Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, March 17th, 2024, and this is show number 984. In this week's episode of Programming by Stealth, Bart Busschots as usual walks through his solution to the challenge from last time, and as usual, I learn a lot more about how to use jq to solve problems. He takes a bit of a detour to explain a fun email we got from Jill of Kent in which she explained the vast number of headaches she'll run into when trying to alphabetize names no matter the language. Then we buckle down and learn about how to make trade-offs between speed and efficiency of resources and how jq lookups can help us with that. Bart also helps us understand when lookups can help us with querying JSON files. This episode is more of a lecture, which is fine because he's introducing a new concept and explaining some of the philosophy behind it. You won't hear me breaking into the conversation very much, but it's only because I wasn't confused. Don't worry, when we get to the final example, you're hearing, we get very confused. Bart explains it at least three to four times, and you'll finally hear why your co-host was confused. It's kind of ironic actually. Anyway, you can find this episode of Programming by Stealth in your podcatcher of choice, and you can find Bart's fabulous tutorial show notes over at pbs.bartificer.net.

A year ago last November, Steve and I finally cut the cord. We gave up our cable TV service and switched everything over to streaming using YouTube TV. That left only two things with our ISP, Frontier, our FiOS internet and our landline phone. We have saved a fortune from cutting the cord, and by fortune I mean $1,217 per year. That's not chump change. When I negotiated the pricing with Frontier, the lovely person who helped me set it up told me I was getting a promotional pricing.
I remember saying to her, so when this promotional pricing is over, I just call back and you find me new promotional pricing, right? And she said, yep, that's how it works. Well, two months ago, Steve came to me with our Frontier bill and it had gone up by $10 a month. I looked at it and $10 wasn't enough to make me take on that battle, so we decided to just let it ride. Then it went up a little bit more and then even more. After three months of this, our Frontier bill had gone from $62 to $94, which is an increase of 50%. It was time to call Frontier. I called them on the phone and I was greeted with those dreaded words. We're experiencing greater than expected call volumes. The recording offered to have someone call me back in 25 minutes and I wouldn't lose my place in line. I agreed and at 25 minutes exactly, the phone rang and I was connected to Tiffany. After exchanging pleasantries with Tiffany, I simply said, my bill went up 50%. I don't wanna pay that. So how do we make it go back down? She said she could help. She did a bit of typing on her end, put me on hold and then I was transferred to Chandra. As is often the case with this kind of thing, Chandra came on with no idea why I was calling. I was a smidge aggravated as I always am when this happens, when I have to repeat myself. But then she said, I'm in retention. Those are magical words because it means her job is to make me happy so I won't leave Frontier. I told Chandra that I would be delighted to repeat what I'd explained to Tiffany just a few minutes ago. Chandra took just a couple of minutes to come up with a promotional deal that made my new bill a dollar and a half less than it was before they started increasing our bill. I thought we were done, but Chandra had more for me. She pointed out that we had a landline and I had to apologize for being old school.
She said she was obligated to let me know that landline phones require power to operate and that in the event of a power outage, our phone would not work. I didn't tell her that we have a whole home battery with our Tesla Powerwalls because I wanted to see where she was going with this. She went on to tell me that she could send me a battery to put on our modem so we'd still have phone service if we lost power. Well, I wasn't gonna do this of course because I already had the whole home battery system and actually my modem's on a UPS but I asked her how much would that cost me? She told me that since I lived in California she was required to give it to me for free. Oh heck, free battery that I don't need? That sounded pretty good. So I said, sign me up. After I got off the phone, I told Steve about it. Any question why I accepted a battery if I didn't need it? I said, because it's a free battery. I don't know, he didn't get it. A few days later, a package came from Frontier but it was too light to be a battery. I opened it up and inside was something unexpected. It was an Eero 6 Plus mesh router with power supply and an ethernet cable. The 6 Plus is touted as the most affordable of the Eero lineup but it's still a dual band router that supports gigabit speeds and bought individually they're $140. Well, it's way better than a battery I don't need. I thought about calling Frontier and telling them they'd made a mistake but in my experience giving things back to companies is often very difficult. I remember years ago when Nordstrom made a $100 error in my favor on my credit card and I talked to three different people who could never figure out how to take my money back. I was still struggling with the moral dilemma of whether to spend my time trying to give the Eero back when our buddy Ron came over for dinner. I told him the story and he said Frontier had sent him a battery a year or so ago and it turned out to be something he couldn't even use.
So to explain what it was and what it was supposed to be for I have to do some explanation of terms. FiOS stands for fiber optic service and it means that the service is delivered to you over fiber optic cables that transmit information as light. Well, that light has to be separated into TV, voice and data as electrical signals into your home. The box that does this translation from optical to electrical energy and separates the signals is called an optical network terminal or ONT. The ONT is a box that's often outside the home or inside the garage. In our case, it's outside our house. Now the battery Frontier sent to Ron was for the ONT but what they didn't remember was that they had just replaced his ONT with a new version that doesn't require a battery to remain functional in a power outage. I'm not exactly sure how it does that but he's had a few power outages and his internet and phone service stayed up. His ONT does have a circular port on it that says backup but the cable on the battery they sent him had a completely different size circular port or plug I should say. Once I heard Ron's story, we imagined, you know, Phil in shipping at Frontier just grabbing any old box he could get his hands on, shipping them out when he got an order. I didn't want to get Phil in trouble so I added the Eero 6 Plus to my network so I now have six Eeros flooding my house with the Wi-Fi's. Six seems like overkill but before this, my cell phone on Wi-Fi calling never worked near my refrigerator till I set up that sixth one in the kitchen. And a few days later, another package arrived from Frontier. I think Phil in shipping, man, he outdid himself on this one. It wasn't another Eero and it wasn't a battery for my modem as Keandra told me I'd be receiving and it wasn't exactly a battery for my ONT either. It was a plastic box into which I could put 12 D cell batteries and then plug the box into my ONT. Seriously, 12 D cells, right?
Well, I didn't even bother to see if the plug would fit into our ONT because there's no way I was gonna invest in 12 D cell batteries then put the box outdoors just to time how long it would take them to corrode. Also, there's no room in the box where the ONT lives on the side of my house to fit in another battery box. Now, I should also mention that in addition to our whole home battery, we already have a battery attached to our ONT. I would have mentioned this to Keandra if she told me it was an ONT battery they were gonna send but she said it was for the modem. I thought maybe it was gonna be a UPS. Anyway, I guess I've learned that a free battery doesn't always mean a free battery. Now, the bottom line here is that you should always, always, always call your internet service provider if they raise your rates because you might just be able to get them to make it go back down. Other than the 25 minutes to be called back when I wasn't really inconvenienced, my time on the phone was no more than seven minutes. If they offer to send you something free, say yes because Phil might just find you some nice Eero mesh router in the back of the storage. Then again, he might send you something ready-made for the hazardous waste disposal.

I'm gonna play another one of the CES interviews that Steve has done so much work to create the videos and audio files for you. Now, this one is probably really fun to go watch in video because you're gonna see me doing something funny with it but it's a thing called Glide. It's a self-guided mobility aid and in the video you'll see me with my eyes closed driving this little thing around and it's really, really cool. But if you listen to the audio, there's a cool thing about that too because I'm describing to you what I'm seeing, which is nothing at all. So I'm describing my experience and I think it'll give you a little more insight about what it was like to be the one driving this if you were visually impaired.
Anyway, let's take a listen to the interview with Glidance about the product Glide. I'm with Amos Miller from a company called Glidance and he's gonna show us a really terrific accessibility tool that he's the co-founder of the company, Glidance, I believe, correct? I am the CEO and co-founder of Glidance, correct? So talk to us about what this device can do. All right, so Glide is, first of all, I'll just explain that the Glide is the first self-guided mobility aid for people with sight loss. So really developing a solution that addresses the needs of people who need to get around who are unable to see and providing people really with a third alternative. Today people use guide dogs and canes and we know that for some people they need some more help, especially people who lose their sight later in life. So that's where, that's the origin of the work that led to the development of Glide. So why is that important to people later in life more than if they'd lost their vision earlier or if they were born blind? That's a great question. I mean, people who are born blind build a mental map of their world and build the skills and capabilities to navigate in the world from a very early age. And by the way, I'm not saying that people who are born blind would not benefit from Glide, they will. And I'm sure that they will enjoy the benefits that Glide brings in terms of this really very clear and guided navigation, which we'll talk about in a minute. But people who lose their sight later in life sometimes are reluctant to take those steps to develop the skillset that's required to be an effective cane user and get out and about independently. So maybe it's like learning a language later, you're always translating. If you're born speaking two languages, you spoke two languages, you're not translating. Maybe it's something like that. It is, yes. And it's also being alert to the information that you get from your environment and being able to orient based on that. 
It's also a mental adjustment, yeah? Like being willing to walk out there and try for a while before you build that confidence. And I think one of the benefits that Glide can bring to that is that really very quickly because it actually guides you, a person who knows there, let's say, how to get around there, the neighborhood would be able to take a walk very quickly with it. So I'm gonna describe what this looks like to the audience because there's audio only listeners as well. And heck, there's blind people listening as well. So he's got a... By the way, just for the audience, I am actually blind myself. Maybe it's just worth explaining that I lost my sight in my 20s from retinitis pigmentosa. I've been at this kind of quest to figure out technological solutions for navigation for quite some time, maybe three decades now. I developed Soundscape at Microsoft for a number of years. Some of your listeners may be familiar with that. Yeah, yeah. And really, I was very intrigued to explore a solution that can help people who may not be those confident cane users. So let me explain... Why don't you describe what this looks like? Let me explain what it is, yeah. So I'm holding in my hand Glide. I'm holding the handle. The handle stretches 45 degree to the ground and then it rests on two wheels. And the wheels are effectively what guides you. So I will move the device forward and the wheels will start steering left and right to guide me, to keep me on the path, to take me around obstacles and just guide me to where I'm going, whether it's to a door or a dropped curb or all the way to a restaurant that I set up on my navigation app. So it can respond to navigation from the phone? We're working on those integrations so that you can set your navigation on the phone and then it will guide you to that destination. So you're going to be the first one to full self-driving? 
Yeah, well, it is self-driving but it's also, and that's a very important point, it's also actually the wheels are not motorized. So it's not going to pull me around. Oh, okay. Okay, I'm moving it forward, I'm pulling it back and the wheels just steer left and right. The wheels can also apply the brakes to stop me. Oh, that's nice. But the agency remains with me. I'm the one that's in control. I'm deciding, do I want to go back? Do I want to go forward? Do I want to go fast? I can even twist the handle to turn left and right. Okay, I can see the wheels turning when you do that. Yeah, and when I do that, if there's an obstacle, the wheels, the device will not let me turn until it's safe to take that turn. Okay, so it gives the user a lot of autonomy. What a K9 dog does, in a way, right? Inspired. Stopping you from stepping into the street. Yeah, inspired by that, but we also have, definitely inspired by guide dogs. I want to agree to that point. I mean, I'm a guide dog user myself. But we also have speakers in the device so the device will be able to use voice to give you some more information about the environment that you're encountering. The speakers up in the handle? They are in the handle and you'll be able to also plug it into a headset if you prefer that. Oh, that's neat. Yeah, the speakers are here in the handle. There's also haptics in the handle so that the device can warn you to slow down or tell you that you can speed up or that there's a sharp turn coming to the left or the right. So really working together with the device. So there must be a camera on this somewhere? Yep, right up here. So they're up in the handle? So we have, there's quite a lot of sensors on the device. Along the bottom there are short range sensors that really help with the obstacle avoidance and local path planning.
And then we have a camera right at the top of the handle so that the device has a nice view of all the environment, the space in front of you and help to determine a good, safe path to guide you on. Okay, yeah, I can see how you need to know the obstacles on the ground but also the situational awareness of... Yeah, and the camera can... I mean, we're working on line of sight targets for example, so that the camera can detect, let's say a door and then work out a path to that door and Glide will guide you all the way there. Very, very cool. So this is an active product development right now, is that correct? Correct, yes. Okay, and do you have a vision for when this might be a product? I do, of course. One that you're willing to tell me about? Yeah, sure. No, I mean, we are really expecting to kick off a beta program this year as in by this late spring or summer this year. I mean, we'll see how successful we are in hitting those dates but the beta program will really give us an opportunity to get devices into people's hands, start to get a lot of feedback from daily use and prepare to launch the product after that. I heard from one of your other compatriots here that you were having a guy demo it who was blind and he started jogging with it, is that true? Yeah, he went a little fast for running in CES. I don't think he saw how crowded the environment was in front of him. Did he run into anything? He did quite well right at the end, somebody just cut across him at almost equal speed and they had a brush, let's say. But no, I mean, the device is definitely working to support good walking speed. I mean, I say to people, we call it Glide because when you walk with it, you glide. You know, and that's really the experience that we wanna empower of this. It's a very smooth experience. You walk, you're confident, you're upright, you're heading where you wanna go and the device keeps you on a good, steady pace and you feel empowered and confident. Very good.
Do you think we can do a demo of this? We absolutely can do a demo. So we do a video cut and then move and then go do, cause I know you're doing it in a little less crowded area. We can do the demo at the back, yeah. What do you think? Where are my demo guys? We might need to do a cut because we are not quite organized. We'll do it, we'll do a cut and then we'll move. Okay. Okay, so I'm gonna close my eyes. So you've got the device in your hand? I do. Okay, so let's get it to stand first. Okay. So now it's sitting down. Okay. It's a nice angle, yeah. You hold it in this hand and when you pull it down to angle, it will be ready to go. It'll get on its legs, on its feet. Oh, okay. On its wheels, you'll feel it. And then when you walk, just feel where it's going and follow it. Okay, I'm not good at following directions. Don't let it run away. It's not gonna tell you anything. If it starts going to the left, just go with it. Don't kind of let it hang on the left by itself. Okay. You'll get it. Here it goes. I'm closing my eyes now, tilting the back. Oh, there I felt it. All right, I'm just gonna start walking. I have my eyes closed. Oh, it wants me to go left a little bit, a little bit to the right. Oh, I can feel it gliding me. Go a little bit to the left here. I'm hoping somebody will tell me if I'm gonna run into anybody. Oh, oh, I've gotta go this way. It just stopped me. I wonder if Steve's standing in front of me. I bet you anything, he just tried to stop me. All right, I'm still going. This is pretty gentle. I can definitely feel just us. Yeah? Okay, Steve wants me to try turning around. You go in front of me though, Steve. All right, oh, okay, I'm turning. It's letting me turn. It's letting me do a sharp turn. I'm still going around and I wanna start going straight now. Oh, I'm gonna go right, left. Oh, a little bit jerky back and forth there. All right, I'm gonna walk a little faster just to make everybody nervous. Whoa, there it goes. 
I don't know if I'm gonna run into anybody here, but so far so good. Yeah, I can definitely see, oh, there we go, there we go. I don't know if I went around somebody. It's interesting to do this and not know whether I'm just missing people or whether I've just, I'm completely alone here. I can't actually tell, but I think I'm gonna stop here and turn around again. All right, wants me to turn around. Should I go back anymore, Steve? Go back, walk a little bit more. Yeah, this is very natural. You can definitely see how this just feels really comfortable. I don't think I've hit anybody yet. All right, I'm gonna stop. So I'm gonna bring it up at a high angle and it just put itself to sleep. There we go. Yeah, yeah, that was great. All right, let's close it off here. All right, I'm gonna say goodbye to you here because we haven't actually concluded that. That worked really well. That was very, very interesting. I understand exactly what you were describing. I could feel what it wanted me to do. Now it makes sense. Yeah, it really does, it really does. Thank you very much. So one more time, if people wanted to learn more about Glidance and Glide, where would they go? So the best thing to do is to go to glidance.io. Glidance.io, that's G-L-I-D-A-N-C-E, dot I-O. You can, they can register. We are taking registrations in advance of a pre-order program and they can just register for more information. And we really look for feedback. We look for thoughts. We look for people who wanna talk to us and engage. And Allison, I just wanna say thank you very much for having this discussion with me. My pleasure, my pleasure. Thank you very much, bye-bye.

Well, this coming week is the CSUN Accessible Tech Conference and Steve and I will be going there like we do every year and doing more interviews. And Amos is actually gonna be there so we'll be able to find out how well this beta program is going, I think he was gonna start in the late spring.
He might be ready to launch and maybe we can get some new information since this was recorded in January. We might know even more this coming week.

I made a rule way back when I started podcasting nearly 19 years ago that I would only review products that were either good or great. I've gotten comments from a few people that say they really wish I'd review bad products too when I come across them because then people would know to stay away from them. Well, that doesn't sound like any fun to me at all. If a software or hardware product has promise but doesn't quite hit the mark, my strategy is to send constructive feedback to the company telling them what I think they can do to improve. It seems more polite and friendly overall and I think it serves the public interest better that way. Well, this week I've had a real struggle trying to review something. The problem is that there are nearly as many pros as there are cons to the products which you think would take it out of the running. But Steve and I love the products so much we keep buying them. It's not a love hate relationship. It's more of a love you, disappoint me intermittently relationship if that makes any sense. I've been waffling for two weeks on whether and how to do the review and I decided the best path was to do the review but constantly waffle back and forth on whether I should recommend it. That's really the only honest way for me to do it and I really do love the products but it's gonna be a smidge more uneven than it would be otherwise. Okay, with that annoying preamble aside I'll stop being mysterious and tell you that the products are the heated mugs and cups from Ember. You may remember that we interviewed Jake Singer from Ember at CES this year where he talked about the mugs, tumblers, travel mugs and even baby bottle warmers they make.
If you've been around for a while you may also remember that I reviewed the Ember ceramic mug in 2018 and we interviewed them at CES way back in 2016, three months before they launched their first product. So here's the deal, Steve and I both like our coffee hot and if it gets too cool we'll run to a microwave to heat it back up. But in the six years since we bought our first Ember mugs Steve and I have been delighted to have coffee that stays hot while we sip it throughout the morning. Well, so what's not to like? Ember mugs keep the coffee hot by using an internal battery which is charged by placing it on a little saucer that's plugged into the wall. The saucer has two pogo pins sticking up that make contact with circular metal rings on the bottom of the cup and that makes the electrical connection to charge the device. The new containers like the tumblers and the travel mug all use this same basic design to charge the devices. The problem is that the saucers are highly failure prone. The little pins have a tendency to get pushed in which makes it impossible to charge the cups. Early on in our Ember journey you had to buy a whole new mug slash saucer combo so it was pretty expensive when they failed. Eventually they started selling the saucers by themselves which made it a little bit less painful when the pins inevitably went bad. Now the regular cup slash saucer combo runs $130 to $150 depending on whether you want the 10 ounce or the 14 ounce cup and replacing the saucer will cost you $40. That's an awful lot of money to keep your coffee or tea hot but still we bought the new ones when the old ones failed us because we love having our coffee stay hot. Now I have a 10 ounce and Steve has a 14 ounce regular cup which are a couple of years old. Shortly around the time we interviewed Ember at CES this year we started having new problems with our cups.
Keeping your cup at the optimal temperature requires a Bluetooth connection between your phone and the cup. My cup would maintain that Bluetooth connection and stay toasty hot but only when the cup was on the saucer. If I held the cup in my hand too long it would just start to cool down. Steve's cup found a way to be even more annoying. Like mine his cup would not connect to Bluetooth if it wasn't on the saucer but even worse it only stayed connected right after he'd poured in brewed coffee that was hotter than his set temperature of 145 degrees. So let's say it was 165 when he poured it in, it would stay Bluetooth connected right until it got cooled down to 145 and then it would disconnect. That's also known as not heating his coffee. You know, it had one job, right? Well, we started looking at the newer offerings of Ember after CES. Now Bart recently bought the new Ember Travel Mugs at $200 each for himself and his darling beloved. These are really cool because they have the temperature displayed on the outside and you can tap the plus button to increase the temperature without messing around in the app. It even shows the battery level on a second display. They're tapered down so they fit nicely in a cup holder and they also feature built-in Find My which is great if you let your mug wander and use an iPhone. Now the only downside to the Ember Travel Mug is it's only 12 ounces. We like to order Grande mochas at Starbucks which are 60 ounces. We opted to replace both our at-home Ember Mugs and our inexpensive plastic mugs for Starbucks with just a 60-ounce Ember Tumbler. Now the Tumbler lists on the Ember website for the same $200 as the Travel Mug but Amazon has it for 20% off right now so it's only $160. So we got our 60 ounces of happiness. These tumblers are great. They keep our coffee hot and toasty for hours because they have a big battery.
They say it'll keep the liquid at 135 degrees for three hours and I'm sure I get at least two hours at 145 degrees which by the way is the maximum temperature. They come with two lids. One is a screw-on lid with a handle which is great if you wanna carry it around but it's not great because you can't drink out of it without unscrewing the top. The second lid is a press fit that's quite snug and it has one of those sippy cup thingies that you slide back and forth to open it up for the sipping. Works really well and we've had no spillage from it. In fact, if you have the sippy thing closed it's pretty hard to shove into the tumbler because it's such a snug fit. I also find it pleasing to drink directly out of the tumbler with no lid at all. Since it's constantly heating my coffee it doesn't cool down because I have the lid off. I tend to drink my first cup of coffee from home with the lid off but my Starbucks coffee with the lid on. I mentioned the nice long battery life but that comes at a price. The price we pay for two to three hour battery life is that the Ember tumblers are heavy and by heavy I mean more than a pound. It's 17 ounces or 487 grams to be specific and that does not include the weight of the lid and that's without any liquid in it. I'm not kidding when I say if you have any trouble with hand or wrist strength the Ember tumbler might not be for you. Now the Ember travel mug that Bart bought isn't that much lighter. It weighs 15.2 ounces or 432 grams. And remember it holds a quarter less liquid than the tumbler. Now the weight isn't a huge deal for us and since the tumblers keep our coffee nice and hot we really love them. Except on the rare occasions, which happen to each of us about once a month, when the app decides your cup is empty. When it gets in that mood there's not a darn thing you can do to convince it that you really do have coffee left and you really would like it heated please and thank you. But 95% of the time it's been rock solid.
The travel mug that Bart bought is designed to fit nicely in a cup holder in your car but the tumbler most definitely is not. We can't squish it down into our rubber lined cup holders hard enough to hold it securely in place but the bottom of the tumbler is still a good inch above the base of the cup holder. Makes me nervous but we've had no cases where it tipped over. If you wanna measure your own cup holders to see if a tumbler will fit in yours, the tumbler is 3.3 inches or 83 millimeters in diameter. When we repeatedly bought the regular coffee mugs we bought them in different colors so we could tell them apart. I'd buy white and he'd buy black. The next time I bought silver and he bought the copper colored one. The Ember tumbler comes in any color you want as long as it's black. I'm gonna have to break out my Cricut and make a cute little sticker for mine so we can tell them apart. So do you see why I had so much trouble writing about the Ember tumbler and all of the Ember products? At the high prices they charge their heated mugs and tumblers are definitely luxury items and you would think that for these prices you'd get a product that would last longer than they do. I'm afraid their customer service isn't great either. On their website they show product reviews. The tumbler we bought has 220 reviews, a hundred date of which are five star but 53 of which are one star. Nearly all of the 53 said they had trouble contacting customer service. Recently Steve wrote a lengthy request to customer service for his little mug and he has not heard back from them in the two or three weeks since he wrote to them. I'm pretty sure it was out of warranty but you'd expect some sort of response. When you buy an Ember mug you can buy a two year warranty for the tumbler for $19 from the Ember site so that might not be the worst idea if I haven't convinced you not to buy one. Should you buy an Ember mug of any kind?
All I can say is I was really happy when I stopped by a friend's house for a quick chat that turned into an hour visit and when I returned to my car my coffee was still nice and hot.

Did you learn anything so far today listening to the show? If you did, is it of any value to you? Do you learn things often from the NosillaCast or watching the fine videos Steve produces from CES and other shows? If so, please consider going to podfeet.com slash Patreon and pledging a small amount to help keep the shows going. Thanks to everyone who already does this, it makes a huge difference.

Well, it's that time of the week again, it's time for Security Bits with Bart Busschots and I see a shamrock on the date there Bart, isn't that cute. I thought you might notice that one. Yeah, I like my little emojis, me, especially since we spent so long getting them working again on podfeet.com. Yeah, I don't know whether anybody noticed but we had for quite some time, many, many months, we had no emoji. Well, actually we had the real simple emoji, the ones that were only one character emoji were working for some reason, then Bart and I spent a great deal of time figuring out why and doing encoding and stuff and now they look beautiful again. Yes, and what the listeners can't see is I have my Ireland jersey on which is beautiful and green and I have my greenest Apple Watch band on. So I am fully in the Saint Patrick's Day spirit here today. As well you should as a good Irishman. Yes, and I have a day off work tomorrow which is very pleasing. Thank you. Really? Yeah, it's a public holiday. It's our national day. So it's our equivalent of the 4th of July is St Patrick's Day but because it's a Sunday we get the Monday. Oh, nice. Yeah, they don't make us lose a holiday just because it happens to fall on a weekend. We get it carried over which is nice. Anyway, we have a decent amount of security news, not a terrifying amount, a decent amount.
And we start with some follow-ups of things we have talked about recently. So the theme of the year for 2024 seems to be ransomware. So two installments ago we said, yay, the feds have arrested lots of people and killed the BlackCat ransomware gang, but I'm sure they'll be back. And then one installment ago it was boo, they're back. Well, now it turns out they weren't really back. They were sort of kind of back, and it looks like they may have been bluffing about the attacks they said they'd done. And now they appear to have self-destructed themselves in that wonderfully, you know, criminals will be criminals sort of a way. They have stolen all of the money from their affiliates and sold it off. So what they're supposed to do is give 70% of the money to their affiliates and keep their 30% commission. What they actually did was... Wait a minute, wait a minute, wait a minute. A BlackCat ransomware gang has affiliates? Oh yeah, ransomware as a service is the way this is all done. This is business, this is big business. Yeah, so they don't go looking for victims. They leave other people to do that. They do Apple's business model. They basically run a malware store and they take Apple's 30% cut, and they let other people do all the work and they just take 30%. But one of their affiliates got a big one. They got a big American healthcare company called Change Healthcare, who apparently paid a $22 million ransom. And they took the $22 million and closed up shop, and they put up a fake FBI takedown page and went, oh, I don't know, the feds took us down, we're terribly sorry. And they sent it off. Oh my gosh. Well, you know, no honor among thieves, right? Right, exactly. So I think they're gone now. But yeah, so that keeps on giving. Something else I have definitely said is that the focus of ransomware has shifted from home users, who were the first targets, and you get like, you know, $100, $200, $300 a go.
But that's not a lot of money when you could get $22 million from Change Healthcare. So the focus definitely shifted towards the bigger ransoms. That doesn't mean the smaller ones stopped completely. So the biggest player in the smallest pond is a ransomware called StopCrypt, and they made the news this week by upgrading their software to make it harder for antivirus to stop it. So even home users need to continue the old, ever-present vigilance. Don't download things from random websites and stuff, because what you catch could do you a lot of damage. And the previous story, maybe, you know, because I'm an extra double secret optimist, maybe BlackCat running off with all the money of their affiliates will make other bad guys take pause before signing up for doing something through one of these ransomware as a service groups, because they might lose all their money, no? Maybe, maybe, but this is actually the third time the same people have run away with the money. So BlackCat has renamed itself twice and has done this three times now, and everyone is expecting them to show up again with a new name, and someone will say, well, what the heck? Because, you know, they would have paid 99% of their affiliates. You just don't want to be the last affiliate, because then you get nothing. Yeah, no honor among thieves. Just one with the $22 million. Yeah, so don't be too successful, I guess. Be an affiliate, but not a good one. We talked last time about GitHub enabling by default something called push protection, which checks your pushes for secrets and stops you from accidentally publishing keys that you shouldn't be publishing to the world. And you were wondering how big of a problem this is. Well, we got a little bit of a report. 12 million were found in 2023 pushed to GitHub. So, okay, that's why they did it. Fair enough, that makes sense.
We also talked about GitHub having in beta a feature where you could stop using your phone number as a way of connecting to people on Signal. And that is now out of beta. I have now played with it; it works. They call it a username, but they don't mean a username. It's a very interesting technique they've gone with. You're completely anonymous on Signal. So you don't really have a username or a phone number. You just need a token you give someone to connect to you. And in the past, you would give them your phone number, and that would be the way you would start a conversation. Well, now you can generate this token. I'm gonna call it a token. And you give that to people to start a conversation with you, and that's all it is. It's not your identity. It's not that your account has this name. It's just, here is a little piece of text you give to people if you want them to be able to start a conversation with you. And so now they can start a conversation with you without ever knowing your phone number. Okay, okay. So it's a connection token. The amount of friction to be able to find someone you know on Signal is high, right? You have to already know them some other way, where you say, okay, let's pick up and go over to Signal and have a conversation, here's my token. Yeah, because it's not a social media, it's a private messenger. So it really is for two people to choose to connect, not social media. So they're not, it's a feature, not a bug. Well, it's a choice that doesn't have anything to do with whether it's a, it's not social media for Telegram, but. Well, no, Telegram describes stuff for social media with their groups and stuff. Telegram very much describes it. Yeah, yeah, they want you to. They want you to. Yeah, so they've designed their features to do that. But it's always been designed where if somebody you know joins with their phone, with their phone number that you have in your address book, then you can be notified that somebody you know just joined Telegram.
I mostly find it simple. Signal is the same by default, but now you can turn that off. Oh, okay, okay, got you. Okay, oh, okay, that's interesting. Yeah, yeah, I've turned it off because I actually, I don't want people finding me. Just because you know my phone number doesn't mean I like you. I've had the same phone number since my first cell phone. And that was in 1990 something. I don't remember 90 what, but the point is it started with 19. So it's been a while. Back in the 1900s? Yes, precisely, yes, last century, last millennium. I've had the same cell phone number since last millennium. Anyway, so that's now out of beta and in use. It's actually quite nice. I was kind of pleased with it. We also have some more DMA developments, Digital Markets Act in Europe. Apple definitely seem to be trickling out their changes. It's like they basically had stuff ready and went, we have this in our back pocket if someone asks us, but until someone asks us, we're not gonna do it. So the, let me see. The first thing is they released a document describing how they're determining whether or not you get to play in the EU app store at all. So there's a support document from Apple, which is linked in the show notes. So I'll just read out the important bit. So basically the country or region of your Apple ID must be set to one of the countries or regions of the European Union. And you must be, you must physically be located in the European Union. Your device eligibility for alternative app marketplaces is determined using on-device processing, with only an indicator of eligibility sent to Apple. In other words, the App Store app on your phone checks if you really are in Europe and then it tells Apple yes or no. I'm lost. Are we talking about companies that want to be app stores, or are we talking about developers? We're talking about users. Users, this is how do, I'm Joe Soap European, who as of iOS 17.4 can hypothetically use third-party app stores.
No, actually, MacPaw's is in beta. So yeah, you could actually genuinely be using one. How come I can take my iPhone on iOS 17.4 and install the MacPaw app store, but you can't? You can update to iOS 17.4, but you physically can't get to that app store. How are Apple deciding whether you can or can't? This is how. The one thing I find a little bit interesting is, and tell me if I'm completely off base on this, is it seems to me that Europeans freely move between European countries. Sure. You might have, I know somebody who lived in Germany and they moved to Austria, but that means that they don't have their Apple ID in the same country they're living in. They're still in the European Union. Yeah, so if you read it carefully, that's absolutely fine. As long as you're physically, your account has to be in a European country and you have to be anywhere in Europe. Oh, okay, okay, okay. In the European Union, not just Europe. Yeah, so in one of those eligible, yes, yes. Okay, I thought it was saying that you had to be in the same country. Okay, good, good, good. Yeah, especially if you live in Luxembourg. If they made you be in the same country, like, you couldn't move two yards or you'd be in a different country. That's what I was thinking. Don't lean to the left. Exactly. So the important thing is it's on-device processing, and all they send to Apple is a thumbs up or a thumbs down, in Europe, not in Europe, which is good. If you leave the European Union, you can continue to open and use apps that you previously installed from an alternative app marketplace. Good, so there's no time period on that sentence, right? So if you leave Europe, the apps you have installed won't magically stop working because you've left Europe, so far, so good. However, there we get a few caveats. Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union.
And you can continue to use alternative app marketplaces to manage previously installed apps. However, you must be in the European Union to install alternative app marketplaces and new apps from alternative marketplaces. So basically, you can't install anything new once you leave Europe, even for like five minutes. And if you do leave, you have 30 days where you can still get app updates. But after 30 days, you don't even get app updates. The only thing you can do is keep using the apps you have installed; they won't magically stop working. So it could be worse, could be worse. But if you're a researcher, if you go into Antarctica or whatever for a six-month stint, you have yourself a problem. You can't use these alternative app places. Now, that's a set of what? Like 50 people or something? Well, you know what I mean. There are people who go away for more than 30 days. Yeah, 30 days is really short. Do you think you're going to do this, Bart? On this as a company I really trust offering me an app I really, really want. I really have no interest in leaving the safety of Apple's well-regulated store. I have, so I need to make a really good case. No, no, I could just install the other app. Before I ask my question. The developers have to pick, right? The developers have to choose, but the users don't. So you can be in both. I could be in infinity money. So I can just go to the App Store and download another app store. And then I have two app stores on my phone. And if I download another one, I have three app stores on my phone. So I can have as many app stores on my phone as I want. I just don't know why I'd want to. Jumping the gun on something you were going to say, but you also are going to be able to sideload. Ish. From websites. From websites. Yeah. Download apps. From websites. That's sideloading. Except for the fact that the app has to be notarized and it has to be from a developer with very special permissions.
So true sideloading is anyone can put software up and it'll just work. This is still really closed. Okay, I'll follow you. You said that on the Mac we can sideload. And you can. There's notarization requirements for the Mac as well. You right-click, go Open and say, run anyway. And it will run. Okay. It will run. Yeah, okay, okay. Got you. Yeah, not sure on iOS. You have to know the secret handshake. Yes, which I do, because yeah, I do that. But yeah, there is a secret handshake. The secret handshake exists. There is no secret handshake for iOS even now. But yes, so Apple also then give three new rules. So the first one is basically the "oh, fine then, Epic" rule, as I call it. So Apple's rule for third-party app stores was that you could run an app store, but it couldn't be only for you. You couldn't have a company shop. So you couldn't have a Microsoft shop for only Microsoft apps or an Epic shop for only Epic apps. So that rule has been, that hasn't stood scrutiny. That is now gone. So Epic are free to make an Epic-y game store. Microsoft are free to make an Xbox game store, et cetera. So you can make an app store for just your company. The other thing that has changed is that when you moved out of an app to a third-party payment processor, you had to use Apple's predefined template, which was full of scary words, and you weren't allowed to add any content of your own. And that's now falling away too. That has gone from a requirement, from a must, to a suggestion. So they still offer you a template you might consider using, but the word is no longer "must" when you look at the developer rules. And then the big one you just mentioned is, and there's a lot of caveats on this, if you're a developer with a big enough app with long enough standing, then you may get a special entitlement that lets you publish your iOS apps straight from your webpage, so that users don't have to install a third-party app store. They can just go to your webpage and get the app.
And this is coming later this spring. And so we don't actually know how. We don't know how. What file extension, what happens as I go into the Files area on your iPhone, we have no idea of the how yet. Apple have just said, this is a thing. Here's how you apply. Here's the rules. It's coming in spring. That one also smells like an anti-Epic one, because it says you have to be in good standing for two years. And obviously they have not been in good standing for two years. No, they have not. They've been in really quite bad standing for two years, yeah. But I think this is a big one for, like, if you pay Google or Apple, sorry, Google or Microsoft for your corporate, like, groupware, right? I don't know what Google call it this week. Is it Google for Work? What do they call it now? I don't know. The corporate Gmail, whatever it's called. Like, there's a button saying get the apps. And for iOS it was always kind of weird, because you couldn't just get the app. You had to go to the App Store. Whereas now in theory you could click a button and say get the apps. And they could just give you the app. Straight, you know, you could be logged into the web version of Gmail or the web version of Outlook. And you just click the button and get the app. I think that's really what it's for. Or actually another company would be Adobe, right? You sign into your Adobe account and you just click the button to get Photoshop onto your iPad. So am I wrong in remembering which one this is? But it seems to me there was also a requirement that, to be able to set up this quasi-sideloading option from websites, you had to have a million downloads of an app. Yes, yes. That's what I mean by having a successful app. Is that anti-competitive, saying we only want big guys? That seems like super anti-competitive. No, it isn't. Because remember, it doesn't get a lot of coverage. And I did mention this before, but I'm gonna restress it again, because almost no one mentions it.
The DMA puts two competing requirements on the gatekeepers. They must be open, but only so open that they don't make a security risk. And so they are constantly balancing off two things. So Epic think the DMA says we must get everything we want. The DMA actually says that Apple have two competing responsibilities they have to balance, which is security of the entire platform and openness. And so this concept of yes, you can, but you must, is actually entirely in keeping with the DMA. You're missing my point. I'm talking about specifically the million downloads. Absolutely, yeah. Let me, what does that have to do with security of the platform? That doesn't have anything to do with it. Because it means you cannot be a fly-by-night operator who just comes along. You have to be one of the big players to get this kind of a very serious entitlement. But big player doesn't define more secure. Let me give you a perfect example. Marco Arment said that his sales of Overcast, Overcast obviously is not fly-by-night. It's long established. It's downloaded a lot, but he doesn't have to pay the 30% commission. He only has to pay 15, because he has far fewer downloads than the requirement to get up to above the 15%, which means he would be fewer than a million downloads and yet not allowed to have a sideload in the EU. To his own webpage, but he could still do a third-party app store. He could run his own app store. I'm not talking about the whole DMA. I know. I'm talking about this one thing about a million downloads. That seems to be anti-competitive, that only big guys can do it. And only big guys does not mean only secure guys. My understanding, based on the reporting I've been reading, is that Apple are in active conversation with the European Commission and this is flying. So I would still contend it's highly favoring big players, which doesn't, I thought the EU was all about not doing that. So that surprises me, that one.
I mean, this is supposed to be about these big, terrible, giant tech companies taking advantage of the little guy, Spotify. It's not quite about the little guy, though. It's about other big guys. It's using their dominant market position, right? To not allow other people to rise up and compete. Yeah, but allowing you to have your app straight on your webpage without an app store is a big, that's a big permission. So it makes sense to give that out very judiciously. That's a very dangerous thing to offer out. I'm kind of, I'm amazed they let anyone do this. Absolutely, the Mac is an infinitely, absolutely, the Mac is an infinitely more dangerous platform than iOS, massively more dangerous. So, but it's there. Sure, but we don't want iOS to be the Mac. I love to be notarized, right? Right, iOS is more closed and it remains more closed, because the Mac is not covered by the DMA in any way, shape, size or form. And the Mac is an open platform by nature that's been tightened up a little bit, but it's still way more open than iOS. Okay, so you think cutting it at a million downloads doesn't cut out small reputable developers that could have a leg up? I mean, to me that's the kind of company that would want to have an app available from a website, you know? But they could still do it on third-party marketplaces. If the only thing that's been cut off is this bypassing... They gotta pay somebody. And you know, that it just, this one little piece, that's the one piece that seems funny to me. And I understand it's flying and I'm not in charge of this, but it just seems, that one seems funny to me. It seems anti-competitive to me, to little companies. But anyway, keep coming. Yeah, yeah. The other interesting thing that happened is that Apple had to file their first compliance report, because if you're a gatekeeper, you have to file regular compliance reports. Now, the whole report is actually not public, but they have to give, like, an executive summary that is public.
And so the executive summary for their first report is out, and it gives an interesting little tidbit: by the fall of 2025, not 2024, by the fall of 2025, they will have published a tool to make it easier to migrate from iOS to other operating systems, which is basically Android. So they're going to offer a migration tool. So a migration assistant to Android by the fall of 2025. Interesting. Apple are obviously not the only people who are making, oh, actually, sorry, there's one more little related story here. Brave made a big press release to say that since Apple had to put up the browser choice ballot screen, our use has gone way up in Europe. It's like, well, maybe, but I don't know how long that'll last, but okay, good on you. You've gotten a few users. You don't, but it wasn't a few. It was a marked increase for Brave, I read. Yeah, but a small baseline is easy to make a big change on. I have a, anyway, they'll get no harm to them, right? It's nothing but a good thing. If it's surfacing, people didn't realize they could do it. I'm surprised. I mean, I would think everybody would go, no, no, no, no, no, we're Safari or we're Google. That's, I trust Google. I would think most people would. Yeah, and it's kind of interesting, because someone said, oh, it's because they're alphabetic, but actually, no, the order is random. So everyone gets presented their 12 browsers in a different order. So it's not just that B is top of the list, because someone said, oh, it's only just because they're B. And I asked someone with a B name who was always first to get, like, the injections and stuff in school for vaccinations. I hated having a B, but in this case, it is actually a random order. So that's not it. So there is something, whether it's recognition or whether people go, ooh, that sounds cool. Brave, I'm brave. I don't know what it is, but yeah, people are actually choosing them from a randomly ordered list. So there's something going on there. So good on them anyway.
Apple are, of course, not the only gatekeepers. We've got a little bit more information from Meta, because they are a gatekeeper of messaging apps, which iMessage was ruled not to be. So Apple don't have to do this, but Meta do have to provide interoperability to their messaging apps, which is something that you were hoping would come to Apple Messages. And they have released the rules for how another platform should interoperate with them. And the answer is, thou shalt adopt the Signal protocol and the other open source protocol called XMPP, which is a protocol for passing messages, which means you must have end-to-end encryption. And again, because the DMA forces both openness and security, Meta have permission to demand end-to-end encryption for anyone federating with them. Oh, okay. Okay. So Signal is an open source protocol. So this is good, I think. Yeah. What would be really cool is if Telegram ends up doing end-to-end encryption by default, because they want to interoperate with WhatsApp and Messenger. That would actually be fantastic. And it would be a really good outcome, because people are nervous about the fact that they roll their own algorithms. If they just flip over to using Signal behind the scenes, it's not gonna make any difference to the features of the app, right? Which encryption scheme they use. I am curious how, one of the things we talked about last week was that, or two weeks ago, was that you can turn on end-to-end encryption on messages inside Telegram, but they give you a big warning going, yeah, but you're not gonna be able to read these on your different devices. Yeah. And that's probably not true on other, right, but Signal must, right? Absolutely, Signal does it face, no, no. As in you're correct. Signal does not behave like this. Neither does Messenger, neither does WhatsApp, who all use the Signal protocol. Oh, but WhatsApp makes you log out of one and into the other every time you change.
And that's one of the things I just abhor about WhatsApp. That if I don't use my Mac, I have to disconnect it, I have to scan a code just to, when's the last time you did that? Because they had a big upgrade about six months ago without stopping true. Oh, okay. Well, that's less hate. I mean, it's still ugly and... So many features missing, but yeah, okay, that's good. That faffing about wasn't because they used the Signal protocol, it's because they hadn't fully embraced the Signal protocol. So WhatsApp had their own protocol, and because they had their own, it had some really weird things like that scanning the barcode carry-on. And they've been slowly migrating to Signal behind the scenes, but that migration took years. And while they were in that sort of weird, I don't know what mode they were in behind the scenes, because it's all under the hood and we don't really see it. Yeah, you still have to do that scan thing. That was so annoying. I basically decided that WhatsApp lives in my phone, only my phone and nowhere else but my phone, and that problem solved. But yeah, yeah, no, you're right about that. I may forget that. So if I complain about it again, I have officially recorded that I plan on forgetting that. Perfect. We went to visit our friends, Diane and Bill, and when I walked in and I took my bathroom and I hooked it on the back of the bathroom door, I said to my friend Diane, I said, I will be forgetting this. She said, okay, noted. And I was in the car when Steve came walking out with my bouncer that I forgot on the back of the door. I am nothing if not predictable. There we go. A very odd thing has come out. So all the gatekeepers have to have a browser choice screen. And Apple gave it to everyone who upgraded to iOS 17.4. So the first time you open Safari on iOS 17.4, you get the browser ballot. Google are also under the same law, and they are deciding to have a go at a different technique. They're only doing it on new devices.
I don't know if it'll fly, but they're having a go at only offering this choice to people when they get a new device in Europe. I'm very curious to see how this one shakes out, because, like, Apple have had to make a few changes. I'm suspicious this may not stand, but they're having a go. So we shall see. It's a bold move, Kat. Let's see how it works out for you. Exactly. And then I just want to give a tip of the hat and a link to a fantastic, very long article over on Ars Technica that goes through every one of the gatekeepers and everything they're doing to comply with the DMA. And that is, it's a long read, but it's actually kind of interesting. So if anyone wants to know more, that is linked in the show notes. We have also said many nice things in recent segments about the US Federal Trade Commission cracking down on online fraud. A lot of it focused on tax because of the time of year, but they were cracking down on all sorts of other fraud too. And they're still at it, they're continuing. They are now going after tech support scams. They have given a $26 million fine to two firms called Restoro and Reimage, because they were using scare tactics to basically lie to people to tell them their computers were broken. Just to give a little quote from the article: "Restoro and Reimage used online ads and pop-ups that impersonated Microsoft Windows pop-ups and system warnings saying that the consumers' computers were infected with malware, had various performance issues, and needed urgent attention to avoid harm." That's that. Well, apparently, yeah. Restoro and Reimage are probably not the only ones out there doing it, since Steve's father sent us a screenshot last week going, oh my God, what do I do? And I see a big X in the upper right instead of a red dot in the upper left. So you click that. Step away, step away. Yeah. So it's good to see someone getting their comeuppance. $26 million, that's not nothing.
Now, we have one deep dive, which is, it's not really worthy of a deep dive, but it gives me an excuse to explain a term we haven't explained before, which is a watering hole attack. So this is half a learning opportunity, and there is a real story here too that I do want to make sure people have the skinny on. And it's an opportunity for me to explain a change in terminology. So basically one third of this story is actually a security story and two thirds is other. So I wanted to talk about it anyway. So you may see the abbreviation A-I-T-M, capital A, small I, capital T, capital M. And that is the replacement for M-I-T-M, which used to stand for man in the middle. And man in the middle has fallen out of favor for two reasons: why is it gendered? And why do you assume the adversary in the middle is a human? Because in reality, most of the adversaries in the middle are software these days. So A-I-T-M is adversary in the middle. It's basically a body between you and where you think you're talking to. Why is it A-I if it's adversary? Adversary in, the I is for in. Oh geez, it looks like A-I in the middle to me, but yeah, okay. Yeah, so it used to be M-I-T-M, now it's A-I-T-M. So they only changed one letter to try and make this as unconfusing as possible. So if you see A-I-T-M, it's what you thought of as man in the middle, but it's now adversary in the middle, and a lot of it is software these days. So the T of the orbit is, if you are the owner of a Tesla, yay, you have a nice car. How did Tesla come into this? So this is a problem, there is a man in the middle, sorry, there is an adversary in the middle attack that allows someone who tricks a Tesla owner into connecting to a dodgy Wi-Fi network to add an extra car key to your Tesla silently. Okay, that's the context now. You hadn't said Tesla before, you just jumped into the middle bit, okay. Yeah, so that's the security, sorry.
So pay attention to the security right now, and then we'll get on to the other fun stuff again. So researchers discovered that, actually, there's a bit of backstory here. So when I first got my Tesla and I tried to add an iPhone, I had to be in the car to do it. I had to actually walk out of my house. Explain to normal humans, what do you mean add an iPhone? So you can have your phone be your car's key, which means that I always have my phone with me. So I have a magic car. When I am there, it is unlocked, and when I am not there, it is locked, and it's not magic, it's my phone, because it's always in my pocket. And so to set that up, you had to, in the past, sit in the car with your phone and then say, dear car, this is my phone, please be friends with this phone. Are you two friends now? Great, thank you very much. Which meant that if I wanted to give someone access to my car who wasn't here, let's say I needed my parents to move my car while I was away on holidays or something, I couldn't, because they would have to be in the car for me to let them in the car, it was a mess. So Tesla made it easier, and they basically went, you can now do it from anywhere. So I can use the app and just say, yeah, add my phone, please, as long as I'm authenticated on the phone. So they need my Tesla username and password. And if I do have multi-factor, let's just say that up front, they would also need my multi-factor code. What the attackers have discovered is that if you sit at a Tesla supercharger, put up a Wi-Fi network called Tesla and then you present a Tesla login screen. Tesla's multi-factor authentication still uses codes, which means it's not phishing-proof. So you're sitting on your, you're in a Tesla place. You're presented with a Wi-Fi network called Free Tesla Wi-Fi or something like that, whatever the name of Tesla's actual network is. And you get a captive portal login screen with the Tesla logo and everything.
So you enter your Tesla username and password to get this free Wi-Fi. And then they pop up the multi-factor authentication box. Well, if you type those three things in, anyone, anyone on Planet Earth for the next two to three minutes can add their phone to your car. Because they have your username, your password and your six digits for the multi-factor. How are they, anybody on the planet can get to what you're typing into a local Wi-Fi, dodgy Wi-Fi network? Okay, so the attackers, as long as they, so the attackers, the attackers could send that information anywhere, right? That's how these things work. What's the information there? The attackers have to be there, because they have to set up the Wi-Fi network. Yeah, but they could have set it up last week. And left a router? Left. I mean, you can buy them in a little pack, in a little pouch, about the size of a pack of cigarettes, you can get a little device that does them. They're used by security testers all over the place. You could just leave them anywhere. And plug them into power? Or just take my battery for a week. Oh no, these are very common. You can actually, they're available as a product for penetration testers. They're very common, unfortunately. They're banned in Canada because people use them to steal cars, but they're very, very common. They're so common they banned them in Canada. Okay, so somebody has to have gone to this Tesla supercharger, put one of these little devices there, and then they wait until they catch a fish. Catch a fish. And so the reason this is called a watering hole attack is because they're not going looking for Tesla owners. They're setting up in a place where Tesla owners will come. Where do Tesla owners go? To Tesla superchargers.
So that's why it's called a watering hole because you have predators on the savannah, like crocodiles and lions and things, who instead of going looking for things to eat, they just sit next to the water where everything comes to get water and then they have free dinner arrive for them. So it's the same attack. It's most commonly used against developers where you poison things like the node package manager, NPM repository, or Python's PyPI package repository. But in this case, it's a watering hole attack against Tesla owners. The security researchers suggest there are two very easy possible fixes. The first fix they recommend is to make you have to be in the car to pair your phone. Tesla are not going to do that. You mean to make the car be in the car, the phone be in the car? To make the phone be in the car to be able to pair the phone. And Tesla are not going to do that because that's the problem they were trying to solve. They're not going to go back and undo their work to make your life easier. The second one they suggest I think is a no-brainer. Have the car tell you it added a phone. Just the next time you get in the car, just have it say a car key was added, keep or remove. I mean, you get this all the time. Exactly, or you get this all the time when you set something new up in your Apple ID, you get an email straight away going, was that you? So if the car just told you, yeah, I've added a key, here's the button to undo. Like you know if you've added a key, that would solve it. And you'd still have all the convenience of being able to add the keys without having to be in the car. So I really hope that Tesla do this. It shouldn't be difficult. It's certainly not conceptually difficult. So my fingers crossed this is how Tesla's used to handle it. Either way, the takeaway here for Tesla owners is to be very careful that you only enter your Tesla login details on a network you know to be good. 
So cellular connectivity or with your VPN connected, but not just into a random public Wi-Fi. Because until there's something done about this, be careful. And that's the takeaway. And I've got to explain watering hole attacks and I've got to explain AITM which you are going to start seeing in more and more security headlines. Okay, so there we are. I like it. Okay, some action alerts. Apple have patched everything. So iOS 17.4 is famous for doing the Digital Markets Act thing. It also fixed two zero days in Safari. So even if you're not a European, patchy, patchy, patch patch. A few days after Apple patched iOS, they also patched macOS, watchOS, tvOS and HomePod OS and visionOS. All of which are full of software bug fixes and stuff and security vulnerabilities. So patchy, patchy, patch patch. We got out of easy finding for once that it was just going to be iOS and then like two days later, it's like, ah, come on. Yeah, and iOS was done on the day the DMA came into effect. So I think they just, they had no choice but to go early. And so they got that one out at the absolute latest they could and then everyone else followed a few days later. Microsoft have also given us a Patch Tuesday. Everyone's reporting it as a light Patch Tuesday because it had no zero days. It's now become a thing where it's a news story when there are no zero days in a security update. It used to be a news story when there was a zero day. Now it's a news story when there isn't. Either way, there are still 60 patches, including 18 remote code execution. So yeah, they're not zero days, but you know something. Now they're published. The baddies can see them. So patchy, patchy, patch patch. Hey, I interrupted your flow. You skipped over the GarageBand one. Oh Jesus, yeah, because it's such a weird one. Yeah, Apple have patched GarageBand because if you open a maliciously crafted GarageBand file, you can get remote code execution. So patchy, patchy, patch patch. 
And finally, if you are the owner of a QNAP network attached storage or NAS device, patchy, patchy, patch patch because there's an authentication bypass which is code word for no need for a username or password, you can just be an admin. Which is definitely not what you want on your NAS. On your home server. Yeah, exactly. So patchy, patchy, patch patch. Moving on to worthy warnings. The good folks over at AppleInsider made me aware of a default setting in X that I was not aware of. Elon thinks X is going to become the everything app and one of its everythings is voice calling. Unless you proactively turned it off. Everyone with a Twitter, sorry, an X account on Planet Earth can initiate a voice call with you at any time. Oh my gosh, are you kidding me? Oh yeah, they defaulted it to on. So I went in and turned it straight off. But everyone's defaulted it on. So that must be through the app or your account. If you're running the app on any device, it's under account settings. So I presume it's on the account level. You know, cause I only go to it through the, I have a set of tabs that are all private browsing tabs and I go in and I spam all of the networks and then I close them all at once and one of them is X, so I don't have it installed. Hypothetically, if they support voice calling on the web interface, for those few minutes you have those tabs open, someone could call you on your computer. But that's what I'm saying. Is it associated with your account or is it a setting in the app? Those are two different things. It's a setting in the app, but it's under the section called my account. So your guess is as good as mine. Okay. Either way, I turned it off. I was like, yeah. So thank you to AppleInsider for that one. We also have a good reminder from The Hacker News that just because someone sent you a calendar invite or something that says it's a Zoom call and they've given you a link and you click on the link and it has a Zoom icon, look up to the address bar. 
It may be a fake Zoom page with a fake Zoom download or a fake Skype page or a fake Google Meet page because in actual fact, there's a large campaign at the moment where malware is making fake Zoom, Skype and Google Meet pages. And when you download the app, you do get Zoom or Skype or whatever and it comes with a friend called malware. So check your address bar. Always check your address bar. See where you have landed. We talked a few weeks ago about 33 million French people which was something like a third of the country's population having been caught up in a data breach by two companies who managed basically the public health insurance in France. And that was like, oh wow, that is one of the biggest data breaches I've seen, like a third of a country. Well, try 43 million, also in France. This time, it's 20 years of the records from the state employment agency. So anyone who has ever been unemployed in France in the last 20 years is caught up in this and it includes the French version of your social security number. So everyone in France pretty much between those two data breaches, everyone in France needs to have their shields oh so high up. Oh wow. Yeah. And I've raised the bar on this section of the show notes so far but that was just like, I don't know where I was gonna draw the bar but that's the other side of the bar. So if we jump out to know the news then, I don't wanna talk about every possible WordPress hack because we'd be here forever but there's a new one that sort of caught my eye. It's kind of a WordPress worm. There's malware for WordPress. That one, when it gets into your WordPress because you haven't patched something, it uses JavaScript to attack other WordPress sites to spread itself. So technically speaking, it's the browser of every one of your visitors that's hacking other people but it kind of feels like a worm to me, right? It's self propagating through the internet on your WordPress site. 
So patchy, the real takeaway here, WordPress has a feature where you can turn on automatic updates for core WordPress. That's an easy one. I'm pretty sure that defaults to on these days. There's a separate toggle next to each and every plug-in you install saying that you allow this plug-in to also be automatically updated. Scroll down your list and go tick, tick, tick, tick, tick. And make sure they're all automatically updating. And then you'll be a lot safer. I did FD, I told you about that. Yeah. Yeah. A good reminder to us all, whether we're in France or not, shields up, folks. Keep your shields up, ever present vigilance in your best Mad-Eye Moody impression. The FBI have released a wee number just to let us know what's going on. So they are aware of reports that in 2023, U.S. citizens lost 12.5 billion with a B dollars to cyber criminals. This is only what's been reported because most cyber crime goes unreported. If you're curious, what type of cyber crime is successful? Business email compromise is right up on the list. And if you're wondering what that is, the attackers take over a mailbox in your company. They watch the email in an email thread and then they jump in. And they appear to be someone you're talking to and they appear to be in a conversation you're in and they drop in something like, and by the way, would you go and pick up some Amazon vouchers and email them to so-and-so or would you change the bank account number for that supplier to such-and-such or some other fraud thing. And they slip it into an existing email conversation inside your business. So they're in your company. Oh, okay. That's what I was looking for was how did they get in there in the first place? So basically someone, anyone in your company, their passwords are in a data breach or something and they get into that mailbox and now they get to look like they belong. So they send out emails to other people in your company as if they're one of you instead of an outsider. 
And then they trick you into basically defrauding yourself. Wow. And that is very common. Especially for large organizations, how many mailboxes does a big company have? Right, just takes one. So that's why that works. The other one is investment fraud. Basically, tricking you, a lot of this stuff is around cryptocurrency. Oh, make this investment. It'll pay back, great. Oh, thanks. We have your money. Toodlepip. That's the last you'll ever see of that money. Ransomware comes in third and then tech support scams. So yay to the FTC for cracking down on that one. If that makes it into the top four. Good. So yeah, keep ever present vigilance folks, ever present vigilance, even if the email appears to come from someone you know because people's passwords get breached. So, you know, don't change bank details of stuff, things like that. Be careful. The US House of Representatives has passed a bill which if it becomes law, would mean that ByteDance either sells TikTok or leaves the United States. Now, for those of you who don't know how the US government works, for a bill to become a law, you have to sing about it on something called Schoolhouse Rock and then it has to be passed by the House of Representatives, then the Senate and then the president signs it. So right now we are one for three. It has passed the House of Representatives. Biden has said if it gets to him, he will sign it. So you sort of got two of three. You got, we'll call it one and three quarters of three, shall we say? Because the Senate could amend the bill, stick a poison pill in it that means that suddenly the president goes, did I say I'd sign it? I think not. You've messed with it or something. So hypothetically, something could still come off the rails. But yeah, this is looking like it might happen. So I've done a lot of research on this. I first want to give a plug to Know a Little More. I'll find any excuse to plug Know a Little More. Such a great podcast. By Tom here. Indeed. 
So Tom, thank you for another great show about ByteDance. Know a Little More about ByteDance. So we hear lots of things about how ByteDance are a Chinese company. It's not that, it's really not that simple. It's a fabulous episode. I listened to it twice. And so, yeah, you'll know a lot more actually when you listen to it, not just a little more. You'll know a lot more. So hot tip there to Tom. There's a lot of episodes of his where I listened to it and I think I understand it. A few minutes later, I'm like, wait a minute, wait a minute. Do that one again. I think it was like mini and micro LEDs that I listened to three times and the one on what ARM actually is. That one took a couple of times. Oh yeah, that's complicated too. Now, Tom's shows are short and snappy and to the point. Less short and snappy, but nonetheless extremely good listening. If you really wanna dig into this story to really understand it, there's a BBC podcast that comes out once a week called The Real Story where they go really deep into one topic making the news. And it's an hour-long show and they get on true experts who have a reasoned discussion without shouting at each other. It's very unusual to have a reasoned discussion with people who disagree without shouting at each other online. But anyway, that's what you get from The Real Story. It's quite dry, but it's also always insightful. So if you really wanna deep dive into the actual arguments for and against this bill, then this is where you're gonna get the deep understanding of what is going on. And based on all of my listening and all of my reading, I have come to the opinion, which is currently a loosely held opinion that this law won't actually achieve anything. And the only thing it's going to do is make politicians look like they're doing something. Which is- This appears to be literally the only thing that is bipartisan as everybody seems to hate TikTok. But I don't hear them talking a lot about why. 
I mean, ooh, China's scary, sure. Right. But I was thinking that you might end up being able to tell us, yes, there is this big giant security hole of horribleness that has been uncovered, and this is why the United States government has banned TikTok from government phones or something like that. I figured there was just something I didn't know. I'm sorry to say no, basically, it's really, really, really hard to do something effective against the dangers of social media. It's very easy to go, ooh, go, ooh, go, China's scary. So this is the way to look like you're doing something about a real problem without doing the difficult thing of trying to solve a really difficult problem. So I'm afraid this is window dressing in my opinion. So there, that's my opinion. But as I say, those two podcasts will allow you to come to your own opinion. And I describe my opinion as loosely held. If someone gives me a good argument, I am prepared to change my mind on this. This is not a hill I will die on in any way. This is my current loosely held opinion, based on what I currently know. Google Chrome is getting a nice update at the end of the month. They are going to do real time checking of malicious websites because attackers have started to become really short term in their malicious URLs. So the malicious URL might only exist for, apparently I've seen as short as five or 10 minutes. So they will use a malicious URL for like a couple of minutes and then switch to another one. And so it's very, very difficult for that to percolate. So I did a little bit of reading. Apple don't say how they do things. So Apple just say, we protect you and they don't say how. So I have no idea how Safari works. It may be real time, it may not. I can tell you that Safari only updates every 30 minutes. What Google are doing is they're going to do a real time check. So the point in time you go visit this website, they will very quickly send the request to Google, is this one bad? 
Get an answer and then browse to the page. That sounds like a Coby's security nightmare. Google were very, very careful to say that they are protecting your privacy by using a protocol called Oblivious HTTP, which is the generic name for the technology Apple call Private Relay. You basically use two proxy servers so that there's no way to know both what you want and who you are. So one of the two proxy servers knows who you are but not what you want. And the other one knows what you want but not who you are. And so no one knows both of those pieces of information. Therefore it is safe for everyone's Chrome to be making this request. And Google haven't just said we're using Oblivious HTTP. They've actually been really specific in saying we are using Fastly's Oblivious HTTP service. So this is safe even though on the surface it sounds terrible. Wait, you mean Chrome phones home every single URL click? Yes, but. So actually this is fine. And then I wanna end on a happy story. Well, happy, a good news story. The US has done more sanctions against spyware. In this case, it is five corporations have been sanctioned. It is not the NSO Group, they're already sanctioned, but it's similar companies with different products. And so that's more of them knocked on the head. And I am very sorry to read that two of them are headquartered in Dublin. So I'm delighted they're blocked, but boo, why are you here? Go away. So anyway. I wanna back you up a little bit. Did you already say about Firefox doing it the double proxy sort of thing or fresh block list? No, so what I said was Firefox get updates every 30 minutes. They don't do it in real time. So they don't need to do. They don't need to do that thing because they pull not push. So basically your Firefox pulls the latest updates every 30 minutes. Okay, okay. I just wanna make sure you didn't skip over it. 
And back on the X and Twitter phone calls nonsense, PCMag says that if you only use a web browser to access Twitter, you better download the app and turn this off. Because it's not available in the interface. Yeah. Oh, that's brilliant. I went searching for it, couldn't find it in the interface and they answer the question. You have to download the app to turn it off. Wow. I don't know what else to say. We'll just leave it out. Wow. Okay, well, we're heading towards palate cleansing. We're taking a stop halfway to palate cleansing. This is the excellent explainers section. One of my favorite science podcasts is called The Naked Scientists. I have no idea where the name comes from. I think it's because it's science without dressing it up or something. I don't know why they're called what they are. Anyway, they are a former radio show that is now a podcast and they are aimed at a general audience and they cover any sort of science and technology topics and they have an entire episode dedicated to understanding cyber crime. And it is actually the single best explanation for human beings of the dangers in the world today. So it's a fun show, Naked Security. The episode is called Cyber Crimes in Cyber Times. That sounds fun to you, Bart. Honest to goodness, it's a good show. People will, obviously they're not gonna say, yeah, everything's great, but you will understand what's going on without being terrified with practical advice and it's pitched at regular folk. It's a good show. It's genuinely, I listened to the episode, I was skeptical and I was like, oh no, this is good. It's actually good. And then we do have genuine palate cleansers. I didn't do a poll. Is it just for me this week? I have three anyway, so it's fine. Yes. Okay, so they're all for me this week. Lots and lots of fun stuff. So two podcast recommendations. Allison has a cat called Ada, or Lovelace. You called it Ada, didn't you? Ada Lovelace, yeah. You called the cat Ada? Okay, both names. 
So Ada Lovelace was an actual human being who lived a very long time ago and despite the fact that she lived a very long time ago, she was the first computer programmer. She was also the daughter of Lord Byron. Fascinating character. If you'd like to know about her story, not from a computer science point of view, but just from who was Ada Lovelace? Well, the podcast Noble Blood tells her story. It's the story of her life. It mentions the computer stuff. It gives you an idea of how she got into it, how she met Charles Babbage, all that kind of stuff, but it's about her full life. Everything about her life. So if you're interested in Ada Lovelace, you may very well enjoy that half hour of listening from Noble Blood. And if you want a story, now, I love the Darknet Diaries podcast, but it's generally not Happy Happy Joy Joy. Now, I think you've mentioned before the YouTuber who scams the scammers back. He's a charming man from Ireland with a fantastic Northern Irish accent. The entire episode 143 is an interview with Jim, who is that podcaster. He tells his story. He explains what he does. He is such a fun person to listen to. I smiled from ear to ear for the entire episode, and it's St. Patrick's Day, and he's Irish. So ta-da, there you go. Have a listen. Great fun. And like I say, most of Darknet Diaries is pretty dark. That one is just pure fun. And then finally, I am a big fan of Glenn Fleishman. We regularly link to his work when he talks about cybersecurity and stuff or privacy. But he does other cool stuff. And one of the things he is fascinated by is everything to do with the printed medium. And he is working on a new book about cartoons, which obviously we think of, you know, the Funnies in the Sunday paper and so forth. And what is the history of that? And so he's working on a book. There's a GoFundMe page if you want to support his book. 
But he's written an article about why it is that even today, some of the absolute best artists still draw with watercolours and pencils on paper, and they also use all the modern tech. So basically they start physical, they scan, and they finish it off digital. It's a fascinating story. They do not want to do it all digital because it doesn't work for them. They need that contact with the paper and the ink and so forth. It's a really fun read, and it will give you a good appetite for his book, which you sense. I wonder whether there's been any sort of analysis by Glenn on the age of the people that he makes these statements about? Yes, yes there is. I can picture a lot of people, but are they 20? Yes, that includes people who started, yes, he literally are the young ones. So because that's actually one of the things he says is I was expecting to find that there will be an age difference between how people do this. And I was shocked to discover that it doesn't matter whether you're new, you've been at this for 20 years or whether you're starting out brand new, it still holds true, the desire to have the best of both. And so even the old fogies, they use the modern tech and the new ones use the old tech. Everyone does everything. They just combine the two together for the best of both worlds. That's a fun article. Very fun article. Both my niece and nephew are both artists and I'll have to ask them what they know. Yeah, I'll be most curious. But anyway, it's a fun read and I'm a huge Garfield fan and so forth. So it was nice. It was nice. A little bit of history and stuff on there too. So anyway, there are my palate cleansers. Hopefully that keeps you all entertained for two weeks. It does. That was a lot of fun, even though some of that was gloomy, but it'll be real interesting to see what happens with the DMA this week in the DMA. I think you could definitely set up a podcast for a couple of years. It wouldn't last long. 
But for the next six months, you're probably gonna have plenty of content and then it'll become a very boring show. Google rolls the dice this weekend. Indeed. Anyway, folks, the key takeaway message, as always, remember to always stay patched so you always stay secure. Well, that's gonna wind us up for this week. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or a suggestion or a review, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon. How do you do that? podfeet.com slash Mastodon. If you wanna listen to the podcast on YouTube or see the fantastic videos that Steve is making, you can go to podfeet.com slash YouTube. If you wanna join in the conversation, you can join our Slack community by going to podfeet.com slash Slack, or you can opt to meet all of the other lovely NosillaCastaways. You can support the show by going to podfeet.com slash Patreon or if you wanna do a one-time donation, that's always open too at podfeet.com slash PayPal. And if you wanna join in the fun of a live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.