Hi, this is Allison Sheridan with the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, March 19th, 2023, and this show is show number 932. Well, I'm excited to be back with a live audience. I'm excited to have most of my voice back, and it's the real me now. I love being on the Clockwise podcast, and this week's episode was my favorite so far. I don't know what it was, but sometimes, you know, the chemistry just clicks. It was hosted by the usual suspects, Mikah Sargent and Dan Moren, and had guest Lisa Schmeiser. She's been on loads of times, but I never got to meet her before. I was never on at the same time. She was as delightful as I had hoped. Now the format of Clockwise is always four guests, four topics. Our topics this week were how we display and enjoy our photos, celebrating digital cleanup day, software we use begrudgingly, and our device replacement strategies. Now that last one was actually from Jill from the Northwoods. She came up with the question for the show. Now, before we recorded, Mikah asked Lisa and me to add our Mastodon accounts to the show notes so they could tag us when they posted the show. I thought it was interesting that they didn't ask for our Twitter accounts. They actually already had them. But you know what? Nobody batted an eye when they said, hey, give us your Mastodon accounts. Things are hopping over at Mastodon. Anyway, you can find this episode of Clockwise at relay.fm slash Clockwise and look for episode number 494. And of course, there's a link in the show notes. In this week's episode of Chit Chat Across the Pond, it's another episode of Programming by Stealth. And Bart walks us through how to create, add to, and extract from arrays using Bash. It's a very light episode, which I managed to drag out longer by making him slow down and dig into the syntax used for arrays. Now, it's not just me being dense this time. 
There are squirrelly brackets, square brackets, single quotes, double quotes, and the good ol' octothorpe thrown in for some extra fun. So this syntax is pretty confusing. And I think by repetition, I may have gotten to the point where if I'm looking at his show notes, I could create Bash arrays and have a chance of getting all of that syntax correct. By the way, it looks like we're probably going to do another Programming by Stealth this coming weekend because of some scheduling problems. And so you only have a week to get the challenge done before next week's show. For this episode, as always, you can find a link in the show notes to Bart's fabulous tutorial show notes for Programming by Stealth. I am thrilled to tell you that my favorite conference of the year, Macstock Expo, is taking place July 22nd and 23rd this year in Woodstock, Illinois, as always, just north of Chicago. And I will be one of the speakers. I haven't been in a few years for obvious reasons, so I'm super excited to get to go again. Weekend and single day passes are available now. It's $299 for a weekend pass and $159 if you can only go for one day. I highly recommend, if you're going to bother going, make it both days, because the evenings hanging out with fellow Appleheads are just fabulous. You get lunch both days, a limited edition Macstock 7 t-shirt, and a free digital pass to re-watch the sessions. Now if you're flying out, don't book your flights just yet because Barry Fulk is going to come on the show to explain why you might want to fly in a day early. You can learn more about the conference at macstockconferenceandexpo.com and of course there's a link in the show notes. So far I think six or seven people in the live audience have already said that they are going to Macstock Expo, so if you want to meet the people that I'm always talking about in the live show, you should go yourself. 
This week, Steve and I made our annual short trek to the CSUN Assistive Tech Conference in Anaheim, California. I think the first time we went to this was at the invitation of Donald Burr, and every year possible we've been attending. In March of 2020 it was the first thing we didn't do as the pandemic hit. Missing three of these was very sad, so we were really happy to get to go back this year. The conference is a week of in-depth sessions, but we actually just go on the last day and go to the exhibit halls. It's not a huge show, but for a one-day experience it's just right. In a few hours we got eight interviews and they were all gold. Now gold for me defines that the person knew what they were talking about, could explain it articulately, they were enthusiastic about what they were talking about, and the product seemed interesting to me. A couple of them aren't really accessible tech things but they're still really good interviews. As usual, I'll be doling out these interviews over time rather than inundating you with them all at once. Keep in mind that while you'll be able to hear the audio in the show today, if you have the gift of sight you can also follow the link in the show notes to Steve's video recording of the interview. I made sure before each interview I told the person, pretend I'm blind, in hopes that they would be able to describe everything they were showing to me so the audio is nearly as helpful as the video. Let's hear the first interview from the CSUN Assistive Tech Conference. We're at the CSUN Assistive Technology Conference in Anaheim, California and I'm going to start out my interviews with Mike May from GoodMaps. How you doing today, Mike? Doing fantastically, having a great time because for the first time I can actually explore the exhibit hall independently without sighted assistance. Ah, now let me guess, do you do that with GoodMaps? 
We do it with GoodMaps, yes indeed, and the way it works is we come in and scan with a LiDAR scanner this building and the whole hotel for that matter and create a map, and then the accessible app is used on an iPhone or an Android in order to give me turn-by-turn directions. I can either just use it in a look-around mode to see what I'm passing as I go down the aisle, or I can actually set a destination and get turn-by-turn directions in the same way that you're used to with GPS outside. Okay, so part of the trick of this is somebody has to do the scanning of the environment, and is that the revenue stream for the app? Is that how it gets built? Is people paid to do the scanning of their venue? Yeah, the venue pays for the scanning and we make sure that everybody knows this is for multiple purposes. It's for blind people, there's a step-free mode for people in chairs or using strollers or carts, there's a good visual interface so the sighted people can use it. We don't want to leave them out, and everybody has challenges when it comes to navigating in airports, convention centers and large buildings. Actually, boy, you bring up airports. I've been lost quite a few times in an airport trying to find my gate. Yeah, exactly, and there's alternative ways to do that. You can ask people for directions, sighted people can look for signs, but it amazes me, a lot of times I ask a sighted person for directions, where's gate 10, and they say, oh I don't know, I'm not from here, and I'm thinking, well just look around, you can probably see it, but people are stressed out in airport situations. So what's the interface like for you? Describe, we're at a conference right now and it has been mapped out for you. What is it like? How do you use it? Well, the look around mode is my favorite because then I just point the phone, I want to know who's down this aisle that we're standing in. 
We're in the middle of it, Amazon is next to it, and if I point my phone in that direction then it's telling me either through the phone or through my earpiece, I have these headphones that don't block my ear so I can walk along and just actively hear what I'm passing, or I can pick a business like Aira and make that my destination, then it tells me go down this aisle, go 300 feet, turn left, turn right, and then arrived at destination. Does it tell you it's coming up on your right, give you like some indication you're getting close? Hot or warmer? Or warmer, colder, colder or warmer? Yeah, there actually is a getting warmer mode, but a lot of times it's just turn-by-turn directions, how many feet to go, it says approaching turns, you slow down, you don't miss the turn, in much the same way as things happen with your GPS in the car. That is really cool. Now what is the cost to the user of GoodMaps? There's no cost to the user, the apps are free, it's just paid for by the venue. Of course the big challenge is how many buildings are mapped, and right now we're kind of where GPS was 25 years ago where there's not a lot of maps, but that's something we're changing actively in railway stations, first in English-speaking countries but expanding to others as things go along. That sounds terrific. Can I ask you, an airport like Los Angeles International Airport, is that one mapped? LAX is not mapped, the two airports we've done so far are Portland, Oregon and Louisville, Kentucky with many more to come. So is there a way for people to encourage these airports or train stations or venues to get on board? 
Well, I think the importance of a conference like CSUN is that there are a lot of companies here. I talked to somebody from Hilton yesterday, they have 35 people here, there's banks, there's airports, there's the United Nations, so all sorts of people are coming here to learn about things, and so that's why we have a booth, so they can come by and learn about this new technology and see how it fits in to their environment for not only navigation but for facility management. Once you have accurate maps then they can be used for asset tracking and lots of other purposes. That is really interesting. One of the things I always like to pitch to people is that if you want to increase your audience, whatever that audience is, make things more accessible, because by not including accessibility, you're basically excluding potential customers, so why wouldn't you want to do this? Yeah, exactly, we're customers. I hate malls and so I would not do anything more than just destination shopping in a mall. Now I've been into a mall, I can browse, I can window shop, I can go in, buy chocolate, buy gifts, and find out what's there, not just the place that I'm targeting. That is a really good point, so that's back to potential customers, right? It's more inclusive, gets more customers. That's all good. Well, how would people find out more about GoodMaps? And by the way, I love the name PodFeet because of course we're a pedestrian focused company for everybody, so PodFeet kind of fits into that. You can get more information by going to GoodMaps.com and you can download the app with GoodMaps, which is one word, space, Explore is the indoor map, and then we also have another app that focuses on outdoor navigation that's accessible. What's that one called? That's called GoodMaps Outdoors. Very good, very good. Well, it's really nice talking to you, Mike. I wish you guys the best of luck. This sounds like a cool endeavor. Nice to meet you, too, Allison. Thanks for stopping by. 
Well, after the interview, Mike told us that we should have come the day before because Stevie Wonder was there. Mike explained that he and Stevie go way back, so he was able to show him around, which was great fun for him. I was chatting with Shelly Brisbin about the show afterwards, and she said, well, of course, Stevie Wonder always comes to CSUN. How did I not know that? Anyway, I guess he likes being up to date on all the advances in assistive tech as much as the next person. There's been a lot of very justified kerfuffle about a recent article by Joanna Stern in the Wall Street Journal regarding a relatively easy method for someone to shoulder surf to see your four digit passcode on your phone and from there be able to steal your entire Apple ID. By the way, it's important to note that Android users unfortunately have the same problem. With the PIN, a bad actor with your phone can change your Google account password as well. Now, just in case you haven't heard about the issue, I'll briefly describe the method on iOS and the repercussions. Then I'll give you a solution that may be easier for you than some other solutions you might have heard about. On iOS devices, you can use a passcode or password to unlock your phone and additionally use biometrics with Touch ID or Face ID. The passcode defaults to four digits, but you can also choose to make it six digits, or you can choose to use an alphanumeric password. If you use a long password to protect your phone, it's unlikely that someone looking over your shoulder could determine what that password is. But a short numerical code, especially four digits, is incredibly easy to ascertain. Let's say someone learns your code and then subsequently steals your phone. And here's the discovery that Joanna Stern reported on. She said, if you open Settings on your phone and then tap on your avatar at the top and go into Apple ID, iCloud Plus, Media and Purchases. 
From there, go into Password and Security and at the top you'll see Change Password. On every system I have ever used in my entire life, the option to change password requires knowledge of the current password, but not on iOS. Instead of being prompted for the current password, you're only asked for the code to unlock the phone. So think about that. You've gone to all this trouble to use a long, strong password to protect your Apple ID, but someone with knowledge of the simple code to unlock your iPhone or iPad now owns you. It's a reasonable assumption that your Apple ID is probably also your main email address. Guess what goes to your email address? Password resets on other services. So now someone can change your Apple ID password, log into it on iCloud.com, go to your banking website and change your password there too, because they get the password reset sent to them, not to you. If you use iCloud Keychain to store your passwords, they now have all of those without even bothering to change them. They literally will have stolen the crown jewels just by knowing the passcode to your phone. Now I think often about the four digit passcodes in other contexts. Have you ever used the same code that you have on your phone to maybe disarm your house alarm? Is it the same code as on your ATM? Is it the same code on your gym locker? If any of these are the same, it's a pretty easy thing to steal even more than your Apple ID access. Alright, enough alarming talk. What's the best thing we can do to protect ourselves? Well, the best thing you can do is change your phone's passcode to a long alphanumeric password. The longer and more complicated it is, the harder it is for someone to see what you're typing and remember it and be able to put it back in later after they steal your phone. 
Now, while this is definitely the best thing to do, it may not be practical for you, or you may weigh the probability of this problem happening to you against how annoying that tiny keyboard is to type on accurately and maybe choose not to use an alphanumeric password. Another option is to choose a six digit passcode instead of the default of four digits. While six digits is a little harder to watch and memorize than four, it's not that much harder. The shoulder surfer can also see before you start typing that there are six dots to fill in rather than four, so they can be ready to watch for all six. Okay, the numeric passcode is too easy to spot. The alphanumeric password may be too hard to type, but there's actually a middle ground. Turns out you can create a passcode of indeterminate length. And yes, I heard it, Tom. If you go into Settings and choose Face ID and Passcode, then use Change Passcode, you'll be asked to enter your current passcode slash password. Once you get past that prompt, it will offer you three options: custom alphanumeric code, custom numeric code, four digit numeric code. After you choose custom numeric code, you enter a code of any length you choose, the longer of course being better. The cool part about the indeterminate length of numeric code is how it changes the look of your lock screen. Instead of showing four dots for a four digit passcode, or six dots for a six digit passcode, it just says enter passcode with a text box under it. No one but you knows how many digits you have in your code. Now clearly a long numeric code is not as good as an alphanumeric passcode, or password I should say. The same reason it's hard to type on the alphanumeric keyboard is the reason it's hard for someone to figure out what you're typing. But for me, it's a good compromise because I find it incredibly difficult to type on that tiny alphanumeric keyboard. 
And as it turns out, I'm not in a lot of environments where someone could shoulder surf me. The bottom line is that there's a vulnerability we didn't know about before in the way Apple and Google protect our most precious password. Evidently they left open this easy method to reset your password because so many people forget their Apple ID passwords. Maybe it was a lot of work for Apple to deal with people saddened by the loss of access to all of their data. I wish those of us with good password hygiene, such as using third party password managers, could turn this feature off. And I put feature in air quotes. Remember, iCloud Keychain passwords are vulnerable if someone knows the passcode to your phone. And that's why I say I want to be able to turn this off, because I use a third party password manager. I hope that whatever you do, you do type your passcode or password into your phone in a way that no one can see what you're typing. A few weeks ago, Bob Cassidy taught us some tips about how to get Keyboard Maestro to do our bidding. He was helping me with a specific macro that needed to be triggered on a Finder item. At the end of his explanation, he wrote this. I think the ideal way to trigger this macro would be by right clicking on the file and choosing from the contextual menu. In the back of my mind, I thought Keyboard Maestro had that function, but after investigation, I don't see a way to do it. If anyone knows how to do that, I would appreciate knowing how. Well, I went on my own quest to see if I could figure out how to do it for him. I got really close to solving the problem, and then with some help from a couple of people, I was able to figure it out, but also Bob came at it from a slightly different angle, and we converged on a solution. So I'm going to start with the path I went down, and then we'll veer on over into Bob's method and take us over the finish line for his side. 
If you'd like to fast forward a bit, I've got the steps in an easy-to-read list at the end. But what's the fun in an easy-to-read list of steps? Let's go the long way around to get to the solution. All right, so we've got a Keyboard Maestro macro that acts on a file or a folder in the Finder. My particular macro acts on PNGs in the Finder. Instead of having to remember a keystroke or going all the way up to the Keyboard Maestro context menu in the menu bar, we want to just right-click on the file and choose the macro from the Quick Action menu. And before we get too far into the solution, I want to warn you that Apple uses a lot of different names for the exact same thing, for quick actions, and it's going to get really confusing. I'm going to go out of my way to add to the confusion by pointing out all of the names each time they change. That's going to be helpful, I figure. All right, inside Keyboard Maestro, if you select a Finder macro, one that operates in the Finder, you can select File, Export, and one of the options is Export as Finder Quick Action. That sounds like exactly what we want. By the way, there is an export menu available if you just right-click on a macro, but oddly, that export menu does not include the Export as Finder Quick Action option. You have to do it from the File menu. So the Keyboard Maestro export option calls it a quick action, but you are immediately asked, what do you want to name the saved service? Okay, we now have two names for it, quick action and service. Once you have the service saved, you still have to add it to the Quick Action menu. You get a pop-up that explains that to enable this quick finder action, sorry, Finder Quick Action, you need to select Customize from the Quick Action menu. To do this, we need to right-click on a file in the Finder, and in the menu that pops up, choose Quick Action. 
You'll see a list of your quick actions, and at the bottom of the list, it will say Customize, because you probably won't see the one that you just created there. This Customize request launches System Settings, or System Preferences if you're pre-Ventura, to Privacy and Security Extensions. Wait a minute, are they services? Are they quick actions, or are they extensions? Within the Extensions menu, you'll see Actions, but they're not quick. Ignore those. Go to the bottom of the list and choose Finder. Within Finder, we get a section that says Select Quick Actions to Show in Finder. In this list, you can finally see the quick actions you've already installed. You'll also see the one you exported from Keyboard Maestro. Check the box next to your Finder macro quick action service extension name, whatever you want to call it. All right, now from the Finder, if you right-click on a file and choose Quick Action from the menu, you can choose your Keyboard Maestro macro. That's fantastic. If this is the first time you've added a Keyboard Maestro macro to the Quick Action menu, you'll be asked to grant the Finder permission to control Keyboard Maestro. Now that makes a lot of sense, because I'm really glad that apps can't just suddenly start running Keyboard Maestro macros without me knowing about it, and the Finder is sandboxed in the same way. Once I had my macro in the Quick Action menu and I'd granted Finder permissions to run it, I figured I was golden. I right-clicked on a PNG and chose my macro from the Services Quick Action menu, and I was greeted with an error. It said, The action Run AppleScript encountered an error. Keyboard Maestro Engine got an error. Do script found no macros with a matching name. Macros must be enabled and in macro groups that are enabled and currently active. I knew that the macros were enabled and that they were in groups that were enabled, but I didn't know what this active thing meant. 
When I first wrote the blog post, right up to where I am in the story, it turns out the author of Keyboard Maestro, Peter Lewis, actually wrote a comment on the post, and he pointed me in the right direction to solve the error. So if you saw this blog post, it is completely different after Peter Lewis helped me. But before we get into that part of Today I Learned, what is this stuff about AppleScript in the error message? I never wrote any AppleScript. At the bottom of that error window it had the option to Show Workflow, which opened Automator. I don't remember creating an Automator workflow, or did I? So Show Workflow was in that window and it opens the Services menu inside my user Library folder with a workflow named after my Keyboard Maestro macro. So my macro is a service, is an extension, is a quick action, is a workflow. Got it, okay. So opening this Automator workflow revealed an AppleScript that was trying to run my Keyboard Maestro macro. I found it really ironic that Keyboard Maestro created an AppleScript for me, because I've been trying to use Keyboard Maestro instead of learning AppleScript, because I've been worried that AppleScript might go away sometime soon, as Apple seems to have lost interest as they're flirting around with Shortcuts. And yet here Keyboard Maestro goes creating an AppleScript for me. Well, I'm looking at this AppleScript and I haven't learned AppleScript yet, so I didn't know why the workflow AppleScript service quick action was failing. I sent Bob everything I did to get to this point and I asked him if he knew what was wrong. Well, as it turns out, nothing was wrong with the AppleScript. Keyboard Maestro's developer Peter suggested I open the macro in question in Keyboard Maestro and run the Interactive Help option under the Help menu. 
Well, learning about this Interactive Help menu made me really happy, because I had a problem with this macro, and knowing that I needed this Interactive Help menu was really cool because the tool is really cool. If you select the macro that's giving you trouble, Interactive Help asks you what's wrong. The two most interesting choices are something unexpected is happening or something expected is not happening. I chose the second option and it went through a series of tests on the macro. For the tests that succeed you get a happy check, but for the ones that fail you get a sad red X, which then takes you to another step to diagnose the problem. When I ran it on my macro it failed one of the tests and it pointed me to this active thing just like it said in the error message. At the top of a macro, it turns out, you define the triggers that make it go, and that's the active part. What I didn't realize is these triggers, they're not options, they're required to make the macro active. I completely did not understand that. When I originally created the macro with Bob's guidance I had the trigger set to the status menu is selected. So that's where you go up to the menu bar and click on Keyboard Maestro and you choose the status menu in order to get to your macro. That's the way I was doing it before, but if I'm trying to call the macro using a quick action then the status menu is not selected, so the quick action simply cannot run. It's not active, it just can't go because it doesn't have that status menu selected. Now as I explained it this kind of seems obvious, but I hadn't really given much thought to the importance of the triggers until the Interactive Help menu guided me through the problem. Once I fixed the trigger to make the action active for the quick action to be allowed to run it, it worked. Now before I received help from Peter on this, remember I said I sent Bob everything I did up to and including the error about the macro being active. 
I'm not sure he actually read everything that I sent, because I gave him all the steps and screenshots and everything, because he came at this from a different angle and he arrived at essentially the same spot but with a solution that was a bit more simple. The one interesting bit in the auto-generated AppleScript code that I got out of Keyboard Maestro was towards the end. It says very simply, and AppleScript is great because it's super readable. It says tell application Keyboard Maestro Engine, do script, big long ASCII set of characters, with parameter R, and then it says end tell. So it just says tell the application to run this script and then end telling it. So this part of the script actually kind of made sense. It's telling AppleScript to tell Keyboard Maestro to run my script, and I even knew what this big long ASCII set of characters was. I don't know if you remember, but last week when I told you about Dan Thomas' awesome Keyboard Maestro macro that lets you do version control on your macros, I explained that the exported macros have your human readable name that you created for your macro, but then they have appended to that a big long ASCII set of characters that they explained was the UUID for the macro from Keyboard Maestro. I know that's a lot of info I'm asking you to keep track of in your head from last time and this time, but I was pretty sure that UUID is the only way you could access the macro from within AppleScript. I'm wrong about that, but at the time that's what I thought. When I was talking to Bob I didn't understand what this parameter R was that was created, and Peter in his comment on the blog post explained it to me. So this says do script and the big ASCII character code with parameter R. He says with parameter value is replacing the trigger value token when the macro is executed. That's how the file you have selected in the Finder gets passed to the macro. So that's cool. 
One more thing from Peter: he explained that the UUID could be replaced by the macro's name, so you could write it as do script quote macro name. That's pretty cool. It would be a little more human readable later, you wouldn't have to remember where that UUID came from. So now let's switch over to Bob's method. Bob's solution was to start from Automator, add a Run AppleScript action and type in those same very simple lines that were in the auto-generated script, with the, you know, tell application Keyboard Maestro Engine and do script blah blah blah. His script worked as well. I had a question. The auto-generated AppleScript knew which UUID called the right script only because I had exported it from the macro I wanted to run. How did Bob know the UUID of the macro if he didn't go through that export step? I knew it was a UUID because of the version control macro from Dan Thomas, but in Bob's explanation he didn't call it a UUID. He referred to it as a macro script ID number designation thingy, which I really liked. Bob's explanation of how he knew the UUID taught me another new trick that makes this whole roundabout explanation worth all the time it's taken to explain. Remember I hadn't paid much attention to the trigger part of using Keyboard Maestro macros. One of the reasons I haven't dug into triggers too far is because there are so many options on how to trigger them. You can use a hotkey. You can have it run when a USB device is plugged in. You can have a macro trigger when your audio output changes or when a volume is mounted. The list goes on and on and on. Bob explained that one of the many options is to trigger macros via a script. If you choose the script option you can select AppleScript. This automatically creates an AppleScript for you that says tell application Keyboard Maestro Engine to do script and it shows you the UUID. Remember the UUID is also known as macro script ID number designation thingy. 
This is exactly the AppleScript that you can export as a quick action as I described earlier. Bob doesn't use the script itself, but he just used that script to find the UUID and then he put it in his very simple script. So I walked you down these two different paths again to demonstrate how much I'm learning by working on silly scripts like checking the alpha checkbox in the Save As dialog box for Preview. I learned from Bob and now I learned from the developer himself. How cool is that? Peter rocks. Now the only problem with my storytelling is that you didn't have a concise step by step process to turn a Keyboard Maestro macro into a quick action, and I promised I would boil it down for you here at the end. Step one, write the Keyboard Maestro macro that works on a Finder item. Step two, set a trigger that you know will be active. Step three, with the macro selected, select File, Export, Export as Finder Quick Action. Open System Settings or System Preferences and navigate to Privacy and Security, Extensions, Finder, and tick the checkbox next to your newly created quick action. Save your service in Automator and then to test, right click on an appropriate file in the Finder and choose Quick Actions and select your macro quick action. If Finder asks for permission to run Keyboard Maestro, say yes. If anything goes wrong, check out the fabulous Interactive Help in Keyboard Maestro's Help menu. Now I promised not to talk about Keyboard Maestro every week, but I was so excited to learn even more about this amazing automation tool that I felt compelled to share. Also if I write about it I can always find the solution online when I forget how to do this. I can't tell you how many times I have actually googled for a solution and found the solution at podfeet.com. One of the things I don't do is pay attention to who stops supporting the show through Patreon after a while. 
I figure, you know, people have their reasons and I don't want to feel bad about it and see somebody left, and I don't want them to feel bad either because I noticed, and maybe I'd feel compelled to say something, that'd be terrible, so I just don't look at it. You know, maybe they've had hard times or maybe they've just moved on to other shows. I know that's shocking to hear, but it can happen. Even though I don't watch it and I don't worry about it, I do know that if we don't get new patrons from time to time the funding for the podcast does slow down, and that's happening right now. I can assure you that the cost of making the show doesn't slow down to go with it. I seem to always be able to find a paid-for tool to make the sound better, to be able to supply enhancements to the feed, and to buy software and hardware to review for the show. So if you've been thinking that everyone else is carrying the weight of supporting the show, consider the value you get out of the podcast, and if it's worth a buck or two to you, head on over to podfeet.com slash patreon and become a patron of the fine arts.
Well, it's that time of the week again, it's time for Security Bits with Bart Busschots. How you doing today, Bart?
Hi, I'm doing good. It's a, it's a bit of strange day because, due to terrible wet, terrible rain here, imagine that, I did my cycle in the morning, so my timetable is all over the place. And then you guys have decided to do daylight savings time too early or something, so we're recording at a different time, and I'm normally off the bike, but I'm not just off the bike, and there's daylight in my office while I'm talking to you. This, this is weird. Yeah, I'm not used to seeing you without, you know, blue lighting making you look pale. See, there's a window behind me, look, there's an outside. Yeah, there is daylight, that's crazy. I would like the record to show that the United States by a vast majority said please get rid of daylight saving time altogether. And the Europeans have a very similar point of view, but the politicians can't quite seem to get it done, and most annoyingly, Brexit is probably going to kill it for Ireland, because with Northern Ireland we need to get agreement with our friends across the water, and I'm not sure we can agree the sky is blue at the moment. Well, our problem is pretty interesting and I don't disagree with it. Well, how the sun reacts by the hour has to do with where you are within a time zone. So if your state is on the western edge of a time zone you would want it to stay one way, but if your state is mostly on the eastern side of a time zone you would want it to go the other way, so the states can't agree on which one to pick, because we got to pick one, right? You got to pick a time. I think we should do what India did and go on the half hour. Oh yeah, that really works. Well no, all of India is on one time zone. They took all the two time zones and they split it in half and said, so they are like, whatever it is, 10 and a half hours or 12 and a half hours away from us. Yeah, but that just really messes with everything, the half hour. Then everybody's unhappy, it's perfect. That is how we got UTC. It is an acronym that is meaningless in French and English because they couldn't
decide whether to make it French or English, so they took the letters and put them in the order that worked for no one and they called it UTC. Fine, we'll take your ball and go home. Yeah, pretty much. Anyway, hey, on the subject of security, the listeners will have just heard me in this show talking about my idea of making a long, or at least of indeterminate length, numerical passcode on their phones as kind of a compromise between a four, six digit passcode versus an alphanumeric passcode, and I just wondered if you had any commentary on that. Did that make you scream, or would that make you scream into your phone? No, because really it's a case of doing what, doing whatever works for you that's more than nothing. Right. Because you're, you're stepping the right direction. Yeah, and again, you're not trying to outrun everyone, you're not trying to outrun infinity, you're trying to buy time, and you're trying to make it that you're the, the more difficult person to get in the crowd of people, because these attacks happen in crowded places, so you just have to be not the easy target. So anything you do to raise the bar raises the bar. Now raising it higher is better, but you know, you do still have to be able to use your phone. It's like, yay, my phone is perfectly secure, it's encased in concrete at the bottom of a river. Yay. Yeah, the thing I thought about was, it's, it's all in balancing risk and convenience, right? Right. I actually don't go clubbing as often as you might think I do. I barely leave my house, you know, so I'm not a high value, an easy target, I don't think, in general. But I mean, I could be sitting at Starbucks or something, right, typing in my code, and I think about that, but I think it's, it's a better balance for me. Actually, Steve told me not to tell anybody I'm actually using that. I'm not, I'm not, I got a really long alphanumeric passcode, there we go. I know you had said you didn't want to talk about in detail, but I do just sort of want to say that there are some talk about bypassing the extra
passcode and stuff. The only thing it has to buy is the Screen Time passcode, the Screen Time password code. So my reaction to that is, if someone can brute force it, because there's like a back door if you do the right things, in my book, anything that slows a bad guy down is enough, because what you're going to be doing is, oh my god, my phone is gone, get me to another device to do the remote wipe. So if it buys you five minutes, enough, you know, that like, that is alternative. So I think that's true of people like us who know about this, but for my father-in-law, if he were to use a smartphone, it wouldn't even occur to him that that's something that he needs to go do if his phone got stolen. True. So it's not just get to the, you know, get to them before they get to you, it can be, I don't even know I need to go do that. That's a fair point, but I guess if the criticism is don't set a passcode because it's not perfect, my answer is it doesn't have to be perfect, you're just trying to buy yourself time. Slow down, yeah. Yeah, I still don't understand why nobody's, none of the pundits are saying, Apple, you really need to change this. Well, because, most I've heard is they need to give us an opt-out button, because that's kind of what they do, because there's two risks here. There's a risk of losing your Apple ID and not being able to access your stuff, there's a risk of having someone take your phone. So for, like, the risk for most people, to be honest, is that you're more likely to lock yourself out of your own iCloud and need to recover it than this is likely to protect you. So it's a bit like that severe Lockdown Mode they offer to people in high-risk environments. A button, just give us a button, that's all I want. Yeah, I would like to have the option to opt out of this, is, no, no, I'm gonna be able to do this, yeah. But okay, all right, that wasn't on our agenda. What's on our agenda today, Bart? We've got a good deep dive, I think, here. We do have a deep dive. It's good in the sense that there's some meat to it, but
it's not good news. The TL;DR starts with the sentence, this is bad. There is no fire extinguisher icon. Critical Android baseband vulnerabilities, in the plural, there are four of them. Project Zero is who discovered these, and Project Zero are very well known for being extremely rigid about their 90 day policy. They will go public. This is a Google, Google Project Zero, by the way. Yes, they are a, correct, yeah, they're part of Google, somewhere in Google's, I don't know where they, whether they're Alphabet or Google, but they're somewhere in that hierarchy. Right, and okay. They are infamous, famous, known for being very strict on the 90 day. They have decided this is, so they find something, if they find something they give you 90 days to fix it and then they publish it, whether, if you don't, whether you respond or not, they publish. Exactly, yes. They consider this to be so bad they're doing a halfway house. They're telling us that the bugs exist, they're telling us vaguely what the bugs do, but they are not releasing the details because this is so bad. So that, that's some context. What is affected? Okay, so what is affected with this, what is, what is the problem? Okay, so your, your phone has your normal processor that makes it be a computer in your pocket, but it actually has a second processor that makes it be a phone. It's called the baseband processor, and that's the bit that does all of the engineering for talking over radio waves to the cellular network, and it actually has its own little CPU and its own little operating system in there, and that operating system is very tightly linked to your real operating system, to Android in this case, and so if something gets in. I did not know any of this part. Oh, there you go, see. I did not know there was a separate computer for the, a separate processor for the telephone part. That's interesting, okay. And so it's a computer, it's got an operating system, and that, that operating system is very, very tightly integrated with Android, and that means that if anything gets into
that operating system, when it gets to Android it's not coming in as, like, low level unprivileged user, it's coming in with system privileges, because it's like really low down, brains of the phone, right, your phone being a phone. When you say coming in, so, so this, this, this processor for the radio is running a version of Android? Which, really its own OS actually, but it's talking to Android. So Android is running on your phone's real processor. That's what I'm trying to get to, is it's talking to Android on your real processor, the computer in your pocket part? Yeah. Okay, all right. And so when it's talking to that, it's talking to it like at the kernel level, it's like not just root, it's like super root, deeper than root. Yeah, it's the deepest level. So there's kind of a fuzzy line between whose job it is to, to manage these things, but anyway, different manufacturers make different baseband chips and they have different firmwares and different little mini operating systems, and there is a bunch of chips made by Samsung. Now don't think that means it's only Samsung phones, right. These are, Samsung is a massive conglomerate, they make everything from ships to, you know, monitors. Like, one of the things they make is these little chips that are the little cellular brain for phones. And okay, just so, just like we might have a Qualcomm chip in an iPhone, there are Samsung chips in more than Samsung phones. Yes, yes, they say, that's a perfect analogy there, because the other big players would indeed be Qualcomm. So Project Zero found four bugs in the firmware, the little mini operating system, on a bunch of these Samsung made cellular chips, and they allow a remote attacker who knows only your cell phone number to execute arbitrary code with zero user interaction and zero, it's completely stealth, you can't see that it happened and you don't have to do anything. That is as bad as it gets. Do they have to have access to the phone? No, they just need to know your cell phone number. Oh geez. This is why they're not
releasing the details, right. This is, this is a five alarm fire. Well yeah, and, and there's reverse lookup for phone numbers, right, that, that exists. Right, so the TL;DR is that as of today the only phones we know for sure are safe that are Android are the Pixel phones, because Google's March patch fixes this for Pixel devices who do use the Samsung chip. So, so they were affected but they've already fixed it. Yes, and so every other manufacturer that has the appropriate chip needs to put the new firmware in their chip, and you as the end user will get that through effectively an operating system update that comes via your device, because in Android land, yeah, yeah, or, okay, sorry, Bart can see my face of horror right now when he says you have to get a software update from your hardware vendor. Oh, from the hardware vendor, not from the, so if I've got a Verizon Android phone that's no longer getting OS updates. No, no, so Verizon don't make phones, Verizon, they're a cell phone carrier. I mean, I know, but Verizon is who, is who controls what OS updates I get in the United States. Okay, then it's even worse for you. Okay, then it's even worse than I, I'd forgotten that extra layer of indirection. So that means that if Verizon sold you the phone, and then Verizon are going to get the fix from whoever made the phone, and then Verizon have to give a, say Motorola, they don't anymore, but yeah. Yeah, so Motorola would have to fix it, give it to Verizon, and Verizon would have to give it to you, which they probably won't, so, because they don't. The silver lining is there is a workaround. There is a way to stop your, it's basically to stop your device executing the problem code. You need to turn off two features, Wi-Fi calling and something called voice over LTE, which is often written as VoLTE, with the lowercase o and an E on the end. So video LTE, voice over LTE. So guess what, if you live in an area or, say, a house that doesn't get cellular coverage, your only way to make phone calls is with Wi-Fi calling or Skype. Sarah
Lane was talking about she has to drive 10 miles to get a cellular signal from her house, and I was thinking about it in her context. In my context, AT&T just doesn't, for some reason, work indoors. Inside my house I have to step outside of my house to use AT&T to call. If you have Verizon and you're sitting inside my house, you're fine. Don't understand it. When we had 2G radios it was fine, 3G radios it worked fine, as soon as they went to 4G it was gone. I have to wonder if, like, there's some sort of metal structure in your house that's too close together for some frequencies to fit through or something, your little Faraday cage, if there's some wire mesh somewhere that at the right frequency doesn't work. So turning off Wi-Fi calling is really impractical for a lot of people, vast swaths of the United States. I'm guessing vast swaths of places like Australia might not have cellular coverage. Holy cow, yeah. So thankfully the Pixel phones are covered. We are expecting that the major vendors, like your, your Samsungs and stuff, will also be good about fixing this, so the chance that, if you have a high-end Android phone, you're probably going to get okay here. Oh good, rich people are fine. I know, this is, this is what's wrong with Android. Phones across the globe are the, the cheap ones, right, are the ones you get for nothing with a cellular contract. Yeah, and this is the problem with Android's model. So Google have worked around a lot of this by having a lot of the updates to the core operating system comes through the Play Store, so they're basically taking most of the operating system and pretend that it's part of the Play Store, and so when they send Play Store updates they're actually patching, say, 75 percent of Android. I remember after you read that, that big report on things they'd done better and you discovered that piece of it, but this isn't in that. No, because this is way too low down, right, this is way, way, way too deep down in the stack for this Play Store to fix you here. So we really are
dependent on the hardware vendors and whatever path is between the person who made your phone and how you get software, which is going to be different in different parts of the world. So how do you even give advice to friends or family? Yeah. Can you tell, is there any way to tell whether a phone has gotten the firmware update? That, only if your vendor says we're good. Only if, so only if someone in authority says we are covered for CVE, where's the number here, 2023, on this specific, that's the magic number, specific device. Yes, but no, it's, the manufacturer can't just say it, because I can have, you know, let's say Motorola, they don't do cell phones anymore, but let's say they did. Motorola sold me the phone, Motorola says yep, we fix CVE-2023-24033, we're good, unless you have an unsupported phone because it's too old, because it's a year and a half old. Well, they would probably say, if the, the answer you would probably get would be, if your device is showing as firmware version blah blah blah or later then you're good. So that's usually the way. You can see the firmware version, there's going to be a version number somewhere in the About, in the About This Phone screen. Okay. That will tell you where you are, but they'll have to give you the details. Okay, after we're done I'm going to boot up my unsupported Android phone, because it's two years old, and find out what, if I can find a firmware number or anything about that, like, or even a software version. There will, like, the About screen will be able to give you some sort of a version number on something, so the chances are, yeah, the chance that that will be how they would tell you whether or not you've got patched on an older device. Has it updated itself in the last year will be, you know, like, this is, the only devices we know to be patched today are the Pixels, so every patch is going to be newer than now. So if, if it says last update a year ago, the answer is guaranteed 100% loop. But of course you may not have the relevant brand of chip, and there's no
way to know unless you start to desolder the bloody phone. Right, so this is the extra big thing, we don't even know, we don't even know what we don't know. Right, it's, it's a mess, it's an absolute mess, and it's down to this terrible model Google picked for how to deal with Android software updates. Apple is so right to disintermediate everyone and just, you know, Apple made the OS, got you, we've got you. I know, yeah, it's, ah, anyway, it's, it's a mess. And you could have multiple manufacturers, you don't have to be Apple built it, right. Android, Google could have multiple manufacturers but have negotiated in a way that they always control the operating system itself or the firmware, and the proof of that is Windows, right. Driver updates come through Windows. Yeah, yeah, yeah, right, right, right. And yet anybody can make them. Exactly, exactly, so it can be done. And just in case I haven't scared you would know, if you're wondering, well, what would someone do with something like this, the answer is this is exactly the kind of vulnerability the NSO Group want for Pegasus, right, spyware that's designed to, to watch everything that happens on a phone. That is what these kind of vulnerabilities enable. Targeted spyware. Target is Joe Biden's phone number, right. Now what this also enables, because this is so, this, this is such a trivial vulnerability, this would also just enable someone to just go, I just want Americans, I'm just going to go every possible phone number that starts with the area code for Verizon, and then just look out for, you know, banking logins and just steal some credentials. I don't think Verizon owns entire area codes, but I see where you're going. Every number that starts with zero zero one. Group, right, number, well, anything that starts with a plus one. That's what I mean, right, like, yeah, this is, so it can be used both for really targeted stuff or just to just blanket everything, and you only have to hit the, all of these things are about numbers, right. And why does spam exist? I mean, almost no one clicks
on it. Yeah, but for them to make money one in a million have to click, and you know something, one in a million click, and the central economics, more than that, yes, actually it's very, very profitable, unfortunately. So this is just, that's nice, thanks, Bart. Yeah, I heard about it but I didn't realize how bad it was. Yep, yep. Now stay tuned, there will be more details coming out about this, right, there, we're going to hear from all manufacturers, and I particularly hope we hear from Samsung very soon, because they are one of the biggest manufacturers, so if, if we can at least get everyone's Samsung phones up to date as well as the Pixels, we're in a better place. So anyway. Well, the reason I keep bellyaching about, uh, Motorola in particular and keep saying they don't make phones anymore is that's who I bought my phone from. Oh, so you bought one and then they went, you know something, we've had enough. And so they, I can't get any support from them, I can't get a, they just, like, nope, not us. Oh lovely, thanks, absolutely lovely. Right, so, what, that, that little palate cleanser, it's the inverse of a palate cleanser, right. So let's, let's move on, it's all uphill from here, even if some of it's still bad news. It has been Patch Tuesday. Microsoft were busy, 74 vulnerabilities fixed, including two zero days under active exploitation. So if your Microsoft product says, hi, I'd like an update, the answer is yes, yes, you may have your updates. Uh, by the way, when I talk to friends and family, I, I just love it when they say, should I up, yes. Is there a giant big red number one, right, or is it a number 20? Well, whatever it is, if, you know, it's giant big red, yeah, go. Anyway, the number of people who asked me for tech support in Antarctica, and they handed me their phones and there was a big number on the OS, I was just like, ah, you're killing me. Yeah. Um, worthy warnings then. There's one story here which probably would have been our main deep dive had it not been for that little Android thing. Uh, basically, if you have a Windows laptop
the chances are high you're going to get a firmware update soon, because one of the manufacturers of Trusted Platform Modules, or TPMs, used a, or they had in their documentation a, an example implementation which had a nasty security bug in it, and a whole bunch of hardware vendors just copied and pasted the sample and never actually took it any further than that. So those laptop vendors are going to have to push out firmware updates to actually put secure firmware on their motherboards, etc. This will come to you via the appropriate Windows channels unless you are in a corporate environment. This is not a five alarm fire, but, you know, so if you work in corporate IT and you have Windows devices and you're depending on FileVault, which is almost everyone in corporate IT, this is actually important and you need to check with your hardware vendor that you are getting these updates. For, for us regular NosillaCastaways, your Windows machine is very likely to get a firmware update in the next couple of months. Yes, you do want that. So this is the example you were just talking about: bad firmware problem, Microsoft pushes it out, fixes it, done. Yeah, none of this bloody, sorry, character, you know, carrier nonsense and whether or not you're allowed to have the latest OS. Exactly. Supported. Exactly. You are still relying on the manufacturer of your device to continue to provide firmware, but there's literally no way around that. There is no distribution model that does not involve the person what wrote the firmware having to fix the firmware what they wrote, right. It's, right, right. The question is how much is there between them and you, and you want as little as possible, and that's where, you know, you can say many things about Windows but they got that bit right. And actually they managed to also secure it, because of these today on Windows 11 and indeed Windows 10, you're not in the wild west anymore, right. They now have moved to a model where all drivers are signed, and yet they've managed to slowly move to
there without ever breaking everything, because those people who are making those laptops and doing those firmware updates, they now have to have digital signatures and everything on all of their drivers, but Microsoft managed to very slowly make that real by making it optional and then desired and then required. But we're now in a state where it's as secure as your updates from Apple but they're coming from lots and lots of people, so it's actually a very good architecture that we snuck into. We sort of by stealth arrived at a good system, which is nice. Moving on then to notable news, and this is, I, I'm putting this in the Security Bits because I think this is kind of a security story. So it is a known thing, it has a cool name, which is a dark pattern, right. It's not, dark patterns aren't magic, they are tricks that fool human beings into doing what is against their will for the purpose of defrauding them in some way. We call it a dark pattern because it sounds cooler than dirty trick. It's just dirty tricks. Uh, Epic Games, Epic Games have agreed to pay a fine of 245 million for tricking people into making purchases they didn't want in Fortnite using dark patterns. So good on them to get their comeuppance. Shame on a company so major to be up to this kind of shenanigans, that's just ridiculous. Uh, some good news: if you are a Google One subscriber, you now have a free VPN at your disposal, because they have rolled their VPN service into their Google One. So I saw that, but I don't know what Google One is. Well, I don't pay any, I don't pay Google for anything, but it's apparently, it's their, like, equivalent of Apple One, where if you buy Googley stuff you get all your Googley stuff together. I'm guessing maybe it's your YouTube and your Office, your, whatever they're calling it, not Office anymore, Workspaces. Uh, they change the name every week. Yeah, yeah. Okay, so like, maybe whatever Google Apps for Business was, that got rolled in. Grand, rolled around and round and round. Yeah, well, whatever they're
calling it today, if you're paying Google for stuff and you're a Google One subscriber, you'll know what it is. You now have a VPN. So yeah, that's very good. And then the last story here is from the United Kingdom. It actually pinged on our Slack, podfeet.com forward slash slack. Um, Signal have, sorry, WhatsApp have joined Signal in telling the UK government in no uncertain terms that if they go ahead with their Online Safety Bill, which would basically end end-to-end encryption, they're sodding off out of the UK. And that seems to be, that seems to be the front everyone's putting up. This is, this is another one of those examples of the politicians are absolutely certain that they can both have encryption and scanning for CSAM. They're convinced it's possible, right. It's like, yes, reality, math, forget all of that. So I don't know if the, how this is going to play out, but anyway, it's another strong voice saying no, this is stupid, and you know, WhatsApp does have some weight. Glad they're pushing back. Yeah. Hey, I need to back up on something I've been saying over and over and over again here. Motorola does sell the Moto G7 that I bought. I'm pretty sure what happened was I bought it, like, through Google originally and it's Google who wouldn't support it. But I've just done a little bit of research, I have my Moto G7 in front of me, and, uh, I checked, and Motorola is selling the Moto G7 right now on their website, and I just checked software update and it says your software is up to date, security patch level February 1st 2021. Done. Sometimes it goes back and it checks again, but this is why I contacted them, like, a year or two ago and said, hey, well, how do I get the software update, and they're like, uh, well, I don't know. That's terrible, that's, selling the phone, they're selling it. Oh, actually no, no, hey, hey, I just scroll down, it does say unavailable, but I was able to find it on other websites where I could buy it. I could buy it for $179 at Walmart right now, so that's not a used phone. Wow, yeah, terrible model. Those are the
phones I don't think they're going to get those little updates, Bart. No, no. Bad, okay. Um, I have annual rant about Android done. We're now climbing up towards palate cleansing. On our way to palate cleansing we're passing excellent explainers. So one of the changes Apple is slowly making, and it's been nudging these changes for a few years now, um, Apple wants to get third party software vendors out of the kernel, because kernel code is very, very high privileged code, and what you want is to have the kernel as locked down as possible for the security of your OS. And one of the last big players left in the kernel that is used by millions and millions of people are cloud sharing apps, so your Dropboxes and all of those. And so Apple have created an alternative mechanism for those apps to integrate with the Finder that doesn't involve a custom kernel extension, and that is called their File Provider API. And so you may notice your apps are changing subtly where they're, they're moving from being under My Places to being under, I think it's Network or something, like they're, they're moving around inside the Finder. All of that's to do with the companies adopting this File Provider API, and if you're curious. They're under Locations. Thank you, yes, there. I see it right here, OneDrive, Locations, yes, and they used to be under, I see Google Drive, Keep It, and Dropbox. Actually it was worse than that, they were at the top level of your user account, so under Allison, the first thing it said was Drive. No, I don't want you there, and I try to move it and it would go back or it would stop working. Yeah, well, anyway, there's now a whole API around these things, and so these are all being standardized. So if you're curious as to what it means and how it works, there's a fantastic explainer that really goes into the most detail I've seen anywhere on, shock and horror, TidBITS of course. Um, so if you're curious what's going on, it's File Provider Forces Mac Cloud Storage Changes, and they go into all the details, you
know, the what, the why, and the what are you going to see as, as a user, what, what difference is going to make. And for most people it's not going to make a difference, but for power users there may be some crankitude, because you can't choose where the folders go. They're going into your Library folder inside this subfolder called, I think it's Cloud Files. There are, this locking down has effects, but for most people most of the time it's actually going to be nicer, because you're going to have this nice consistent thing where they all have that same green tick box if it's downloaded and the blue circular thing if it's syncing, and all, they're going to get, all of that is going to be consistent whether using Drive or Dropbox or OneDrive. So for most people, a lot better. I was just delighted when I saw the move and I didn't know why, but, uh, it sure made me happy. Yeah, so they're all coming to the standard API, so they're all going to be the same, which I love, I love the consistency. So anyway, details there, it's very good post, very detailed. Which then brings us to palate cleansing, which you brought us along, and it just made me laugh so much. It's just a, it's a, I love this so much. Uh, someone named Annie, goes by soicottic on, uh, looks like on, on Twitter, she wrote: every time I have a programming question and I really need help, I post it on Reddit and then log into another account and I reply to it with an obscenely incorrect answer. People don't care about helping others but they love correcting others. Works a hundred percent of the time. I think this is amazing. You're hacking the squishy organic. It's genius, it's genius, it's absolutely genius. And it really is, and true. It's, in my experience a lot of people do like helping other people, but I bet more people like correcting than like helping, so I think it's fantastic. I think we double like it if we can help someone by correcting someone else. That's like, we go, yeah, yeah, that's like two endorphin hits, right. We'll be, we're doing, we're helping
someone is prize and we're telling these people they're wrong, like, that's win win. Well, it comes to mind the, oh shoot, I can't remember the guy's name, but there's a, an account that, it's basically, it's a troll, it's this person who posts just completely wrong answers to things, like as though they're just incredibly dense, like they don't understand stuff, and then people engage with this account and start arguing with it, trying to figure out, like, going no, no, no, you don't understand this, and they just say things that don't make any sense, and it drives people bananas, and it's hilarious when you know the joke, when you know why it's happening. But it'll be stuff like, you know, the moon is two thousand miles away. Well no, it isn't, why are you saying that, you know, and they'll say, because of asteroids. You know, it's just like, they don't make any sense, it's just one of, right now I can't remember the name of it. This reminds me of the famous xkcd, you know: are you coming to bed there? No, I can't. Why? There's, there's someone on the internet and they're wrong. Oh, I'm such that person, I, I am such that person. I just found out yesterday that the b in IMDb is lower case. I just noticed it and I, I tooted out, why has nobody ever pointed this out to me and said I'm an idiot? How could that happen, how could I be this many years old? And I, I had somebody check, they said it's been since like 1990, it's been lower case. Never noticed that, never, never, ever noticed. I noticed for the simple reason I am forever trying to figure out whether it's DataBase, capital D capital B, or whether it's database, all one word, because that will determine whether or not you should capitalize the B in DB. I think it's database, I think it's DB, capital D capital B, so I think they're wrong, therefore I remember. But it's argued. Wait a minute, so you're saying whether or not, in the, in the title of the thing, they did it all caps, right, Internet Movie Database, IMDB. So if I'm writing about a DB this and a DB that, it's capital D capital
B, so if I'm going to put it inside Internet Movie Database, surely it's IMDB. But you have other people say, but the word is database, it's one word. I was like, no, it's hyphenated. It's like, no, Bart, it isn't hyphenated. I was like, should be, but you know me and hyphens. Um, so anyway, it's a whole thing. Hang on, I got Steve to tell me, it's Ken M, and he puts them up on, on Reddit, and it's hysterical. So if you go to reddit.com slash r slash Ken M, that's where they're collected. It is one of the funniest things you've ever seen, it's just wonderful. Excellent, I'm going to add it to the show notes. Yeah, please. I'll put it from Steve. Oh yes. All right, well, like I say, it's been a strangely quiet two weeks, so that's all I got. All right, well, I'm glad there was only one truly horrible long thing. Yeah, yeah. Anyway, remember, if you can and as much as you can, stay patched so you stay secure.
All right, that's going to wind us up for this week. It's good to be back in the saddle. Did you know that you can email me at allison at podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. You can follow me on, at podfeet at chaos.social. Remember, everything that starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways, even Bart. You can support the show at podfeet.com slash patreon, remember, we really do need some new patrons, or a one-time donation at podfeet.com slash paypal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. NosillaCast standard time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.