Hi, this is Allison Sheridan of the NosillaCast podcast, posted at podfeet.com, a technology podcast with an ever-so-slight Apple bias. Today is Sunday, March 5th, 2023, and this is show number 762. Well, next weekend is Steve's and my 40th wedding anniversary, so we're sneaking off for a weekend of wine tasting with our dear friends Dean and Suzanne, whom we met when they crashed our romantic dinner for two in Sedona on our 20th anniversary. We won't be home on the weekend, so there will be no live show next week. I'll tell the chat room: no live show next week, March 12th. Now, to give my voice every chance to heal, it's quite likely that the show won't come out until Monday, March 13th. Don't panic, the show will go on. Hi, this is Allison's assistant, elevenlabs.io. As you can tell, Allison's voice took yet another turn for the worse. She asked me to tell you that we got some great listener content submitted this week, so she's going to hopefully move the content she had planned to next week, so you don't have to listen to the gravel machine any more than necessary. We've got a segment of Security Bits, too, so it's going to be a great show. We'll get to that content soon, but let's hear what she's been up to this week. I got to be on the Daily Tech News Show with Tom Merritt and Sarah Lane this week. I haven't been on the show in ages, but not for lack of Roger trying to book me. All the trips we've been on have really gotten in the way of my guest appearances. We had a blast doing the regular tech news, and then we talked a bit about my advice for tech on travel. Tom and Sarah and Roger have some bonus content they do for their patrons, which they call Good Day Internet. Normally, it's just a random discussion, but this week, Roger had a quiz for us, and it was absolute anarchy and hilarious. Tom would read a description of a movie that Roger had written, and the question for each movie was, what was the name of the computer?
Sarah, Len Peralta, and I were the participants, and we barely got any right, even though we knew these movies really well. Four of them Steve and I actually own, and I still didn't get any of them right. I'm not sure why it was so hilarious, but it really was fun. You can find this episode of the Daily Tech News Show at the link in the show notes of your podcatcher of choice. This weekend, Barry Fulk came to visit Steve and me. Barry is a good friend of the Apple community and was instrumental in the event that is now known as MacStock. When Bart put out his call for panelists for his Let's Talk Apple podcast, I realized Barry had never been on the show before, so I invited Barry to be on this month's show in my place. Bart and Barry had a great time together, and Bart hopes to include him in the regular rotation of guests. You can find this episode of Let's Talk Apple in your podcatcher of choice under LTA 114, or follow the link in the show notes. Rod Simmons of the SMR Podcast and BBQ and Tech joins me to talk about password managers. After the recent breaches, and more importantly breaches of trust from LastPass, Rod migrated over to 1Password and changed all 400 of his passwords. We talked through what LastPass did wrong and what Rod appreciates about 1Password and misses about LastPass. I found it a really interesting conversation about UI design, trust, and what makes an app feel right. I'm going to keep going with the AI voice because my voice is really painful to talk to you with, but boy, am I enthusiastic as an AI, aren't I? In Programming By Stealth, Bart continues our miniseries on shell scripting. He explains the simplicity of looping and the four types of loops, while, until, for, and select, along with the simple syntax of do ... done within a loop. He walks us through a lot of examples that illustrate how each one of these loops works. He ends by giving us a challenge because teacher's pet Allison asked for homework last time.
And as always, find Bart's fabulous tutorial show notes at the link in the show notes. Okay, enough of that. Let's get started with some actual listener content. Hi, this is Donna from Southeast Michigan. I noticed something new in iOS recently and I shared it with Allison, along with Dave and John at Mac Geek Gab, another great podcast. Allison asked if I would record this for the show so she could share it with her devoted followers. Here you go. I'm typically my mom's driver for doctor's appointments, but due to a broken shoulder, my husband has been helping out. I wanted to share contact info with him for one of her doctors so he could use Maps, and I noticed something which is new to me, anyway, called Filter Fields. It shows up when you open the contact card, scroll toward the bottom, and touch Share Contact. This is great. When I only wanted to share someone's phone number or address before, I would copy and paste or send a screenshot. Now you can just uncheck anything that you don't want to include within a contact card and send only what you want to share. For example, you might not want to forward someone's contact photo, birth date, cell phone number, or their private email address. In many of my contacts, I have a lot in the notes section, and I've heard before that those do not transfer when you share a contact card. This doctor's contact didn't happen to have any notes, so I tried it with one that does, and notes didn't even show up as a filter option. I think that's probably a good idea to prevent accidentally sending private info. And here's a helpful tip I want to share. My mom sees a lot of doctors and I can't always remember their names, so I enter "mom" after the doctor's last name and their specialty under company. I also enter "mom" on the contact cards for her insurance agent, accountant, attorney, pest control, snow removal, lawn care, and even a few of her neighbors. It makes finding their info so much easier. I hope some of you find this helpful.
Thanks to Allison, Steve, and Bart for all their hard work. I listen to a lot of podcasts, and this is one of my favorites. This is great, Donna. I wonder how long the Filter Fields drop-down has been hiding in plain sight. Donna wrote this tip up as a blog post as well, and she's got screenshots walking you through how to do it, along with a sweet photo of her husband escorting her mom away to a doctor's appointment. I hope all of you heal up quickly, and thanks so much for bringing us this useful tip. This is the real Allison checking in for just a moment. I did want to thank Donna for her kind words. The AI didn't think that was necessary, I guess. But that's very nice of you, Donna. I appreciate it. After Donna sent this in, I also gave her another tip that Lindsay gave me a long time ago, which was the idea of using emoji in your contacts, and that helps you be able to see visually the ones that you're looking for. So she now put stethoscopes next to all of the doctors that her mother goes to. So that was kind of another good visual aid. And in the live chat room, Mike, also known as Grumpy, suggested making a mom contact group and dragging all the ones in that are just for her mom, and that way she could see those contact groups. So that's another great tip, and I appreciate that, Mike. For our second listener review, we'll be hearing from Bill Reveal. Bill is the guy who helped me migrate my entire web server, fixed the plaguing encoding problems I had in the database, and, in combination with efforts by Bart, made it as fast as it is now. I will be forever in Bill's debt for how stable and well-controlled podfeet.com is. If you appreciate that as much as I do, think of Bill every time it makes you happy. As if those contributions were not enough, Bill has a terrific review for us. Greetings, Allison, Steve, and my fellow NosillaCastaways. I'm kind of wondering if you even have to be able to pronounce NosillaCastaways to be a NosillaCastaway.
Anyway, Bill here with too many problems to solve, but for one, I'm a grouchy, obstinate old geek that is headstrong when it comes to computers. As the old saying goes, I hate all computers. I just hate my Macintosh the least. Despite being a long-time user of Dropbox, there's one thing I've always hated. Everything has to go into that one silly Dropbox folder. iCloud has its own folder. OneDrive has its own folder. They force me to use their directory to use their syncing. My Dropbox folder is a real mess. I need a syncing solution that allows me to say, sync this directory, that directory, and another one on this computer, but over on that computer, those same directories can be anywhere I want them to be, even with different names. Furthermore, I have a folder I want to sync with my friend over there and no one else. Oh, wow. How about something really silly? And this really just happened. I want to synchronize a folder in Dropbox on my Mac with a folder in OneDrive on my friend's computer and a folder on a Linux server that doesn't have either. Ha, I need the power. Enter Syncthing at syncthing.net. Syncthing, in simple terms, is a private, secure, and free Dropbox, limited only by the size of your hard drives. Its only downfall is it has no iOS capabilities directly, although that doesn't stop me. The Syncthing developers are very proud of how open Syncthing is. As in, it is based on an open protocol, it is open source, available on GitHub, under open and active development, and open to discussion regarding that development. It works on the Mac, Windows, Linux, several BSD flavors, and a couple of others. On the Mac, there are two ways to install Syncthing. You can download a binary installer, which turns a mostly command-line app into what looks like a native Mac app. You can also install it using Homebrew, but it isn't very Mac-like. I recommend the official binary installer found on GitHub. It just makes life easier.
Once installed, most people configure it using the admin GUI, which runs on a built-in web server that was installed and launched by Syncthing. You access it using any browser located on the computer on which Syncthing is installed. If you use the binary installer on the Mac, it is as easy as selecting Open from the menu bar. You can also install it remotely, say on a Linux server like I did, using the command line. After installing, you make a couple of configuration changes on the remote computer, primarily to give remote access to the admin GUI, after which you use a web browser to finish the configuration. But when working on Macs, or Windows, I guess, the setup is mostly painless and obvious when you use the installer. It is important that I point out, because Syncthing has a lot of options and ways of doing things, some people find it intimidating. However, the documentation is well written and provides all the answers you need to get up and running. I found that I could quickly get two Macs syncing with each other within 10 to 15 minutes using the basic configuration and very little reading of the docs. Because of the way it works, I didn't have to worry about IP addresses. Each computer is given a Syncthing ID which you use to connect the two, since part of Syncthing's protocol involves discovery servers and relay servers out there in the cloud, which makes connecting computers all over the place easy, and because everything is encrypted, secure. Once set up, it works just like Dropbox. If I do something on one computer, it is eventually changed on all the remotes. Now, the keyword there you may have caught on to is "eventually." Sometimes Syncthing isn't necessarily fast at synchronizing. I truthfully haven't noticed it, but others sometimes complain about the speed. Apparently, this is often due to someone incorrectly configuring Syncthing by messing around with things that ought not to be changed, but sometimes it is due to the way it moves data across a network.
It encrypts and breaks the data up into blocks to transfer the data, sort of like BitTorrent, but it's not the same protocol, so no worries there. Ironically, because of the way it transfers data, the more computers you synchronize to, the faster each computer may be updated. Bonus: the data transfer method also means very large file transfers are not a problem. As I said, I want the power, and Syncthing does its best to give it to me with all kinds of options. For example, I have Syncthing watch a directory that contains my active projects. My projects mostly are Git repositories, but it can be a waste of space and bandwidth to synchronize the hidden .git directory, not to mention an occasional .git merge conflict. Syncthing allows one to exclude files and directories by name or even regular expressions, per folder and per computer. That way, my local copy of a website under Git can synchronize with a website on a web server, but there it doesn't have those thousands of hidden .git files. I have the power. I have been using Syncthing for several years with no issues and a lot of peace of mind that those things that I wanted synced are done so securely and without issues. As I've changed computers, added and removed folders to be synchronized, even replaced my main Mac after a catastrophic failure, I haven't lost any data that was synchronized. So if you want your own private and secure and free Dropbox-like experience, check out Syncthing. I know I don't have the enthusiasm of expression of the real Allison, so I appreciate you bearing up with listening to me. By the way, services like elevenlabs.io cost money, and if you appreciate the work I did to help Allison out, maybe you could throw her a dollar or two by going to podfeet.com slash Patreon or to podfeet.com slash PayPal. Thanks, and let's get on with the show. What's that time of the week again? It's time for Security Bits with Bart Busschots. How's it going today, Bart? It is going good today.
I managed to, I set out with the aim of doing a two and a half hour cycle, and I got home and it said 2:30:31. So out by 31 seconds. Oh, that was a pretty good estimate. Nice, nice. It's good. Yes. It's actually raining here again. Oh, wow. I've been trialling. Yeah, we passed our annual rainfall in two months. On the whole, given you've had a drought for like a decade, I guess that's good. Yeah, except for those poor people up in the mountains. There's people who haven't been dug out yet. They've been stuck up there for weeks now. Yeah, it's not great, but yeah, yay, no drought. Yeah, okay. Well, we have an odd show today. So there's very, very, very little news, but it's actually two quite juicy deep dives. So basically two deep dives and then like three minutes and we're done. I think you said this show is going to go. Okay, sounds good. So the first thing we definitely want to talk about, since we spoke about it so much over the last couple of months, is LastPass. And it feels like someone took the entire leadership team at LastPass and replaced them overnight with a whole new team of people, because this final breach report is so different to everything that's come before. In terms. Different in a good way? Yeah. This is what I'm used to seeing. Like, this is the industry I work in day to day. And this reads like what I'm used to reading. This is a normal document. This is what you would have thought would have happened when the first breach happened. Yeah, yeah, exactly. This is like, this is how companies are supposed to respond to breaches. This breach report has all of the things I'm used to seeing, all the usual euphemisms. And I've just realized there's one thing I should have put into my show notes that I didn't think of.
But another thing that strikes me is even from day one, their actual response was a lot better than their communication implied, because the very first thing they did, right back in the middle of summer for the very first breach, was they employed Mandiant, who are probably the best company in the world to dig you out of this kind of a hole. So even when they weren't communicating with us, they were doing the right thing from day one by getting someone like Mandiant to come in. So that was good. So it was more of a comms problem than a procedural problem, possibly? Possibly, yes. Actually, with hindsight now, it looks like they, yeah, definitely comms, and they admit that. Actually, they say that in their own stuff, that one of the biggest lessons learned is that they need to do better at comms, and they do justify it by basically saying, until we knew what we were talking about, we wanted to say as little as possible. But now in hindsight, we realize that wasn't a good idea. It's like, yeah, you're dead right. It wasn't a good idea. So I am much less negative about the company than I was a week ago, which is interesting, because they hadn't made me their friend. But I like what I read, mostly. So we should say what they've done is they've released a lot of stuff. It took me an entire walk to read it all, is how I judge these things. Normally I read all of my stories on my morning walk on Sundays, and today the only thing I got done on my walk, and I had to do all the other show notes when I got home, the only thing I got to read was what LastPass released, because it was a blog post that linked to lots of other documents and I decided to read them all. I did skim some of them because there's only so many hours in the day, but they released a blog post which is linked in the show notes, and that's the starting point. Read that, and it's not too long, and then it will jump out to all the different things, and then jump to the ones you care about.
I would very strongly suggest jumping to the one that says "recommended actions" if you are in fact still a customer. Because that one you definitely should do. The other ones that are interesting is they have a really detailed breakdown now, data field by data field, about what it is they're storing, whether or not it's encrypted, and a little description about what it is. That's fantastic to have that level of detail. So you now know exactly what's in the structure, like what is in your vault, what is stored in your account. It's all there now. And then if you really care, like if you want to know what happened as well as what you should do about it, then you have detailed reports on the two security incidents. So we now understand, big picture wise, what happened. So in the first incident, the attackers didn't really get anything of any value. So they used existing vulnerabilities in other apps. So the key word in the industry is endpoint security. In other words, they had people working from home, and the computers, the PCs being used by the developers, were not as well secured as they should be. So that's your endpoint, right? And that's one of the things COVID made a lot more difficult, is endpoint security. Because when you were working in industry, you would go into a place. There would be lots and lots of computers. They would be managed to within an inch of their life. You as the user could do almost nothing, right? Right, right. How different is that to working from home? Right. Just a smidge. Just a smidge, right? Windows XP or something, right? Exactly. So a whole big thing the industry is completely rethinking now is how to deal with what they call endpoint security. And the answer is that you're going to end up running agents on your machines at home that are going to enforce a level. Basically, what the agent will do is it will check that everything's okay and only then allow you to log in to work resources. So it's effectively an extra factor of authentication.
The factor being your machine is not virus riddled. And that's the answer to these things. But the thing is, that only happened in the last year or so. So last summer, I can promise you there are many, many, many, many, many companies around the world who hadn't caught up with the new best practices. And so a lot of people would have been suffering from the same issue of endpoint security. So one of their developers got some malware onto their computer at home. And that malware allowed a keylogger to be installed on the developer's machine. And that keylogger was able to listen in and basically learn secrets. And by learning the secrets, they were able to get at the developer environment. So they couldn't access any real data in the summer. The only thing they could do was to look under the hood at how developers work at LastPass. And so they could see the source code, which may or may not have been interesting depending on whether or not it was good source code. But it gave them insight into how the company works, not actual user data. So hang on, but didn't they get the developer's credentials through the keylogger? Right, but the developer's credentials to the development environment. Okay, okay. And not to... I thought they got the developer's credentials to the S3 blob or something like that. No, that's the second time. That's take two, right? That's the second attack. Oh, sorry. Sorry, I'm reading ahead. You're too... You're slightly ahead. So the first attack they got in, and the first thing they did was engage Mandiant, and they destroyed the development environment. They just blew it up and started over, which is, again, exactly the right thing to do. If you know bad guys have gotten in, it's almost impossible to clean up. So what you do is you rebuild clean. And so they did all of that.
But of course you can't extract out of the brains of the attackers the knowledge they have learned about who makes up the teams, who reports to who, how, what's normal, what's not normal, right? So what you have is an insight into how this place works. You have an insight into the human beings. And that's what they leveraged for the second attack. Not a technical thing, a people thing. And they were able to use the people knowledge to construct a very convincing phishing attack, which allowed another set of malware to come on to another endpoint that wasn't as well protected as it should be. And this time, they got the developer's credentials for the cloud storage that stores the backup, which meant that they could download backups. So that is the story of what happened. And it comes down to, I guess, sort of your lessons learned are: you need to get better at endpoint security, but that's you and all of planet Earth, frankly. That is just, that is where we are today. The other thing that I would argue, they were, they were behind, and based on what they have promised to do, they are about to get very caught up. But another thing that's become a new, five years ago this wasn't a thing, but today this is a thing. Everyone who has a large organization should be collecting all the logs, like far too many logs, more logs than any human being could ever do anything with. And you don't give those logs to a human being, you just feed those logs into an AI. And that AI has been trained on normal. And that AI will alert your human beings whenever the AI sees something that the AI hasn't seen before. And so your security team is basically relieved of a whole bunch of drudgery, but you need to have the log collection working. You need to have the AI trained, and then you need to have the professionals to respond to the AI's alerts, to actually do the investigations. So that involves tooling, resources. So it's money, people, and time is what that involves.
And that is where everyone in the industry is racing to get to, because that is now the new normal. But again, there are more companies on planet Earth not at that ideal than at that ideal. Now, you could make the argument that someone in LastPass's business should not be on the tail end of the distribution. They should be on the other tail end of the distribution, right? But again, I think the impression I get is not of a company that was bad at security, but a company that didn't have enough resources to stay current. So they were doing what was good two or three years ago. Okay, okay. Which I think is a resources thing. Part of their business model is they give a lot of it away for free. And maybe they gave too much away for free. There is that, a certain thing. And there's also the fact that they were at the time owned by venture capitalists, who would have put an awful lot of pressure on them to make returns, which means that investment in the future becomes heavily discouraged. Whether that be explicit or implicit, the pressures on people are to make money, make money, make money. So that's not a healthy environment for proactive security. An environment where you're told to cut corners. So that doesn't help. But basically, there wasn't a clanger in there. There wasn't an "aooga, aooga, someone was negligent," "aooga, aooga, someone did something blatantly bad." This is just, this is how corporate IT is in most companies. And these people should have been ahead of the curve, but they were just on the curve. And so you can complain that they shouldn't have been on the curve, they should have been ahead of the curve. But okay. So all in all, that seems pretty good. The other thing that I took away is that their descriptions of how they are responding to this made sense. So they have made promises for the medium term and the short term. And they both seem realistic. So they're not promising the sun, moon, and the stars.
They're promising actually concrete deliverables that I would read and go, yeah, you could do that in six months. And they seem sensible. So that, again, is a decent response. Where was all of this six months ago, three months ago, right? Maybe this was going on and they weren't telling us. Either way, now that they've actually shown us the plan, it's a good plan. Well, I mean, you can't really say, why didn't you instantly know all of the root causes of why you had a problem? Correct. It's not really realistic. Absolutely, yeah. So I guess the issue is they communicated as if they were clueless. Whereas they weren't clueless, they were just being silent. They could have done better to give us the impression that they were on the ball, as opposed to giving us the impression that they were covering their, you know what? Right, right. So the final thing I do just wanna sort of say is that if you've made the move to 1Password and you're now hearing me say things that are at the very least not negative, whether, I'm not gonna say, this is not me saying they're brilliant. This is me saying they're grand. Like, this is so much, I thought these people were terrible, they're actually grand. But I'm not saying they're brilliant. And if you were sitting there going, yeah, I moved to 1Password, that was a lot of hassle, was I hasty? No, you weren't. Because even if they do everything they promise and they do it on time, their fundamental architecture is still inferior to the one 1Password developed. Because while they're doing a lot of work to encourage you, both with carrots and sticks, to make your master password better, the entire security still rests on that master password. And you can still type 12 terrible characters into a password and it will still work. So the human is still far too involved here.
Whereas 1Password's architecture is built where the password is a second layer sitting on top of a foundation, which is a truly cryptographically random key you can't control and you can't mess up, which guarantees the security of your account, and the password is a bonus on top of that. Because those two are hashed together, right? Those two are hashed together, they both become part of the final key. So... So that tells me I should make my password on 1Password just "monkey." No, because that's protecting you. Maybe one, "monkey123." That's protecting you from something else. That's protecting you from a random person sitting down at your computer while you have your back turned. Okay. But it's not protecting you from a cloud breach. Your protection from the cloud breach is that really super strong key on your printed-out recovery kit. Okay. And that is a fundamental difference between the two, and I know where I want my stuff to be. I want it to be in 1Password. The other thing I would say is that 1Password has a track record of not just being on the curve; 1Password has a track record of being ahead of the curve. They are on the very, very front edge of this, and they have been for a long time. Even as the company was sold, they have retained their edge. They are, like, in the show notes later on is a news story linking to a video of them showing a preview of their passkeys support. Right. They're not trailing. You can use it today. You can actually use it today. Oh, I messed up. Well, you can use a passkey. You can create a new 1Password account without a password. I missed that this was already available. Oh, wow. I thought this was a preview of what's to come. Cool. I thought that was, you could already do it. Yeah. So back up a little bit. One of the things that was problematic was that they didn't have enough passes through the encryption. PBKDF2, yeah. Yeah, okay. So let me say that. I get to PD and I run out of digits.
I have to mentally say it in my head. Can I ask my question first? Let me ask my question first. So the problem was they didn't have people set to enough encryption passes. And so for example, my vault was at 5,000. Now they had started doing people at, whatever it was, 50 or 100,000, but they didn't retroactively do it. Now they said in this report that it's gonna be 600,000, and they're going to set it to 600,000 automatically, they're gonna retroactively change everybody's. But if they lost your data when it was at 5,000, all of those passwords are vulnerable, right? Absolutely. Whether they're smart now, whether they're communicating well now or not, it doesn't change the fact that the data they lost is vulnerable. Absolutely, yes, absolutely correct. So all you can do is make things better going forward. They don't have a time machine. They can't go back in time and undo past mistakes. So absolutely everything they're doing now to encourage better master passwords, everything they're doing now to make things better in the future, absolutely none of it provides any protection for the data that they have already lost. So let's talk about the backups themselves. One of the things you had said was that we didn't know the dates of the backups. Backups could have been, maybe you had gotten changed to 100,000, but at some point in time you were at 5,000; when were those backups? Do we know the answer to that now? Yes-ish, kind of. It turns out we actually can't really know the answer, and I should have realized that it wasn't so simple. So I, in my mind, I was thinking a vault is a thing, right? I was thinking of it as an atom, right? There is a vault and they have taken a backup of your vault. But actually, what you see as your vault is a collection of different pieces of information stored on different media, and the backup is of the infrastructure. It's not a backup of your vault, it's a backup of the vaults. I'm not catching the distinction, Bart.
Okay, so what you think of as a vault is actually made up, is not an atom, it's a molecule. And each of those molecules is sitting in different things. Some of them are database records, some of them are files in a bucket. They're in different places. The parts of your vault are spread out across multiple systems. Okay. And the backups are of the systems. So there is a backup of the database. There is a backup of the stuff in the bucket. My data in the database is in the same backup with your data in the database. And your data is spread across multiple things. So your data is sharded, is the technical term. So your vault is actually lots of pieces, and those pieces are with other people's pieces, and there are backups of all of these pieces of everyone's vault here, and there are backups of all these other pieces over here. So the concept of a date for your backup doesn't even make sense, because there are many dates for different pieces of your vault. Okay. But the question was, what was the number of passes when that backup was taken? Right, but even then that doesn't help you very much because, okay, so let's say, let's even leave aside the fact that it's not atomic, which makes everything a hundred times more complicated, but let's pretend it doesn't do that. Even if it was just a file, there's still a second thing that I also should have grokked but didn't. So what is in the backups depends on two things: the backup policy and the times that you edit it. So if the backup policy is "retain the five most recent edits," then if you edit your vault once a year, then for you, if I steal the vault on a Thursday, it's five years ago, was the worst backup I have kept for you. But if I change my stuff every week, then for me, it's only five weeks ago. So the backup policy plus your activity. Why wouldn't that be the case? That doesn't make any sense to me. They do a backup on a certain date. Not necessarily. It depends on the backup policy, right?
Backup policies are often on a per file level, right? If you configure a backup policy on a backup server, you say, I need to keep these files, the last five versions of this file should be kept. Well, if that file is updated five times a day, then five versions back is a day's worth of the backups. If that file is updated five times a year, that same policy means that some files in the backup are five years old and some files in the backup are five minutes old. So knowing the date the backup was taken from plus the policy is still not enough to know the date of specific pieces of data because the question is, well, how often was it edited? Well, so does that mean that LastPass users still need to assume that every one of their passes is vulnerable? Absolutely, yes. That is the bit I bolded in the show notes. Don't even try to figure this out. The worst thing you ever did in your entire time as a LastPass user, the silliest password, the poorest configuration, assume that is what you have and act appropriately, and then you cannot go wrong. Let's take it off the user. The least amount of encryption passes that they had. Right, exactly. That's what I mean. Assume the worst case because that is actually the only safe assumption and then react appropriately, which I think means that, oh, who's that you had the wonderful interview with last time on Chit Chat Across the Pond? Well, just Rod Simmons. Thank you, Rod. Perfect, yes. This week? Yes, it was very recent, yes. That was a lovely interview. I had a little chuckle to myself when I was reading the data fields, on one of them was equivalent sites. I was like, I know someone who's very fond of that feature. Anyway, so yes, we have to assume the worst and react appropriately. Now, there is an advantage, like no one only got into LastPass very recently, and so he was like less than a year. 
So he probably had enough, I know he had a strong password and he had enough passes through because the default was 100,000 then, so whatever it was. So that's, he's probably fine. He's at very low risk because again, it's the old analogy, you don't have to outrun the bear, you have to outrun your neighbors. So there are millions and millions of vaults. No, they're gonna sort it by that number. Absolutely they are, of course they are. So just don't be the most vulnerable and you're very safe because the reality is there's a glut in the market here of vaults to crack. So, whereas Rod had been with them for 12 years, that's changing every single password. Right, but the other thing to bear in mind is there are still two factors, right? So the first factor is the passes, but your password is still your password. So even if you had one pass and you had a really good password, you're still actually very safe because they're gonna spend so many dollars of GPU power because this is all done in the cloud now, right? So the bad guys are doing an economics exercise. They are basically saying, I'm going to spend a maximum of X amount of dollars of compute power to try each vault. And if your vault outlives its economic value, it will not be tried any further. So if you could have the least amount of rounds but a really good password, they will try it because you're on the list of people who are potentially vulnerable. They will try you, but if they don't break you within an economically viable amount of time, they'll move on to the next one because the chances are someone had open one, two, three as a password. Okay, okay, so low number of passes with a good password would not be as economically viable as low number of passes with a monkey one, two, three password. Yeah, so you will get, basically, if you have a high number of passes, you probably won't even get tested. They probably won't even try you because they could just spend their money elsewhere. 
But if you have a low number of passes, they will try, but they're not gonna try forever because there's so many vaults to crack, right? They're gonna have a configuration in their script that says, after I have spent this much money, move on. Someone else will have a worse password, move on. So you're not trying to be perfect unless you're someone like, if you are the president of Intel and they know you are because they have your email address. Well, they're going to throw, like the economic value of that vault is so different, right? But again, remember that the bad guys are not, they're not doing it for ideological reasons. They are profit-driven. And then actually- It costs a lot of money to crack yours. Yeah. You want to make it cost a lot of money for them to crack yours. Yeah, and it also means that you can think about it in terms of, am I worth it, right? And if I have a really strong password, then actually it's just not worth it. It's not economically viable. And these people are thinking purely in terms of economics. Yeah, that's really interesting. I could say, follow the money. One thing I, we haven't mentioned in all this conversation going from LastPass to 1Password is that 1Password will honor the amount of time you had left on your contract with LastPass. Clever. So if you were six months into a one-year subscription, they're going to honor that for the next six months. That's, I mean, that doesn't cost them a lot of money, but it's very good PR. So that is, that is, that's thinking. Up there for thinking, you know, that's good going. Yeah, I think so. Just looking at my own show notes, something else I just thought was worthy of sort of hanging my hat on here. So when I was interviewing for my new job, one of the things I spent a lot of time doing was reading the threat reports for the previous year. So what were the large cybersecurity companies reporting as having actually succeeded at attacking people? 
So what is it, what is it like out there in terms of the environment? And over and over and over again, all of these reports had the same final paragraph, like the executive summary always had the same bit at the end. Basic security hygiene protects from the vast majority of attacks. The basics are still the most important thing. So how did the bad guys get in here? Vulnerable software, not enough software updates, not enough patchy, patchy, patch patch. On end machines that were obviously, that were allowed to connect to a trusted system, but there was nothing verifying that they were fully patched before they were being allowed to connect. In other words, no endpoint protection. You're basically, your equivalent of Microsoft Defender or whatever wasn't running on the machines, basic, basic stuff. Once they were authenticated, they weren't being continuously re-challenged. So the modern zero trust idea is that you constantly re-challenge for authentication and you make people prove they are who they said they are and you make people prove they are secure. So again, the modern tooling wasn't quite deployed. And then the other thing is that you assume breach and you have monitoring in place to find the breach that you know must be happening. So there's your lots of logs, lots of proactive monitoring of it and that kind of stuff. But these are just the basics. And I say just. That last one is what, that last one is the thing that Rod talked about. I'm not sure you talked about it on my show, but he talked about it on some other ones was, why didn't they notice that this particular user was downloading this giant file? Yes, yeah. And that is what the modern tooling will flag to you, right? Right. So I see this stuff in action. That's an unusual blip. Bing, bing, bing. And that should generate an alert as long, you know, anomalous user activity, it'll probably have a stupid type like that, right? But that will in a modern system generate an alert. 
And that alert, generally speaking, will actually have a diagram. So the way these tools work these days, there's now a standard for these things. It's called the ATT&CK framework, with the A's and that symbol. Don't know why, but anyway it is. And there's actually a way of graphing these data. So you actually see a picture representing the mailboxes, the files, the processes, the users and how they're all connected to each other. And the IP addresses involved. So you'll be presented with an email that says, there's a new alert, black title, and it will give you a list of all the things that made it suspicious and a graph showing how it's all connected. So this IP address was all of a sudden doing this, this, this and this. And it will tell you, there'll be a column called attack story. And it will tell you, this is the first time this user has ever connected to this SharePoint. This user downloaded two gigs of data. Normal usage for this SharePoint is 500 megs a day. This user has never before connected to this shared mailbox. And they've just downloaded thousands of emails. And so when you read that as a human being, you immediately go, oh, oh, and then probably at the very, very bottom of the attack story is, there was a vulnerable version of VLC found on this computer. And then you go, ah, I see how this came to be. These two things shouldn't be together. Yeah. And so that is the kind of tooling that's in use these days. But again, you have to pay people to acquire, configure and operate these tools. So it's just, it's just resources, right? So you need to have enough staff so that they have enough time to actually continue to learn because what you need to know today is not what you needed to know a year ago. So your security staff need to have 10, 20% of their time available for learning. 
Your staff need to have another 10, 20% of their time available for review, reevaluating the current architecture to refresh it. So if you don't have enough people to do one and a half times the work, you don't have enough people. Oh, wow. Right? So I say just because it's not rocket science, it's just resources. Just resources, that's all. Because people like to think, right, that these kind of big hacks happened because a really smart hacker has found a zero day and they've done some amazing nation-state level hackery. No, it was a vulnerable version of VLC on an endpoint without antivirus, that's it, right? Right. It's really boring, 99.9% of the time. So you can flip that around and say that the silver lining is that we know how to fix this. You just have to put the resources into the basics. Okay, that's all. That's all, just my most evil word on planet Earth. So anyway, I think that covers the basics of where we are with the LastPass thing. And did I miss anything? Yeah. Nope, that's what I wanted to know. Cool. Deep dive number two, then, is triggered by a story in the Wall Street Journal by the wonderful Joanna Stern that has gotten a lot of attention online for a very good reason because while this- Oh, I don't want this to be true. I don't like this one. I don't wanna hear it. Actually, I think it's another one where the simple stuff protects you perfectly. So- Okay, fine. The backstory is there have been anecdotes and anecdotes are terrible because they can be easily dismissed and you don't really know what to make of them. But there have been anecdotes about people swearing blind that they had a good iCloud password with multi-factor authentication and when their phone was stolen, the attackers somehow managed to disable Find My and lock them out of their iCloud. And there were anecdotes. And so people had two reactions to those anecdotes. Either the zero tech reaction, these people must have reused passwords or they must have really bad passwords. 
Or the other approach, the other people jumped to the conclusion that, oh my God, these attackers have like those GrayKey devices that only law enforcement could buy. That must be the attackers. But they were the two responses, either they have no tech or these bad guys are amazing, right? They're James Bond villain level of attackers. And now we know the truth and it's way more banal. It is neither of those things. So I remember this happening. It's probably about 10 years ago. But Apple added a feature to make it easier to get back into your iCloud account when you inevitably forgot your password, that if you had a phone that was logged into iCloud, that phone had the power to reset your iCloud password. That feature still exists today. You can go into your phone. Because you're already logged in? Because you're already logged in on a device that you have proven control of because you have it in your hand. So you can today go into your iPhone, go to Settings, click on the iCloud icon at the very, very, very top of the Settings page and go and click change password. And you can change your password without knowing your current password. What you will be challenged for is the PIN or password to your phone, not the PIN or password to iCloud. So. So you're right. But it's always asking me for my password. That's in the normal run of things, right? But you can change it there, right? So if you forget it, you can change it there. So that means that the security of your iCloud account rests on the security of your physical iPhone. So the way this has been working is that people, the attackers have been working in gangs. So they go to a busy nightclub and some of them are just shoulder surfing. They are watching people use their phones and when they see someone enter a four-digit PIN into an iPhone, they memorize it and then they steal the iPhone later. That person there, the blonde, we know their PIN code, you can nick their iPhone. 
And they're just working as a team, floating around a room, shoulder surfing, targeting people for theft, shoulder surfing, targeting people for theft. So then they have the physical phone and they know the passcode. So all they do is they log in, they change the password and then they disable Find My. And if they can do that within five minutes, which is quite easy to do, they have probably locked you out before you know your phone is gone. And so you say five minutes because at that point you realize your phone is gone, you would go to another device to try to lock it out. Yeah, I mean, how quick can you type? I mean, you could probably do it in less than five minutes or I've been very generous there. If you've practiced this and you know all the strokes, you can probably take a phone, tap, tap, tap, tap, tap, tap and get through the whole process in a minute. Right, if you're the kind of attacker who's gone to the effort of learning this, you can probably do it in a minute. What my point is, you can do it very quickly. So the idea is they disable Find My? No. Two things. So the first step in the attack is to change your iCloud password. So that they now have your iCloud password, but you don't. Then they disable Find My. Okay, and disabling Find My is what disables your ability to declare it stolen? Yeah, because they have basically- That's where stolen, that's where somebody stole my devices. Yes. Okay. Yes, so they basically get to pretend to be you, therefore all of the usual theft protections are now gone because they have your iCloud password because they just changed it. So then- Okay. They are now effectively the owner of the phone as opposed to the loser of the phone. And a side effect, because they don't care about this, right? They're interested in your phone, which they are going to sell because it is now an unlocked phone that can be sold because it can now be assigned to a new Apple ID because it is not activation locked anymore. 
So they have what they want, but as a side effect to get it, they had to lock you out of your iCloud account. So all of your photos, all of your contacts, all of your calendars, if you're using iCloud for your email, all of your email, you've been locked out of that too. And you may or may not get that back. You possibly can if you post a scanned copy of your passport to Apple and stuff, I'm sure you can eventually recover. But this is not a minor inconvenience. This is a pretty major inconvenience. This is everything, yeah. Yeah. So the lesson is, don't think of the PIN on your iPhone as being a small matter. The PIN on your iPhone is really bloody important. And so I very, very strongly recommend that you follow the advice that ZDNet and many others are giving, change to an alphanumeric because you don't actually have to type it in very often anymore because with biometrics, the biometrics will do it for you automatically until either your face triggers, either you failed a few times because you weren't really looking at your phone and it fired anyway or because you're wearing a mask or something. So you might have to enter it once or twice a week. And I think every five days they make you enter it, just to prove you're still about. But other than that, you don't really have to enter your passcode very often anymore. So if it is an eight character- I have to enter my passcode daily, at least daily, if not a couple of times a day. Something happens that causes that. I don't know why- Maybe you leave it at a stand where it constantly thinks you're looking at it and then fails Face ID, because if it does that three times, that'll lock you out. No, it's not like that. It's like, I just, no, I don't know. It just fails. Okay, well, my experience is it does that very rarely. Sometimes it will do it when I leave it on my charge stand and it's looking at me, but I'm not looking at it. 
And then it's failing to do Face ID and then it's going, I'm not sure about you anymore. Do you want to just prove yourself to me again? But you don't have to set a password that's 50 kibillion lines long, right? What you want to happen is that when they ask you for the passcode, you get a keyboard, not a giant big number pad. So immediately, shoulder surfing has just gotten way harder. And then you want it to be six, seven, eight characters. Like really, how hard is it to shoulder surf? It really doesn't have to be huge because at the end of the day, I would also recommend you turn on the setting that says wipe my device after 10 failed tries. So that protects you from the old fashioned, I've stolen your phone and I'm just going to have a go. So you can't be shoulder surfed because you now have this tiny little keyboard and at least six characters to type in. So that makes shoulder surfing all but impossible. And again, this is a gang operating in a nightclub with thousands of people. You don't need it to be impossible to get in. You just need to not be the easiest to attack, right? We're back to the whole economics of it, right? So don't be the person. The other thing is, I think John Gruber's response was, do you remember when you first got your first ATM card, how you covered that PIN pad? Treat your phone the same. So that people don't shoulder surf, right? And that's all you have to do. So you don't need to panic, right? And to me, this is really good because that mystery of those anecdotes has been niggling at me. Each anecdote on its own is dismissable and each anecdote on its own is impossible to make an inference from. But I've seen a lot of these anecdotes and I've felt a bit uncomfortable that there's a shoe here. Is it going to hit me on the head? And there we understand where those anecdotes were coming from. So on the whole, this is a good warning we can action. So I don't see this as a bad news story. 
I guess so, except I didn't want to change my passcode. That's all I was complaining about. There is another trick. So Cult of Mac and a few other places have recommended this. Parental controls is a different password. So if you enable parental controls on your own phone, you can't get into the iCloud settings with just the phone's PIN. You need the phone's PIN plus this other password. So this other password is never going to be shoulder surfed because you don't enter it in the normal flow of things. It can be 11111. That's funny. That's funny. What else do you lose when you turn on parental controls? I think you're going to end up having to type the stupid password sometimes. So if you make it 111111111, it won't get in your way a lot, but you don't do that normally. So it can't be shoulder surfed because you don't type it in. So it can be stupid. It can be a stupid password. It just has to be not the same as your PIN. That's interesting. So it's an interesting hack. What about unlock with Apple Watch? If you had your Apple Watch on and they grabbed your phone, they could unlock it right while they were near you. But that won't let them change your password because as soon as you go to iCloud to go change my password, you have to enter the PIN. Oh, that's right. They do need to know what it is. They do need to know what it is. They always have to know what it is. So the shoulder surfing step is required. So again, good hygiene. Cover up your screen when you're putting in your passcode and have a passcode that's hard to shoulder surf. Even if you turn on alphanumeric and just make it be 11111B, even that makes you way harder to get than regular folk with a four digit passcode. Just having the keyboard appear is such protection. The thing I think I've said this about 85 times. I'm going to say it again as I've always thought about at our gym, they got rid of the locks where you could put your own lock on and they put in this thing where you set these four digits. 
And so when people go up to their lock, they unlock it, they put in the four digits. A lot of them don't scramble it afterwards because they've just gotten into the lock. And I guarantee you that that's their ATM code. Probably. And it's their iPhone code, right? Right, which are both in there. So if you shoulder surf them, you get into the thing and then the chances are the same digits are going to get you into all the other things. You're dead, right? And their ATM card is in their wallet. Yeah. So you've got your bank and everything. One thing, I don't know that this is a fact, but on MacBreak Weekly when Leo and the gang were talking about this Joanna Stern article and what happened, Leo kept saying over and over again, this is also true of Android. It is also true of Android. I have heard that from reputable sources that are not Leo Laporte, but are security publications. Not that he's not disreputable. No, no, he's not an expert in the field, right? Additionally, yeah. Yeah, I mean, Leo is well-meaning and often right, but he's not a cybersecurity expert. So yeah, no, he is unfortunately right. And the reason is very simple. Before this feature was added, the amount of people who were opening support calls because they were locked out of their iCloud was huge. And this made Apple's life massively easier and frankly, also the users'. This is one of those features that on balance is a good thing, but the downside is we need to be careful of our PINs. So you don't think Apple's going to undo it after all this publicity? They might tweak it a bit. They might make it opt-in or no. They might make it opt-outable because they're not going to get rid of it because this would lose all value if it was opt-in, right? Because the people who need this kind of help are the people who will never go in and find that setting. But you can make it opt-outable, that's easy. And maybe you can have an option where you have to have a different reset code or something. 
But I think just making it opt-out is all you need to do because if you have a legacy contact, I'm perfectly happy with my legacy contact set up to turn this feature off. If there was a switch, I would have pushed it. So if Apple's response is to make this an opt-out feature, I'm done. I'll just go in, I'll opt-out, and that'll be that. And I would, yeah, so yeah. Right, I think that covers us off on that one. So that gets us into our normal service, which like I say, there wasn't a lot of normal service, but it's not zero. I just have a few things to say. So Worthy Warnings is where we start, and this was a, this was a filing to the Securities and Exchange Commission. So when we talked about bad communication, GoDaddy deserve so much shouting at for doing a security notification to a federal regulator of their finances. That's how important they think cybersecurity is. They put it in their SEC filing because it might affect their earnings. Oh, but not to users? Like we found out about it because it was in a regulatory filing about their stock price. Oh, wow. They have had people in their system for years with the ability to inject malware into people's hosted websites. Wow. That is earth-shattering. So they were injecting malware into people's hosted websites for years. You said, you're saying years, but the article you linked to says it happened in December of 2022. Oh, did I? I read 2021 somewhere. I read 2020. It says December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers. I am delighted to have misread that date. I read 2021. Okay, good. Phew. Well, no, I'm sorry. Almost everything I said holds. The appropriate venue for this kind of disclosure is not an SEC filing because your worry should not be your stock price. Your first concern should be your users. Your secondary concern should be your stock price. Right, because your reputation is what drives your stock price. Yeah, it's just, oh my God. Ah! 
So if you're a GoDaddy user, definitely read this article. There are many great cloud providers. I shall say no more. Oh, also in the Worthy Warnings category. So this is sort of more anecdote than anything else. We keep saying SMS is a very poor second factor. We now have reports based on someone infiltrating cybercrime Telegram channels, Telegram groups. There are at least 100 separate data breaches into T-Mobile, which were used to power SIM swapping as a service cybercrime operations. So at least a hundred times they managed to steal credentials for the back office systems that power T-Mobile. In other words, the system where you go in to change the SIM card associated with a phone number. In other words, a SIM swap portal. So this is why we say that SMS is not secure. 100 times in 2022. 100 separate successful attacks. The other thing to say is there's a lot of people now starting to rethink their password managers and stuff. So some security researchers went looking to see are there malicious apps in the Google Play and Apple App Stores, or at least grayware apps trying to cash in on this newfound interest in password security. And the answer is yes, there are. There are apps promising to be your second factor, your code generator apps. And the best case scenario is they charge you like $40 a month recurring stupid subscriptions. So they're just milking you. Worst case, one or two of them have been found sending copies of the private key behind the two factor authentication to the developer's GitHub account. What are we gonna do about that? I presume report the apps, but I think basically you do not download a security app that does not have a reputation and has not come recommended to you from somewhere. And then just a timely reminder seemed to be just the thing of the week. So there is another random piece of Mac malware that is not news. The reason I put it in the show notes is because of how it is spreading. Pirated copies of Final Cut Pro. 
Don't pirate software. It's not free. It's infested. So, yeah. Okay, so that jumps us onto notable news then. So Facebook have joined the club of having paid-for verification. I don't think that's necessarily a bad thing. So the first thing to say, so we talked with the Twitter one about what does it mean to be verified? In this case, what it means is that you must provide government ID. So when Facebook give you a tick mark, they're not just asserting that you own the account. They're asserting that you are the human being you assert to be because they need government ID. So this is strong authentication. This is actually, this verification means something. They are also offering you identity protection. So if you prove that you really are Allison Sheridan, then if anyone else tries to sign up to pretend to be Allison Sheridan, you can use your, you basically get premium support. You can basically flag it under premium support and they will take the person down because they know you are the real Allison Sheridan. So they will protect your reputation proactively because they have verified you really are you. And that's all for the low, low sum of? 11.99 per month or a little bit more if you sign up on iOS. So Twitter Blue is a better deal even though they don't give you anything of any value. I would say the people who I would recommend this for are influencers. They are people whose financial well-being rests on their social media accounts. If you make your living off social media, this is a pittance. If you're making $3,000, $4,000 a month on social media, this is a pittance and it will protect your identity and your brand. This is a really good idea if you're a professional social media person, which is a thing now, it's a career. You can be an influencer. It's a job. So it's good for those people. Another thing that caught my eye is that someone has built a little tool that will scan for AirTags. 
So you can literally use this tool to see is there an AirTag hiding here? Because basically they're all emitting RF, right? So of course you can scan for them with RF. So someone has- That's kind of fun. Yeah. So I think that's cool and I'm hoping law enforcement buy a cabillion of these because it's a really useful tool. Holy cow is it ugly. Oh yeah, it's a very utilitarian device. That is revolting. It's beige with a baby blue rim around it. It's got red, it's got green, it's got black, it's got yellow and that baby blue and words everywhere with an Apple logo. Well, they're not gonna be allowed to do that. Probably not. But yeah, so anyway, I think it's good to see this kind of thing coming and hopefully a more tasteful one comes out but I want law enforcement to have these kinds of things so they can just, if someone comes in like, I think I'm being stalked by my ex-husband, that law enforcement have the tools to actually genuinely put you at ease. And I'm really, really, really hoping someone builds a scanner like this for those stealth Tiles we talked about last time. Right, right, right. And then this is a bit nerdy in some ways but I thought it was worth noticing. So since 9/11, the American government have had an official cybersecurity strategy and every couple of years they update their strategy which is wise. And the newest strategy has just come out and there are two important things that caught my eye in the strategy. So the first thing is that the administration would like to work with Congress and industry to remove the ability for software companies and cloud services providers to give blanket immunity to themselves in their terms and conditions. So when you open a software license, they all say, and we completely indemnify Microsoft from all harm that could come from using this software. They all say that because that is currently legal. 
What they're saying is we should move away from that to a model where there is a baseline that every company should do and if you meet the baseline, you get safe harbor. So if you're not being negligent, you still have blanket protection but you have to earn that blanket protection by doing the bare minimum. And so they now want to enter into the process of figuring out, well, what is a reasonable bare minimum? And then you'll end up basically with the equivalent, like with copyright protection. You have to respond to takedown notices and then you get safe harbor. In this case, you have to do certain baseline security stuff and then you get safe harbor. That seems like a sensible approach to me. Yeah, I know I've read a lot of the terms and conditions that people make you sign. And one of my favorites was a horseback riding thing where it said, no matter what happens to you, including death, it's not our fault even if we were negligent. And I talked to a lawyer about that and they said, yeah, they can write that. Yeah, even if we are negligent, it is not going to stand up very well in court. No, no, it turns out not so much. But yeah. And then the other thing that caught my eye is that the official assessment of the US government is that the biggest threat to both public sector and private sector cyber infrastructure in America is not Russia anymore. It is China. So the biggest threat actor is China. It's neither yea nor nay. It's a thing, right? Fact. Yeah. So it's just a changing scenario. China is well-resourced. Russia's busy. Yeah, frankly, yes. Ended up becoming soldiers probably, all those script kiddies. Right, and their economy's crashing around them in a heap. Yeah, exactly. So sorry, but China is on the ascendancy with a lot of resources and they're quite interested in industrial espionage and espionage, espionage. They're interested in a lot of it and they're good at it. 
So yeah, I'm not surprised this is the number one threat, but it's official. The biggest threat to America is China in terms of cybersecurity. And then we've already mentioned the nice preview of the passkey support in 1Password, which just rocks. Yeah, now I might be wrong, by the way, about that already being available to create an account without a password. I thought the future tense was used. I saw it quite a while ago. I thought the future tense was used, but either way, whether this is now or shortly, or whether it's in beta and that we're both right, that it is available but not universal, either way, this looks real good. And it's a nice video too. I like it. So that brings us on to palate cleansing. So the first one I have is, what I immediately thought of you, Allison, the moment this happened, I thought of you. So I have been working very hard to minimize the amount of news I'm exposed to, so I'm not living in a sea of negativity, but I don't want to be ignorant. So I've settled on a twice, a half hour twice a day from the BBC World Service with the world news. And I've been tolerating that, but they have just done something that cheers me up every weekend. They have decided that on Saturdays, one of their two daily shows is going to be dedicated 100% to good news. Oh, I love it, I love it. So they used to do this once a year on Christmas Day so they didn't have to work on Christmas Day, and now they have made it a weekly feature. And it is, like today's was the first one, it was so nice, an entire half hour of good news from all over the world, every week. I love it, so. Because they never tell us that stuff and there's a lot of good news. There really is, it was so nice. It was genuinely, yeah, it was just such a cool idea. And as soon as I heard of it, I thought about you and you're getting so cranky about bad news, bad news, bad news. So here you go, once a week, a dedicated episode of nothing but good news. So BBC World Service. Love it. Yeah.
So then you have a picture. So I've got one. Yeah, so the magic of the influencer, if you will, CGP Grey, when he does his videos, is he takes a topic that you probably think you know something about and you realize you don't know anything about it. Like one of them, once he did, was on the border between the US and Canada. I know exactly what that looks like. It's a smooth arc that goes from one side of our country to the other and it divides the two countries and it's perfectly normal. How hard can it be? And it is ridiculously complicated and it's hilarious because the deeper he goes, or if you think you understand the United Kingdom, no you don't, because he takes it to an absurd level of every bit of it. Well, he did one on the simple secrets of runway digits. And I got this from Barry Falk, but you told me that you had just told me about it recently and I don't remember. So do you remember the last time you picked the AI one? And I said, by the way, he's just done one on runways, it rocks. Oh, okay, okay. So basically it starts with, there's runway numbers. You see a runway, it'll have like an eight on it. What does that mean? And I sent this to a bunch of my friends, including Steve, and Steve said, well, that's the direction, the compass direction. I say, yeah, but it's more complicated. Yeah, but it isn't. And it's like, it's 30, no, it's 18 minutes long and it gets deeper. You end up diving down into iron molecules to understand why the runways are numbered the way they are. It's hilarious. It's really, really good. I enjoyed it quite a bit. Yeah. So I love that video. And I'm also like Alistair, I'm a bit of an aviation geek. So one of the things I love to do when the wind is from the Northeast is my cycle takes me towards the airport. So air traffic control is public. The whole point is it's supposed to be public so that everyone knows what every airplane is doing, right?
So there's a community of people, they're volunteers, and they run like little Raspberry Pis and they have little radio receivers connected to the internet, and they publish on a website and an iPhone app the live feed of air traffic control. So when you're near an airport, you can tune into air traffic control on your iPhone and you can hear what's being said while you're watching the airplanes overhead. So I like to play a little game where I try to see if I can recognize the airline, see how my eyesight is doing, before I hear the pilot in my ears, because I'll hear the pilot announce themselves as, you know, Shamrock 123 or whatever, which means Aer Lingus. And I'll try to guess what they're going to announce before they announce it. And then if you really want to learn how this stuff works, right? You can listen, there's a great app called Flightradar24 that shows you the airplane. So you can listen in to what's happening and you can actually watch the stack of airplanes. And then you can see how logical air traffic control is. It's English, but it's so meaningful. It's like a little protocol. It's almost like negotiating a connection over TCP or something, because the first word has to be the word hello. Klaus just did a review of Flightradar24 for the show. Brilliant, there we go. So there is so much synergy here. So I was thinking about this just the other day because Dublin opened the new runway. So for years and years and years and years and years there was one major runway in Dublin. It was runway one zero because it points east. And so for years I would have listened in to established runway one zero, whatever. And now there's two and they're parallel. So now we have runway one zero right and runway one zero left. And so I'm still listening in to air traffic control and for the first time ever, I was there while they were using the new runway. And so these controllers have obviously been working in Dublin for decades and there only was one runway.
So they have learned in their mind, the last thing you say to an airplane when it's landed is you basically tell them who to go talk to in the ground controllers. And this has been the same in Dublin for so long that I think the air traffic controller has seen it as one word. So the word is contact ground one two one decimal eight, goodbye. But they see that as like a single atom. If you land on the new runway it's one two five decimal eight. Not one two one decimal eight. 100% of the time when I was listening I heard them say contact ground one two one, correction, contact ground one two five decimal eight. Every single time. That runway has been in use for five months. Human factors are a thing. Anyway, two bonus picks and a little bit of trivia around Dublin airport. The other thing of course is that Dublin airport at the moment is being, I was at the airport the day before and there were no airplanes in the sky. And I was so disappointed because I'm finally going to see the new runway in use and there were no airplanes. Came home. All flights in Dublin airport grounded due to drone activity. Some gombeen flew a drone close to the airport. Oh no. And Dublin airport have drone detection devices but they don't yet have drone disabling devices. So they know every time a drone is launched and they can't do anything about it. So they have to shut the airport every time some idiot launches a drone. Anyway, so there we are. Well, we managed to milk that for almost an hour, Bart. Well, as the listeners know, your poor voice needs a rest. So there we go. Some free content and hopefully people enjoyed it. I did. Thanks, Bart. Excellent. Right, folks, until next time, stay patched, so you stay secure. That's going to wind this up for this week. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or a suggestion, just send it on over. You can follow me on Mastodon at @podfeet@chaos.social.
Remember, everything good starts with podfeet.com. If you want to join the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash patreon or with a one-time donation at podfeet.com slash paypal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.