 Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, February 4th, 2024, and this is show number 978. We have not one, but two Chit Chat Across the Ponds this week, and they sort of sound related and in a way they are. The first one is a stretch to the word Lite for Chit Chat Across the Pond. I kind of call it more like a crossover episode of Chit Chat Across the Pond Lite and Programming By Stealth. Helma van der Linden joins me to tell the story of how she has successfully started the new version of Bart's fabulous XKPasswd password generation service to move to JavaScript. You see, xkpasswd.net was written in Perl ages ago, and it depends on very old and outdated libraries. Bart spent many months teaching the Programming By Stealth students the tools that we and he would need in order to port the code over to JavaScript. His plan all along was to have the students help him make the new version of XKPasswd a reality. It turns out that Helma is an extraordinary student and has done most of the work to make it a minimal viable product already, all without Bart's help. In the conversation that we have in Chit Chat Across the Pond, we'll talk about how she did this without, and we try not to get too nerdy. It's some nerdy, but not too nerdy. If you'd like to give the very beta version of the new tool a try without knowing any coding at all, I have a link in the show notes to it, and in a few days Bart is gonna have it up in a very nice URL. It will be at beta.xkpasswd.net. So perhaps by the time you see this, you'll be able to try out the beta. Now the beta version is not feature complete, but it does allow you to create between one and 10 passwords that use the default preset from the original XKPasswd. 
You can't choose different presets yet, and you can't make customized passwords, but at least it does create long, strong, memorable and typeable passwords, and it's really pretty. At the end of this episode, we put out the call for others to come help work on the code. We have a GitHub repo, and there's a link in the show notes to that. If you have or create a GitHub account, you can contribute to the project. If you don't have programming skills, but you do have feature requests, that counts as contributing if you use the issues tab for the GitHub project to post your feature request. Helma is great fun, and we had a blast talking about what she's accomplished, so I think you'll enjoy the conversation no matter how nerdy you might be. In our second Chit Chat Across the Pond, it's a traditional Programming By Stealth, and Bart Busschots teaches us how to use jq as a programming language this time. Before we get into the new stuff, Bart takes us through his solution to the challenge, and I have to say I was pretty chuffed when he said that my solution to the extra credit portion was more elegant than his. To be fair, it did take a buddy programming session with him for me to get the first part of the challenge figured out, but I excelled at the extra credit. When we get into the programming language part of the lesson, there were so many times that I said, oh man, I needed to know this last week. But I think finding out these options are available after understanding the problems they solve was a fantastic way to do it. We learned how to run jq filters from files, which means no more looking at our filters all this big long giant command all in one line. We can put in line feeds and indents in our filters. We can even make comments to make them more readable. We can, let's see, Bart tells us about a couple of handy plugins for VS Code that give us syntax highlighting and that's gonna be swell. 
My favorite thing I learned though was how to add debugging to our filters. This one is a life changer. We explore a few functions for going, looking at data filters that will also make our life easier. We wrap up with an introduction to jq variables, which it's really pretty funny. The developers of jq really don't want you to use variables. It's very begrudging that they let you know about the ones that they do have. Anyway, you can find this episode of Chit Chat Across the Pond and the previous one in your podcatcher of choice. This one, you can find it under Programming By Stealth as well as under Chit Chat Across the Pond. The first one, Chit Chat Across the Pond Lite. Probably that's confusing, who named all this stuff? All right, let's get started and listen to one of the interviews from CES. I have a Cricut at home, which it's hard to explain what it is, but my new friend Natasha Adorably is gonna tell us all about what a Cricut is. I do wanna say that my daughter and daughter-in-law are both amazing at all the crazy things. My friend Pat does all these crazy things and I gotta admit, I've done like a T-shirt and I've got my own logo on my car and I haven't done much else. But Natasha's gonna explain to us what a Cricut is and then about their newest product. Awesome, so a Cricut is a smart cutting machine and we have lots of different models depending on what you wanna make, but you can cut everything from vinyl, from stickers, from iron on, so you can really personalize and make anything. I know that sounds crazy, but you mentioned your car decals, you can make car decals, tumbler decals, personalized birthday cards. This is great for events like bachelorette parties, birthday parties, anything you can think of in your mind, you can go from idea to I did it. I think of it as, it's like a printer, but it's gonna cut and it's gonna print and it's gonna make things more than a printer does. 
Correct, instead of ink, we have different types of blades that can score, that can cut different types of materials so that you can put it together and make something really personalized. Right, right, but it can also print. It doesn't? A pen, pen inking. Yes, it can take pens, markers so you can personalize and write. You can also take inkjet, or like if you wanna make full colored stickers, you can use your inkjet printer and we have different materials so you can make waterproof stickers. Oh wow, that's cool. So the unit that I have is pretty big, it's maybe 18 inches across, it's pretty big, pretty hefty to pick out, but today you're talking about the Cricut Joy Xtra, correct? Yes, Cricut Joy Xtra is the newest smart cutting machine that we have launched. I love this machine, I love them all, but this one is just so practical because you can cut over 200 materials on this machine and it's tiny. Describe how big that is, it's like a loaf of bread, maybe. This is eight and a half inches wide so it fits your standard copy paper or that type of size of paper, but what I love about it is how portable it is. You can see I'm holding it with one hand so when I need to make something and I maybe don't have a craft room, I just have a kitchen table, I can pull this out, whip up whatever I need to make and then put it away because it's such a nice size and you can still make big things if I wanted to make a big t-shirt, a de-covered t-shirt, you can still make really great things at this machine. You might not make a wall poster with it, but that's not what we're really making most of the time, right? So the Cricut Xtra, it's X-T-R-A, correct? X-T-R-A, that's right. And what's your price point on this? This is $1.99. Oh wow, so it's a really affordable entry point as well. I like that. Now, I'm gonna say what Cheetah and Natasha doesn't want me to say is it's addictive. 
I mean, I've got, I don't actually use mine very much like I said, but I have all of these cool little tools. I've got things to score the paper and to bend the paper and little things to pick the stickers apart and it's so fun, all the little accessories. So you call it therapeutic. Yeah, oh yeah, yeah, yeah, yeah, yeah. My grandson actually likes to be the picker. He likes to sit there and pick it off. It's fun. He really enjoys it. Yeah, it's just fun. So it's a fun process and at the same time you're coming out with really professional results and it's a fun process. Very, very cool. So this is the Cricut Xtra, sorry, Cricut Joy Xtra. It's gonna get it right yet. And is this available today? And it's available today. You can go on Cricut.com. You can find us at most major retailers like Walmart and Target, Michaels and Joann. So really accessible. Oh yeah, don't go to Joann's or Michaels. Just don't do it. You walk in and just like, I need all of this stuff. It tells you what you need. Yeah, yeah, yeah. The box is all the accessories. It's such a fun store. So Cricut, for anybody who doesn't already know it's spelled C-R-I-C-U-T. That's great. All right, thank you very much, Natasha. This is great. Yeah. Well, you know I love home automation. So when we interviewed LiftMaster, which is a Chamberlain company at CES in 2020 about their MyQ Homebridge Hub with HomeKit for garage doors, we had to jump on it. We had a LiftMaster garage door opener already so we purchased the MyQ Homebridge Hub just to get HomeKit compatibility. Eventually they started selling a garage door opener that included it, the MyQ Homebridge internally, but we purposely bought this Homebridge Hub just to get this HomeKit compatibility. And many of the home automation devices that I've bought are in the life-changing category, but having a smart garage door opener doesn't really quite make that cut for me. It's nice, but it's not life-changing. 
It's nice that it gives us alerts if we've left it open for too long and I like to get an alert on my phone when Steve comes home with coffee so Tesla and I can greet him at the door. When I'm coming home from my walk, I often decide to use my leaf blower to blow off the driveway. It's tedious to walk into the house and then turn around and just go back out the garage to open it. I named our garage door Sesame and I love to say, hey, S lady, open Sesame. I know that's silly, but I got the idea after Bart named his automations for his Christmas tree lights, Merry Christmas to turn them on and Bah Humbug to turn them off. Now I did have someone ask me after they saw the article I wrote on this subject, they said, why didn't you name it Open the Pod Bay Doors? I'll tell you why. It's because Pat Dengler already did that so I had to choose something else. Anyway, one day in December, I asked the S lady to open Sesame and nothing happened. I opened HomeKit on my phone and Sesame was grayed out. I was annoyed, but it wasn't the first time something got wonky with HomeKit because wonky is pretty much HomeKit's middle name. I sighed and I procrastinated for a few days about trying to figure out what was wrong with Sesame. And then I heard on several podcasts that this Chamberlain group had purposely disabled HomeKit, Home Assistant and other third-party apps in their MyQ Assistant. According to sources like 9to5Mac, the purpose of disabling HomeKit access was to make us use the MyQ app so we would have to see their ads. I don't know if that's their motivation but it's a logical supposition. I personally think this is unconscionable. The entire purpose for the MyQ Homebridge that I bought was to buy this capability and they summarily disabled the one thing this device does. I certainly wouldn't buy another product from LiftMaster or Chamberlain and I'd never recommend them to anyone after this. 
I started pursuing alternatives to MyQ and I quickly found the Meross Smart Garage Door Opener remote control MSG100. I'm a big fan of Meross, as you probably know, especially their inexpensive outlet switches. So they were my first choice. However, in digging through the user manual for the Meross opener, which by the way is really hard to find, I saw the door open-close sensors and they look very small. We had a bad experience with extreme fiddliness years ago trying to place small sensors from Wyze on our garage door so we weren't excited about this Meross design. I have also started to hear from some listeners about intermittent problems with their Meross devices. I've had good success with the switches but you know, so it's not enough to make me turn away from Meross but I knew I would never be able to convince Steve to deal with even potentially fiddly sensors on the garage door. Pat Dengler, who I mentioned earlier, who's a good friend and Apple certified consultant, she found another option called Tailwind IQ3 Pro from gotailwind.com and that promised to bring HomeKit compatibility to existing garage door openers for only $90. She bought a Tailwind IQ3 Pro and Steve agreed to help her install it. Now my motivation in encouraging this collaboration was that if Steve could see how it worked and understood the complexity of the installation, maybe we could have one too. Luckily, the installation at Pat's house was a success and Steve bought one for our home. I'm not gonna go through all of the nitty gritty of how to figure out which Tailwind IQ3 is compatible with your garage door or even the details of how to do the installation. The first reason is it's a bit complex to figure out which one to buy and they have really good instructions online and they have a great installation video. So let's talk though about the parts and about how it works because it's really rather clever. In the box you get several separate parts. 
Garage doors usually run on a track shaped like a J. The Tailwind IQ3 comes with a sensor that easily mounts to the J-track. You simply squeeze it on and then tighten a little screw. With the garage door closed, you align a magnet on another bracket right across from the sensor. The magnet is on a big metal plate that you double back tape to the door. The sensor magnet arrangement is what will tell the IQ3 whether the door is open or closed and the alignment is very forgiving because these pieces are really big so it's not hard at all. Now let's talk about the controller. This is a small black box with a surprisingly delightful velvety interface surface. You know, like you would, you'd really like to hold this in your hand except it's just gonna be stuck in your garage door covered with spiders and everything. I don't know why they made it so nice. But anyway, this controller may or may not end up being plugged into your existing garage door depending on what you have. When you buy the Tailwind IQ3, you get asked two odd questions. They ask you whether you have a little yellow learn button on your existing Chamberlain or LiftMaster or Craftsman opener. The answer was yes for us. We do have a yellow learn button. If you have a genie overhead door opener, you get a different question. Now I promise not to get too nitty gritty but that little detail about the yellow button made a huge difference in the way the controller worked and how easy the installation turned out to be. If you do have a yellow learn button as we do, when they ship the IQ3 to you, they include a little remote. You know what old people like me call a clicker. Anyway, it's a more elegant version of the remotes you get with your normal garage door opener. The printed instructions tell you to download the Tailwind Smart app from the App Store and it walks you through every step of the way in setting up your Tailwind IQ3. I mean, really, really good instructions. 
The one tricky bit of the installation is that you have to connect a couple of wires from this little remote to the controller. I'd seen this done, you know, connecting wires like this before but I hadn't actually ever done it myself because I have a pocket electrical engineer in the house. You simply twist the wire ends together and then you screw on what's called a wire nut. With Steve as my supervisor, he made sure I did the initial twist in the clockwise direction so the wire nut would be tightening the twist, not unfurling it. We're now done with the electrician portion of our story. It was easy enough, I think even Bodie Grimm could pull this off. I'm awfully far into the story and I haven't explained how this controller, clicker, sensor and magnet contraption is actually going to work. You use the learn button on the existing garage door opener to teach the garage door to recognize the code sent by the clicker remote to open and close the door. This is just like you would teach any new normal remote or your car's built-in system so that it'll know the code. Just as a test, we made sure that both of our cars could still open the garage door after we taught it to learn about the Tailwind remote. Once that 15 second procedure is complete, the Tailwind app you've been following along with helps you connect the IQ3 controller to your Wi-Fi network. It tells you to use 2.4 gigahertz, but it negotiated our Eero mesh network with a combined five and 2.4 gigahertz network without any issues. We didn't have to disable five gigahertz or any of that nonsense. It just connected just fine. Now at this point, the controller's on our Wi-Fi, the remote clicker knows the codes to send to the garage door and the controller is connected to the sensor magnet set up via cable harness so it knows when the garage door is open or closed. None of this ever gets connected to the garage door opener, at least for those of us with a yellow learn button. 
Seriously, none of this is connected, it's nowhere near, doesn't have to connect to it. So next it tells you to go outside into the driveway with your phone and the app running and it gets your geolocation and you adjust as necessary to get your exact address. I presume that this allows the IQ3 to know when you arrive home and it'll open the garage door for you if you'd like to have that set up. I've not quite gotten my nerve to allow something like that because I picture somebody stealing my purse with my phone in it, which means they can drive my car and then they have my license with my address on it and now they can drive to my house and the garage door will open for them. I guess if they have my phone, my front door will open for them without needing my car, but hey, well anyway. Here's where my genius came into play in this whole plot. The instructions say to mount the controller to the garage door opener with double back tape and then run the very long but thin cable across the ceiling to the edge of the door and then around the door and down to the J-track mounted sensor. But it occurred to me that since we had to have the little clicker and our controller never gets plugged into the garage door opener at all, why did we need to mount it up in the ceiling and run that long cable? All the controller needs is power and we happen to have an outlet right next to where we wanted to mount the sensor to the J-track. Since we didn't need to run the wire for that long distance, we probably could have cut the long wire and spliced it to be a lot shorter. Instead, Steve just put a hook into the wall and hung the still-coiled wire and the clicker onto the hook. Then he mounted the controller to the wall right next to it and plugged it into power. The next step was to add the device to HomeKit. Within the Tailwind app, if you tap enough buttons in the right order, you come to a screen with the HomeKit code on it. 
In HomeKit, we tried to add the device by typing in the code, but it didn't work. Then Steve remembered that Pat had to do a firmware update to the Tailwind IQ3 before HomeKit worked. Using the Tailwind app, he asked for a firmware update and it said, I'm already up to date. But here's the weird thing. After asking for the firmware update that we didn't need, the device showed up in HomeKit when we asked it to add a device. So maybe you just have to tickle the firmware update screen. That's all that's required. I don't know. So Steve was the point person on this installation so he created an account at Tailwind to control the door. In his app, we found a way for him to share the garage door opener with me. This sent me an email, an invite via email, and then I can use the Tailwind app to control the door. However, as a shared user, I didn't have the ability to change any of the settings on the door. Worked fine and if you're sharing your door with a neighbor or a friend or anyone else you don't want messing things up, that's a great way to go. However, I logged out and logged into Steve's account so I have full control too. Now, my focus has been on HomeKit compatibility but let me read you the Tailwind IQ3 compatibility statement. Works with Apple HomeKit, I'm gonna say the S lady, CarPlay via HomeKit, Android Auto, Google Home, the Google Assistant, Alexa, SmartThings, IFTTT, Home Assistant, Hubitat, Crestron, Control4, and a local control API allowing to create your own integrations. More integrations are coming soon. Yes, while others are reducing interoperability, we are adding it. They threw a little shade on the people at Chamberlain there, didn't they? While the Tailwind IQ3 fits into the category of like a hack, it's a hack in the good sense of the word. It's not using any janky technology, it's using our home's Wi-Fi and the built-in capability of the door opener to teach your remote to open the garage and it's all done with HomeKit blessing. 
I should mention that the Tailwind IQ3 can manage up to three doors with the same controller. So if you have multiple garages or maybe a gate in front of your garage, Tailwind has your back. I give a John F. Braun level fist shake to Chamberlain and a hooray to Tailwind for bringing back HomeKit to my garage so I can say open sesame again. At the end of the, in the article, I'll leave you with Pat Dengler's affiliate link which will give you 5% off your purchase at Tailwind. If you like to ski, you know, it's really hard to find time to get up to the mountains or maybe you don't live where it snows, perhaps you'd like to talk to the people at Skwheel who have something really exciting for the people who like to ski. I'm talking to Joseph Daherell here from Skwheel. What is this product we're looking at here? Thank you. Yeah, it's the world's first all-terrain electric ski. So it's born from a passion for skiing and engineering expertise and we spent like the last five years to developing a project that redefined the boundaries of mobility. So this is a video and audio podcast I'm going to describe what we're looking at. They look like giant roller skates but it's two flat platforms with wheels, small wheels at either end and then a clamp that clamps your foot into it. We've got lights on the front and the back and you're saying this is an electric ski. Exactly. I know it's like a world but we have like a center of gravity, very lower than a roller blade. So we have like very stable when you use it. We have like one engine in each wheel so it's like very powerful. You can go up to 50 miles per hour. How fast? 50, 50 miles per hour. Exactly, yeah. Wow. The idea is not to go as fast but we need a lot of couple to go on the sand, on the mountain because we love to use it in the beach. You know, it's like a sensation of freedom just really amazing. So how does it give you the sensation of skiing that's different, that's somehow different than rollerblading? 
It's the first patent that we create like a front pivot system which first of all you produce the same feel as traditional skiing. So he's turning the wheel and it's kind of rotating in a lot of different positions. You know exactly with the real ski so you have just a curve but for the acceleration and the brake you have the handle in the UN so you accelerate your brake. Okay, so that's just a handheld thing Exactly. that you've got, he's got in his hand that's got a... This is a patent too because when you finish to use it you just lock it and you have a telescopic handle for an easy transport. Okay, so I've got to describe that to the audio listeners. He was holding something, it looks like a controller like for a VR headset. Yeah. It's kind of what it looks like that loops around your hand and he had a little dial where he's dialing the acceleration and then he popped it in between the two skis and then pulled out a telescopic handle and that's how you carry these. Exactly. Wow. How much do these weigh? The costs? The weight first. The weight, okay, it's 12.5 kilos so it's just like 6 kilos in each foot. So you know it's exactly the same way of traditional skiing with the boots on the ski. Oh, okay. So now the entire platform where your foot goes that's got a lot of friction under there that pops out and that's the battery. Exactly. You have one battery in each foot. You can travel 30 kilometers at a steady speed of 25 kilometers per hour. Not in sand. No, yeah, it's sand too but it depends on your weights. Slow it out, right, right. But we have a removable battery so if you want to make more than 30 kilometers you can change it in just five seconds. Oh, that's cool. Yeah, we've watched while we've been doing the interview one of the other gentlemen has just been popping the batteries in and out and in and out as we're talking. So, yeah, it's obviously very easy to do. When is this product expected to be available? This morning. 
We launched the crowdfunding campaign this morning on Indiegogo and we do like a 33% off for the 15th first backer. So I even think everyone to support us. And how much is it going to cost? The wheel cost we tailor is 2,400 but for now in the campaign crowdfunding it's 1,600. So a very big discount. Get in early on Indiegogo, huh? Yeah, exactly. So where would people go to find out more about Skwheel? Skwheel.com. So that's S-K-W-H-E-E-L.com. Perfect. All right, thank you very much. This was really interesting. Looks fun. Thank you too. Richard Gunther is the co-host of The Smart Home Show at SmartHome.fm. Not only that, he's a great guy and I'm not just saying that because he's the newest patron of the Podfeet Podcasts. He really is nice. He's in our Slack community, podfeet.com/slack, contributing and asking questions. I've met Richard in real life too. If you'd like to be nice like Richard, head over to podfeet.com/patreon and select a dollar amount that fits in your family's budget to help support the work we do here. Thanks, Richard. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Strangely enough, this bad news, good news stuff is one of my favorite times of the week. Oh, cool. Well, I think we have quite the roller coaster this week. So strap in, put down that little barrier thing that comes down on a roller coaster, whatever you want to put it. But anyway, let's have some fun then. We have quite a few follow-ups, actually. So obviously last time's news was very substantial because it sort of rumbled on a bit. So it developed a little bit. So the first thing I want to pick up again that we've talked about before is that Stolen Device Protection is now live on the latest version of iOS, which is 17.3. So this is basically, I call it the Joanna Stern feature. 
So Joanna Stern is one of the reporters who led the charge on figuring out and explaining how iPhones were being successfully stolen despite the fact that people had multifactor authentication and stuff on their Apple IDs. And the answer was that they were either observing people entering their passcodes or socially engineering the passcode out of them, then stealing the phone and then using the feature where the iPhone plus its passcode can be used to reset the Apple ID password. And Joanna Stern interviewed a thief, a convicted thief who now regrets their actions, who explained that when you were good at it, you could do it in about 30 seconds. So steal phone, change password, disable Activation Lock and Find My in about 30 seconds when you practice all the keystrokes. Right. So this feature was designed to Which surprised all of us. It did, it really did. And probably Apple too. And they took a while to have a think about it. And in the betas of iOS 17.3, they started testing it, this stolen device mode and that's now gone production. So it's gone into the released version. And it's kind of a simple idea. When you turn it on, nothing really happens, obviously, unless you try to do one of those really sensitive things like change your Apple ID password or change Activation Lock or, you know, turn off Find My, something, something dangerous like that. And then it will basically go into one of two modes. It will say, are you in a trusted location? In other words, a place I have seen you many times before. And if you are, it will say, do a biometric please. I just want to be absolutely sure it's you. And then it will do whatever you ask. And if the answer to, are you in a place that you usually are is no, it will say, do a biometric please. Now hang tight for an hour, then do another biometric and then I'll do what you said. 
And that one hour delay is enough to lock out a thief, gives you an hour to basically turn on Lost Mode and lock the thief out of the device they stole. That's a good point. You do have to then declare it lost so that somebody, or stolen, so that somebody doesn't, so they don't continue with that. The thing I expected and doesn't exist and I'm a little disappointed was I thought we would define where we wanted to be trusted because they said, home and work. Well, I don't have a workplace but let's say I go to the gym all the time. The gym is the most likely place for me to have a shoulder surfer because I don't go to bars and such. And if I go there all the time, I mean, which I don't anymore since the pandemic but I used to, that's the place where it's the most dangerous for me. So that doesn't seem like a good, it seems like it's automatically figuring it out. It doesn't ask you, where do you live? Where do you work? That is true at the moment. I thought it would. The beta of 17.4 brings us closer, not to exactly what you want, but closer. There's an extra toggle has appeared, which is always on. So you can basically say that everywhere in the world is untrustworthy. I didn't want that. Yes, but it's closer. Nothing like what I asked for. No, no, but it's closer. No, no, the opposite. No, no, it means that everywhere. I mean, it eliminates the bad spot, but it takes away the good space. So. Right. But how often do you need to disable Find My and how likely is it that you're going to be put off by an hour's delay? It's not disabling Find My, it's changing an Apple ID password. Your Apple ID password being the one, the thing you want to protect the most and I would not want to have an hour delay. No, no, but only if you reset it by using the passcode on the iPhone, if you go to appleid.apple.com and reset it by knowing the password, none of this matters. It's only if you use. Oh, okay. So, okay, that makes more sense. 
Yeah, so I think it's actually. That could be okay. I think it could be okay. But I think this will evolve. If it's already evolving between 17.3 and 17.4, I imagine there's plenty of feedback coming in. So I wouldn't assume this is a finished product just yet. So I would stay tuned. I would stay tuned. I've long said that I don't understand why there isn't a giant scam of people who break into people's everything using their gym passcodes. Because at least at our gym, I take my purse and I put it in my locker and I have to give it a four digit code. Right. What are the chances that that four digit code is different from the four digit code that opens my phone? Or the four digit code that unlocks my garage door? Or the four digit code on my ATM card? What are the chances it's different versus the same? So picture this, you shoulder surf me putting my code in on my locker, then I leave for 45 minutes to go work out. You walk over, you open my locker, you take my purse. You now have my home address, you have my credit card, you have my ATM. You probably don't have my phone, but you've got car keys. Yeah, well, not in my case, you wouldn't have car keys, but because I've got my phone with me, but a normal person would have car keys in there. You have everything to steal everything from me. Right? It's probably the code, it's probably the code to the alarm system. If I have an alarm system, I mean, it seems to me you'd have like probably a 50, 50 shot of success. And that's a high attack factor. Not giving anybody ideas out there, but that's what I would do if I wanted money. You're right, passcode reuse, forget about password reuse, we're getting better about that slowly, but passcode reuse. Passcode? How many passcodes have you used in your life? If you look at four digits, how many total? I'm going to not answer that question. 
I will say one thing, I will say one thing about 10 years ago, when I started to become serious about security, when I would get a new ATM card instead of changing the PIN to what I had always used, I changed myself to the new PIN. But for most of my life, I did it the other way around. It's like, oh, I have a new ATM card, I'll go to the ATM, push the button to change the PIN. Actually, now that I've changed it, well, I can tell you what it used to be, 1701. So if you knew you were a Star Trek nerd, you knew the answer to the question. Yeah, if you knew me, you knew my PIN code. Oh, I know some people I can break into their ATM cards now that I think about it. And if it's a five digit code, seven, four, six, five, six. Star Trek Voyager, the five digit code. Oh, really? NCC, seven, four, six, five, six. Anyway, anyway. All right, well, we're almost through item number one. Yes, that was our first bit of follow-up. The other thing we talked, or another thing we talked about last time was a lot of accounts by big people on X slash Twitter getting hacked. We have a little bit more information about what happened to the Securities and Exchange Commission. They have confirmed that they had SMS-based two-factor auth and they were SIM swapped. So that is how their account was taken over. A person in the SEC, not the entire SEC. The SEC's X account. Oh, is the... Oh, okay. Yeah, which could be multiple people using it. Exactly. Nice. So that reminds us why we say that SMS two-factor is better than no two-factor, but only just, and of all the two factors, it is the lowest of the pecking order these days. Does the SEC get to keep the word security in their name after doing that? Well, they don't. Securities aren't quite security, right? Oh, okay. Securities, not security. Yeah, they're money people, not security people. Which is a good excuse for me to pop into the show notes that X have started trialing passkeys.
If you are an iOS user in the United States, you apparently can use a passkey for X. I am not, so I cannot, but apparently that's true. We also talked about a bunch of federal agencies getting really cracking down hard on data brokers. We had two stories, and you are hoping it would just be data brokers full stop, but they were two specific data brokers being cracked down on. But it seems to be a trend. There seems to be an appetite within the federal agencies at the moment to do things when it comes to cybersecurity. So just since last we spoke, the Federal Trade Commission has entered into a consent decree with a company called Blackbaud, who had a pretty spectacular data breach last year. And they are a cloud provider to nonprofits, including a spectacular amount of American hospitals and things. And they have been told, you absolutely need to massively change up your security practices, or well, basically they've agreed to this with the FTC. So that is good. Unfortunately, after the barn doors are closed, but... Yeah, it's still better. It'll open again. Exactly, we'll keep them closed. And also, this is a great example of being able to, if you're now in a competing company and you're asking for money from the boss, you can say, do we really want to be forced into a consent decree, or how about you give me the budget to do this right from the start instead of all of this expense? So it's good, it's always good. Citibank are headquartered in New York, along with many, many, many financial institutions. There's this wee thing called Wall Street, you might have heard of, which means that when it comes to regulating banks, it's the attorney general of New York State, who's very important, who at the moment is a lady called Letitia James, and she has sued Citibank for failing to adequately defend their customers from hacks and fraud through not doing the basics of security. So again, good.
In related news, the NSA have been forced to admit that they were buying data from data brokers because of some sterling work from Senator Ron Wyden, and he was triggered into asking questions by the news story we reported on last week with the FTC taking action against data brokers. Senator Wyden was like, I wonder who else are customers of these people who've just been sanctioned? Oh, look, we are. We being the government he is part of. So that is good to see action being taken on that. And in some... So specifically the data brokers, it was they were buying your internet browsing data? Location data. So physical location data from those same vendors who had just been found to be illegally collecting it. So... Okay. Yeah. So it was an interesting question to ask. All right, so these data brokers were collecting location data illegally. Were we using them? Oh, yes we were. So good question to ask. Now we switched more to the good news column here. So it is coming up to tax season for you guys. I believe it's the 1st of April, not a joke where you guys need to do your tax forms. And... I think it's usually April 15th. Oh, 15th, okay. Not the first that I... Unless they moved it. No, that's better. Because I always thought it was hilarious on April Fool's Day you had to do your taxes, but it's much better that that's not true. I'm glad I was wrong. It's less funny, but better. Anyway, the Federal Trade Commission has ordered Intuit to stop falsely labeling some of their online services as free when they are not actually free. When they come with little secret hidden, oh, did we say we're gonna do your taxes for free? Well, I actually know you owe us money now. So this has been a long running thing, Intuit.
Intuit get federal money to offer free services and they still offer paid services and they have perpetually and continuously tried to trick customers who come for the free that the government have paid for into the paid and the FTC have jumped in and went, no, you cannot push free stuff that isn't actually free. You need to do the free stuff the government have paid you for and not try to trick those customers. Imply otherwise. Yeah, let's see the article that you linked to in Bleeping Computer says around two thirds of all tax filers in the US could not use TurboTax for free as advertised by the software provider. So I can imagine it's like if there's a 1040 EZ form where it's basically, I got a paycheck, I don't own a house, I don't have a car, I don't know, I have no assets and here, press this button, that's what you owe. And that's probably what's free. And if you own any property or have any other kind of income or debt or anything, it doesn't work. So yeah, well, good on them. Exactly. And then in a related sort of, it's not quite a palate cleanser, but it is good content all the same. So a few days after we recorded last about the two data brokers getting caught up or getting sanctioned by the Securities and Exchange Commission, the Planet Money podcast released a podcast episode with the title, why the FTC is cracking down on location data brokers. And they go into the economics of what's going on and a little bit of the history there. So it's actually a really good way to get an understanding of what's going on that led up to that enforcement action. So I thought that was, and they're quite short. It's less than half an hour. So it's a nice tip I thought I'd share. Yeah. And I just realized, I like to put my show notes in order where bad news comes first, but I obviously made a bit of a boo-boo here because the last follow-up is 23andMe.
And I have never said those words and followed it by good news, everybody, unless I mean it in the professor, whatever his face is, ironic sense. We now know more about how the whole thing went down. It was indeed a password stuffing attack which went unnoticed for five months, which means that no one was monitoring their logs for five months. Because when you are hit by a password stuffing attack, I know this for a fact. When you're hit by a password stuffing attack, it's noisy because you have to try, if you have a data breach with, if you have a thousand passwords that you've got from another website, only one or 2% of those will work on any other website. So that means that the amount of noise you're making, stuffing all of those passwords from the Yahoo breach into 23andMe or whatever, it's really noisy. For that to go on for five months and to successfully log into tens of thousands of accounts, that's a sign of negligence at best. Not paying attention at all. Yeah, so that is not good news. The other thing, the other bigger headline is that the attackers got the raw genotype data and the health analysis based on the raw genotype data from the accounts that were compromised. So this is just a story that keeps on giving in the bad way. So if you're a 23andMe user, you do need to be aware that this information has now leaked for a lot of people. If you're, there's millions of people who've lost enough information for scary phishing attacks and there's tens of thousands of people who've lost their genetic information. If you didn't get an email from 23andMe saying that you lost your genetic stuff, you didn't lose that. So if you don't have an email from 23andMe, it's only phishing you're vulnerable to, but if you do have an email from 23andMe, then I'm telling you something you already know. Maybe check your spam box for an email from 23andMe. Why do they have health reports? Is that health reports like you have a genetic marker for blah, blah, blah?
Yeah, so they take the raw genetic data and put it into an algorithm to figure out what it means and then they generate reports. So what are the reports? Is what badly based where in the world you're from, which is based on pseudoscientific nonsense and another report. Thank you. And another report, unfortunately, is based on sound science, which is the health implications of your genetics. That's not pseudoscience, unfortunately. That one's real. Like there are indeed genes that predispose you to all sorts of things. But I'm surprised they can do that from spit. It's as long as they have a DNA. Because I had to take a real blood test to have the genetics, like we had a concern in the family, one of our family members has a, the genetic marker for colon cancer. And so I went and got tested but it was not a spit test. It was not a stick something up my nose test or inside my mouth. It was a blood test. It's possible they were testing for many things at once while they were at it and therefore they wanted the most diagnostic sample possible. Maybe. It's like we don't wanna ask you for 20 things. So we'll ask you for the one thing with the most in it. Yeah. But yeah, by the way, that is, I look, that story just keeps on giving. I thought we would share. But anyway, we're done with that. Let us move on, move on. Okay. So the first one is not in the good news category and the next one is interesting. So attackers keep on getting more clever. And I say attackers, I mean Meta, unfortunately. And I just checked in the show notes and I should also put sadly to say, TikTok are doing this too. So I should probably update the show notes to point my finger in two places, not just at Facebook Meta, but Facebook Meta are on the naughty step for sure. So I'm gonna set the scene a little bit before we go into what's happening now. So we know that iOS is one of the most secure places to do computing because it's a very confined environment.
It's not like a general purpose desktop computer where when you run an app, it can do a lot. Inside iOS, the apps are inside a sandbox and there's been very strict rules on what they can do technologically since day one. And one of the things that was very, very, very tightly controlled in day one was when can an app run? And in the very first versions of iOS, if the app was on your screen, it was running. And if the app was not on your screen, it was not. And there was no way for code to run when the app wasn't the frontmost thing on your iPhone. So when you would multitask away, the app would pause. And then when you would come back, the app would resume. But that- That was also a battery advantage too, right? Absolutely, and processor and RAM because those early iPhones, they were out, that was amazing what they were doing on limited resources. Like that was magic, right? Engineering magic. But it does have downsides. So you couldn't have a third party podcast app initially because as soon as you did anything else, the music would stop, right? Oh, right, right. So over time, Apple have added APIs to allow apps to request limited background capability. And so the first of those was background audio. And then they added background download where an app could download stuff in the background for a finite amount of time every day. So your podcast app could have your new episodes waiting for you. And you could listen while you didn't have the app open. And one of the things that was added much later when do you remember push notifications used to be a read-only thing? The notification would tell you some stuff and your only option was dismiss. You couldn't interact with a push notification. You couldn't click like or reply. A push notification was a dumb thing. I didn't know they weren't still dumb. Oh, a lot of them have action buttons. So if you get a push notification from Telegram, you can reply right within the notification. Oh, okay. Yeah, I see what you mean.
Yeah, so they call them rich notifications. So those rich notifications quite clearly mean that some Telegram code must be running for you to write a reply to Telegram, right? It means that a part of the app is allowed to wake up at least a little bit whenever you receive a rich push notification, because otherwise it physically can't provide the buttons. And the charming folks at Meta and at TikTok have realized that if they send a push notification, that wakes the app up so they can send your location back to their servers. And so they are basically sending out as many push notifications as they can to keep as good tabs on your location data as they can by getting their code to send your location each time they push, which is slimy. Interesting. So the only defense at the moment. So this does explain why Facebook and TikTok are constantly asking me to turn on notifications. Oh yeah. I get that pop up all the time. I keep saying no. They really want it because that is a valuable source of background information. It lets them track people's location by having notifications enabled. So they want you to have it on. A, because it makes you more likely to be a recurring user because you're seeing things. And B, because it lets their code run. Whenever their code runs, they nom your location either from GPS if you've given Facebook or TikTok GPS access or from your IP address, which is still enough to give a decent idea where you are. So they're either doing it indirectly or directly depending on what they can. So the only solution. So it doesn't sound like this is against the rules or anything. No, this is just being, doing what is technically possible to be that guy, right? This is the, right? It's not technically speaking, hacking. It's just deeply immoral. And sneaky. Right, it's immoral, but it's not against the terms of service or anything like that. It may fall afoul of not being clear in your privacy statements. Yeah. Might do.
Depending on what's in the small print that no one's read. But the answer- What can we do about it? Don't allow push notifications on any app that you don't fully trust. Okay. Now, as it happens, my social media isn't allowed push for my sanity. Now I'm going, yay, bonus extra. They can't track me. I don't let them do badges either. You remember I did a post a while ago, an article about how I love notifications and man, it's gotten even, it's just, it's insanity the way we have our house set up with so many things. Like we get a few blocks away and all of the Eufy cams say, okay, I've switched to recording now. And then as soon as one of us gets inside the geofence area, every one of them, I think I need like one of them to send a notification, but they all do. So we get like, bing, bing, bing, bing, bing. And you can hear both Steve and my phones going off and the garage doors talking to us and the Ring alarm and somebody's at the door and the Alexa's telling us somebody's at the door and it's just, oh, it's a mess. Well, I just go, I rediscovered how many AirTags I have and how many notifications they send when I was visiting my parents for a week. And my parents' house is not my house. So when I would say, leave, you know, I had two umbrellas with me. If I left, I'm sorry, I had one umbrella with me. If I left my umbrella at home because it wasn't raining, I would get five minutes away from the house to go, you left your umbrella behind. Oh God. Oh God. No, I didn't. You left your backpack behind. That was the one I got constantly. I turned mine back on for home.
So when I leave my house, when I get about a quarter of a mile away, I get a notification that I've left four items at home and it seems to be learning the ones that I use all the time, the ones that are normally with me because I have a lot more than four AirTags, but it's these four things that it knows like my iPad and I don't know what else it is, but not some iPad, but four things I usually take with me. But no, but I have my phone with me. Anyway, I had to turn it back on because I left my house to go to San Diego for a week without my purse. That's a problem. So I can't trust myself not to leave something at home. So now I have to have them all on. So that that's going off when I get out of the geofence area. Oh, I think my heater tells me it's turned off. Anyway, so that is- But not TikTok or Facebook. Yeah, so basically if you've seen stuff about this, this is how it works. This is what it is. And the solution is no push notifications for apps you're not trusting of. So, deep dive number two then. I would assume we shouldn't trust Instagram either then. Right, Meta too, right. Since Meta owned them. Yes, exactly. Yeah. So this conversation is very much confined to the cybersecurity and privacy hat. So a lot has happened between Apple telling us how they're going to react to the EU's Digital Markets Act which goes into force on March 1st. Their press release is huge. Apple press releases normally have like two paragraphs of information followed by four paragraphs of marketing spin. But this was an essay. This thing is huge because they're doing a lot. There are over 600 new APIs have been added to iOS to facilitate the way in which Apple are deciding to apply the DMA. And a lot of the discussion you're going to have been seeing elsewhere on the internet. And frankly, a lot of the discussion in general is from the point of view of developers because an awful, awful lot of the changes are from the point of view of developers.
And that is an important conversation. It's one I have had on Let's Talk Apple which I have recorded but not yet published. So depending on the wibbly-wobbly, timey-wimeys of all of this, there will be Let's Talk Apple Episode 125 shortly after or before you hear this. Where I have a detailed discussion on the developer point of view and the economics of what Apple are proposing. But there are implications from the point of view of, hi, I'm Bob. I live in Europe. What does this mean for me? And so that's where I want to focus on for this conversation because otherwise we'll be here forever, right? So Apple did make a few changes that are very important for developers that are worldwide. So there are changes to how developers can do game streaming and there's some extra reports and stuff. All developers and planners can get to give a better insight into how their apps are doing in the app store, which is cool. Great for developers but have no real relevance to end users apart from the fact they might get some nicer features which is yay. All the rest of this is EU only. And Apple's approach has very much been to do what they believe to be the bare minimum that they are required to and not a darn thing more. And whether or not that proves to be correct is going to be an interesting test because the way all of these rules work is very similar to how Apple treat developers which is an irony a few people have pointed out. So imagine, Allison, you have an idea for an app store app and you have read Apple's rules and you're like, well, if I read it this way this is legal by Apple's rules and they'll accept the app and I'll make a fortune and I'm a genius. But maybe Apple will interpret this word slightly differently and they'll reject my app and I'll have spent a year developing an app and I will make $0 and it will be complete waste and I'll go bankrupt. You have no mechanism to ask Apple to give you an approval in principle or anything.
All you can do is commit a year of work, submit it, cross your fingers and hope you can react to any criticism. So every developer has lived in this limbo which is one of the reasons people say that the app store prevents innovation because people are afraid to test the edges because the price of testing the edges is hard, right? It's a high price. Now, the way the European Commission work with their regulations is that they do not begin to evaluate people's compliance until the law exists. So until March 1st, the European Commission are not even looking at Apple's proposal. They are not going to start the process of checking if what Apple are proposing is actually sufficient. They will start that process on March 1st and then they will come back to Apple with critiques. So Apple have had to write these 600 APIs and develop this giant big plan in the hope that this is what's going to be allowed. So this may all have to change. So you're comparing this to the limbo that developers go into is kind of like ironic that Apple is gonna have to sit in that same chair. I am, yeah. The changes they're making, the changes they're making have nothing to do with the fact that developers have to wait a year to find out or work for a year and then find out. They're now in the place where they've had to do all of this work and they have to wait until the EU then check their work. Yeah, yeah, yeah. I just thought, I thought the shoe that was gonna drop was that Apple has to change that. But no, there's no hope for that. But ironically, we can all enjoy Apple having to do all this work and then wait to find out. Yes, which means, A, a little bit of schadenfreude I have seen from people. But B, what this is, is Apple's first offer to the commission because the actual wording of the DMA is that if the commission decided this is not enough, the first step is not court cases and fines. The first step is engagement.
So the way this is almost certainly gonna work out is that the commission are going to evaluate this. This is gonna happen on March 1st and then on March 1st, the commission will look at it and they will then enter into a discussion with Apple where they're going to either say tweak this or, oh no, no, no, no, this is wrong in every possible way. We don't know what they're gonna find, no one does. But almost certainly. Does it go into effect on March 1st or that's when they give it over and they get to decide and then it goes into effect after that you mess around with it? So these changes will happen on March 1st and then it will be decided. I don't know what happened means. I'm trying to get you to be more precise. This is real. It does happen to me. We will experience it. Yes, it does. Yes, it does, absolutely. This will become, this description from Apple will become reality. Whether it gets to stay reality for any prolonged amount of time is completely anyone's guess. My educated guess is that at the very least this will be tweaked by the end of 2024 or there may be a very, very tough discussion with the commission where they say to Apple, this is terrible and your whole concept is wrong and you have to start over and then Apple will say no and then it will go to court and then it will be years. But all of that time, what's prescribed here will be in place until something replaces it. Why wouldn't the EU review it before it goes into place? That doesn't make any sense. Because everybody's time and energy and every developer going crazy. Except for the commission. Except for the commission because they don't have any staff to implement a law that doesn't exist. So they don't have budget for doing this until the law is real and then their budget kicks in. So then they have the staff to go and actually do the reviews. It's a strange way that the European Union is, I believe Byzantine is the best possible word for their bureaucracy.
What you said doesn't make any sense. The Digital Markets Act is in place, correct? The law is passed, which means that on the 1st of March, the law becomes active and the resources to enforce the law, that budget becomes live. So at that point in time, they're... Okay, so on March 1st, they could accept Apple's plan, study it, tell them what they have to tweak before yanking every user and every developer's chain with rules that then they're gonna come back and go, no, that's totally wrong. Well, but how could they... That seems a big waste of everybody's time. It's a lot of work to evaluate this. So on the 1st of March, hundreds of people in... They shouldn't have asked for it if they can't review it. But they didn't, right? The parliament asks for it. The parliament asked for it and the parliament assigned a budget to the commission to police it and the policing doesn't start until the law starts. That's how the parliament do these things. So the congress creators have decided that a bunch of bureaucrats are going to start working on March 1st and this is the effect. I'm not justifying... And everybody will blame Apple for these rules being changed midstream, coming up, showing up, disappearing, coming back. That's unfortunate. Possibly. I am making no comment on the sanity of any of this. In fact, my comment is kind of aligned with yours. Just the fact, man. Honestly, I think it's nuts. I agree with you. But this is what's going to happen. This is reality. So this is what I'm trying to... Let me understand. Yeah, I'm sort of preemptively explaining because this is going to be an issue. It's going to confuse people. So what is actually going to happen from the point of view of regular old folk who are just users? So first thing is, unless you're in the EU, this doesn't happen to you at all. And even in the EU, a lot of this isn't going to happen for very many people because all of the developers get a choice.
Keep doing what you're doing now or move into this new universe. And unless the developer chooses to move into the new universe, the app doesn't change at all. Nothing changes. So developers have a choice for the status quo, which is perfectly fine because the DMA is about giving choices. So developers being free to choose to continue what they're doing now is perfectly fine under the DMA. They just can't be forced to keep doing what they're doing now. So choosing to do is fine. So the chances are most developers are going to go, actually, this is fine. I get to do the same thing in Europe. I do in America, Africa, Asia. I get to do the same thing everywhere. Keep going. Even if they do updates to their application, they put out a new update. They don't have to follow the new rules. No, because there are two contracts available to a European, to a developer publishing in Europe. You can use the existing worldwide contract or the special EU contract. So you have a choice of two contracts. Okay, okay. So it's not a grandfathered thing. If I am in the EU and tomorrow I've come up with my great idea, I can choose either one. Every developer gets to make the choice once. If you choose to... So if you're a new developer, you sign up to contract A or contract B and that is your contract forever. If you're an existing developer, you can choose to switch to the European only contract and then you can never go back. But you're in it forever and forever. It is a fork in the road. But you are free to go on either fork and you can come off the Apple road at any time. But once you go on to the Europe road, that's it. You're in Europe land. Do we have any idea of what's gonna change? Yeah, yes, lots. The whole fee structure changes if you go into Europe land. Like the commission drops to a tiny amount but you get the platform fee instead. I go into all that in great detail on Let's Talk Apple. From the user's point of view, different types of apps are going to become possible.
In Europe, if developers choose to take this opportunity and my money is on, we will see very few of these. So today, we think we have third-party browsers in iOS which is kind of true because when you install Firefox on iOS, what you see as a user is different. It has, you know, it synchronizes your bookmarks from Firefox on your desktop. It looks different. But its brain that does the HTML, CSS and JavaScript is actually Safari's brain. It's actually WebKit. And at the moment, Apple do not allow you to bring your own browser engine because browser engines are hard to do securely and efficiently. If you get it wrong, you have massive battery drain, Chrome on macOS and you get massive security vulnerabilities like all of those zero days that we see patched in all of our browsers all of the time. So Apple like to keep it nice and tight but that is anti-competitive, says Europe, therefore in Europe, if you choose the Europe contract, you as a developer can get a new app store entitlement which will give your app access to new APIs which will allow you to build your own browser engine. So you can have your own browser engine and browser fiddly bits if you choose to but only in Europe. So who was going to write two brains? If you're a Firefox, do you want to write an app for Europe and an app for everywhere else? And in one of those apps, you have to do all of the testing to make sure that your Firefox brain works in iOS but you also have to make sure that your Firefox app keeps working with the Safari brain because you have to use that in America and Asia and Africa and... I think that they will. Okay. And it's because of the headwinds that they're facing in the United States because of anti-competitive things and there's very few things that our existing lawmakers seem to agree on and it's everybody hates big tech. So whether they'll succeed at writing any legislation that's a whole nother Oprah but they all agree that big tech be bad.
So there's a, I could see a future where whatever they learn to do in the EU they could start doing there. And this makes me even more concerned about something I've talked to you about and you keep telling me that I'm being overly worried. How many services don't work under WebKit? How many of the things like Riverside and Recore Video and what's the other one that we use? StreamYard, you can't use WebKit for it. And so all these services are starting to come out that we're getting back to the Windows, you had to use Internet Explorer world. And if the one thing that's held them back I think is the fact that iOS is WebKit and iOS is massive and iOS has a lot of money. iOS users have a lot of money. So if now you can start running Chromium browsers on iOS, that's a bad world I don't wanna live in again. I didn't like the ActiveX days. That's an interesting point. And I would love to be able to say no, Allison, you're wrong but I don't think you are. Sorry. Shoot. So I at least until another country copies and pastes this rule I don't think we're gonna see many third party engines. The risk to users of third party engines is that while the sandbox will protect you from the browser accessing data on your phone or other apps it won't stop the browser messing up by accident or on purpose data sharing between tabs inside the browser or the browser gathering information and sending it straight back to the browser author. So if Facebook do a custom browser there is nothing to stop them hoovering up all of your browsing habits and sending it straight to Facebook, right? Because they're running the browser then it's their engine they can do whatever they like but the biggest risk is you're gonna have less privacy possibly or maybe more because Brave or whatever could end up running a more privacy forward engine.
So Apple are always reined in a bit because they don't wanna break the whole internet but someone like Brave could become really brave and make an even more privacy forward browser than Safari. But the other big risk is your battery will go to hell in a handcart if you start running someone else's browser. That's very likely. I just thought of a more optimistic way to work to think about the problem that we're facing with not being able to do things like StreamYard in WebKit and that is that these companies have figured out some really cool innovative stuff that doesn't work on Apple's browser and Apple should get that working. A lot of it comes down to APIs which in hindsight turned out not to be great. Like there was a thing for a while where there was an API to let apps see the battery status and everyone said, oh it's terrible that Apple aren't implementing it and then everyone took it away because it was used to track people because if you cleared your cookies and your battery level was the same and your IP address was the same they just reconnected your session and started spying again. So there's swings and roundabouts on Apple's reluctance to be frisky with new web APIs. It's a game of two. I guess they're getting way behind on this one though. I want them to fix it. Okay, what is definitely going to affect users though? So forget about new brains, right? There are lots of browsers that have Apple's brain but their own front end. Everyone in Europe is going to be offered a browser ballot in the same way that they were forced to do in Internet Explorer when it was deemed to be a monopoly by the same European Commission a decade and a half ago or however long ago it's been since Bill Gates was being held up in front of Congress and the US and the EU Commission.
So the first time you launch Safari either on a new phone or on your first upgrade to iOS 17.4 you will be offered a randomly ordered choice of browsers which will be based on the country you are in which will be the 12 most popular browsers on your country's app store. And then you get to choose which browser becomes your default browser. What do you mean 12 most popular on your country's app store? So they don't exist yet. Oh, no, they do, right? You can go and get some Firefox. This is not, I'm not talking about the brain now. I'm talking about you can get Brave, you're using Arc Search. Okay, okay. So I got you. So in Ireland it will be the Irish app store. We can already change our browser. So that's not a big thing but it'll be in your face that you can't. You'll be forced to choose. So it's not that you will be able to change, you'll be forced to choose. On first launch, you will have to make a proactive decision one way or the other. And Safari will be in the list but it will not, it will be randomly placed in the list and you'll have to pick one. So that is not nothing. Is that a good or a bad thing in your mind? 12 is too many. It's gonna overload people horribly. It's gonna make people really cranky and it's gonna be like the cookie notice which was intended to be pro privacy and has resulted in everyone just never reading anything ever again. So I think well-intentioned, badly implemented. This is my hot take. Okay. The next thing that is going to happen is kind of an easy one. So you as an EU user will be able to log in to the, so you already have a portal that allows you to download all of the data Apple knows about you. So you and I have done it when it was first launched a couple of years ago. It's a giant big zip file. It tells you lots of boring stuff. In Europe, that giant big zip file is going to have a whole bunch of new files about your app store activity. And that will be in a format that can be shared with third party app stores.
So you could in theory take your full search history and everything Apple knows about you too and other app stores so that they can make suggestions based on the kind of apps you like based on your history in Apple's app store. So that's a competition thing. And so that's just a simple enough thing. The next thing then is third party payment processors. So whether or not a developer who goes the Europe road whether they stay in Apple's app store or whether they go to a third party app store they will also be able to choose whether to use Apple for payment or someone else for payment. Those will become two separate questions. Which app store am I in and how do I take payment are being separated as two questions. So developers don't have to answer that as one answer for both. They get to make two choices. And if you choose to go, so Apple's flat fees don't include payment processing. If you want Apple to do your payment processing you pay an extra 3% in fees. So 15 and 12, 17 and 20 are the rates depending on whether you do or don't take the fees. Wait, so the regular developer fee didn't change who is still 15, but the upper one was 30 and now it's 20? No, the upper one is now 15. For developers who go to the Europe route the upper one becomes 15. Or sorry, the upper one becomes 20, 20, sorry, 20. It's 20, 17. That's what I just said. So 30 went down to 20, but 15 stayed at 15. So they just help the big vendors. I may be slightly wrong about that, I was saying everyone got a pay cut, not a pay cut, a fee cut. I know it's 3% extra for Apple to do your money. That much I'm sure of in this show now. I'm so confused at this stage with all the numbers. I'm not gonna pay myself, not gonna pay myself for that one. Which means that there are new APIs for getting payment elsewhere. And because it's Apple APIs you can be guaranteed as a user that it will never happen without your knowledge. 
If you are in an app that uses a third party processor you will receive a clear notification provided by the OS that tells you that you are departing Apple's walled garden and you're on your own. And I'm sure the exact wording is gonna be tweaked a bit but at the moment every sample you've seen has been quite oh my God, the world is ending, the world is ending, you're leaving Apple's walled garden, this is terrible. It has real side effects though because family sharing and stuff like you know the way you can give kids an allowance, all of those kind of cool things are also in fact, I believe you can set up parental controls that your kids can use their allowance but only for certain types of apps. All of that stuff doesn't work on a third party processor because Apple are not in the loop anymore. So there are real effects of leaving Apple's walled garden. It's, you know. And the 3%- I think family sharing is another one. Yes, exactly. Family sharing. I think I might have, but yeah, just be clear, family sharing and parental controls are separate but related and they're definitely all in the mix here. And the thing is that 3% processing fee is not expensive. That's market rate. That's normal. Yeah. So I don't see a massive big draw for anyone who is not a massive corporation who has, who is their own payment processor. And if you're big enough to be your own payment processor, then it's 0% commission for yourself. So 3% is more than 0%. But for almost everyone who doesn't have in-house credit card processing, 3% is so utterly not an issue that the hassle you save by not doing it yourself means that it is economically wise for most developers to stay right where they are. If you wanna hear me go on a rant on this subject, check out the most recent episode of the SMR podcast with Allison where I specifically talk about the fact that people lost their ever-loving minds when Apple said, okay, fine, it's not 15%, it's 12% if you do your payments outside.
Well, of course, the only thing you moved was the payment processing. Everything else is the same. Anyway, I'm not gonna go into the rant here but I did not lose my ever-loving mind and I don't understand why people did. You might think 15% and 12% are too big a numbers. That's a different discussion. They're not for the fees. The fact that they only subtracted 3% when they only subtracted the payment processing, you can't, it's illogical to lose your mind about that little piece. Agreed 100% and one of the things that you will hear me say on Let's Talk Apple is that Apple have been forced to name the other percent. So the 3% was credit card fee. So what do you call the rest? It is called the platform fee. Or the, ah, core technology fee, CTF, core technology fee. So it's the fee. There's two things in that. There's stuff that costs them money and profit. That's what's in that piece, right? That's all that's in there. True. But the reason they feel their entitlement is because they took a lot of efforts to build iOS and to build this massive market. And you can argue whether or not they're entitled to that but moving the processing fee has nothing to do with whether they're entitled to that other pile. Exactly, completely agree with you. So that is the payment stuff. The next thing is that you will hear people wrongly say that side loading is coming to Europe. No, no, no, no, no. There is no side loading. Side loading means you bypass the security settings. There is zero bypass of a single security setting through any of this. Every app, no matter what app store it comes from is notarized, which means it is checked through all of Apple's technological, every technological control that stops an app from doing things remains in place. The apps are sandboxed. The APIs remain the same. The apps can't do anything they can't do now. The apps don't get a single new power because they are all... 
I think you are redefining side loading by a definition that's not widely accepted. The definition according to dictionary.com or from Oxford Languages says to install software obtained from a third party source rather than an official retailer. I stand by that definition because the only way you can get apps is through an app in the app store. So third-party app stores are actually apps. An app store. No, no. An app store. But on iOS, that third party is an app that comes from the Apple app store. You're still getting the app indirectly through the Apple app store and the control Apple are enforcing is massive. There is no bypass of... There is no getting around Apple's control. So I don't think this meets the definition of side loading at all. You can't just download an EXE file. Well, I don't know where your definition comes from, but I mean, if you're using an Android device and you use the Amazon app store, that's called side loading. But you can also download an APK file. I think it's called an APK file. You can download a file from the internet and install it on Android. You got to click yes to a few things and away you go. That is not coming to iOS. You cannot go to a random website, download an EXE file and run it. Not possible. It's only... Okay, then what is your term? You've got to give us a whole new term that nobody else is using. You cannot run arbitrary code. This is common usage. You cannot run arbitrary code. No, no, no. Give us a term for when you're using a different app store. What is that called? Okay, let me put it to you this way. You cannot run an app Apple have not approved. Approved in what way? Notarized. It has gone through human review by Apple. If you get an app... But what is the name of that? Now, I'm going to buy an app from the Facebook app store. I'm not allowed to call it side loading. What is it called? You're getting it through a different app store, but it's not side loading because it's still being verified by Apple.
It's not side loading according to you. What is it? It's the word people use, side load. I'm using a different app store. I can see that there's a distinction within side loading, that there's two different things there, but I think the fact that it's in common usage may just be the language changing over time. Within the security community, everyone is shouting and screaming that this is not side loading because I can't write an app and give it to you. I can't write some code and give it to you. Whereas on the Mac, I can write some code and give it to you. On Windows, I can write some code and give it to you. iOS remains completely closed. If Apple don't approve it, digitally sign it, the app will not run. Approve it in one certain very specific way. They don't approve whether it can do other things. I mean, they don't approve whether it's porn. It's actually the inverse. So approve is too broad of a word. The only thing they don't get to do is content review. All security review remains with Apple and no app can run that hasn't been proactively blessed. And that approves security review. Right, but they have only thing. They have to digitally sign the app to allow it to run. If they don't do anything, the app cannot run. So without Apple, the app is inoperable. The car can't start unless Apple say you can start the car. Technologically speaking, it's a big deal. It's massive control. So the point I'm making is control. Apple haven't given up control. The only- That's good information. What they've given up because the DMA says it. So the Digital Markets Act explicitly says that the sole responsibility for content moderation rests with the store selling the app. So if you have an alternative app store, they make content decisions legally. And Apple may not in any way infringe on that because the law, it's one of the few things in the Digital Markets Act that's like really clear. So content decisions are with the third party. 
All technological control is with Apple. And they're very clear that they're going to force the app into the sandbox. They're gonna stop the app using secret APIs. You still have to do stuff like app tracking transparency. So from a practical end user point of view, adult content, fine, gambling, fine, something as cool as audio hijack, still impossible. Mwah, wah. Yeah, yeah, exactly. Because people were hoping that developers could do things, could do the things they're imagining, but they can't and they still can't. And that's why a lot of people are very disappointed because people have great ideas and they were hoping they could do them and they can't. I wonder whether, you know, one of the things that was a good example of you do all this work on an app and then Apple tell you afterwards that you can't do something you were doing was Casey Liss in the app Callsheet. He has album artwork for the movies and TV shows and they came back and said, no, you can't do that. And it's like, well, no, you let everybody do that. I mean, IMDb does that. How could you not let me do that? But that was a case of where he got tangled up but took him actually knowing a guy to get that broken loose to where he was still allowed to do that. And it was a big mess, but I'm wondering whether that would fall under technological or under content. No, that's under content. That's copyright. Copyright content, copyright content. That would not be Apple's doing. Except Apple and Disney are like this. I'm holding up my fingers twisted together. And that was the problem was the screenshot he gave them had some Disney Pixar screenshots in it. So he jiggled them around to where none of them were Disney and he got it. I think that's what he ended up doing and he got it approved. Well, under the DMA, the way it would work was that Apple would have to sue him through his other app store. As if they were Joe Blow who had a copyright computer. Oh, okay. Okay. So interesting thought.
So those third party app stores I keep mentioning, they're going to be apps you download from the Apple app store, which have an entitlement which allows them to install apps. So they're apps that have the rights to install apps. Those apps will then be handed over to the operating system, which will show you information about the app, which has been digitally signed as part of the notarization process. So you write an app that's really cool and you're going to sell it through Bart's app store. One of the things you have to do when you're compiling the app for notarization is add metadata like this is what the app is, this is what it does. These are the permissions it needs to run. It goes for notarization. A human checks that your description matches reality and then your description is digitally signed along with your app. So what comes back to the third party app store to sell is your app, Apple's verification that the app is not malicious and your description of what the app does that is unalterable. And then when you install the app from the third party app store, the OS will present that metadata and say this app was written by Bart. It is a whatever app. Here are some screenshots we took while we were testing the app. We have notarized that it's safe. Yay or nay to install it. So that means that as you're installing apps, no matter where they come from, their app store nutrition label is going to come along for the ride but it's going to be baked into the app instead of it being a feature of the app store. Which is clever. Because we do want to know what's going on with our apps. So I like that. And yeah, that's really, I mean the notarization is a big thing. So the fact that Apple will still be reviewing all of the apps for everything apart from content is a really big takeaway. Okay.
So I think a lot of people assumed that we were heading to some sort of a Wild West security dystopia where you would click one okay button and then any app could install anything and do anything. The Android way. A lot of people assumed the only possible answer was a few warnings, the user clicks yes and then all the rules are gone and you can do whatever you like. And that's absolutely positively not what is coming here. What is here is the teeniest of the minimalist possible expansion of what's possible to meet Apple's interpretation of the Digital Markets Act. And how much of this is going to actually be forced to become a little bit wider. That's all up in the air. But this is the starting point and it's very minimal. I'll be sitting on the sidelines with my popcorn. Oh yeah, absolutely. We talk about this a lot. Yeah. So anyway, that is, like I say, big news month. So moving on to some quick action alerts. Apple patched everything. It contains a zero day, patchy patchy patch patch. It's in Safari, therefore it's everywhere. Oh, that's an interesting callback. Google Chrome, also an interesting callback, have also patched their first zero day of 2024. So if you're using Chrome or Edge or any of them they've all been patched, patchy patchy patch patch on your Edge-based or your Chromium-based browsers as well. There is a nasty flaw in a very, very, very common piece of Linux called glibc. It is the GNU C Library. It underpins very, very, very, very, very much software. It is a local privilege escalation. So it is not good for home users and you should patchy patchy patch patch, but it's catastrophically bad for cloud providers. So they absolutely have to patchy patchy patch patch. There is a Mastodon bug that has been responsibly disclosed. It has been patched and the details are being kept secret for 15 days. So if you run your own Mastodon server, you have 15 days, the clock started ticking a few days ago.
If you're not patched by the time the details are released, the chances are that you will be hacked very, very quickly because it's quite a serious bug. People may or may not have noticed I have started to run my own Mastodon server. I chose software as a service from something called mastodonhost. So when I checked this morning, my server had been updated by mastodonhost, which is literally what I pay them for. So that is why software as a service is a nice thing to do. Worthy warnings then. The FBI have issued a warning that scammers are using a new trick where they're actually starting to bring physical humans into their extortion scams where they end up getting you to meet a human to hand over cash. So they're telling you that you need to go and liquidate some gold on one of those dodgy gold liquidation sites. And then they will pay some low level person to go meet you and take the money off you. Basically couriers like you would do for other... This was for tech support scams, huh? Yeah, so the FBI are now seeing this as the next step in tech support scams, which is amazing. So be careful. No federal agency wants you to sell gold. This vouchers gold, they are never legitimate if someone is asking you for them claiming to be part of the target gift cards. No, exactly, exactly. Also, there was a bug a year and a little bit ago in December, 2022 in iOS that Apple patched and there are enough unpatched devices that the CISA, the center, the US cybersecurity and infrastructure agency are seeing active exploitation of that bug successfully hacking things. Patchy, patchy, patch patch. All federal agencies in the US are under orders to be patched by February 21st, legally. There is a scam on Facebook to watch out for that Bleeping Computer say is on the rise. I can't believe he's gone. The obvious thing is to try to trick you into believing someone has died and you're obviously going to click on it because oh my God, I can't believe X is gone.
It's a really common scam, be on the lookout for that. But what happens if you click on it? They're using people's hacks. So imagine you reused your Facebook password somewhere. I would then take over your account and send out this message to all of your friends who would then see something coming from apparently you saying, I can't believe he's gone. And that would then trigger you into interacting with me and that would be my in to start trying to social engineer something out of you. It's my way of making initial contact. Got you, okay, got you, right, right, right. Because yeah, you can only trick people if you get them talking to you. So this is their way of getting the conversation going. Trello had a whoopsy in their API that they initially pretended wasn't real but then admitted actually, no, it was real. 15 million people, their email addresses and other information has leaked. The danger here isn't credit cards and stuff, the danger is targeted phishing. That they will be able to believably be fake Trello because they know enough about you to look legitimate. I feel like you told us about this one because I know I went to trello.com and I looked in my 1Password and I didn't have a password but I knew I'd used Trello for a little while. So I went in and I said, I forgot my password. It gave me a new password link and I changed it to something that is now in my 1Password account. I have no memory of doing so. I can't think I would have known this without you. You may hear things from other people. I'll just check the date on the story. It's possible. January 23rd, so I don't think it's possible it was me. Okay, maybe they sent me an email. Oh, actually, that's entirely possible. That's possible. It is possible. Yeah, I don't listen to anybody but you, Bart. You listen to Tom Merritt, he tells you things. Oh look, somebody's trying to break into my Instagram account right now. Oh, yeah. Or pretending to anyway. I just got a code. Oh, okay.
No, I just got Instagram, just send me a code. I get these all the time from Facebook. People are always trying to get into my account. God bless MFA, or sorry, 2FA in action. Moving on to notable news. Oh, I'm sorry. I'm sorry, it's a better story about Trello. Do you remember I said last week that I thought Have I Been Pwned was a stupid thing because all it does is tell me that my password's been, or that my user name has been used. Right after we recorded, I got an email from Have I Been Pwned telling me that I was in the Trello breach and that's why I did it. So I have to confess that you were right. It actually does have some value. Number of accounts, 15,111,945 people have been affected on January 22nd. That is where it came from. So shoot, it did come from you. Indirectly, yes. Notable news then. So these stories are important for different reasons. So there's a lot of English in these show notes actually because these need a bit of putting into context. But basically, there is a law on its way through the process in the United Kingdom, which is going to, which has the potential to cause major headaches for Apple and Microsoft and many other people. The UK government want to give themselves a veto for software patches. They want to give themselves the right to tell Apple not to disclose or patch a vulnerability that the UK government is using to spy on people or surveil people. So if they're using a backdoor that relies on a bug, they are saying that they will have the legal right to tell operating system vendors not to patch. That will be catastrophic. It's not clear where it's going to go, but Apple are currently shouting loudly about it. We shall see. On the one hand, it's great that the FBI have disrupted a Chinese botnet that was using un-updatable routers. So remember I keep saying that when a router stops getting software updates, you have to throw it in the bin because it's unsecurable. This is evidence of how unsecurable it is.
There's an entire botnet of them out there working for the Chinese government. Or at least there was until the FBI went to a court and got permission to hack into the hacked routers and to install an unofficial unsupported software patch to kick the Chinese out and close the backdoor, which is on the one hand fantastic it's software patches for free. But it's the federal government being given the right to hack people's private devices. I'm in favor of it, but that sounds like something there should be a bit of a debate about. But it's kind of gone under the radar. So anyway, there we are. This next one directly affects me. So I fell off my chair nearly because I finally rented a car for the first time in my life and I chose Europcar because they would rent me a Polestar 2 and I wanted to drive a Polestar 2. And then I got headlines all over the place saying, Europcar caught up in data breach 50 million users affected. Followed a day later by Europcar denies data breach 50 million users were not affected. The data was fake. The good news is the data was fake. This is not a real breach. This is so people trying to extort companies are now pretending to have a data breach to extort silence for not sharing the data they never breached, which is a fantastic way of taking ransomware to the next step. What made this catch a lot of people's attention is Europcar in their press release said this must have been generated with generative AI to which Troy Hunt and most of the security community went actually no. There's lots of tools out there for doing this and this looks just like everything that's been around for years. This probably isn't AI. But I sort of went, yeah, but isn't this another thing that AI could do? So just because someone claims to have breached your data, don't assume you've actually been breached. They usually give out a sample, check the sample. And that's what was done here.
Troy Hunt and loads of other people check the samples and lo and behold, they were rubbish. So the data breach was invented, which is interesting. You have regularly said, and I have regularly agreed with you that it is a bad idea to take random thumb drives and plug them into your computer. This is not hypothetical. There is a campaign actually happening now in Italy where a whole bunch of businesses have fallen victim to this. There is malware spreading in Italy, targeting businesses on USB drives. Don't plug in random USB sticks. Also an important reminder, and I also wanted to put this in the show notes because this is a good news story that's probably been reported as a bad news story. So 49 zero-days found in Tesla cars. That is a true fact. It was at the Pwn2Own Automotive Security Conference, which means that Pwn2Own paid security researchers to try hack cars, not just Tesla, lots of cars, gave them money for doing those hacks on the condition that every bug is responsibly disclosed to the vendor who then have 90 days to patch it. So what's happened here is that some of the best security researchers in the world have been paid good money to make everyone's Tesla more secure. So yay is my answer. That's a good thing. I'm gonna correct one phrase. That is a fact. And I'm going to end. Not a true fact. I'm going to answer true. That is also true. And a fact. Anyway, I'm gonna end then on one final good news story. Reporting on how many people are actually paying ransoms is showing that people are not paying ransoms anymore, which means that the financial incentive for ransomware is drying up, which means that people are companies. So ransomware has already shifted from targeting individuals to targeting companies because that's where the big bucks were. And now that is drying up too. So the economic case for ransomware is evaporating, which means that ransomware is almost certain to follow because cyber criminals are only interested in money.
They're not doing it for the craic. They're doing it for the money and the money is drying up. So this particular phase of evilness is nearing its end. There will be other bad things, but this one is ending. That's good. Yeah, that is good news. I'm also gonna retract what I said. I just did some more reading on the side here on side loading and now I understand what you were saying that side loading, even on Android is where you just download something. It's not when you go get it from an official app store. Yeah. So I retract my arguments from before. Everybody put your pencils down, stop writing me angry emails. It's good we had the discussion though because it's a really subtle point that's important. So that was very valuable. I have two top tips to share. TidBITS, they have a good article on some tactics you can use if you receive an AI voice scam, which is now a thing where someone phones up pretending to be someone who really exists saying they're in trouble and asking you to mail them money immediately. How should you react? Well, TidBITS have some good advice, like phone them on a different, hang up and phone them back. If they're real, when you ring them, they will say, yes, I really am in trouble, help, help, help. But the chances are very high when you ring them, they'll say, what are you talking about? I'm fine. Or if you can't do that, phone a relative who is closer to them than you are. Is Bob really in Africa? No, Bob is just on the road getting the groceries. Oh, okay then. I won't mail $3,000 straight away. Okay. So this is a good advice. And that's good. Also on TidBITS, if you're wondering, how do I securely share a piece of information with someone else online? They go through eight different ways of securely sharing information online. And depending on what you already have, there's a really good chance one of these is already covered by something you already have in the cloud. Because there's so many cloud services. Okay, good, good.
So that's a really good one. So like post it to Facebook would be one. Oh, totally, absolutely. Yes, definitely. Post it on X and Facebook with the message saying, please don't read this. Like in those email photos. If this email was not for you, please do not read. I always loved those. Interesting insights then. We talked about the mother of all breaches last time, which is this 12 terabyte dataset. If you're wondering, how do you get 12 terabytes of passwords? Cause they didn't come from one breach. They came from lots of breaches. Troy Hunt has a really good explainer that explains this entire ecosystem of personal stashes, which is where they come from. I learned a lot about how this stuff works from that article. And as Troy Hunt said, it was nice and human friendly. It wasn't all techie and geeky in the bad way. It was techie geeky in a good way. And we have talked many times in recent weeks about malicious software ads on Google, successfully having compromised versions of software. And you and I were kind of wondering how are they sneaking through? Cause obviously Google are trying to have not malicious ads. So how are they sneaking through? Well, Brian Krebs on Krebs on Security explains one of the tactics currently being successful. They are being legitimate software download sites 90% of the time. And every now and then they're throwing in some malware. So they build up a reputation and they're a perfectly normal ad user and then they've used that reputation for a while. And that's how they succeed. They're spitting in our soup. They're spitting in our soup. That's it exactly. And then last, but by no means least, an excellent piece of analysis from Intego. Mac and iPhone malware of 2023. And then they project a trend forward to what we can expect in 2024. It's a month by month, blow by blow. What has been going on in the Mac and the iPhone for last year? And what does that imply is likely for this year. It's a long read, but it's some sterling work.
So I thought that's worth calling in. Some of our listeners may enjoy that, but it's a read for when you have a lot of time. And then I have two palate cleansers. And the second one, I think you and Steve will particularly love. So the first one sort of caught me by surprise. There's a podcast I love called Unexplainable that they cover the edges of what we know. And they basically, they tell us that this is the thing we don't know. We almost know this much about it, but here's the question that remains. And it's really fascinating to know where science stops and what we're currently trying to strive towards. But they had an episode entitled the math problem that could break the internet. And I went, ah, yeah, quantum computing, yada, yada, yada. I heard it all before, but I was too lazy to take my phone out while I was cycling and fast forward on. I'm really glad I didn't fast forward on, because that's not what it was about. It was a much deeper and much more theoretical question that I had never even known existed before. And I learned a lot. Oh, fun. So you may too. And then the last one is one I know you and Steve will love. So Freakonomics Radio is usually about economics and stuff, as its name suggests. But it's kind of a name like NosillaCast. They're kind of allowed to do whatever they like. And the host is fascinated or has recently become fascinated by Richard Feynman. So they have started a miniseries of episodes on Richard Feynman. And they're all called The Something Mr. Feynman. So the first one is The Curious Mr. Feynman. And it goes into his life story and what made him the curious person he was. And what gave him his outlook on life. And the next episode we've been promised is The Productive Mr. Feynman, which is about his really good science and chromo-electrodynamics. And I don't know what else is going to be, but it's going to be The Something Mr. Feynman. So there's going to be, there's at least two of them. Oh, that sounds great. Yeah. 
The first one's excellent. It starts with the investigation of the shuttle and the O-rings and there's wonderfully understated. This may have some bearing on the case as he basically demonstrates how the thing blew up. So it's fabulous. And unfortunately he got credit for figuring it out, which he did not figure it out. He did that after somebody at the table said it. And then he picked up the O-ring and dipped it into a glass of ice water and held it up and they took a picture of him. And that went across the news and he ended up getting all the credit. It's actually, there's a backstory before that backstory because he went to a lot of work to make sure there was ice water on the table. Okay, but anyway, that's what he said in the book I read by him about him and stuff. So yeah, that's a lot of fun. He's a great character to learn about. He is. Yeah, sorry. I know we're running really long because of the opposite. But one quick thing, his daughter is heavily involved. So his daughter is one of the main interviews in this podcast series. Okay, I think she might've written one of the books that I read about him. I've read a bunch of books about him and he's, yeah, I'll definitely be checking this out. This sounds like fun, but yes, we have gone very long. I'm getting hungry. I gotta go. Me too. So remember folks, the summary for all of this. Stay patched, so you stay secure. Well, that's gonna wind up this mammoth show for the week. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or a suggestion, maybe a dumb question like Chelsea had, you can just send it on over. Remember, everything good starts with podfeet.com. Wanna follow me on Mastodon? Podfeet.com slash Mastodon. Wanna listen to the podcast on YouTube? Podfeet.com slash YouTube. Wanna join in the conversation, join our Slack community at podfeet.com slash Slack where you can talk to me and all of the other lovely NosillaCastaways. Wanna support the show on Patreon? 
Podfeet.com slash Patreon like Richard. Or you can do a one-time donation at podfeet.com slash PayPal. And if you wanna join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.