NC_2024_11_10
The episode covers Apple tech trends, including iStat Menus 7 and macOS Sequoia’s Passwords app, plus a "Security Bits" segment on child protection and TikTok, urging adaptation to evolving security needs.
Automatic Shownotes
Chapters
NC_2024_11_10
Are You Baffled by iStat Menus 7’s Interface? Lee Garrett’s ScreenCastsONLINE Tutorial Can Help
I’ve Changed My Mind About Apple’s New Password App
How to Get to Images out of Apple Pages, Numbers, and Keynote
Support the Show
Security Bits — 10 November 2024
Long Summary
In this episode of the Technology Geek podcast, I delve into various technology trends and personal experiences, reflecting my enthusiasm for all things tech-related, particularly with an Apple slant. I share my journey with creating tutorial videos for ScreenCastsONLINE, highlighting the exceptional work of Lee Garrett, the new owner of the company and a talented tutor in his own right. I recount my initial frustrations with the interface of iStat Menus 7 and how Lee's tutorial opened my eyes to its many hidden features.
As we transition into discussing Apple's latest developments, I delve into the new Passwords app introduced with macOS Sequoia and iOS 18. My ongoing engagement with password managers, particularly my loyalty to 1Password, comes to the forefront as I emphasize the potential pitfalls of relying solely on Apple's password-saving method. I reflect on conversations with friends like Melissa Davis, touching on the importance of secure password practices, especially for technology-resistant individuals. My personal anecdotes about guiding friends and family on password manager usage and cybersecurity best practices illustrate the broader conversation around account security.
The episode continues with a detailed examination of the image extraction process from iWork documents, a feature that many Apple users may find perplexing. I offer a step-by-step guide to accessing images within package files, showcasing the challenges and solutions discovered through collaboration with listeners. Moreover, I share insights into the broader purpose behind these package file types, uncovering Apple's intentions aimed at enhancing user experiences with large documents.
We also shift gears to the realm of security with an engaging discussion featuring Bart Busschots during our "Security Bits" segment. Bart and I explore Apple's ongoing initiatives regarding child protection technology, the implications of recent TikTok controversies, and the importance of keeping devices updated with the latest security patches. We further analyze security trends among various platforms and the implications of a recent survey that highlights the growing adoption of password managers.
As we conclude the episode, I tease the exciting possibilities that technology brings to our lives, peppered with personal anecdotes that enrich the narrative. My excitement for new advancements is palpable, and I encourage listeners to reflect on their relationships with technology and security. This multifaceted episode aims to provide listeners not just with critical insights, but also with engaging stories that underline the significance of adapting to an ever-evolving tech landscape.
Brief Summary
In this episode of the Technology Geek podcast, I explore key tech trends with an Apple focus, reflecting on my experience with ScreenCastsONLINE and the influence of Lee Garrett's tutorials on iStat Menus 7. I discuss the new Passwords app in macOS Sequoia and iOS 18, highlighting my commitment to 1Password and the importance of secure password practices.
I provide a guide on image extraction from iWork documents and examine Apple's intent behind package files. The "Security Bits" segment with Bart Busschots covers child protection technology, TikTok controversies, and the necessity of security updates. I conclude by encouraging listeners to reassess their tech relationships, emphasizing the significance of adapting to evolving security landscapes.
Tags
Technology Geek
Apple
ScreenCastsONLINE
Lee Garrett
iStat Menus 7
Passwords app
macOS Sequoia
iOS 18
1Password
security practices
image extraction
iWork documents
child protection technology
TikTok controversies
security updates
Transcript
[0:00]
NC_2024_11_10
[0:00]Music.
[0:06]Technology Geek podcast with an ever-so-slight Apple bias. Today is Sunday, November 10th, 2024, and this is show number 1018.
[0:16]
Are You Baffled by iStat Menus 7’s Interface? Lee Garrett’s ScreenCastsONLINE Tutorial Can Help
[0:15]Whenever I do a ScreenCastsONLINE tutorial video, I always tell you about it. I tell you how much fun I had creating the tutorial and what you learned from it. I do this because I'm very proud of the work I do for ScreenCastsONLINE. What I rarely mention is that there are other terrific tutors at ScreenCastsONLINE, like Lee Garrett. Lee not only makes terrific videos, he recently bought the company from Don McAllister. Now, while this particular discussion might strike you as sucking up to my new boss, I want to tell you about a fantastic tutorial Lee just produced that was of great value to me. Before I tell you what it is, though, there's a backstory. During the few weeks before I have a tutorial due, I consult with my editor, J.F. Brissette, about which app I'm going to teach. For my next tutorial, I suggested to J.F. I wanted to teach the new iStat Menus 7. I told him the reason I wanted to teach it was because I was completely baffled by the new interface. I've been using iStat Menus for ages and ages, I don't know how many years, but I couldn't make heads or tails of how to do some of the simplest things I used to be able to do. And I'm a firm believer that teaching is the best way to learn. However, when I suggested this, J.F. said, wow, that's a great idea, except Lee's going to be producing a tutorial on iStat Menus tomorrow. Well, I was bummed, but I got to tell you, after watching his tutorial, I am so glad he did it instead of me. He found so many little hidden features I'm nearly certain I never would have uncovered.
[1:43]iStat Menus 7 is filled with areas where if you just hover in a certain space, you get a bunch more functionality that I didn't even know was there. Now that I know how it works, I'll be able to get my money's worth out of the tool. If you aren't a subscriber to ScreenCastsONLINE, you can get a free 14-day free trial at ScreenCastsONLINE and watch Lee's tutorial and all of the current back catalog. I said free twice. Free 14-day free trial. That's good. But again, I'm not doing this to suck up. I'm telling you about this because it was an amazing tutorial and I'm so happy that he did it.
[2:21]
I’ve Changed My Mind About Apple’s New Password App
[2:21]With the advent of macOS Sequoia and iOS 18, Apple upgraded its method of saving user passwords from the arcane Keychain Access to a fledgling, full-fledged password manager. Because Apple likes to name its products so they're impossible to search online, the app is called Passwords. I'm a huge proponent of password managers, with my current favorite being 1Password. Steve and I converted his parents to use 1Password a very long time ago. While his father does require a wee bit of assistance now and then, when maybe a bank or other service changes things, overall they're both dedicated users and believers in 1Password. I've told you about it before, but Steve's dad actually did a testimonial about 1Password nine years ago for the show. And if anything, he's more enthusiastic about it today than he was back then. Both his parents have wicked, long, complex master passwords, created, of course, with the wonderful tool by Bart Busschots, XKPasswd.
[3:18]Now, I remember years and years ago talking to Melissa Davis, you might know her as the Mac Mommy Online, about convincing people to use password managers and, you know, our various strategies for how we did this. Melissa helps a lot of elderly people in her neighborhood and friends and family and people she works for set up 1Password. And I remember being shocked when she told me she lets them use a short, easy-to-type, and easy-to-remember password to unlock 1Password. We got into a debate about it, and she patiently explained to me that it was that, or they wouldn't use a password manager at all. Ever since that discussion, I have stuck to my opinion that she should have just tried harder to convince them to use a good master password, because we were able to do it with Steve's parents.
[4:03]When Apple introduced the Passwords app, I began to ring the alarm bell on podcasts far and wide, including in a recent episode of the Clockwise podcast, about how I think it's dangerous. My problem with Apple Passwords is that I think it'll give a false sense of security. I don't think people realize that all of their passwords are protected only by the strength of the passcode they have on their phone or the password they have on their Mac. Unlike users of independent password managers, there is no separate master password for the app called Passwords by Apple. You may say, but Allison, you can have a long, strong, complex password on your phone and Mac.
[4:42]Sure, you can, but how many people do? My Mac's password is on the complex side, but it's not terribly long, and the password on my phone isn't terribly complex or long since I have to type it so often. I mean, it's better than most, but it's nothing like my complex password to get into 1Password. So that's why I've been sounding the alarm. I'm not wrong, but I have come around to thinking that Melissa wasn't wrong either, and it folds into the new Passwords app narrative. Here's why I've changed my mind. I have a friend who's brilliant, but she doesn't really use tech particularly well, just not an interest of hers. She and her husband are such low-tech users that just a few years ago I was visiting her and I tried to look something up on my Mac, and I discovered that her husband had turned the internet off. When I asked him why, he said, well, we always do that when we aren't using it. Okay, you get my drift of what I'm dealing with here, right? Well, every year, this same friend invites me over to help her print out address labels for her Christmas cards. A hundred years ago, I created a tutorial for her on how to do this directly from Apple Contacts, and I posted it on podfeet.com. This tutorial is so old that the interface on OS X was still Aqua, and Contacts was still called Address Book, but surprisingly, the steps haven't changed substantially, and that's why this tutorial is still up on podfeet.com. There's a link in the show notes, of course.
[6:07]Now, my friend is getting pretty good at the process by now. We've been doing it for, I don't know, around a decade, but she still likes my hand holding through the steps. Her husband teaches her, teases her, I should say, that by now she should be able to do it on her own, but she always explains to him that it's the one time a year we get together to catch up. Every year when I help her put a little baby reindeer covered in Christmas lights on her labels, she squeals with delight, and then I remember why we do this together. As a tip, she gives me a bottle of wine and a bag of chocolate for Steve, so it's win-win all around, right? Starting about five years ago, I started lecturing her on how she should be using a password manager. I used the classic scare tactic of explaining that someone could steal all of her money and remove access to her precious photos. I tried using the carrot, too, by explaining how much easier life is with a password manager and not having to remember your passwords. I gave her the phone number of my good friend, Pat Dangler, who is a certified Apple consultant, and I assured her that Pat would make the transition to 1Password as easy as it can be. I'm a good friend, but it's not worth any amount of wine and chocolate for me to help her actually make that transition myself, so she'd have to pay Pat for her services.
[7:19]Every year, when I go back to do the labels with her, I find she still hasn't taken my advice. Every year she promises, this time I'm really going to do it, Allison, but she never did it. The only good news is she started to use long, complex passwords. The bad news is that she saves the passwords in plain text in Contacts. If you look up the name of a bank in her contacts, you'll probably find her password. Let's fast forward to this year's Christmas card labels play date. When we were done making the labels, I asked her yet again, so did you get started on a password manager yet? She said, I knew you were going to ask me again, so I downloaded LastPass.
[7:59]I explained to her that LastPass wasn't to be trusted any longer and that she should download 1Password instead. Then I had a thought. If after all this time, she still hadn't embraced the idea of 1Password, maybe I was never going to succeed. With the new Passwords app on iOS 18, I wondered, maybe that would be a more frictionless path? Her iPhone was still on iOS 17, so I had her start the update to iOS 18. We had very recently replaced her failed MacBook Air with the new 15-inch M2 MacBook Air, so it was already on Sequoia. While the iPhone was being updated, I had her open the Passwords app on the Mac. When we opened it, we discovered that she had already been letting Safari save passwords, so there were around 30 of them already in Passwords. We looked at the list and we chose one of them to test out. I had her navigate to the website, as she normally does, and I showed her how to use Passwords to autofill her username and password.
[8:55]The squeal of delight wasn't quite as good as the one for the tiny Christmas reindeer, but it was pretty close. She pulled up her contacts, found that same entry in her phone, showed me the password in plain text, which is how I knew this, but then she looked at me and she said, huh, I should probably delete it from Contacts now, shouldn't I? I gotta tell you, I beamed with happiness. I was so proud of her for thinking that that's what she should do. Then she said, can I do another one? She tested three or four of them while I was there, and she dutifully erased each of the passwords from each one of her contacts. Even better, she said, this is fun, and said, I'm going to do the rest of them this very night. I don't know if she did, but she was real happy about this. I also showed her how to let the Passwords app create passwords for her. She liked that very much. Once her iPhone was up to date on iOS 18, we opened Passwords on the phone, and she was able to confirm she could use it from there as well. I told her she had one more task. She simply had to change her passcode on her phone from the current four-digit one to six digits. Surprisingly, she immediately agreed. I'm sure glad she did it because I found out the passcode she'd been using was her birthday. She suggested several six-digit codes, all of which were as easily guessable as her birthday. Eventually, she settled on one that was obscure but memorable to her.
[10:16]The bottom line is that I think Melissa was right. It's better that people actually use a password manager with different passwords for every account, even with a shorter, less complex master password. The danger of an online attack is probably higher than the danger of someone breaking into their password manager. Apple did do a good thing, making the Passwords app easily accessible and understandable by the less technical people. While I'm still worried and nervous about the passcode or password on people's iPhones and iPads and Macs, the bigger threat to the security of their accounts is password reuse. I think this step to a dedicated app will get more people to raise their password security, and that's only going to be a good thing.
[10:57]After I published this article that you've just heard, Ken Ray, who you probably know as Mac OS Ken, is the host of a security podcast called The Checklist. He asked me to come on episode 399 to talk about this very subject. You'll hear some of the same things that you heard from me just now, but you might get a little different perspective when you hear the kinds of questions Ken asks and the anecdotes that he tells. Look for The Checklist in your podcatcher of choice for episode number 399.
[11:28]Now, there's one more interesting thing on this topic. In 2022, and again in 2023, security.org conducted a survey of Americans about passwords. There's a lot of great info in their Password Manager annual report, and I want to highlight one very surprising finding. The link, of course, is in the show notes to the entire article. What they found was while 41% of respondents in 2022 and 2023 said that they memorized their passwords, the next highest strategy was the use of password managers. Get this, in 2023, more than 34% of respondents said they use a password manager. 34%. That was up from 22% in 2022. More than a third of Americans who responded to this survey, which might be self-selecting to some extent, said they use a password manager. I found that shockingly high. But it wasn't all good news. They asked the people who used password managers whether they ever used their password manager's master password as a login on other sites. 28% of them said yes. So my final thought is, it's okay to encourage the technology-resistant people in your life to use Apple's Passwords app, but don't let them use the same passcode on their phone or password on their Mac anywhere else. And for the love of all things good in this world, at least encourage them to have a six-digit passcode instead of four on their phone.
[12:57]
How to Get to Images out of Apple Pages, Numbers, and Keynote
[12:58]Have you ever been working with an Apple Pages, Keynote, or maybe even a Numbers file and wanted to extract the images? Here's the process. Open the document, find the first image you want to extract, right-click on the image, and choose Copy from the contextual menu. Now open Preview and choose File, New from Clipboard, or you can use Command-N. The image will open full-sized in Preview, which is great, and now you can save it to the Finder. This is fun. This is an easy process, right? But what if there's a lot of images in the document and you want all of them? Well, you got to rinse and repeat over and over and over again. What if I've just emailed you my Africa travelogue as the original Pages file with 696 images in it, and you want to have every baboon, hyena, hippo, lion, and warthog photo in a folder of your very own? This process would get pretty darn tedious.
[13:51]Now, I have to give credit for the solution to this problem to two people. Chris Mackey on Mastodon and Michael Westbay answered in our Podfeet Slack, and the two of them put together the answer for me. Between the three of us, and with quite a bit of experimentation, we figured out a method that will let you see a folder holding all of the images in an iWork document. By the way, I thought the name iWork was deprecated as the handy name to describe Pages, Numbers, and Keynote. But guess what? Apple's still using it. You can go to apple.com slash iWork if you don't believe me. All right, the trick is to open the document as a package file.
[14:29]Okay, what's a package file? According to Apple, a package is a collection of files that your Mac reads as one file.
[14:37]Well, that's not very descriptive, but it might become more obvious as we work through this. Rather than being like one of those recipe sites that spends 1,200 words describing their grandmother's pantry before just telling you how to make the best blueberry pancakes, I'll give you the solution to the problem to be solved, and then later we'll circle around and explain why Apple even has this concept of a package file for iWork documents. Here are the easy-peasy but arcane instructions to get direct access to the folder containing all of the images in any iWork document. Open the document. From the menu, choose File, Advanced, and then Change File Type, and from there, change it from Single File to Package File. Now save the document again. In the Finder, right-click on the file, and now you can choose Show Package Contents. If you don't do that File, Advanced, Change File Type step and change it to a package file, and it's a single file, Show Package Contents doesn't exist. So now that we've got it as a package and we can do Show Package Contents, this will reveal several items, one of which is a folder called Data, which contains all the images. Now you can copy all of the images. Don't mess around with them inside the package. Copy them all out of that folder to a new folder. Like I said, it's arcane, but it's pretty easy. You just open the document, change the file type, right-click on the file, say Show Package Contents, and open the folder.
[16:02]Now, if the images had names before being dropped into the iWork document, they will be preserved in the package. But more than likely, you'll have a big pile of temp or unknown prefixes with numbers as the names. The other thing you might find is that there are small and regular versions of the same image in the Data folder. Here's where it gets super fun. The small and large versions don't have the same image number. I was perusing the 696 images in the package file for my Africa travelogue, and I found an image of the incredibly adorable wild dog puppies we saw on safari. I found two versions of the same image where one of them had small in the file name. The big one was 640x480 and the other was 256x192. That's the one that said small in the title. Now, you know, 640x480 isn't much to write home about, but that second image can only be described as a thumbnail. The two file names had identical glop up front that kind of looked like a cat walked across the keyboard only on the special characters row. They both said unknown in the title next, but one was dash 540 and the other one was dash small dash 541. Well, the small is helpful to tell them apart, but why aren't the numbers the same? Why is it 540 and 541? Couldn't they have made them both 540 so we could tell one was the big and one small of the same image?
[17:25]Anyway, if you're looking for the real images, after you copy them out of the package file, be sure to ignore or delete any images with small in their title. Or take your time and really look through them to figure out which ones are the good ones you want. Here's an editorial note. I said there were 696 images in my Africa travelogue. If I eliminate the 347 images with small in their titles, there were really only 349 images in the travelogue. I'm sure you appreciate my clarification for accuracy.
[17:57]Now, the instructions for peering inside package files are handy for mass export of images from iWork documents, but with Numbers files, if you have images in cells you want to extract, this is literally the only way you can do it. You can't copy them. Back in July, you may remember, I was trying to help listener Bob clean up his contacts. Bob was very interested in maintaining his current set of contacts as some kind of an archive, and he really wanted to be able to maintain all of the little images for people that he'd added. In the process of figuring out a path for him, I followed Apple's instructions on how you can drag people from your Contacts application into Apple Numbers. This process worked, and it created a column called Images that contained all of the little photos of the individual contacts. But what I couldn't figure out for Bob was how he could extract those images from Numbers. You can't copy these images even one at a time. Having a backup that you can't actually use seemed rather silly.
[18:54]Let me give you a quick aside, by the way. As of right now, as of the time I'm recording this, this method of dragging contacts to Numbers doesn't seem to work consistently anymore. You definitely can't drag hundreds of contacts in from Contacts to Numbers the way you could before Sequoia. Just a little disclaimer there. Anyway, so now Bob's got this Excel file with this column, and it says Images, it's got all the little pictures, everything's great, but he can't get them out. My only solution at the time I wrote the article about this was to embiggen the image as much as you can by increasing the size of the cell and then take a screenshot of the image and save it.
[19:33]Now that we're deep inside this very obscure problem that you may never run into, here's another curiosity. If you paste an image into a Numbers document, not inside a cell, you can copy the image and open it from the clipboard in Preview, just like in Pages and Keynote. Also, if you have an image in a cell in Numbers, you can copy and paste it into Pages or into Keynote. But it doesn't paste the image. It creates a one-by-one table in the receiving application with only that image in just that little cell. I tried the same thing going the other way too. In a new Pages document, I dropped in a blank table and I pasted an image into that table. I right-clicked on the image, selected Copy, and I was able to paste it into Keynote, and I got a one-by-one table in Keynote with the image in that one cell. But I couldn't paste it anyplace else. It feels as though iWork is kind of like the seagulls in Finding Nemo yelling, mine, mine, mine, and never letting those images out. This very problem was why Chris and Michael jumped in with a solution of peering inside the document's package contents to extract the images from the cells. Bob will have no clue which image goes to which contact, but at least he can get the full-sized images out of Numbers.
[20:47]Now that we've figured out how to extract images from the Data folder inside a package file of an iWork document, you might be asking yourself, why does Apple even have this option to change the file type to a package file? I did some digging, and I found an Apple support document that explains why. Apple says, if your document is larger than 500 megabytes, and you aren't using Apple File System, APFS, or if you're using an older version of Pages, Numbers, or Keynote, the app might prompt you to save the document as a package. They go on a bit in the article later to say, if you're saving documents to your hard drive, you're experiencing wait cursors or slow performance when editing your document, or you're saving your documents in iCloud Drive, you should use Package. They go on to caution, if you plan to upload your document to a third-party cloud-sharing service like Box or Dropbox using a web browser, choose Keep Single File. Now, reading Apple's reasoning for letting us change our file type to package files suggests to me that I got this article out just in the nick of time. As soon as nobody's using a spinning hard drive, and nobody's using an older version of iWork, and APFS is the standard file system for everyone, I bet Apple will remove this capability someday.
[22:05]
Support the Show
[22:06]You know I love doing the podcast for you. Conversations on Chit Chat Across the Pond and Programming By Stealth are such great fun. And also writing and recording all of the content for you for the NosillaCast is also a pleasure. I love doing the research and testing, like what I was just talking about with extracting the images. That just gets me going. I'm just loving to do it. I love to do it. And I love to figure out how to explain things so that people can understand. The work is rewarding, and producing all of this content costs money. And that's where you come in. If you get value out of all this hard work that brings me joy, I'd love it if you head over to podfeet.com slash patreon and pledge to help support the show. Music.
[22:45]
Security Bits — 10 November 2024
[22:47]Music.
[22:55]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. What new horrors do we have to talk about this week, Bart? Well, given that my short-term memory isn't great, I don't remember, but they're all in the show notes, so we'll meet them in turn, I guess. Sounds good.
[23:13]We have talked quite a few times over the years about Apple's struggles with child protection.
[23:21]They wanted to do some fairly aggressive on-phone pre-scanning before iCloud, and people were very upset about that, and so they backed away from that, and then the child protection groups were very upset about that, and then they rolled forward with some AI-based protections, which people were like, well, it's better than nothing, but no one ever seemed quite happy either way. It would appear that Apple have another tweak on the way. In Australia, the latest iOS beta contains new functionality that, when the opt-in parental control feature is turned on and it detects an image that appears to be inappropriate based on the AI on device, as well as giving the warning it gave before that this image may be dangerous, you may not want to open it, and so forth, it now also gives a button for the child to report the image to Apple, at which point it will be reviewed by someone in Apple before potentially being forwarded to the relevant law enforcement agency. So that is Australia only at the moment, but one assumes this is a trial balloon of some sort, a test of an idea that is likely, I would imagine, to go to more places over time. As long as the AI doesn't make any mistakes. We're good.
[24:43]Well, you see, that's why you have the human interaction there, right? Nothing ends up going to law enforcement without a human looking at it. So I think... And it's the child who reports it, though.
[24:54]Yeah. Yes, which seems, again, appropriate. So you have your human check going on. We also have had some issues with TikTok coming under fire, particularly in the United States. Well, Canada has joined the club. They have ordered that their Canadian subsidiary be disbanded. I found this fascinating because it wasn't about the application. They're not making it inaccessible to Canadian citizens. They're saying you can't have the humans there. So that's different. Yeah. Yes, but also on national security grounds, which is equally as... Really? Okay, well, anyway. Also, expect the TikTok ban in the United States to magically disappear because a certain someone donated a whole bunch of money to a certain campaign.
[25:48]Yeah, but that was passed by Congress. Yeah, but it needs the president's signature, right? Did Biden sign it? But it was signed into law with a timestamp, yeah. Oh, it was. It is signed into law, so the clock is ticking. That doesn't mean... Can't be unticked. I don't know when the time runs out. Yeah. Well, it depends. If the time runs out before the new Congress starts in January, then... Yeah, I feel like it was longer than that. I feel like it was a year or something like that. Oh, I thought it was six months. Either way, we shall find out shortly enough anyway. Action alerts then. A reminder that when Apple released their 0.1 updates, yes, you get shiny new features, but you also get a whole bunch of security fixes. So you should patchy, patchy, patch, patch, even if the shiny new features aren't really what you're interested in. And also Apple have patched their previous OSs as well with those same security patches. So you should patchy, patchy, patch, patch, even if you haven't moved to the new OSs. Nice. Can I give a shout out to Apple for how far back they go? This, I'm holding up for Bart to see, is my grandson's iPhone XR. This model came out six years ago. This one is four years old. It's in beautiful condition. I don't know what he ever did. It's got 96% battery on it, and guess what? It runs iOS 18.
[27:15]It's a six-year-old model. It looks brand new. Yeah, it does. The screen is perfect. It's only worth $85 to trade in, and it breaks my heart to have it not go to somebody. So, I don't know. It's like a great kid's phone. I gave him, we did a flow down, and he got a much more recent phone, and one of the things I said was, well, this will be better because it'll be able to run iOS 18 and get security updates and have a much better battery. No, it won't. This is 96%. The one I gave him was probably in the mid 80s or so, maybe low 90s. So anyways, shout out to Apple for that. Great. Definitely. Somewhat not the same if you're on Android. Try to patch yourself, because there is a zero-day that Google patched and it has been exploited in the wild. How you do that, good luck. Wish you the best of luck.
[28:08]Most people... Well, the predominant one is Samsung, and they usually get the updates pretty quickly, right? Pretty quick, yeah. I mean, it is getting better, but it does depend on your choice of which Android you get. That's a good reason to choose one of the bigger vendors. Unless you can't afford it, and then you get the ones that don't get patched. That is also true. A few weeks ago, the Pwn2Own conference, which travels about these days, traveled to a little green island off the coast of Europe. It was held in Dublin. And among the vulnerabilities found were a bunch of vulnerabilities in very popular NAS devices, network-attached storage, and in response to that, QNAP have issued two patches for their NASes, and Synology have issued one patch for their NAS. By the way, it's not... Patchy, patchy, patch, patch. Don't freak out about the Synology one. It's in Photos, so it's not an OS-level bug. It's in Photos and some other type of photos app you can install, I forget, I think the word B is in it. Yes, but if you have those available, it will get you a backdoor into the NAS as a whole. So if you have those apps running, then you actually do need to patch. Yeah, if you have them running. I checked, I didn't, but I patched it anyway. Otherwise I just patched anyway, because you get bug fixes and stuff as well, right?
[29:34]Less good news. If you are the owner of a D-Link DNS 320 something, something, something, there's a few variants. D-Link considered these devices to be out of support. A very serious security vulnerability was found in them. And D-Link went, yeah, no, they're out of support. So, toodles. So if you own one of these devices, it is time to introduce it to the trash can. And get yourself a new NAS device. Now, I'm no fan of D-Link and their security practices, as we've discussed many times on this show. But to be fair, these were, I want to say it was 2020 was when they were deprecated. So they are four years out. And so that isn't completely out of the question, but it's still... No. Boy.
[30:26]Yeah, well, at the end of the day, nothing lasts forever. They just happen to be a particularly popular model, and I think a lot of vendors would make an exception for a particularly popular model, but D-Link are sticking to their policy, you know. So I think you're always mistaken to run a device that's out of official support. You can't, I mean, you can get lucky and get extra support for free, but I don't think you should count on it. So I think, particularly if you're, these are quite popular in small offices, I don't think that's a good idea to have anything business critical sitting on something without official support from the vendor. That seems a tad risky. Yeah, you know, this is a silver lining way of looking at it: if this hadn't happened, people would not know, or may not know, that their NASes were out of support. But now it's such big news, maybe they will know. Because how do you notice that? You know, unless you're real good at checking once a month, as I do, going in and saying, okay, is everything good? Things are running, you know, doing my little checks. Maybe you wouldn't have noticed that it was out of support four years ago. So, yeah.
[31:35]Possibly. Yeah, good point. On a somewhat related note to software updates, if you are really happy on Windows 10 and you're a home user and you'd love to hang around that Windows 10 for another two years, well, now you can. So Windows 10 was due to go end of support on the 14th of October 2025.
[31:59]But Microsoft have given notice that they will be allowing home users to buy what they call ESU or extended security updates for one year for $30. Oh, okay. So. That's not bad. I think by that point, it's not bad. And by that point, I think two years from now, if your computer is already running Windows 10, it's probably already a few years old. I think it's probably due a replacement two years from now. So, yeah. I know people scoff at these things. Oh, Microsoft charging extra money for their old stuff. But it's like, what do you expect? You paid for it once. Can't have updates forever. Yeah. Moving on to worthy warnings then. A couple of interesting techniques being adopted by the baddies. LastPass are warning that they are seeing some strong activity targeting their remaining users, in this case sort of making use of the fact that if you're on a page for a plugin or an app on an app store, you might be more likely to trust what you read because that's, generally speaking, published by the vendor.
[33:06]But a lot of those pages contain content that's not from the vendor, in the form of reviews and answers to questions and things. And so what was going on here was that the baddies were putting fake technical support numbers into answers to people's comments in the Google Chrome Extension store. Oh, geez. So check the context within which a number appears, because, just, you know, if it's user content instead of vendor content, don't trust it. Yeah, yeah. I mean, you might think it was, you might say, oh, you know, we can help you with that, here's our support number. Yeah, yeah. There was also a particularly effective example of a technique the baddies are very fond of these days called Living Off the Cloud, where you try to find ways to misuse or abuse common services that are used by lots and lots and lots and lots of people. So hosting files on Dropbox, that kind of thing, because most people's firewalls are going to let Dropbox through because there's so many legitimate Dropbox uses.
[34:11]And this time the baddies got particularly clever, because they found a way to make DocuSign's API send out emails it probably shouldn't be. Which means that you were getting emails from DocuSign with a fake invoice saying you'd agreed to spend stupid amounts of money and then giving you phishing information to basically, oh, call us here and we'll help you deal with this terrible fraud. And I assume they would end up taking your bank details and taking your money. Oh, wow. And this one was big because I saw real-world examples of it from multiple near victims, shall we say.
[34:52]And finally, on the ish list, the United Kingdom. There's been a very controversial development politically, where something called the Winter Fuel Allowance for senior citizens is being changed. I don't remember the exact details, but this is a payment pensioners would get in the winter to help buy fuel for the cold winter months in the UK. And this year, controversially, it's being scaled back, because I think it was given like a boost for COVID and that ran out and it wasn't renewed. It's changing, it's all over the news. Attackers have set up domains that are vaguely plausible as official domains, but only if you're not an expert user. But a lot of pensioners might not be expert users, so the fact that the actual page you land on very effectively fakes a UK government website means these campaigns are quite successful. And the way it works is you get an SMS message with a link shortener URL, and it says it's from the government, and click here because if you apply quickly enough you can still get the full payment which has controversially been cut. And so if you have family in the United Kingdom and they are potentially the target of this thing, it might just be worth raising their attention to this, that this appears to be quite a successful campaign. That's super ick.
[36:16]Isn't it. Moving us on to notable news. Another new tactic by cyber criminals. This one sort of caught my eye in that whole "that's genius, you evil, evil people" sort of a way. So obviously, once you have malware on your device, you can't trust anything on the device, because the device itself has just become malicious, which means that you can intercept all sorts of things. And there's a new variant of Android malware that is intercepting outgoing calls that you dial to the number of your bank, and redirecting them silently to the scammers' call center. How? Oh, geez. Well, remember, once your phone is hacked, your phone is hacked, right? So they just have a little listener in there that goes, if the phone number is this, change it to that. So they... And I'm always amazed at how they can find the specific one. So if I'm with Bank of America, but they have to know I'm with Bank of America, or they have to have all of the phone numbers of all of the different banks that I could potentially be calling in every country.
[37:33]Well, no, but you're assuming that they're interested in you specifically. But the attack is usually the other way around. If I put out 1 million malwares and I attack two or three banks, and if 1% of those 1 million emails hit their mark, that's the win. Okay, so let's say they just want Bank of America. And so they try Bank of America on a million phones. It doesn't have to be my phone that it succeeds on. Got you. Precisely. Yeah. It is all a numbers game. So you have to bear in mind that you just make up for it in scale. Oh, this mightn't be successful 100% of the time. Okay, we'll just do it more often, and then, you know, you get there in the end. Yeah.
[38:16]The major software-as-a-service vendors are continuing to slowly nudge the universe towards more security. So we're flipping into some better news here. So the first bit of news to break was that Microsoft have announced that they are ratcheting up their security by default on their Microsoft Entra product, which basically, Microsoft rename everything every week. So if you have bought Office 365 for a small office or maybe a family plan, basically you have, like, you know, a handful of users, you're going to be on a version of Entra, all the way up to if you are a company with 5,000 users, you're going to be on a version of Entra. And the default has always been a little bit conservative, so as not to scare people and make them cranky. But for the last couple of years, if you don't touch anything, there's been a little tick box enabled by default called, I think it's called "security defaults", and that's on by default, and the meaning of security defaults changes over time. Okay, so the user doesn't have to change their settings? Yes, the user doesn't have to change their settings. So they set it up once. They don't have an IT team, because they're like the corner shop with five, you know, they're your local bookshop with five employees or something. They don't have a tech person. They set this up, their email works great, but that default tick box is still ticked, and their security is ratcheting up behind their back. And the next ratchet is everyone is going to be forced to fill in the details needed for multi-factor.
[39:45]So that means that all users will have to complete the details to make them multi-factor capable. I imagine the next ratchet is multi-factor enabled. Oh, this is just capable?
[39:57]Yes, which means you have to have two methods of verifying your identity. So instead of only having a password, you're going to be forced to have a password and an SMS number, or a password and an authenticator app. So they're making sure everyone has two. And once that policy has been around for a while, the next click on the ratchet is obviously, and now you must do two-factor authentication. Okay.
[40:20]So ratchet up, ratchet up. Meanwhile, Google are also continuing their ratchet, and in this case, this is actually going to affect everyone, not just people who have a small office or whatever, because the biggest cloud provider in the world is Amazon Web Services. AWS is the king of the hill, but AWS has two big pieces of competition that are both catching up quite quickly. One of them is Microsoft, and they already have forced MFA for their cloud services. But the other big player is Google. So Google Cloud is a competitor to AWS. And until now, Google have not been on a road to forcing multi-factor authentication. That road has now been started. By this time next year, everyone who has a Google Cloud account will have multi-factor authentication. So the reason this matters to regular folk is that the back end of so many of our iOS apps, of our websites, of all of these services, are backended on to one of these three big providers, and until now, if they were backended onto Google, it was much too easy for the attackers to take over at the back end of the app. So by forcing the owners of the app to be more secure, it makes the users of the app more secure. Oh, there you go. Should mean fewer data breaches. Can they do this on the banks and have them stop doing SMS? Sorry.
[41:41]Oh, if only. If only. Yes. My bank today. They really well should. They absolutely really well should. They asked for my username and password, and then they asked me for an SMS code and my password again, because that couldn't possibly be known from the previous step. Not three-factor authentication, Allison. Password, password, and...
[42:03]Anyway. Oh, dear. Oh, dear. The next pair of stories kind of caught my eye because they're interesting how they illustrate a bigger point. People like to think of AI as being the answer to life, the universe and everything, or the end of the universe.
[42:19]The answer is, well, yes and no. It has both positives and negatives. And one of the things it's actually proven extremely effective at is in cybersecurity. AI does a lot of good because it makes it a lot easier to spot malicious activities. But the flip side of that is it also makes it easier to automate certain, particularly the simpler, attacks. You know, the script kiddies in Nigeria used to find it difficult to write good English. Well, ChatGPT can turn their broken English into very good English, so they found it to be a great boon to make their low-hanging fruit a little bit nicer. But the defenders have a much easier time filtering out their junk. So, you know, a lot of the time these things balance out. But anyway, there were two stories, and I thought they illustrated the two halves nicely. So on the one hand, we have security researchers showing us that something we have expected to become true is becoming true. Which is that you can now, in real time, use ChatGPT-4o to fake a voice phishing scheme, which will basically have an entirely AI conversation with a victim. So you can automate phoning people to do voice-based phishing by having ChatGPT-4o in the background in real time talking to your victim.
[43:37]Now, at the moment... That's really interesting. I've been experimenting with the voice version of that, and it is phenomenal. I mean, you can just sit there and chat with it and have a full-on conversation, but you'd have to have written a specific GPT that was targeting this. Like, you don't want it to tell them the truth. You want it to lie to them, right?
[43:59]Right, exactly. So there's a little bit of work, and they're using the API, but they have demonstrated proof of concept. And I'm going to quote the researchers directly, just in case you think the world is ending. What they have said is, researchers have shown that it is possible to abuse OpenAI's real-time voice API for ChatGPT-4o, an advanced LLM chatbot, to conduct financial scams with low to moderate success rates. So that's where we are today, low to moderate. I wonder what that low to moderate success rate is. Success rate at doing a good voice, or success rate at getting money out of people?
[44:33]I think getting money out of people, right? That would be success from the point of view of doing a scam, right? That's how you measure success, yeah. But on the other hand, we also have a first. One of the teams in Google have successfully used AI to find a zero-day bug that is not one of the easy-to-find ones. So memory management issues are very easy to spot, and we've been using AI for that kind of stuff for ages because they're just low-hanging fruit and they're easy to fix. What's much more difficult is subtler security bugs. AI hasn't yet found any of those until now. So to quote the Google team, we believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software. That's cool. So, yeah. So again, swings and roundabouts. So it's not that the sky is falling, and it's not that this is life, you know, paradise on earth. It's both. Yes, and. It's both. It's always both. It's always going to be both.
[45:42]And I should also flag that if you are an Android user and a Google user and you like to use the all-in-one Google app on your Android device to interact with Google's large suite of software, your calendar and your email and all that stuff all together in the Google app, you may or may not have noticed that now when you share a link, you're no longer sharing the link. You're sharing a trackered version of the link. The URLs are all prefixed with search.app, I think, is the prefix URL that they're using to track people. So this is equivalent to how when you post a link to Twitter or X, it's not, the link isn't really there. It becomes t.co forward slash gobbledygook. And that's so that Twitter can track you or the people who click on your links. Well, this is the same thing, but from within the Google app. And Android users are fairly cranky about this new level of spying, but these are probably also using Google's free services, at which point I'm left kind of going, well, how exactly did you think they were paying those server bills? It has always been your privacy. Freepy.
[46:48]Yeah, free pee, precisely, follow the money. And speaking of, you know, you need to get proper permission and stuff, South Korea have fined Meta 15.67 million US dollars for illegally sharing sensitive user data with advertisers. So, good to see them get their comeuppance, I guess. I want to give a hat tip in our top tricks section to Adam Engst over at TidBITS.
[47:17]We didn't talk about it last time because it was too depressing a story, but we linked to the fact that there had been a major exposé by four leading cyber security news outlets, including Krebs on Security, illustrating just how messed up the tracking industry is in the United States. And it was all bad news, so I basically went, look over there if you want to be depressed, we're walking away, because I don't like to dwell on these things and you don't like me to dwell on these things. If you follow the link and are now all depressed, Adam has some very practical tips for doing the best you can to protect your location data from being caught up in this whole big tracking mess. And, you know, it's arguably all sensible stuff, but it's a really good link to have in your back pocket, and it's just good to double check. Just, you know, check your settings. Just, you know, have a little checkup of yourself. Sorry to the listeners, I'm on some painkillers today, so my ability to improvise is compromised. You're doing fine, Bart, you're doing fine.
[48:24]Well, also, we're almost out of stories here. I have two excellent explainers I would like to link to in multiple formats. We have a multimedia experience. We have an article from AppleInsider, why free VPNs aren't always safe to use. Now, I actually think they're being very generous here, because I would have used the word never. I would have said why free VPNs are never safe to use. Yeah, I wondered about that word. They were like, well, there might be a few good ones. They didn't, see, anyone, and nail their colors quite as firmly to the mast as I would, but nonetheless the actual logic of their piece is perfect. Basically, follow the money. If you're not paying for it, oh, you are, you just haven't realized how. And they explain the various, on a grading scale of nefarious, ranging from they're just tracking you and selling your data to they are injecting malware into your web browsing. That is the scale for free VPNs, because they're in a privileged, you know, machine-in-the-middle position. So they can do very nasty things. So, you know, a good read. And particularly if you have friends and family who really don't want to pay the, what? Like some of these VPNs that have been audited by trustworthy firms are not spectacularly expensive. Like you're talking some of the lower packages are like 10 or a year and stuff like that. Yeah, yeah. PIA is like $1.49 a month or something like that. I mean, it's really, really inexpensive.
[49:53]So if you have family members using free because they absolutely don't want to spend any money, I think this article might be enough to get them to go from free to $2 a month. Or hand them $10, right? Or just buy it for Christmas. Here, your Christmas present for the year, a voucher for a VPN that doesn't sell. I tried to do that for a family member of mine, and they said, what if I don't want a VPN for Christmas?
[50:19]Okay. Well, you did try. Yep. You did try. And then the last one I have is a podcast pick. I know there are a lot of fellow NosillaCastaways who are huge fans of Planet Money. And I have plugged them once or twice before because they do amazing shows. Because actually, follow the money is the answer to a shockingly large amount of things here on planet Earth. And another thing follow the money is very interesting on is data breaches. So they have an episode entitled So Your Data Was Stolen in a Data Breach. And actually the sort of the hook they used to tell their story is the Snowflake breach that we talked about quite a bit here on the show over the last couple of months. Because some of their hosts got emails to say, oh, you were caught up in that. I believe Ticketmaster was the avenue that the host in question was caught up in, which was one of these Snowflake victims. And so it's just a good description of how the money makes the cyber crime work, which, at the end of the day, the vast, vast majority of baddies whom listeners to this show are likely to meet are interested in money. And so the economics of the baddies is actually, I think, important to help you protect yourself. I think it's important to understand the mindset of the people out to get you and what it is they're trying to do.
[51:39]Very good. Very good. Wait, I've got the palate cleanser. I get to go. You have the only palate cleanser. You do indeed. So, the European Space Agency has a mission called Euclid, and it's taking pictures of the cosmos. And there's a fantastic video. It's one of these videos that starts real big, and then it zooms in, zooms in, zooms in, zooms in. And it's, which, who doesn't love one of those? Those are always great. But it's a 208-gigapixel mosaic that they start with, and it starts by showing you 14 million galaxies in this panorama, and it keeps zooming in until it's zoomed in 600 times compared to the full mosaic. And, I mean, when you get there, of course, it's still – I mean, it's full of stars? No, it's full of galaxies when you keep going deeper and deeper. And this mosaic, when they get down to that, it's only 1% of the area that Euclid will end up covering over six years. I mean, it is astonishing, and it's beautiful, and the music, and you just can't help but immerse yourself in this. It's just fantastic. This data was just released in October, so this is fresh. And the purpose of this is not just to take really cool pictures, but to try to understand the cosmos, and in particular looking for dark matter and effects of dark matter and that sort of thing. How do I do, Bart?
[53:06]Perfect. So Euclid is an ESA space mission. I'm just wondering who else is a partner, because there's definitely my tax dollars at work. Sorry, my tax euros at work. But a lot of these things are often big partnerships, and I'm frantically scanning their website to see who all the partners are, because I wouldn't be at all surprised if there was American money involved as well. These things are very international, usually. Yeah. Yeah, it's rarely one agency, very rarely. Let's see. Frequently asked questions about Euclid. Someone has to take the lead, obviously. Let's see. Why are we interested? What can Euclid do that JWST cannot do? What's the image quality? Who paid for it? Oh, yeah, there we go. No, that's what I'm looking for. Will it study black holes? Or partners. Yeah, oh, partners would be a good thing to search for. Or, let's see, France is usually thrown in there. Right, here we go. There, I looked for a country. The consortium comprises scientists from Austria, Belgium, Denmark, France, Finland, Germany, Italy, the Netherlands, Norway, Spain, Switzerland, Portugal, Romania and the UK. The consortium also includes teams of scientists from the US, Canada and Japan.
[54:16]Okay, good, good. Okay, for a second there, I thought it was purely European. That would have surprised the heck out of me. No, that's good. Yeah, more than 2,000. A big smattering of Europeans. More than 2,000 scientists from 100 institutes are part of the Euclid Consortium. Holy cow. Wow. This is fun science. Yeah, it takes effort to do this kind of science. Yeah, this is not trivial science. This is some seriously cool science. And what I really loved was how they showed the full CMB background image. So that's like the old sky picture of the cosmic microwave. CMB is the... I was, yeah, I was about to, the cosmic microwave background. So that's like our biggest view of the universe as a whole, and they show you which little bit of it they have studied so far, and then they start their 600x zoom, and it's like, oh my god. Yeah, it's just, it's beautiful. I remember the first time there was a one-gigapixel image released, and I think it was of, was it President Obama's inauguration? Might have been. It was a really big deal, and you could zoom in and see the individual faces. And this one percent is a 208-gigapixel image. Crazy. That's one percent. It's crazy. And I think it's a great marketing thing to make this video, right? Because you could write a big long sciencey article and we would have gone, oh, it's fine, you guys go study that science. But you show me a cool picture, that too, by the way. Oh, yeah, absolutely. But it's like, this is part of the outreach that they're trying to do more of now, I think, is to get us excited about it.
[55:45]Yes, I know that ESA are very big on outreach because they realize that if you don't do outreach, your funding evaporates. Yeah, and NASA's been all over that too. So go spend two minutes and 37 seconds diving into the cosmos. On your highest resolution screen. If you have a giant big cinema display or something, not cinema display, Studio Display, watch it on your biggest, shiniest screen. You know, I got to do that. I think I watched it on my MacBook Air. I should do it on the big, on the big girl monitor, so that they'll be good. Well, Bart, I appreciate you powering through your pain reliever induced state. I think you did fabulously. Excellent. Well, until next time, folks, remember: stay patched so you stay secure. I very nearly didn't remember that, but anyway, I got there.
[56:37]Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. You know what? One of the things you could do when you're emailing me is send me reviews. I would like some help for the Thanksgiving weekend show. I've got a couple of things lined up. A couple of people said they think they can do some work for me, but I'd sure appreciate some more help doing some reviews. So email me at allison at podfeet.com if you've got an idea for a review. Now, remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all the other lovely NosillaCastaways, lovely people like Michael Westbay, who answered my question over in Slack. You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5pm Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening.
[57:46]Music.