Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Saturday, December 23rd, 2023, and this is show number 972. Well, of course we are not going to miss a show because we never miss a show at the NosillaCast, but there will be no live show this weekend or the weekend of New Year's, so we'll see you in the New Year. This week we're going to start the show with a very important retraction of something I said last week I was completely wrong about, and then you're going to hear Bodie Grimm of the Kilowatt podcast teach me how to create a GPT using GPT-4. Then Bart joins us with the solo Security Bits, which he did by himself so that I could spend time with my grandkids. Very much appreciated. Then we'll close out the show with Steve's annual tradition of The Night Before Christmas in honor of Honda Bob. Before we get started, I need to give a very important retraction from last week's show. Christian from Germany gave a recommendation for the app Find Any File, and I downloaded it and tested it, and I gave you a review of this awesome shareware app. I tested Find Any File for accessibility in far too much of a hurry, and my original assessment was that it is not accessible. This is not true. In my more clear-headed testing, I found that it is accessible. I only discovered this when the developer, Thomas Tempelmann, wrote to me asking for clarity on what I had found inaccessible because he wanted to improve it. I felt just terrible at my egregious error. Over the last week, Thomas dove in and he fixed a few labeling problems I found with Find Any File, and then he had me test his changes. He has a bit more work to do, but it's nearly there. In any case, it's definitely accessible. My apologies to Thomas for my initial analysis and to those I misled last week. You can find the accessible Find Any File at apps.tempel.org, and of course there's a link in the show notes.
In Programming By Stealth this week, Bart Busschots and I started off by going through the challenges of our previous installment. Remember how I said I was really digging jq and querying JSON files because at heart I'm really a data nerd? Well, I failed completely at accomplishing the homework challenges. It was not for lack of trying, though. I worked about four hours on just the first challenge. Because of a fundamental building block that wasn't properly in place in my brain, I was never going to succeed. That means that this episode is almost half about the challenges and Bart carefully re-explaining the pieces he taught us in the previous installment in the context of these challenges. We both agree that it's good work because if I was lost, there's always a reasonable chance that at least one other student was as well. Because of my questions, we ended up cutting this episode in half, so the show notes are complete for a full story, but the second half of this episode will be explained in Programming By Stealth 158b, which we'll record in a couple of weeks. You can, of course, find Programming By Stealth in your podcatcher of choice, and Bart's fabulous tutorial show notes are linked in the blog post. In this next segment, you're going to hear Bodie Grimm teach me how to create a GPT using GPT-4. Now, you probably have a lot of questions about what that even means, but Bodie goes through and explains what he's going to do in the audio you're about to hear. If you'd like to watch Bodie do this, we also recorded the screen, or I should say Bodie did. He recorded the screen and the audio, and then Steve went through and very carefully did video switching so you see us and then you see the screen of what Bodie was showing me. So the video is linked in the show notes, but you can listen to the audio right now. Well, I'd like to welcome to the show noted expert in creating GPTs, Bodie Grimm. How you doing today, Bodie? I'm doing really good.
However, I would like to point out, I put a disclaimer at the top of our show notes that says that I am not an expert and I know not even a fraction of a percentage about AI. So yeah, I just want to get that. I just want to set a tone for people who might actually know about this stuff. Well, what kind of fun would it be if I didn't yank your chain to start off? But you may or may not have heard from Bodie before. Bodie is the host of the awesome Kilowatt podcast, which is a podcast all about electric vehicles and as I like to say, he's informative, he's intelligent and he's also ridiculous, self-effacing and makes me laugh every single time. So big fan, big fan. Yes, well, thank you very much. I'm also a fan of yours. I don't have as many nice things to say about you as you do about me, but we'll get through it. Well, that's good. That's good. OK, so everybody's heard of ChatGPT. If you haven't heard of it by now, you've been under a rock somewhere. But I've started to hear about this thing called GPTs, not ChatGPT, but GPTs and something about you can make them. And you said you could teach me how to make a GPT. And I don't even understand what it means to make a GPT. So on a very basic level, very basic again, I'm not an expert in this, but on a very basic level, this is just a chat bot that does something specific for you. So if you are a person who is really interested in Marvel comments, comics, and you upload a bunch of information about certain Marvel comics that you're most interested in, you can create, I don't know, a little game show, a trivia game show, or you can just ask it questions and win bar bets or whatever. It's really a tool that you can use in your personal life, but it's also a tool that you can use for business. And we'll talk about this a little bit later. But I created a GPT for the HPV vaccine that gives people who interact with it information about the HPV vaccine and why they should get it. So you give it information to learn from.
And so it's a very narrow, large language model then about that specific set of data that you hand it. Yes. When we, when we get to the point of actually doing the demonstration, I'll show you that it doesn't, it's not always narrow. Sometimes it reaches out beyond where it should. And you have to reel it back in. It's like a toddler where you have to set boundaries. So could you give it everything I've ever written on podfeet.com? Well, it's funny that you mentioned that because I'm, in our example today, we're going to create a GPT for podfeet.com. Sweet, sweet. That was not a setup. That was, we actually haven't spoken. That is, that's fun. Yeah. Okay. So where do you start with this whole thing? So I'm going to enlarge this. Oh, there he goes right away. He's letting people know that we are recording video. We haven't, we do not promise to produce the video. If I am going to produce the video, I'll let you know. But my job is going to get Bodie to not just say, as you can see here, but describe what he's doing, because we want this to work for the audio podcast too. The good news is I only have an audio podcast. So there's, there's little chance I'm going to do that, but I might. All right. Allison, are you able to see the screen? Yeah. So where are we? You're starting at OpenAI and you're logged in to ChatGPT 4, which is the paid for service that I can't sign up for right now because they've halted subscriptions because they have too many people wanting to throw money at them. Right. That is a, that is a really good disclaimer to start with is you can't actually use any of these unless you're already signed up. You can't create them and you can't view them. So it's a little bit of a bummer, but I can tell you since OpenAI had their big AI day presentation, my experience as a ChatGPT 4 user went from being incredible to being terrible. So. Oh, because too many people are doing too many people. Yeah. Okay.
So it's probably good that they've slowed down while they scale up. I'm, yeah. And then they had a little thing where they fired their CEO and then brought them back and replaced the board. They're probably really busy, I'm guessing. And some people are going to be working through Christmas. Okay. So ChatGPT 4 is 20 bucks a month, if and when you are able to join back in. And I'm sure we will be able to eventually. So what are we going to, what are we going to learn about today? What, what, what is a GPT? Well, a GPT is a, okay. Let's, let's break down the G, the P and the T. G is for generative, which refers to the GPT's ability to generate text, not just text that just not like a random text, right? Like, I think there was an app for the Apple to like the lila or something like that, that thing could create random bits of text. But this is text that's relevant about the conversation you're having with the GPT. It's very human-like. And I think this is part of the reason why people are so worried about AI. Next, we have the P, which is pre-trained, which means that it's trained on a norm, just an enormous data set that covers different languages and different formats of, of data. And then you have the transformer part, which talks more about like it's just a neural net and that neural net kind of feeds in. And that also helps with the context of the conversation. Okay. So generative pre-trained transformer and the transformer is taking, here's all this great data set. I'm going to generate some stuff. And I'm getting the transformers through the neural network. I'm going to spit out some stuff. According to my moronic understanding of it, yes. Okay. Okay. All right. So why would I want to create a GPT? Well, I can give you a few examples why I created a GPT. You would want to create one because you're a nerd and you would really enjoy doing it because it's actually a lot of fun. I, I created a GPT. My first one I created, in my real job I'm a firefighter.
And one of the things that I struggle with, and I struggle with it even as a podcaster, as soon as you put a mic in front of my face, whether it's attached to a fire radio or whether it's attached to this microphone that I'm talking on, I freeze up, I panic and I have a really hard time. So that's honestly been one of the things that has kept me from getting promoted. It's not the, the, the ability that I have as a, as a commander when we go on scene or whatever, or to talk on the radio. But it's my, my panic that happens when I actually address a mic. And I also have a little bit of a stutter when I get really nervous. Then it's a struggle to be honest with you. These are all good reasons to become a podcaster, right? Oh yeah. Well, yeah. Also, I don't like being on camera and I've got another podcast that I'm working on more exclusively to be on camera. So I'm facing your fears, folks. There you go. OK, so you wanted to create a GPT, though, for firefighters. Is that right? Yeah. So in the fire service we have and police service as well. We have something called incident command. So when we go on with just a standard house fire, the first arriving unit on scene doesn't matter if it's a battalion chief or an ambulance or a, you know, fire engine. They assume command of that scene. And then everybody has to do what they say. And there is a certain way to present your information. And you when you when you when you give your on scene report, that needs to be done in a certain format. And then when you address other units that are incoming, that needs to be done in a certain format. And you can practice that all day long driving in your car. But it doesn't give you any sense of, oh, this is real life. So I created a GPT that goes through dispatches, just like our dispatch does. It gives pertinent information, just like our dispatch does. It assigns random units to the call. And then it also assigns those random units to show up at different times.
And I never know which units are going to show up. I use DALL-E 3 in this GPT to give me a view five miles out from the call that we're going to. So sometimes you might see smoke. Sometimes you don't. And then I use DALL-E to show the house that's on fire. When you arrive on scene, DALL-E also shows the interior of the building when you're inside. And it just kind of gives me an ability to practice. But then also I'm able to hand this off to somebody else in our department or we're able to do it as a crew and we can practice and learn as a crew. OK, so there's been a big leap here. It was a generative pre-trained transformer. So I can type in, you know, how big is the lump of coal? And it's supposed to answer the question in the way the data set has trained it. But all of a sudden you're talking about visual pieces and timing and things like that. That sounds like a completely different beast than what I thought a GPT could do. Oh, yeah, this thing, your imagination is your only limit, as far as I can tell at this point. Like you'll bump up against some things. Like, for instance, when I told GPT, hey, give me a two story house on that's on fire. And the GPT will actually or DALL-E, based on the information the GPT gives it, will actually create a close enough image to what you get, what's described to you in the beginning of the scenario. And, you know, it's it's sometimes you have to tell it to go back and go ahead. I mean, I understand it can draw pictures. DALL-E 3 can do, can do pictures. But I'm having trouble understanding how and maybe that's what you're going to talk through. How I this this GPT is going to give us something time based. It was a little video I'm going to see. What? No. OK. So yeah, that's OK. I think I got you. So what I did was I broke it up into phases. So phase one is your dispatch and that will give you all of your units in your address. Is this what you're asking? So you're going to see you're going to show me a list.
A typed out list is dispatch and the units that have been dispatched are Engine 101, 102, 103 and Ladder 201, Battalion Chief 301. Correct. OK. And in my GPT, it will give you an address that's in Phoenix. It's probably not real. And then when you're when you've obtained that information, you just hit next. There's there's some other stuff below there, Allison, that's only relevant to firefighters, so we don't need to talk about that. And then he's just typing in next, next, next into this model. Right. So if I don't stop it at each little phase, it will run the entire call for you. OK, which is what you wanted to do. No, no, it's not, it's not. So it's not a good way to learn. So in the second phase, it'll give you the pertinent information. This is the caller report seeing flames from a second story window. The house unsure if residents are home, right? So that gives the the incident commander an idea of based on the time of day and based on, you know, whether it's a weekend or not. If somebody is somebody home, are they not home? We don't know. And then it creates this image of somebody who's trying to practice. What is it you're practicing, hitting next? No, so this is something that we do in most of the time we do this in a in a classroom type scenario. So we're we are being vocal about what we see. So when it comes to the dispatch, somebody will read the dispatch to you when it comes to the pertinent information, the battalion or the incident commander will be able to read that pertinent information. And then the next phase is it shows a picture from about five miles out. Now, Allison, if you could do me a favor and explain the picture that's on the screen. OK, it looks like a bunch of houses in a suburban neighborhood with what's probably a nuclear explosion sized fire going on. It's pretty it's pretty intense. Right. GPT goes hard on the scenarios like there.
If I saw this, I would be immediately calling a first alarm fire because something else besides the house is on fire. Yeah, this is a terrible refinery. Yeah, you have to take all of this with a little bit of a grain of salt. Or you just tell GPT, hey, that's too much, tone it down a little bit. OK. But again, and I promise what if you're training yourself doing this, all I see you doing is hitting next. Are you saying in your head, OK, I'm going to do a four alarm fire or number one alarm fire, whatever you said on this. Or are you trying to give responses that you would give in real life, like in your head? So, yes, for me, if I'm doing this by myself, I will just go through as as if I'm really going to fight the fire, right? And I'm saying this out loud as if I'm practicing saying it into a mic. The next phase for this would be to type it in. But there's an even better part of this that I was going to get to later. But we might as well talk about it now is GPT. ChatGPT has an app so I can go into the app. I can turn on the the voice to text mode or just you can just have a conversation with the GPT, I don't even know if it's voice to text. And I can tell all I can tell the GPT all of this information and it will give feedback. It's at this point, it's not great feedback, but it will give me feedback. OK, I think I get the sense of what you're doing with this. It's it's pretty crazy. Do you want to keep going with the with the fire safety training thing that you've built here? Do you want to start talking about how how do you build something like this? No, I think we should get to how do we build something like this? I want to play. I did practice some things, like I mentioned earlier. So when you're in the GPT page, there's on the left side of the screen, you have your GPT. So you sometimes it's ChatGPT and DALL-E and maybe something else that you've used, it's got what you've used most recently on the left side of your screen.
And then underneath those items is an Explorer tab. And then you have all of the GPTs. And these are pretty much all the ones I've created since I have. Oh, good gracious using GPT. He's done like 40 of these. One of them had chicken in him. Oh, no, this is like all the way back to April when Sierra, my daughter convinced me to sign up for the paid version. Wow. OK. All right. So pretend we're just coming in from scratch here. We've got a little pencil next to ChatGPT at the top or we've got Explorer, right? Right. So we want to go to Explorer. OK. This is a bit of a new one. Yep. And we want to at the top, it says My GPTs and then Create a GPT. OK. For a specific purpose. Yeah. Oh, it's beta. It is beta. And it's pretty good, but it definitely has some hiccups. So now that we're in the chat or Create a GPT section, you have an option to Create or Configure. With Create, it'll just ask you questions. It'll like walk you through creating a GPT, which is great because if you have no idea what you're doing, Configure's almost completely useless to you. I don't see Create a GPT. I saw you press the button, but I didn't. I don't see the next page coming out. It is. How about now? Here we go. OK. So you basically just hit Create a GPT and we've got now we've got Create and Configure, our two options. And it looks like there's a pane on the left for Create or Configure, and then on the right we've got a preview. So we're looking at GPT Builder for Create. Correct. So it's it welcomes us, says, Hi, I'll help you build a GPT. And basically all we're going to type in here is we're going to say what we want to make. So I'm just going to say I'm going to keep this very simple, like three minutes to make a GPT for www.podfeet.com. OK, nothing else. We don't have to tell it what we want to do with it. Nope. I mean, once you kind of get your head around how these things are made, then, yeah, you add a lot. Like my my fire commander GPT, it's lengthy. And but this is going to be simple.
OK, so all he did was type into a little field. He said, I want to make a GPT for podfeet.com. It says, great. How about naming it Podfeet Helper? Does that sound good to you? How does that sound to you? That sounds fabulous. So you just type yes as an answer. So you're just having a conversation with it. Just a basic conversation. OK. And then it's going to go off. It's updating the GPT. It just went through 18 years of blog posts. Well, OK, so that is that's another thing that we have to talk about. But if you look here on the right on the preview side, Allison, we have some added things. It says, tell me about the latest tech news on podfeet.com. We didn't add this. It did it itself. It says, how do I start a podcast? Discuss the latest latest gadget reviews on podfeet and explain technology, explain a technology topic from podfeet.com. So these are suggested questions you could ask the GPT at this point. Correct. OK. And it's just a way to get somebody started in the process. And while we were talking over here on about the preview stuff, we go back to the configure side or the create side and it created a logo for your Podfeet Helper GPT. OK. One thing I like about this is it clearly knows that it's a podcast blog because I podfeet.com they could have come back and said, OK, we've got your podiatrist here. Right. And obviously went through the data in some way to figure out that it was a podcast, got a little laptop, it's got headphones and a bunch of microphones. So OK, that's a cool logo. That's perfect. OK. So we're going to answer one more question and then we'll stop this particular GPT and the question we're going to answer it's asking now let's refine the role and goal of Podfeet Helper considering its focus on podfeet.com. What specific types of information or tasks do you envision it handling? For example, would it provide detailed summaries of podcast episodes or technical or offer technical advice or both? So Allison, I'll let you.
So a summary of podcast episodes is kind of silly since I give everybody summaries of podcast episodes. What about answering questions about what kinds of things I've reviewed? Maybe like, OK, he's writing answering questions about product and software reviews. Sure. A lot of people say, I don't know how to find out whether you ever talked about X. And I always figured, well, there's a search bar. You could stick it in there, but the search isn't that great. So you can the GPT doesn't always end up being great. But if over time, I will say it can get better and it can get worse. So in this create mode, we have created this GPT, right? It's fantastic. It's going to work great. However, over time, it's going to expand what it was initially built for. And sometimes that could be good. Oftentimes, I've found that it's not. It kind of just goes right off the rails. And you have to create another one. And another negative part of this GPT builder is when we navigate away from this, all of the stuff that we typed in on how we want to set that up, this all just disappears. Oh, so does it remember that? It might remember it, but you can't go back and be like, how do I answer these questions? So it's almost easier at that point rather than going through and trying to figure out how to change it through chat to start all over. Oh, wow. OK. All right. So now it's asking us, what should we avoid? And I kind of like that last thing it said there. It says, this could include avoiding technical jargon. No, we love technical jargon. How about no topics outside of the scope of technology and podcasting? You could copy that if you want. So is that all in this? Is that that's normal for podfeet, right? Right. I don't want to talk about anything outside of technology and podcasting. So this is how I get away with that. Instead of saying that, it said all questions. Oops. All questions out. Oh, I got my mic in front of my keyboard. I can't see. Oh, I hate that.
So you're you're he's writing out what he doesn't, what this thing should not talk about. All questions outside of what you'll find on podfeet.com, what are verboten should result in a your mama joke. So all of my GPTs, except for the HPV one, because we're actually showing that to a client, end with a your mama joke. And they are the most polite your mama jokes you'll ever see. OK, OK. So if anybody asks a vaccination question of podfeet.com, it'll say your mama, so whatever. Yeah. OK. And they're usually very complimentary. Every now and again, you'll get one that's not. But it's not even that bad, whether worthy or anything. No, no, no, it's nothing like that. So over here, Allison, we have the preview while it's updating that. We have the preview. If we practice inside this preview, it'll work. But for whatever reason, until you save it and go back into it, it doesn't work great. So we're going to save it. I mean, while you're building it, for sure, practice it. OK. So are we going to lose our create stuff right now? Yep. Yeah, we lost it all. It's all gone. Yep. So if we go back into Explorer and we might and we go to edit a GPT. It says, welcome back. Can you are you able to see all this? Yeah, it's saying just it's it's 10 minute time. It's lost. It's completely lost all information. Completely. So if you look over here in the configure part of things, it does have information that it created for you. But you can't edit that. Oh, yeah, you can edit it. But I found that it's easier just to throw this out and do it the way you do it because it just overruns you. But that's neither here nor there. We'll start here in a minute. So you're going to we're going to go look at the Podfeet Helper GPT. It exists right now. We're ready. So I need to stop sharing that screen and share a different screen because. So am I going to be are you going to suddenly spring on me? I've got to think of a good question. Yeah. All right.
What's the best way to use alt tags? So alt tags are the tags you put on images when you post them to social media so that they're available to screen readers. So let's see. Podfeet Helper says using alt tags effectively is important for both accessibility and SEO. I've never said that. OK, well, this is where this goes off the rails a little bit. It's the first question. OK. So we said that and I'm going to it's giving me a big old long answer. Yeah, it's been going on. I'm going to ask, did you get this from? Did you get this from podfeet.com? He's writing to it because it is literally still going. It's writing all kinds of nonsense. It's going it's doing research with Bing. Now it's searching your site. So what the people can't see is that it's coming up with the like a like a little search bar. It's not even a bar like a search like a circle pop up thing. Yeah. And it'll tell you what it's looking for. Now now it has after I asked did you get this from podfeet.com. It has something that looks a little closer to what would be on Allison's website. Yeah. So what I love about this is it's like you told the kid to write a book report and the kid went to Wikipedia and copied and pasted it. And you said, did you write this yourself? And then it goes back and goes, OK, I'll write it myself. Right. Correct. So now it says things like descriptive content. The alt text should go beyond basic descriptions for instead of just dog include the dog's color actions or other unique attributes. Sounds like something I might have said, you know, the last one was me. It says incorporating humor. Because sometimes I like to put in little Easter eggs in my alt tag. So it very likely could have gotten that from me. Now, look, if you look down here, we have the little quote. OK, there's a little quote mark. Looks like a link. And it says where it got the information from. Get your get your content out to more people by adding. And then alternative text, alternative text.
Oh, that's great. So that proves that it got some of this, at least from something I had actually written. Yeah. All right. And now we're going to ask it. Who won the 1986 Super Bowl? Oh, we should get a yo mama joke. We should. OK. And it didn't. It's telling us it was the Chicago Bears. Correct. My favorite team. That's the that was put in there. Did you get this? Did you get this from podfeet.com? You should have a TextExpander snippet for that. Yes. OK, so since obviously it didn't get it from here, now it says doing research with Bing. Now it switches it to researching the site podfeet.com. Correct. OK. It says it does not appear to be available about the 1986 Super Bowl. Why didn't it give us a yo mama joke? I do not know. This is to make it look silly on the podcast. Yeah. Well, no, this is actually part of the the point is hopefully hopefully when we do this the other way, it will be more consistent. OK, the other way. Yeah. So we're going to go to we're going to go back to explore. So the first way we did it was we did Create, but the other one's Configure, right? Correct. And. And it's spinning. Live demos, this is this is the best, right? I feel like Steve Jobs. Can everybody turn off your phone? There you go. OK. So we're back to the Create a GPT button, which is going to open this on another screen that I won't be able to see, right? Correct. So we'll go back. I got a lot of these open. So we're going to go back and share with you the new one. OK. So this time we're going to go with Configure and this is going to be different. OK. Yeah. So we've got to call this one Pod Bot, Pod Bot, a description. And then instructions. OK, for descriptions, he's putting in all things podfeet.com. Instructions. So I'm just going to say I want to create. A GPT for. But you don't have to give it all that W, W, W nonsense, right? Yeah, yeah. It's an AI for crying out loud. I can't figure it wouldn't think so. But sometimes you do have to be kind of specific.
You're not always like I was putting in weight Wyze cameras. And it was correcting it because in Apple's infinite wisdom was connected to Waze cameras and it still knew what I meant. OK. But then I was putting in wise cameras and it had no idea what I was talking about. That was within two minutes of each other. So. Yeah. OK, so we've got a name, description and then the instructions is going to be essentially like what we talked about before. So he's got I want to create a GPT for podfeet.com. Don't give me any information that is not found on podfeet.com. OK, so in theory, OK, now it's going to say if the question is not related, the information requested is not related. Give us a yo mama joke. Correct. Just like what we did before, but it's under instructions. OK, so we're we're just filling out a little form instead of just being completely free form. Correct. And this is really this gives you a lot of flexibility. If you find later if you find out later that there's something not quite right, but you don't know where to go to fix it. If you have your instructions, you can just I move it all on to a text program, a text editor, so that I don't have to. So I have to creating it. Why keep recreating it, but also like if you accidentally delete a section and you haven't you haven't saved it somewhere else. You don't get it back. That makes sense. You could try to control Z. But if you've already saved it, you're done. All right. So now you have to the next field is conversation starters. So tell me about Allison. Well, that's easy since there's a page called about me. Hopefully it'll figure that one out. We'll see what it does. So conversation starters and what do they what are they going to do is it's just going to be Oh, is this going to be the kind of questions that you would show to somebody saying, here's some typical things you could ask the pod about the pod. OK, got you. Tell me something cool. Why not buy a Wyze Cam?
Change it to buy instead of but. Oh, that way it might make worse, a little more sense. Nope, that's my fault. OK. All right. He's putting in a fourth one here. Oh, who won the 1986 Super Bowl? All right. All right. So if we wanted to, you see this section here that says knowledge. We could upload PDFs. We could upload pictures. We could upload Word docs so that it would be a little bit more accurate. So for my fire GPT, I have the entire Volume 2 SOPs that we use, which is the standard set of guidelines that's about an inch and a half or two inches thick. Standard everything that we do for every situation. OK, so use that you had a PDF of that or something that you submitted. Correct. OK. Yeah. So I just submitted that and that's what it goes off of. And honestly, when you have that kind of stuff, it actually works a little better. I would think so because it's really specific. It's I mean, that's that's narrow, right? Right. Right. So then we have capabilities, which we want to include. There's only three: web browsing, DALL-E, DALL-E image generation and code interpretation. I don't mess with code interpretation, but folks who are fans of Programming By Stealth might find this interesting. OK. And then it says, create new actions. What is that? That is something I do not understand. I do not have an authentication key. OK, so let's get that part, not something for today. OK. Did you just back out and lose everything? I don't know. Oh, no. You hit the wrong back button. OK, yeah, yeah, there we go. OK, share your screen again. It's popped away from me. Oh, OK. So we're we're done with the configurator, which we've done. We've given it essentially the same questions we had before, but we wrote our own. Hey, you might want to ask this Pod Bot these questions. But other than that, you've pretty much told it the same thing you did in Create. And do we get to test it now? Yes, actually, let me save this.
So he's going to save, confirm, and this should let us see it as a standalone. All right, here we are, pod bot, all things pod feed dot com. And he clicked on tell me about Allison. So didn't have to type anything because we already had it in there. It says, I'm the creator and host of the no silicast of technology podcast at pod feed dot com. All right. You know, it's pretty much as I'm about tech. Yeah, and it's got accessible in there. So yeah, that sounds like me. Oh, I recommend visiting pod feed dot com for more details. OK, he's written based on this information, give me a photo realistic image of my friend. And he's going to say of Allison. OK, so I did. And huh, yesterday, I can't create photo realistic images of specific individuals. You might want to go to the website, duh. OK, this is where you have to get creative. What do you think? The creator of the pod feed dot com looks like. All right, I'll be curious to see if that works. Use. Dali. OK, what do you think the creator of pod feed dot com looks like? So this actually this actually worked. Let's see. Say yes. So it just said I can't I can create an image based on a general description, but it's part to note this will not be a depiction of Allison Sheridan or any specific individual associated with pod feed dot com. You sure you want to do it? A fictional podcast host. I had to I did this three or four times yesterday and it worked every single time. So, you know, that was one day ago and there's Allison sitting in front of a mic. She's got a Mac. She's got two Macs. I that looks like pretty, pretty close to my my microphone style. I'm about 40 years younger. So I'm liking that. And it's got the wrong. It's got the wrong pop filter. And the microphone isn't plugged in anything. It's hanging out in space with no boom arm. Yes. And in the back, it's got a live sign to let everybody know that you're live on the air. But it says live. So I've noticed that with Dolly. 
It can't spell like even when you spell the thing you wanted to to to write in there, it spells it wrong. Yeah, it can't spell. At all. Like I had to do a logo. I said have some bare feet and I wanted to say no silicast and technology podcast with an ever so slight Mac or Apple bias and it misspelled no silicast. It put like four L's in it. Yeah. Yep. So I have this other podcast. I don't know if I could talk about yet, but we created our logo with Dolly and I had to ID like Frankenstein, like six or seven Dolly photos logos together to make ours work. But oftentimes it's spelled the name of the podcast wrong, despite the fact that we told it how to spell it. OK, so he just asked it. Tell me about Wisecams and should I buy one? And the advice says that you should definitely buy one because here's all the great reasons you should do it. So I think that one's that is not from pod fee dot com. So let's ask that is definitely not my current advice. This says as of April twenty twenty three cameras. Wisecams were popular for all these different things. OK, it says I can't access or retrieve information directly from pod fee.com or confirm a specific contest available there. Yeah, my answer, my responses are on general knowledge. Hmm. That's kind of interesting. So I can tell you like I had I created yours in the morning and then I created the document that I wrote up for the show in the afternoon and the morning answers were not as good as the afternoon answers. I do not know if it gets better over time. OK, he wrote try searching pod fee dot com for the answer. And we have now what looks like a religious painting of from like, I don't know, the fourteen hundreds. And this guy has got this this brush pointed up, but he's pointing at what looks like a little closed window box from windows. Correct. So this must be what the Pope sees when he opens the computer. I guess so. I'm guessing. 
So I mean, this was a spectacular failure, but over time, you could play with this as as you get a little bit more familiar with chat GPT and creating GPT, as you can play with this. And the product that you get. Most of the time gets better and better and better. Like my I showed my command. GPT to my chiefs that met my department and they were blown away by it because that up until now, this is not a joke. Sometimes people would draw on a whiteboard or draw on a piece of paper what you saw on a fire. It was not a it was a very low tech way of doing these things. So despite the fact that both of these GPTs failed today, don't let that deter you from creating a GPT because it might if you put the time and you put the energy in, you might get something pretty magical. So let's let's be perfectly clear. They were mostly impressed that it drew cool pictures of fire. Yeah. Well, they were impressed that because it gives you the biggest thing is you we have to keep because when when you go into a fire, you have to keep all of the units that are arriving on scene in your head. So you're not not only are you telling your crew what to do, incoming units or radioing in that they're on scene or staged in a specific location and you're assigning those units. And at the end of your your scenario or real life fire, you need to relay all of that information back to the battalion chief who gets on scene and wants to know what you have and where everybody is. So all of that information is random. So you can't get stuck in a you got this engine all the time. You get this ladder company all the time. You got this rescue all the time. It's all different and it it changes based on GPT's whim and the type of fire that changes and the information that you get back changes. So nobody has to be creative, thinking of different ways to ask what feels like kind of the same question they've been training on all along. And honestly, they're not creative. 
Like we are as firefighters, aren't that creative and their software that will do something similar to this. You have to build your own scenarios, but it costs five thousand dollars just to start using it. And if you wanted to add on, it's more than that. You got to buy a pretty beefy computer to make it work. So do you think that the success of that was based primarily on the fact that you were able to upload this very specific manual and that's what made it have good content to come back to you? No, I think let me see if I can go to mine. I think the success that is part of it, right? It stays within those rails, but I gave it very specific instructions when I did my. Can you still see? Right, I don't want to get too deep back into it or get low on time. But but you can see, like I said, this is what you need to do on dispatch. And you can see all the stuff that it's required on dispatch. This is phase two. This is what you need to do. So you were real specific on your instructions. Very specific. I wanted it to be have enough room to be creative and create a scenario that maybe we hadn't thought of before, but I didn't want it to go off the rails. And when I was using the GPT builder, every single time it went off the rails, you couldn't reign it in. Well, that's interesting. So the lesson is that configures a better way to go. Create might be a good way to start just to play with it. But configure gives you a little bit more control over where it's going to go because you can be so specific in those instructions and edit them and stuff. Yeah. And the biggest thing is, is later, if you find out that it's doing something you don't want it to do, you can go in and either create a new GPT and just copy and paste the instructions in. Right. Or you can you can go in and you can try to edit it where you think you've gone wrong in its understanding of your instruction set. I wonder whether it gets better over time. 
Like right now, did it instantaneously literally absorb all of the data from? I mean, I've written a lot. I write about five thousand words a week and I've been writing for 18 and a half years. It can't have absorbed all that in the time that you hit go. No, I don't think it could have either. Yesterday, it was doing very good. And this also has to do a lot with how busy it is. Yeah. So I was doing it on a Sunday when I started. It was a Sunday at about six o'clock in the morning. And then when I went back to it, it was a Sunday about seven thirty eight o'clock at night. So I don't know how many people were on it at during that time. But also in the middle of the daytime, it airs out quite frequently. So it may just be that we're in a scenario where we have lots of people using it and it's just it just throws up its hands, you know, freaks out, throws up its hands and crawls underneath a weighted blanket and says, I'm done for the day. Well, speaking of done for the day, I think I'm going to close this out here. But this is cool. I now understand what a GPT is, how to actually build one, what to start doing to try to learn to give it the right kind of instructions. And it makes me jealous that I can't get in yet and try it. But I guess it's good if it's getting hammered so heavily. And of course, like you said, the company's been through a little bit, a wee bit of turmoil over the last couple of weeks. So yeah, this is very cool. I appreciate you teaching us this, Bode. Hopefully it was informative and not boring. I wasn't bored a bit. I never am when I'm talking to you. I think you should put that on your CV, never boring. Well, put it on. Allison is never bored when talking to me. I'll be very specific. There you go. All right. If people want to check out the Kilowatt podcast, where would they go? Just search for Kilowatt podcast in your pod catcher choice. It's pretty, pretty simple. 
I have an email address that if you want to contact me, because if you have questions and I didn't explain something very well, it's bodibode at 918digital.com. That's great. All right. Thanks a lot, buddy. I appreciate it. Thank you, Allison. Hi, folks. Bart here with, unfortunately, a solo security bits. And I'm afraid you're going to have to get used to it a little bit because with the silly season being what it is, I'm penciled in to do at least one more of these. And we haven't quite got around to penciling in further. So it's possible I'll end up doing another one even beyond this. But anyway, for the 22nd of December, which is when I'm recording this, it is just me. I will do my best to channel my inner adolescent as always as we dive into two more weeks worth of security news. First off, some follow ups. And so if we talked about last time, we had mentioned that thanks to the sterling work of Senator Rodney Wyden, we were now all aware of a new type of law enforcement. But spying is perhaps too strong a word, but data acquisition that we were not aware of and that they had basically Apple were and Google were prohibited from letting us know that it was possible for law enforcement to request from them the metadata for all of our push notifications, both through the Google Play Store and through the Apple Store. And those push notifications, they contain a lot of data that allows law enforcement to do things we wouldn't have considered possible, such as tie a real world identity to supposedly anonymous messaging services, you know, like signal and so forth. So it was kind of a big deal. And once Senator Wyden released his letter, Apple were allowed to admit that it was going on as with Google and they both promised to tell us more about it. And it became obvious that there was a discrepancy, presumably because neither was able to talk to there before, but basically Google had a tighter process. 
They required a judge to approve a search warrant before they would hand over data, whereas Apple did not. Well, they reburied shortly after we recorded last time Apple updated their policy so that they are now in line with Google. So in order to get push notification metadata, it does now have to go in front of a judge, which seems like a much better safeguard for regular folk. In related news, should you be interested, there is a link in the show notes to the full process document that Apple published for US law enforcement listing everything they can request and how they can request it. It is not a short document. And it's interesting and it's full of caveats, you know, saying, well, actually, we can't do this. You can ask us for this, but we can only, you know, it's all very interesting, but there's a lot there. So definitely worth a read if you're curious about such things. We also talked a lot about Beeper Mini, the app that was the briefly was able to give blue bubbles at Android and it had already developed into a cat and mouse game when last we spoke and I had predicted it would remain in cat and mouse game until someone gave up. I had expected it to last a little bit longer, but well, Beeper have thrown in the proverbial towel. They have decided they're not playing the cat and mouse game anymore. They're having one more roll of the die and then that's it. They're saying that if this last thing they're doing is worked around by Apple, then they're not doing that anymore. Now, this is all kind of very interesting. So since last we spoke with this, I now have much better understanding of where the pitfalls were with this. So last time, we were saying that Beeper were absolutely certain it would be very difficult for them to be locked out of the protocol and they had figured out how it worked and Apple couldn't lock them out without changing everything on every iPhone. 
And I don't know if I expressed skepticism on the show, but I certainly felt skepticism and if I didn't express that I should have, that didn't smell right to me. And lo and behold, you know, they were cut off. And it turns out that the reason they were cut off was because the iMessage protocol requires a device ID to be cryptographically entangled. I think the correct technical term into some of the steps of the registration process. And there's also a sort of a periodic check-in where the device has to keep checking in with Apple. And again, you need the device ID to be cryptographically signed with a bunch of other stuff. So you need to have device IDs. And initially, Beeper were simply reusing the same device ID they'd gotten from somewhere before and it was one of their own iPhones or something. But they were using the same device ID for everything, which is how Apple were so easily able to turn off the speaker when they decided they wanted to. Because everything done with that device ID could just be removed from Apple's end of the cloud service. Poof! All vanished in an instant. The next turn of the wheel then, Beeper started to use a different pool of device IDs they'd gotten from somewhere and they had sort of figured out that if they do 20 devices per device ID they should be fine. That also didn't last very long until Apple pulled the plug. So then they decided that what they would start to do was to use Mac device IDs to register their stuff. But Apple seemed to have been able to figure out which Mac device IDs were legitimately being used and which weren't because that was then promptly killed. And at that point you couldn't even register the phone number, which is kind of the point of the whole thing. So the whole thing was already a farce at that stage, but it got one bit farceer, if that is a word. 
When the final update, which is now what they have said, that this is it, they're not going any further than this, but the final update, if you're absolutely positively desperate, then what you need, and I'm not joking, I'm not making this up, what you need to use Beeper Mini to use blue bubbles on Android is a jailbroken iPhone. And not just once, but you need to keep it permanently jailbroken, powered up and connected to Wi-Fi so that it can continuously do that whole device ID thing. So I am sure someone somewhere will make use of this. But it's not going to be a mainstream thing, and requiring a jailbroken iPhone in order to use Android doesn't seem like much of a runner. So yeah, I think this game is over. Now something, a lot of people got all caught up in the whole antitrust, antitrust, antitrust thing, which as a European doesn't gel with me in the slightest, because Apple don't have a lock-in on messaging. In fact, if anything, what they have done by not being cross-platform is they've locked themselves out. Because those of us in Europe have figured out ages ago how you get reliable, workable, doesn't break every five minutes, cross-app messaging, or sorry, cross-platform messaging with all of your friends on every platform. The answer is not iMessage. It can be WhatsApp, it can be Signal, it can be Telegram, it can be basically anything, just not iMessage. And maybe it's a critical mass thing or something, but we in Europe don't suffer from this blue bubble, green bubble thing, because we don't use blue bubbles or green bubbles, we just use Telegram, WhatsApp, Signal, etc. Anyway, I was getting lost there for a second, so I was never particularly caught up in this whole antitrust thing. Of course Apple have the right to protect their platform. 
What worried me was the fact that it seemed to be so easy to bypass the security on iMessage, and then actually I found quite scary, so I'm actually quite relieved that Apple were able to lock this down quickly, because that at least shows that they're in control of their platform, which means that the platform actually seems a lot safer than I feared it was. But again, that's not a particularly popular point of view in these things. It's a bit like jail breaking, really. I'm always relieved when jail breaking is impossible, because it means my device is secure. I have one deep dive. Initially I thought maybe this would be a panicky deep dive, but it's not quite a fire extinguisher, because we're not sure, but it's probably a fire extinguisher-ish. What am I talking about? Well, Cox Media Group, as I understand it, Cox is an American cable company. Cox Media Group were found to be advertising a product to advertisers, offering something they called Active Listening, where you could buy access to customers based on what Cox Media Group heard them talking about. What Cox were promising was that they could use smart televisions, smart phones, and other connected devices to listen to people in real time, translate their random conversations, and then sell ads based on what they were talking about, which is proper scary stuff. And they gave examples in this advertisement for advertisers, where they said, I mean, just imagine if you could buy advertisements based off statements like, the car lease ends in the month, we need to plan. A minivan would be perfect for us. Do I see mold on the ceiling? We need to get serious about planning retirement. This AC is on its last leg. I don't know that it's supposed to be last leg's plural, but anyway, not the smartest people clearly. We need a better mortgage rate, apparently they thought people say randomly in their own homes. Anyway, based on the advert, it was pretty scary stuff. 
And once 404 Media broke the story on their blog, the Cox Media Group promptly deleted or removed or blocked this page on their website and said basically nothing. It's not really clear at this stage whether this product was really real or whether it was aspirational more than it was real. It may have been vaporware. Now, we do know that smart TVs are being used to monetize themselves by listening into what people say. That's not a conspiracy theory. That's the thing. That is how a lot of the cheaper Apple, or say the cheaper smart TVs, are able to be cheaper because the companies selling those cheaper smart TVs are also selling access to the viewer or data on the viewer as a way of monetizing their stuff. So the smart TV bit, that seems plausible, but the smart phone stuff isn't really possible because our smart phones all have little indicators to show the microphone is active. And so if there was an app that was booby trapped, then it could listen while the app was running, but it would show the indicator in the menu bar. We would also see this constant flow of data from our phones. I don't believe it's feasible to believe that this is happening at any sort of a scale and no one's noticed because privacy researchers are constantly looking at what is streaming out of our phones across our networks. And there is no sign of this flood of data that would need for this product to be real. So it's probably a vaporware. It's probably not real, but possibly part of it is in terms of the smart television. So my takeaway in all this is that I was always pretty sure that I was never going to connect my television to the internet. And I am now extremely sure I'm never going to connect my television to the internet. 
What I'm going to continue to do is to buy the smarts for my television separate from my television and continue to use Apple TVs in my case, but an Amazon Fire Stick is a perfectly valid alternative as well, and basically bring the smart to the television myself, connect the smart bit that I bring myself to the internet and never ever ever ever ever let my television anywhere within a million miles of an internet connection. Links in the show notes to the original reporting and some various analysis on it. The 9to5 article, 9to5Mac article, linked as the third link in the show notes. Their final take aligns pretty well with sort of my feeling of, I don't think this is actually even vaguely as real as they were pretending it was. I think it was advertisers not being particularly honest. But it was pretty, pretty galling stuff, and Steve Gibson on Security Now came to a similar conclusion, that basically this is probably hot air, but the fact that someone thought that this was something they could aspire to is terrifying. Moving on to action alerts, lots of patchy patchy patch patch here. Apple had, very shortly after we spoke last, Apple released emergency updates to fix zero days in older devices. So when we last recorded, Apple had just released zero-day fixes for their current OSs, and then within a few days of us recording they backported those fixes to iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2 and watchOS 10.2. Google meanwhile have fixed their 8th zero day of the year. So patchy patchy patch patch, or in the case of Google Chrome, turn it off and turn it on again so it patches itself. And should any NosillaCastaways be fellow pfSense users, be aware that there are some fairly nasty bugs that have just been patched in pfSense. So be sure you have automatic updates turned on in your pfSense box and that you reboot it, or that you allow it to reboot itself, to actually fully apply those updates, which you are hopefully doing automatically. 
Moving along then to worthy warnings. We have some potentially relevant warnings from government organizations and public interest groups. I'm reading my own description the show notes. Okay. Anyway, the first thing I want to draw your attention to is that we have discovered a new technique being used by attackers to try and get around two factor or multi-factor authentication. So we've already seen fairly technologically advanced things where you have real-time proxying services where you can basically buy malware as a service and buying the time from a human being in a low-wage country and to in real time be an adversary in the middle and attack two-factor authentication. And that's happening for real. Actually being sold on the dark web and succeeding in taking over people's accounts and bypassing multi-factor that way. But this new campaign is interesting. Now it targets at the moment it's targeting Instagram but it doesn't matter that it's targeting Instagram. Takeaway here isn't there's a phishing campaign targeting Instagram. The takeaway for me was that this particular phishing campaign is using a new novel trick to get around two-factor authentication. So when you set up two-factor authentication you're generally speaking offered, in fact not so much offered, you're basically told save these recovery codes because if you lose your device and you can't generate the six-digit number or whatever you need these recovery codes to get back into your account. Well the phishers are now trying to trick people into handing over their recovery codes. Thereby they can remove multi-factor or two-factor authentication entirely and then take over your account. So do not allow anyone to trick you into handing over your recovery codes that is the keys to the kingdom. 
Another thing you should be aware of is that Twitter slash X has a very silly bug that allows links to lie, and it allows the links to lie in such a way that it appears that a link is to a tweet, or whatever, a post I guess we're calling it these days, from someone whom it is not from. So when you see the URL that, you know, when someone shares Twitter slash X posts with you, the URL is twitter.com forward slash username forward slash a big glop of random digits, which is the ID of the post. And you know, you as a human looking at that URL, the random ID on the back is not going to catch your eye. What's going to catch your eye is the username, and you're going to assume that that is the username that posted the tweet. That part of the URL is purely decorative. It has no actual effect on the functionality of the URL. You can change the username piece of that URL to waffles, and as long as the post ID is correct, the URL will take you to that post. So to maliciously use this, you can email someone a link that quite clearly appears to be from a reputable person, and when you click on it you end up on a different Twitter account. And if that different person has been clever about it, they will have, you know, adapted their icon and so forth, and maybe their display name, to look just like the person they're impersonating in the URL, and unless you're very careful you won't notice that you've ended up on a tweet that doesn't match the URL you've clicked. 
I mean, it's not enough on its own to do a lot of harm, but it makes effective phishing darn easy compared to what it should be. So really, Twitter need to fix this. Like, the username should be forced to match the post ID or the URL should not work. And in related news, there was another critical bug in Twitter which would have allowed anyone to take over your account, and it ended up being fixed, not because Twitter were being proactive and good citizens on the internet, of course not. It got fixed because the person who tried to report it was told to go pound sand, so he reported publicly, and then they banned him from the bug bounty program and reluctantly fixed it. This is like, if you'd like an example of how not to run a bug bounty program, here you have one. Shock and or horror, Twitter's gone to absolute poop. Something which makes me a lot sadder, because they're generally not considered to be absolute poop: there is a company that do very good value networking gear called Ubiquiti, and we now know they had a brief database corruption. And we know it was brief and we know how many people are involved, and it's all sort of been looked at, but briefly the database that mapped device IDs to user IDs got corrupted, so other people's cameras showed up in the wrong, basically, cameras went to the wrong account. And so when you went to the cloud interface you could see other people's cameras, because they were accidentally assigned to your account, and your cameras may have ended up assigned to someone else's account. The whole thing was quickly corrected, but it's kind of scary. And so if you are a Ubiquiti user, maybe just be aware that wherever your camera is pointing, if it's pointing at something sensitive, that something sensitive may have been seen, and maybe that means you need to do something. Probability is low. It was very short lived. You'd need to be very unlucky for this to have caused you some sort of harm. Be aware, just be aware. I don't like doing too many data breaches these days because I can 
hear Allison's voice in my head telling me, yeah, well, what can ordinary people do about it? But every now and then they're big enough that I think, yeah, I probably should talk about this one. So I have two of these that reluctantly met the bar. I have about 10 I threw out that didn't meet the bar, but these two I think do meet the bar. So the first is Xfinity, where I put the major ISP in the United States. So major they managed to lose data on 35 million, with an M, people, and rather unusually for recent data breaches, they did indeed lose the usernames and passwords. Now, they were hashed, but they'd nonetheless lost the password database, so if your password wasn't particularly strong it easily could be reversed, or it's going to fall quickly. And if you reuse the same password anywhere that you used on Xfinity: A, make sure you've changed the Xfinity, and B, make sure you've changed it everywhere else you've reused it too. And then another one that sort of reaches the bar of, yeah, you really do need to watch out for this one: major, major mortgage company Mr Cooper had a data breach affecting 14.7 million Americans. And while this one doesn't contain usernames and passwords, it does contain social security numbers, bank account numbers, as well as names and so on and so forth. So with the social security number and the bank numbers, I actually fear financial fraud may even be possible, but what's definitely, definitely possible is extremely convincing automated targeted phishing emails. If you know someone's name and their bank account number, you can create a very convincing phish that pretends to be from the bank and says, hi, we're contacting you about your bank account, last six digits of the account number blah. You can really start to sound very convincing with that kind of information. So if you got a mortgage through Mr Cooper, be very on the lookout for being targeted by clever phishing. You definitely are at risk. Moving us into notable news, I'm going to start with the bad news, get it out of the way 
first, and then go into better news. So everyone needs to be a, everyone who uses SSH, which is a lot of the NosillaCastaways, and that includes secure FTP by the way, you need to be aware that a new attack has been discovered that can downgrade the security of OpenSSH connections to the point where basically an adversary in the middle can break into your SSH connections. Now, the silver lining here is that it needs to be an adversary in the middle. An attacker needs to get themselves into a position where they are between you and the server you're SSHing into, and they need to be able to not just see the data flowing over and back, they need to be able to manipulate the data flowing between you and the server. And they can use some interesting interactions between the transport layer security and the OpenSSH protocols to basically break the encryption. And neither technology on its own should allow a breaking of encryption, but the way the two of them work together, basically a flaw found in how these technologies are talking to each other. It may actually require substantial change to SSH to fix this permanently, so it may actually be the case that the advice will be don't use anything less than SSH3, which is not yet. But in the mean, in the short term, what does this mean for us? Well, what this means is that we should all be aware that SSH is not safe in a place where you don't trust your internet connection. So if you're in a coffee shop or hotel Wi-Fi, you need to be aware that someone else sharing that Wi-Fi with you could intercept your SSH connections. And so my takeaway is VPN then SSH when you're out and about, and that should keep you safe, because again, unless the attacker is an adversary in the middle, this vulnerability doesn't apply. So SSH through a VPN, that's the way to go. Right, moving on then. Now, that's for the bad news column. Fairly bad news. By the way, it's called the Terrapin attack, if you're curious. So first bit of good news comes from Google. So a particularly legally 
questionable, the EFF asserts that this is in breach of the Fourth Amendment of the US Constitution, and I very much agree with the EFF's assertion. What am I talking about? Well, the Fourth Amendment protects from, what's the word they use, it's unreasonable search and seizure. And what has been happening, because it is conceivably possible with Android, is that law enforcement are going to judges with so-called geofence warrants, where they, the evidence they presented is, "There was a crime, and we believe it's reasonable to assume that the person who carried out this crime was carrying a phone because they were human in the 21st century, therefore we want Google to tell us every single phone that was in blah yards or blah miles of the crime scene at the time of the crime." And effectively everyone with an Android phone within a radius of a crime just becomes a suspect. That is unreasonable search and seizure in my book. So anyway, the fact that Google had the data meant it was possible for them to be compelled to hand over the data. Google is changing how it stores location data so that Google don't have access to it anymore. So you, the user, aren't going to lose any functionality, but, you know, with the joys of modern encryption and so forth, Google are going to be unable to collate this kind of data and answer these kinds of probably illegal warrants. Problemo solved. And they're going to get a pat on the back from the EFF, and I'm going to say nice things about them, even though they should have done this ages ago. And Apple don't need to do anything, because Apple were never collecting this information, because Apple don't like having information like this, because then they could be forced to hand it over. And I do much prefer Apple's approach to these things. Another piece of good news, this time from Microsoft land. Throughout the pandemic we had story after story about spectacular zero-day vulnerabilities in Microsoft's print spooler, to the point that the advice for much of the
pandemic was, unless you actually need your computer to print, unless you actually have a printer connected to your computer, disable the print spooler, because it's riddled with security vulnerabilities, and whenever Microsoft would patch one, another bug would be found almost right away. Like, you know, it was the done thing in corporate land to push out a group policy update to just disable the print spooler en masse. You know, print servers need a print spooler, nothing else needs a print spooler. Push it out by group policy object, push it out to the whole domain by GPO. Try and wreck up a mess. The print, the printing system, probably because it was very old, been part of Windows for ages, went on to the radar of attackers. Attackers started poking in it, and once they pulled on one thread, the woolly jumper just disintegrated. That was about, you know, a year or two years ago, and Microsoft have obviously been busy behind the scenes trying to figure out how to reinvent that particular wheel so that it is not so flawed, and we now get to see the fruit of their work. It is called the Windows Protected Print Mode, and it is going to be slowly rolled out, but it, as part of the rollout, is going to become the default, and in protected print mode these nasty vulnerabilities all go away. Basically, the print system joins the 21st century. So I am very happy to see Windows getting, and those are important, under-the-hood updates to make it more secure. Meanwhile, again, still in the good news column, Apple get to join the good news column. So over the, again, last year or so, we have seen reports of iPhone thefts combined with the stealing, somehow, of iPhone passcodes, then being used to disable, or to change the password in fact, on people's Apple IDs, and potentially re-register faces with Face ID and make payments using Apple Pay and so forth. So what was ending up happening was people's bank accounts were being emptied, people's entire digital lives were being destroyed, and people's iPhones were being stolen and
then resold on the black market because they were then device unlocked. The phone being lost is almost the least bad of the thing. The emptying of your bank account and destroying your digital life parts are actually worse. And this is all to do with one of those very annoying trade-offs, where Apple historically had a lot of problems with people losing their iCloud password and losing all of their stuff. So the solution to that was to allow proof of control of an iPhone that is connected to the iCloud account to be a mechanism for resetting the iCloud password, i.e. the passcode on your iPhone can reset your Apple ID. And that saves a lot of people losing their data through, well, let's just call it carelessness, and it removes a whole bunch of Apple support calls. It moves on from the column of "I'm sorry, we can't help you, you've just lost your entire digital life" into the, actually, the easy fixes, they just used the passcode from your phone. And so on balance this was actually probably saving a lot more data than it was losing. But of course, once the attackers got good at this, they were developing techniques where they could, we now know that there were crime sprees where 20, 30 phones could be taken in a night with the passcode successfully, and people's entire digital lives were being opened. And so this feature suddenly became a bug. And Joanna Stern at the Wall Street Journal deserves a lot of credit for highlighting the abuse of this feature, and Apple have now responded to that change in reality, and iOS 17.3, which is now in beta, will introduce a new opt-in feature. At the moment it's opt-in, I don't know if in the future they might make it opt-on by default, but it's starting off as opt-in, called Stolen Device Protection. If you turn this feature on, and if you have done that thing where you can tell your iPhone that this is my home and this is my work, then when your phone is not in one of those explicitly specified as trusted places, then if you try to do certain sensitive things
like change your biometrics, register a different face, register a different finger, or change your Apple ID password, then you will be required to do a biometric, wait an hour, do another biometric, and then you can reset the password. So in the situations where you have genuinely lost your Apple ID details and you need to make use of this ability to use the iPhone to reset the Apple ID, you still can. You either need to be at home or at work, or you need to wait an hour, and that's not actually a bad inconvenience. But the spate of phone thefts in bars is very much thwarted by this, because the trick of swipe the phone, get to the passcode, and then immediately reset the Apple ID, that goes away. Now, very much related to this story is a video Joanna Stern had, now, Joanna Stern actually done this before Apple announced the feature, which is kind of interesting. So Joanna Stern interviewed in prison a man who was convicted for stealing iPhones with their passcodes and blanking the Apple IDs, etc., and the interview was fascinating for a bunch of different reasons. One of those reasons is that the, well, actually, the criminal basically said, "I can reset an Apple ID account in about five seconds, and that's the first thing I do. Then I changed the face registered with Face ID so that I can quickly do all sorts of things." And a lot of banking apps are only protected by Face ID, so then they can start to transfer money, they can use Face ID then to make Apple Pay payments, so they go to the local store and they buy the most expensive things they can. And that was interesting. And then the other interesting thing was, how do you get the passcodes? And the answer was disappointingly non-technical. You know, Joanna was like, "Do you video people surreptitiously?" And then, "No, that's far too complicated." No, social engineering. You just ask people for it, and if you do it right, you get what you need. Basically, it wasn't rocket science, it was EOD social engineering and quick fingers. So we all thought this might be high-tech
crime. Not high-tech at all, just informed thieves abusing a feature designed to save people's data and ironically resulting in destroying a lot of people's data. Anyway, when iOS 17.3 comes out, people who spend time out and about in bars should really consider enabling this feature, Stolen Device Protection, because it does sound like it will provide a very strong protection from the current wave of thefts. Still in the good news column, and back to Google. Google have released some details, this is really technical stuff, right, the link is in the show notes if you want to go read the technical stuff. Clang is a compiler, I can just tell you that. Anyway, the takeaway is that Google have, say, have released some details about how they're going to use a very cool security feature in the compiler they use, which basically does security checks at the point in time the code is being compiled. That's a very powerful place to do your security checks, because it means that there is a check going on between the human being typing the code and the ones and zeros that go into the device. And they're starting to roll this out with the most security-sensitive parts of Android, and they're going to start to expand this to more and more of Android, but they're starting with the drivers for the basebands, the cellular radios inside your Android phones, and that is an extremely good place to start this kind of security work. And it's great to see Google are heading this way and are going to start rolling it out to more and more of the core OS. So Google are definitely to be commended for that. Also to be commended, Discord is rolling out support for security keys, specifically WebAuthn, which means in practical terms either hardware dongles like your YubiKeys, or passkeys. So that is a nice way to secure your Discord account. This is important for many of our NosillaCastaways. Discord is a thing in the NosillaCast community. And finally, I get to say some nice things about Meta, specifically about Threads. First
off, Threads is launching in Europe with what Meta believe are sufficient privacy protections to meet EU law. The reason we didn't get it as quickly as America is because we have much better privacy protections, and it took Facebook some time, so Meta some time, to bring their product into line with these privacy laws. I've seen some people debate whether or not they're fully compliant with EU laws. They certainly believe they are, and I guess some lawyers may need to become involved at some stage in the future. We shall see. But anyway, you know, privacy tweaks have been made and Threads is now available in Europe. And one of the things that was promised, which again I think was partly to mollify European regulators for the Digital Markets Act and stuff, as opposed to the GDPR, Meta said that Threads would be an open platform in that it would interact with ActivityPub, which is the open source protocol that powers a bunch of stuff, most importantly Mastodon, which means that you can follow Threads users on Mastodon. Because Threads is now being federated over ActivityPub, you can subscribe to a Threads user from Mastodon or anything else on ActivityPub. Kind of cool. And all of that burst of good news is the end of my show notes, apart from one palate cleanser. So I'm hoping Allison will like this one. Actually, you know, Excel is perhaps the most advanced incarnation of the calculator, but we humans have been mechanizing counting for millennia, and 99% Invisible is one of my favorite podcasts for the design of simple things you don't think about, and their episode 563 is an interview with an author who wrote a book on the history of the calculator. And it really is a fascinating story that starts us off with counting beads and abacus and things like that, and takes us all the way up to electromechanical and mechanical calculators. Lots of things that Allison will love. The slide rule, the slide rule features heavily because it's kind of a magical device. I think Allison will love this. I think a
lot of NosillaCastaways will love this. It's called Empire of the Sum, 99% Invisible episode 563, linked in the show notes. If, while all other podcasts apart from the wonderful NosillaCast are going on hiatus over the holiday season, you're in need of some extra listening, I would highly recommend all of 99% Invisible. That is absolutely one of my favorite podcasts. Right, I'm going to draw a line under it here. I have noticed I have managed it off for 38 minutes, so apparently, as well as helping me to be more accurate, more honest and more clear, Allison also somehow managed to simultaneously make me be more brief. You knew. Anyway, until next time, remember folks, stay patched so you stay secure. Well, thanks so much for that, Bart. I know you don't like doing the show alone, and I don't like missing doing the show with you, but it sounds like there was enough meat there without me asking endless questions to make it take even longer. But really appreciate you standing in for me on, on your own there, so that I could play with my grandkids. Since Christmas will soon be here, I thought it would be a good time to resurrect the poem that has become a holiday tradition on the NosillaCast. In 2019 we lost our beloved Honda Bob, a longtime NosillaCastaway and contributor to the show and a very dear friend, but his memory and the silliness he inspired in the NosillaCastaways will live on. So grab a hot beverage and some cookies, sit back, relax, and enjoy a slightly modified version of The Night Before Christmas, dedicated to Honda Bob. 'Twas the night before Christmas, when all through the house, not a creature was stirring, not even a trackpad. Okay, work with me here. The AirPods were hung by the chimney with care, in hopes that all things i maker soon would be there. The NosillaCastaways were nestled all snug in their beds, while visions of iPads danced in their heads. And Podfeet in her kerchief, and I in my cravat, had just settled down for a long winter Skype chat, when out on the lawn there arose such a clatter,
I sprang from the keyboard to see what was the matter. Away to the windows I flew like a flash drive, tore open the shutters and nearly did a nosedive. The moon on the breast of the new-fallen snow gave the luster of brushed aluminum to objects below, when what to my eyes seemed very bizarre, but a miniature sleigh and eight tiny cars, with a little old driver with whom helves hobdob, I knew in a moment it must be Honda Bob. More rapid than 5G his vehicles they came, and he tweeted and shouted and called them by name: "Now Accord, now Civic, now Fit and CR-V! On Element, on Ridgeline, on Pilot and Odyssey! To the top of the porch, to the top of the wall, now drive away, drive away, drive away all!" As dry leaves that before the reality distortion field endowed, when they meet with an obstacle, mount to the cloud, so up to the housetop the vehicles they flew, with the sleigh full of Apple products and Honda Bob too. And then in a twinkling I heard with a squeal the skidding and sliding of each little wheel. As I drew in my head and was turning around, down the chimney Bob came with a bound. He was dressed in coveralls from his head to his foot, and his clothes were all tarnished with oil and soot. A bundle of SSDs he had flung in his SCOTTeVEST, and he looked like a geek who was extremely obsessed. A wink of his eye and a look not too pious soon gave me to know he had an Apple bias. He spoke not a word but texted his concern, and he filled all the stockings and then hit return, and laying a finger aside his levitation app, a command to his iPad, up the chimney ASAP. He sprang to his sleigh and the autos did they bristle, and away they all flew as if shot from a missile. But I heard him exclaim as the poem prescribed, "Happy Christmas to all, and please stay subscribed." Thanks for doing that every year, Steve. I really do miss Honda Bob, but this brings back some nice memories. But that's going to wind us up for this week. Even during the holidays you can email me at allison@podfeet.com. I can't promise
I'll be quite as responsive as I normally am, but I will have some downtime over the holidays. If you have a question or suggestion, just send it on over to allison@podfeet.com, and you can always follow me on Mastodon at @podfeet@chaos.social. Remember, everything good starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. Because for the show I go to podfeet.com/patreon, or with a one-time donation at podfeet.com/paypal. And if you want to join in the fun of the live show, you're gonna have to wait until 2024, but when you do, head on over to podfeet.com/live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.