I would do that. But enough buildup. Let's listen to Resemble AI's professional voice. The best way for me to describe cross-stitching to nerds is that it's like 8-bit graphics. You create a picture using different colored threads, where each cross-stitch is a little block. Making a diagonal line of these little blocks would be a jagged line just like in 8-bit graphics. So this professional voice is much better. Now just for comparison, here's how Play.ht performed the same sentence last week. The best way for me to describe cross-stitching to nerds is that it's like 8-bit graphics. You create a picture using different colored threads where each cross stitch is a little block. And making a diagonal line of these little blocks would be a jagged line, just like in 8-bit graphics.
[15:04]I think Play.ht did a pretty good job, but it wasn't quite as good as the one with Resemble. Before we leave Resemble and go on to Play.ht, remember that to do the whole script, I would have to repeat the last successful part of the process seven more times to get the whole article recorded, and then stitch them all together. There wasn't an easy way to regenerate each section, so I'm not even really sure whether I'd be able to fix all of the errors it made.
[15:30]All right, now let's talk about Play.ht, which, as you've learned, is the service I ended up using for the show two weeks ago. The bad news is that they didn't have an inexpensive one-month trial like Resemble. Play.ht has several pricing plans, and they look pretty good at first until you realize the prices shown are monthly but billed annually. For example, their unlimited plan is only $29 a month, but you have to buy a year of it for $348. If you toggle it to show the month-to-month price, it's $99 for that unlimited plan. At the other end, there's a free plan, but it's limited to 12,500 characters, and my script was longer than that. The middle tier is called Creator, and the month-to-month price was $39. For that price, I could get 250,000 characters in the month and 10 instant voice clones. I also noticed that only with the paid plans do you get attribution-free use. I'm wondering whether there's actually voiceover on the free plan, kind of like a watermark on an image. I mentioned the Creator plan says 250,000 characters per month, but they don't actually calculate it that way. Every time you regenerate a voice clip, you can see a countdown on the number of seconds you have left in your plan. If you hover over the eye next to the 250,000 characters per month, it tells you that's approximately six hours. I bring this up because as I was working with Play.ht, I was watching the number of seconds count down, and I didn't actually know what number it had started with.
[16:59]Play.ht doesn't play well with Safari at all. The play button wouldn't, well, play the audio. I switched over to Microsoft Edge, which is a Chromium browser, and it started to function properly. While Play.ht allowed me to import my entire script, when it generated the audio, it did it in a whole slew of short paragraphs, maybe three sentences at most. I had to tell it to use my voice, not one of the canned voices they offered. For each paragraph, there were several controls. I could change the language, which of course I played with, but I didn't need to do. The initial generation of my voice, it sounded a bit slow. Above each paragraph is a little timer symbol where you can drag a slider to change the speed.
[17:40]Unfortunately, it doesn't speed up the individual clip. You have to drag the slider, hit regenerate, wait around 30 seconds or more, and listen again to see if you like it. Every time I hit regenerate, I watched those seconds of credit tick down and I got anxious. Each time you regenerate, next to the given paragraph, you start to see a list of all the regenerated clips. You can delete them or download them or leave them be till the end. You can also change advanced settings on each clip. The setting sliders are stability, similarity, and intensity. Here's the help text for each of those settings. Stability said move the slider to the left to create a flatter, more neutral performance. Move it to the right to add expressiveness and variance. I sure didn't want a flat voice, but I found if I moved it too far to the right, it was too excitable. After a few trials, watching those seconds count down and getting bored waiting for it to regenerate, I ended up landing on 1.20 on a scale of 0.10 to 2.00, so a little past halfway.
[18:41]Similarity said, move the slider to the left to reduce how unique your chosen voice will be compared to other voices. That's kind of weird. Move it to the right to maximize its individuality. Okay, seriously, why would anybody not want it as similar as possible to your own voice? Maybe they were talking about other people's voices. Maybe that's what they meant. Anyway, I cranked this one all the way up. Intensity said language intensity. Move it to the right to make the voice follow the selected language, accent, and style better. Same assessment here. I slid intensity to the max setting. Why would I want it to not meet the accent of this selected language? Makes no sense. Now, you would think this was something I could decide on just once and then apply to all the paragraphs, but you'd be wrong. I had to adjust those three sliders and the speed for every single one of the paragraphs, hit regenerate for the given paragraph, wait a minute or so, and watch those seconds count down. Every single paragraph. I looked for some instructions on how to do this more efficiently, but I was unable to find any documentation on the site to follow. I think there was a little video, but it was just an introduction.
[19:50]I think this is the kind of tool that a professional would use, maybe somebody paid by the hour, where tweaking every single paragraph just slightly to get the perfect effect would bring the client joy. But for me, just trying to get the darn podcast out where it sounded reasonably close to my voice, it was sheer tedium. After working my way through a few of the paragraphs, I realized that I actually needed to listen to each one because a few of them had big mistakes. Evidently, the word knit is foreign to this AI tool because it insisted on pronouncing it kit. I took the K out of the word, hit regenerate, waited for it, watched the seconds of credit disappear, and then it said knit properly.
[20:30]Overall, Play.ht did not have much trouble pronouncing things correctly and had far fewer errors than Resemble AI. For the errors it did make, I found workarounds by rewording things. I explained in the article about cross-stitching that I keep the thread in little baggies, but Play.ht was convinced that the word was badges, not baggies. After regenerating a couple of times, I thought maybe it needed more context, so I made it Ziploc baggies, and then it pronounced the word correctly. However, when I said that some people use little cards that they wind the thread around, Play.ht insisted on pronouncing it wind, like air blowing, not turning something. For the life of me, I couldn't figure out a different way to spell that one out or put it into context. Making these speed, stability, similarity, and intensity corrections, and listening to the clips for correctness, I started to lose my place on which ones I had completed. I actually had to create a spreadsheet to track my progress. The other thing that was interesting in a super annoying way is that sometimes the audio generated by Play.ht was completely corrupted. This probably happened every 10th regeneration or so. Hold your ears, this is what I mean by corrupted.
[21:48]Well, the live show got a big kick out of that. I think our favorite comment was Alistair said it sounded like throat singing. I don't know, Steve thought maybe it was a digitaroo, digitaroo? Oh, no, I don't remember how to pronounce that word. But anyway, I couldn't very well use that audio. And yes, the countdown of seconds continued even with those broken audio files.
[22:07]While the process was tedious and time-consuming, Play.ht gave me a lot more control on how the voice sounded on a paragraph-by-paragraph basis. Unlike Resemble, where I had to use a text editor that would count characters for me and chop up my script into seven pieces by hand, Play.ht used my paragraphs to create the audio for each one. When I was done tailoring each paragraph and ensuring it didn't have any avoidable mistakes or throat singing, I did not have to download every paragraph separately and reassemble them into one audio file. Play.ht has an export button to save each paragraph separately or as a single audio file. The bottom line is that it took me a good couple of hours working with Play.ht to get what I would call a passable representation of my voice to carry you over until I mostly got my voice back.
[22:54]$39 for this one effort doesn't seem like too big of a price to pay, but it was quite a bit more than ChatGPT suggested. While I enjoy learning a new tool, I found the process of regenerating, waiting, correcting, regenerating, waiting, dragging sliders, regenerating, sliders, and waiting to be quite tedious. Maybe I just don't have the temperament for this level of detail work. I think Resemble.ai did a better job of representing my voice, and the intonation was better, but it did make a lot of mistakes that I'm not entirely sure how I would correct, like cutting off the ends of words. The poor explanations of what kind of audio files Resemble will accept and how many characters you can import as a script were annoying and really need to be fixed. Once I knew what they really wanted, not what they said, it was easy enough to work around it. The entry price of a dollar was totally worth the experimentation though.
[23:44]I certainly hope it's at least a year before I get to tell you again how I created a synthetic voice to replace my own because of the inevitable laryngitis, I will suffer.
[23:57]
Support the Show
[23:58] You know, people are getting weary of subscriptions, and I totally get that. If you've been holding back from supporting the show because Patreon is a pledge to give regularly, I'd like you to join all of the fine folks who go to podfeet.com slash PayPal and do a one-time donation. Heck, the finest people set a calendar reminder for themselves to go back on a regular basis and make donations through PayPal. I really want to make it as easy as possible for you to become a hero we can celebrate here as a supporter of the Podfeet Podcast.
[24:29]
Security Bits — 27 October 2024
[24:30] Music.
[24:39] Well, it's that time of the week again. It's time for Security Bits with Bart Bouchard. How much doom and gloom do we have today, Bart? Little. Very little. Not zero, but in the notable news section, there is no gloom. It is all good news. There is a bit of gloom saved for somewhere else in the show notes, but I can't remember that ever happening before. Do you think we've ever had that before? No, I don't think so. That's a little crazy. I don't know if I'm ready for that, Bart. Anyway, let's start with a little bit of feedback and follow-up. So we had a conversation a few installments ago about the difference between honeypots and watering holes. And we got some nice feedback on Twitter and stuff. And then a new story crossed my radar. On Twitter? Not Twitter, no. Wait, on Twitter? No, not Twitter. Is it on Slack or on Mastodon? I think it was Mastodon. Somewhere. Yeah, one of the places that's not evil.
[25:39] But there was a new story that crossed my radar that I wouldn't have ordinarily bothered putting in the show notes, but I thought it might be fun to talk about the difference again, so I popped it into the show notes. So basically, Microsoft have created entire fake tenancies, so that's like entire fake organizations, giant big infrastructure, which they use to intentionally click on spam email and stuff to see what the baddies will do. So they're basically falling for phishing on purpose in fake Office 365 infrastructure to watch to see what it is the baddies do when you fall for phishing, which is just cool. So just as a way to study it. Yeah, which is the point of a honeypot. So a honeypot is when the goodies attract the baddies to study them. Okay. And a watering hole is when the baddies lie in wait to eat the goodies.
[26:35] Okay, now I get it. Now I get it. Yeah, so anyway, I thought it was nice. That's a lot of money to invest to do that. Yeah, that's big resources. Also, Apple Intelligence is apparently coming close as we record this. By the time people hear this, it may or may not be out, depending on which part of the rumor mill is accurate. But something we do know for real is that when Apple announced Apple Intelligence, they promised that they would make their Private Cloud Compute platform studiable by security researchers. So Apple Intelligence prefers to do stuff on device so you don't have to worry about privacy because it never leaves your device. But for some questions that are too complicated, it has to go to the cloud. And they have created a very cool infrastructure that takes the security we're used to on our device and projects it into the cloud. And it literally destroys and rebuilds the virtual machine every time it finishes doing a query. It's very cool. And to prove that they do what they say they do, they promised that they would allow security researchers to basically clone the virtual machines and poke and prod and stab at them. And that's what they've done.
[27:47] Oh, really? So is anybody studying them yet? Well, I think it's been out for two days. So I'm sure someone is having great fun, but we haven't heard any results yet. OK, OK. But the poking has begun. The poking has begun. So, worthy warning section then. Again, this is not the world's best news. I think a lot of our listeners will tend to use the major cloud platforms like Dropbox and stuff like that. But I know we may have users of some of the other services. So, if any of our listeners use Sync, pCloud, Icedrive, Seafile, or Tresorit, you need to read the story linked in the show notes. Some security researchers investigated. Wait, wait, what do they do? What do these services do? Dropbox equivalents. Oh, okay. So yes, for context, that's why I said most of our people probably use Dropbox and stuff. But if you don't, you may be using one of these services. And they promise to be end-to-end encrypted. So as they're synchronizing your files, it's all secret and safe, and they can't see your stuff. And some security researchers decided to test these five because they were the biggest of the small ones, if that makes sense.
[29:06] Okay, okay, yeah. Yeah. So there's one behemoth or a couple of behemoths, and then this is the next tier. Precisely. So Google Drive will be obviously another big competitor there. And what they found was that none of the five lived up to their promises perfectly. They told them all about it months ago, and some of them responded by changing things, and some of them responded by not responding at all and ignoring everything. So if you use one of those five services, you need to read the linked article and then read the section for you, because the article's broken into pieces for each of the different services. So they were not end-to-end encrypted, or they were sort of, or they were poorly? What kind of categories? There were different weaknesses. Different weaknesses depending. Each service was different. So some of them were quite esoteric, where if you had malware on your machine, and some of them were a little bit more, you know, bad choices of random and stuff. It was very, very varied depending on which service it was, as was their response, which is obviously a much bigger issue. So like I say, if you use one of those five, check them out. Sync, pCloud, Icedrive, Seafile or Tresorit. Okay.
[30:25] Moving on to notable news then. And the closest thing to a not good news story, which I'm spinning as a good news story, is that Ireland have fined LinkedIn 310 million euro for how they use personal data in targeted advertising, because the GDPR has rules about these kind of things and LinkedIn were not complying with these rules. They have now said, we thought we were compliant, but okay then, we'll change things and we'll become compliant. And they're paying the fine. So they're not really arguing. So they were targeting? They were targeting when they said they weren't targeting? They hadn't... No, they're using data they don't technically have the right to use, because they claimed that they could use it without asking for explicit permission, because they said it was part of their core business, which is not actually appropriate. That's a complete misinterpretation of the GDPR.
[31:25] That's for things like a server that stores IP addresses in log files. That's sort of just the way it works. You can't use that defense for targeted advertising. They were trying to pull a fast one.
[31:41] Next piece of good news, and this is purely 100% in the good news category. So one of the things you and I are both looking forward to is the day when passkeys become completely the norm and they start to take over everywhere and they become really user friendly.
[31:57] And we are making good progress in that direction. But one of the known pain points that the FIDO Alliance flagged as a known issue, but they put it on the long finger to try to get the basics working first, is secure synchronization of passkeys between networks. So if you stay within the Apple universe, your passkeys will synchronize using iCloud. If you stay within the 1Password universe, your passkeys will synchronize by 1Password. If you stay in the, don't go near the LastPass, but if you did, then you would. Or if you stay in the Google ecosystem, your passkeys will synchronize within the Google ecosystem. But what if you want to move from iCloud Keychain to 1Password? Or LastPass to 1Password, or Google to iPhone, or whatever. There's no mechanism yet. You could export each passkey one by one, their giant big strings of numbers, and paste them back in, and it would be a pain. Well, there has always been a promise there would be a proper protocol for securely synchronizing passkeys. That protocol is now quite a big step closer, with a draft version published ready for others to comment on. Let me ask for a clarification.
[33:20] Is this for I would like to stop using it this way and I want to start using it with this service, or is it for being able to be cross-platform? Like if I want to use LastPass on my iPhone but I want to use 1Password on my Mac. I think yes and. So the protocol is quite generic. Er, it's about, how do we say, how do we securely move a passkey from one place to another? And whether you decide to use that ability for a one-off migration or whether you use that functionality for something more continuous, that's kind of going to be up to the app developers. But the protocol itself is about how do I safely get a passkey from A to B? Okay. Okay. So it could be used in two different ways. Interesting. Yeah. And it looks good. Steve Gibson has given it his two thumbs up. And given that he's been a crank on passkeys because it meant that his pet project isn't going to take off, he sort of thought SQRL would somehow take over from passkeys. And that isn't going to happen. And he's finally accepted that. And he's been a real crank on passkeys. And even Steve Gibson gave it his two thumbs up. So. As much as it pained him, huh? Yeah, which is pretty much what he said.
[34:37] In related news, again, this wouldn't have made the show notes if there hadn't been somewhere to hang it on, but Amazon made a press release. Probably not coincidentally, actually, now that I think about it. But they have said that 175 million of their customers are using passkeys to log into Amazon.
[34:56] Wow. Yeah, that's a big deal. That's a fair number. Yeah. More good news. WhatsApp have improved the security of their messaging app so that it now encrypts contacts as it synchronizes them between your devices. So we now have encryption of the contacts database within WhatsApp. Nice. Um, in the United States, you guys have a, an organization called CISA, which is the Cybersecurity Infrastructure. No.
[35:33] Ah, I've lost the bloody acronym now. Yeah. What does, I've got ChatGPT open. Let's find out. What does CISA stand for? Cybersecurity and Infrastructure Security Agency. Okay. I knew it was A at the end. I knew the agency. Anyway, they have released a new set of security requirements that they are proposing to become required. And so the idea is if you're an organization who's large enough and doing important enough stuff that you are potentially a risk to a lot of Americans, specifically entities that engage in restricted transactions that involve bulk U.S. sensitive personal data or U.S. Government-related data, you're going to have to meet this baseline of security. And it's actually really good stuff. And this is going to become a requirement in America in the same way that NIS2 is now coming into force here in Europe. So what's NIS2? OK, so in Europe, if you're a company that's above a certain size or that has more than a certain amount of employees, you have to do basic security. You just have to do basic cybersecurity. And that is NIS2. That is basically, it's a cybersecurity baseline to exist in Europe.
[36:51] And CISA want to do the same kind of thing in America, so that if you're a company above a certain size dealing with US citizens' data or government data, you're going to have to do this baseline of security. And so it's basically setting a foundation for cybersecurity across the whole country. So would that include that the federal government shouldn't lose all of the SF-86 security forms for every single employee of any federal contractor and send it out over the internet to everybody? Well, that should be the effect of putting a good baseline in place. The actual baselines are much simpler stuff. It's kind of, I don't know if it's terrifying or fascinating to actually read the bullet points in the linked show notes laying out what the baselines are. But they're very simple things like having an inventory of every IP address that should be on your network and noticing if a stray IP address shows up, because then someone plugged in something they shouldn't have. I mean, none of it is rocket science. It's all very basic stuff. But again, if you put that foundation under everyone, that should actually make a really big difference. Do the simple things and do them well. And if everyone did that, we'd be in a much better position. So I really like these kind of baseline regulations.
[38:09] Yeah, they don't have to be rocket science to make sense, right? Precisely. Precisely. And then the last is another piece of good news. The Federal Trade Commission has pushed through a new rule, which they are calling click to cancel. Basically, if you subscribe to something online and it's as easy as clicking one button to subscribe, it now legally must be exactly as easy to unsubscribe. It must be a one-button unsubscribe. So this locking you in and making you go through retention. Goodbye.
[38:42] Now, see how quickly I can find this? No, I'm not going to be able to get it quickly enough. But shockingly, some of the big ISPs are fighting this. They don't think this is a really good idea. I don't know that it was the ISPs, but some giant companies are all not wanting to do this. Well, isn't it your ISP that makes you jump through these retention? They send you to a department called retention if you try to cancel. Now, you're using it to your advantage to get them to give you a better deal. But if you were trying to cancel, you'd have to do that as well before now. A lot of them. A lot of them are like that. But I haven't really run into it other than to my advantage so far. When I went to cancel cable, they said, okay, okay, that's fine. But can we give you a deal on YouTube TV? Why, yes, you can. They gave me 10 bucks a month off of YouTube TV. It's like, why did you just do that? I think they're tired of doing the cable TV stuff. Cool. Oh, it was. Cable companies asked Fifth Circuit to block the FTC's click to cancel rule. I'll put a link to the Ars Technica article about that. In other shocking news. Water is wet.
[39:58] I have some excellent explainers to link to. Actually, yeah. So these are articles that are, if you're interested in cybersecurity, which you may well be because you're listening to this segment, then these are cool articles to read. But if you're just interested in staying safe, you can skip over this. That's why they're excellent explainers. The first one is from Bleeping Computer. And this comes with a very small caveat. This is a sponsored article. So the bottom 20% of the article is a sales pitch, but the top 80% of the article is a superb overview of how passwords are being attacked at the moment.
[40:38] Basically, understand the seven password attacks and how to stop them. If you're curious, how are people taking over accounts? This is how it's being done today in 2024. And I'm really impressed at how well written it is for being a sponsored article, because some sponsored articles are awful. It's like the sales team rather than the technical team. This is technical people who are good at communicating who wrote this article. I just really, I was really impressed with it. Yeah, it's sponsored by Specops Software, but you said it's really good. I'd like to take a look at this. This looks pretty interesting. The second one, Allison, I picked entirely because I heard your voice in my ear as I was reading it. It's called Acronym Overdose: Navigating the Complex Data Security Landscape. So if you read cybersecurity headlines, they are full of acronyms. Or if you're even trying to buy a product, they're full of acronyms. And even if you're in the industry, it becomes really difficult to keep in mind, DLP, what's DLP again? Or what's EDR? Or what's, well, here they are, laid out, what they are. And actually, much more importantly, what they do.
[41:49] That's actually what really matters, right? Like endpoint detection and response. What is that? Okay, great. That's what EDR stands for. What does it actually mean? It means better AV, is what EDR means. It's basically next generation antivirus. I was going to give you a hard time in this context for saying NIS2, but when I asked you what NIS2 was, you didn't even tell me what the acronym stood for, because that would just go in one ear and out the other and be useless information. But understanding it is the European law that requires these basic security-related measures to be taken. See, I remembered it, and that was almost six or seven minutes ago. But if you told me what NIS2 stood for, I would not have remembered that. There we go. Right, um, okay. Now, this interesting insight, this is the one where if you don't want any bad news today, cover your ears now. This interesting insight is excellent reporting. It's really good reporting by some really good people, including Brian Krebs. None of it is good news. Basically, we know that mobile advertising is a privacy train wreck. We know that the ads in the apps and in the websites we visit on our phone are tracking us and selling that information in all sorts of unscrupulous ways. We know this. If you want to double underline that and know all the details of how, this exposé is terrifying. Links in show notes. I read it. I didn't feel any better after reading it.
[43:19] Are these things still true if you say, you know, ask app not to track? Oh, yes, because basically they use, it makes it harder, right? If you say ask app not to track, it makes it harder because they don't just get the information for free. They don't just get it from an API call. They have to infer it from your IP address and they have to do more work. But because there are no laws. It doesn't stop them. Yeah, because it's not illegal, all it does is make them work a little bit harder.
[43:51] Okay. Don't they do the low-hanging fruit people first? I think they do everyone, but the low-hanging fruit people are more tracked, and they'll have even more data points. Got you, got you. Okay. Oh, goody. So I'm glad you were able to fold some gloom and doom in here. We wouldn't have been comfortable if it had been all good news today, right? I wouldn't have felt right. Yeah, you're right. Like, you know, security news and it's all good. No, no, no. Now, I'm going to cleanse your palate thoroughly, though. And I'm going to do, I'm going to cleanse your palate in a very unusual way. I'm going to tell you to trust me. And I don't often do this. So please give me that trust, because I don't often do this. And I was told about this video in exactly the same way. I got a link from someone I trust that said, I'm not going to tell you what this is. It's not that long. It's 20 to 25 minutes. It's a talk by Cabel Sasser from Panic Software. You like Transmit, therefore you like Cabel. Nothing more. It's worth watching. The end is amazing. Go watch. And I was like, sir, yes, sir. Huh. And I did. And it is. And I wanted to share.
[45:02] So that's interesting. I do that to my friends occasionally, just saying, just trust me. I usually tell them whether it's going to make them happy or sad or whatever, but you're going to leave us wondering. Oh, happy, happy, happy. This is palate cleansing territory. 100% cleansed. Okay, good, good. Yes, I do like Panic Software. That's for sure. Well, I'm afraid that's it. That's all you got, Bart? It's weird. I felt like I had done something wrong. Now, today is the day that the clocks changed, so my whole day has been weird. And I was writing the show notes thinking, oh my God, I need to record an hour earlier. This is going to be terrible. Oh my God, you know, panic, panic, panic. And I had two hours left to go work on the next Programming By Stealth, which I did, and it was great. Wow. Yeah, very quiet.
[45:49] But of course, we know what we must all do. We must all stay patched so we stay secure. Well, that is going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon, or with that one-time donation I mentioned at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways.
[46:39] Music.