 This 10th year of Daily Tech News Show is made possible by you! Yes, you, the listener right there, thanks to all of you, including Scott Hepburn, Jeff Wilkes, and Paley Glendale. Coming up on DTNS, Shannon Morse is here to talk about the difference between getting your multi-factor authentication from an app versus a physical key. Plus, Instagram might start a Mastodon server, and the bank that serves half of the U.S. tech world closed down. I'm sure it's fine though. It's fine. It's gonna be fine. This is the Daily Tech News for Friday the 10th of March 2023 in Los Angeles. I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. From Studio Colorado, I'm Shannon Morse. Drawing the top tech stories from Cleveland, I'm Len Peralta. And I'm the show's producer, Roger Chang. Happy Mario Day to those of you who celebrate. Oh yes, happy Mario Day to all. Yeah, it's a you. Mario Day. Chris Pratt. Oh gosh. Let's move on from that to the quick hits. Here we go. Apple analyst Ming-Chi Kuo reports that Apple plans to launch a redesigned HomePod in the first half of 2024 featuring a seven-inch display. So like an Echo Show, but from Apple. Kuo says that China's Tianma products would be hired to build the smart display. Sony rolled out Discord voice chat support for PlayStation 5 following Microsoft's Xbox, which got Discord support last fall. So now they both have it. Your move, Nintendo Switch. It's Mario Day. Come on. Speaking of Discord, it's launching an alpha test, not a beta test, an alpha test of using ChatGPT in Clyde the chatbot starting next week. Discord said the chatbot will be able to send GIFs to channels, create new chat threads and recommend music. It will not be able to draft messages. It will not be chatting with you using ChatGPT. Not yet. The test will roll out to a very small group of alpha testers. So not everybody's going to be using it either. Discord also began testing opt-in conversation summaries and a new version of AutoMod.
Ars Technica sources say that Apple and manufacturing partner Foxconn successfully convinced the Indian government to change labor laws in the state of Karnataka last month. This means that Karnataka will now allow 12-hour shifts; that's up from the previous limit of nine hours. This is similar to how the companies already operate in China, but of course Apple and Foxconn are trying to expand. Karnataka also eased rules on nighttime work for women and the new legislation caps maximum working hours at 45 hours per week, but also raised the number of allowable overtime hours to 145 over a three-month period, which is up from 75. Pretty significant. Everybody I know who's in the know has been telling me not to freak out about OpenAI's GPT-3. They say no, wait to freak out until GPT-4 gets here. GPT-4 is going to blow your mind. Well, we're going to, we're going to get our chance soon. Microsoft's Germany CTO Andreas Braun told folks at the AI in focus digital kickoff event, quote, we will introduce GPT-4 next week. We will have multimodal models that will offer completely different possibilities, for example, videos. Multimodal models can interact through text, images, sounds and videos, so you can do things like create a video from a text prompt. The model will also generate answers faster and make them sound more human. Braun did not say which Microsoft products might receive this update. WhatsApp head Will Cathcart said that Meta would stop offering the messaging app in the UK if it was forced to weaken its encryption due to the UK Online Safety Bill. As written, the bill doesn't require weakening encryption directly, but it does require companies to use accredited technology to scan all messages for child sexual abuse material. Signal president Meredith Whittaker previously said that Signal would also exit the UK market rather than undermine its end-to-end encryption. I mean, when Signal and WhatsApp agree, I'm just saying it's significant.
All right, bit of a complicated story here, folks. It probably, all jokes aside, probably won't affect you directly, but this is important background info to know when trying to understand the tech landscape. And it has a chance of impacting things well beyond tech. Silicon Valley Bank provides banking services to half of US venture-backed tech and life sciences companies. So even though this might not hurt you directly, it might affect a service or a product that is made by a company who banks at Silicon Valley Bank. Or at least they used to bank at Silicon Valley Bank. Rising interest rates, recession fears and a slowdown in IPOs caused a lot of startups to start to have to pull out money to pay for stuff. That meant SVB needed to get some cash to cover those withdrawals. If you've seen It's a Wonderful Life, you understand why that happens. So SVB sold some bonds to raise some instant cash, except it's a really bad time to sell bonds because of those rising interest rates that I just mentioned. So to make up for that shortfall when they sold the bonds, SVB decided it would sell some common stock. However, rumor was getting out about the shortfall and there was some lack of confidence in the bank. So the share price began to slide, which meant that they were having a hard time on Thursday getting investors to go on board. Why would I buy common stock at that price when it keeps going down? SVB shares fell more than 60% in pre-market trading by Friday. At the same time that's going on, you have a lot of advisors to startups out there going, you know, you might want to just withdraw your funds from SVB to protect them. And that's how you get bank runs. People start fearing the bank will run out of money, withdraw their deposits, causing the bank to run out of money.
SVB started to look at a sale that was reported early on Friday, but before that could even happen, the California Department of Financial Protection and Innovation stepped in and closed Silicon Valley Bank and put the U.S. Federal Deposit Insurance Corporation in charge, the FDIC. FDIC says it will reopen SVB branch locations Monday and start giving depositors access to their accounts. Now, FDIC insures deposits up to $250,000 per depositor. However, as The Verge notes, according to a recent 10-K filing, more than 90% of SVB's deposits were larger than that limit. SVB has a lot more than just $250,000 per deposit on hand so they can cover more than the minimum, but there's no definitive word on how these larger accounts are going to be impacted. They will get an advance dividend paid within the next week. But all this makes me wonder, how are startups going to pay for stuff? Because startups, especially with payroll coming up on March 15th, probably have a good chance of having more than $250,000 in expenses this week. I did sort of a crash course in finance this morning because the Silicon Valley Bank story has twisted and turned quite a bit over a very short period of time. My first question, because I know some folks who work in startup land, you don't have to be a startup to work with SVB, but they do, and I was like, why this bank? Why have so many tech startups decided to go with this bank over another bank? Is there some advantageous reason that I'm not understanding? I understand the bond thing, but you could do that with pretty much any bank, right? If you're in the sector. I was told that, well, it's been around since 1983. It is very startup friendly. There are a lot of perks that you might get. You might get some better rates for dealing with the bank. The bank may, I don't know, sponsor some cool trip where everybody gets a free plane ride to go to the space and talk more about banking. It's startup friendly. It speaks their language, sounds like.
Very much so. That said, as soon as things go south, people are like, ooh, okay. Goodness gracious. Now, the FDIC saying that insured deposits up to $250,000, they're safe. I've also heard from folks like, well, we have more than that in there. So what do we do now? And I think that's a little unclear, and that's where some of the panic has been coming in. So usually what happens in this kind of situation is the FDIC sells off the company. The most comparable second largest bank failure in U.S. history was in 2008. Washington Mutual was eventually sold to JPMorgan Chase, and those sale proceeds were used to make large depositors whole. It sounds like that's what they're going to do. They're going to use whatever funds are available to, and that's why they stepped in and shut things down so the losses didn't continue. They're going to use what funds are available to make startups whole as much as they can and hopefully keep them running, and then they'll probably sell Silicon Valley Bank to someone else and use those sale funds to pay out the larger depositors. But it's all up in the air right now. And most Wall Street analysts think that this is unlikely to spread to the broader banking system, but shares of a lot of midsize and regional banks have suffered on Friday. Sometimes that's just reputational stuff and it goes away by next week, but it kind of makes you nervous, right? Yeah, I mean, I have no skin in the game quite literally, but it makes me nervous, especially because this story has changed so much over a very short period of time where people were like, whoa, yesterday we heard the LPs saying we're good, SVB is good, everyone's going to figure it out, and then today it's like, yeah, whoops. Well, they were good. I mean, I buy that. I buy that they were good. Oh, yeah, I don't think it was a lie. This is one of those fast-changing situations where they didn't think this was going to be a problem.
It's the kind of problem that isn't a problem unless people believe it's a problem, and there was a lot of whispering behind the scenes that caused it to become a problem, because instead of, if no one had known, they would have sold those shares, they would have covered the bond shortage and everything would have been fine, but because everybody panicked and started withdrawing more deposits, that caused the shares to go down, and when the shares go down, they couldn't sell the shares to make up the money, and you just have a cascade. Like you say, it moved really fast. Indeed. It's a domino effect. The closest I've been to something like this is I worked at a bank in 2008, and when the recession was happening, I was watching consumers come into the bank and take out all the cash that they could from their accounts, and our safe was empty. We had to order more money from the FDIC, but luckily the FDIC covered it, and we were able to purchase more money to put in our safe to cover those withdrawals. The money's not here. Nobody that I saw had over 250K, and if they did as consumers, they were separating that money into different banks so that all of it was insured. You know, and Shannon, you probably know more about this than any of us having worked at a bank, but I think a lot of people don't realize it's like, my money's in the bank, my money is safe, right? My money is there, basically, somewhere, and it turns out not always the case. The way banks work, and this is not shady. The way banks work is they take your money and they loan it out to somebody else. So the money doesn't sit there, but as long as everybody doesn't need all their money at once, it works fine. Every bank works like that, and they have a certain amount of deposits on hand to cover a reasonable amount of increased demand. In fact, that's one of the rules that came along after 2008, is making that pile a little bigger to oversimplify things.
But if everybody starts coming in and wanting their deposits out, then you get this. This is unusual behavior, and then the bank goes, uh, whoops. Yeah, because everybody they loaned it to isn't going to pay their loan back immediately, so you've got a mismatch. All right, well, moving on. On Thursday, Moneycontrol sources say that Meta was working on an app codenamed P92 that would let folks use their Instagram login to access an app for text updates. Kinda sounds similar to Twitter or Mastodon. The app would support ActivityPub, the web standard used by Mastodon specifically. Meta confirmed the plan for a standalone decentralized social network to Moneycontrol and also Platformer, that's run by Casey Newton. Now back in December, TechDirt's Mike Masnick talked about ActivityPub needing its Gmail moment to catch on. When is the moment that we're all going to say, aha, this is the way? We've got Flipboard, we've got Mozilla, we've got Medium, all starting Mastodon instances, instances, and Tumblr and Flickr and now Meta are in the offing. So are we at the moment? Maybe. There won't be an actual moment. I don't think Mike Masnick thinks there will be like a moment. But there will be a moment when we realize that we've passed the moment, right? And if Instagram were to suddenly say we've got a Mastodon server, use your Instagram to log in, I mean, Shannon, don't you think a bunch of people would start using Mastodon that were not interested before? This actually makes it sound a lot more user friendly because people don't have to create brand new logins to be able to access this kind of information. So in a sense, I could see this being adopted a lot more faster now because people don't have to think about anything brand new. They could just log in with their Instagram login and be right there and ready to go. So yeah, it's very intriguing. As somebody who has watched Mastodon grow from like 2015, this is very intriguing.
It starts to make me wonder about Bluesky, and Bluesky uses a different protocol. They don't use ActivityPub. They use the AT Protocol because they think it's better. ActivityPub is to RSS what the AT Protocol is to Atom, if you know your feed lingo. But basically ActivityPub is just an older one that doesn't do a couple of things better. And so AT was designed to be like, oh, those things that are annoying with ActivityPub, we'll design this not to have those. So then the question becomes is Bluesky going to stay on that AT Protocol and be a competing platform and be interesting? Because everybody who talks about Bluesky thinks it's a really interesting Mastodon competitor. Is Bluesky going to go, bam, maybe we support ActivityPub after all? I'm very curious about that part of this too. I mean, the underlying technology is important. But I really wonder how we're going to be with all these companies trying this out, saying, let's see if we can get a community talking to each other using whatever platform we decide on. But it's sort of like an offshoot of the platform itself. If you're hanging out on Medium a lot, okay? Medium says, we're going to throw you a bone and you get access to a Mastodon server that is in a perfect world like the cooler one. That's the one that you wanted the whole time or you wouldn't be paying for Medium. And you got Tumblr, you got Flickr, you've got Meta. How do these all differ? I mean, Google's going to make one. Google's going to, mark my words. Everyone's going to try this. Make no mistake. And maybe does this in this sort of post order world, which we're not in yet, but does it make more sense for us to silo ourselves off and just kind of chat amongst ourselves in ways where we're like, we have common ground. I don't have common ground with most people on Twitter, but I'm just used to it. Maybe there's a new way to do that. But Mastodon doesn't silo you off. That's the beauty of it, right?
You can be on that cool Medium server if you think it's cool and still see every other Mastodon server. 100%. So you get the best of both worlds. 100%. And that's really interesting to see Meta start to realize, well, wait a minute. If we know Facebook is a dying business. If we're having a hard time keeping people on Instagram from TikTok, what if we give them something else that makes them want to stay and that thing is free and open and interoperable? I mean, that's how this kind of thing starts to happen. And I think it's very interesting to watch Twitter blow its lead. Right now Twitter, it's not that Instagram wants to bring down Twitter by starting something like this. It's not that Mozilla does. It's not that anyone really wants to bring down Twitter. It's that Twitter has ceded its ground. The reason Mastodon didn't take over before is everybody's like, yeah, but Twitter's great. Twitter not being as great has given this space for this to happen. Indeed. All right, folks, if you have a thought about that or anything else we talk about on the show, here is our email address. You can use your electronic mail provider to send us a message, much like a Mastodon address. You would type feedback at DailyTechNewsShow.com. Last week we talked to Rod Simmons about password managers and things to keep in mind when using them. One of the things we talked about was multi-factor authentication. Rod talked about all of the hardware authentication devices he has, like YubiKey. And after that episode, Kyle sent us an email asking, are physical dongles like the YubiKey for 2FA really better for security than a 2FA app? So with Shannon coming on the show, we thought, well, let's ask her. Shannon, what do you think? Yes, TL;DR, yes. The show is over. Bye, everybody. Thanks, everyone. Thank you for coming. Hold on. I do have one quick question. Why? Why are they there? Oh, man.
There are a lot of reasons, but I think the main one is just understanding that there have been a lot of attacks on 2-factor authentication in the past year. We have seen reports from Uber and Cloudflare, and most recently, I believe Reddit was attacked, and the attacker was able to steal their 2FA codes. So we know that there are ways that attackers can bypass 2-factor authentication. So how do you harden that for your own online accounts? And even though these attacks were hitting big companies with hundreds or thousands of employees, the same exact kind of attacks have been used against consumers. And we have often seen this even on YouTube, for YouTube channels. You could have one person who's running this YouTube channel at 500,000 subscribers, their 2FA code gets stolen in some way, and then a hacker is able to get in and steal their account and start posting live streams. So it's really important to understand why hardware keys are better since these attacks are happening more currently, more often in the past year. So it's not that the apps themselves are weak. It's not that Authy or Google Authenticator are weak. As I understand it, it's that because you have to type the code in, it gives an opportunity for someone to steal that code as you're typing it in. Is that right? Yes, 100%. So with hardware keys, all you have is one of these little keys. If you're watching on video, I have one in front of me right here. You plug this into your computer, you tap on a little gold piece of metal on the side of it to show that you're physically there, and then it lets you log in. That's magic. You don't have to type anything in. You just plug this thing in, or if you're using an NFC-enabled device, you just tap it on the back of your phone, and as soon as it registers that it's there, physically there, then it lets you log in. 
When you compare that to Google Authenticator or Authy or any of those, or even SMS texting, those require you to type in something that you see and something that you memorize real fast and then type it into the website as you're logging in. The 2FA code is one, two, three, four, five, six, so I have to memorize that and type it in, and then it lets me enter my account. The problem is if you are typing in something that you can physically see, anybody else could physically see it too. So if somebody is standing behind you and they happen to see your 2FA code and somehow maybe they're on the same network and they saw your username and password get wirelessly transmitted to a website, they could type in that 2FA code too on their own computer and be able to log in. Or if somebody makes you click on a link and that link just happens to look exactly like your banking website, but it turns out the domain is slightly off. They could copy that 2FA code when you type it in and put it into the legitimate website and get access to your bank account, assuming that your bank has 2FA turned on. So there are ways that attackers could bypass or just copy over your six-digit code even if your phone never got hacked, even if you never had your phone number SIM swapped or somebody stole your phone number and was able to download the same Authy or Google Authenticator app on their own phone and copy over those six-digit keys. They could still steal them on the internet as well. So I recommend people upgrade to a hardware key since there are no keys. They could still steal your key, but that becomes harder to do, right? None of these things are perfectly secure. SMS is out of your control. If they fooled the phone company into SIM swapping and giving them access to your text message account, you're done. There's nothing you can do about that.
Authy and the apps are better because they can't get them that way, but yeah, is somebody going to look over your shoulder and steal your code in 30 seconds? Probably not, but a keylogger could and do it automatically and do it really fast. And yes, somebody could steal your YubiKey and somehow have your login, but that's even harder. So to me, what you're talking about is the key isn't perfect, but it is the least likely to be compromised. Right, and websites aren't perfect too. And this is an argument I see often is people will say, well, the hardware key is working the same way when I plug it into X website. I'll use LastPass as an example. They still use a protocol, which has been in use for decades. It's called one-time passcodes or one-time codes. Sometimes these are time-based one-time codes. That's what you'll see in apps where it changes every minute. So you have to type it in within a minute. Sometimes you can plug in a hardware key and it uses that same protocol. So you plug it in and it gives you like a string of digits that you'll see written out and then it lets you log in automatically after you had plugged it in. That is a website issue, not necessarily the key issue. The key includes that protocol to make it more useful across all your different websites. So you can just use one key to log into all the things instead of an app. What you want to do and what I highly recommend is tell websites that you, like, have an account on to upgrade to something called FIDO2 or FIDO U2F. So that is a newer protocol that just does... It's kind of like a public-private key pair. It's like a handshake between the website and your key where they authenticate each other.
So if you plug in this key into your login and you're trying to log into a website, let's say the website is a fake one and you're trying to log in there, there's not going to be a handshake because the fake website doesn't know who your key is and the key doesn't recognize that fake website so it's going to give you an error. It's not going to let you log in and that's a sure way to tell that you're trying to log into a fake website. So in that sense, when you upgrade to FIDO2 or when a website upgrades to FIDO2, you end up with a much stronger way of noticing phishing or noticing somebody trying to spoof a website and get you to log in because you end up with that error and it doesn't allow you to log in. And as Rod mentioned last week, if you do rely on a key, make sure you have at least two of them in different locations. So in case you lose or break one, you're not left out in the cold. Yes, agreed. And that's a question I get often whenever I do videos about 2FA and hardware keys is do I need a different one for every single website? And no, you don't. I have 25 accounts on one of my 2FA keys. This is not the one. So if you find my house, if you steal this, it's not connected to anything. This is just my default key for reviews. So in that sense, you only need one key for all your accounts and then I highly recommend having backup keys for all your accounts too, just in case you damage or lose the original. Thank you so much, Shannon. Hopefully this helps Kyle and others kind of understand the benefits. Not that the apps are bad. It's just, you know, the safest thing is the key. It's all about, you know, what level of comfort you have with the risk involved. Well, speaking of levels of comfort, it turns out that people really like vinyl records. Sales of LPs just passed CDs. That's right, people, you heard me right. Vinyl is alive and well. In fact, the RIAA reports that revenue on vinyl sales increased for the 16th consecutive year in 2022.
The 16th consecutive year, up 17%. Vinyl revenue has been bigger than CDs for a few years now because it sells for a higher price, so that's part of it. But for the first time since 1987, vinyl albums, unit sales, passed CDs, 41 million LPs versus 33 million CDs. Overall, physical media accounted for 11% of U.S. recorded music revenues in the year. I feel like I need like a bookshelf to display my vinyl because I only have like a few of them and maybe I need more. I don't know, like I want it to be cool. They're so pretty. They're so pretty. They're so nice. I just bought my first two vinyls ever this year. Really? I need to find a record player because I have the record. I found a great technique. I've got the vinyl. Now I need a way to play them. I found a great Technics record player at Target one day when I was buying a record. You can get anything at Target. Yeah. To me, this story says everything, which is, yes, 88% of people are streaming the music. 11% are doing recorded physical media. But it's just nice. It's a nice thing. It's a luxury. Sure. But it's something that's pleasant and it's so much more pleasant to take an album out of a sleeve and put it down and put the needle on. And I like the warm sound. I don't even think it's superior sound, but I just like the style of it. There's the sound. There's something to the experience. And there's, you know, some of my friends who are, you know, kind of more committed to vinyl than I am say, this is the way that you listen to an album front to back. I mean, sure, you can do that other ways, but you're forced to do that this way. There's something in there. I know what that phrase means. Yes. Yes. This was before my time. No, it's great. I just bought an LP yesterday myself. I pre-ordered one. Yeah. I think this is not a which is better music or why are you doing that when you can stream? It's a matter of taste.
Well, and just a reminder that, you know, if you, if you're, you know, you're part of some sort of novelty slash, you know, like fun, I don't know, maybe even call it like a fringe movement. The vinyl one has really caught on. Yeah. It's not fringe anymore. No. At least not according to these numbers. Yeah. You CD people. You're fringe. Cassettes coming for your CDs. All right. Let's bring Len Peralta back in here. He has been busy illustrating today's show. What have you drawn for us today? Well, before I get into what I would, what I drew, I just have to, to chime in about the LPs. So I teach a graphic design class and the, the assignment, I just gave them this week. They have a couple of weeks to put together a gatefold vinyl album. Oh nice. That's a cool assignment. It is a super cool assignment. So they're doing that. They're doing lyric sheets. They're doing sleeves. They're doing everything. It's really, really cool. That's really happy news because I went and I checked my stock holdings and I do have some skin in the game and was very kind of upset about what I found when I opened it up. So I closed it very immediately, which led to this piece of art. Silicon Valley Bank is killing us. Well, not my people who are invested in it. Unfortunately. And you know what, Tom, what you said earlier in the show, it's hopefully we'll all straighten out next week. That's what I'm hoping, looking at my portfolio. I hope it does. Yeah. You know, but yeah, it's not a really great time. And hopefully there won't be an It's a Wonderful Life moment coming up. Or at least it ends happily like It's a Wonderful Life did. Yeah, right. You would hope. People at least are able to go on there. What is it with S acronyms, SBF, SVB? Like, I don't know. I don't know. Well, that image, by the way, is over at my Patreon, patreon.com forward slash Len. If you can back me at the DTNS lover level, you get it.
Or you can go the old fashioned way and purchase it from my store at lenperaltastore.com, which I am also taking commissions. So think about that as well. Well, Shannon Morse, also great to have you today, bringing the knowledge about 2FA and everything else. Let folks know where they can keep up with all that you do. So I'm about to hit 100,000 subscribers on YouTube. Thank you. Yeah. I'm so excited. Thank you for the applause. Thank you. Thank you. So if you want to support what I do, if you want to see more security and privacy-related content, check out my YouTube channel. Please subscribe and check out the newest videos. Please remember us when you pass 100,000. We knew her when. Well, thank you, Shannon, and thank you, Len. Also thanks to our brand new boss, Brian. Brian, you just started backing us on Patreon. Mere moments before we started recording the show, and we see you and we hear you and we thank you, Brian. And the audience gives you the same applause that Shannon got for 100,000 on YouTube, right? It's as big a deal for Brian. Brian, very generous, too generous. You're the best. Thank you so much, Brian. Also, patrons, stick around for the extended show, Good Day Internet. We're going to talk more with Shannon about how to choose a specific key. Do you need a YubiKey? We always say like YubiKey, but there are others out there. We're going to talk to her about that. Stick around, patrons, like Brian. You can also catch our show live Monday through Friday at 4 p.m. Eastern. I'm going to tell you, it's going to be 200 UTC when we come back on Monday. That's right. Because the U.S. in many places is going to daylight savings time. Find out more at DailyTechNewsShow.com. But no matter what time zone you're in, we'll be back on Monday with Chris Ashley joining us. Have a great weekend, everybody. Talk to you soon.
This week's episodes of Daily Tech News Show were created by the following people: host, producer and writer, Tom Merritt; host, producer and writer, Sarah Lane; executive producer and booker, Roger Chang; producer, writer and host, Rich Stroffolino; video producer and Twitch producer, Joe Kuntz; technical producer, Anthony Lemos; Spanish language host, writer and producer, Dan Campos; news host, writer and producer, Jen Cutter; science correspondent, Dr. Nicky Ackermanns; social media producer and moderator, Zoe Detterding. Our mods, Beatmaster, Delia Scottis-1, BioCow, Captain Kipper, Steve Guadarrama, Paul Rees, Matthew J. Stevens, a.k.a. Gadget Virtuoso, J.D. Galloway; mod and video hosting by Dan Christensen. Music and art provided by Martin Bell, Dan Lueders, Mustafa A., Acast and Len Peralta. Live art performed by Len Peralta. Acast ad support from Tatiana Matias, Patreon support from Dylan Harari. Contributors for this week's show include Nicole Lee, Scott Johnson, Justin Robert Young, Shannon Morse and Chris Christensen. And thanks to all our patrons who make the show possible. This show is part of the Frog Pants Network. Get more at frogpants.com. Diamond Club hopes you have enjoyed this program.