NC_2024_11_24
The episode examines U.S. Department of Energy data on electric vehicles, discusses level three chargers, Git submodules, a simplified Stripe donation process, and cybersecurity vulnerabilities, wrapping up with lighter anecdotes.
Automatic Shownotes
Chapters
Long Summary
In this episode of NoSilicast, I share my latest excitement over discovering a treasure trove of data from the U.S. Department of Energy on electric vehicles and chargers. My enthusiasm prompted me to connect with Bodie Grimm of the Kilowatt podcast, where we nerded out about the progress in level three chargers over the past year. I demonstrated how I utilized pivot tables to analyze this dataset and track growth by company. For those interested, I’ve included a link to the episode and the pivot table spreadsheet in the show notes.
Transitioning to Programming by Stealth episode 172, Bart Buchatz explored the concept of Git submodules in a hands-on manner. After an initial theoretical lesson, he guided us through three practical scenarios that illustrated how developers can effectively manage team branding in a collaborative web app project with Git. I always find it rewarding to get my hands dirty with terminal commands while learning about these tools.
I also touched on a notable development in podcast support. A listener named Paul Nealon reached out with a generous donation suggestion which sparked a conversation about simplifying donations through a PayPal button. Upon further research, I discovered Stripe's capabilities to streamline the donation process, allowing users to donate without needing an account. I describe the unexpected challenges I faced in setting it up, the different donation fee structures, and how ultimately, it benefits users by making the process easier.
We then pivoted to some tech insights, where I delved into setting up a redirect on my server, making it easier for supporters to find my new donation page. This technical journey involved accessing my DigitalOcean server, navigating its configuration files, and ensuring proper redirects were in place, reminding me of the challenges and satisfaction that comes from managing my podcast infrastructure.
Shifting gears, I shared an instructional segment on signing documents digitally without the need for printing. This discussion highlighted how to turn editable text documents into PDFs, how to create and use signatures on both Mac and iPhone platforms, and how to send these signed documents back seamlessly via email. I made sure to include a structured outline for listeners to follow along easily.
As we continued, I introduced a quick segment to test my new donation method using Stripe, inviting listeners to check it out. Following that, I engaged in a collaborative discussion with Bart Bootstraps through our Security Bits segment. This week’s cybersecurity news revolved around identifying vulnerabilities widespread in 2023, with a strong message about the slow patching practices of organizations that leave them exposed. We discussed the implications of new regulations aimed at establishing security baselines across various sectors.
Lastly, we looked at ongoing issues regarding outdated coding practices that remain exploitable today, despite the availability of tools and frameworks to prevent these vulnerabilities. I summarized the latest security developments from major tech companies, highlighting the need for consistent patch management and the evolving landscape of cybersecurity concerns.
In the end, I wrapped things up with some lighter moments, sharing palate cleansers and humorous anecdotes related to tech interactions. This balances out the deeper discussions on technology and security, making for a well-rounded, informative episode that intends to empower our listeners with actionable insights.
Brief Summary
In this episode of NoSilicast, I share my excitement about U.S. Department of Energy data on electric vehicles and discuss level three chargers with Bodie Grimm from the Kilowatt podcast. I demonstrate analyzing the dataset with pivot tables and provide a link to the spreadsheet.
We also cover Git submodules with Bart Buchatz in Programming by Stealth, explore a simplified donation process using Stripe, and offer tips for digitally signing documents.
A cybersecurity discussion with Bart Bootstraps highlights 2023 vulnerabilities and slow patching practices, while I emphasize the need for better management of outdated coding practices. I wrap up the episode with lighter anecdotes to balance the tech discussions.
Tags
NoSilicast
U.S. Department of Energy
electric vehicles
level three chargers
Bodie Grimm
Kilowatt podcast
pivot tables
Git submodules
Bart Buchatz
Stripe
donation process
cybersecurity
vulnerabilities
patching practices
outdated coding practices
anecdotes
Transcript
[0:00]
NC_2024_11_24
[0:00]Hi, this is Allison Sheridan of the NoSilicast podcast, hosted at PodFeed.com, a technology geek podcast with an ever-so-slight Apple bias. Today is Sunday, November 24th, 2024, and this is show number 1020.
[0:15]
Kilowatt: EV Data Made Fun with Allison Sheridan
[0:16]Now you know I love me a good pivot table, right? I found a nifty website from the U.S. Department of Energy that includes this treasure trove of data on electric vehicles and chargers. Of course, I had to tell Bodie Grimm of the Kilowatt podcast about it, and then I showed him how I was able to take some downloads of data from this website, make a pivot table to see the progress in level three chargers over the past year, like how many have we gained by company. He thought this was cool, and he asked me to come on his show to talk about the data set and how pivot tables helped me analyze this treasure trove of data.
[0:48]We had a blast, because how could you not? When you're talking to Bodie and getting to nerd out on data, that's the best. Anyway, you can find the episode at the link in the show notes or subscribe to the Kilowatt podcast in your podcatcher of choice and look for the episode entitled EV Data Made Fun with Allison Sheridan. I put a link in the show notes to the pivot table spreadsheet I talked about during our conversation with Bodie. I actually figured out how to get OneDrive to let me share a file. It's harder than I thought it should be. Anyway, there's two tabs with the raw data dump from the Department of Energy about Level three chargers for October 2023 and October 2024, and then I have two pivot tables, one for each of the raw data sets. The front page you see compares the two pivot tables to show the growth by each company in the number of chargers. If you'd like to download your own data set, the Alternative Fuels Data Center site from the U.S. Department of Energy is at a link in the show notes.
[1:46]
PBS 173 of X: Getting Started with Submodules (Git)
[1:47]In Programming by Stealth 172, Bart Buchatz explained what Git submodules are and the kinds of problems they solve. It was kind of a theoretical lesson. But in this week's show, in this practical lesson, he walks us through three scenarios where we actually get to get our fingers dirty and type in Git commands to learn how the process actually works. We get to pretend we're in a small web app business where company branding is important. In the first scenario, we're a new developer joining an app team, and we have a repo that already includes the branding submodule. In the second scenario, we're a seasoned developer on the team creating a new app, and we need to import the branding submodule. Finally, in the third scenario, we're one of the brand designers, and we want to update the branding. In that third scenario, we learn two different ways to incorporate the branding changes into the web apps for scenarios one and two. I got to tell you, I'm always happy when I get to play along in the terminal. So this lesson was great fun. Of course, you can find Bart's fabulous tutorial show notes over at pbs.bartifrisser.net, and you can subscribe to Programming by Stealth by looking for it in your podcatcher of choice.
[2:59]
Take My Money!
[2:58]On last week's NoSilicast, I told you about how Paul Nealon made a very generous donation to support the show using PayPal. I also read you his letter in which he explained that he would have done it sooner, but he had trouble getting over the hump of creating a PayPal account. He also said, if I just had a PayPal button, that would have made it easier for him. This had literally never occurred to me before he suggested it. I did a bit of hunting around, and I found that the service Stripe could give me a way to take donations without the user having to open any kind of an account. Now, here's a fun fact. Stripe is an Irish-American multinational company, dual-headquartered in Dublin and California, so it's completely in alignment with Bart and me. I try to keep the dirty money bits away from the podcast, but I think it's an interesting point in time to talk about how these systems work from my end, and then get into the technical aspects of how I made this change. PayPal charges me a 2.99% payment processing fee, so if you donate $25, they take $0.75, leaving me with $24.25.
[4:02]Stripe also charges a fee, and it's a smidge less at 2.9%, but they also charge a $0.30 processing fee on top of that. So the same $25 donated using Stripe would only leave me with $23.98 versus the $24.25 through PayPal. As the donation amount gets bigger, that tiny difference in the fee percentage outweighs the $0.30 fixed fee, but overall, you know what, they're close enough for me to consider them equivalent. The main thing from my perspective is that if I make it easier for you, maybe you're more likely to push that button and that's going to beat the $0.30 every time. Well, the first step was to try to create a Stripe account. And that was unsettling. Since they'll be doing financial transactions on my behalf and depositing money into my accounts, and I presume reporting my income somewhere to government agencies, they need to know pretty much every bit of personally identifiable information about me. So I had to give them my address, my phone number, my bank account number, and social security number.
[5:05]Yikes, you know. I did all of this with PayPal and Patreon, of course, but I haven't done it recently. I wasn't comfortable with having my phone number and home address in the system because the way they originally described it, my phone number and address would appear on invoices that you would be sent after you donated. I love you all, but you know, that's a smidge more exposure than I was interested in. Luckily, I did some online sleuthing about it, and I found a toggle where I could turn it off, and it turned out to be off by default, so that was nice. Stripe is designed for people selling things, so there's a lot of features I don't need. There wasn't any upsell though, and I was able to create a fairly simple form fairly quickly with the relevant information. I was able to add my Podfeet logo to the form, for example.
[5:53]Strangely, it put a cute little Podfeet in the upper left and a giant pair of Podfeet in the middle as well. Not quite sure how to control that. They also had some branding options to match my color palette, but it seemed a bit extreme. The defaults, I think, will be more familiar to people, which gives a feeling of confidence. You have absolutely seen a Stripe screen before, and you'll recognize it'll feel like, oh yeah, this is how you pay for these things. It was suggested that I put in a default dollar amount, so I chose $20. But you can change that. It's not as obvious as I would have liked that you can change it. It's a light gray pill button that says, change amount, and then the $20 will become editable. Hey, maybe I should have made it $1,000 so you'd be motivated to find the button. Oh, I did poke around a bit. I wanted to see could you change to a currency of your choosing, but I didn't find a way to do that. I did find something that says it would do it, but it didn't seem to work.
[6:52]Right below that suggested amount, they give me a description field. This way, you can see your donation will pay for expenses such as servers, software, and other hardware used to create the podcast. Now the best part is that prominently displayed at the top is a black button with Apple Pay in white. You can't miss it. And while that was my main goal, Stripe also allows a whole slew of other options. You'll be able to use any credit card, not just Apple Pay, and you can use the Cash App, Amazon Pay, something called Klarna, and another one called Link. Now I've noticed that while the Apple Pay logo is prominently displayed on top all of the time, the other services kind of cycle through the number two spot right next to it.
[7:35]I was talking to Pat Dingler about Stripe, and she's been using it for ages, and she asked why I didn't have Google Pay showing. I went back to where I'd been messing around with Link and some of the other options, and sure enough, I was able to put in Google Pay. Oddly, Google Pay doesn't show up on the payment page, and I haven't been able to figure out why. There's another strangeness. If you're not using Safari, but instead you use a Chromium browser like Microsoft Edge, Arc, or even Google Chrome, you will not see Apple Pay. I looked up why, and it had something to do with Apple's security requirements, but I couldn't get anything less vague than that.
[8:16]Now, I haven't dug into it too much, but there's also an option to set up subscriptions in Stripe. That might be interesting. What if you wanted to do regular monthly donations, but you didn't want to have a Patreon account? Not sure how that works, though. I think you might have to assign a price, or I might have to assign a price, and that's not the way I like to do things. I like you guys to get to pick the number you want to donate, but it's a thought for the future. Now, once I had the form set up and gave away my firstborn child to Stripe, sorry, Lindsay, the service gave me a long gobbledygook URL. It starts with buy.stripe.com and then has all the glop after that. But you know, I'm not going to make you remember that address. Everything's good. It's got to start with podfeed.com, right? I needed to come up with a memorable name to send you to. I could have used podfeed.com slash Stripe, but then you'd have to remember what service I chose. Also, if I ever changed away from Stripe, that would stop working and you'd have to learn a new URL. Just like how podfeed.com slash chat takes you to Discord, in case we ever move how we chat and you won't have to learn a new thing, this fancy new link to Stripe is at podfeed.com slash donate. I know, I know. Patreon's at podfeed.com slash Patreon and PayPal's at podfeed.com slash PayPal. But I'm trying to future-proof these things. So the new URL is podfeed.com slash donate.
[9:38]In order to create these redirects so you don't have to remember hard URLs, I have to do some interesting work. My server is hosted by DigitalOcean, and if I log into their web service, I get a button to open console, and that logs me into my server at the command line with root privileges. I know this is possible using GUI tools like CoreShell, available in Setapp, but it seems kind of fragile to me. I keep having to ask Bart or Bill to help me get it working again. They've both helped me more than once, and it just seems to be broken every time I go in to use it. The console button in the DigitalOcean site is 100% reliable, which is why I choose that method instead.
[10:16]Now that I'm logged into my server with root privileges, I have to remember the structure of how my web server is set up. As you'll probably remember, Awesome NoSilicastaway Bill helped me do major surgery on my server, including moving it from the web server Apache to something called NGINX. The good news is I took copious notes as Bill told me what to do. I keep those notes in Keep It by Reinvented Software. I'm really glad I have these notes because he created a structure that has more than one directory that looks like it's my web server. There are sites-available and sites-enabled. In my copious notes, I quoted Bill. He said, only make changes to the file in the sites-available directory; the symlinked file in sites-enabled will automatically change. Okay, whatever that means. I made sure I also recorded in my notes that all of this is in slash etc slash nginx slash sites-available. All right, we've logged into the console, we know how to change directory to sites-available, and I also recorded that the file to be edited to add these redirects is called podfeet.conf, so it's a configuration file. I didn't write this in my notes, but I remember every time Bill and I messed with this file, Bill made me make a copy of it first with the current date just in case we borked it up.
[11:39]This podfeet.conf file has a lot of stuff in it, but the section we're interested in is the redirects. I usually duplicate and then edit one of the existing redirects because it's a pretty arcane little command.
[11:53]The line says location equals, then forward slash, and the word I want you to use in the URL. So I put slash donate. Next, we have to tell the web that this is a redirect, and you do that with the term return 302. And then you follow that by where you want it to redirect to, in our case, the Stripe URL with all the glop in it. I put in the show notes the entire thing, but I'm not going to read it to you because it's long and annoying. Once the file is safely saved, I need to tell the web server Nginx to reload so it sees the new config file. That's done with a system management command called systemctl. The command is systemctl reload nginx. At this point, I was able to type in podfeet.com slash donate and verify that it redirects to our fancy new Stripe page offering Apple Pay and other methods. On podfeet.com, one of the red buttons says support the show. That button takes you farther down the homepage to a row of linked images for the different ways you can help out. We've got Patreon, PayPal, a link to all my referral links, and finally a suggestion to support the show by recording a review. I wanted to add an icon that would take you to our fancy new donate page over on Stripe.
[13:07]Now, I use a theme called Site Origin North, which gives me kind of a little building block method to create the custom homepage you see. I had four icons for supporting the show, so I had to squeeze in another one for the Stripe link, but I didn't want to use Stripe's logo. Instead, I used the Noun Project, which is the worst name on earth for an awesome service to find icons. I pay for this service because it's so great, but it has the most unmemorable name. I sit there for a long time going, oh my gosh, what is it called? I don't remember. Anyway, I finally found the Noun Project, and I found an icon that looks like a MasterCard with a little magnetic stripe, and then the icon has a dollar bill symbol on it. In the Noun Project, you can also change the color before you download the icon, so I used the color picker to make it the same flashy red as my buttons. I uploaded my fancy new icon and resized it to mostly match the size of the other ones. That's always been a struggle. They're kind of lumpy looking. I try to align them, but it doesn't really work. Anyway, we now have a link to Stripe that says Donate with Credit Card. While I was there messing around with the homepage, I realized that the row of icons above the ways to support the show was for tutorials. And I don't really do that many tutorials per se anymore. I mean, I guess I just did a tutorial for you about this whole signature thing, but it's just not a thing I do constantly. So I deleted that entire row, so the page is actually a lot shorter.
[14:31]Then I noticed I still had a Twitter icon as a way to be in the conversation, so I deleted that for obvious reasons. I noticed that there's kind of a big gap in the rows, and I do need to fix that, and I think I know how, but it's kind of arcane in the SiteOrigin North theme builder, so I'm going to save that for another day. You know, this could have been a one-liner when I panhandled for donations in the middle of the show, but I thought it might be fun to pull back the curtain on how all of this works in the background.
[15:03]
How to Sign Documents on macOS and iOS Without Saving Any Files
[15:03]I participate in an Apple user group through email where I often answer questions from those requesting help, and I can't resist the urge to share my expertise if it's going to help somebody else. Recently, a woman posted that someone had emailed her a document. She wanted to open it, sign it, and send it back all without printing it out. She understood this could be done, but she didn't have any idea how to do it. This was something I could explain.
[15:28]Now you may receive a PDF and want to do the same thing, but I'm going to start kind of one step backwards. She had received an editable text document, not a PDF. So I'll explain how to quickly create a PDF that you can sign. I'm going to go through in detail how to do this on a Mac and on an iPhone. Because I'm going to give you the details with screenshots in the show notes, it might be easy to get lost in all the detail I'm going to give you. So here at the beginning, I'm going to give you the outline, then I'll give you all the detail, and then I'm going to give you the outline again at the end so it sticks in your head. By the way, she also didn't want to save any files, which is a little bit odd in my opinion, but she didn't want to save anything. So there are some steps I may go through where I kind of skip over ever saving the file. All right, let's talk through the outline of what we're going to do. We're going to open the text document. We're going to, and I'm going to put this in air quotes, print the document to PDF. We're going to open the PDF in either Preview on the Mac or Files on iOS. We're going to use markup tools to create a signature. We're going to add that signature, and then we're going to send the document back. Okay, that's not too bad, right? That's a concise set of steps, but I'm going to make sure there's so much detail you can't remember those steps. I'll tell you them again at the end.
[16:40]All right, let's start with opening the text document. The woman I was helping had received a Microsoft Word document, and I explained to her that she could open it with Apple's free Pages app because she didn't have Microsoft Word. If you don't already have Pages installed, it's a quick download from the App Store. A huge advantage is that Pages runs on iOS too, so you can follow along with these steps on the Mac, iPad, or iPhone.
[17:03]There is one caution about opening Word files with Pages. You may run into some formatting problems caused by the translation between the apps or maybe missing fonts. If it's terrible, I'd suggest asking the sender to just give you a PDF instead. In fact, if somebody sent me an editable document to sign, I'd be kind of tempted to change and make the terms more favorable to me before I did any signing. That'll teach him. All right, let's assume for this exercise that you can open the document in Pages without issue. The process to create, sign, and send a PDF is slightly different between the Mac and iOS. And so rather than flipping back and forth between two operating systems, I'm going to walk first through the solution on the Mac, and then I'll explain it again on iOS, because it is different.
[17:49]Once we have the document open in Pages on the Mac, we need to get it into Preview to add the signature. It's very simple to create a PDF on the Mac because it's built into the print function. Within Pages, choose File, Print, or Command-P. But do not hit the Print button at the bottom right, because that's going to actually print the document. Instead, select the down chevron next to PDF. If you want to save it as a PDF, you can, but our goal is to never save a copy. Instead, you can simply choose Open in Preview. I actually found this when I was looking this up for this woman because I didn't realize you could go directly to Preview at this point. Now for the fun part. In Preview, select the pen in a circle, and that'll show you the markup toolbar. In the markup toolbar, you're going to find a signature tool. It looks like a line with a scribbly signature above it. The signature icon will reveal an option to create a signature using one of three options. You can scribble your signature using your trackpad, so you know that it looks like a three-year-old signed it. Or you can use the camera on your computer: you take a photo of a signature you make on a piece of paper by holding that signature up to the camera, so you can get a really nice one.
[19:04]Thirdly, you can scribble your signature on your iPhone screen, which I'm pretty sure will also look like a three-year-old signed it. But maybe you want that three-year-old signature and you have a mouse instead of a trackpad, so that would be the only way you could get the three-year-old signature. I personally prefer creating a nice-looking signature by signing on a piece of paper with a real pen and then holding that up to the camera. Note that you can also use the description dropdown to assign a stock name for this signature or to create a custom name. I never bothered to do that because I can see visually which signature is which. Once your signature is stored in Preview, you never have to do this step again. Simply tap on the signature you made from the dropdown, and it'll plop into the document you have open in Preview.
[19:49]Because we opened the Pages document directly into Preview, it's not actually a proper PDF yet, so you should see an error saying this document has changed and it has to be saved. We're just going to ignore that because we're going to be able to take care of that later. At this point, you can drag the signature from where it got plopped into the middle of the document, drag it up onto the line where you want to sign, and you can resize it with the little corner elements. Now, the original request was to do this entire process without ever saving the PDF. So, from Preview, we can select the share arrow, get it? Share arrow? We can select the share arrow and then select Mail. This will launch Mail.app and attach a PDF of our signed document. Even though we never saved it as a PDF, remember it was yelling at us, you got to save this first, we never did that. That PDF simply comes into existence when we select Send to Mail. Personally, I would recommend saving a copy of any document you sign, you know, for your own protection in case of some sort of dispute, but I still thought it was nifty. We can do all of this without ever saving a document. You'll have to quit without saving after that. Now, keep in mind, Preview stores your signature. I said you only need to do that step once. From now on, anytime you need to sign something, you'll have that signature available from the markup toolbar.
[21:10]All right, let's switch gears and go through the process on iOS because, like I said, it is different. If you already created your signature on the Mac, you can just use it on iOS because it's going to show up. But let's go through the process assuming you're starting from scratch on iOS. I'm thinking about the time that Lindsay, the daughter, and her husband were with us on vacation and they only had their iPhones with them. They got a document from the realtor that had to be signed right away because they were closing on their first house. We used this technique to help them sign the document and send it back just from an iPhone. Let's assume that you, like Lindsay, received a text document in email. Like with the Mac, you can install Pages on the iPhone. In Mail.app, if you tap on the download button next to the document, you could choose to save it to Files, but let's see if we can do it without ever saving that file. Instead of tapping on the enclosed document in Mail, press and hold on the document. You'll get a little preview of the document with options to open in Quick Look, save to Files, share, or copy. But we don't want any of those.
[22:16]Simply tap the preview of the document again, and it'll close those options, but keep that little preview of the document up. We'll still see the preview of the document, but now we can see an option at the bottom that says Open in Pages. Once we have it open in Pages, we're going to do the same thing we did on the Mac. We're going to go into the print menu so we can quote unquote print a PDF. With the document open in Pages, use the share arrow to select Print. Now you're going to see a print dialog box with no clues that you can save a PDF from here. The hidden secret is to pinch out on the screen. All of that print dialog information will simply disappear and you'll be looking at a nearly identical preview. But this is no longer a Pages document; now it's a PDF. If you want to prove it to yourself, tap on the chevron at the top next to the name of the file and you'll see it says it's a PDF. Let's tap away to close that.
[23:12]Now tap the share icon from this PDF and choose Mail. The PDF will be attached to a new email. Double tap on the PDF inside Mail and you'll see a pop-up menu. All it says is Cut, Copy, Paste, and Writing Tools. We don't want any of those. To the right of that is a chevron. Keep tapping the chevron to slide in new menu options and eventually you're going to see Markup. In the Markup tools, you'll see the pen, pencil, and eraser tools across the bottom, but on the far right, I want you to tap the plus button. Within this list of tools, we can select Add Signature. If you've previously created a signature on your Mac or iOS device, as I mentioned, it'll be available to you right here. You'll also see the option to add or remove signatures. From this menu, you'll see any signatures you created previously with red buttons to remove them, but you also get a plus button to add a new one. Unlike the nice option on the Mac where you could scan a signature you wrote with a pen on paper, on iOS you only have the option to sign like a three-year-old. I know a lot of people are comfortable with a signature that's maybe just a squiggle, but I like mine to look like my name. Do your best, and notice there's a Clear button to let you start over if it's not representative of your real signature. Then tap Done. If you're using an iPad with a Pencil, you'll probably do an admirable job on this step.
[24:35]Now, as soon as you finish creating the signature, it's going to again plop into the middle of the PDF just like it did on the Mac. You can drag and resize your signature, but on iOS there's also a little line you can tap on to allow you to change the color and line thickness of your signature. I made my signature purple and significantly thicker. It still looks like a three-year-old signed it, but at least it's pretty now. The stored signature is still thin and black, so you'll have to prettify it every time you insert it into a document. Tap Done, and your PDF with your lovely or childish signature appears on the document in Mail, and we never saved a document. The bottom line is that it's really easy to add your signature to a document you've received and send it right back. Now, I promised I'd review the steps at the end. You can come back and review the details, but remember, this process is simple. You receive a document, you print it to PDF, use the built-in Apple Markup tools to add a signature, and you can create a signature once and use it across your Mac and iOS devices.
[25:44]
Support the Show
[25:44]I bet you're wondering what I'm going to talk about during my quick Support the Show segment, aren't you? Well, I got a wild and crazy idea. How about you go to podfeet.com slash donate and try out my fancy new Apple Pay method of donating money to support the show. Or if you're not an Apple Pay person, you could use a normal credit card. You know, it would be swell if some people tested it out for me, for research purposes of course.
[26:08]
Security Bits — 24 November 2024
[26:09]Music.
[26:17]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. And I just noticed something. I think my voice sounds normal. I think it might be back finally. Oh, wow. Yay, better late than never. Good, good, good. That's a month and a half of gravel voice. Well, hey, it's winter, so these things happen. I guess so. You normally ask me how was the week of security news and stuff. Let's just say that we have two deep dives because otherwise these show notes had a very, very big scroll bar. A very, very small scroll bar. So it's a good week. It's a good week cybersecurity-wise and I found us some interesting conversations to have anyway. You're going to have to give me a little bit of leeway from our usual definition, but I promise I'll bring it right back around.
[27:07]And I think it's interesting. I hope it's interesting. Anyway, we shall find out. We have two little follow-ups to stuff we've talked about before. We talked recently enough about a big Chinese state-sponsored hack of American telcos. This was an example of why a backdoor for the good guys isn't actually a thing, because it's a backdoor. This was backdoor access meant for American law enforcement, and the Chinese government got into it and therefore were able to basically spy on senior American officials. Who agreed to have a backdoor? What company? Here, or... oh, the... well, T-Mobile has now confirmed that they were hacked. All of the American cell phone carriers allow law enforcement to do intercepts, right? We've had phone tapping forever. Basically, they hacked the phone tapping system. Oh, okay, okay. Yeah, yay. I thought that happened a while ago, didn't it? Correct, but then the list of affected telcos did not include T-Mobile, and now T-Mobile have put their hands up and went, oh yeah, how do we look at our logs, erm? It was us too. Okay, yay.
[28:15]We know that there is a cat and mouse game between the vendors of these grey hat security devices, like GrayKey, which are designed to unlock smartphones, not just iPhones, but they do include iPhones. And we very rarely know where the cat and the mouse are in the race because they're a very secretive company and they don't like it to be known what they do and don't have the current capability of doing. So there was a rare leak of an Excel sheet showing the current feature set as a matrix against the different models of phone and the different OSes and stuff. Basically, none of it is shocking to me, but the old adage of it's worth upgrading holds true. If you are on the very latest physical iPhone with the very latest version of iOS, you are more protected than if you are on older iOSes or older iPhones, because Apple keep adding hardware and software hardening and it works. It helps. So if you've got, are trying to make an excuse of why you can't upgrade to iOS 18, iOS 18 goes back to the iPhone XR. I have, I have one in my hands to prove it. I mean, I'm looking at, uh, Apple's... oh wow... uh, configuration or their compatibility listing for iOS 18, but I got this from my grandson and, uh, when I upgraded him and, uh, it's a great little phone and it's, it's on iOS 18. It's fine.
[29:42]Yeah. Now, obviously, the newer hardware gets extra features, too, because you have better security chips and stuff. So if you're the kind of person who is a CEO or is someone of value, it is actually fiscally, you now have a reason to go to your IT department and say, it is worth the financial interest of this company to give me a brand new iPhone every year because it will help protect our corporate secrets, or if you're a diplomat or whatever. The other thing is, it remains true that on average, iPhones remain more secure than Androids. And that's not opinion, that's coming from this article that you're quoting? Yes, yes, yeah. So, you know, averages have outliers. So I'm not saying if you get the very latest, very best direct from Google Pixel, that you're not approximately as good as an iPhone. But on average, most Android phones are not the very best latest Pixel straight from Google. They're something else, which means they tend to have more holes. It's probably good to consider, think about tablets in that too. Google just discontinued their Pixel tablet, so it's... I assume that that would also go for Samsung, though they're pretty good about doing the high end stuff and keeping their devices up to date compared to the $100 one you can get. They are, but my understanding of market share numbers is that there is an iPad market and a few other tablets.
[31:10]None of them seem to have taken off even vaguely close in volume to Apple's tablets. I've got to tell you, the Fire tablet. Probably why. Fire tablet for a kid, Amazon Fire tablet, man, that's what I recommend. People are always asking me, oh, how do I get a cheap iPad for my kid? I say, buy an Amazon Fire tablet because you're like $100. They're terrible. They're terrible things. They're terrible prices. But they're only going to cost you like a hundred bucks and you can put everything, put movies on them and get your kid to leave you alone for a few minutes.
[31:41]Cool, cool. Let me back you up one little bit, since we do have maybe a little bit of time this week. I was making a confused face when you were saying that the more recent iPhones have hardware things that make them more secure. What would be an example of something that an XR wouldn't have, but I mean, not detailed exactly on that one, but versus a current iPhone?
[32:06]They're going to have newer revisions of the various security chips like the Secure Enclave, because Apple are always learning stuff. So you're not going to see it as a user, but under the hood they have, you know, longer key lengths and more hardened chips and things. They're just, whatever the baddies figure out, some of it is baked into hardware and all you can do is the next A-series chip, you design it to work around the workaround. I don't think I knew it was baked into the chip. I thought that was, you know, firmware, where a firmware upgrade could fix that or, you know, add security or something. Just, yes and yes. And okay, sure, it's a little bit of... it's a little bit of software, a little bit of firmware, a little bit of hardware, all mixed into a big confusing pie, and Apple don't give us great detail of any of it because they just tell us the user-facing feature, right? So we discover these things when there's really nerdy vulnerabilities released. And then someone says, oh, hey, we checked out this new chip and it's not vulnerable anymore to CVE, bloody, bloody, blah, blah, blah. Okay. Okay. Just simply never thought of that. All right. And we're done with feedback and follow-ups already, huh?
[33:12]We are. So that brings us to our first deep dive, which I'm calling Taking Stock, because it's that time of year when my news feed inevitably fills up with reports. The year in dot, dot, dot. And I sort of, I put them into my newsreader. Basically, I use an app to collect links for the show, and I put them in on the expectation that they're a 50-50. If a few of them come together and I can string them into a story, they go into the show notes. And if they're just little atoms, I throw them away. It's like, no, this isn't worth Alison's time. This is worth the listener's time. But two of them come in together that I think tell a story that's important for where we are as we come to the end of 2024, because they tie in with some other bigger trends that we've mentioned in passing but never dwelt on.
[34:00]So we usually focus on stuff that you can do to protect yourself as a regular human. But when you think about what actually makes you safe, it's actually two things. There's the things you choose to do and fail to do. That's just as important. And there's the things the companies you trust choose to do and fail to do. Okay. And you don't really directly control that second one, right? But that second one impacts you a lot. Do you mean and? And that's what these reports relate to. Let me question the way you're saying this. The actions we choose to take and fail to take, don't you mean or?
[34:41]Well, no, and. We choose to do some things and we fail to keep, you know, we choose to use 1Password and we fail to do it reliably. We choose, there's things we... yeah, you know, there's things we don't do that we should, and there's things we do or don't do. You know, we make decisions and we just don't do things. They are equal actions. So the reports I'm going to talk about in a sec relate to that second category, but the reason I think it's worth thinking about is because it affects all of us a lot. And it's now pretty evident, now that we are, what, 50 years into the computer revolution, that just leaving it to the free market isn't really working in terms of not having low-hanging fruit just out there. Why are there a million data breaches every year? It's not because the attackers have these amazing zero days that's never been heard of. It's because bugs that were fixed a decade ago are still on production systems. It's like low-hanging fruit doesn't even begin to cover it. Their apples have fallen on the ground. Pretty windfall. Ready to be hoovered up, as you would say.
[35:50]Exactly. So an interesting thing that's also happening this year is that on both sides of the Atlantic there are moves afoot to put security baselines, to basically make it a company's responsibility to meet a baseline, which will just hoover up all that low-hanging fruit, because now that's the new bottom. And if that bottom is universally applied, then it doesn't affect competition or anything, because everyone has to meet this new baseline. And so you just, well, you've got to do it, right? And this isn't a new idea, right? Health care have had baselines for ages now, like HIPAA. There is one whose acronym escapes me this second for financial people. They all have to abide by certain standards. If you are a government agency, your country will have rules you have to follow. Something like this notion of, like, NIST guidelines? Precisely, yeah, because, yeah, NIST is advisory to non-government departments. It's binding on government departments.
[36:50]You know, so that kind of thing. So, you know, we have this idea. And there are moves afoot on both sides of the Atlantic to broaden the base, to make more people fall into that category of you must. And the details are different everywhere. And I'm not going to bore everyone with the details, but this is a really obvious trend. And another thing that might actually happen on this side of the Atlantic, which is very interesting. Have you ever noticed that every software license says, and you indemnify us from all damages, intentional or deliberate, in our software. It's not just... All of them have it. It's not just software. I actually read the things, like I remember going horseback riding once when they made me sign a document that said, even if due to our negligence you get injured, you can't sue us. And I'm like, really? You think this is binding in court, do you? It said, bless your heart. I was going to say, the word there is enforceable and I don't think the negligence clause is enforceable. I don't think so. Well, in Europe, they are actually drafting regulations to make all of those kind of things in software unenforceable. So if a software company is negligent, you can sue them for damages. So imagine CrowdStrike and stuff like that, right? If they were found to be negligent. Why would they have to write a law to do that? That just seems obvious.
[38:10]Well, no one has succeeded in challenging that because at the moment, software is kind of in this strange area. We don't own the product. So it's actually, no one really succeeds very much in suing over that kind of stuff. So by making it a law that says, no, no, no, you're not exempt, that makes it all way easier to get stuff through court, right? You know, you make these things explicit. And so if that comes in, that puts a baseline under every company that sells software in Europe not to be negligent. And the definition of negligent would probably end up being a best practice from NIST or something, right? That's going to be agreed by a regulator that best practices, you must at least do blah. Yeah. Do you really think that will change whether people or companies are negligent? I mean, I don't think anybody's negligent on purpose, are they?
[38:56]Well, yeah, but negligence is also failure to act. Not putting priorities in place is negligence. And there's a lot of that, a lot of that. Because people say, well, yeah, but people buy our software whether we spend money on these expensive pen tests or not. So why bother? People buy our software if we add security as an afterthought. Why bother? Right, right, yeah.
[39:17]I think a few court cases and it will, you know, one or two companies go bust and all of a sudden it's like, oh, oh, this is real. So I think it's pretty good. Anyway, the thing here is that lots more people are coming under the net. So it may be, if this law was in, lots and lots and lots of people would come into the net. But even if the only thing that happens is the stuff that's already entrained just keeps going, then on both sides of the pond, the kind of people who in 2025 are going to be either about to be or actually regulated include government contractors; critical infrastructure providers are being targeted both sides of the pond. And here in Europe, even educational institutions count as critical infrastructure. So large Irish universities, now we're not getting regulated as much as the power company, but we're on the spectrum, because it's a spectrum of different responsibilities for different organizations. And large universities meet the bottom end of the spectrum. You can't just do whatever you want. You do actually have to do the basics. Does critical infrastructure include the telcos with their back doors? Yes. Yes it does. Absolutely. It also includes oil pipelines, power companies, medical, I'm sure, that kind of stuff. Yeah. Well, medical's already regulated. Right. And financial. So they're already, they're already in the net. But that's not stopping it from getting hacked.
[40:39]No, but it means that if you pick all the low-hanging fruit, that doesn't mean there's no fruit. It means at least you've picked all the low-hanging fruit. These baselines aren't a utopia, but they certainly help a lot. Okay, yeah. Well, that's good. We're making things better, not perfect, right? And the other one I really like is one of the European regulations that is on the way in is organizations that hold a lot of personal data.
[41:02]That's a pretty good thing to make you count as critical. Yeah. Yeah, those big companies. They're allowed to meet baselines. Microsoft. Yeah. Apple. So when you think about why has everyone agreed on both sides of the pond that this is something we need to do? Why is there this actual momentum actually happening towards this baseline idea? The answer is wonderfully explained when we look at these two reports that made the news in the last two weeks. Okay. So the first report is from the Five Eyes countries. They're cybersecurity agencies. So the Five Eyes is Australia, Canada, New Zealand, the United Kingdom and the United States. And their intelligence agencies work together as the Five Eyes. And together they have released a report on the most exploited vulnerabilities of 2023.
[41:56]So they looked at the calendar year 2023 for, they focused on large enterprises and which actual software vulnerabilities cause the most damage. Okay. All right. So starting where the return on investment could be made the best. Okay. Yeah. So the report itself has a short management summary, which is good. And they have two calls to action, basically. Software vendors need to start doing secure by design. And CISA have been releasing documents to say, when we say secure by design, we mean X and on different topics. So, how you secure by design databases, how you secure by design web apps. What is CISA?
[42:43]The Cybersecurity and Information Security Service. You're a big cybersecurity agency. Okay. Yes. Yeah. So, they come up a lot. They're basically the big cybersecurity people in the US government. So, they have guidelines on what secure by design means? Yes. To help people implement secure by design, yeah. So like NIST have guidelines for how to do various things. They basically have on a whole bunch of topic areas, and they've been releasing lots of them this year, and there's more of them on the way, apparently. So if you design software for power grids, secure by design means blah, blah, blah. If you design databases, it means blah, blah, blah. So it's really good, actually. Practical stuff. So that's the first call to action. The people who make the software do better. And everyone else, they're saying, for goodness sake, patch management really matters. Put patch management systems in place, formally track and monitor this, and don't be so slow. It's not okay to have stuff managed as, oh, we'll patch that in three months. Quarterly patches is a thing still. Like in the 80s before the internet, that was okay.
[43:55]2024? Uh-uh. Yeah. But, you know, people aren't quite getting the message. So that's the call to action. So I read through what were the top vulnerabilities. And I kind of expected what I'd find. I expected to find that all the stuff that we knew about and that had patches within a few days and that all the big stuff would just, everyone would be too slow to patch. And so even though they shouldn't have been the biggest ones of 2023, they would be. So what caught my eye is that too many organizations are really slow to patch even the stuff that makes the mainstream media. Like, forget about the run-of-the-mill stuff that goes under the public radar. Log4j was one of the top vulnerabilities in 2023. That's years old. Is it years old? When did it come out? Oh, it must be at least 2021, 2022. Certainly not in 2023. Okay.
[44:59]But if I know about it... So it's not a zero day anymore in 2023, yeah. We had a couple of actual zero days with something called MOVEit, which is used to move data around by an awful lot of people. But there were remediations posted almost straight away, like how to check if you've been compromised, how to apply the patch, because it was a zero day, so some people were hacked before there was a patch. 2021.
[45:23]There we go. Yeah. Huh. Right. That's still on the list. Top 15, and Log4j is still on the list. Ridiculous. Is it hard? Now MOVEit made all of the mainstream... nope. It's just a matter of having him... the chances are it's just hiding in places because there aren't proper systems giving actual visibility. You get killed by the things you don't know you don't know. Right? Right. Those unknown unknowns are real killers. Or maybe you even know you don't know what's out there. That's still bad. You don't know what's in your estate. Just because you know you don't know doesn't mean you know. Right, exactly, exactly. And MOVEit made all of the headlines. Every emergency response team around the world, like US-CERT and all of the big CERTs, the Irish National CERT, they all had remediation out within hours. If you use MOVEit, you must immediately do this, this and this. You couldn't, but if you work in cybersecurity, the MOVEit stuff was in your face within hours of it happening. And that still made the top 15. It was kind of under the hood, because it's software that companies use to move data between each other. Oh, okay.
[46:35]So, British Airways and a whole bunch of really big companies, you would know it not by the name of the software company, but by the name of the victims, which were big things like British Airways and stuff like that. It was a really big deal. And then the other thing is that the one place you should be patching most urgently is the really, really critical stuff like firewalls, remote access tools and VPNs, those kind of things.
[47:02]Your core collaboration tools like your office suite, whether that be G Suite or whatever, right?
[47:09]Those really core things should be patched the quickest of all because they are it. They are everything. And yet the list is dominated by Citrix, Cisco, Fortinet, Barracuda and Microsoft. They make firewalls, VPNs, remote access, collaboration tools. And you're saying they're the slowest to patch? Those companies are? Well, not the company, no. The companies are quick to patch. Their patches seem to be the slowest to get applied. Because there's a bias in management against: if I do something and it breaks, then I broke it. If I do nothing and it breaks, I didn't break it. So, oh, we don't want any downtime on the VPN. Let's only patch that quarterly or whatever. Well, what if we break the firewall? Then we cut ourselves off the internet. It's like, yeah, but what about the risk of not patching? And I don't think that factors in. I wonder whether that battle will ever be won, Bart, because that battle was a daily battle in my life when I was working. And you know, that's, it's been a minute since I've been... Baselines, baselines, Allison. That's how you win that battle. You don't make it a choice. You remove the choice. Then it's not a difficult business decision, it's a requirement. You must be patched within seven days. Done. That's, that's not a practical statement just to say that, because it does depend on what it is.
[48:33]Okay, maybe seven days is a little optimistic, but I can speak from direct experience. I live under a 30-day rule. Okay, but I'm saying, depending on what the thing is, some things have to be done, can be done quickly, and some things cannot. I mean, that's definitely true. I mean, you can't take down an entire healthcare system within seven days necessarily if you don't know what the implications of all the moving parts are, for example. I mean, there will always be things that can't be done as quickly as other things.
[49:01]Right. But a proper patch management system means that as you're, so it will take some time, but as you're deploying them, you do them in such a way that everything is active, active pairs. So you can patch one half while the other half keeps your company up. Then you patch the other half while the other half keeps your company up. There are solutions for these things that didn't exist five years ago, let alone 10, 15 years ago, because it's a problem. It's one of our biggest problems.
[49:26]There's a lot of opportunity here and it's just not being done. It's just not being done. The other report then is from MITRE. And these are the people who released the, they're a non-profit that seems to be mostly US oriented. They don't quite say on their website exactly where they physically are, but they seem to be strongly US based. Nonetheless, they have developed what has become one of the most important tools for cybersecurity, the MITRE ATT&CK framework. This is like, you know the way taxonomy puts all of the animals into kingdoms and species and all these kind of things so that everyone can talk about them in the same way? Well, MITRE ATT&CK is a framework for classifying security threats using a unified language everyone agrees on with definitions. So all security tools from all vendors have settled on MITRE ATT&CK. So this has revolutionized how we do things in the last decade or so. It's wonderful. And the MITRE people live and breathe vulnerabilities. That's what they do. They're fascinated by vulnerabilities. So they have an annual 25 list of most exploited vulnerability types. I can confirm MITRE is a US company, by the way.
[50:40]Excellent. Thank you. So what are the 25 most exploited types of bug? And this again is vulnerability. Sorry, a bug that causes danger is a vulnerability, right? Yeah. So mistake. Yeah. Okay. So what really strikes me is how many old friends are on this list. Like stuff from the 70s is still on this list. So breaking it down, I'm left with this thing of: we actually have modern best practices and modern tooling that addresses so many of these things that are still in the top 25. It's not that they have to be here. We understand them. We have remediations. We have tools to avoid them. We have tools to find them before you publish the software. Like, our toolkit is huge, but it doesn't seem to be being deployed. So how often have I said in programming myself that you have to validate all data that comes from the user? You have to assume that users are intentionally trying to put naughty stuff into data. And yet, number one in 2024 is cross-site scripting. Failure to check for JavaScript code in HTML that you accept from the user on a web page. You have a text box on a web page the user can type in; you're not supposed to let them put JavaScript in there.
[52:09]Failure, the number one, the number one. A close second is cross-site script... cross-site request forgery, where you have a web form that receives information and doesn't check it really came from who it should. So you can add a link in a social media post that actually sends a command to your router, and instead of your router receiving the command and going, uh, I'm sorry, that's not a response to a question I asked, the router goes, oh okay, you'd like to turn off all the firewalls? Sure, fine. That's cross-site request forgery. That's also really easy. We know how to fix this stuff. Like, we have all of these tools. That's number four. And what's worse is cross-site request forgery is up, up by five places in the last year. We're getting worse. Getting worse. SQL injection, "sequel" injection, literally around since the 70s. Number three. I remember learning about that. That was a long time ago. Bobby Drop Tables has been in XKCD how long?
[53:10]That's SQL injection. Path traversal is a very similar thing, where you take input from a user and use it to run a command and you don't check. It includes things like dot, dot, slash. And then instead of showing the user the thing you're supposed to show them, you show them the content of /etc/passwd or something, because you've allowed them to navigate your whole file system because you're not checking for dot, dot, slash. Trivial stuff. That's at number five. OS command injection, where you take some input from the user and shell out to bash, or shell out to DOS or something, and just run what the user gave you without checking it properly. That's number seven. And generic command injection is number 13. Generic input errors are number 12.
[53:57]The other thing that strikes me is we know that there is this concept of memory safe programming languages. Languages like C make you manage your own memory, and that's so, so easy to get wrong. But we understand the ways people get that wrong, so we have tools for detecting it, and we have new languages where it's impossible. You can't have a buffer overflow in JavaScript or in Rust, because memory management is not up to this human typing. That's part of the language. That's done for you, because computers can follow rules rigidly and reliably and humans can't. So the fact that we have memory issues still dominating in 2024 means that there are tools and languages both to detect the stuff in code. If you have to write in C, you should be able to detect it. If you don't have to write in C, then you shouldn't be. And you can test this stuff post fact, you can test this stuff at compile time. We have all of these tools, and yet out-of-bounds write, which is otherwise known as buffer overflow, number two. Out-of-bounds read or use after free, which is basically data leaks like Heartbleed, number six and eight. Code injection, remote code execution to you and me. That is sitting up there at number 11, up 12 places.
[55:20]Null pointers, which lead to app crash or denial of service. That's at number 21. And trivial stuff like integer overflows, still at number 23, although it has fallen nine places. So maybe we're almost done with that one.
[55:34]And then we have leaky security. Hang on, let me ask a question here. Yeah. Is it possible that since we're seeing the oldest stuff, the, the, the old classic hits, rising... yeah, is it possible there's, there's a reason behind its placement, that other things are disappearing that were more recently discovered? Is there... I mean, there's got to be a reason. What, what did they displace? What used to be there that disappeared? There might be some good news in there. I don't know.
[56:04]That's a fair point. I guess I am somewhat focusing on the obvious, well, wait a minute, this is low-hanging fruit. And again, Secure by Design would have none of, like these things I'm mentioning here, Secure by Design would get rid of those because you would be implementing toolkits from day one to stop these bugs being in your code. Because that's the best solution. Don't try to debug the code afterwards. Don't write the bad code. That's better. By the way, you brought up the XKCD about little Johnny drop tables and you said, how long ago was that? I don't know the date, but it was number 327 and we are now on 3,015. Ouch. And I put it in the palate cleansers just in case anybody wanted to go see it. Oh, goody. Thank you. Thank you. And then the last sort of, well, the second last section I caught my eye is leaky security controls, which means you're just not doing enough pen testing, right? This is why we have pen tests. This is supposed to be part of standard process that you throw the white hat folks at your stuff before you sell it. And they find the low-hanging fruit, like improper authentication, improper privilege management, improper authorization. They're all very high up the list. Exposure of sensitive data to unauthorized actors, known to you and me as a data leak. Basically, it's supposed to ask you for a password and it forgets. Just shows you the stuff. Oh, was I supposed to check you are who you say you are? Whoopsie daisies.
[57:32]Missing authentication on critical functions. That's the end of the list. I'm glad that's at number 25 at least, but that's still on the list. Which means, like, a router saying, turn off the firewall. Oh, did I forget to check if you're actually logged into this interface? Whoopsie!
[57:48]And then the last one literally made my head explode. Now, it is down at number 22, and it has fallen four places. Hard-coded credentials. Oh, come on. Come on. Thank you. Thank you. See what I mean by low-hanging fruit? Yeah, I know that one. Right. Anyway, I figured I'd end on one that everyone would just bang their head and go, oh, right, yeah, and this is why baselines are a thing. So that's what we're driving at here. So my second deep dive isn't really a deep dive. It was just a story that was too big to be a story. Microsoft have had their version of WWDC. They call it Ignite, and it really caught my eye for cybersecurity because I could smell CrowdStrike all over the announcements, or rather the response to the very spectacular CrowdStrike outage over the summer. So the first thing is that they have made a big deal about a, what are they calling it, a security and resilience initiative.
[58:53]And the two big things they've let us know are that, one, they are officially working with the security vendors to make a new API for Windows to allow those kinds of tools not to have to be in the kernel, which means they can't crash the whole system, which means you can't have a crowd problem. And we said at the time that the Mac and Linux already have APIs for this, so there's no reason Microsoft can't. Well, that's happening. And they are engaging with the community and there is work going on. So that's good. The other one really made me laugh. So when CrowdStrike happened, the big thing was that you had to physically go to the computer because they wouldn't boot, right? Corporate IT couldn't do something remotely because they couldn't boot. They're adding a new feature to Windows 11 that happens very, very, very early in the boot process, before drivers and the dangerous stuff loads, that will allow the device to be remote fixed. Hmm.
[59:51]So even if something slips through the net, you'll at least be able to get a remote fix pushed out automatically instead of having to rely on someone physically walking over to every device. And that's clearly CrowdStrike response, and they're good responses. So that's nice. But there were three other things that caught my eye. Windows 11 is getting a nice bit of hardening called admin protection. So even if you're an administrator on your local machine, which a lot of home users like to be, because then you can install software and stuff, you won't be running as an admin all the time. Like on the Mac, you'll have to do Windows Hello, which is the equivalent of Face ID or Touch ID, at the point in time you try to do something admin-like, and then you'll briefly have admin powers, and then they'll fall away again straight away. So if you get some malware, you're not always carrying around this superpower, because you haven't escalated to the superpower. So that should make all of Windows 11 way more secure than Windows 10. So if people are saying, oh, should I update to Windows 11? Yes, if you can.
[1:00:55]Another one that I think is going to make a big difference. So you're talking about how it's difficult to patch stuff quickly because you can't have downtime. What if you could patch the kernel without rebooting? That's coming. Hot patch. It's already there in Linux, not yet there on the Mac. And it is now in the Insider build of Windows 11. So instead of people putting off... you know, you get that pop-up. Or lots of people do; you wouldn't, because you don't use Windows anymore. But lots of people get that pop-up if they work in a corporate environment saying, you must reboot your computer within the next three days, reboot now or do it later, and they go later, later, later, later, as long as their group policy lets them away with it, and eventually the computer goes, sorry, not your choice anymore, goodbye. And usually they're standing in front of a lecture hall giving a lecture to 500 students and they're very cranky, and then you go, actually, maybe you should have listened to it three days ago. Sorry, I may be sharing some stuff. It does remind me of a wedding I was at with a friend of mine who I think I knew better, and he wanted to play a slideshow at his daughter's wedding, and he was forced to do a Windows reboot and patch update in the middle of the reception. I might have mocked him a little bit.
[1:02:05]Maybe you should have done that first, yeah. And then the last one is another nice one. Windows APIs to allow passkeys managed by third-party apps to work with Windows Hello. In other words, and they have said explicitly, they are working with 1Password. So people like 1Password allow you to have your passkey synchronized across multiple devices and to use that passkey for Windows Hello, which again is going to make it way easier to have people's Windows 11 machines more secure. Keep in mind also that you can now install Windows 11 on ARM from an ISO on a Mac, on the Apple silicon Mac. So that's pretty fun. Oh, that is pretty fun. Yeah, yeah, the ARM version is actually pretty good this time. This is not Microsoft's first attempt at playing in the ARM playground, but it does actually appear they're doing it properly this time. I hope so. So that's nice. Yeah. And okay, back to our usual fodder. It's been Patch Tuesday. Patchy, patchy, patch, patch. Four zero-days. So yeah, definitely patch. Apple also patched for zero-days. For whom?
[1:03:14]Microsoft, sorry. Microsoft Patch Tuesday. Okay. So all of your Microsoft stuff, just patch it. It's been the second Tuesday of the month. You haven't patched. Naughty you. There's something for you. It's probably important. Apple don't have a schedule, but they did release a whole bunch of updates, including two zero-days. The actual dodgy code is in every version of their operating system, so they've actually patched everything. But the reason there's extra focus on Intel-based Macs is because those were actively exploited in the wild. So they were the zero part of the zero-day. The others weren't actively exploited. We can't tell why. There may be a technical reason, but either way Apple patched it everywhere. But the real problem was on the Mac, on the Intel, and it was only in the latest versions of the OS. So if you were on Sonoma, for example, you're unaffected. Yes, so basically it's the iOS, iPadOS 18.blah, blah, blah range, and the macOS 15.blah, blah, blah, and also visionOS 2, I think. The latest visionOS release that came out in September and almost no one noticed. That one too. Okay.
[1:04:28]Ubuntu desktop users need to pay attention. You don't often have to pay attention, but hello, three of you. Patchy, patchy, patch, patch. Fairly nasty bug that basically gives any malware that gets onto your machine instant root. And that's just not good in a desktop environment. There are Ubuntu servers, they could be affected too, but it's usually harder to get local execution to be able to elevate, whereas on a desktop, that's way more likely. So definitely one for desktop users to patchy, patchy, patch, patch. You weren't mocking Linux users the same way you were mocking people who've bought Vision Pro, right? When you said the few of you? No, I'm almost sad by the reality that there are not very many desktop Linux users. But every year it is always said, oh, this will be the year of desktop Linux. And hey, might be right someday, but I've been around for a while and desktop Linux is like hen's teeth. I know two desktop Linux users. They're very happy. They're very lonely.
[1:05:27]Yeah, I know. I used to know three, but he went back to a Mac. Anyway, and just a timely reminder that one of the things you need to patch very urgently is your security tools, because they have a lot of privilege. And this came to my mind. There is a security plugin for WordPress called Really Simple Security, which had a spectacularly major bug that gave attackers admin access to your WordPress without your password. So patchy, patchy, patch, patch. If you install that plugin, you probably installed it for a really good reason. Definitely let that one auto-update. Just go into your WordPress settings and make sure that one's an auto-update. I don't think either of us are running it, Allison. No.
[1:06:16]I'm not a big fan of third-party security tools for WordPress because they have a habit of being leaky. Yeah. Yeah. Yeah. I have one worthy warning. Nosilla Castaways like you, I, and everyone who does Programming by Stealth are big users of GitHub. There is currently available for sale from the baddies a malware-as-a-service offering where you can bulk attack GitHub users with spear phishing. They try to trick you into installing this, authorizing this GitHub app in order to apply for this job. That kind of stuff is currently what it's being used for. They're going to try to trick you into authorizing sign in with GitHub on something you shouldn't. And you're going to end up giving permissions on your GitHub account to this app that isn't actually legitimate. And it's going to be phishing, so they're going to target it in some way to try to trick you. It's available as malware as a service, so how it will be used is up to the creativity of the baddies. Just be extra suspicious when you get that little pop-up: this GitHub app would like authorization for da-da-da. Just stop and think. Unless you proactively... Keep your Spidey sense up. Keep your Spidey sense up. Exactly. If you're installing a new Git client that you chose and you downloaded and you are asked to authorize your client on GitHub, that's fine. That's how it's supposed to work. Anything else, Spidey sense, away.
[1:07:45]The only notable news I have left is there's a nice new feature in Signal to make it easier to have repeating calls on their fully secure and encrypted communication network. So if you're looking for sort of the canonical trust-no-one encryption app, Signal is a good choice. Why do you call it... and it's gotten easier to use? What do you mean, repeated? So you know that we have a link that we click to get into the Zoom call every two weeks, and it's the same link every two weeks. Oh, okay. So you can make this permanent link that says, the three of us will get together anytime we want at this link. Got you, got you. And it'll be end-to-end encrypted, the whole kit and caboodle. So that's how they made it easier to get. Easier. Okay.
[1:08:26]Which is always good. And then the last thing, I wanted to find some good news to end on. So the United States have tried to tackle the caller spam, you know, all those phone calls to your house, with the National Do Not Call list. We have seen since 2021, when the Do Not Call list came into effect, a 50% drop in unwanted calls in the United States. Hmm. Sure doesn't feel like it. Actually, it's the number of reported calls.
[1:08:56]Hmm. Okay, fatigue may have something to do with that statistic. You're right. That is another explanation. Yeah. And I have one excellent explainer if you have a propeller beanie that you have spun up and ready to go. How XProtect protects you from viruses on macOS. I will say the first five or six paragraphs are pretty approachable, pretty much for anyone in our audience, and they're a good overview. And then they dive. Dive, dive, dive. It's fascinating. It's really detailed. There's a whole bunch of really cool terminal commands where you can inspect the deep inner workings of XProtect and Apple's various security tools. I was fascinated. I've bookmarked it for reference. But I do say, if you read it all, you're a proper nerd and you have earned your certificate. It's pretty good stuff. People, XProtect is... that's not a third-party thing. No. So your Mac has built-in features to protect you from malware. Apple don't advertise it as being antivirus as such, but it's basically antivirus, and its brand name is XProtect, but it's a big umbrella. There's lots of technical tools that go under the branding umbrella of XProtect.
[1:10:08]They probably should rename it macOS Protect since they renamed it from OS X, but anyway. I was going to say, every time I see it, I think, oh, who's that from? And then as you kept talking, I was going, oh, yeah, yeah, that's built in. So I thought maybe somebody else was confused. Built in. Yes. And we have now more palate cleansers, as you added one.
[1:10:27]I am going to go first because I want to follow up from your palate cleanser last time with the amazing image from Euclid.
[1:10:34]Literally, was it two hours after we recorded, did I send you a message going, oh my god, look what's just dropped into my podcast feed: an Astronomy Cast episode dedicated to the Euclid telescope, all about the cool instrument that made that cool image. If you're the kind of person who likes to play with stuff, then running VMs of Linux or whatever is the kind of thing you might want to do, and you can use free tools, but they tend to be a bit clunky and by geeks for geeks, whereas the VMware tools are really easy to use, with nice GUIs, and they work really well. More of them are now free for everyone, even people who are just curious but do technically work within a corporation or stuff. They've just made VMware Workstation and Fusion free for everyone. It's the server products where they're going to make their money, not the desktop stuff, which I just think is cool. I mean, you know, freemium model. Yay. And then if your propeller beanie still has some room, I found an amazing website. Someone linked to an A to Z of all the Apple-specific terminal commands on the Mac. So these are terminal commands that only exist on the Mac, and they do Apple-specific stuff. And there's loads of them. So the chances are if you want to interact with how it does Spotlight indexing or something, there's a command for that. If you want to interact with all of the Apple-only features, there's a command for that. Did I send that to you? Because I found that independently and posted it in our Slack.
[1:12:02]ss64.com, maybe. That's race art? Yeah, it's really, really fun.
[1:12:08]Yeah. And then you're next because you have two fun ones. All right. So I added Exploits of a Mom, which is the drop tables joke on XKCD. But when I was searching for that, I actually came across a site I'd never seen before. It's called ExplainXKCDWiki. So people explain the joke.
[1:12:30]And I love that because I was looking at the latest one, number 3,500 and something around there. I was like, I have no idea what that joke means, and I want to get the joke. And it's technical explanations of what his joke means and why it's funny. And I tried to put a link to the one about drop tables, but because it's a joke about drop tables, there's a whole bunch of funky characters in there. And I got tired of trying to escape all of the characters that they put in it. And I just said, okay, just look for this Explain XKCD wiki. It's very, very funny. The other one I had in there was O2 unveiled something called Daisy, and it's an AI granny who is out there now answering phone calls from spammers. So what they've done is they've seeded where spammers get their phone number banks. They've seeded it with these phone numbers for this AI granny to answer the phone. The whole job of this granny is to keep the spammers on the phone. And the video about it is very funny. Obviously, the calls aren't video, but it's really well done because it's this very classically AI-looking granny, and she's got the gray hair and the whole thing, and she's just talking about her grandkids. They're going, hang on, let me go get a pencil to write that down, just keeping them on there. It's very funny. It's very effective, and I hope it's doing God's work there.
[1:13:54]That's amazing. It made the BBC World Service. They have a podcast once a week called The Happy Pod, where it's only good news. There's not allowed to be anything depressing on The Happy Pod. It's fantastic. Oh, I like it. And they had a feature on Daisy. They let the journalist use Daisy, be on the other end of the conversation. And it was, we got to hear Daisy in action. And it's like, oh, so what, where did you grow up? What was your street name when you grew up? Showed, oh, I grew up in Luton, and oh, it was a wonderful place. We had an amazing greengrocer down the corner. Where did you grow up? Did you have a really nice cake shop? And away she went. Oh, you need to find the link to that if you can. That sounds fantastic. It doesn't keep. It's one of those podcasts where there's only ever one episode in the feed. What? The current one. Oh, that's mean. Yeah. There's only ever one episode. I know. But it's daily. Sorry, it's twice daily. So that would be a very big feed.
[1:14:48]Anyway, yeah. Tom Merritt's got a big feed five days a week. That's a fair point. That's a fair point. I'll see if it's possible to get it on the BBC website. Maybe. Yeah, yeah, maybe not. If I can, I will. That's fabulous, because I would love to hear her in action where somebody's trying to get her to do anything. That's really, really funny. Well, we managed to make some good meaty topics, or you did manage to make some good meaty topics here, and out of not a lot of content. This is fun. Oh, good. Well, you know, as I say, I always aim to help, and I had way too much fun writing those deep dives, because I had technically finished the show notes before lunch and I didn't actually stop writing until just before five o'clock.
[1:15:33]So there we are. I like it. Anyway, I just might be able to get you a link. Either way, it will be in the show notes if I can. All right. Very good. Oh, I remember what I'm supposed to do now. Remember, folks, if you want to stay secure... Wait, no, I've got it all wrong now because I've tried to improvise this while multitasking. Allison multitasks all the time. She finds links, she corrects me. I just tried to find a link and now I don't remember my own outro. Stay patched till you stay secure, or something. Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? If you have a question or suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash mastodon. And if you want to listen to the podcast on YouTube, just go to podfeet.com slash YouTube. If you want to join the conversation, you can join our Slack community at podfeet.com slash Slack, where you can talk to me and all of the other lovely Nosilla Castaways in there. It's great fun. You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal, or podfeet.com slash donate, where you can use PayPal or a credit card of your choice. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5pm Pacific time and join the friendly and enthusiastic.
[1:16:50]Music.