Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, February 18th, 2024, and this is show number 980. Before we get into the show, I want to announce that there will be no live show next week. Steve and I are going to go to our granddaughter's fourth birthday party in Texas and we'll be gone over the weekend. We get so little time with our son Kyle and his family that we don't want to miss a precious second, so we're not going to do the show from there. It would also be a lot of gear to carry on a plane, and their house has hardwood floors and three tiny and very exuberant children, so the audio might be a little bit rugged as well. Now, just in case you thought our nearly 19-year streak would break, I expect to publish next week's show on Tuesday. That's the day after tomorrow for me right now, and that'll be before we leave. You're more than welcome to wait until your normal date and time to listen, or you can open your present early. It's up to you. We'll be back to doing the live show on Sunday, March 3rd. Last week I told you about the tutorial I created for the subscription-based service ScreenCastsOnline. That tutorial was all about how to add image descriptions when posting to social media. This is essential to make sure that everyone can enjoy the content you create, and it increases your reach to have more people be able to enjoy that content. I got to thinking about how important this subject is, so I asked Lee Garrett, the new owner of ScreenCastsOnline, whether he might consider making this one tutorial free rather than behind the paywall. He watched my tutorial and he immediately agreed. I put a new link in the show notes directly to this tutorial on the ScreenCastsOnline website, and I hope you'll go and watch it. 
I gotta tell you, it's far easier to add image descriptions today than it ever was in the past, but there are some tricks to finding the right buttons in each service, and I try to teach that in my ScreenCastsOnline tutorial. In case you're wondering, Don McAllister is still on board with ScreenCastsOnline, but he's handed the management and day-to-day operations off to Lee. Don will get back to doing more video tutorials now. I support this 100% because he is the master of tutorials. Additionally, Lee is a great guy and he's been teaching at ScreenCastsOnline for a long time, so it was a great fit and a seamless handoff. We get the best of all worlds. In this week's episode of Programming By Stealth, Bart continues to expand our knowledge on how to use jq to query and manipulate JSON files. We learned how to use mathematical operators on data in our JSON files, along with fun functions like floor and absolute value. I even contributed some to the learning by showing examples of how ceil, that's C-E-I-L for ceiling, floor and round produce curiously different results when operating on negative numbers, specifically negative decimal numbers. We moved on to learning about both plain assignment and update assignment. That seems like a small deal, but the ability to set a parameter using the plain assignment equals versus the ability to update a value using pipe equals is actually huge and has lots of subtleties to it. I think one of my favorite parts was when Bart took us back to our JavaScript lessons and reminded us of how weird it is on one concept, but how jq is much more in line with other modern programming languages. I felt like a seasoned programmer because I knew the history of what we'd learned. Finally, we learned how you can actually divide strings. I know, weird, right? All right, that's enough spoilers. 
You should check out Programming By Stealth, episode 161, and you can, of course, read Bart's fabulous tutorial show notes at pbs.bartificer.net, and you can subscribe to the podcast by looking for Programming By Stealth or Chit Chat Across the Pond. Let's start off with another interview from CES. We all love cameras and, of course, AI is the center of absolutely everything at CES these days. I'm in the Slim Design booth and they promised the world's first miniaturized affordable AI body camera. That's all the buzzwords. Anyway, I'm here with Walter Koenigs and he's gonna tell us all about it. Yes, thank you for having me. We are a design agency. We develop consumer electronics for a lot of companies. We've done a lot of cameras for MSI 360 camera for Panasonic and other, yeah. And we also do body cameras. So when we were developing the body cameras for the Dutch police, we saw that there is a sort of a lot of other use cases, and also professionals would like a small camera that's cheap, but they don't get one because it's too expensive. So like bus drivers and all kinds. So what we set out to do is make a very small camera that uses your phone as the hardware. So it stores on the phone and it also uses the connection, the connectivity of the phone. So we can make the camera small and very cheap, and that's basically what we set out. Is it over Bluetooth, or what is the connectivity? Yeah, our own connectivity. So, and that's something that we developed. Proprietary network between the two. Okay, so I'm looking at it right now. This is a video and audio podcast, so I'm gonna explain a lot. So it looks to be about maybe not even two inches across and maybe a half an inch, three quarters of an inch tall. And it's got a big red oval on it telling people I'm recording you right now, correct? And so how does it work? How do you enable it? What is it? So if you press it for a long press, it starts the alarm, and the alarm is then sent to a pre-selected emergency contact. 
So then it's somebody or your father or maybe somebody else, or it can be the back end of a security company that has people watching. And here you see a demo of that. So it's basically for families, persons themselves, or for more professional that they can use it. So I'm wearing that, the body cam, PhoneCam. And I'm wearing it because I'm gonna walk down a dark alley at CES and some dodgy person starts coming towards me. I press and hold for the alarm, but I'm also recording at the same time. Yes, so it's then sent to the clouds. So whenever somebody then grabs it off you, it's still the footage and yeah, it's still in the clouds and you can use it later for in court or anything. So what is the, if it's going to the cloud, then it's going from there from the PhoneCam to the phone up to the cloud. And then are there other uses for that data, for viewing it? I mean, are you gonna do a kid's birthday party with this? Sure, you can also just record things and have it as a GoPro kind of thing. But also we see a lot of use cases where people that are working in remote areas and they don't have all the expertise, they can then just press the button. The call goes to a backend where there's an expert that can help them then do things that they don't normally do. So you see now then tasks can be done by less qualified personnel that can then do things that otherwise they wouldn't. So we can become remote control devices to people smarter than us then? Yeah, yeah, yeah. Or even when there's an ambulance, the doctor can already look into the patient. What has to be done? What can they advise the ambulance personnel? And they also can prepare it in the hospital how to, you know... Take care of them in some way, okay. And so how much is PhoneCam gonna cost? It's $69. Oh, you're serious about affordable? Yes, yes. So basically that's what we set out to do is to make it as cheap as possible to be able to have all the connectivity that you can. That's really, really interesting. 
So if people wanted to look up PhoneCam, where would they go? Phonecam.io. Oh, very good. Oh, wait, I forgot one question earlier. What's AI about it? We have now low light enhancements, but we're already now partnering up with a lot of companies that would like to use our PhoneCam because it uses the CPU of the phone. It can do much more than a lot of other cameras can because it's much more advanced. The CPU in the phone is much more advanced than normal cams. So you're opening up an API where they can get access to the data? Okay, very interesting. All right, thank you very much. You're welcome. Appreciate your time. All right, thank you very much. I started using portable USB-C displays when on travel about four years ago, starting with the tiny 12-inch Ioyo 2K display. When that one died, I upgraded in 2021 to the CocoPAR 15.6-inch 1080p display. I missed the higher resolution of the smaller display, but the CocoPAR was good enough that I was able to do the live show on the road with it. I liked the built-in kickstand, which gave me enough space on my work surface to fit all of my gear. For $180, the CocoPAR is still a very good option. I showed my daughter Lindsey the CocoPAR and I let her use it at her house one time, and she loved it. Since I'm such a good mom, I really had no choice but to give it to her to support her remote work. She also runs audits at her company, and having a second display in the conference room is life-changing. She tells me all the time she should get a commission from CocoPAR because so many clients have bought their own after seeing hers. Well, that was great because it gave me the excuse I needed to upgrade again. In 2023, I bought the KYY 4K 15.6-inch USB-C display for $239. It's now down to $219. I was delighted to have that super-sharp 4K goodness allowing me to get a lot more information on my display. I need every single pixel when I'm on the road doing the show. 
While the KYY's display is gorgeous, I'm constantly frustrated with its lack of a kickstand. I know that sounds like a tiny complaint, but it's a very big deal. Instead of a kickstand, the KYY has a floppy folio case that folds into a stand. It's held on by magnets, much like the folio made by Apple for iPad, except the magnets aren't strong enough, so it falls off easily, and the little detents to hold it at different angles are not deep enough, so it sort of slides out and flattens itself if you bump it. If I can get it balanced just right, the part of the case that sits flat on the table sticks out so far in front that it gets in my way. I can't get the display close enough to my MacBook to be as useful as it could be. In my review of the KYY, I told you about a little plastic tablet holder that Jill recommended in order to hold it up, but it doesn't really work very well because the display is so wide. It's really made more for like maybe a 10-inch tablet. This is a 15.6-inch diagonal display and it's like 16 by 9, so it's really wide. When I have it on that little stand, it's highly likely to get knocked over while I'm moving things around. I have searched everywhere for better stands and I haven't found any. Oh okay, there's one more thing that makes the KYY a little harder to use. It's that the cable sticks straight out of the right-hand side, and I prefer my display to be to the left of my MacBook. That means in addition to being limited by the floppy case, I'm also limited by how much those cables stick out, and remember the cables are gonna stick out on the left in a MacBook Air, so I have to keep the laptop really far away from the display, which is not ideal. I gotta tell you, that 4K looks great right up until it falls over. Okay, now you're up to speed with where we last left our hero a year ago. Let's talk about the latest display in my life. 
At CES this year, you probably heard that I interviewed Scott Francis from Ricoh about two of their portable displays. They were kind enough to send me one of them for a review. The two displays Ricoh showed off were the Model 150, which is a wired USB-C display, and the 150BW, which can be used wirelessly or via USB-C. Ricoh sent me the 150BW and I was really excited to test it out. The Ricoh displays are OLED, but they aren't 4K, they're only 1080p. I had not appreciated why people are so excited about OLED displays until I got the Ricoh 150BW in my hot little hands. It is bright, the colors are vivid, it is stunning to look at. Every person I've shown the 150BW to says, wow, I mean it's really that good looking. I also didn't realize that OLED displays are thinner and lighter than traditional LCD panels. With a built-in kickstand, the 150BW weighs in just under 1.6 pounds. The CocoPAR with its required floppy case weighs 2.4 pounds, so it's 50% heavier. The wired Ricoh 150 is even lighter at only 1.23 pounds. I mean, that's crazy pants. I mean, that's nothing to lift. It wasn't until I tried to take a photograph of the Ricoh display for the show notes that I realized this is a very glossy screen, while the KYY is a matte screen. I like a glossy screen, I think that makes everything look more vivid, but we all know that George from Tulsa does not, so I thought I'd mention it. The Ricoh displays are a fair bit more expensive than all of the displays I've mentioned earlier in this article. The 150BW wireless display retails for $675, and the wired 150 will run you $530 on Amazon. If you buy direct from the Ricoh website, you'll pay even more. Now, I was super excited to see what it was like to use the Ricoh 150BW in its wireless mode. Wouldn't it be glorious if we didn't have to contend with the wire sticking out of the side of our laptops and displays at all? That would be nirvana. 
Well, there was no manual in the box, so I started fiddling around with the controls on the back right, and I figured out how to get the Ricoh 150BW into a Wi-Fi mode. I looked in System Settings on my Mac, and I tried to connect to the Wi-Fi network that the 150BW had created. It asked me for a password. Well, I figured it had to be something simple, so I did a bit of the Googles, as one does, and I found out that the password is admin123. I also found out where to change that. After I entered the password, nothing happened. The display didn't magically show up as a screen for my Mac. It was time for desperate measures. I broke down and started searching for the manual for the Ricoh displays. They don't make it easy to find, but I finally found both the display manual and the wireless manual. Oddly, the wireless manual wasn't as helpful because it had more to do with other types of wireless devices sold by Ricoh, like the line of scanners. But in the regular manual, I found the very bad news about how the wireless functionality works on the Ricoh 150BW. To use the 150BW wirelessly with a Mac, an iOS device, or a Windows PC, you have to download driver software called Ricoh Monitor Mirroring. Notice that word, mirroring. Yep, you can't extend your desktop wirelessly. You can only mirror your display. Now, this doesn't solve any problem I have, but maybe it would for you. If you, say, give demos to people in rooms without projectors, I can see being able to pass around a wireless and gorgeous display to them so they can see what you're doing, especially since it's so light. You can just see passing this thing around like passing around a jar of candy. Now, here's a problem. Most corporate IT departments have locked-down devices these days, so you can't just install any old driver you want. You might not even be allowed to use the Ricoh 150BW in wireless mirroring mode as a result. Now, I did test it in wireless mirrored mode on my Mac to make sure I understood how it worked. 
And I have to say the screen looks significantly worse in wireless mode than it did wired via USB-C. The text was smeary and the cursor lagged to a point that I wouldn't even consider using it for that. I have to say I can't really recommend the Ricoh 150BW, but don't turn the page yet. Let's stop right there. I don't want this to be a downer review. So I wanna set aside the wireless functionality and talk about the 150BW as though it was the 150 wired version. Even though the one I have is a little bit heavier, everything else is the same about these. If you're a Windows user, the Ricoh display is a touch screen with 10 independent touch points. They sell an active electrostatic stylus, that's hard to say, electrostatic stylus, with 4,096 levels of pressure sensitivity and two function buttons. I really wish I could test the touch screen and the stylus, but since macOS isn't a touch operating system, I don't get to have any fun with it, and the touch doesn't work with the iPad. The 150 series displays have a power switch on the right-hand side, which means it doesn't automatically come on when you connect it to your device. I can see scenarios where I'd wanna leave it connected but also power it down. Speaking of power, you definitely wanna take advantage of power pass-through with the Ricoh displays. They have two USB-C ports on the back, and without adding power to the second one, the display drained the battery on my devices at an alarming rate. At one point I was doing a test with the 12.9-inch iPad Pro and the battery went from 22% to 7% on my iPad Pro in less than 10 minutes. The 150BW has an internal battery since it can work wirelessly, so I think it's charging itself from my device. I'm pretty sure the Model 150 would not drain your battery nearly as much because I imagine it doesn't have a built-in battery. In fact, now that I think about it, maybe that's why it's so much lighter. 
Now speaking of cabling, I love the way they designed the cable management on the 150 series. Remember how with the KYY, the cables came out of the right side of the display, limiting how close I can put the display to my laptop? Not so with the Ricoh displays. The display is of two thicknesses. The top half is only 0.19 inches thick, which is bananas thin. The bottom half is a little thicker as it contains the electronics. It also has a cutout for the two USB-C ports. This means that when the power and data cables are connected, they lay flat on the back of the device. They also included four little clips that you double-back tape to the back, which allows you to hold the entire USB-C cable on the thinner part for storage. Not having to find a place to store the cable is genius. The thicker part also holds the built-in kickstand, which is possibly my favorite part of the device. I mean, having a kickstand is a glorious thing. It's even got little rubber feet so it feels really good when it's sitting. You can set the kickstand anywhere from nearly vertical at 75 degrees down to a very shallow 16-degree angle, which would be great for doing artsy things with that nice stylus. It's a very wide kickstand, just short of the full width of the display, so it's super stable, unlike that floppy case on the KYY. You can even use the Ricoh display in portrait because of the great kickstand, which is super useful when reading long-form documents. In fact, I was doing some programming the other day and I had Bart's show notes up on the Ricoh and I put it vertical so that I could see this big section of the instructions of his tutorial, so I was able to read along and do my coding over on my main display. It was actually taller in pixels than my XDR display, which I found really surprising because this is a 32-inch diagonal display, but I was able to get more on screen vertically on the Ricoh than I was able to do on my big display. 
Now, the Ricoh display has two stereo speakers, but they're pretty tinny. I don't think you're gonna be listening to them for any length of time. In my iPad test, the audio automatically switched to the display speakers, but with Control Center, I was able to change the speakers back to the iPad. Now, I've not used an external display on an iPad very often, so maybe I'm acting like I made fire here when I tell you how cool it is to use an iPad with the Ricoh display. I opened Downcast on iPad and I played the latest video podcast of the Daily Tech News Show. It automatically opened the video on that glorious screen with Tom full screen on that, while leaving the controls of the app on the iPad. When using an external display with iOS, you choose where apps open using Stage Manager. You control it using the three dots at the top of the screen in any app. You get to choose from full screen, split view, slide over, or move to display. It's also interesting to see display arrangement controls appear inside System Settings for iOS. I don't do a lot of productivity work on my iPad other than pure writing for the show, so I don't have a big need to connect an external display, but it works really well. And again, the Ricoh display looks fantastic. My primary usage for an external display is when I go to Lindsey's house and I want to do the live show from there. On our latest trip, I carried the Ricoh display instead of the KYY, and it was awesome. It comes in a very thin zipper case to protect the surface of the display, but I slid that into a thick padded case too because it does feel fragile because it's so stinking thin. I used the Ricoh display on my grandson Forbes's desk along with a mic on a tripod and a light, not a tripod, a tripod, and a light and a Thunderbolt hub and wires running all over the place. While it's still hard to work with all that mess, the display was no longer a contributor to my stress. 
The cables were out of my way and the kickstand was sturdy and didn't get in my way at all. A perfect experience. If I had to choose again, I would definitely choose the Ricoh 150 OLED 1080p display to take on the road over the KYY 4K display with its awful case. The weight being so much lower, the thickness, the cable management, the brightness, the vivid colors, and the kickstand all make this display an excellent choice. But my eye wanders. Dave Hamilton of the Mac Geek Gab and I have been trading ideas on displays for a while now, and after he bought the KYY on my recommendation, he tried out a display from ViewSonic that won over his heart: the VX1655 4K OLED. Might be the best of both worlds. It's OLED and 4K. Like the Ricoh, it has a kickstand, which is table stakes for me now. The cables come out of the side of the kickstand close to the middle of the display, so I suspect that's a game changer from the KYY. It's got the kickstand, it's 4K, it's OLED, it's got good cable management. What's not to like? I looked at the kickstand and I don't think you could do it vertically, so that might be one thing you can't do. At $500, the ViewSonic VX1655 4K OLED is right in line with the price of the Ricoh wired 150. But it's 4K instead of 1080p. It weighs 1.8 pounds where the wired 150 from Ricoh only weighs 1.2 pounds. So I guess ask yourself, would you carry 10 ounces more to get 4K? Like I said, I'm tempted. The bottom line here is that there's a lot of great competition in the category of USB-C portable displays, and they have options for every budget. My advice would be to make it a drop-dead requirement that whatever display you buy comes with its own built-in kickstand. If you're budget-conscious, I would look for the 1080p LCD displays that have a kickstand. If your eyes are really good so you can appreciate crisp text, or you really need to pack in as much on screen as possible, move up to a 4K display with a kickstand. 
If you're not picky about crisp text but you appreciate vibrant colors, then move to an OLED display with a kickstand like the glorious Ricoh 150. But if you have to have it all and your financial advisor allows it, get a 4K OLED display with a kickstand. But whatever you do, get one with a kickstand. On occasion, I get to review products sent to me by the manufacturers, like in the Ricoh display review you just heard. But the vast majority of what I review comes out of Podfeet podcast funding. My goal is not to make a huge profit, or you'd hear creepy ads in the show, but rather I just want to fund the products I want to use to produce the show or just to review for you. If you can afford to do it and you find value in the reviews you hear and the other content we do here, stop what you're doing right now and run over to podfeet.com/patreon to help out the shows. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots, and Bart promises we're gonna have fun today. Well, I think so. When I was writing the notes, I was like, there's a really nice mix here of some news, a little bit of follow-up, two little deep dives, they're sort of perfectly medium, not too deep, you know. I don't know, it felt nice when I was writing the notes and the sun was shining, which may have helped. But either way, I thought there were good notes. So it is the usual mix of good news and bad news because it's obviously, you know, I'm not coming here to say, "and security is solved. Have a nice day." So on that note, we've talked quite a few times recently about attackers getting the upper hand, at least temporarily, in terms of getting malicious ads into Google search results. And in fact, we talked last time about Troy Hunt explaining how they're doing it at the moment, where they're basically being legitimate 90% of the time and then being malicious every now and then, which makes it really hard to spot the malicious people. 
But I thought it was worth mentioning that it's not only on Google that the cat and mouse game is going the wrong way at the moment; another place that has been discovered to be failing to protect their ads is Facebook. They were pushing ads for a password stealer malware. They were doing it in a slightly different technique. So on Google, the lure was fake download sites for real software, where they would give you the software and a bonus extra. So the installer would also install something you didn't want. In this case, the lure is a job ad, and they use a job ad to trick you into downloading a malicious PDF, which, if you're not fully patched, patched, patched, will get you hacked with password-stealing malware. Oh, cool. Yeah, very cool. The fight against Pegasus and its ilk took an interesting turn. The US has announced a visa ban for companies creating commercial spyware. So for people in companies making commercial spyware, it's an interesting way to flex your diplomatic muscles. So I thought that was a clever touch. Okay, you can do that, but you can't walk in here. Yeah, it's like there are consequences to this kind of carry-on. I like it. And an update on some European news, Digital Markets Act, there was some question as to whether or not iMessage and Bing search were in fact gatekeepers. Apple and Microsoft, respectively, said we're too insignificant in Europe. We don't have enough of a market share to be a gatekeeper, and Europe looked at the numbers and went, yeah, you're right. You're not actually big enough in Europe. Oh, sad. So it's, yeah, it's like, yay. You killed the iMessage. Yeah. But here in Europe, actually, WhatsApp is particularly dominant because there's a lot of Android. And so there is a very strong pull to cross-platform. So yeah, in Europe, neither Microsoft's Bing nor Apple's iOS are gatekeepers, which does mean that those people who are hoping that the DMA would force Apple to open iMessage up to interoperability... 
That ain't gonna happen. At least not now. Yeah, I was kind of really hoping for that one, you know? Yeah. Well, RCS is coming, so that's something. Yeah, it'll still be crappy. But do you by chance remember off the top of your head whether they ruled that WhatsApp is a gatekeeper? I do not remember off the top of my head. Okay. That would be interesting. I have a feeling not, actually, I have a feeling not, because no one is quite monopoly level here. So WhatsApp have a plurality, but they're not like 90 or whatever percent, because you also have a lot of Facebook Messenger. You also have actually a lot of Signal. Signal is quite common over here as well. So Europe is kind of a big market. Nope. Hold please. According to leaders, what is Facebook, Instagram, Marketplace, and WhatsApp qualified as gatekeepers under the DMA? Oh, okay. I stand happily corrected. Well, am I happy? That means that they do have... Well, either way, it's good to be correct. Thank you. It's a thing. Yeah, I don't know if it's a good thing or bad thing. I finally thought to ask you, instead of making you sound like you didn't know what you were talking about and asking you a question you hadn't researched, I thought to say, hey, do you by chance know off the top of your head whether this is true? Yes, which I do appreciate that phrasing. And also the fact that you are so good at multitasking that you literally looked it up as I was talking rubbish. It was great. Well, after how many years I finally thought to ask you it in that way. I appreciate it. So we have two deep dives. The first of them is an interesting lesson that I could have made a one-line follow-up in the follow-up section, but actually there's two lessons here to help us all become better at reading statistics and not reading the wrong thing into headlines. Because it is possible for headlines to be factually correct and utterly misleading all at the same time. 
And one of the ways that happens is because human beings, I know academically, I need to always be very, very careful of statistics. The question is, is it a rate or is it a level? And when the rate changes, that doesn't actually necessarily mean the level has, and when the level changes, maybe the rate hasn't. So those two things can be very disconnected from each other. And that was completely... Are you saying lies, lies and statistics? Yes, statistics can be used to mislead while being entirely factually correct. So you can lie with facts with statistics. Absolutely, you can mislead with facts. And case in point, we discussed the story on the previous installment about a report from a company called Coverware or Coveware, that may have autocorrected an R in there. I think it may be Coveware, that only 29% of ransomware victims are paying, which I thought was fantastic. And I opined that since this kind of ransomware is done for profit, cyber crime, if fewer people are paying, that means less profit. That means that the end may be in sight because this is purely a commercial crime. That was a rate. So imagine my surprise when a day or two later I was flicking through my RSS feed and I saw a headline over on BleepingComputer, who is a source I trust quite deeply. The headline blared that according to Chainalysis, ransomware payments reached a record high of $1.1 billion in 2023, which is rather the opposite of what I had been led to believe and led you all to believe two weeks ago. Is one of these reports wrong? No. Chainalysis are reporting on the level of ransomware and Coveware were reporting on the rate of payment. They're not the same thing. So what is your definition of rate in this context? So they're like what percentage? Right, so the actual number reported by Coveware was what percentage of ransomware victims chose to pay the ransom? Just a rate, right? The number from Chainalysis was the total amount of ransoms paid. 
So that doesn't reduce our joy from last time though, because as fewer and fewer companies pay the ransom, it becomes a less likely opportunity to make money. It sounds like if you make money, maybe you make a lot of money, but it might mean that not as many people are paying off, and that should start reducing it, I would think. I fear not, because what's happened is you can now get ransomware as a service. So it's now easier than ever to spray more ransomware at more people. But if more people aren't falling for it, more people are falling for it. Right, but if half as many people choose not to pay but four times as many people get infected, the market still doubles. So if the fact that you can just get ransomware as a service. But your chances of a payout as a sleazeball are lower. Right, okay. The chances are half as low, but you have four times as many infections. Your opportunity for profit goes up, not down. Not percentage-wise, but. Absolute money-wise though, this is the problem. So okay, that's why I said so your payout is more likely to be big. Not just that it's more likely to be big. So you have done no more effort to quadruple the amount of ransomware in the world, because you can now just go to a ransomware-as-a-service provider and you don't have to do any work. Okay, that's a separate thing from whether the rate is higher or lower. But the point is there's this decoupled, yeah. So if the number of companies falling victim to ransomware and the average payout amount had remained constant, then that drop to 29% payment would indeed have meant all of the joyous things I thought last time, right? So that leads to two obvious questions. There's two ifs in that sentence. So did the number of attacks remain constant? Nope, nope, nope, nope, nope. Up, up, up, up, way more ransomware actually happening out there. What about the second question? Is the average amount that is being paid staying the same? Also, nope. 
The average payment for everyone who does pay is also going way up because the attackers are going after people who are more likely to be big enough to pay them big bucks. So they're not interested in the little people, which I guess from the NosillaCastaways is good. They're getting more effective at focusing on the people with deeper pockets and a deeper need for their data back. So unfortunately, it is both true that a smaller percentage of victims are choosing to pay and that the total market, in other words, the total amount of money that is available for the baddies has gone up. So I'm afraid to say, I do not believe that the end is nigh. There's another interesting statistical lesson learning in the Chainalysis report because unlike the previous report, the Chainalysis one is fully public so I've linked to it in the show notes so you can see lots of graphs and things. And there's another little hidden thing in there now. Now, neither BleepingComputer nor Chainalysis chose to go the clickbait route because they are both reputable organizations. But the data in the Chainalysis report would have allowed for a factually correct, utterly misleading headline, ransomware payments doubled in 2023. That's not because 2023 was abnormally high. Because 2022 was abnormally low, which is an excellent reminder that when someone gives you two numbers, you need to ask yourself, are those two typical numbers or have they been very carefully cherry-picked? And if you look at the data for the trend as a whole, what you see is that in 2020, the total market was $0.9 billion, which is a lot of money. The next year in 2021, it had gone up to $1 billion in your best Dr. Evil impression. And then 2022 happened, which was really weird, a large part due to the war on Ukraine, and it absolutely plummeted to only $6. something billion dollars. In fact, it's 5.67, so I rounded it up to 6 to 0.6. 
And then it returned to the normal trend in 2023, going slightly up from where it was two years before. So as I say, had either of these two organizations been unscrupulous click collectors, they could have misled us further with that kind of a storyline. They didn't, but they could have, and I thought it was interesting to point it out. So basically ransomware has been slowly increasing for the last four years and is, in fact, still slowly increasing. So I'm sorry to say that these two stories have canceled each other out, and at best, the statistics are a nothing burger at the moment. It's just continuing. There's no major change, unfortunately. If you're wondering, by the way, why the war on Ukraine would affect ransomware, it's two reasons. A lot of Western countries and the biggest target for ransomware is the United States. Bigger than Europe. I don't know why that is, because in terms of economies, they're both huge economies, but America is getting in way more of a target than it should, and Americans became really, really, really, really averse to paying anyone vaguely connected to Russia during 2022. How interesting. The Russian hackers were being incentivized by the Kremlin to focus their attention on political ends in Ukraine rather than profit-making in the United States. And also being forced into battle. Effectively, yes. Well, not effectively, actually. I mean, they were literally grabbing men and throwing them onto trains to go carry guns. In that case, yes and, because they were also having to defend Russian infrastructure from very effective attacks by Ukrainians. So they were both being physically hauled off as actual soldiers, which I hadn't even thought of, but you're dead right. And they were engaged in a digital war, a cyber war, in fact, with Ukraine, because there's a lot happening, hacker to hacker, between the Ukrainians and the Russians. They are going at it, hell for leather. 
And the Ukrainians are making some interesting successes, actually, on the digital battlefront, but it's no, you can't really show it on telly, so it doesn't quite make the news as much. Right. So yeah, I'm sorry to say I need to take it back. I was like, yay, the end of ransomware, and now I'm going, yeah, no, don't think so. I'm sorry. Well, you're right, these notes are fun, Bart. Yeah, but the point is, it's a good... They tell a story, yeah. Yeah, it's a good excuse to learn about statistics. And I get to say I was wrong in a fun way instead of just an embarrassing way, so it's always nice. Because I do insist it's important I say when I was wrong, but I'd at least like to learn from it. Yeah, yeah. And deep dive number two goes entirely into the good news category. So Apple released their Vision Pro recently enough if you're in the United States and have a substantial amount of disposable income. I do not have one because I am not in the United States. And I'm not, well, I might find an excuse to write one off as a business expense, if I'm totally honest. But anyway, not a question. The presentation's not available to you. Yeah, not an argument I have to have with myself or my accountant at the moment. So it's an entirely academic argument. Anyway, now that the device is out there and people are using it, there are questions about, well, hang on a second. This thing has more sensors than you can shake a proverbial stick at and is permanently internet connected. Maybe there's some privacy concerns around this. Apple didn't go out of their way in the keynote to say that they had designed privacy in from the start and they showed their hand. No, they put some wood behind the arrow as the phrase goes. They have released a document describing exactly how they have designed in privacy from the ground up. 
And I guess the short version is everything you get on your iPhone and your Mac, you get on your Vision Pro and then some because the Vision Pro has unique extra risks and Apple have added unique protections and my short version answer is nicely done. So I gave you a little bit more meat than nicely done. So the first thing that's, okay, so Apple basically their protections I'm seeing as being in five big categories, the extras, right? So everything you normally have, you have on the Vision Pro. On top of that, there are also protections around the fact that the Vision Pro is constantly scanning your surroundings and you tend to use the Vision Pro in spaces within your private life, like say your house. So conceivably that could give away a lot about you. I mean, the kind of things in your room could say a lot about your ethnicity. You could say a lot about your income. It could say a lot about a lot. So how that information is protected is very important. Your Vision Pro also gets to see the people around you because it lets them break into your shared reality and so forth. So again, there's a need to protect that. Your Vision Pro by the nature of how it does its cool UI needs to know at all times what your hands are doing and where your eyes are focused. That has the potential of a bit of a dystopian hellscape if it were to be abused. This is kind of like the ultimate fingerprint. Right, exactly. And then you have this 3D persona that can pretend to be you to varying degrees of effectiveness. Creepiness. Yeah, creepiness, effectiveness. The jury's still out, it's still a beta feature but nonetheless, it is a privacy concern. So those five things were addressed by Apple. The first thing that struck me is that Apple have broken the rules into two very distinct categories. 
So if you're in the Vision Pro, you're either in what they call the shared environment, which is that sort of that place where you're running multiple apps each in their own little window or 3D box. So those apps are what we're gonna call normal apps. And they have extremely little access to Vision Pro's extra information. They basically have no access to Vision Pro's extra information with the exception that your persona can be used in those apps. But those apps never get any information about what's going on around you. They never get any information with the people around you. They never know what your hands are doing. They never know what your eyes are doing. What they get. Wait, they have to know what your hands are doing. No. Cause when you sell. No, no, let me explain. Don't say no until I finish my sentence first? Please. They know when you tap your fingers together you have selected something. So they know what your hands have done. They 100% do. They don't know what your hands look like or where you moved them around in space. Okay, so that's what I was getting to. What they get is events equivalent to a mouse click. They get told someone clicked this button. They don't know that your hands hovered over the click for 10 seconds, that your eyes were tempted by this for 10 seconds. They get click events entirely equivalent to what a Mac app gets or what an iOS app gets. So they're not actually getting the extra information about your hands and stuff because how your gaze moves before you decide to click would be so valuable to someone trying to profile you. But none of that is handed out through the APIs. They just get effectively fake mouse. You're effectively simulating a mouse. Well, okay. I was about to say now I understand and now you've just reversed it. If they know an effective mouse, then do they know that the mouse was hovering? It went over here, it went over there. I had mentally said to myself, don't say mouse, say trackpad or say touch. 
In fact, iOS- Well, trackpad's the same as mouse. No, iOS. What? No, touch and iOS is a perfect example, right? Cause your finger, how long your finger doesn't touch something because you're hovering over it isn't known to even iOS until you touch the glass. Effectively what these Vision Pro apps get is equivalent to tap information on iOS. So not like the cursor. So not like the cursor with the Magic Trackpad on an iPad. Yeah, it's actually even less. They're getting even less than you get on a cursor or a mouse. You're absolutely right. And as a webby person, that's kind of important because we get to, we have APIs for following the mouse around. We have APIs for hovering over things on the web. And those don't work on iOS because there is no concept of hover and visionOS is like iOS. So it's actually even less than you get from a mouse. Like I knew I was going to get that wrong. Oh, well, anyway. The other thing is that, so, okay, moving back. So the regular apps get nothing extra. The only apps that may get more information are the ones in immersive experiences. And Apple give you some immersive experiences for free, but third party developers can create their own immersive experiences. So any app where you fully go into a 3D space that the app is building for you, those apps have the ability to get more information, but none of it is direct from the sensor. No app ever gets to go direct to the cameras. All of the apps are accessing the information through APIs, which means that Apple have a point of control where they get to decide what does the API provide to the app and what confirmations are required before the API will pass anything. So the APIs are like a firewall or sort of the bouncer at the door and they are very, very strongly controlling the information that makes it as far as the apps. Oh, okay, okay. So the first thing is that no app at all gets the raw information about your room. 
What the APIs present is the post-processing information, which is effectively a mesh. It's a bunch of textureless, image-less shapes. So it's the ghost of your surroundings, not an actual picture where they can see that your walls are red. They know there is a wall in front of you. There is a flat horizontal surface in front of you, right? So they get the geometry they need, but not any detail about it. And not the images. So maybe you could work out, oh, that must be a picture frame. Look at its shape, but they can't see it. It's just a 3D shape. And they don't even get that without asking your express permission. So any app that is going to get the mesh of your room must have asked you in the same way that you get asked, can I use your camera? Can I use your contacts? So it's exactly the same model as now extended to, can I get access to the shape of your surroundings? Absolutely positively, no app anywhere ever gets access to the people information. The operating system handles passing that through, and it doesn't leave the operating system and no one else gets it. What have I got here? Another very clever thing is that while you're looking around, the operating system is showing you that you are currently looking at a button. And so the button will animate. But Apple makes it clear that the code animating the button is the operating system, not the app. And the app doesn't know that the button is being animated. So until the point that you make a tap gesture or a drag gesture, the app is told nothing. It's the operating system that is telling you if you make a proactive gesture, you will be interacting with this thing. But the app doesn't know that the OS has highlighted button one or button two until the point in time you do something. And then the app gets told the user has ticked this button or dragged this slider or scrolled this view, whatever it is, but they're told it in forms of this UI element has had this action performed in it. 
But the app never knows that you were looking at it before. That's the OS, even though it's within the app's window. Which again, clever design. One thing that every single immersive app knows is where your head is pointed. Because how can you give an immersive app without the app knowing you're looking up, down, left, right, whatever? So if an app is giving you a 3D experience that you can look around in, the app knows the direction your head is pointed on a three-dimensional sphere. I don't know if it gets it in radians or degrees, but it gets it as a degree by degree. And they all get that and they do not have to ask for that because that's kind of baked in. That is how it is. Another very interesting one is your hand gestures. Apple have sort of decided that developers can ask your permission to get some hand information, but it's a very strong trade-off here. They do not actually get the raw information where your hands are. They get a kind of a wire frame. So if you've ever seen a video game before they add the textures on it, where all of the characters are these little stickmen which have particular joints where they can move, your hands are stick hands. So the app gets told that each knuckle is at a certain position so that they can see things like you've made an okay shape or you've made a heart gesture. They can basically see the shape of your hand as a connection of the knee bones, this joint is in two degrees over and this joint is whatever over, but they don't get the image of it. Like the wall is a mesh without the image, your hands are joints and phalanges without skin and bones or skin. Exactly, the skin particularly. So what that means is the kind of information that could leak a lot of stuff like what skin color do you have, utterly unavailable to apps, even those apps that have permission to track your hand movement, which they only got because you gave it to them, but even then, they don't know what color your hand is. 
They don't know if you have tattoos on your hand. They don't know if you're wearing jewelry because the only thing the API passes through is the position of the anatomy of your hand, not the shape of the surface. It's not a mesh, it's a wire frame. So for your room, it's only the surface, for your hand, it's only the inner structure. So they've actually done the opposite on those two particular data points, which is very cool. Again, again, very, very clever. And then the last thing- Why are your hands a privacy thing? Is that because of color of your skin? Size of your hand tells whether you're a woman or a man or something like that. I would imagine, yeah, I would imagine if you could look at people's nails and look at people's skin color, you could make a really good estimation of their gender, a really good estimation of their race. And depending on the kind of jewelry they had on, you could probably make more inferences. If someone's wearing a giant big wedding ring, it's like, oh, they're married. Someone's wearing what looks like an engagement ring with a big diamond on it, and they're probably engaged. They'll be a really good advertising target for wedding services. I don't know whether the hands show jewelry. I'll have to ask someone about that. If you're wearing a ring, if you're wearing a ring and if they were getting the raw image data, they would see your jewelry, right? I just don't know whether that exists. When you hold your hands up, you see your hands in the image. I wonder whether it's actually recording jewelry. If it's not, then that wouldn't be in there. Well, it isn't in there because the only thing the apps get through the API is the inner structure. Okay, yeah, I keep it low. I'm saying if I'm wearing, sorry. If I'm wearing Vision Pro and I hold my hands up and I was wearing a ring when it figured out what my hands look like, I don't know whether it shows the ring or not. 
So if it doesn't show the ring at all, regardless of whether they put in protections about that, it wouldn't show. It wouldn't get through to the developers. I just don't know. It might be there. Yeah, are they showing you a rendering of your hand or is it video pass-through of your hand? Hmm, that's a good question. I think it's a rendering because, well, I don't know. I'd like it to be video pass-through because if I had a tattoo on my hand or something and I use a Vision Pro and it was gone, that would freak me out. Like, you wouldn't believe. Like, just imagine if you were used to always seeing, you know, a tattoo on your hand and all of a sudden the hand you saw when you had these goggles on was missing it. I think that would really mess with your sense of self. I think there will be a really uncanny valley. There's a lot of it that does that. Fair, fair, fair. Yeah, I don't, yeah, we don't know. And neither of us have the, actually I don't know if you bought one. I don't remember you saying you have it, I imagine. No, but I'm asking Pat Dengler to check into it. We'll get real-time follow-up probably. Ooh, okay, I shall stay tuned. Say, I shall stay subscribed. So the last piece of the protection puzzle then is your persona. And hypothetically, the danger here is that someone could pick up your headset and be you in a meeting and get up to all sorts of nefarious stuff as you. So if you have, well, always you have to either give your PIN or do an Optic ID. But if you have enabled Optic ID, then Optic ID is required. So you can't use only the PIN to get at the persona. You can get into Vision Pro with only the PIN. You can use it and operate it. I've done that. Correct, but the persona won't enable unless you also pass Optic ID. Interesting. Another point to note is that the physics model driving the persona is created on device and never leaves the device and there is no API making it available. 
What the apps get that are allowed to use your persona, like say a third-party videoconferencing app or something, is a video feed. It's effectively a virtual webcam. And the operating system offers the permissions or makes the app get permission as if it were your camera. It's just a virtual camera. So even the apps that you give access to your persona, they only get a video stream. They don't actually get the 3D model. They don't actually get enough to recreate you any more than they would if you were just looking at your normal webcam. It's a video feed. It's just a fake one, a faked one. So there, you know. And then the final point is that to make it easier to share a Vision Pro and definitely not leak any information, there is a guest mode available. So if you enable the guest mode, all of your personal stuff is hidden away and you can give friends and family a fun tour of your Vision Pro without risking any of your information whatsoever. And I'm sure a lot of people are doing that because I know if I had a friend with a Vision Pro, I'd be badgering them for a view, you know, give me a go. I think a lot of NosillaCastaways would. So, yeah. Right. Does all that make sense? Yeah. Okay, cool. Excellent. I never know if you're quiet because I've been really silly or because I've just been really clear. I'm hoping it's because it's been really clear. It's because I'm holding my tongue in this particular case because I have opinions, but I don't want to share them yet. They will be shared next week on this exact topic. Ooh, I look forward against a subscribe. Teaser, I like it. Okay. We have some action alerts. It has been Patch Tuesday. There are plenty of patches from Microsoft. So patchy, patchy, patch patch. 80 vulnerabilities, five critical, two zero days under active exploitation. So, yeah, do that patch. I'm looking at the show notes and it doesn't say what operating system this is. Patch Tuesday. You're dead right. I've assumed it's Microsoft. 
I can add it. I'll add it. Yeah. I've got a lot of edits. I'm going. Yeah, it's Windows. Yeah, no, I didn't pick up that that was, what OS that was. Cause we get, we seem to get OS updates more often than any operating system I've ever used in the latest with Apple products. I mean, it's updated GoGo every week and a half right now. Yeah. Whereas in Microsoft land, it's only every first Tuesday, sorry, every second Tuesday of the month. So they get it easier, I guess. Anyway, just to underline the point that patchy, patchy, patch patch, one of the things that got a patch is Microsoft Defender. Your antivirus is a very highly privileged app. You do not want to run an unpatched antivirus when it has known vulnerabilities. So patchy, patchy, patch patch. Now, myself and Allison are recording on Zoom, but we don't have to worry about this. The Windows Zoom people, however, do need to patchy, patchy, patch patch. Zoom have done a critical update for a privilege escalation flaw. So patchy, patchy, patch patch. In terms of worthy warnings, I've been trying to minimize the number of stories I put in here unless they're really big news, but there's three of them here that I do actually think we need to talk about. So the first, we're off to France. The French Privacy Regulator is called CNIL. I could have looked up the definition, but then I would have had some French I didn't understand. National Commission on Informatics and Liberty. Liberty, very helpful. I just looked it up, right? So anyway, the CNIL does what? Yeah, so the CNIL are the data regulators for France. And they have warned that a data breach at two healthcare payment providers, their names are in the show notes, I'm not even gonna have a go, have leaked the information on 33 million with an M French citizens. If you're wondering how big that is, that's half the country. There are 66.7 million French people. There are 33 million French people caught up in this data breach. That is substantial. 
I wanna pick out a quote from the article that probably sums it up best. It's not clear if they're quoting the actual companies or the company who lost the company's information because the two companies were actually messed over by a third party. They're healthcare payment providers, by the way, according to your notes. That's incorrect. Okay. Yeah, it is, yes. So although the exposed data does not contain financial information, which is good, it is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals. And CNIL add a warning that I think we should all bear in mind when we think about data breaches. Although contact data was not included by the breach, it is possible that data involved in the breach could be combined with other information from previous data leaks. Basically, the digital jigsaw can be put back together. We have to remember when we have a data breach to also put it in the picture that there's so much data about us out there already that if the data breach is missing one important piece of information, there's a really good chance that can be combined with the existing breaches out there to build a bigger picture of us. It's not a happy thought, but actually it's a darn good point by CNIL that I don't think we have been explicit enough about on this show. So I thought that was worth pointing out. Yeah, yeah. By the way, if you're getting weary of all these phishing attacks and things, there's a group that John F. Braun highlighted on the most recent episode of the Mac Geek Gab. They celebrated their 1K, which was 1024, of course, episode and they had John F. Braun back on the show and he sent a link and I'm gonna add this to the show notes because it's great. It's a YouTube channel called Scammer Payback and it's basically these people that try to get scammed and then do things to the scammer. 
They have actively gotten the scammers to let them into their systems and they go in and just start deleting files and stuff. And I just thought that was such a wonderful idea that I'll try to figure out a place to stick it in the show notes. Maybe I'll put it right in this. Is that a palate cleanser? Well, it's sort of a palate cleanser. I could stick it there if you want. That's a, I just thought that was great. It's a bit of a shunt for a palate cleanser, but I know it cleanses my palate, it makes me feel better. Yeah, yeah, okay. I'll drop it down there. Now, moving over to America, unfortunately, Bank of America customers are caught up in a data breach because a vendor Bank of America used got hacked and lost a lot of data. We're talking about tens of thousands of people's data. And the really annoying part is this quote. It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident. So I can't say I can leave this out of the show notes because all of the affected customers have been informed because it seems to me that no one even knows who is affected other than a lot of people who bank with Bank of America. So given how rather large Bank of America is, I think the takeaway should be, if you're a Bank of America customer, your shields should be extra up for people impersonating Bank of America and trying to trick you into doing something. So if Bank of America normally contact you by one means and they suddenly show up by another means, extra, extra suspicious, probably best to ring them on the number on your bank statement, rather than to believe anything coming at you from any sort of even vaguely unusual source claiming to be Bank of America. Because that is the big danger here. The baddies have enough information to convincingly pretend to be BOA and you don't want to talk to someone else as if they are actually BOA. That is not a good idea. By the way, we don't ever call it BOA. 
We call it BOA. Oh, silly foreigner. Exactly. But I don't think you need to narrow that down to Bank of America. I think you should say that basically on anybody who ever wants anything from you ever, ever, ever, if they call you, call them back. Yeah, I wouldn't argue with that at all. That is fantastic advice, yes. And then the last one you may initially say, Bart, why did you put this in the show notes? So we're used to thinking of Facebook as a user of Facebook. But Facebook has customers. They're the people who buy Facebook ads. And Facebook have had a data breach affecting Facebook's customers. 200,000 people who buy ads on the Facebook marketplace have had their data stolen. And the reason I think that's worth mentioning is because the biggest customers of Facebook's ad platform are local business people, mom-and-pop stores, one-person companies. It's not even companies, Bart. It's like if you want to sell a, you've got a used air conditioner or a lawn mower, you put it on Facebook marketplace. In fact, if you try to just put it on your page, it says, yeah, that's really adorable. Here's where you put it on Facebook marketplace. You cannot post on your own timeline. You have to put it in Facebook marketplace. So it's basically all Facebook users who've ever tried to sell anything in their neighborhood. Because it's good for neighborhood, right? Right, of course it is, yeah. Okay, so it's even more important than I thought it was now. I already thought it was important. So, okay, I now double down and say, the likelihood that there is a NosillaCastaway affected by this is even higher. So if you are someone who has signed up to Facebook marketplace, have a read of the BleepingComputer story and take heed. So I wanna make sure I'm not misrepresenting what the article says. Your byline says, if you sell ads on Facebook. So is it people who sell ads against Facebook marketplace or is it people who post things on Facebook marketplace to sell them? 
What I made was people who make things appear on the marketplace. Okay, okay, I'll edit it to say that. Yeah, okay. I have to say, I assumed it was always going to be people running some sort of small business or whatever. But if it's even me hypothetically selling my spare, whatever, then wow, yeah, okay. And if it's all records, if it's records of people who use Facebook marketplace, then it's not just the sellers. It's probably the buyers as well. I don't know. Okay. Yeah, I don't know. I don't know was the answer to that. But definitely the sellers need to be on the lookout. So what should they be on the lookout for, Bart? Is this that they, again, more phishing attacks or is it something specific? It's again, more of the phishing attacks stuff. It's very easy when someone steals company data, they can pretend to be that company with scary effectiveness because they know things that only the company should know. So you can craft very believable emails. And normally to do a targeted email involves effort, right? You got to learn about your potential victim and you got to put some work into custom crafting and a dedicated attack just for this one person. But if you have a database of 200,000 records, you can automate it with a script. Well, I'm sad to say that database includes names, phone numbers, email addresses, Facebook IDs and Facebook profile information. That's bad. Yep, sorry. Like I say, I thought it was already important for NosillaCastaways to be aware. Now that I understand just how big this is. Anyway, let us move on to notable news. I have a fire extinguisher next to this story because it is true that ExpressVPN have been leaking some DNS requests for years, but there are so many asterisks about this story that I don't think there's any need for anyone to stress over this at all. And ExpressVPN's response is, I would argue, too strong. 
So when you're using a VPN, like ExpressVPN, where the intention is to hide from your internet provider, whether it be an internet cafe or your actual home internet provider, most people just turn it on. So it's an all or nothing thing, right? All of your traffic goes through the VPN and in that configuration, absolutely nothing was broken. A small number of people for various, very good reasons choose to have their proverbial cake and eat it with a configuration known as a split tunnel where you mostly VPN your traffic. But you do allow some local traffic onto your LAN and this used to be more important because we had to do things like print things. And so we had to make sure that our printer didn't... Why is that not still important? Well, how many people print things? All the time. I mean, everybody I know prints all the time. People are always talking about their printers. People are talking about printing to color printers or the band laser printers. I mean, it's very common. Really? Okay. I guess we move in different circles. I'm not a big printer myself, but I printed something yesterday, so it happens. But I don't tend to print when I'm not at home. If you're using a VPN at home, I would think you would absolutely need to do the split tunnel dance. You would, but anyway, there's another few caveats to come. But most people don't actually do the split tunnel dance because most people use the VPN when they're out and about. So the split tunnel is actually quite an uncommon configuration on ExpressVPN and stuff. The other thing is that even if you are in a split tunnel, the data only leaked if you're using an untrusted DNS server. So if you're a home user who's configured your home router to use DNS you trust, then the fact that the DNS is going the wrong side of the split tunnel is irrelevant because now it's going to your home router where it's using the DNS you trust. So there's actually no information leak there. 
So the only time they're affected is if you use a split tunnel and the network you run has a DNS server you don't trust. And even then the only information that leaks is what DNS names you looked up, which is not nothing, but it's not an awful lot either. So very, very few people have had very, very little information leaked. And then the response has been, ExpressVPN have completely disabled the feature until they have time to fix it. So it's like, well, we will close that barn door good and tight. And so that feature is gone until they are happy they have completely nailed it down. So I don't, you know, I'm sure there were certainly some headlines that were all shouty about how scandalous it was that ExpressVPN had made such a terrible boo boo. I was like, you know, if you're an ExpressVPN user and you are in any way put off by this news story I wouldn't be, what I see is a company that reacted really quickly to a very subtle bug that affected almost no one. So I would not change my usage of ExpressVPN over this at all, if anyone's worried. Very interesting development from Google. So last year, Google added a thing to Android where it would do a virus scan using the Android app store app. It would virus scan sideloaded apps. So apps you get as an APK file downloaded from the web, true-blue sideloading, would still get virus scanned by the Android app store. And if they failed the virus scan, the OS would say, I don't think you should install this. This is a virus. And then obviously it would block you, which is very sensible. They've now taken things a little bit further. And it is now they're trialing this in Singapore and that may or may not get rolled out worldwide but what they are trialing is completely blocking the sideloaded apps that use a collection of dangerous APIs. If a sideloaded app uses these APIs, it cannot be installed. There is no bypass button. The OS says no. It is very... How do they know what APIs are dangerous? 
I mean, is that a constantly updating list? Probably? Yes, probably. For now they have picked APIs that their virus scanner from the previous year has flagged as being a commonly used technique by the baddies. And so this is awfully similar to app notarization. So what just strikes me is that they're not quite meeting in the middle yet but when you look at Apple being forced to allow third-party apps but they have to be notarized or they can't get on the phone in Europe and you have Google now saying it doesn't matter where you get your app we're still gonna assert some rules and it doesn't matter where you got the app from you still can't run it if you don't meet these rules. We're philosophically arriving in an awfully similar place even though these two stores set out from such completely different avenues and they haven't quite met in the middle yet but if I project both trends forward we seem to be heading to a situation where everyone is notarizing apps and Apple may be forced to allow full sideloading but with notarization which is kind of a macOS future. It looks like we're heading to a macOS style future on Android and maybe on iOS if you project forward. I just thought it was very interesting how these are coming together. Yeah, yeah, that is, I see how you're explaining it. Okay, somewhat, oh, I've duplicated it on my show notes here. So yeah, so the Vision Pro stuff started off as a story and then I made a deep dive so you can delete that out of there. A related note then is that Apple's walled garden, while Apple do tend it very carefully, it is not free of weeds. A rather high profile story that broke, an Indian developer decided they would cash in on a brand name, LastPass. They made an app called LastPass, L-A-S-P-A-S with a red logo that looked awfully similar to the LastPass logo. And it appears now that this was purely brand impersonation. It was not in fact a password stealer as it could have been hypothetically. It was just counterfeit. 
It was just basically run of the mill, copyright and trademark abuse. I guess that's good. It took Apple a little bit longer than it should have to take it down. It was taken down. It would appear apart from some potential brand damage and some potential people having been defrauded of some money. Although Apple may have refunded everyone if they took the app down for abuse. In fact, they probably... I'm guessing. Yeah. So all in all, this probably was a storm in a teacup, but it was briefly very, very shouty all over Twitter and stuff. Another not such great news. So why do we need to be so careful online? Why are there so many scams? Because they work. So the latest reporting from the US Federal Trade Commission is that they have reported to them $10 billion with a B of fraud that succeeded in 2023. That is 10 times... That's what people have reported. Reported, right? Yeah. Now, we know that the report rate on online fraud is very low because people assume nothing can be done. So this is a massive under-reporting and it's $10 billion in 2023 of Americans' money only because the FTC is only reporting on American victims. And just that massive under-reporting is 10 times more money than ransomware delivered last year. Wow. So that's why there's so many scams out there. It pays big bucks to the baddies. All right. That's all for the scary, scary stuff. So the Federal Communications Commission... The palate cleansers? Well, not quite palate cleansers, good news. So the Federal Communications Commission has ordered American telecom providers that if they discover a breach where there is personally identifiable information involved, they now have a higher reporting standard they must adhere to. They have to let everyone know within 30 days. This is more than is required by the current regulations. 
I really like that one because I don't know whether this is true where you live, but in order to get a phone bill, you have to give them your social security number, which like to get a phone, to get a cell phone, you have to get, I don't understand why that is necessary. That one really makes me mad. Actually, let me put it this way. I think that was when it was subsidized. So you were making payments, but that was some way that they would come after you, but I don't have to do that to get to subscribe to a TV channel, shut me off. You don't have to have my social security number, but they do, they have our social security numbers in a lot of cases. And a lot of similar stuff here, and I think it's basically a leftover of the old way of doing things when phones were new and that you were subsidized and you could have been paying your handset off for two years. Right. So it was effectively getting a loan, and yeah. Yeah, it's like that. But you can just shut off my phone service and I'll pay up real quick. They didn't have to have that. Yeah, I know. I know. Well, I'm glad they have higher rules now. Yeah. Also, Apple has joined Meta, Google and Facebook in a new US government run AI safety initiative. So nice to see Apple joining the club and there's some pretty big names in there. It can't do any harm that they're all in this organization together thinking about AI safety. How effective it will be remains to be seen, but it definitely ain't a bad news story. So, right. Stick it in there. And then finally, DuckDuckGo have released a very clever feature for allowing you to synchronize passwords and bookmarks and things between different copies of the DuckDuckGo browser in an entirely end-to-end encrypted way so that no one, not even DuckDuckGo, ever sees your data. And effectively, they're using QR codes for you to share the private key between your own devices with minimal effort. 
And so each of your devices is using the same private key to encrypt the stuff on device. And then the only thing being synchronized is a completely encrypted piece of garbage that no one has the key to apart from your devices and you're moving the key around with QR codes. It's very nice to do it. I never thought about that. So with Safari, if I have bookmark syncing, which I think it just does by default, does that mean Apple knows what I've bookmarked? No, because Apple have approached the problem in a similar but not quite as safe, not quite as trust-no-one a way. So Apple synchronize your private keys and we trust they don't sneak in an extra private key. If they did sneak in an extra private key, they could then decrypt all of your stuff. Assuming Apple's key synchronization is not malicious, then you are as protected with your iCloud stuff. Okay, okay. And there ought to be no reason to assume any malice here. It would take active malice on Apple's part or hypothetically maybe being forced to by a gag-ordered court ruling from a secret court. Okay, but it's not end-to-end encrypted like DuckDuckGo. Oh, no it is, it absolutely is. So the difference is how the keys get shared. So Apple share the private keys using their key service, which we have to trust is secure and there's no reason to doubt it. DuckDuckGo share it with QR codes. So Apple's version of end-to-end encryption is more user-friendly, DuckDuckGo trusts no one. We have to trust Apple; with DuckDuckGo, it's trust no one. Interesting, okay. But they're both very good and both very safe. Right, I have one interesting insight. This is actually fun to read. I wasn't sure if I should put this as a palate cleanser or an interesting insight because Troy Hunt is a very humorous writer. He describes discovering what is probably the most insecure and badly developed API you could ever imagine. And it's a really good insight as a programmer into how not to program. 
And he just takes you on this journey where he says, I mean, it will be absolutely stupid if you were to include blah, blah, blah. Oh, look, here it is. But it couldn't get any worse unless you did blah, blah, blah. Oh, no, there, let's scroll down a bit. It's just, it's written in such a fun way. But it's a really good, if you write code, you should read this as a do, you know, here's pitfalls you should sidestep, only it teaches it with such humor and fun that you will remember. Oh, good, I like that. I can learn from anybody who makes me laugh. Exactly, so, and I really enjoyed reading it even though it's like, oh my God, these developers are morons, but I'll not be that moron in future, I hope. Anyway, that was fun. You differ moron in future, right? Right, exactly as proved by our first deep dive. So I think I confessed this the last time, but just in case I didn't, I'm gonna confess it again. When Bart was talking about Have I Been Pwned on a previous episode of Security Bits, I said that I thought the notifications were silly because I was just always getting them that would go, allison@podfeed.com has been, you know, breached somewhere and it's like, yeah, but you don't tell me where, I can't do anything about it. There's no action I can take. It's like, okay, so, and then right after that, like the next day, I got an email that was to a specific site saying you need to go change your password. And the other one I just got was about Spoutible from Have I Been Pwned because I had an account on Spoutible. So I was like, oh, dang it, he's right again. I will stop confessing after this that you were right, but in case that wasn't done once, it's done twice now. It was done once, so thank you for doing it twice. And I guess it's good for listeners to know. Yeah. Because I'm a big fan of Troy Hunt's. He's humorous, he's funny, he's a great interview guest on podcasts and his service rocks. So I'm a big fan. 
I have quibbles with his choice of JSON data structures, but I know enough JQ to fix it. So it's all good. In Programming By Stealth episode 161. Precisely, we get to plug ourselves that way. I have one palate cleanser. I don't like to always plug NASA's Astronomy Picture of the Day because I could basically do 14 palate cleansers of Astronomy Picture of the Day every two weeks because there's one of them a day and they pretty much all rock. Well, one of them from the previous two weeks blew my mind. So this is a photograph of a rocket launch taken at just the right time of day. So the ground is in night and the moon is above the ground's horizon and it's a full moon. The rocket is high enough up that the curvature of the earth means the rocket is in daytime, which means the rocket is casting a shadow. And because the full moon is directly opposite the sun with the earth exactly in the middle, the shadow of the rocket points like an arrow at the moon. Oh, I didn't read it before looking at it. I was looking at, well, that's just kind of interesting. There's this blue line that goes from the rocket down to the moon, but I didn't catch it. That's the shadow. That's the shadow. That's cool. So that proves that the reason the full moon looks full is because you have the straight alignment of the sun, earth and moon because you can see it as a straight shadow. And it proves the earth is round because we on the ground are not in daytime and the shadow of the rocket plume is in daytime. It's like this one photograph just proves that our knowledge, our understanding of the universe is visibly correct in this one shadow. It's so cool. So I saw a better proof that the earth isn't flat. Somebody posted it on Mastodon. They said, I can prove that the earth is not flat because if it was, all the cats of the world would have knocked everything off the earth by now. 
As I was reading that, as I was reading that, I was standing at a counter and I heard a clatter and my cat had just knocked my glasses off the counter. Yeah, as a former cat owner, I still vividly remember that sound of something coming clattering to the ground in the kitchen behind our backs. Some of the best videos out there are just cats. There was one with, I don't know, some little container and it had a bunch of little things in it. And the cat was reaching in, grabbing something, throwing it on the floor, reaching and grabbing the next one, throwing it on the floor, like actually pulling it out with his hand and throwing it on the floor. In addition to the John F. Braun recommendation about the Scammer Payback YouTube channel, I have another one and I think you'll support this because I sent it to you and you loved it as well. If you like history and you like science, you probably find the history of Charles Darwin interesting. There's a person who goes by the name, their handle is odd pride on TikTok, and they tell the story of Charles Darwin's early life, how he ended up on the Beagle, in just the most delightful and humorous and fact-filled rapid fire explanation and it's absolutely delightful. It's so much fun. I don't know, it's a couple of minutes long but it was, you enjoyed it, right, Bart? I thoroughly enjoyed it and what just struck me as someone who does talking into a microphone quite often, the amount of preparation work that must have gone into that three minute video blows my mind. Like that was a machine gun of trivia ordered in a way that tells a story, delivered with perfect everything. It was, oh wow, it blew my mind and it was a fun topic and I learned a lot of things I didn't know about someone I thought I knew a lot about and admired greatly anyway, it was fun. Exactly. I don't know what you call someone who studies dinosaurs but that's who odd pride is. That's their field of expertise, dinosaurs? Paleontologist? 
Well, they even did one on the difference between an archeologist and a paleontologist. They explained the difference between those two but I didn't understand it. But I think paleontologist. So they're really well read, really brilliant, very, very funny. I subscribed to the channel immediately. I can see why. Yeah, you did send it to me and I'm so happy you did because you were like, I think you'll like this and I was like, yup, yup, yup, yup, totally did. So double thumbs up for me on that one. Cool. All right, well, that's what I got apart from the usual reminder that what you absolutely positively should do is stay patched so you stay secure. Well, that's gonna wind us up this week. Did you know you can email me at allison@podfeed.com anytime you like? If you have a question or suggestion, just send it on over. Remember, everything good starts with podfeed.com. You can follow me on Mastodon at podfeed.com slash mastodon. If you wanna listen to the podcast on YouTube, you can go to podfeed.com slash YouTube. If you wanna join the conversation, you can join our Slack community at podfeed.com slash Slack where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeed.com slash Patreon or with a one-time donation at podfeed.com slash PayPal. And if you wanna join in the fun of the live show, you will have to wait till March 3rd to head on over to podfeed.com slash live on Sunday night, 5 p.m. Pacific time to join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.