NC_2025_03_02

In this NosillaCast episode, a GitHub Pages recap, an interview with EcoFlow's Jeanette Holton on generators, a lock screen tip, and a chat with Incase's Ashley Holmes about stylish laptop bags are featured.

2025, Allison Sheridan
NosillaCast Apple Podcast

Automatic Shownotes

Chapters

0:00 NC_2025_03_02
0:27 PBS 177: Publishing A Basic Jekyll Site (GitHub Pages)
1:48 CES 2025: Ecoflow Portable Power Stations
6:08 Focus Mode to Put “If found call:” on Your Lock Screen
11:46 CES 2025: Incase Laptop Sleeves, Backpacks, & Keyboards
20:54 WidgetSmith to Put “If found call:” on Your Lock Screen
28:49 CES 2025: Shiftcam Accessories for Mobile Phones
36:39 Support the Show
37:33 Security Bits — 2 March 2025

Long Summary

In this episode of NosillaCast, I delve into a diverse range of technology topics while sharing my personal insights from the week. As I present show number 1034, my excitement is palpable, especially since I’ve finally recovered my voice, which had been gravelly for weeks.

We kick off with a recap from my Programming by Stealth mini-series focused on GitHub Pages. This week, I guide listeners through the steps of creating a basic Jekyll site. I explain the significance of installing a modern version of Ruby and utilizing its gem bundler, allowing us to create and serve a local Jekyll site. We then push our initial work to GitHub, leveraging the GitHub actions we explored in earlier episodes to see our efforts manifested as a live website, all at no cost. Moving forward, our goal is to create a custom theme and expand our knowledge, learning how to effectively use Bootstrap and standard directory structures within Jekyll.

Shifting gears, I recount an amusing do-over interview I conducted with Jeanette Holton at CES, where we explored the innovative portable power generators from EcoFlow. We discuss their River series, which is perfect for outdoor adventures, and the more powerful Delta Pro 3, capable of running an AC unit during outages. I emphasize the user-friendly aspects of these generators, including their thorough output options and mobility features like wheels and a pulley for easy transport.

Next, I share a cool iOS tip for securely displaying your contact information on your lock screen—if your phone ever gets lost. Initially referencing the Bob's Contact Lock Screen app from 2012, I discuss its limitations and my search for a modern solution. Following a recent tip from Elliot at Mac Geek Gab, I discover how to utilize focus modes to create an If Found Call message that displays prominently on my lock screen. I share step-by-step instructions on setting it up and how to make it work seamlessly across all my Apple devices.

The episode takes a turn as I engage with Ashley Holmes from Incase, who showcases their latest laptop sleeves and bags designed for portable lifestyles. I describe the sleek Crosstown Vertical Sleeve, perfect for organized professionals, as well as the stylish and functional Crosstown backpack. We dive into the details of their durable designs and features like water resistance and customizable compartments, emphasizing how Incase products cater to modern users.

Later, I discuss a fantastic discovery regarding using WidgetSmith for displaying lock screen messages and how to center text creatively. Thanks to community input from listeners like My Spoon is Too Big, I detail these clever enhancements and my experimentation with visual customization to keep the message appealing.

As I conclude this episode of NosillaCast, I reflect on various listener contributions and tech insights, underscoring the value of our community. I recommend highlighting new security features and tricks to enhance everyone’s technological experiences. This mix of technical knowledge and personal anecdotes offers something for all tech enthusiasts, leaving listeners with practical takeaways and the invitation to further engage with our growing community.

Brief Summary

In this episode of NosillaCast, I recap my GitHub Pages mini-series, guiding listeners on creating a basic Jekyll site and pushing it live. I share an interview with Jeanette Holton from EcoFlow about their portable power generators, discuss a lock screen tip for displaying contact info, and feature a conversation with Ashley Holmes from Incase on their stylish laptop bags. I highlight community insights and the significance of security features, inviting engagement with our tech community.

Tags

NosillaCast
GitHub Pages
Jekyll site
portable power generators
Jeanette Holton
lock screen tips
contact info
Ashley Holmes
laptop bags
security features

Transcript

[0:00]
NC_2025_03_02
[0:00]Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever-so-slight Apple bias. Today is Sunday, March 2nd, 2025, and this is show number 1034. I don't know if you guys have noticed, but I actually finally have my voice completely back. I don't know if it was still bothering you, but it was still bothering me that it was all gravelly up until just a few weeks ago. Anyway, I'm excited about this.
[0:27]
PBS 177: Publishing A Basic Jekyll Site (GitHub Pages)
[0:27]On Programming by Stealth this week in our mini-series on GitHub Pages, we learned how to create a basic Jekyll site. To do this, we needed to install a modern version of Ruby, that was pretty cool, install its gem bundler, create a little placeholder site, and then serve Jekyll to view our site locally. We then pushed it up to GitHub, where the GitHub Actions we learned about last time did their magic and created a real website for us all for free. But we didn't stop there. One of our goals is to create our own theme now and to build on what we get with Bootstrap. We actually downloaded the source, not the compiled version of Bootstrap, which I think that might be the first time I've ever downloaded source. And then we were able to pick and choose which files we wanted to use from Bootstrap. While learning about the standard conventions for directory structure and Jekyll sites, we also learned about Sass, Syntactically Awesome Style Sheets. That's just fun to say. Anyway, and how Jekyll will turn those into standard CSS. It's a bit of a heavy lift in terms of a lot of moving pieces, but no one bit of this was hard to learn. It was great fun, and this is just the beginning of what we're going to learn about using Jekyll as a fully functional content management system that will allow us to create a website for free on GitHub Pages. Of course, you can find Bart's fabulous tutorial show notes and the audio podcast at pbs.bartificer.net.
[1:48]
CES 2025: Ecoflow Portable Power Stations
[1:52]We are actually doing a do-over of an interview. I interviewed Jeanette Holton last night at a different event, and I botched up so badly I actually exploded something on their signage in the middle of it. So we're doing a do-over. We are here in the EcoFlow booth and y'all make portable electric generators. Yes, we make portable power generators of all kinds of sizes and capacities depending on what your needs are, all the way from our River series which is good for camping. The smaller versions over here. So that's this little one down here looks like about the size of a toaster. Yes, exactly. Very versatile, very portable. You just grab it with one hand, you can power up your tent if you want to when you're camping. You could actually just make sure, if the only reason why you need a portable power generator is to back up your computer or your Wi-Fi during a power outage, that's a perfect option there as well. Okay, so how many, what's the power level on that? So this is that, I, the River 3. All right, so this is the River 3. Don't let me touch the signage.
[3:01]So, it has 600 watt total output. General capacity is 286 watt hours. Yep, watt hours. Watt hours. Exactly. All right. Yep. But your big girl power generator here. Well, this one is kind of our medium level power generators because we go all the way up to huge ones that provide whole home backup if you really want to. And those, you can actually connect to your grid and it's all a big show and production. But this one is a medium-level one. It's called the Delta Pro 3. It is incredibly powerful. It has 4,000-watt capacity, and it's expandable to 48 kilowatt hours. That's right. So what we're looking at here looks about the size of a cooler, really, maybe a little bit narrower. It's got handles on the ends. It's got a beautiful display. But you said that so you can stack batteries to this? You can add batteries. For more capacity, more power if you need to. So this one by itself as it is, it's enough to power your house for two days approximately.
[4:09]And if you live in a hot area in the country like Florida and your power goes out and you need your AC to be running, this is actually powerful enough to keep your AC running. So it can deal with the surge in power too? It can deal with the surge, exactly. So it's pretty amazing. It solves all the challenges that a normal person can encounter using a gas generator. This one is no maintenance. It's ready, plug and play, right out of the box.
[4:38]No noise. No toxic. None of that noise. So it's very versatile. It has a handle as well. You mentioned it has handles here, but it has a pulley and wheels. So it's a rollie. And you can roll it and use it indoors, outdoors, however you'd like. So let's look at the outlets on here.
[4:55]So these outlets, of course, you have your normal AC, power outlet. So 120 volt. You've got your USB. I see 240 there. Yes. So you could run a dryer out there? Absolutely. You can run a dryer. A dryer is one of the most power-hungry, energy-hungry appliances you can have. I've got news for you. If there's a power outage, I'm not doing laundry. But what is this one down here, Steve? 120 volt, but it's a circle. It's a higher amperage, but I'm not sure which one, what amperage. Okay. All right, and then you've got to. I can't read it. Steve's studying it here. So we've got two USB-A and two USB-C on the front as well. And so what would the EcoFlow Delta Power 3 go for? So a unit like this will go for a little bit under $3,000. And we are always having sales and Black Fridays and holiday sales and what have you. MSRP of around $2,000, but be a smart shop. I want the current price. The best source to go to is on EcoFlow.com, and that's always updated. E-C-O-F-L-O-W. Thank you very much. I'm glad we did a do-over. I was much better this time. Thank you so much.
[6:08]
Focus Mode to Put “If found call:” on Your Lock Screen
[6:12]If you lose your phone and someone of good moral character happens to find it, how would they contact you to return it to you? Way back in 2012, on episode number 395 of the NosillaCast, I told you about a terrific little iOS app called Bob's Contact Lockscreen that solved this very problem. Bob's Contact Lockscreen let you select a photo and then type in a message such as, if found, call. You then put in someone else's phone number, and remember, you want it to be somebody else's because they have your phone. If they call that number, that's not going to do you any good. You've got to have somebody else's phone number in there. Anyway, you could move the text around on screen to anywhere you wanted, and it worked so well with your image, and it respected sacred areas on the screen like where the time was displayed. You'd save the new image from the app with the text embedded, and then make it your wallpaper.
[7:00]In 2015, when the iPhone 6 came out with a bigger screen, Bob never updated the app to accommodate the new screen size, so it didn't work anymore. With today's operating systems, you could take a screenshot of the image on your phone and use the markup tools in Edit in Apple Photos to type your on-screen message and then save that image. But you'd have to be aware of things like where the time is and the notch and the little home indicator bar at the bottom. It's kind of tedious. It'd be kind of repetitive going back and forth to try to figure out if you did it right. It also means you've only done it to one image, just like with Bob's contact lock screen. Years ago, Steve's solution was to choose an image of Saturn for his lock screen, and he typed on the image if found call, followed by my phone number. In all these years, his solution is he's never changed his lock screen. Now that's great for him, but I like to change my wallpaper pretty often. In fact, right now I have it cycling through favorite photos of my darling grandchildren. Now adding Steve's phone number to every image, after duplicating them so I don't wreck the real one, that isn't at all practical. I'd all but given up on having the safety net of Steve's phone number on my lock screen.
[8:08]That is, until last week when I heard a quick tip by Elliot on Mac Geek Gab 1078 that solves this problem. I don't know how Elliot figured this out, but it is by far the easiest, most elegant, and possibly future-proof method of having a lock screen message. The trick is to use a focus mode. I'll walk you through this process with a few embellishments of my own. On iOS, open Settings, Focus. Tap the plus icon in the upper right to add a new focus mode. On the next screen, you'll be asked what you want to focus on with a few stock options like fitness and gaming. Now, I understand fitness, but gaming? They may have trouble focusing on gaming. Well, anyway, we're going to choose custom below that. Next, you'll be asked to name your focus. The name you choose will be the lock screen message. In my case, I named my focus If Found Call, followed by Steve's cell phone number. Next, choose an icon for your focus. This will also show on your lock screen. I didn't see a way to not show an icon, which I would have preferred, but I chose the little present icon because it would be a gift to me if someone returned my phone. Next, you'll be shown explanations of options to customize your focus. Just move to the next screen by tapping the Customize Focus button at the bottom.
[9:26]Now you're going to see a plethora of options, including intelligent breakthrough and silencing, along with the ability to choose people and/or apps to break through. You can customize the lock screen or home screen based on being in that focus mode. I didn't mess with any of those options, but below that we can set a schedule. I want my lock screen text to show all day every day. I selected time and then set my Sunday through Saturday schedule from 9:01 a.m. to 9 a.m. Well, technically all day. I can live on the wild side for one minute per day without my lock screen message.
[10:01]Now, the only focus mode I normally use is Do Not Disturb. But if you're a big user of focus, you might want to experiment to see whether this scheduled setting might conflict with other focus modes you currently use. I'll be curious to hear if this idea causes any unfortunate side effects for others, so let me know if it does. After this simple setup, my iPhone's lock screen now shows my If Found Call message. Since any device logged into the same Apple account shares the same focus, my iPad now shows the same lock screen message. I ran a little experiment and changed my focus to Do Not Disturb, and the good news is that it did override my lock screen focus. When I disabled Do Not Disturb, my lock screen focus did not re-enable itself. I'll have to remember to actively re-enable it or let it ride until 9:01 a.m., when it'll turn itself back on.
[10:51]Now over in the Discord chat for Mac Geek Gab, a person called My Spoon is Too Big, which is also fun to say, had another tip for the Mac. They responded to the article that I'm telling you about right now by pointing out that in System Settings, Lock Screen, you can toggle on Show message when locked and enter the same If Found Call message. Now perhaps my Mac will come back to me if I ever leave my precious Mac behind. I'm delighted with Elliot's solution for using a focus mode to put in my little message on screen. It was easy to set up and so far with the focus enabled, it was working. I seem to be getting notifications from people I care about and the apps I care about. I do still have a fond place in my heart for Bob's contact lock screen, but this is even better.
[11:37]Now, if this focus method of putting a message on your lock screen doesn't work for you, stay tuned for another article in a little bit.
[11:46]
CES 2025: Incase Laptop Sleeves, Backpacks, & Keyboards
[11:50]Steve and I are big fans of Incase in particular. In fact, we just bought an Incase sleeve for our son, Kyle, after we bought him a MacBook Air, and I'm here with Ashley Holmes from Incase to talk about what they have new this year. Cases for laptops, right? Oh, we've got a lot more than just that. But I will start with, this is our new Crosstown Vertical Sleeve. So we know that a lot of our users do multiple pieces from our assortment. A tote, a backpack, whatever. So I put my MacBook in here and I stick it into my backpack, I want access from the top. Oh yeah you do, not from the side. Instead of having to pull it up and zip it this way, right? So this is a great feature for a user that wants something like that. It's got a nice big pocket in the front. Does this have magnets in it that hold it closed? It does not, it does have magnets. It does, yeah. Oh, nice, nice. Yes, it's made with our proprietary Woolenex material so it's scratch resistant, water resistant, and offers great, you know, just surface protection. I spill a lot, so that's probably good. Perfect. It's got our nice faux leather pad, or faux fur padding in there to keep it protected. No scratches from that. Crosstown sleeve. And that's good for your 14-inch laptops? 14 and 16. 14 and 16 for both, right? And it comes in a bunch of colors. All right. You've got to love it with a lot of colors. Next we have, let me pull this off for you.
[13:12]Got a big backpack here. This is our Crosstown backpack. Very sleek looking. So this, we went out with the intention of the college student, maybe somebody starting their career for the first time. They want something a little professional looking, but they still need a lot of function. So it's a, it's just a great solid.
[13:33]I've got stuffing in there, but you have a dedicated laptop section. And you can still have your laptop in one of your sleeves and still go in here? It depends. If it's the 14 inch, I believe it will. The 16 might be a little snug. Sure. Just because this is a smaller, it's a compact backpack. Right. You also have the secondary pocket in the front, so if you have your iPad or a Surface or Kindle, you've got a dedicated section for that as well. That's funny. I actually do it the other way around. My iPad is so big because I have a 12.9. I put it in the big sleeve, and my MacBook Air goes in the front one. There you go. A nice knit pocket on the inside. We have water bottle sleeves on the sides for you. More storage in the front with a zip here.
[14:16]Nice big section. Key ring. Pencil sleeves. I mean, you need something to be placed somewhere there's a spot for it with this backpack. So what I like about this is, if you're just listening, this just sounded like a backpack the way she described it, but it's really sleek looking, like she said, for the young professional trying to make a good impression, but you still, backpacks are so much better than like briefcases of the old days, right? Well, and we have briefcases if you, that's what you're. Oh, wow, that was just a straight line for Ashley right there, right? Yeah, exactly. All right, should we keep backing up here? Yeah, for sure. So next I want to show you, this is our new Edge hard shell for MacBook. It is 13, 14, 15, 16-inch compatible, so Airs and Pros, we make it for all of the sizes. It is Bayer Makrolon polycarbonate, so it's a great protection that is still lightweight. Because laptops can get heavy, we don't want to add bulk or heaviness to the device.
[15:14]It's nice that it's clear, you can see, you know, your beautiful Apple logo there for you. It's got this frosted kind of lip on it, so it's got a bit of grip for if you're just carrying it from wherever you're at. Not that I have ever dropped a lap. Right. Nobody has, right. Comes in clear, comes in black. And what's this called again? This is called the Edge hard shell. All right, great.
[15:38]So back in September, yes, we're back in the iPhone case scene. This is slim, my personal favorite, and also the most popular case that we've launched so far. It's great that, again, it's based off of our original MacBook hard shell that everybody loves. It's what really set us apart from, you know, competition was our hard shell case. So we wanted to take inspiration from that for iPhone, keep the integrity of the device and just add protection or add style, whatever it is. So you'll see that frosted section is similar to the frosted that's on the edge hard shell.
[16:17]This one is our Icon with pebbled leather. So this is actually corn leather. So it's less emissions. It's got sustainability, which is very near and dear to Incase's heart. It feels really nice. Beautiful. So it brings that luxury but in a very sustainable way. Then I have ARC. It stands for A Responsible Carry. By far most popular bag collection that we offer. This is a set of backpacks again? It is backpacks and now we have a duffel bag and we have laptop sleeves and we have accessories and we have crossbody bags. I mean, it's just exploded. The collection is huge now. And this collection again is called? ARC, A Responsible Carry. Oh, okay. So it's made with re-spun 100% recycled polyester on the exterior here.
[17:15]Again, just we're known for intentionally good products. And with intention, it's literally a pocket or a section for any and everything you can think of. Because when you're organized, you're so much more productive to find whatever it is that you're looking for. If you can remember what pocket you put in. Exactly, yes.
[17:35]Water bottle sides that expand or it can be used as just a pocket. It's got pass-through travel, so I can put it on your rolly bag roller. There you go. And just a really lovely collection. Comes in black, navy, uh, smoked ivy, and then the laptop sleeves also have a peach and a gray. All right, we got peach. All right, good. Right, and oh my gosh, we're not done yet. We're gonna talk about keyboards. We are gonna talk about keyboards. What don't you make? I know, right? So last year Incase purchased or entered a strategic partnership and purchased Microsoft's Heritage PC accessory SKUs, keyboards, mice, Teams-certified devices. I think I heard from somebody they stopped making them. They did. So we resurfaced them. Same exact, great, love tried-and-true Microsoft keyboard accessories that everyone knows and loves, now just Incase. Oh, okay. But this is a brand-new-to-market compact ergonomic keyboard. It's also designed by Microsoft. They never launched it under their category. So now we've brought it to CES to debut it. Looks sort of like the Sculpt.
[18:51]It's very much inspired by the Sculpt. So I actually have that one with us. I love these keys. Yes.
[18:58]So, the Sculpt ergonomic keyboard that you mentioned. Oh, that's the full Sculpt. Okay, so that's actually got a separation in between. It's a split key, yes. Split key. Yes. So this is curved split key, too, but what's cool about this is it's 30% smaller than most ergonomic keyboards in market. So because we're Incase and we inspire a mobile lifestyle, we thought that this would be a great option for work from home, take it to office, wherever you need to go, and you prefer to have that separate ergonomic keyboard set up, we've got one for you here. So now this has a Windows key on it. Do you make a Mac version? We hope to in the future. I understand under the circumstances why it has that key, but now I can't play yet. But this does have a dedicated Copilot key, which is cool. It pops up right there, the AI assistant to your screen. So in boost in productivity, whatever it is you need to ask Copilot. It pairs to three devices. So I can turn that on, control this screen, control this device, control the other device. Short keys up to the screen.
[20:05]Excuse me, three AAA batteries should last up to like 36 months. So just a really great option for something that's smaller, compact, still ergonomic. Really great feeling for the wrist pad. I have to say, I thought that you only made laptop sleeves. I literally did not know. So I'm glad we came by to tell you, hey, we love your laptop sleeves. And you showed us everything else. Yeah, for sure, for sure. It's fun that we want to continue to go into new categories. We want to continue to evolve the brand and really offer something where our users are. And so we hope that next year when you see us, I'll say, I have more newness for you because that's the plan. Very good, Ashley. Thank you very much. If people want to learn more, let me guess, incase.com? Correct. Very good. Thank you. Thank you.
[20:54]
WidgetSmith to Put “If found call:” on Your Lock Screen
[20:58]So you may remember just a few minutes ago I finished telling you about the cool trick to use focus modes to put an if-found call message on your lock screen. But I may have an even easier method. I posted a link to the previous article in the Mac Geek Gab Discord, since that's where Elliot had given the quick tip idea. My Spoon is Too Big responded by saying it caused issues with his other focus modes, and he offered what might be an even better way to accomplish the same task. They walked me through how to do the same thing using the free version of the iOS app WidgetSmith. WidgetSmith is from the great developer David Smith, who brought us such fine apps as Pedometer++. I'll go through the steps My Spoon is Too Big explained to me. I do want to let you know that to the best of my ability to test it, it does appear that WidgetSmith is accessible using VoiceOver on iOS.
[21:48]WidgetSmith is free to download but is ad supported and does have ways to pay for premium services, but we're going to be working just with the free version.
[21:58]Across the bottom, you'll see a series of tabs. We're only going to be working in the first tab of the interface called Widgets. Now, like I said, you'll see an ad at the top unless you have a premium subscription. Then there's a couple of videos to teach you how to configure different widgets. Below that, you'll see four rounded rectangle buttons where you can choose what kind of widget you want to create. We want to select Lock Screen, so let's narrow our search down by selecting that button first. Now we have to find the right widget. We want to add text to our lock screen, so you might be tempted to choose the very first option, Add Text Widget. Oddly, that's the wrong answer. It appears you can't add text widgets to the lock screen. Instead, we need to select Add Rectangular Widget. Now the next screen has quite a few tabs, but Widget is chosen and that's where we want to stay for now. Even though we don't want a photo, under the photo section, you'll see one that says custom text, and it shows a colorful rectangle with the words your text here on it. That's the one we want. With custom text selected, we need to select the text tab at the top of the screen. Now this screen lets us enter our custom text. If you put if found call followed by the phone number all on one line, the font will be wee tiny on your widget. I recommend replacing the default text with if found call on the first line and then the phone number on the second line.
[23:19]At the top center of this screen, you'll see the default name of the widget. It's called Rectangular Number 1, and just under that is the word Settings. It's very hard to tell, but that's actually a button. If you select Settings, you can change the name of your widget. In a moment of whimsy, I changed Rectangular Number 1 to if found call.
[23:38]Now hit the back button, and you'll see your new text for the widget and the new name at the top of the screen. Hit save in the upper right. Now back on the main page, under rectangular widgets, you should see your newly named widget with its custom text under rectangular widgets. We're done with Widgetsmith for now, so let's enable the widget on our lock screen next. First, lock your phone using the side button. Tap it once to wake up the phone. Press and hold anywhere on the screen to bring up the option to customize your lock screen. You'll be given the option of lock screen or home screen, and of course we want to select the lock screen. This reveals a rectangular box under the clock that says Add Widgets. When selected, a pane will slide up from the bottom, giving you the option to add different built-in widgets as well as those offered by your installed apps. Scroll all the way down to W in the list of apps and select Widgetsmith.
[24:30]Swipe past Circular Widgets and choose Rectangular Widgets. Close the Widgetsmith pane with the X. Now you'll see a gray rectangle kind of plopped into the wide rectangular widget area underneath the clock on your phone. Tap the gray rectangle once, which allows you to select from your rectangular widgets in the Widgetsmith app. In my case, I just have the one called If Found Call. Now, the gray rectangle has been replaced by the text you entered for that rectangular widget. You can close the lower pane with the X and finally hit Done in the upper right. Your lock screen now has your fancy If Found Call widget. The only thing that bothers me about this is that it's left justified. You can drag it to the right, but you cannot drag it to the center. I had a genius idea. Using Widgetsmith, I created two circular widgets which are half the width of a rectangular widget. My idea was to leave them blank, but put the rectangular widget between them. Sadly, Apple doesn't let you do that. Your text must be on the left or the right. It cannot be in the center.
[25:30]Now, I know people grew weary of the saying, well, if Steve Jobs were still alive, but I am positive if he were alive, and I sent up a screenshot of this OCD-inflicting lack of centering, heads would roll in the widget department. Now, while we can't center the widget like nature intended, we can make this widget slightly more interesting. Open up WidgetSmith again and select your new rectangular text widget. The second tab on the top is Theme. You can change the background of the widget to make it stand out more by either adding a standard or a solid background. The default is none.
[26:03]Standard appears to fill the rectangle with kind of a translucent color complementary to the image behind it, while solid is opaque. I don't like that one because it'll cover up some of your wallpaper, so I actually prefer none on this. However, I did have some fun changing the font for my widget from this same theme tab. Some of the fonts have a star next to them, which I just presumed meant it was part of the paid-for Widgetsmith, but it turns out I was able to choose even those with the free version. Have fun choosing a font that you hope will get that good Samaritan to call you to return your phone. The bottom line is, I think this is a better solution than using a focus mode, especially for those who enjoy focus modes for their intended use. In describing focus modes for the message, I had a moment of pause before I said, as you may recall, that it was future-proof, but I did think the solution would last longer than the one day between my two articles. Now, I do prefer the text at the bottom of the screen like we had with focus modes, but this is probably a more resilient method. Many thanks to My Spoon is Too Big for the hand-holding figuring this all out.
[27:06]WidgetSmith looks like a terrific app with tons of fun to be had. I haven't even begun to describe all of the other free features of this app. If you want to have even more options like interactive widgets, premium icon packs, premium themes, weather, air quality, and pollen widgets, consider supporting David, or as he seems to like to be called, underscore. You can do that by subscribing to his app for $2 a month or $20 per year. You would think I was done with this topic, but after I posted that version of how to put your if found call message on your screen, someone named Brian514 gave a tip on how to get this message to be sort of centered on the lock screen. It doesn't work perfectly, but it's a clever way. He said, about not being able to aesthetically center the widget, I would do the following. First, create a rectangular widget that reads if found call. Optionally, have its text aligned to the right. Create another rectangular widget that gives your phone number. Optionally have its text aligned to the left. Add the widget created in step one to the left side of the lock screen and the second widget to the right side of the lock screen. And then know that Steve Jobs would still disapprove of your messing around with his lock screen.
[28:18]I just love that. Now the only problem with doing this, I did follow through with this and I've set mine up this way, is the font is different sizes for the two blocks because it has a different amount of text, and that bothers me a little bit, and there's still a gap between them for some reason. But at least it's not off-center, so I think I still like it better. Anyway, I've had a lot of fun with this, and I really appreciate the folks in the Mac Geek Gab community coming to my aid to figure out how to get my precious if-found call message back on my lock screen.
[28:49]
CES 2025: Shiftcam Accessories for Mobile Phones
[28:53]I'm in the ShiftCam booth, and I actually came to hear about some camera gear, but we're going to start in a completely different spot here. I'm with Benson Chu. Hi, how are you doing? Very good, very good. How are you today? This is an audio podcast and a video, so describe in detail what you've got in your hand here. Sure, sure, sure. What I got in my hand right now is the smallest SSD in the world. It's a small that some people describe as like a bubble gum, so small, that it actually sits fairly flat at the bottom of your phone so that it disappears in your arm when you're holding it to shoot horizontally and it fits in your pocket as if you don't have anything on the phone. So it's just connected through USB-C. Exactly. And then it is 10 Gbps, which is the fastest, it's a fast standard on actually storage. You can store, you can shoot with like Apple ProRes, 4K, 120 frame without any dropped frames, no problems.
[29:43]All right, that's very cool. What is that called? It's called Plank. Plank? Yes. That's a good name. All right. What else do you got? What is the price on that? We are launching soon to Kickstarter. Super early start at $125. Okay, very good. All right, what else do we have here? I am very interested in this camera grip. Yes, so this is called a SnapGrip Pro. It's a magnetic grip that actually attaches to your phone so that it doubles as a grip and then triples as a charger for your phone. So it's now actually able to start charging your phone through Qi2 wireless technology. All right, I need to hold it. Yes, see how this is. So he just grabbed what looks like a camera grip and he slapped it on with Qi2. Connected it right up to the phone, so it's charging and I've got a nice grip for taking photos. Yes, exactly. That is pretty slick. Yes, because it's magnetic, connected to the center of your phone, it pivots in the center of your phone as well. You rotate your phone to hold it horizontally or vertically without your hand changing its position. Oh, that's slick. Very nice, very nice. Okay. Yes, so this is called SnapGrip Pro, but the whole is part of a system called Snap Series in here.
[30:47]It has a lot of other accessories such as the snap shoes that actually magnetically also attach to the systems, and you can have any kind of combination in modular systems, so they can be cold shoes. So he just added, essentially, in series, another magnetic connector, and now he's got a cold shoe on top? Yes, or you can actually choose maybe what we call a pocket light, a very small light that actually serves as a floodlight for the phone. Snap it on so that you can actually illuminate anything that you're shooting with, or you can actually rotate and flip it up so that it actually can do it as a selfie to light up yourself as well. Nice, so that's all adding together. Now, you could use this light without the grip, right? Correct. All our products in the Snap Series work independently or in combination with each other. That's really slick. Okay, what else? I see some other things here. Awesome. So this is actually what's new today at CES. This is about the studio lights. Think about a ring light, it's quite bulky to carry. We shrink down the ring light to like the size of your phone, around rims, so that it is actually able to fit in bags. It also fits with your phone. It is, I'm gonna describe this, so it looks to me about the size of maybe an iPad mini. He's got a phone mounted in the middle, I can't quite see. Oh, of course it's connected with MagSafe.
[32:06]And you've got, did the light just come on for you, Steve? Not yet. You have to press, long press, long press to turn it on. And then you can change temperature so that it's from warm to cold colors. And you can change intensities from the dimmer to brighter. So this would be for your Zoom calls and that sort of thing with the nice camera. Yes, it's built-in batteries so that it lasts for, on average, a couple, two to three hours. Depends on how bright that you're using it. Okay, great. And does that charge over USB-C, I assume? Yes, and it has different mounting points to extend to different accessories and mount on tripods as well. And what do you call this? This is called studio lights. Studio lights. Yeah, snap studio lights. I like that it's a rectangle, not a circle. I'm tired of seeing the circles on everybody's eyeballs.
[32:51]I agree, I agree. I've got curiosity. I've got something else in my hand here. It's a cylinder that appears to have another MagSafe connector on it, a Qi2 charger. This is actually what we call the Snap Stand Max. It opens and actually mounts your phone magnetically, but at the same time extends as a six-foot-tall tripod. Six-foot-tall? Oh, holy cow. He's extending this thing. Oh, wow. And this whole thing was only, what, about six or eight inches long when he started, and it's six feet tall now. Can you see the stand? Let's go all the way up so you can see. It's on the left actually on here. You can see it as well.
[33:31]Wow. Let's see you fold that back up. So he's sliding it back together. That is a really slick design. And then you can close it.
[33:40]And there's actually a remote, a remote magnetic attachable shutters with it. Rechargeable with USB-C. Put it back, close it, and it will... It's a shutter for your phone? Yes. So it's connected over Bluetooth? Exactly. So that you can have a group. Think about when you're on vacation with a group, you are tired of asking people to help you shoot, and you can just click, set it up, everybody smiles, and use a remote to take everybody in the pictures. It's beautiful. And what's this product called again? It's called SnapStand Max.
[34:07]SnapStand Max. Yes, and there is a SnapStand selfie. There's a smaller version of it. A little stick there. Those are adorable. So the company is called... ShiftCam. ShiftCam. ShiftCam. Yes. And we've talked about the plank, and we've got the studio light. We've got all these different products. Oh, yeah. Talk about lenses. Sorry, Steve just reminded me. So we have that mount over there, but you've also got lenses to attach to the iPhone? Yes. We actually started off our business seven years ago by producing lenses. So lenses is our strength. This is called the Lens Ultra. It's all, it's, it's, we released about last year, working with everything with the phone. We require our phone case to do it. All you need to do is to click on it, rotate it, and that's the lenses. They just, he's got, so he's got a specific case of theirs and a little band up mount, and he just put what looks like a fisheye lens on it. Or this one is a macro instead, actually. Macro, okay. Right, mm long-range macro. So now you can actually start like shooting microscopic things with these lenses. And there we have seven different lenses, from macro lenses, telephotos, wide-angle and even anamorphic lenses.
[35:15]How big is the zoom? The telephoto is 2x, it's more like a portrait lens where perfect to shoot on like a person interview like now what we are doing. Okay but not not give it the picture of the eagle in the tree? No not yet, not yet. That's the one I want, that's the one I keep looking for. Well, we are actually coming out with it now. Why is that so hard? Because the problem is that the bigger the zoom, the much bigger the lens. Sure. And sometimes when you shoot with your phone, you don't want to bring a very, very big bulky lens with it. So by actually making a very big lens on the phone, it started to be counterintuitive. Okay. So that's why... And counterbalanced, too. Yes. But then we are actually coming out with lenses that goes on your zoom lenses on the phone. Sure. So that you can easily achieve 10x zoom without a problem. So if you've got a 5x lens on the iPhone 16 Pro, 15 Pro Max, and you put the the 2x, isn't that 10x? That one currently, it's actually needed a different kind of optic design to actually work with the 5x on the iPhone. So we are coming out with another one that actually allows you to put it on the 5x lenses. Okay, so right now none of these attach to the 5x? Yes, mainly it's got, well the macro can work. The macro can. Just not the telephoto yet. Okay, that makes perfect sense. So, again, if people want to find this, they go to shiftcam.com. Yes. Very good. Thank you. Thank you very much.
[36:39]
Support the Show
[36:42]Well, you know how sometimes you're listening to a podcast and you think, wow, I really learned something cool just now. Or maybe that was a fascinating conversation. Or possibly, wow, I bet it's a lot of work to put together podcasts like this every single week. In these moments, you might be thinking that you should reward the podcaster for her hard work, but it feels like, yeah, too much friction. What if you could just go to something like, I don't know, podfeet.com slash donate and use Apple Pay to buy me a coffee or three coffees or five coffees or even more coffees if you want. That's what the delightful David Ragsdale did just this last week. Easy as anything, nearly zero friction to hit that Apple Pay button. And you know what? It made me feel like I had a pat on my little pumpkin head for doing all this work. Be delightful like David and go there right now.
[37:33]
Security Bits — 2 March 2025
[37:34]Music.
[37:42]Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How's the security weather look like today, Bart? Cloudy with a chance of data breach. I prefer meatballs. Oh, yeah. Well, what do we got? What do we got? Okay. I don't tell you every single time attackers do something to attack developers because that has become the new, oh, look, there's a vulnerability in a PDF, right? That is the fashionable thing to do at the moment is attack developers, because if you can steal their private key, you can digitally sign their legitimate software and get your malware, yada, yada, yada, right? But this one caught my eye for two reasons. First off, it used one of my favorite tools and how dare they go after stuff I like. And it's one of the tools that you like, and it's one of the tools our entire community likes. So I really thought we should mention that there was a VS Code extension with 9 million installs, which got pulled because it appeared to be phoning home in very suspicious ways. The nicest thing about the story is Microsoft's response, which isn't the kind of thing we're used to hearing where Apple and Google are told about it and three weeks later they finally do something about the developer. Now, they pulled the certificate, which immediately disabled the plugin on everyone's VS Code and kicked the developer out of the store. So, yay-ish.
[39:10]Perfect. But so for people who don't know, VS Code, also called Visual Studio Code, is a code editor. So it's a text editor, and it's written by Microsoft, but it's got a really rich and powerful plugin architecture, so you can do all kinds of nifty things with your code. So it's kind of sad when you see them attacking the plugins, especially our favorite code editor. Yeah, and it's open source and all those kind of cool things. And it's got a great community tool at the moment. It's just a really nice environment to work in. I'm very fond of VS Code, which I think if you told me from 10 years ago that my favorite tool would be a Microsoft thing, I'd laugh at you. And then you'd say, oh, yeah, and they own the repository where all the open source stuff lives. And I go, ha, don't be so silly.
[39:58]Do you know that scene in Back to the Future where he tells them that Ronald Reagan is president and no one believes him because he's an actor in Westerns? That would be what I'd think of myself. I was actually thinking exactly of Ronald Reagan. That's hilarious. Right. Okay, so we have a follow-up slash deep dive, which basically this story was beginning as we last recorded, and where we last left it was that there had been a very believable and credible leak from within the British government claiming that they had used the highly controversial Investigatory Powers Act, or Snooper's Charter, as is more commonly known, to issue Apple a secret order which would force them to put a backdoor into end-to-end encryption on iCloud, which literally means disable end-to-end encryption. Like, that is a definitional problem. It is not end-to-end encrypted if someone else has the key. That is definitionally not it. So they basically told Apple, you must completely break the advanced version of iCloud protection. And you must do so in complete secrecy. And you may not legally tell anyone that you've made this change, nor even reveal that we issued you an order at all.
[41:23]And that's for everybody, not for UK people. That's for everybody. So every single citizen in, you know, you're sitting in New Zealand, it would have been your data that would no longer be fully protected because they would have a key to the back door. Yeah. So basically the product for everyone on planet Earth had to be broken according to this order. And that was where we left the story. I think we had just covered the fact that this was such a credible leak that US senators from both parties in the United States, I should say, with a long track record of knowing their stuff about both cybersecurity and national security, which is obviously where these two things come together, had released statements saying, oh yeah, this is a big deal and we want answers. That was Ron Wyden, who we've regularly talked about, and a couple of others. And that had just happened as we recorded last time. So since then, Apple did what appears to be the most they could possibly legally do. They stopped UK citizens from signing up for advanced data protection, and they stated they were unable to provide the service at this time. No explanation, no details. We are unable. Well, cannot do.
[42:46]Back us into this. I've heard this described on quite a few shows, but I think it's really important to understand is advanced data protection protects a subset of stuff that Apple gives us with end-to-end encryption. And there is another subset of the stuff Apple gives us that is still encrypted that has nothing to do with this story.
[43:05]Yeah. In my show notes, I start there. So let's back up a little bit and go right back there. So there's been a lot of misreporting about what's actually going on here. So there's advanced iCloud protection, which is a new feature that was added about a year ago. It's very much intended for people who are at very high risk. This is kind of a response to all the grayware stuff from Pegasus and all that kind of stuff. So it is aimed at, so you're talking about politicians, activists, you know, human rights lawyers, places CEOs of large tech companies who know things that certain governments would like to know, those kind of people. And so before we look at what they get that is in this advanced feature, let's back up a sec, because a lot of people have assumed that if the advanced protection is end-to-end encryption, everyone else must be getting no encryption whatsoever, which is not true. It's really, really not true. So every single one of us who use iCloud get encryption while our data is going up and down to Apple servers, and it's encrypted while it's on Apple servers.
[44:14]The difference is in order to be able to facilitate a password reset request and stuff, there is a second key to our encrypted data. So one of the keys is with us and the other key is with Apple, and they keep those protected on separate servers and so forth. But if you initiate a password reset, that second key is in Apple's possession so they can reset our password. If we lose our password, we're not locked out forever.
[44:40]A side effect of that is if they receive a court order that compels them to unlock an account, they must do so. And because they can, to facilitate us forgetting our password, they can do that when they receive a valid, in America it would be a subpoena, in the UK it will be a court order. Different countries have different names, but basically a process is completed and Apple is compelled to decrypt the iCloud backup. They can. But there's a giant big caveat even to what all of us get. There is data on iCloud that if you lose your password is unrecoverable, because not even Apple keep a spare key. There is no spare key, and that is your health data and encrypted. It's true end-to-end encrypted, and that is your health data and your passwords. Those two things, there is no backup. If you lose access to your iCloud... Gone. Apple don't have a spare key. I believe it's a little more than that. I think it also includes messages in iCloud from iMessage and FaceTime calls. That is possible because Apple tend to add more things into that shield. So their latest white paper will list exactly what's in there today. But I'm very confident in those two things. And I think you're right that it's those two things and one or two more.
[46:05]Right, right. Right. But I think having iMessage is, I'm quoting from Apple support article, a message in iCloud is end-to-end encrypted when iCloud backup is disabled. When iCloud backup is enabled, your backup includes a copy of the messages in iCloud encryption key to help you recover your data. No, sorry, that's not the full end to end. That's not like your health data, so it can be recovered.
[46:30]But it is end-to-end encrypted if iCloud backup is disabled. I just read that word right, because if it's disabled, what it means is that the message, so if you don't have your iCloud messages backed up, then they only exist while they are flying over and back and on your two devices, in which case Apple can't see them because they're not visible while they're flying over and back. If you have iCloud backup, the copy of your messages goes into your backup. The backup has a spare key. So that's why that caveat is there. Okay, let me read it again. Messages in iCloud is end-to-end encrypted when iCloud backup is disabled. We agree on that. Perfect. When iCloud backup is enabled, your backup includes a copy of the Messages in iCloud encryption key to help you recover your data. If you turn off iCloud backup, a new key is generated on your device to protect future messages in iCloud. This key is end-to-end encrypted between your devices and isn't stored by Apple. So I think that is what you just said. It is what I just said. So there is a little bit more to this that I think like the fact that the health data, no matter what. Now, what I'm curious about is whether since we don't actually know what the UK government asked for, did they want to be able to get into those too? Do they want to get to our health data? I don't know. We can't know. Apple's reaction to turn off advanced data protection is just a subset of what they may have wanted to get to.
[47:59]According to the leak. Like if they want to be able to get to iMessage. Well, no, no, but the leak did explicitly list advanced data protection. So based on the little bit of knowledge we have, the target of the order was the advanced data protection feature, which is quite recent. So I think as best as we can tell, which is not for certain, It is limited in terribleness to that, which is already pretty darn terrible, right? Okay. Wouldn't keep him from asking from the rest of it and us never hearing about it. We can't know, right? By definition, it's all secret. So the best I can do is tell you that the leak said this was the context. Okay, so Apple's reaction to this was... Okay, so now we're ready to tell you what advanced iCloud protection is. So for you... Call it Advanced Data Protection. Yes. That's the name of it. Thank you. Could you correct the title in the show notes? Because my brain is saying the right thing and I'm reading the wrong thing in front of my face. Okay. So the difference when you turn on Advanced Data Protection is that you explicitly agree that there is no parachute.
[49:07]Apple will disable their ability to recover your account. And in the process, the only keys protecting your backup are in your control. They're in the secure enclaves on your devices. So they are irrecoverable. So no matter who tells Apple what, the laws of mathematics make it impossible for them to ever recover your data. Be that because you locked yourself out or because they received a court order. They mathematically cannot do it. That is risky because it now means that if this data is important and you lose, say, you have two iPhones, you lose both of them and you forget your password, that's it. You can never get your data back because you have agreed there is no parachute. That's why it's not for everyone. But if you're the kind of person who's in real risk here, that is a responsibility you want to take on. And that's why the feature exists and that's why it's called advanced. And so they want a back door into the thing whose sole purpose in life is the removal of all abilities to decrypt that are not with the end user. So they literally want to destroy the feature.
[50:19]And so Apple went, no, this feature is gone for this country, you cannot have it. The other thing is Apple said that if you currently have it turned on, you are probably going to be forced to turn it off, but this is something that's very difficult to do because Apple can't unilaterally turn it off. They need the user to provide the current key that only the user has to decrypt the data and re-encrypt it in the normal way. So the only thing Apple could do if they're absolutely compelled is delete every UK person's data if they have advanced data protection. They can't force decrypt it because they literally can't decrypt it. So all they can do is offer the user the ability to decrypt it themselves and download it and run away or enable the normal level of protection, which means Apple has a recovery key.
[51:11]By the way, I've been trying to search for the actual wording of the memo and I'm not finding it, but the Washington Post does not say advanced data protection is what they demanded. It says they have demanded that Apple create a backdoor allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud. That's okay. The versions of it I've read, that are not the wordings. I have read reporting from more technical sites that explicitly quote the feature. Look, I don't know. We can't know. It's a secret order and we're hearing it through a game of Chinese whispers. So I think that's that. I don't know. I don't think there's much point in having that argument. Okay. Okay. But it just, it might be, um, so in Apple doing this, it's almost a passive-aggressive response to it, because, right, it's not doing what they wanted. Right. And it's not even clear that what Apple have done gets them out of legal jeopardy, but I think it gets them enough PR that they are effectively protected from legal jeopardy.
[52:18]Because the next step is they close their British office and they cease to be a legal entity in Britain and they end up like they are in China, or sorry, like Google are in China, not there. And I don't think the British government are ready to have that land on them, to have all of those millions of UK Apple users utterly go to town on their own government. So I think Apple have very, very cleverly played this as strong as they can and probably slightly more strongly than the law allows. Because the law actually says you must comply while appealing.
[52:57]Yeah, and I believe, I heard on DTNS that the penalty isn't just money, because Apple could just basically afford to pay money until anybody's done, as long as they want. But it's also, there's an imprisonment option. Yeah. So they might be a little more amenable to negotiation. Now, there was also a point at which maybe it was the Ron Wyden stuff you were talking about, that they were going to supposedly come up with a law that would counteract that one. Oh, no, I have more to tell you. I still have more to tell you. So I've told you the first of the things that happened since we last spoke, which is the most dramatic. Apple just went, this feature, go away for UK users, right? That is the most dramatic thing that happened. But it's not the only thing that happened.
[53:43]So Senator Wyden and others, they didn't just release a press release saying we're very concerned. They also wrote to the director of national intelligence in the United States, who happens to be recently confirmed. Hello, welcome to the job. Isn't this nice? So Tulsi Gabbard got a letter from Senator Wyden and other senators saying, what are you going to do about this? And she wrote back. And her letter back is excellent. It's truly excellent. It's written clearly by someone who truly understands cybersecurity. So she has great staffers and it's excellent. I can't argue with it. And basically she is officially investigating if this order breaches the treaty that governs data sharing between US companies and British citizens, which is called the US-UK Cloud Act. Can't remember if it's called an act or a treaty. It's not clear to me because it should exist on both sides of the Atlantic. So it must be a treaty.
[54:40]Basically this may actually be patently illegal under U.S. law, which then puts them in a really interesting position, because under UK law it is illegal for them not to comply while they appeal, and under U.S. law it is illegal for them to comply, full stop, end of story. They're in both countries, but I think Apple want to be told it's illegal because they're U.S. headquartered, right? I think they want to be told by the US system that they're right. Meanwhile, everyone else in the US who is talking into a microphone is condemning the UK. And apparently we have been told that behind the scenes, there is communication with the British authorities and it is not saying well done. It is saying no, no, no, no, no, no, no. And what is, there was one other thing? There was a story leaked to the Washington Post, I think leaked. The Washington Post got their hand on something they weren't technically entitled to. And I think it was given to them, which basically said that the British actually told the Biden administration they were thinking of doing this, and the Biden administration went, grand, and we won't hold it as a violation of the Cloud Act. Which is, if that leak is accurate, if that leak is accurate, that is despicable in my opinion. That is either naivete or incompetence.
[56:07]If it's true. All right. Anything else on this topic then? This is as much as I am currently aware of. Goodness knows what else is going on, right? And I haven't refreshed my RSS reader since lunchtime and it's now 7 p.m. So goodness knows what I've missed. But that is my best understanding as of right now. All right. Well, that was fun. That was fun. Now, some patchy, patchy, patch, patch time. If you use OpenSSH, i.e. if you're one of the nerdier people listening to this show, you probably have some patching to do. This is doubly true. Okay, there are... Yeah, let me back up. I'm talking over myself here. Two bugs were found. One of them in the SSH server, which allows a remote attacker to crash your server. So if you have an SSH server on a web server or something that is visible on the internet, someone who doesn't like you could just keep taking your website down by sending a few naughty packets at your SSH port. So you do want to patch your web server, because otherwise you could be taken down. They can't steal your data, they can't do anything like that, but they can be really quite annoying and keep crashing your server. So you'd prefer that not to happen.
[57:27]If you are a user who connects to servers and you have changed your default SSH settings and you specifically enabled a feature where you could use DNS to verify the server keys, which is a way of adding extra security if your organization has those DNS entries, then you are vulnerable to an attacker-in-the-middle scenario where someone can stick a malicious server between you and the server you think you're connecting to, which should not be possible with key verification, and intercept all of your traffic. So thankfully it's only for non-default configurations. Okay. But I would say, hey, why not just patch yourself, right? If you have a Linux box or whatever, just whatever SSH client you have, if it says here's an update, the answer is please. So I have servers. You do, which have automatic updates. That I ostensibly run.
[58:30]But would you call it an SSH server? I mean, does that mean just a server that can be reached through SSH? Yes. Is that what you mean? If port 22 is available on the internet for you to connect to, then it is available on the internet for a naughty person to send the malicious packet and crash your server. And so that's called an SSH server when it's a server that accepts SSH traffic? Okay. So your client is the bit you run to try make connections and the server is the bit that receives connections and lets you actually talk to something. So it's a client server model. How do I know if my automatic updates took care of that little problem? Well, because we know that they are turned on and we also know that the update is out there for all the different versions of Linux. So unless you log in and there's a giant big warning saying we have been trying desperately to apply patches and we failed completely, if there's no giant big red Ooga warnings, you are good. Okay, good, because it's all about me. Absolutely, and I knew you were going to ask. I meant theoretically, somebody might have a web server. That's what I really meant.
[59:37]Another thing one should be aware of is users of Parallels, which is a very nice Mac app for virtualization windows and stuff. There is a known pretty nasty vulnerability, which is as of yet unpatched. So it's in that really dangerous phase where it's known, but there is no patch. So we expect a patch any day. And so the chances are very high that if you run Parallels, it's about to offer you an update. The answer is yes. In the meantime, you can still use Parallels if you're a little bit careful. And the thing to be careful about is making a new VM. Because there's a vulnerability in the way in which new VMs install their operating system that would allow a process on your Mac that doesn't have administrative access to steal it. So this is a case of where you're a little bit hacked because there's something running on your computer that's not yours, but it's currently contained by macOS's many, many layers of security. It's broken through the moat, but hasn't yet got into the keep. But this vulnerability lets it get root access so this would turn a bad day terribly bad.
[1:00:52]And having root access in this case, this thing, its goal is to be able to be root on your VM? No, it's root on your computer. That's why this is scary. So they don't get into the VM. They get to take over your entire computer because you happened to be creating a VM. But I thought it had to already be present on the Mac. Yes, but not root access. So it's an escalation of privilege. So it doesn't have root access yet on your Mac. You've downloaded an app. It can't run as you, right? If you download a malicious app, the only thing it can do is be you. It can't become root unless it finds a second vulnerability. This is one of those. And it's the vulnerability in Parallels that is somehow giving it root access to your Mac. Yes, correct. Oh, that's weird. Well, it's privilege escalation, right? That's a thing that happens. Basically, Parallels has very deep access to the kernel. So Parallels is a privileged app. And so the bug lets the non-privileged process piggyback to privilege.
[1:01:51]Okay, that makes sense. Yes. Now, that is everything under action alerts, which isn't too bad. Then again, it's before Patch Tuesday. It won't be next time, so imagine we'll have some stuff to talk about next time. Moving on to worthy warnings, and there's a story here that sets off my "Allison might get cranky if I include this" radar. It's a data breach, it's in America, it affects 3.3 million people, and they don't appear to have notified the potential victims, which to me sounds like the vast majority of working-age Americans. So it's definitely not a good news story. This is a company that does background drug testing for potential and actual employees. So if you work for a company that requires you to do a drug test periodically, it could well be this company, DISA, and they just lost all their data and they're not being particularly proactive about telling people. Yeah. Link in show notes. I'll leave it at that. Link in show notes. People can decide if they need to dig deeper.
[1:03:01]Another thing you should be aware of is there is currently a weakness in a legitimate PayPal feature that allows attackers to send more believable than it should be phishing emails that come from a genuine PayPal address. And this was actually spotted by our own listeners over on the Slack, podfeet.com forward slash slack, where they started receiving these messages. And if you look at the mail headers, these emails pass DKIM and SPF, which are the mechanisms for cryptographically verifying the authenticity of an email. These are emails from PayPal servers. They are nonetheless horse poop. They are lies and phishing, and they are possible because there's a legitimate feature to allow you to try to trigger an email change, and it doesn't validate the content of the email field. So you can literally put in the email address you want to get warned and a giant big essay, and this silly data backend that's supposed to receive this form will never check the length of the data, send the email, and end up including all the extra information in the body of the email. It's ridiculous that they have a web service this vulnerable.
[1:04:18]And it's still there after an hour, let alone after a week. But, you know, the Bleeping Computer article came out explaining how it works days after the NosillaCastaways started getting these emails. That's not a good reflection on PayPal. Yeah. Anyway. So, you know what you should do? If you get an email from basically anybody that's going to require you to log into any kind of account whatsoever, you do not click that link. No matter if it's the mail that you get every single month from your bank telling you that your credit card bill is due, you go over to that website or you open 1Password directly and you right click and you say open and fill directly from there or type in the name. You do not ever, ever, ever, ever, ever click a link that requires you to log into anything ever, ever. Correct. And that provides you protection from silliness by companies and from something called business email compromise, which is the single most effective way to defraud people of hundreds of thousands of dollars. You hack someone's email, watch for normal and then fake the normal.
[1:05:26]I feel like we might be making a little bit of progress. I think I've mentioned on the show before that I have some friends who are highly intelligent, highly educated, really important jobs, and the most computer illiterate people I've ever met. I mean, it wasn't that long ago that when I went to their house, I couldn't get online, and they said, oh, yeah, we turn the internet off when we're not using it. That is literally how unsophisticated users they are. I was talking to the husband the other day, and he's considering switching to the Mac, and he had a lot of questions. And one of his first questions was, okay, what kind of antivirus do I get? I said, you don't need an antivirus. We went around, around, around, but he was adamant that, you know, I run my antivirus every single day, da, da, da. So I talked him out of that, and then he said, okay, so how does it tell me when I need to update my computer? Because I always say yes to those updates. I'm like, good on you, great. Good, good. And then I started talking about his password hygiene, and I'd forgotten that I had convinced them that every password needed to be different. And then on my last visit to them, I had convinced them to use one password. And he's like, no, every password's different. Man, that one you made us put on our email, boy, is that thing long.
[1:06:34]And I mean, I remember when it was like six digits and it was the same password they used everywhere. They were doing it all right. But he asked all of the right questions. And this is a guy that just like the level of cluelessness on this particular topic is as close to zero as you can get. And like I said, highly educated, very, very intelligent man with a really important job. This just isn't on his radar, but we've gotten through to at least these people.
[1:07:01]That does tell us there's change in the air. It's obviously a conversation. I imagine within his peer group, there are people with horror stories.
[1:07:09]That focuses minds. Oh, I started talking about not clicking links in emails. He goes, oh, you mean phishing? Wow. How do you know that? How do you know that? But good. Excellent. Excellent. Another thing to be aware of, it's a new development attackers are liking to use. So there are a lot of messaging apps which make it both secure and convenient to link another device to your account.
[1:07:36]Signal does this, where basically if you want to use Signal on another device, you can't just log in. You actually have to, you install the app, it shows a QR code, and you scan that from your authorized phone, and that then authorizes your computer. What attackers are now doing in phishing emails is they're taking that QR code that they're presented, they're repackaging it in a phishing email and tricking you into scanning it on the basis that you are verifying that they really are the bank or whatever. And from that point on, they now have access to every single message you send or receive, so they can watch everything you're doing, which may be what they're trying to do, or it may be enough to give them the information to do an extremely effective follow-on attack, depending whether it's espionage or some sort of compromise they're trying to achieve. But you want to be very careful about ever scanning a QR code in a messaging app. So the actual story in the show notes is Signal, but a few weeks ago there was similar stuff happening with WhatsApp, which is from Meta and is a major, major... I mean, that's so popular, particularly outside the US. So in any messenger that uses QR codes, only ever scan them if you are signing in to another computer that moment, intentionally. Never, ever, ever scan a QR code from these apps otherwise.
[1:09:00]Okay, and then the last story was one of those ones that initially made for a really fascinating Security Now podcast episode, and I was like, well, I don't have to talk about this on Allison's show because this can't possibly meet Allison's criteria. And then as Steve explained more and more and more about exactly what this hack is and exactly how bad it is, I realized that I actually do want to give our listeners a heads up. If you are in... this company is very active in America, so I think the damage here is limited to the United States. If you are in a shared building, so some sort of an apartment block or a condominium or something, where you have a building manager and there's a centralized door access system that you use to get into your specific apartment and so forth, have a look at the brand name on the various panels on your doors. If that brand name says Mesh by Viscount, you need to have a conversation with your building managers to make absolutely sure that they are not one of the 49,000 such buildings in America today on the public internet where full administrative access is available with the username Viscount and the password Freedom. They can unlock any door. Jeez. And the first thing the app says when you log in with those credentials is the address of the building.
[1:10:26]So check your panel. If it says Mesh by Viscount, check. Wait a minute, if they all have the same username and password, how does it know which building you're at? Oh, because, I'm sorry, you scan... you could search for the... there's a specific title on their login page, and when you search for it, you find 49,000 different websites that are answering, and in each of those websites you could log in with those same default credentials. Oh, I got you. It's not the one you're standing in front of, it's, hey, there's one. Yeah. I think I'll go unlock that door. Yeah. Wow. Yeah. And normally when this kind of thing happens, it's very hard to know. Well, I have an IP address. I have full administrative access and I can unlock apartment 15, but it could be here. It could be in Timbuktu. But because the first thing on the interface is the building it matches, it's not hard for attackers to start to get clever here.
[1:11:16]So this is just spectacularly bad. And the company's reaction is catastrophic. I think we've gotten a little far from one of the original rules we had with Security Bits, is you're only allowed to tell us about something we can do something about. This is a very clear, here's what you can do about it. That is true. If you've got one of those door access controls, if it says Viscount, here's what you got to do. Yeah, yeah. And if you don't, and you just want to hear how the worst possible security can be done, the episode of Security Now is hilarious in a schadenfreude kind of way, because however terrible you think it could be, it's worse, and Steve relishes telling the tale of how awful this is. It's train wreck, but fascinating.
[1:12:03]Okay, notable news then. Again, these are ordered from bad news to good news, so we get to pick up in a moment. But before we get to pick up, we talked recently about Have I Been Pwned developing a new feature where they have become capable of adequately responding to a new type of data breach that didn't used to exist. So when Have I Been Pwned was designed, it was based around the idea that a data breach is in a website.
[1:12:32]PayPal loses your data. LinkedIn loses your data. So all you need to know to know where your problem is is the name of the breach. You know, they send you a notification, you have been caught up in the PayPal breach from blah-de-blah date. Well, you know exactly what password you have to change. It's your password on PayPal. But with a stealer log, what's happened is malware has been sitting on victims' computers, capturing all their usernames and passwords, sending them back to a server controlled by the attackers, and the attackers have lost or sold that database. So it's one data breach, but being told you're included in the stealer logs doesn't tell you which password, because you never had a password to the baddies. You had passwords to goodness knows where. And so the structure of Have I Been Pwned couldn't handle the fact that one breach could be to many websites. So Troy Hunt redid his whole back end and added a whole bunch of new functionality.
[1:13:33]And just in time, because the functionality has been released and he had a stealer log with billions of username and password combinations. So now... Just billions? 23 billion. Yeah, I'd forgotten exactly how many billion. I was desperately scanning my show notes. So now if you own an email address, you can for free say, what breaches am I involved in? And if you're caught in a stealer breach, it won't just tell you you're in the stealer breach, it will also tell you which of your passwords were included in that stealer breach. So you can now actually break it down and say, well, actually, you were caught up in the stealer breach and they have your Netflix, your YouTube, whatever.
[1:14:15]And if you... how do you get to those? That's all from Have I Been Pwned? Yes. So if you do what you've always done on Have I Been Pwned and use the feature to check your own email address, you will now have more information in the answer. So you're now going to get richer information back. If you're the owner of a website, sorry, a web domain, if you own your own email domain and you have verified your ownership, when you ask for a report on everyone on your domain, that also has now been enriched with this information. And brand new, if you own a web service, you can also query all the breaches against you. So if you're Netflix, you can proactively ask Have I Been Pwned which of my users have, unknown to them, been caught up in one of these breaches, and then we as Netflix can tell them they have to reset their Netflix password.
[1:15:05]Okay. I'm looking and it looks just like it was before. I just see a list of, they always say, oh no, you were pwned. And it's every place that obviously I've changed my Adobe password since 2013 when they told me about it, but it's still, it holds them all. But I don't see anything different about. You may not be in the stealer logs. How to get richer data. No, I don't think you have to do anything. I think if they had stealer log data, you would see it in that report. Okay, maybe it's down towards the bottom. Well, I don't think you have any, because this would mean that you had malware on your computer spying on you. I don't think you fall into that category. I see. Okay. I like one of the lines in the link you gave to TroyHunt.com. He said, he posted a screenshot of a Twitter message he wrote that says, how do people end up in stealer logs? By doing dumb stuff like this. Quote, around October, I downloaded a pirated version of Adobe AE, and after that, my Trojan got into my PC.
[1:16:14]Yep. I don't know how it happened. Theft opens you up to other thieves. Imagine that. Right. Okay. So what do we have next? Yeah, so there's a story which doesn't quite deserve a fire extinguisher. We might need a category for it. It's not really a fire, but it is not nothing. Security researchers have discovered a very clever technique to hijack Apple's Find My network to track any arbitrary Bluetooth device, but the amount of computation they have to do, because they have to reverse engineer a key to match the actual MAC address they want to track, because they can't change how the MAC address behaves. And so they have to do an insane amount of math involving vast clusters of graphics cards and stuff to retroactively build a key, which they can then add to the Find My network as the input to the cryptography, knowing the output of the cryptography will be the MAC address they want to track. So the practicality of this attack is extremely low. Hypothetically... So that's all just to get to one MAC address. One device. One device, exactly. So unless you are so high value that it's worth spending hundreds of thousands of dollars of compute time, it is not worth someone to go after you.
[1:17:44]Do I remember correctly, maybe I'm mixing up two things, but I thought there was a way, like maybe it even defaulted to this, that your MAC address would change all the time?
[1:17:53]It does. And so what this attack does is it arranges in such a way that they can make your MAC address be the answer to a key at all points in time. So they know how often it cycles, and they pre-calculate the different cycles. And so they add your device to the network many times so that all of the keys will map back to them. So the network thinks you're cycling.
[1:18:14]But you're still being tracked, because each... basically you end up matching something at all times, but the network thinks you're a different something. Okay. Oh, it's amazing math, right? It's... regular folk, yeah, worry about this, and even, even fancy-pants folk might not need to worry about this. No, this is academic, hypothetical. What's noteworthy about it is it's very hard to fix, because it means every single Find My device is going to need a firmware update. So realistically, this is a five-year problem for Apple to fix. So the fact that it's now computationally completely, totally and utterly infeasible means Apple have a couple of years' time before it becomes feasible to deal with this, but it is something they're going to have to deal with. Maybe close that hole on future deliveries. Yeah, so that might be like Find My protocol version 2.0 coming out in five years' time or something, right? But yeah, so that's the kind of timescale we're dealing with here. And it's important that Apple know about this, and it's important the research was done, but it's not a panic, not a problem. And you may have heard hyperbolic news reports, because you could track any Bluetooth device, and if you never read beyond that in the journal paper.
[1:19:28]You won't get all the caveats. Right. So, okay, now we switch channels here. Apple have announced some nice improvements to their child protection features. And their child protection features are not new, but they have been criticized for being... they haven't changed much in the last couple of years. They were ahead of the curve 10 years ago, and then they sort of rested on their laurels, and now they're getting some critique for, maybe you might want to update those features a bit. Anyway, someone's been listening. There are a bunch of improvements coming. So the first thing that's happening is the ratings in the App Store are being, they're made more fine grain. So at the moment, you only have four age categories for the whole of the App Store. And the actual meaning of 16 plus isn't very clearly defined. It's just, well, 16 plus, it means whatever you'd like it to mean. But what they're doing is they're changing it to five categories. And there is a one paragraph description of what it actually means. So for over 13s, it can be mild swearing and references to drugs. For under 13s, it can't be even a mention of drugs. They're all defined like that in these little one paragraph chunks of what it means.
[1:20:38]And so if you have an app for four years and below, it means that there can't be even a mention of gambling or a mention of drugs or a mention of anything like that, right? And it goes up from there. So that at least makes it easier for parents to make an informed decision about, well, how should I configure my child's iPhone? Like, what does it mean, 13 plus? So now you can actually calibrate that. The other thing they're doing is they're adding an API so that if you're the developer of what's called a reader app, right? So Apple have had a difficult time classifying, say, a book reader, right? If you imagine the Kindle app, that app at the moment, I think, has to be rated 17 plus because it's rated based on the worst possible book. There's a new API that will allow the app to be told a coarse-grained age for the child. And then the app can filter its store and therefore the app's entire rating can come down because the app will adapt to the child.
[1:21:41]Okay. Oh, that's cool. Yeah, it's very clever. And then the final thing that's happening is they're making it easier for a parent to configure all this by making the onboarding process for creating child accounts more straightforward. And so that means that the friction to enable the family features has gone down and hopefully more people will actually enable these functions because they are actually quite good. But you don't want to have a kid with a full Apple ID. You really want them having a managed Apple ID inside a family account under your control.
[1:22:15]Okay, that makes a lot more sense. Yeah. And the good folk at Mac Observer took the time to write a really nice guide to all of Apple's existing features, which is just kind of good to know because these improvements are nice, but they're improving on quite a lot of stuff this day already. So it's kind of nice of them to update their previous article to add some more detail so that's linked in the show notes and they also have good reporting on the changes so both of those are linked in the show notes.
[1:22:45]Cool. Meanwhile, AI continues to be a thing. And I continue to be of the belief that while it is true that AI is being used by attackers to make their attacks better, it's more effectively being used by defenders to make our defenses better. So when I have my day hat on, my work hat, I can see how much more effective our cybersecurity tools are because of AI. And we are winning the battle more than we were before AI, even though the AI has made the attackers a little bit better, which that's just cool that that's how it's proving out at the moment. But regular folk who don't have really expensive tools get to benefit as well. Chrome have enhanced their existing feature, which is called enhanced protection. So not only does it stop you going to known bad sites, it is now also using AI to recognize suspicious things that they don't already know about. So a tech support scam is going to look like a tech support scam, so now there's AI there to tell you, hey, this looks like a scam, be careful.
[1:23:52]Okay, so you're saying if you're on Chrome and all of a sudden you get these weird pop-ups telling you that, you know, your machine is infected, you don't notice it looks like a Windows box but you're on a Mac, whatever, it's going to detect that with AI and do... So instead of showing you the page, it's going to show you that. So if you're on Chrome at the moment and you go to a known bad site, it will put up a big thing that says, we've blocked you accessing this page because it's on this block list, click by this warning to browse anyway. Well, there's going to be a new version of those that says, we think that this page looks like a scam, are you sure you want to.
[1:24:29]Oh, that's nice. I like that. That's excellent. Yes, I'm pleased. Another nice thing, there's a cybersecurity company called Apirlo, I'm going to pronounce it, A-P-double-I-O-R-O. I have no idea how you pronounce two I's in a row.
[1:24:45]Apirlo. Yeah, they have taken some AI and they have trained it on malicious Git commits because their approach is actually kind of clever. So everything that's not malicious is straightforward.
[1:24:59]Hold up. So 98% of the audience is not listening to Programming by Stealth. Git is a version control system that we use in Programming by Stealth, allows you to make changes and pull changes and keep a running track of everything you've changed, and you can always get back to wherever you were. So a git commit is where, let's say right now, I'm working on the show notes, I'm going to collect some typos that Bart has done, I fix those, and I'm going to make a git commit to push that back up to GitHub. And this would scan that and say, you know, that's a known piece of malware, whatever I'm doing. Yeah, their approach is actually more clever. So instead of trying to figure out exactly what's going on, they're looking for any technique used to hide the true function of code. They're looking for any form of obfuscation, and the assumption is, if someone's trying to be sneaky, that should be flagged to you. Whether it's actually malicious or not, just being told this is sneaky is so valuable, and they have their AI very well trained for that much simpler question, right? So obfuscation is where you might take some JavaScript, Base64 encode it, and wrap it in an eval block, right? You don't know what it's doing, and you can't know it's definitely malware, but what is the legitimate reason for doing that?
[1:26:23]Yeah, okay. So it's nice. And what they've done is they've made this free. So the problem this solves is if you have a major open source project, you could have hundreds of contributors, right? There could be pull requests coming in with proposed changes from all over the world. The whole point of open source is community driven. And there are people whose job it is to review all of those changes. But that's tedious. If there's an AI tool that can tell you nothing weird, a little bit weird, very weird, you can make use of your volunteers so much more effectively if they're being told, focus your attention on these. So that's the purpose. Yeah, exactly. So it makes it better for a volunteer community to get value out of their community. Excellent. That is cool. That is cool. We should visit again Steve Matten on the show notes for programming by stealth.
[1:27:20]He's a champion at finding things we've messed up. That is very true, and we appreciate it greatly. He's a good proofreader. You're a good proofreader too, but two proofreaders is better than one. A lot gets past me.
[1:27:33]And then finally, we have a story which had the potential to maybe be bad news, but it has a giant big fire extinguisher next to it. There was a big kerfuffle over Firefox, and it's not even changing the terms of service. Firefox didn't have a terms of service. They're an open source project, and they were basically relying on, we're open source, you can see what we do, therefore we don't need the terms of service. And that's not the worst thing in the world, right? For a closed source app to have no terms of service would be bad. For an open source app, it is not unreasonable to say, well, we don't have to tell you what we're doing because if you're a coder, you can see. But it's actually better if you nail your colors to the mast and actually publish what you're doing in English or French or German, whatever language. And so they did. And their first attempt at wording up what they were doing was clumsy. And the internet lost its ever-loving mind, because if you take clumsy phrasing and you extrapolate it to the worst possible meaning that could conceivably match those words, you end up in a dystopian hellscape. And so the whole place exploded. Now, I looked at the original text and I was like, well, this is normal. Like, if you type into the Firefox search box, it does a search for you. The only way that's possible is if they have the right to use the stuff you entered to send it to a third party, because they're not a search engine. So Firefox couldn't work without having the right to send your data to somebody else.
[1:28:58]Anyway, they had a second go. They had a second attempt. The wording is the most explicit, the least lawyerly I have ever seen in the terms of service. They really, really went, OK, let's just use plain English here. It's very clear. This is not malicious. This is now a very nice terms of service. So good outcome. Yeah, they go out of the way to say, so we're going to do this if you tell us to specifically. It was really, you're right, sarcastically clear, which is awesome. Yes. Yeah. So on the whole, a good outcome. So yay. Good.
[1:29:35]We have a nice little tip from the folks at Cult of Mac. One of the cool features in our iPhones is how easy it is to securely, and I stress the word securely, share Wi-Fi passwords on the iPhone. It is such a joy when you have friends or family who are fellow iOS users to securely let them onto your network, and how that works is explained in this nice little top tip. Okay, I don't know that a top tip needed to be done for this, because if somebody comes in your house and tries to get on your Wi-Fi, a thing will come up on your phone saying, hey, do you want to share this? I know. That's what this tip is? I assume there are other mechanisms, right? You can have a QR code appear on your device and stuff, because that thing only shows up if you're in each other's iCloud contacts. So it works great among my family because we're all in each other's contacts, and so the phones offer the prompt. But when a visitor comes in, that doesn't happen, because I may not be in their iCloud. You're saying you have to be... oh. For the completely automatic, right? Be in their iCloud. What do you mean by be in their iCloud? Okay, so they have to be using Apple's address book with your Apple ID as one of the contacts in their address book. They have to be in the contacts. Each other's. It has to be mutual. Okay.
[1:30:53]Right, so you having them isn't enough. Both of your iPhones. And then you get that proactive do nothing in your face. Otherwise, you have to tap some buttons to make your phone show a QR code. So it's actually there's more to the tip than you realize. But yeah, in reality, I'm in my family's address book. They're in my address book. So when my mom and dad show up and we have a new whatever.
[1:31:14]Yeah, you're right. The phone does that. It says, hey, do you want to share this password? And go, yep, it works great. So I have to laugh at the way advertising works. Steve recently posted the video from CES of my interview with EcoFlow.
[1:31:30]The Cult of Mac, I can only see four lines of text, but I can see three ads for EcoFlow showing about 70 different EcoFlow products. I mean, I can barely find the text on this page. One little ad for VRBO and the rest of the page is all EcoFlow. It's comedic. Yeah, these things have gone... I have two excellent explainers, which by utter coincidence are mostly from Brian Krebs. He's been really busy writing his amazing security blog. So the first thing is that attackers have started to really focus on stealing your credit card using digital wallets. So it used to be that they could clone your card because America was really slow at chip and pin cards, and so you could just print a mag stripe and clone someone's credit card after you stole it from them, either by phishing or whatever. But that hole is finally closed, where even America is using chip and pin cards. So how do you steal money, right? You've got to do something new. So the new technique is a phishing website where you are tricked into trying to pay for something. So they now have your credit card details.
[1:32:43]Immediately in real time, they try to sign up to Apple Wallet or Google Pay or Samsung Pay, one of those wallety apps, and that will trigger the bank to ask you for a code. They proxy that to the victim in real time and say, hey, great, thanks for that, but we need to verify this payment you've just tried to make to us because we're pretending to be someone real. Your bank has just sent you a code to verify this transaction, enter it into our phishing page. At that point in time, they now have your credit card on their phone. They have stolen your credit card. And what they're doing is they are buying burner phones, really cheap phones, loading them with 100 cards and then selling those phones on the black market.
[1:33:34]The cyber criminals... The burner phone knows the credit card number? It has been enrolled. So fully enrolled in Apple Pay on 100 different cards. So when they double tap the side button, they get 100 credit cards to pick from. Oh, geez. And that's obviously valuable. So you sell that on the black market. And hey, presto, that is now the new way of selling cloned credit cards on a phone. The key being, if your bank starts to step you through the process of adding something to Apple Pay and you're just making a random web payment, run away. If a random web payment asks you for more than every other web payment you've ever made in the last year has asked you for, there's something very, very wrong, because they're all the same, right? Whatever your bank makes you do every day, they shouldn't be making you do more. Huh, okay. And how bad this is depends on the bank. So my bank is very explicit. They say, this PIN is to add your account ending in blah to an Apple Wallet. And so for me, it will be difficult to be tricked. But that's in the bank's control. And some of the banks apparently aren't as clear.
[1:34:52]Okay. So maybe it's not as bad for everybody. That's correct. Correct. What's the other one that Brian Krebs has? Oh, yeah. So this is half depressing. Brian Krebs is continuing to chronicle the negative effects on cybersecurity of the change in administration and the abrupt firings of everyone, which is not good in the United States. In the US. Yeah, and because cybersecurity is nowhere near as dramatic as some of the other stuff, it's being lost in the day-to-day news. So Brian Krebs cataloguing this stuff is valuable if depressing. Thankfully, there are still people in some of the offices doing actual work, and a US healthcare company has been successfully effectively fined $11 million for lying about their compliance with cybersecurity laws. So they were offering medical service to veterans. They were saying, we have been audited as complying with our minimum requirements. And they were lying. And they are now paying $11 million for lying. So yay.
[1:35:56]Yikes. I added an excellent explainer. Nosilla Castaway George Goucher posted a link in our Slack to the video recording of his presentation to the Silicon Valley Mac users group. It was when he did all about how to spot scam emails. So he brings up different scam emails and he goes through and he says, look at this, look at this, look at this. In a way, it's just sort of George enjoying raging at the idiots that keep trying to scam him. But while it was cathartic for him, it's a really good presentation. I think he did an excellent job. So I put a link to that video in the show notes. Excellent. I will enjoy watching that. That's a great way to turn your frustration into something productive. I'm wholly in favor.
[1:36:36]Great. All right. I think I have the first palate cleanser here. You do. I kind of went back and forth on whether or not to do this one, but the schadenfreude of this particular article was just so delightful.
[1:36:50]On Mastodon, Have I Been Pwned, again, sent this message out. It says, New Breach: the Flat Earth, Sun, Moon, and Zodiac app by Flat Earth Dave had 33,000 unique email addresses breached in October. Data include plain text passwords and users' latitude and longitude, their position on the globe. But the best part was 73% of these plain text email and passwords were already in Have I Been Pwned. So there is an overlap between the gullibility of being phished and being a flat earther. Yes, yes, so just schadenfreude, right? It made me laugh out loud. I'm not proud of myself, but you sent it to me and I actually laughed out loud, even though I was in public with headphones on. So I still laughed.
[1:37:40]I like it. Okay, I have another. Actually, you'll enjoy, actually, no, sorry, you did enjoy this. I think I already sent you this and you told me it was interesting. Um, The Changelog is a podcast I discovered because one of the Nosilla Castaways pointed it, pointed me at it on the NosillaCast Slack years and years and years ago, and I dip in. I don't listen to every episode, but I check every subject every week to see if I want to listen. And this one was about software development, open source, and programming with LLMs. And it was with a guy who is literally an expert on not just large language models, but in specific, how you apply large language models to coding like VS Code. And I learned so much about why LLMs are so amazingly good at helping you code, because I've recently upgraded to an M-series Mac in work, and I am now a full-on user of GitHub Copilot. And my socks are continuously being blown off by how amazing this Copilot is. And it's not replacing me. It's not leading me. It is following me. It is, I am setting the lead. Yeah. You type for I equals, and it just goes, I got you. And it types in the rest of what you probably want to do. And if you adjust it a little bit, it goes, oh, my bad. Let me do the rest of that for you. So just, it stops a lot of repetitive typing that you know what you're going to write.
[1:39:06]It just puts it right there. Or if you've got three variables, A, B, and C, and you write something for A, it goes, yeah, you want to do that to B and C? OK, good, got you.
[1:39:15]It's just faster. It's faster. And if you're a consistent coder, it is telepathic. So I was describing it to a colleague that it knows not just what I want to do, but what I want to do.
[1:39:28]It was getting my comments in my voice. But I found out why. So a normal LLM's job is to finish the sentence. Its job is to append. So its history is everything that's come before, and it predicts the next word. The LLMs used in coders are trained differently. Their job is to make the most useful insertion. They have the full context before and after.
[1:39:54]And therefore, when you are a consistent coder, they know everything. And when you try to make a new variable, they know exactly your commenting side and everything, because they've seen ahead and behind you, and they just give you the most likely filler bit in the middle. It is shockingly good because it has all that context. I have a confession. One of the things we're supposed to put in our code, according to Bart, is called JS docs. And if you put in these comments that are called JS docs, it automatically creates documentation for the library that you're building. And I do not understand it. I do not know when it's a parameter, when it's whether the squiggly bracket, I don't understand it. So you know what I do now? I copy the code that I just wrote and I just say, make some JS docs. Or it'll say, your JS docs are missing. And it goes, and I go, yeah, okay, write them. Because the chances of it being a right, correct, are much higher than if I write it myself. They could be horsepucky. I don't know. But it doesn't matter because it's better than what I'm writing. I mean, we always say that the only thing worse than bad comments is no comments. So what if they're not perfect? They're still better than nothing. That are still going to be helpful to future you three years from now when you're looking back. I can tell if it's completely wrong, but it's much better. Yeah, that's amazing. Yeah, so that changed a lot.
[1:41:12]Yeah, it was a really interesting interview. It did go on a little bit long. I didn't make it all the way to the end, but I got the gist of that insertion thing you were just talking about, and that was really terrific. Yeah. Okay, well... All right, well, we managed to milk this for an hour, Bart. Yeah, I'm just terrible. You say to me, it's a little long, short, and I go, not at all. Light lift today, not much going on. Yeah, and it's an hour's worth. Anyway, so far, people enjoy listening, so yay. But of course, folks, you know, assuming you listen to the end, you know what I'm going to say. Until next time, stay patched so you stay secure.
[1:41:47]Well, that's going to wind us up for this week. Did you know you can email me at allison at podfeet.com anytime you like? A lot of you do, and I love getting email from you. It's a lot of fun. If you have a question or a suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube, just go on over to podfeet.com slash YouTube. If you want to join in the conversation, you can join our Slack community by going to podfeet.com slash Slack. And there you can talk to me and all of the other lovely Nosilla Castaways. You can support the show by going to podfeet.com slash Patreon or with a one-time donation at podfeet.com slash donate. Or you can buy me a coffee like David did with Apple Pay or any credit card for that matter. Or you can go to podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic Nosilla Castaways.
[1:42:44]Music.
