Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, February 5th, 2023, and this is show number 926. Well, I simply cannot start the show without first giving gigantic huge over-the-top thanks for Bart and Alistair for producing the shows while Steve and I were gallivanting off in foreign lands. I think both of their shows were terrific and I had a really good time listening to them on one of our many, many plane rides, and it was also made possible because of Bruce from Tennessee and Steven Gatz. Like I said, I really liked listening to these shows, had a lot of fun. I'm so proud of our 17-year streak of never missing a single episode every week. I don't believe any other show can say that, and I do say we, because it clearly takes a village to keep this going. Well, next week, I'm gonna be doing a segment on tech and travel, but I did wanna tell you what an amazing time we had. We flew to Argentina, first to Buenos Aires, and then down to a tiny town called Ushuaia, which is referred to as the end of the world because it's the southernmost city in the world. From there, we boarded a 150-person cruise ship where it took two full days to get to Antarctica. In preparation for the trip, I created a very nice diagram, of course I did, and it was of all the places we were gonna go and things we were gonna see in Antarctica. It turns out, though, when you're on an expedition cruise, you have to be ready to just roll with the weather and end up someplace completely different. We only saw one of the things we were scheduled to see on my diagram, but it turned out that was okay because everything we saw was amazing. Imagine standing on a beach with 40,000 penguins. I'm not exaggerating. They went as far as the eye could see. We saw three different kinds of penguins. It was just spectacular. 
On the second half of the trip, we saw Iguazu Falls, or Iguazu Falls, as they say it, and that's the second largest waterfall area in the world, right behind Victoria Falls. It's on the Iguazu River between Argentina and Brazil, and it was positively astonishing. It was 1.75 miles long with 275 separate falls. Now, we never pictured ourselves as world travelers, but we are absolutely in love with going to exotic places and learning new things. If you ever get a chance to go to a weird place, say yes. As you can tell, my voice is not up to its usual dulcet tones. I finally got rid of my laryngitis and my cold from last time, and while I was on the ship, I got another cold back to back, so I'm not gonna do as much recording as I had planned, but luckily we have a Security Bits with Bart, and Jill from the Northwoods sent in a segment about Steam Deck, not to be confused with Stream Deck, and Bodie Grimm of the Kilowatt podcast did some interviews at CES just for us. I gotta tell you, it killed us not to be there to see him for his first CES, but we had to stay safe as safe as possible to make sure we would be able to go to Antarctica so we didn't go this year. Hopefully we'll get to see him there next year. This week our guest on Chat Across the Pond is Bart Busschots with Programming By Stealth number 144. When last we recorded, Bart started teaching us the basics of shell scripting using Bash. We learned how to collect terminal commands into a reusable shell script, but we didn't yet learn how to accept any kind of input. In this installment, we learned how to take inputs either from the execution of the command or from user input and how variable names are created for the different ways of receiving input. We also learned about exit codes, which are really more like error codes and how they can be used in Boolean logic. Now this logic, I should say this knowledge will come into play when we learn next time how to do conditionals and loops. 
It's a short episode and as Bart says, not a heavy lift, so I enjoyed it quite a bit for my first time back. And of course, as always, you can find Bart's fabulous tutorial show notes at pbs.bartificer.net and there's a link in the show notes directly to this episode. Hi, this is Jill from the Northwoods. When I switched over to Mac, I lost a lot of my Windows games. That was the last piece that I couldn't seem to figure out how to get on my Macbook. And some of the games would play in Mac, like Minecraft or even Civilization, which are two of my favorites. But then there were other games. Mostly I buy them from Steam and most of them don't translate over to Mac. So there I was, a bunch of purchase games, but I really enjoy playing and no real way of playing them on my Macbook. Now, one of the things about gaming is that it is the one thing I do for pure relaxation. I can knit and I can play podcasts and it's fun and exciting for me to do, but if I really just need to relax, I'm just stressed out. I had one of those days the other day where I just sat there and played a couple of hours of video games and suddenly my stress was gone. What am I supposed to do? Now, the good news is one of my favorite games, No Man's Sky, is coming to Macbook in Ventura. What about the rest of the games? What other options did I have? I could try Microsoft's Game Pass system and that works through a browser of all things, almost all browsers and all the games that you buy through Microsoft or are provided through that Microsoft Game Pass are available for you to play. Problem is one, I don't have that many games purchased on Microsoft. Two, you're streaming the game through a browser which means that it may not be as responsive as you hope it would be. The last thing is it's a $15 subscription which is only gonna go up over the course of years every month. The last problem is I have an Xbox X controller which does work with Mac. I played other games with it, works fantastically. 
However, it doesn't seem to work on Microsoft Game Pass with a Mac. Now, this was about six months ago and I haven't tested it since but I couldn't get the two to work together. Since most of my games are over at Steam which is owned by Valve, that also was a big setback. Then, Steam announces that they're gonna come up with something called the Steam Deck, not to be confused with the Elgato Stream Deck. This is just a gaming device. It's a lot like the Nintendo Switch, a small portable handheld item, maybe about the size of a loaf of bread if you sliced it the long way which also means it's very portable. So because the Steam Deck was coming out it was a natural obvious choice for me. All my games are on Steam. To talk a little bit about what the Steam Deck is, again, it's a handheld gaming item. It has Linux on the system itself and is pretty easy to grip. It has controllers and a very bright screen. It connects with USB-C. You can hook up a monitor through the USB-C. You can use Xbox controllers, Bluetooth mice, keyboards. So if you're into computer gaming and you're used to all the commands you play to play some of your games, it's easy to do. Many of the games that are on Steam are available to play on the Steam Deck. There are a few of them that aren't available but most of them actually do work even if they're not verified. There's very few of them that error in any sort of way where it's unplayable. I noticed that when I played Microsoft Flight Simulator which is not verified to be on the Steam Deck all you had to do is switch one of the loading settings which I found on the internet and it suddenly started playing. Fantastic. The bonus is that I can take it with me whenever I travel from work. I even brought it camping and didn't use it that much because I really tried to do outside things. There was some bad weather at the end of my trip and what else was there to do other than to sit in my tent and play with my Steam Deck? 
I also tried playing with it on my way back from California on the airplane and it was a good distraction. Although I was race car driving in fours of five and that caused me to be a little bit unstable when I drive around curves. I always drove right off the road every time we hit a bump on the plane but that's pretty funny in and of itself. So the Steam Deck for me was the perfect solution. Portable, has my Steam games and the price is not so bad. Plus it gave me a lot of availability to do other things. The systems are all exactly the same except for how much storage they have on them. I have a lot of games so I went with the 512 gigabyte system that went for 649. That one also comes with a carrying case. It has a better anti-glare screen on it along with the bigger storage. So for 529 you can get the 256 gigabyte version of it. You get a carrying case but not the exclusive carrying case. For 399 you can get the 64 gigabyte machine. It has a micro SD slot in it so that you can increase the size of the hard drive space by using the SD card. I put another SD card in that one so I even would have a little bit more space. I have a lot of games on Steam and some of them are pretty large. Four is a five, four is a four and Microsoft Flight Simulator are all really large games. Most of the other games themselves take a very small space. You can also buy a dock for it. The dock is $89 and it gives you a resting point with a USB connector. And then outside the back of the dock it has a 4K 1440 HDMI 2 display port. It has some USB 3 drives, a network port and you can also charge the device through it. So it is pretty handy. And many times I play at home I'm putting it through my computer monitors using the Xbox controller. Their website even shows more things you can do with the Bluetooth. But they say this is an AMD chip called an APU chip and it's optimized for handheld gaming. 
It's a Zen 2 plus RDNA 2 powerhouse which is enough power they said to deliver some of the biggest games out there. Forza can be rather intense along with Microsoft Flight Simulator with resources and both of them work flawlessly on the system. So it is handling some pretty high-powered games that even my Windows machines struggle to play. It says that the CPU can do 448 gigaflops and the GPU can do 1.6 teraflops. I'm not much of a flops person but if that means something to you, there it is. It's pretty darn fast. It has 16 gigabytes of RAM on board and it also has much more video memory available to it as well. The storage is what I said before that you can buy storage with the device and you can add more storage using the micro SD cards. The game controller itself is really nice. Some people talk about it being too big for their hands or too small for their hands. I have really small hands and it actually fits my hands very well. It has the standard ABXY buttons that you'll find on many regular controllers. That D-pad which is just the north, south, east, west controller, left and right triggers, left and right bumpers. It has two touchpads on it, four assignable buttons, steam buttons that will also take you directly to Steam Store and your list of games and two analog sticks that you'll find on a lot of game controllers as well. It has haptic reflex which means it can vibrate when you're doing certain things. I haven't played around with this much in the Forza game. Every time I ran over the grass or a building or something it would just vibrate which would annoy me. I mean the whole purpose of driving games is to run over stuff, right? The display's resolution itself is 1280 by 800. I think the screen is very bright. I mentioned before that I have really bad eyesight and I was worried that this little tiny screen was gonna be a problem for me. However, the screen is so bright, it's IPS LCD and I can see great on it. 
In fact, I can take off my glasses and still play and it's because of how far a monitor is away from you compared to how far a handheld is from you. I think it works great. It has 400 nits for the monitor and the display is about seven inches diagonal with a 60 hertz refresh rate. The screen is also a touchscreen which gives you one more way of controlling things. I find sometimes in Forza there's some menus that are there, it's much easier for me to just click on it than it is for me to route it through the controller itself. It supports Bluetooth 5. It has Wi-Fi for 2.4 and 5 gigahertz and stereo in it. But you can also hook it up to headphones if you want better sound out of it. It even includes a microphone for when you're playing games that are multiplayer and you need to talk to someone. It has a head jack directly on the device itself which makes it easy to hook up to other audio devices and it weighs about one pound eight ounces or 669 grams if you're in the metric system. So it's very portable, easy to pack, easy to use, super easy to take out on the airplane with no fuss. Just was a fantastic device overall. Sometimes the fan noise on it can get a little bit loud. People have complained about it and because people complained about it, they came up with better ways of dissipating the heat. I don't know anything about this but the fan now is much more quiet and you can tell they did something to make it better. The biggest complaint that people have when they play it and it's not such a big complaint for me is that the battery can play for about two, two and a half hours just on battery power alone. People feel that that's a little light. However, I think it's pretty good. I play it a lot of times when it's sitting in the dock and you can hook up a battery pack to it if you want to do that. I don't wanna sit there and play video games all day long like I used to a couple of decades ago. 
For me, when the battery runs out, that's a good signal for me to get back and do something else for a while. I read a lot of reviews and people felt like they wanted a better screen the next time. I think the screen's fantastic and I know I'm not a particularly picky person so it wasn't a problem for me. And then other people complained that they wanted a bigger drive, maybe a terabyte drive on the device but you also can hook up a hard drive to it with the dock and just keep it there. So when you're playing on the dock, you have all your games while maybe you take it with you, you could just have some of your favorites. The other fun thing is that if you want to, you can nuke the OS, this is literally a machine. I am planning on actually installing Windows on an SD card. I have a feeling that when some games come out and they're gonna be Windows exclusive games not through Steam, I'm gonna be kind of sad. So if I have a working Windows device on a micro SD card, I can play Windows games anytime I want. And to install Windows on the Steam Deck, it takes one micro SD card with at least 32 gigabytes of space or maybe even a thumb drive that you hook up to the dock. You also need a Windows PC to create the ISO file I think and then you just need a keyboard and a mouse that hooks up through Bluetooth and you're good to go. And it runs the full blown Windows, not even just the limited arm version. I'm looking forward to this project. They think it's gonna be fun to run Windows off of there, but I've seen people put other operating systems and other emulations on their Steam Decks so that they can play Nintendo games to make it almost like a Nintendo Switch. It is just a very small PC. The build you can tell is a very quality machine. I haven't seen one flaw in the build at all. This is a solid device. And if you've never been to Steam, the games library is absolutely huge. They frequently go on sale. 
Look at times like Black Friday and Christmas and other times of the year where they have amazing sales and you can get these games for only a percentage of the actual price. The other nice thing about it is I felt that the Steam button allowed me to quit games and go into another game quickly. Or like when I was on the airplane, just quickly shut the whole thing down and put it back in the case and then just pick it up when I pick up the game system later. So it saves your game. If you're on the internet, it syncs it up to Steam so that your saved games are available to you everywhere. So when I stopped playing Windows games, guess what? I put them on the Steam Deck and there's all my games exactly where I left them. I was just thrilled by that. I wondered if I was gonna lose anything at all. And in fact, I didn't. The other thing about Steam is that Valve is great with customers. They're very attentive. They listen to what people are complaining about and responded to it. So even the company itself is just fantastic when it comes to customer service. And what other fun you can have doing it is if you have a Steam Deck, you can call it a Stream Deck or a Steam Desk or a Stream Desk. I mean, it's all getting confusing because everything just sounds the same all the time. But it is much fun to play as it is to say rightly or wrongly. And at home, I never confuse my Stream Deck with my Steam Deck. Two different things, even though they're sitting right next to each other. And this is Jill from the North Woods. You can find me sleeping in a tent, playing with my Steam Deck. But if you have any questions, please feel free to look me up at Allison Slack channel. I'm around a lot of the times. And if you have games or things that you like to play on the Steam Deck, let me know. 
Well, I actually played that entire review for the live audience and a lot of people were jumping on saying they thought that the flight simulators wouldn't probably run very well on it because Steam tends to be a streaming service, but this is not a Stream Deck. It is a Steam Deck. And these files are actually local. The games are local. So she said that the performance on the flight simulators in particular was really, really good. The audience was pretty excited about that, two people for sure looking at buying them. George from Tulsa also commented on Jill's blog post and gave a link to some power banks that work well with the Steam Deck. But he also said something interesting. He said, it can be used in full desktop mode running a customized GNOME desktop and GNOME is what's on the mainline Ubuntu distribution of Linux. And he said, Linux desktop applications are available directly from Steam or can be sideloaded with terminal commands. Is that crazy? This thing is a little computer for a pound. He did also make a note that the cheapest 64 gigabyte version has an eMMC drive and the larger capacity drives are the much better NVMe. So he's got a couple of other links in there that are pretty interesting. But yeah, it looks like this one's stimulating a lot of interest. My grandson Forbes was listening and he got all excited when he heard them talk, he heard talking about Minecraft on this. Hey everybody, this is Bodie. Awkward intro. I had a chance to sit down with Dr. Adeel Akhtar who is the founder and CEO of Scionic. And what Scionic does is they make bionic prosthesis for amputees. And not only did I get to sit down with Dr. Akhtar but I also spoke with Brian who is an amputee. He lost his arm in a work accident approximately mid forearm. Brian uses Scionic's ability hand which works with his neuromuscular system. The ability hand's muscular system, it allows amputees to manipulate all five fingers and the thumb, which is pretty impressive. 
You can do different grips, you can do different hand gestures, even the rude ones. You can even use the ability hand to charge your phone. It's a pretty impressive piece of tech. I'm not gonna be able to explain this as well as Dr. Akhtar and Brian will. So let's go ahead and listen to that interview. I'm here with Dan and Dr. Akhtar of Scionic. Dr. Akhtar, why don't you tell us what Scionic does? So Scionic develops advanced bionic limbs that are affordable and accessible for everyone. Okay, and then how did you get into this? How did this become your passion? Yeah, this is something I wanted to do my whole life ever since I was seven years old. My parents are from Pakistan. I was born in the US. When I was visiting, I actually met someone with missing a limb for the first time. She was my age, living in poverty, missing her right leg using a tree branch as a crutch. It's what inspired me to go into this field. And how long have you been doing this? We've been working on this for seven years and we released the ability hand, which is a bionic hand meant for people who have lost their hand. In September of 2021, it's FDA registered. It's covered by Medicare in the US. And it's the fastest hand on the market. It's the first one to give users touch feedback as well. Oh, it gives you touch feedback. That's super cool. So the demonstrations is very hard for an audio podcast because this is a very visual demonstration. You guys actually stopped at the South Hall. You had people stopped at the front door blocking people because they were so impressed with what you guys were doing. How does it work? Yeah, so Dan, actually, you wanna explain how you're actually able to control the hand. So you lost your hand in an accident back in 2009. I lost my hand in a work accident. I met a deal in 2020 and that is when I started using the ability hand. And I've had many, or I shouldn't say many, but I've had two hands in the past and nothing compares to the ability hand. 
So I'm able to use it with sensors that are on my muscle. So as I manipulate my muscle, I'm able to open and close the hand. I'm also able to manipulate through different grips that we offer, which is about 32 grips that we have on an app. So I'm able to connect to my app and I could change my grips when I want and I can have it anywhere up from like four to six at a time that I could use. And how do you find like fine motor skills? We're able to pick up small objects. We've done raspberries without crushing them. I'm able to pick up fine things off of the table. I would say they're great. We talked about straight, you said you were able to pick up objects that are about 75 pounds. I could, about 50 to 75, we started Max not at 75 before the hand will disconnect from the arm, but the hand itself can handle it. It's just the arm, the prosthetic itself, it may be the problem. But working out, I could do about 50 pound kettlebell swings and like a bench press, that's no problem. Awesome. Is there anything else Dan that I should have asked you that I didn't ask you? I would just say everyday life, this definitely helps out. I mean, I'm able to cook with it, do things with my kids. I can even tie my shoe. It's definitely a helpful tool. And you've even broken boards with it as we just demonstrated. I will say the biggest thing I've noticed between this hand and other ones I've used is the durability. But like Adil said, we broke boards and it keeps working. Where other hands, you may bump into a table and they stop working. It's more durable. Is there anything that I should have asked you that I didn't ask you? So we're actually in the middle of an equity crowdfunding raise right now. And if anyone who wants to invest in the company, we've made the company itself accessible to everyone. So if you go to psionic.io slash invest, you can actually get in on the action. Okay, all right. So that's awesome. Thank you, Bill, for coming on the show. 
I hope you guys have a great CES. Thank you. So my audio gets a little bit quiet during the interview because I only had two lavalier mics. So I gave mine to Brian because what Dr. Aktar and Brian were saying was significantly more informative than the questions I was asking them. I wanna thank Brian and Dr. Aktar for agreeing to be interviewed. And the cool thing about this group, there's probably five or six of them running around CES. And they were everywhere. I saw them three or four times in different places. Is everybody on this team was energetic. Even at the end of the day, they were energetic and they were smiling and they make sure to say hello every time you saw them, they recognized you. It was just, they're a very cool company. And if you know somebody that needs a prosthesis or you're just interested in this kind of tech, I would go to psionic.io. Wow, this was great, Bodhi. I love to do accessibility interviews at CES and sometimes it's hard to find really good ones but this sounds fascinating. I love it when the guy said he could break things and what was it he said he could tie his shoe? That is some serious dexterity. That's really, really interesting. I can't wait to go over and see if I can find some videos on this. And thank you so much for doing this, Bodhi. This is great. I think, Steve, maybe we don't need to go to CES. We just have Bodhi do all our interviews. He did a great job. Now, I was gonna play two but we actually have a really long security bits because it's been a while and Bart and I've had a lot of fun just being together after a long time apart. So I'm gonna cut this off and I'm gonna save the other interviews Bart, sorry, save the other interviews that Bodhi did until next week. And Bodhi, I just love your introductions. It's, his awkward is his favorite thing to say about himself. I am so grateful to all of you who help pay the bills that keep the PodFeed podcast shows running. 
Whether you're a patron by going to podfeet.com slash patron and pledging a weekly or monthly amount. Or if you're like Kenneth and you send in an amount of your choosing using podfeet.com slash PayPal on a schedule of your choosing. Kenneth really made me laugh this week when he sent his PayPal donation and he does a regular donation and he wrote, sorry, I'm late. How fun is Kenneth? In any case, I thank all of the benefactors of the Podfeet podcast. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Anything go wrong while I was gone, Bart? I'm mostly fine. Although I had one of those weeks in work where in hindsight, it was a good week. But at the time it was a very stressful week. So our users never realized how close they came to having all of their internet access disappear. But, oh my gosh, what happened? Our DNS infrastructure reached a tipping point. It was like, I am fine, I am fine. I am not fine. It just did not think capacity just reached up and it just really hit a tipping point. So I ended up re-architecting our entire DNS infrastructure in a week, but I learned a lot and it was good. Helma will be pleased. So it didn't fall over in a heap, but it wanted to? Oh, it was so close, Allison. It was so close. We just about managed to limp through until I could get the new infrastructure spun up. But Helma will be pleased. Everything was done using Ansible. So that is a wonderful new concept, infrastructure as code. So don't build the server. Build the Ansible playbook to build the server, which is just a bunch of text files and then use Ansible to build it for you. So it's obviously a cluster to make it a highly available system. So do all the work on the first element in the cluster, build it up as an Ansible script and then literally stamp out a second server in five minutes. And if we want another pair, we can stamp it out again. Oh, it's brilliant. Is this the first time you've done that? 
I've been playing with Ansible for smaller projects. It's the first time since I started to become good at Ansible that something really big came along. One of the fun things is that with Ansible, everything is idempotent, which is a wonderful word. Idempotent. Idempotent, what it means is that you can reapply the same setting. If it's already in compliance, it will do nothing. So it is safe to just reapply. So if you say make the server a DNS server and it already is, it will just report back and say, I've done nothing. So it's completely safe to keep reapplying your template over and over again, which is the property of idempotence. Interesting, that's a fun phrase. It is a fun phrase. Was this with your previous hat as a vanilla sys admin or your new hat as a security specialist? Oh, that is definitely me going out on a bang on my old hat. My replacement is getting very, very close to starting work. So I'm very close to losing my old hat and full time having my new hat. Well, lots of fun stuff for the new hat as well. But actually, while you were away, I had a lot of fun. Got to watch an attack in real time from some naughty people in Lagos and watch them bang into Microsoft security features and fail utterly to get through them, which was nice. Oh, yay. Yeah, that's the one you want to see, right? It was really fun, actually. I was able to give a report to everyone else on staff. So yesterday, they tried to attack us from Lagos and here's how they fail at this hurdle and here's how they fail at this hurdle and then they tried this and that failed too. It was really nice. Oh, that's cool. Yeah, the problem is what you don't want to do in your job is have nothing reported. Right. You need to tell them, yes, they're attacking and here's why it worked all the time because otherwise it becomes like, you expect the water to come to your house or the pipes every day and they won't realize that it takes effort to have it do that. Exactly. 
And also, these tools, they're not cheap. Like, the good software tools you get to protect yourself on a modern enterprise, they don't come cheap. That's, Microsoft can give away a lot of stuff for very cheap to a lot of people but they make their money on the other side with the big organizations. So yeah, you pay for the tools. And so when you can see the tool. You want to make sure your bosses know that they're getting their money's worth. Yes, exactly. Oh, it's so much easier to ask for money for stuff when you can say, and by the way, it did this, this, this, this and this. Much nicer. So yeah, it's been fun. Well, on the security front, I did want to report one thing. I was completely and utterly unable to use PIA VPN when sharing shipboard Wi-Fi at whatever it was, 20 kilobytes per second or whatever the bandwidth was. I don't think the attackers could do much against you at that speed. I think, you know, the other thing you have to run, you know, don't be a tempting target. That guy's on the ship. What if, what if those other shipboard people were evil, you know? Roo, they could have got what was on your machine but they couldn't have done much else because they weren't getting anywhere with you. Right, right. Interesting. Yeah, anyway. Right, well, I did. Should we get stuck in? I was gonna say, I did keep the ship going while you were away, if you'll excuse the pun there. But yes, some more stuff has happened in the last two weeks. So some follow-up on some longer-running stories to start us off. Anker have come clean and admitted what we already knew. Their Eufy cameras were never encrypting stuff properly. We knew this because we could watch the video streams if you knew the secret URL in VLC. That means it wasn't properly encrypted or that would be physically impossible. So you're, okay, great. You've come clean. You've told us what we already knew and you've promised this time you're gonna fix it. No, no, no. Yeah. Seeing as we're leaving on that one. 
I'm getting tired of quitting people and quitting companies. I'm running out of companies, you know? Yeah, that is annoying because particularly because I kind of like Anker for all the other stuff and it made me very cranky. I know they bought Eufy and so maybe it's like when Amazon bought Ring, maybe they bought some baggage and maybe now they're going in to clean house and maybe it'll be fine. Prove it to me. Yeah, prove it to me. We shall see. We've also talked a lot about Apple's upcoming improvements to iCloud security over the, basically it's gonna be rolling out as 2023 goes on, right? Apple have promised us three things and have been slowly rolling them out to different parts of the world. And in January, we got FIDO tokens, so hardware tokens for two-factor authentication for iCloud for those people who need it. So I think it's important to stress the audience for these advanced security features Apple is rolling out. They are for journalists and industry leaders and lawyers working on human rights stuff or political leaders or campaigners. They're for people who have a reason to believe they are at extra risk and they come with a loss of convenience, right? You're someone who knows you need more protection than your average person, therefore you have to accept certain caveats. And in this case, very similar to the last one as you discovered just before Christmas, you have to have all of your devices on the latest OS before you can turn on hardware two-factor OS because if your device can't support the hardware token, then it can't play ball, right? So then it falls off iCloud, but that's not gonna work. So you need to have- You can't have one device below level and everything else working. That device just no longer has access, right? Right, exactly, because this is your iCloud protection which spans everything. So you also need to have two hardware tokens because otherwise, if one of them breaks, you're completely locked out. 
So Apple forced you to have two or more tokens which is very smart of them to do that. But you do need to have multiple tokens. You have to have all of your OSes up to date and at the moment, Windows support isn't in place yet so you cannot use the Windows iCloud client if you turn this on. Now I don't know if that's a Windows issue or if that's an Apple issue and I'm sure it will get resolved at some stage but right now today, they are the caveats. So you get the inconvenience of having to have your hardware token whenever iCloud wants authentication. So forget your keychain. No iCloud for you today. So again, it's a nice feature for those who need it but don't everyone assume that this means every single person who uses Apple products must immediately turn this on. No, just make sure you have two-factor authentication turned on. That is what most of us need. By the way, when you said if you lose your keychain you didn't mean iCloud Keychain, you meant- The physical. It has your fob on it. Yeah, sorry. The thing it's named for, the actual thing in real space where the virtual one is named for. Yes. I find that a funny thing to talk about since the two people having this discussion don't have keychains actually, right? For our cars anyway. No, no it's true actually. I just walked near mine and it unlocks. It's magic. It's not magic, it's Bluetooth but anyway. It's still cool. And then we talked a fair bit about Mastodon over the last couple of months and one of the things is I showed you a way of hacking around so that you can have your GitHub profile linked from your Mastodon so it goes green by doing it indirectly by linking to your GitHub.io page rather than your real GitHub page and having that be an automatic redirect to your GitHub page. No need to do any of that anymore. GitHub have rolled out a new feature. 
If you edit your GitHub profile there's now a section at the bottom for social media links and if you paste in a Mastodon link it is smart enough to do the right thing to put in the appropriate tags so that it will just validate. Oh, nice, nice. And to replay this to people this is to get a green validated check mark that says that you are the one controlling the website that you have linked to your profile. Yes. It doesn't mean that you're Bart Busschots it just means you are the person who controls this website that is supposed to be owned by Bart Busschots. Correct. So basically when my Mastodon profile says that this person on GitHub matches this person on Mastodon that is what's been proved. It just means that the Mastodon account matches the GitHub account. Right, right. You only have three links there so I've only done podfeed.com or four. I did podfeed.com but I have so many podcasts I wanted to put links to the podcast too and it does, those don't, I just put names, you know. Now, because I have Let's Talk because it can be a different domain I have that one, I have basically my personal site Let's Talk and GitHub so I'm only using three out of my four. But they seem like the most important three. So anyway, it's a nice touch, just a little feature but it's nice of them to do that so that just makes everyone's life a little easier. It's another step that Mastodon is really taking off though, isn't it? It is and there's been another push to go at all the various pulls. So Elon has decided that the API should be available for no one unless they pay him like $150 a month, which is insane because those apps that post off to Twitter that's adding content into the network he should be paying them. Yeah, the biggest downside to that that I heard was a lot of the emergency alert systems that have been set up, they are bots. Right. But like there's a flash flood warning coming. You know, you can follow that bot to know when that's happening and where you live. 
Those emergency things are just all gonna disappear. Unless... It's just erasing content. Right, unless the government's all started, I mean, just imagining a through procurement to get monthly, just even getting that built, that invoice paid, that's not gonna work in the public sector. Right, right. Well, and they do a lot of them. They don't just do one, they do a ton of them so that it could be enormous expense. And like you say, I always find it really funny when I was working that I could spend $150,000 on my signature, but I couldn't spend $50 a month. Right, because it's recurring cost. Because there's no mechanism to do it. The funniest one was one time a company paid me back for a piece of equipment that turned out to be hot garbage and they gave me a check for like $40,000. And I looked at it going, I only know how to spend money. I don't know how to put it back in the company. It was the funniest thing. You took it down to the cashier and you put the source code for your organization in there and the money went right back in. It was the weirdest thing. Yeah, anyway. Finding out how to spend money is very difficult. It just, it's just not thinking things through. But then, hey, look, it's, his next interest payment is due shortly and that's going to be fun. And if that one doesn't sink the ship, the one after that three months later probably will. So I'd say. I also saw that he hasn't been paying his rent payments for the facilities. Correct. And one of the buildings is owned by the Crown. Oh, yeah. Yeah. Well, a lot of things are owned by the Crown and like, that's how he's not Prince Charles anymore. That's how King Charles, King Charles was a business genius when he came to the Duchy of Cornwall. He made a fortune and he was a landlord to a lot of people. So they own a lot of stuff. He's now suing Elon Musk for not paying his rent. Darn tootin'. 
I also, after making everyone come into the office and making such a big hoo-ha, he's also making people around most of the world work from home so he doesn't have to pay the rent on their office space. I'll give you two. Anyway, enough idiocy there. So where was I? Yes. So GitHub. Good, shiny, happy. I have one deep dive, which is more of a medium dive, but I thought it was worth talking about because there's been a lot of news lately about password vaults not being, you know, having issues. We obviously had LastPass, which still wins, LastPass wins the award for being the biggest, you know, screw up of 2022. I think that goes to LastPass. And the minor issues with password reuse on Norton last month, I mean, it pales in comparison to LastPass. And this KeePass thing pales in comparison to the Norton thing. But you probably saw headlines about it, or at least if you weren't in the Antarctic, you probably saw headlines about it. The listeners probably saw headlines about it because password manager vulnerability, that's link bait there. So it is true. KeePass is another password manager? KeePass is an open source password manager, a cross-platform open source password manager. It's been slowly bubbling away in the background for a long time. It suffers from the by nerds, for nerds thing where the UI, it just drives me potty. I did experiment with it a few years ago and you know, it's cross-platform. It's up to you to figure out how to sync it, stuff like that, right? So a lot of people will throw their KeePass file in their Dropbox and let Dropbox take care of the sync and then they just have the client on the different machines. So you do that kind of thing. But yeah, it's basically a well-encrypted file. Anyway, there is an active CVE number against it. So CVE is a catalog, for want of a better term, for tracking known vulnerabilities. 
And the security community say this is a vulnerability and the open source developers of KeePass say, it's not a bug, it's a feature. And I'm not even paraphrasing here. They genuinely say, no, no, no, that's a feature. We want it that way. Oh, okay. So it's complicated is what I put in the show notes, which I think is the fairest thing I can say. And I think it's probably worth digging into a little. So there is, when you run KeePass, there is a settings file for you in your home directory. It's an XML file and it defines how you want your KeePass to behave. And one of those settings will instruct KeePass to run this code when you unlock your vault. It's an event handler for I have just unlocked my vault. And so you can use it to automate what happens when you unlock your vault. But that's not in the vault. In fact, that's probably how they should secure it. They should probably have the event handler code in the vault so it doesn't trigger. So it can't be edited unless you know the password. I just think I've just solved the problem for them. But it's not in the vault. It's sitting in your home directory. The sidecar. Yes, unencrypted. So if someone manages to get some code execution as you, they can edit this file to add a line of code that says next time the vault unlocks, take all of the secrets, put them in a CSV file and email them to me. So the moment you unlock your vault, it's a booby trap. Everything gone. They say, no, no, no, this is a feature. Yeah, well, we want people to have the automate stuff. I mean, if some bad guy gets on your machine, the show is over anyway, so there's nothing lost here. And five years ago, I think I'd have agreed with them. I would have said, yeah, you're right. If someone's on your machine, then it's already show over. But that's not the world we live in today. We live in a much less binary world between everything's fine and everything's terrible. Defense in depth is your approach now. 
So you're always trying to limit the damage that can be done by any piece of malicious code. I mean, why did Apple put so much work into sandboxing apps? It's so that if one app gets compromised, the app can't reach out and do anything. So something as vital as your password manager should be doing everything it can to protect itself from every threat, even a rogue piece of software on your computer. Because we have a lot of software on our computers. Right, a perfect example on this one would be, sure, if somebody owns my machine, they could put a keylogger on the machine and then they could capture me logging into my bank. But they would have to wait until I logged into my iCloud. They would have to wait until I logged into my insurance company, until I logged into my school. And this is just handing the whole thing tied up in a little bow. It is. And worse than that, so on the Mac, if you get to run code as random apps, let's say you've installed a Solitaire app that's actually malware. And the Solitaire app reaches out to a command and control server and executes whatever code the command and control server tells a Solitaire app to execute. That's a very realistic scenario. On the Mac, that Solitaire app cannot install a keylogger because a little pop-up came up saying this app is requesting access to your accessibility features and go into settings to allow, like we have to do for TextExpander, like we have to do for all of these tools. So on the Mac, actually, that piece of software couldn't steal your password with a keylogger. But it can write an XML file. Yeah. But it can write an XML file in your home folder. Doesn't it have to ask for access to documents to do that? It would if it was in the documents folder. But your settings are not in the documents folder. They're in your home folder. So your home folder is a sibling of your settings, not. Yeah. Documents and desktop are next to your settings and stuff. 
Your settings aren't in documents, especially the Linux-y style ones, which are in a dot folder sitting in your home directory. So in this case, it wouldn't be there. The only thing I'm worried about is we get asked that so many times when it's not obvious why they need it. And you're just like, OK, it needs that. Let me go check that box. It is still a very effective barrier because a lot of people get so put off by it, they just never do it. Yeah. Yeah. And they click cancel or whatever. And the app works fine because it's a Solitaire app, and it shouldn't be doing any of this stuff anyway. So it'll still be a Solitaire app. So you do have to sort of think about it. I mean, I've had a few apps say, hey, can I have access to your contacts? No. You don't have a right to do that. But calendar app, can I have access to your calendar? Why, yes, you can. Indeed, fantastic. Make sure you keep thinking. What is it asking you? Yeah. But at least it gives you the opportunity. It is another gate. So to me, as a Mac user, the argument that this is not a vulnerability is hogwash. But over on the Windows side, they're not as wrong. But I still think that as a password vault, even on an operating system that doesn't have the extra protections the Mac does, the vault should be protecting itself as best as it possibly can. I think you're a password manager for goodness sake. You should be doing the absolute best. So I just disagree with the developers. Full stop. I think that they're thinking a decade ago way of thinking. And they're thinking as if they're running. Basically, they're thinking like they have Evernote, which is a little library of stuff. Yeah, you have a little library of stuff. All of my secrets. You have a higher responsibility than Evernote does. Now, you can turn it off system-wide by editing a setting in the applications folder. 
And unless you're running your Mac as an admin user, you can't, a random piece of malware can't mess with that because it would need to escalate privileges first. And in Windows land, you would get that UAC pop-up that says you're about to do an admin thing. So again, you would be protected from that. So if you go edit the setting at the app level, not the user level, then you can protect yourself from this for basically disabling those event handlers. But it's a bunch of faffing about. And this brings me to the other obvious thing. If you think it's so important for one or 2% of your power users to do this kind of weird fancy pants thing, make it an opt-in feature. Yeah, oh, yeah, yeah, yeah. Right? Not an opt, not an on by default feature. They just, they have a little bit of work to do here. And at the moment, they're trying to defend the indefensible and they are going to fail. They're going to see the light on this. The question is how much shouting has to happen first? Well, and how much loss of credibility happens between then and then. Yeah, yeah, exactly. So we shall see how it ends up. It's not the end of the world. This is nothing like what happened to LastPass. This is absolutely positive. So if you're a KeePass user, you now understand the situation, you know this setting exists, and you should act appropriately, and you should make your own decision. But this is not a catastrophe like LastPass. So let's keep it in context, folks, even if I think they're wrong. Right, right. OK, so normal business can resume. Action alerts. Oh, can I tell you one last thing? Sure. On the ship, I met a woman who had all of her passwords written down on a piece of paper in her purse with her iPhone. Well, I'm not actually against writing down passwords, but the with her iPhone in her purse bit is where it breaks down, just a touch. Yeah, the thing was, she also had a pattern, like blah, blah, blah, 2323, blah, blah, blah, 2323. Look at the piece of paper. 
What do you think her four-digit code was to open her phone? 2323? 2323. Yeah. Yeah. Sweetie. OK, I'm going to help you with this little problem you're having here. But you're going to do this when you get home. It's called 1Password.com. Yeah, because a lot of people mock password logbooks and stuff. But actually, if you keep a password logbook in your house, that's actually for a lot of people that's most likely they are to do something securely. For goodness sake, don't make an Excel file. For goodness sake, don't put it on the computer unless it's in a password vault. If it's on a piece of paper, you cannot hack a piece of paper remotely. And if someone steals a piece of paper, unlike someone stealing something digital, you've lost it. It's gone. You know it's gone because it isn't here anymore, right? That's the problem with digital theft. You don't know it's taken. Whereas with physical theft, you know it's gone. This is an important difference. So anyway, yeah, one last thing on this. So Lindsay and Nolan were on LastPass and they switched over to 1Password. Lindsay keeps telling me over and over again how much more she likes 1Password than LastPass, which really surprised me because I always looked at them as pretty equivalent. I thought it was a little bit nerdier in LastPass, but she's just said, it's so pretty and it's so easy in the way it fills in passwords is better. And she said that the conversion from one to the other, I sent her a link to the tool they have to import as a CSV. And she said, it took me maybe 35 seconds to move all of my stuff from one to the other. Yeah. And I have to say, I changed them all. So I do not believe there is anyone else doing a password manager with as much thoughtfulness on the user experience. Not raw features in a spreadsheet, but thoughtfulness in terms of how it feels to use the app. Yeah. Yeah. 
Now they have had some janky problems with version eight and they've just published a blog post about how, yeah, we heard all those things that were irritating you. We are fixing all of these. There's a lot of stuff that's fixed in there. Like you can actually reorder items. Like you've got two websites and you want one above the other and you would have to delete it and add it. They've put that back in. The other thing they've done is if you have subdomains on the same domain, it won't keep offering you every password. So we have an awful lot of stuff on the subdomain of our university domain. And when I go to some of our websites, it just gives me hundreds of spurious. It's like, no, you have a password for this exact subdomain. Stop telling me about these other subdomains. That's good. You can also set a default vault, which is nice for people who have a work vault and a home vault. But the thing I'm looking forward to most is the version eight will actually work on my iPad. There was a bug where it just asked me to type in my password every single time I accessed it. And I wrote to them and they said, yeah, go back to seven for a little while. We're working on that one. And so I'm looking forward to going back to eight. The other thing that's still missing that we used to have in seven was when I would unlock 1Password, both of my vaults would unlock, my work vault and my personal vault. Now I have to unlock them separately. Really? Now that's true on my machine without Touch ID. That's not true on my machine with Touch ID. Touch ID seems to unlock both, but typey typey password does not, which is really annoying. Weird. It's a subtlety. Because I believe under the hood, they used to keep the password to one of your vaults in the other. And so you would unlock one and that's how it would have the password to unlock the other. And I don't think they're doing that anymore. They've changed something in the architecture. 
And the other one that's driving me nuts and I'm hoping the rearranging fixes this, but I have accounts where there are multiple multi-factor authentications. Right? Oh, really? So I have single sign-on credentials that have many different front ends that they go to. But the same username and password at the very, very, very, very back end, right? Active Directory, sitting at the back of it all. But some of them have Google Authenticator and some of them are Microsoft Authenticator. So the second factor is different. And so when I open that account, I see four six-digit codes. I can't choose the one that sticks to the top. And auto fills. And it's wrong. It's the one for password recovery that sticks at the top, which is the one I never need. The three I need all the time. If you could rearrange them, maybe you can fix that, yeah. That's what I'm hoping. Fingers crossed on that one because that would make my life so much easier if the right one were total popular. But anyway, yes, 1Password is continuing to improve. You posted that in the Slack and I had a read and I liked a lot of what I saw. So that should be nice. Right, so our first action alert is a fire extinguisher. If you have basically any Linux, you should allow OpenSSH to update itself. And you should do it just because it's best to have the latest OpenSSH, but there's no need to panic. There is a very subtle bug in there and they have very responsibly disclosed it. It is patched. It's also not exploitable by any means anyone has figured out. Now attacks only get better. So six months from now, someone might figure out how to possibly exploit it. But for now, it's just let this patch when it needs to patch. But if you read something about OpenSSH bug, yes, there is a bug, but there is no need to panic. It is under control. The fire brigade are on scene. Everything is fine. Just work along as busy. A dumb question. How would I know if I had an OpenSSH on my server? Oh, you do. Can you SSH to it? 
Yes. Yeah, then you almost certainly do. It is conceivable that there is someone somewhere not using OpenSSH. Well, I'm not aware of any major distro that isn't using OpenSSH. So can you put it on your checklist to tell me how to do that? Well, you have your updating itself automatically all the time. It's just going to come out in the wash. Do I? You do. Okay, I knew that. Yes, you do because otherwise you would have hundreds of security updates behind then you do not. Okay. So yeah, you have to do nothing. You just have to, yeah, you just have to do nothing. It'll happen. Let it do its thing. It's great. Automation good, as you know yourself. So that's the first one. Apple have also patched pretty much everything everywhere. So let all of your Apple devices update themselves and they have also backdated some of their patches to older versions of iOS. So right back to the iPhone 5S. There is now a security update available. Wow. Yes. So how many? Is that like nine years? Eight years? It's a long time ago, the iPhone 5S. If I had, if this wasn't my new Mac, I would have Mactracker installed and could tell you very subtly, but I don't. But yeah, it's a long time ago. So patchy, patchy, patchy, patchy and all of your Apple goodness. Moving on then to worthy warnings. So remember we've already mentioned LastPass a few times? Well, they're owned by a company called GoTo. And it turns out they didn't only lose their LastPass stuff. They also lost a whole bunch of really important data for various GoTo products. And just like with the LastPass disclosure notifications, they're a bit low on detail, very low on detail with things like, there are some two-factor authentication settings have been stolen. Home another bar? What precisely do you mean by two-factor authentication settings? And quite what could an attacker do with this information? You haven't told us exactly what it is. And also on some accounts, it was somehow encrypted. How? How strongly? 
So yet again, the assumption we have to make is that they've lost everything. Because they're not giving us enough to tell us. If you don't tell us, it's probably bad news. If it was good news, you'd probably have told us. So the other main product is then is GoToMeeting, right? Correct. So I'm sorry to say, Allison, you have some homework. You need to reset two-factor authentication. So you need to reset your password, reset two-factor authentication, start from scratch and make sure you generate new recovery codes. Because your old recovery codes could well be the metadata that was lost. If one had GoToMeeting. If one had GoToMeeting, GoToWebinar, any of the GoTo products. Are we not on GoToMeeting? I do. Oh, no, sorry. We're on Zoom. We're on that other one I don't like. Sorry. It's one of those blue icons I don't like. I got all confused. Sorry, you're fine then. No homework for you. You're all good. But yes, so basically, and also if you are using SMS-based two-factor authentication, almost certainly your cell phone number is one of the things that has been leaked, which would definitely put you in danger of SIM swapping as a way of attacking your stuff if you're valuable enough. So the advice from Naked Security is to switch away from SMS-based two-factor authentication to app-based two-factor authentication, especially if you had it turned on. So good advice, really. Wow. Oh, they answered the question on the iPhone 5s. It started in 2013 and was sold until 2016. So the youngest one would be, was that, four, seven years old? And the oldest ones are literally a decade old. Seven to 10. Yeah. That's kind of impressive. Wow. Nice one, Apple. That's really impressive. Yeah. I probably should have put a fire extinguisher icon next to this story as well, actually. So GitHub have lost an encrypted version of the private key for the certificate that signs their app. 
So if an attacker succeeds in decrypting the key, then the attacker could use that key to sign malware as if it was officially from GitHub. And so Windows and the Mac, et cetera, would see it as validly signed. It would not give you a warning saying this is from an unknown developer and would run the malware as if it was from GitHub, which would be bad. But thankfully, GitHub kept their keys encrypted. So while the attackers were able to sneak in and get some stuff because of an errant API key, they were not able to get the unencrypted version. So that's, again, security working as it should. So GitHub have responded very responsibly. They gave everyone a week to let their app auto-update. And then they revoked the key. If you didn't update your app in that week, it's not a catastrophe. It's a minor inconvenience. Auto-update will not work for you because the signature will fail because your app doesn't know about the new key because your app didn't get the update in time. So your app will think that every valid update is malware because it's a different key. You simply go to GitHub's website, you redownload the app, and away you go. Because your settings are fine, it's just that you need a new copy of the app. I wonder, will it be obvious to people who've downloaded an app that that's what's wrong with it? It may or it may not, but thankfully, the community of people who use the GitHub app are also the community of people who are quite nerdy, so I'm hoping it's a fairly minor. Well, you're just talking about the GitHub app itself, not apps you've written and put on GitHub. No, no, just the GitHub app. Oh, I think that every app we've written on GitHub. No, no, no, no, it's the GitHub app from GitHub. So it's a small audience, it's a well-contained problem. And I mean, I think some people are probably losing their mind because, again, you can have a headline, GitHub lost a key. Although most of the headlines just say they lost a key. 
They don't actually say that they lost an encrypted copy of the key, which is a significant difference. And the whole point is, their security worked because this could have been a catastrophe if they hadn't have had good security in place, but they did, so it isn't, so it's a good news story. This is just the marching along, this is what we do. This is it, we had contingency plans for if the worst happened, the worst happened, we're now doing our contingency plans. Good, nice, well done. Yeah, and this is somehow I managed to get it updated while I was gone because I opened the GitHub app and it didn't seem to complain. Oh, good, good, good, good. I suppose if I get an update though, that's where you're saying I would find. You may find that the next time it tries to update itself it goes, this doesn't check out. Okay. The last worthy warning I have is an unusual one, but we have talked a lot about AirTags, so I do think it's worth mentioning. There are people, actually there are companies selling various ways of attaching AirTags to pets, which implies that this is a safe thing to do, do not. Seems like a reasonable thing to want to do. Yeah, the problem is pets are ingenious, pets swallow things and AirTags contain very toxic batteries. It could literally kill your pet. How do you get an AirTag off of your own collar? Well, unfortunately, there was a lady in the States who buried her dog because the dog was cleverer than me. I don't know how, but the dog succeeded, chewed the thing apart and is dead. So you shouldn't put any kind of tracker on your dog? Yeah, nothing battery operated on your dog, I think is really the key, because it's those batteries. You know the way that you have to buy very specific ones for the AirTag that don't have the childproof coating, because otherwise they actually don't make contact with the right parts inside the AirTag. 
The reason those childproof coatings exist is because those batteries, if they end up in stomach acid, not good, not good. And so this is actually, it's unusual. I'm just thinking about all the different kinds of, I mean, I've got a light up collar. That light up collar's got a battery in it. Would you ever leave that on the dog when the dog is not in your presence? I wouldn't, but I could see somebody doing that. Yeah, so I guess the warning is valid, I guess. If you can't see the dog, don't have the dog with a battery tied to it, because dogs are ingenious. They are geniuses, like they are absolutely geniuses. Well, my dog's dumb as a stick, but he's got a great personality. You only think that, although I was convinced I had the words. Bart, she licks soap. I wouldn't put one on Dodger, but I'd put one on Tesla. I don't know. The dog is a genius. He can open doors, sliding glass doors, door handles you have to turn and then pull towards you. Wow. He used to turn on the stove. I don't know. They decided he was trying to kill him, but they ended up having to put child-proof locks on the handles on their stove. So is he what, an equivalent of a three-year-old? Yeah, exactly. Tesla doesn't know how to go through a door that is ajar in the direction she would have to push it to walk right in. She will stand at that door all night long and not go through it. Okay. She's excessively polite. We don't know which. Yeah, either way. I think we had the world's dumbest cat because it was the only cat I knew who didn't understand gravity. Lie at the top of the stairs, stretch, roll, and then go, end up at the bottom of the stairs with this look of what? How? How did that happen? Anyway. As I recall, he only had one eye, so watching him jump was entertaining as well because he didn't have depth perception. Well, that was later in life. Yeah, he had a very clever thing. He'd bob his head left and right to get the depth perception and then jump. 
So it was actually kind of cool to watch because initially after the operation, when he lost the eye, he would just miss. It was hilariously tragic or tragically hilarious. And then after a few weeks... He felt bad laughing, but you still did. Yeah. After a few weeks, he just watched him just bob his head left, right, and jump. And he was perfect. Once he just learned, you know, left, right. My brother only has one eye, and when he was in high school, they did a depth perception experiment with the kids, where they had him cover up an eye and look at two boxes, one close and one far away and try to guess which one was which. And the teacher watched Grant notice he jiggled his head. Right. Subconsciously. He just does a little tiny quiver. Yeah. Yeah. And that's all it needs, right? That just breaks the illusion of they're the same distance. No, they're not. I've just moved side to side and now I can see the difference. Yeah, it's cool. Okay. So that was Worthy Warnings. Notable news then. The United States is suing Google over its monopoly on the ad market. That seems significant to me. Eight US states and the US Department of Justice on that court case. We shall see how it progresses. And in the very strongly good news column, the Federal Bureau of Investigation has cooperated with the Dutch authorities and the German authorities to wrap up the Hive ransomware, which was frankly wreaking havoc around the world. It was one of those ransomware-as-a-service where you could pay to have the bad guys extort people for you. And they were one of the groups who felt it was perfectly fine to go after hospitals. And schools and things. Oh, that one. Yeah. One of the ickiest ones. So nice to see that wrapped up. A neat little, you know, a rest bow. Well, actually, they got the servers rather than the humans. But either way, they have significantly disrupted some nasty malware. So that's good. 
In terms of top tips then, Apple, because it was Data Privacy Day a few weeks ago, Apple released a bunch of resources, primarily a very fun video and some Today at Apple sessions. I've no idea what the Today at Apple sessions are like, because that would involve having an Apple store, which I still don't have. But the video is fun. It's about five minutes long, which I think is probably a good length. It is with Nate from Ted Lasso. And it's, it is funny, but informative. It's information rich, but at no point do you feel like you're learning. It's, it's really nice actually. So I think it's a great one to send to friends and family. I mean, I, you and I won't learn anything new, but it's a really good one to share what actually your iPhone is doing to protect you. It's, it's well done. I liked it. And it was fun. So if you're a Ted Lasso fan, watch it because it's fun and share it to actually get the security message across. In terms of interesting insights then, I absolutely positively want to give a hat tip to Glenn Fleishman over at TidBITS for two amazingly good articles. I think they started as one article in his brain and he very wisely decided to split them into two because they both got quite long. So we have talked a lot about Mastodon. So the article that's probably of the most interest to the most people is his article on Mastodon, a new hope for social networking. It is a very clever way of explaining Mastodon to people. He uses a very fun analogy of a flotilla of boats to describe all the different servers and how you can safely hop from boat to boat. And if you're on a big boat, things are a bit different if you're on a small boat. But if you're a small boat because it's a trouble, just hop over onto another boat. It was clever actually. It was nice and very human friendly. But of course Mastodon is just one example of something called the Fediverse. 
So Mastodon sits on top of an open source infrastructure that could be used for any kind of social app, which is called the Fediverse. And that actually also opens up some interesting possibilities. So the second article dives into the possibilities. I mean, there's no guarantee any of this will happen, but it is an interesting vista that is open to techie people to explore. So I thought it was a very good description of what the Fediverse is and what the potential is for it. So two excellent articles from Glenn Fleishman. I really just want to plug. So when you get onto Mastodon, you'll look at your follower count and it'll be maybe a tenth of what it was on Twitter. So dialing these numbers down, I'm getting way more engagement than I ever was on Twitter. Infinitely more. Infinitely more. Because it's not a bloody algorithmic timeline, it's also valuable. Yeah. But Glenn Fleishman is coming up on 10,000 followers on Mastodon, which is massive. But as a celebration of that, he's giving 10% off of all of his books and written things that he's created. So if you follow Glenn Fleishman on Mastodon, you can see he's updating it. I saw a new update today of how much closer he is to 10,000. And he's got a bunch of... If you like really cool printed stuff, he's got really cool printed stuff. Excellent. Yeah, he's a cool guy. He's very good at writing. He writes very well. Very big fan. Just because it's cool. So the only real takeaway for our listeners is Google have made DNS a bit less insecure. DNS is one of those protocols from the... I think it's from the 80s. No, it's probably from the 70s. I never think about it. It's bloody old. It's from the days when we were kind of just happy that the internet worked as opposed to anyone thinking about securing the bloody thing. So we have done a lot of proactive work to retrofit security, like the Dan Kaminsky hack a few years ago made us really change things up. 
And Google have found a new way to add more entropy into DNS queries to make them harder to spoof, which is called DNS cache poisoning, which sounds really bad, which it is bad if someone manages to convince you that another IP address is PayPal.com, that's not good. So cache poisoning is bad. So you need as much randomness in the query so that it's really, really hard for a bad guy to sneak a forged response in. Because there's no encryption to enforce the security. Your only chance of security is entropy. Make it hard to guess a plausible answer. And the DNS protocol is officially case agnostic. If you give it a query in any case, the answer should be converted to lower case, then queried and then you get back the result. So you were also supposed to, according to the spec, preserve the case in your reply. So if you randomize the case of people's DNS queries, then the attackers need to randomly guess the right case in their poisoned answers. So it adds massive extra entropy to long domain names. So Google have started to randomize the case and throw away answers where they don't get the same randomization back. Oh, that's clever. It's very clever. And the explanation over on Naked Security is fantastic. So it's a really good job of explaining why Google are doing it. And it also gives you a little short history of everything that's come before, like we started randomizing port numbers and stuff, to add entropy. So it's a really good explanation if you're curious about how we've had to be clever to make an insecure protocol acceptably secure for the 21st century. This is fantastic. And I should note that all of this hackery, as cool as it is, is all just a stopgap for the future, which is both, I think, DNSSEC, which is an extension to DNS that adds actual encryption, actual cryptography to actually digitally sign things. And DNS over HTTPS, which is actual encryption. 
So you have actual digital signatures and actual encryption on the way, but Google are backfilling the gap with this new approach. Which is very cool. And everybody gets the benefit of that? Yeah, if you're using Google, no, everyone who uses Google's DNS resolvers, which is a heck of a lot of people program into the routers, if you've configured your router to use 8.8.8.8, then you're getting this. Okay, so if we're using Cloudflare, we're not getting this. That is correct. 1.1.1.1. Well, I don't know for sure that they won't copy this by next week. Exactly. If it's good, they will. Almost certainly. And in fact, Google, everyone was... This idea is 15 years old, but everyone was afraid to go first because what if the DNS servers don't follow the spec and what if we end up breaking our DNS resolution? But Google are such a big player that the fact that Google have done it and it hasn't broken Google, that means everyone else is going to feel a heck of a lot more comfortable following Google. Don't be first, just, you know... Right. So I think you'll see this rolled out to all the major providers. So yeah, I do think 1.1.1.1 is very likely to follow. Also, 1.1.1.1 are good supporters for things like DNS over HTTPS and stuff. So they're very on the ball. I don't trust Google. Therefore, I use 1.1.1.1. Then it's as easy to remember as 8.8.8.8, which is also important because I used to use OpenDNS but I can't remember the servers. So good to me. And then we have Palate Cleansers. And I have had a Palate Cleanser sort of in my back pocket for a month and a half that I was like, yeah, maybe it's too nerdy. Maybe it's not appropriate, but it is the perfect companion to your Palate Cleanser. So I've snuck in. I've basically gone on your coattails. So do you want to describe yours? Can I do mine? Yeah. Yeah, so one of my favorite things I follow on Mastodon is called Nixcraft. N-I-X-C-R-A-F-T. 
And it's kind of nerdy, but often just really quick, little clever, fun things you could do. And they give a tip on how to access wttr.in, which is an API that will print out in ASCII your weather. And it's really, really fun to look at because they're drawing clouds with ASCII characters and the sun peeking out from behind a cloud. But it gives you your 7-day forecast. It'll give you the hour-by-hour weather where you are morning, noon, and night kind of thing. And it's super nerdy. And if you just look at the link, you'll get a kick out of it whether you decide you want to do it in the future. So I definitely recommend following Nixcraft. But also, as Bart reminded me, and I did remember at the time, we covered this in learning JavaScript programming by stealth. And Bart has put a link in the show notes to installment 80 where he taught it to us. So pretty cool stuff. I got a big kick out of it. And the API is even cooler than Allison has made it out. So on the terminal, it doesn't just draw a picture of the cloud. It uses the escape characters for color in the terminal. So it actually gives you color terminal output. And if you take the same URL and put it in your browser, it gives you HTML. Because the API is actually smart enough to look at the user agent. So if you look at this curl, it gives you back terminal output. And if the user agent is Safari or Internet Explorer, it gives you back HTML. And when we did it with programming by stealth, we explicitly said, please give me back JSON files. So then you have raw data that you can process. So this same API can give you the weather in terminal, in HTML, in raw data. And it's all for free. It's just so cool. And it's basically, take all the vowels out and it's weather dot in. We'll give you Dublin weather. The weather dot in forward slash Los Angeles. We'll give you Los Angeles weather. It's so cool. Big fan. A lot of fun. Exactly. 
Now, there's a similar API that is also designed to be accessed from the terminal using the curl command that also returns nicely formatted ASCII with all the various color codes. It's called cheat.sh, which is a whole bunch of cheat sheets for nerdy stuff. It covers both terminal commands and common programming languages. So you can basically use your terminal to get like, oh, sugar, how does the ls command work. If you would prefer to have a human write something human friendly instead of the man page, which involves I mean, you will learn to speak man-page-ese. But it is a different language. It's some sort of jargon. It's not human speak. And you will eventually get good at man pages. But a lot of people prefer not to read man pages. So cheat.sh is perfect for humans and all the details are linked in the show notes. And again, that will work in the browser or from the command line and it will be sensible and give you sane output regardless of how you go to it. So another cool use of a web-based API. Very good, very good. Those do fit. Those do nestle quite nicely together. I've been wondering how, because I thought if I'd come out with that cheat.sh one without you having something else that was similar, I don't think it would have gone over as well. So this is perfect. Well, that's all I got. Does that wrap us up? That wraps up my content. Unless you've got some more. I'm all out. All right. Well, this was fun. It's fun to get back in the saddle with you, Bart. It really is. That sounds weird. Does it be? No, but we're still out of practice. It's just hilarious folks. We were just yakking away, forgetting to do a test recording. I was like, wait, do I put the file again when we recorded yesterday? I couldn't even remember that it was Dropbox. I was supposed to use it completely to practice. But hey, we're back now. I couldn't even say the date correctly yesterday. That is also true. But yes, we're back in practice by next time. 
I'm sure it'll be absolutely fine. But anyway, folks, remember, until then, stay patched, so you stay secure. Well, many thanks to Jill and Bodie for not making you listen to this voice any longer than necessary. I truly hope that I have my real voice back by next week. But we are going to wind it up for this week. Did you know you can email me at Allison at podfeed.com anytime you like? If you have questions or suggestions, just send it on over. You can follow me on Twitter at podfeed and you can find me on Mastodon at podfeed at social. Actually, I'm not sure why I'm even saying my Twitter handle anymore. I haven't been writing there for a week, so actually more than a month probably since I've posted there intentionally. Now that I don't have a Twitter client, I don't know. I don't feel like going to the web. I mean, that doesn't make any sense. So I am on Mastodon at podfeed at chaos.social. If you want to join the fun of the conversation, you can join our Slack community where you can talk to Jill, as she said. And you can go to podfeed.com slash slack to do that. And in there, you can talk to me and all of the other lovely, you know, cellicast ways. Remember, everything good starts with podfeed.com. You can support the show at podfeed.com slash Patreon or with a one-time donation or a regular donation like Kenneth at podfeed.com slash PayPal. Be sure to let me know if you're going to be late though. Anyway, and if you want to join in the fun of the live show, we had a hoppin' show since we'd missed a couple of weeks. You can go to live show by going to podfeed.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic no cellicast ways. Thanks for listening and stay subscribed.