Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, December 11th, 2022, and this is show number 918. Well, before we get too far into the show, I have a couple of announcements. There will be no live show on Christmas Day. So we'll be here next week, but not on Christmas Day. Now we might do one on New Year's Day, depending on how things work out, because, as Sandy points out, maybe some people will be hung over, but most people are probably not doing anything on that Sunday night. Anyway, I'll announce this again next week, but I think you'll probably be able to remember that there won't be a live show on Christmas. I also want to remind you to send in your "I'm Still Using It" contributions. I have a fair number of them, but I'm nervous that it won't be enough to give us a full show for the Christmas Day show that I've got to do early. The idea of "I'm Still Using It" is to tell us a story about a piece of software or hardware that you're still using after a very long time. And why? Most importantly, why? A lot of people are sending me "I'm still using this," but I'd like the why. What is the thing you use it for? Otherwise I have to ask a follow-on question, so if you can just give it to me in one, that's even better. By the way, it could even be a podcast you're still listening to after many, many years. The way you can get yours read on the show is by sending me an email at allison@podfeet.com with the title "I'm Still Using It". Now getting the title right is important because I've got a smart folder, a smart mailbox, that shoves them all in there. And if you don't do it quite right, I might miss yours. Okay, here's the last announcement. If you get any free time over the holidays, I have another ask of you. On January 17th, Steve and I are off to Antarctica for a couple of weeks.
Bart and Allister have volunteered to hold down the fort in my absence, which means we are going to be needing listener reviews for the middle of January. If you get any cool gadgets as gifts over the holidays, or maybe you treat yourself to an app that you've had your eye on for a long time, anything you think is fun and nerdy would be great for the show. Allister and Bart are kind enough to do this so that our streak of coming up on 18 years without interruption can be maintained. I sure hope you'll think of a way to step in and help. Well, I had a lot of fun this week being a guest on the Clockwise podcast with hosts Mikah Sargent and Dan Moren, along with hosts, I'm sorry, with guest John Moltz. We talked about what we would ask OpenAI's ChatGPT and where those things might go wrong. We talked about Apple's new App Store price points and we talked about the never-ending Apple car rumors. My question for Clockwise was about time-consuming automations we've written and to both of our amusement, Mikah and I had the exact same silly automation, and we had both had them written for us by different people. Check out episode 480 of the Clockwise podcast at the link in the show notes, which are visible in your podcatcher of choice and are also available at podfeet.com. My latest tutorial is up on ScreenCastsOnline and it's about a terrific tool called TouchRetouch for iOS and iPadOS and the Mac. TouchRetouch does a fantastic job of removing unwanted objects in your images, even with your big fat fingers on an iPhone, and it's only $4 US on iOS. I've been using TouchRetouch for years and years, but I had no idea how capable it was until I researched the app fully to create the video tutorial for ScreenCastsOnline. I did review it for the podcast many years ago, but I learned so much more doing the video tutorial.
Now there's also a TouchRetouch app for the Mac which is more expensive and oddly somewhat less capable, but if you have an Apple Silicon Mac you can run the $4 iPad version and get all of the capabilities. In the tutorial I demonstrate the similarities and differences so you get to see it running on all platforms. Now I'm gonna give you my usual disclaimer. ScreenCastsOnline is a subscription podcast and magazine and it provides real training on how to use tools. There is a free seven-day trial where you can get access to the back catalog to see if it's a service you might like, but it's a dangerous trial because I can pretty much guarantee you'll find value in the tutorials from all of the different tutors, so don't even check it out if you're worried that you might like it. We actually have two Chit Chat Across the Ponds this week. On one of them, Chit Chat Across the Pond number 754, we're joined by developer Casey Liss of the Accidental Tech Podcast and creator of the iOS apps MaskerAid and Peek-a-View. I asked Casey to come on the show to talk about automation. In particular we talked about unnecessary or overly complex automations. Automations that mysteriously run but we can't remember how or why they're running. Automations we're really proud of, and finally, "darn it, these just make me happy" automations. It is a great conversation, it's a lot of fun, and if you haven't heard Casey Liss describe how he created an automation to know whether his garage door is open or not, you have got to listen to this episode of Chit Chat Across the Pond. You can of course find Chit Chat Across the Pond episode 754 with Casey Liss in your podcatcher of choice. For our second Chit Chat Across the Pond this week we have an installment of Programming By Stealth. In this episode Bart officially kicks off the XKPasswd JavaScript project. This is what we've been waiting for.
As I said to Bart at the end of our recording, we're no longer fixing to make a plan, we actually have a plan now. The show notes for this episode point to the README file for the official GitHub project. Bart explains in the podcast that we'll have a project skeleton phase where Bart will define the code that has to be ported from Perl to JavaScript, and then he'll build the guidelines that will help us work as a team of contributors. This means things like a style guide, automated scripts to build the project, and configuration files for all of the tooling. Now he has a vision that we're gonna work on the direct port next, with no enhancements during the direct port phase. I tried to get him to take a dollar bet on whether that goal will be achieved, but he did not fall for it. After that we'll go into maintenance mode, so those are the three phases. Anyway, this is a fun episode because we are finally moving forward after learning all of the tools we'll need to make this project a success. You can find Bart's show notes that point to the README at pbs.bartificer.net. Now at the end of that episode, or in the middle, the beginning, somewhere in that episode, I'm pretty sure I promised transcripts of that episode, and I don't know why, but the auto-generated transcripts I talked about last week did not work. I've got a note in to the developer of Auphonic and I'm hoping they'll help me still get that transcript, but I don't have it yet. That's one that would be really good to have a transcript for, because the show notes don't really speak to exactly what he talked about, but anyway, I'm still working on it. I was chatting with my buddy Niraj this week and he thanked me for putting him on distribution for emails whenever I wrote a blog post. I told him I never did that and I didn't have any idea how he was getting them. I asked him to send me one of the emails he gets, and from that I was able to figure out backwards how these little treats were coming to him.
At the bottom of every blog post I make, there's a comment box. Below the comment box are two checkboxes. The first says "Notify me of follow-up comments by email." This is handy if you make a comment and you wanna know if anybody responded to you. It only sends you emails if you give it your address, and only for that one post if someone else comments. But the second checkbox says, "Notify me of new posts by email." Apparently, Niraj had checked that somewhere along the line. So if you'd like to have hand-delivered notifications of all of my blog posts just like Niraj, check the "Notify me of new posts by email" box and your dreams will come true. You'll not only see all of the blog posts I create, but you'll also get Security Bits by Bart Busschots, and if other contributors write blog posts, like Allister often does, you'll get those as well. Now I should mention that you don't get the entire blog post in the email. You get the title and the excerpt and then a link to the website to read the rest. The funny part of this is that I had no idea I'd even enabled this feature. I have a plugin called Jetpack from the fine folks at WordPress.com that has a lot of features, and buried in all those settings I found that I had enabled this right in there. If it sounds fun to you, check the box, and if it gets tiresome after a while there's an unsubscribe link in every single email. I wish I'd realized I had done this when I was talking to Casey about automations that run and we don't know why; this would have been a good one to add to that list. Do you remember when you first heard about Twitter? Remember thinking it sounded silly and you didn't think it had any legs? Remember thinking the word "tweet" sounded idiotic? Do you remember finally joining Twitter and then being baffled by it, wondering why is everybody so excited about this? And remember wondering, well, wait, but who do I follow? How do I find people? This is so confusing.
I bet you're having those same concerns about Mastodon. If "tweet" sounded silly, how about "toot"? That's what it's called when you post on Mastodon. My goal in this story is to make Mastodon a bit less baffling, to offer a bit of advice on how to proceed on a few parts of it, and how to just have some fun. I'm having a really good time on Mastodon. It's fresh and new and people are especially interactive. I encourage you to go in and kick the tires a bit and see if it's a service that might make you happy. I don't know if it's gonna unseat Twitter in the end, but for right now, it's a very pleasant place to hang out and have some fun while we wait for the dust to settle on Twitter. As hard as it was to wrap our collective brains around Twitter, Mastodon does add a nice little extra layer of complexity. Before you can join Mastodon, you have to decide which instance you're going to join. Now, an instance is just a fancy name for a server. But get this, it doesn't matter which instance you join. Now, I say that for a couple of reasons. The most important of which is if you decide at any time you don't like the instance you're on, you can just move. When you move, you don't lose any followers and you don't lose the people you've chosen to follow. I accidentally created two accounts on different server instances over time, and I was able to freeze one of them and make it an alias to the other one. And that combined my followers and the people I was following on the two accounts all into one. No one was the wiser. No one knew that I moved servers or that I combined servers. So it's pretty easy to move. A little bit nerdy, but not too hard. Now, on Twitter, you follow specific people and you can look at things like trending or follow a hashtag. And you can do the exact same thing from all Mastodon servers because they're federated.
By federated, that means that while different people are managing all of these different servers, you can still find people and trending topics on all servers. If you wanna chat with a small group of people with a specialized interest, then choosing a server that specializes in that topic might make sense. But I think for most people, I'd suggest choosing a server with wide interests rather than specialized. Here's why I give that one caveat about not choosing a server that's too specialized. When I suggested to Steve that he might wanna look into Mastodon, we talked about what instance he should join. He's super into astronomy, so I suggested the instance astrodon.social. It's been great, but it actually put him into an odd position. While he really likes astronomy, he doesn't just like astronomy. If he wants to post about physics, well, that's probably still of interest to that community. But what if he wants to post a picture of how we restained our back fence, or of our dog Tesla looking goofy? Seems kind of out of place. Now, some servers have had to cut off adding people because the influx has been so massive, but don't be discouraged by that. You could try the server that Bart went on, which is mstdn.social, and I put a link in the show notes. Or you could try the geek-oriented one, hachyderm.io, or you could just go to joinmastodon.org, close your eyes and pick one. But remember, it doesn't matter if you change your mind later, you can just move. So what does it actually mean to be part of an instance? What does that have to do with who you follow? Stephen Goetz asked this very question and I think I came up with a good analogy to try to explain it. Let's say you and your cousin go to different high schools. You can talk to your cousin and find out what's going on in their lives, and they can tell you what their high school friends are doing, but you can't see everything going on in their high school.
You can, however, see everything that's going on in your own high school. On Mastodon, someone you're following is like your cousin in the other high school. It doesn't matter if you and I are on different instances, we can follow each other and we miss nothing. The people you follow can expose you to things going on on their server, like their high school, and you can see everything going on in your own server, your high school. I hope that analogy helped explain how you can be on different servers and still see toots by the other people. So let's say you've closed your eyes and blindly chosen an instance to join. Just like when you join Twitter, your first question is how to find people to follow, and especially, how do you find the people you are already following on Twitter? Because so many people are either abandoning Twitter altogether or at least hedging their bets by testing out Mastodon, something wonderful has happened. People have all started putting their Mastodon accounts into their Twitter profiles. Now, a full Mastodon name is @yourhandle@yourinstance. Or you can write it as your instance slash at your handle, like chaos.social/@podfeet. This all makes a lot more sense if you see it in writing, like on my website, but we're gonna make it even easier than that. Now, while it's great that people are putting their Mastodon handles into their profiles on Twitter, imagine how tedious it would be to comb through all of the people you follow on Twitter, going into their profiles and finding out whether or not they had put their Mastodon profile in there, their Mastodon link, I guess it is. Let's say you even had the patience to do that one time. What if the next day someone on your list adds their Mastodon info? Are you gonna comb through all of the people you follow every day to see whether they've added their Mastodon information? Of course not. And that's where the internet comes in to help again.
There's a fabulous tool at movetodon.org that solves this pesky problem. When you go to Movetodon, you'll be asked to give authorization to the tool to access both your Twitter and Mastodon accounts. This is exactly the same kind of step that you go through when you install a Twitter app. It has to have authority to allow it to pull the info from your accounts. Once you've authorized the tool, it will show you a very nicely formatted list of people it has found. You can see their avatar, their name, their Twitter account and their full Mastodon account. If you hover over this area, you'll even get a pop-up showing you their full bio. This will help you remember who they are and whether you still think they're interesting. You can also see when they joined Mastodon and how long they've been active on the service. But the important thing is that to the far right of each name it finds, you'll see a big purple Follow button to follow the person on Mastodon. If you've already followed them, the button will say Following. That's awesome. This makes it super easy to follow people, and you can just go back to the page and refresh it once in a while to find more folks. Now they also provide a Follow All button, but I recommend against this. Consider this like a nuke-and-pave opportunity. You're really starting fresh. So I suggest looking at each person you follow and questioning, do they actually give you joy? If they don't, just skip them and look for those who do. Now Bart said on Let's Talk Apple that he has really culled his Mastodon list down from what he was following on Twitter, and I've done the same. I'm not following angry people. I'm not following people who don't give me joy, and I think that's one of the reasons I'm enjoying Mastodon so much. So let's talk about a couple of basics of Mastodon. I mentioned earlier that instead of tweeting, you toot. Now some people are trying to change the word "toot" to "post". That's boring.
I think tooting is fun and I think it's gonna stick. When you retweet on Twitter, it means that you're exposing the clever tweet you saw to the people who follow you. On Mastodon, that action is called boosting. Right now, when so many new folks are looking for accounts to follow, boosting is super important on Mastodon. I follow April Menendez on Mastodon, I really recommend following her and her Mastodon link is in the show notes, and she follows a lot of great photographers. When she sees an image she likes, she boosts it. So now I see them in my feed and I can find photographers I might wanna follow. It's a chain of happiness. Now here's the interesting thing. On Twitter, you can quote tweet. So that's retweeting while also commenting. But on Mastodon, you can only boost or comment, not both at the same time. This was an intentional choice by the founder of Mastodon, Eugen Rochko. He felt that quote tweeting encouraged toxicity because your comment is targeted at your audience. It doesn't go to the person who created the original tweet. With comments, you have to talk directly to the person who wrote the toot, which he hopes will encourage more civilized behavior. I see his point, but I do find so many times I really wanna tell people why I'm boosting a toot. Why I think it's interesting or funny or what memory it surfaced. I can boost a toot, which is just fun to say. That's why I keep saying it. And I can make a comment, so I can do both. And that way I suppose my followers might still see the comment. Now there don't appear to be any great clients out there for Mastodon just yet. But Tapbots, the makers of Tweetbot, are hard at work on a Mastodon client called Ivory. I'm not in the public beta yet, but those on the private beta say it's pretty awesome. For now, I'm using Metatext on iOS and Mastonaut on the Mac. They're passable, but they seem to be missing some features, but you know, they're okay.
But before worrying about getting a dedicated client, I really suggest just logging into your instance via the web interface and you'll get a full-featured experience. I was originally confused by a few terms when I went into Mastodon, so I'd like to explain them. In all clients and the web interface, you'll see three options: Home, Local, and then a third one that's either called Public or Federated. Home is where you can see and read toots and boosts by the people you've followed. Think about it as essentially what you would see if you were using a third-party client for Twitter like Tweetbot; you just see the people you follow. Home is just like that. Local is everyone talking on your server instance. So for Steve on astrodon.social, that's awesome because it's all astronomy talk and it's relatively small. For me, on chaos.social, it's just completely random. It's just all kinds of topics from people I don't know, and a fair percentage of it is in languages I don't actually speak. So Local is kind of like your high school. You may or may not have anything in common with all of those people. If it's a large server, a large high school, the feed might be scrolling past really quickly and not be very interesting. Now Federated or Public, depending on which tool you're using, that's where you can see everyone on every instance talking. It's basically a rapidly flowing river of the conversation of the world. Now once I found enough people to follow on Movetodon, I've chosen to limit myself to just reading Home. It's chatty enough, but not too chatty, because I've carefully chosen who I'm gonna follow. In fact, it's pretty similar to my Twitter experience except with less anger. There's also a Notifications tab and it tells you when people follow you, star something you've tooted, or boost a toot of yours. If you're super popular, that can get a bit noisy, but if you're a regular person, that can be a happy place.
Now through the web interface, if you search for hashtags, you can follow them just as though they were people. I recommend #astronomy for the pretty pictures and maybe some science. The bottom line here is that there's still a lot I need to learn and want to learn about Mastodon, but I'm really enjoying myself. As I said to Bodie Grimm, get on over to Mastodon. It's like Twitter but way less cranky pants. I hope you'll come over and join us. You can find me at @podfeet@mastodon.social and, let's see, I asked Steve to give me his account and I'm gonna read it here. I'm vamping as I'm scrolling and it went past too far. Ah, here it is. He is @spsheridan@astrodon.social. I'm pretty sure if you just search for @spsheridan, there's probably not a lot of those, and if you find the one at astrodon.social, that's Steve. And if he moves to a different server, it won't matter; once you follow him, you'll be connected to him. I highly recommend following Steve. He's a very interesting person to follow. He has lots of varied interests and they're pretty cool stuff, and he's never cranky pants. Would you like to have ad-free versions of all of the shows from the Podfeet podcasts? Would you like to have free access to our Discord server for the live shows? Would you like to be able to chat anytime you like with other NosillaCastaways in our Slack? You can have all of this without paying a dime. There are no paywalls to have fun talking tech with the Podfeet podcasts. All of this is brought to you by the generous people who support the show by either giving a one-time donation at podfeet.com/paypal or becoming a patron at podfeet.com/patreon. If you appreciate having no paywalls to have fun with the shows, please consider becoming a supporter voluntarily. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How are we? Are we in a mess? Is everything wonderful? What are we looking at today, Bart? Do you own a Eufy camera? Yes.
If you do, then it's a mess. If you don't, you're fine. And it's not necessarily a mess. And I'll tell you why when we get to that. I will need a lot of convincing that it's not a mess, but I'm always open to being convinced, always. And that, can I guess? Is HomeKit the saviour? Well, let's tell them they don't need to do it. Don't need to do it. Okay, look at there very shortly. It's all ruined now. Anyway, it's the second item down anyway. We have follow-up items before we get into the main, we have two deep dives, by the way, just to tease ahead. The Eufy is a deep dive and then Apple provided a heckin' lot of news. So I'm really excited to hear that part. That's what I'm really looking forward to. I mean, if I'd been pushed for time, I would have just done the Apple story and nothing else. If it had been a case of Bart, you have to triage. The Apple one is definitely the biggest news of the last half year, if not the last full year. It could be the biggest news of all of 2022. Okay, anyway, some follow-ups. That will amuse us at least. Right, which is a fair few people. Yeah, yeah. So Twitter chaos continues. I think it's Thierry Breton. That's the EU commissioner you enjoy following on Mastodon, isn't it? Correct. That's why he had a meeting with Elon and made it quite clear to Elon that when the Digital Services Act comes into effect next year, Twitter cannot continue to not moderate like it currently is. He can't ban people on a whim. He can't allow people back on with a poll. He has to have actual, documented policies and procedures applied equally and fairly to all. So he has to apply it to himself, too? Yes, because he shouldn't be applying anything to anyone. His employees who follow a process should be doing it all. Yeah, go EU. I hope so. I don't want Twitter to die. I really don't. Me, too. Me, too. It just has to live well. Yes. It has to deserve our attention. Yes, that's it, exactly.
In related news, a fascinating interview by Kara Swisher of Twitter's former chief safety officer, who, credit to him, stuck with Musk for a couple of weeks and then eventually he was like, I'm out of here. And even in the interview, he is extremely levelheaded. This is not a revenge interview. There are times where he defends Musk and there are times when he does not. And I would kind of see that when he doesn't, he has a point, and when he does, he has a point. I actually found it was refreshing to see such nuance with Twitter. Interesting. What podcast is it on? I see the link, but I can't tell. On with Kara Swisher. That is the current name of her podcast. The feed has stayed the same, so you probably subscribed to it under a different name that I can't remember right now, but it changed its identity. I think she left The New York Times. Because I think she's independent now, I think. Anyway, fascinating interview. Very, very highly worth it. We also talked last time about, we thought that Apple would be introducing the 10-minute AirDrop time limit to everyone. We now know that it's coming as part of iOS 16.2. It is in the current betas. And specifically, it's a 10-minute limit on how long you can be open to everybody. It's not that you can only AirDrop for 10 minutes, it's that you just can't be wide open for more than 10. Yes, exactly. You can't be a universal receiver for more than 10 minutes. Which I think is a good change in spite of the circumstances under which Apple did this. Right. Like a stopped clock can be right twice a day. The fact that it's being done for dodgy reasons does not change the fact that it is actually the right thing. And if the feature had been invented today, it would have always been like this. It's just technical debt from a more innocent age that it ever came into being the way it is. OK. And in other good news, Google Chrome's passkey support has moved out of their, well, I say beta in the show notes. I believe they call it Canary.
Which is, it's a good name, I guess, for beta. They're cute. Does it die? No. Let it go into production. Anyway, passkeys have moved from Canary into the production branch of Google Chrome. So that is, again. That's great news. Bingo. So Safari and Chrome, is Edge? Firefox? Are they on board yet? Do you know? I don't know off the top of my head. If they are not actually on board, they are on the road. They are all well into their beta programs. If they are not actually switched over to production, they're very close. So we are very close to having all the browsers on board here, which is fantastic. That, again, makes it more, the incentive for websites to do their bit becomes much greater when the browsers are ready. Until the browsers are ready, every website owner who's a bit lazy can say, ah, yeah, but sure it's not on Edge yet, or ah, yeah. Although Google Chrome is by far the biggest one, right? Because if you don't include mobile, it is the biggest browser. And if you do include mobile, it's Safari, in which case the argument is the same. So it's fantastic. Yeah. Yeah. Good. OK. So our friends at Eufy, I have titled it, Eufy Destroy Their Credibility, which is the politest I can be, because I just find this whole thing quite the train wreck. But if you would like to follow it blow by blow, the links are below in the show notes. It is a twisty, turny tale with many, many confusing bits. And I think a part of the reason it's so confusing is because there were two different problems found. They were found by the same researcher. And so they tended to get conflated. And then there's a third underlying problem. So I'm just going to basically say what the problems were and where we stand with the problems and how Eufy responded. And I'm sort of going to leave all the rest to the listeners to go dig deeper if they would like to. So one of the things that was discovered is that, OK, so I should back up one sec.
So one of the things Eufy promises about their cameras is end-to-end encryption. And they promise you that the data is only available to you and to no one else, which is a big deal for a security camera. I have started to slowly allow some smart stuff into my house. I have not dared let a camera into my house yet. When I do, it will be using that Secure Video feature in HomeKit. But I'm sort of waiting for Thread stuff. Actually, no, I'm waiting for Thread and Matter support to come out. Universe, I just want to live in a world where everything is Thread and Matter. We're nearly there. I can see it. Anyway, that's neither here nor there. So the promise is full end-to-end encryption. And so one of the problems discovered is that if you set your notification settings a certain way, then thumbnails of your videos will be sent up to Eufy's cloud unencrypted. And that's not really in keeping with "we won't send anything to the cloud." Previously, it was done silently. Now it is done with an explicit warning from Eufy that if you choose these settings, you will be uploading stuff to the cloud. So basically, it was done without consent. Now it's done with consent. Well, but you can still do things and set your settings and not have the thumbnails go up. Correct. So if you see the thumbnails in your notifications, those are coming from the cloud. So you need to change your settings so that when you get a notification from your camera, there are no thumbnails in it. And you've done it right. So that one, you know, that wasn't initially transparent, a gun held to their head. They've done the right thing there. Correct. And I'm not going to lose a lot of sleep. I'm not going to lose a lot of sleep with thumbnails. OK, hypothetically, your thumbnail could show something you don't want to show, but in the grand scheme of things. But it's going to get worse, isn't it? Unfortunately, it is going to get worse. So the really big clanger was the unencrypted video streams.
So in a world where there is actual end-to-end encryption, the only thing moving between your camera and your phone should be encrypted garbage. And it should be encrypted gibberish at every single step along the way, because otherwise the encryption is not end-to-end. So no matter how catastrophically wrong security goes en route, the only thing compromisable should be gibberish. And yet, a security researcher found that for every Eufy camera that is set up in the normal Eufy way, there exists a really weird-looking URL that will give you a live feed, an unencrypted live feed, from the camera. That literally should be impossible if the promise was true. Right. Now, the URL is not like eufy.com slash Allison's camera slash. It is an obfuscated URL. So it is a big load of gibberish. Unfortunately, the gibberish is actually calculable gibberish, which is the third major flaw. The gibberish is based on the serial number. Now, a serial number is permanent, unchangeable, not secret. To use something unchangeable that is not a secret in any sort of security control is the world's biggest red light. Your security should absolutely be ingesting secrets, keys, passwords. Your security should not be based on something that is not a secret and not immutable. Sorry, it should be mutable and a secret. So a serial number is not treated as sensitive data. So unsurprisingly, the security researcher found that the serial number is in various API calls, so the serial number can be determined. Now, Eufy have tweaked the APIs to remove the current places that happen to leak the serial number that we have discovered. But because it's not a secret, it is just a matter of figuring out another place it leaked, because the developers would never have been trying to hide it, because a serial number is not a secret. The other thing is, if you sell a camera, the serial number stays with it forever.
So it is impossible to buy a secondhand Eufy camera safely because the previous owner could know the serial number that you cannot change and that is vital to the building of these secret URLs. And while what Eufy have responded by making the secret URL harder to find, they still exist and they still work. So even now, the feeds, if you can figure out the URL, still work. So there is a fundamental design flaw here. To have used the serial number as a security control is fundamentally flawed. And the only way to fix that is a complete re-architecting of all of the cloud infrastructure, which I'll save your powder for a moment. So that is at a technological level the three problems. The first one is like, yeah, OK. So you should have put a warning in these settings. OK, yeah, whatever. The unencrypted video stream is head exploding. It means that the end to end encryption is like cake. It's a lie. The definition of end to end is it's not unencrypted anywhere in between. How can this URL exist? And then you have the fundamental flaw of using a serial number as a secret to try to hide things. That's just fundamentally wrong as well. And then we come to the bit that really makes me lose confidence is how Eufy responded to the security researcher. They started off with categorical denials that were proved false. They were then followed up by unwarranted downplaying of the issue. And finally, with technical changes to hide rather than fix the problem. I love Anker, Anker-owned Eufy. I adore my Soundcore headphones. I just feel really, really ick. Because I like Anker. And this is bad. So you've said impossible to buy a second-hand camera from Eufy camera and have it secure. And that's not a true statement because. And I'm going to talk into, you spoiled all of my excitement here, but I'm going to do it anyway as though you didn't. If you pay for iCloud Plus, and that means pay anything more than zero, you can use HomeKit Secure Video. 
And HomeKit Secure Video allows you to store all of your videos in iCloud, which makes them available to you within HomeKit. And if you do that, it is not going to the servers from Eufy. You've separated it. You do lose something. You can only do 720p. That's a requirement by Apple. You lose the 1080p or HD. And I was, I actually toggled going to, I want to do it or do I not. I really like having high-quality cameras. It's why I bought high-quality cameras. But in the end, I chose iCloud Secure Video. And I'm happy about that. You also have to make sure that the model of Eufy Cam you buy supports HomeKit. They do not all support HomeKit. So I'm adding a link to the show notes that will show you how to set up HomeKit Secure Video. This is from Eufy. It tells you how to do it. And also a link to what you have to do in paying for iCloud, how much storage. What's real interesting is that the HomeKit Secure Video doesn't add to your storage. So you're putting up gobs of videos, but you can be paying the littlest amount. Which is why they limit you to 720p? Sure. But still, that's a lot of video. That's a lot of video. So I'm going to put up a link for that so you can see what the requirements are. Yeah. Now, all of that is true. I'm putting it down as solution. If you have Eufy Cams. I'm not saying it's a solution that says you should buy them. If you do that, do you still have the Eufy app? How do you, do you still use the Eufy app to configure the cameras? There are configurations you can do, like geofencing and things like that. So the Eufy app is still in the equation. I think it's still. I don't know for a fact that it's changing it. My concern remains that if the security of this video streaming was so fundamentally broken, can we trust the security of the app? Whatever idiotic mistakes have they made? I don't know that there's anything else wrong. I don't feel confident that there isn't. It's just one of those you've shaken my faith here. 
Like I say, I have so many years of liking Anker. It's their response that disappoints me because everyone makes mistakes. Everyone does dumb things. And I believe they bought in another company. So this may have come in as technical debt. So the actual problems could be acquired rather than created. But the response, that's today. That's not technical debt. The response is now. And that you don't like it. It's also important to remember that Anker is a Chinese-owned company. I know that always has me a little nervous anyway, although they make me nice stuff. It's sort of like this social media problem. I'm running out of social media platforms. I'm quitting them right and left and they keep lighting on fire and I have to leave them. And so there's a point. I did throw out all of my indoor Wyze cams after they screwed up. And so I got rid of them and I replaced them with Eufy cams. And I am not in a position to, I don't want to throw them all away again. And HomeKit Secure Video makes me feel comfortable. I'm okay with it. So for now, Allison, I think you, basically what you're doing now to me is that we know anything worse. Right, exactly. So for now, there are no known issues with your setup. So you have a very, very different question to someone who has no cameras and is thinking, what should I buy? Because. Well, who do you buy? That I don't know yet. But at the moment, I would be very reluctant to buy from Eufy. But if I had a Eufy, I would do exactly what you've just done. That would be exactly my response. Cause I'm not going to throw the camera away unless I know it's broken. But if something more comes out, if there is another shoe hanging, when the second shoe drops, I probably would leave because if there's two, there's probably more than two. But for now, if I were you, I would do exactly what you've done. Yeah, the nice thing about having HomeKit is you can do your automations and things according to it too. HomeKit is just nice. 
Well, your HomeKit, let's be fair though. Your HomeKit automations will fail randomly and you'll have to recreate them all. Just let's be clear. Let's not pretend they're going to keep working. But when they do work, they're really cool. I think they're really cool. I'm going to actually have an interesting experience because the biggest automation I have is my Christmas decorations. I say jingle bells to turn them on and humbug to turn them off. I remember that from last year, yeah. And I now have a whole new wireless network and all of those smart plugs are in the attic along with the Christmas decorations. So they have no idea their whole universe has changed. So when I plug those Meross plugs back in, I have no idea what's going to happen. Oh, that'll be fun. Hot tip, remember to turn your VPN off. Okay. Every single time we set up new, I actually put a sticker on my switches. Now when I put them away, that says turn off VPN because the first thing you have to do is you have to connect to their network. Your VPN kicks in because it's never seen this network and it doesn't trust it and it shouldn't. And then you sit there going, what is wrong with this piece of poop? Every single time, every single time we do this, we go through it. So. Thank you. And the reason I bring up HomeKit falling over in a heap is that Sandy posted that one day, all of her HomeKit automations failed and she had to rebuild them all from scratch. And then a couple of days later, it happened to us. And then it happened, I want to say it happened to Alistair but Alistair's stuff is always falling over in a hoop, and then I was talking to my consurgent and he said all of his fell over in a heap. So he says he heard something did fall over in a heap at Apple on that. As I understand this, under the hood, there is a gigantic rewrite happening at the moment in preparation for Matter. And so I think it's quite plausible that that gigantic rewrite had a whoopsie. Yeah. It sounds like it. 
We also have an automation that we don't know how it's happening at all. Like it's not in there, but it's working perfectly. And Steve thinks that we might have done it in the Hue app, but the Hue app no longer allows you to create the automations in there. So there's an automation running that we can't edit, can't change, but it works. So there's no UI anymore, but it's still in the brain. And it's working. Talk about screen reaction. Yeah, but imagine you wanted to stop it. Yeah, but imagine you wanted to stop it. Nope. Yeah, anyway. So anyway, deep dive number the second. This one is fun. This is mostly fun. I have one bit of neutral news. It's not the good news or bad news. It is a thing. And I will end with a big question on this. Okay, good. About why it won't work, but let's go. Okay. So the big thing is we have three new announcements that we're gonna dig into in detail. And Apple had a great big press release but three big new announcements. And then they didn't do a press release. They released a statement to a select number of websites saying, and by the way, that controversial CSAM thing we were talking about that we had paused. Yeah, that's it. That's not happening anymore. So that's kind of interesting in this story because the reason we all thought they were doing that, so what they were going to do was at the point in time when a photograph was flagged for uploading to iCloud, Apple were going to on your phone between deciding it was going on and actually leaving your phone. They were going to take a fingerprint of the photograph and then compare that fingerprint to fingerprints of known child abuse imagery and look for matches on your phone and then send it off to the cloud. Which meant that in the future they could encrypt it as it went up to the cloud because they'd already done the checking on your phone. And people were very, very, very concerned with the concept of your phone working against you. 
Your phone messing with your photos, not in the cloud but on your phone and people got very upset about it. And in the end, Apple were forced to park the idea and I think I had said at the time, I don't think this is ever coming back when they parked it. Well, it's gone. They have abandoned it, it is gone. Which makes it all the more surprising, they went ahead with the features we're going to talk about now. So the first feature is the one that in some ways has me the most interested. Well, no, not the most. Yeah, that's just doom and order. I went with the order they were in Apple's press release because I was too lazy to rearrange them and to decide which was cooler. So I just put them in that order. So the first feature we have is called iMessage Contact Key Verification. And this is the one that takes the most explaining. So we're gonna spend most of our time here. So the most substantial genuine security-based criticism you can make of Apple's messaging system is that while it does good end-to-end encryption using public key cryptography, the fundamental flaw is the wrong word but the weakness is that Apple manage the keys and they don't show their work. So you have to trust that Apple have safely and correctly shared your public key with everyone else who's in a conversation with you. So remembering the way public and private keys work, right? So let's say we're in a group chat myself, yourself and Alistair. So the way it works in Apple's system is that you send the message to the group. That message is encrypted twice. Once with my public key, which means only I can read the message and once with Alistair's public key so only he can read the message. And that is true end-to-end encryption. It was encrypted before it left your device with separate encryption to me and to Alistair and the only place it gets decrypted is on my phone and on Alistair's phone. 
If I have a phone and a Mac and an iPad, you actually got three public keys for me and you encrypted the message three times for me. If Alistair has a Mac and an iPhone, that's two, you've actually encrypted the message five times with five public keys. Okay. It's perfect end-to-end encryption. Now, if you had to manage those keys, if we had to manage those keys, I think we'd go nuts. So quite sensibly, Apple manage the keys. But it has long been the case that we trust that Apple do not add an extra key. If they added just one more key to the set of keys, then that could be the public key that matches the FBI's private key. And then they would be end-to-end encrypted in our secret conversation. And it wouldn't break end-to-end encryption, but there will be an extra person eavesdropping. The phrase in the media was ghost keys. And because Apple doesn't show you the keys, you can't go into iMessage and say, show me who is in this conversation in terms of keys. It's just gonna say Bart and Alistair and under the hood it has three keys for me and two keys for Alistair. So the other way to do this, to make it way more secure, would be to allow us to manage our own keys. There is actually an app that does it that way. It's called Threema and they have a triple color code system. If they do the key management for you, the conversation is colored in red to say you're trusting us. If you and I have exchanged a key by sending it to each other through another channel or by scanning a QR code straight off each other's phones, our conversation turns green because we have definitely proven each other's keys. And if I have verified your key and if you have verified Alistair's key, then Alistair goes yellow for me because I have an indirect connection to Alistair. Very, very secure. Did we talk about this once before? We did. It was one of the chat services uses Threema, right? Threema is a chat service. Oh, oh, sorry, okay, okay. It's an alternative to Signal, WhatsApp, et cetera. 
Leo Laporte loves Threema. So you get this color code of traffic light system so you know how confident you are in the key. I took care of it, the app took care of it or it went only through my friends. Give you the red and the green on the two ends and the orange in the middle before it went through my friends. And that is very, very secure. And if I were a journalist working with sources or something, I would definitely like that level of control. But why is Threema not popular? Cause it's a giant pain in the hoop. Think it's just, it's just effort. And that's why it didn't take off. Now there is another approach you can take which is the approach taken by Signal, which is I would argue equally as secure. Signal manages all the keys entirely automatically just like iMessage does. But in Signal, you can view the keys. And it doesn't just tell you all the keys that exist which is mildly useful. It represents the keys as pictures. So you have a direct mapping between the keys' bits and the picture. And if I look at the picture on my phone for our conversation and you look at the picture and they are the same, then we are using the same key. And so we can verify by say, standing together and looking going, oh great, our keys match, super. Or we can have a FaceTime and show each other our keys. As long as we know that those two pictures are the same by any means we trust, right? It's up to us to figure out how we decided to, say we could email each other the screenshots. We could do whatever we wanted. As long as we know those two pictures are the same, we know for sure that forever more, unless the key changes in which case Signal will tell us the key has changed, we can communicate safely. So that means it's all automatic but if you need to prove it's true, you can prove it's true. That's what Apple have done. So they're gonna keep managing the keys but if you want to prove it, they are going to provide the interface to prove it. So it's about trust. 
Yeah, the trust has been removed. We don't have to blindly trust. We can now verify. Verify. Trust but verify. Precisely. So no loss of functionality, no loss of convenience and for 99.99% of people, we are never even going to bother our backsides with the verification because it's perfectly fine for us to trust Apple. But if you are someone who is particularly at risk of being targeted, well, you can verify. Without this feature, you can't. Now, you can. That is fantastic because you don't have to trust Apple. And if Apple are caught once with their pants down, well, we'll know that will be headline news. So all the rest of us can continue to just use the app. So I think this is fantastic, best of both worlds. All of the convenience and we're not blindly trusting anymore. Super. Now I never worried about it before but I knew about it. But now I don't need to, I definitely don't need to worry about it because I'm not in a position to probably be terribly worried. But that's good. Good. And the reason I wasn't too stressed about this was because of how heavily they fought the San Bernardino case. That sort of told me they probably wouldn't secretly add a key. But it was a trust, right? That was me trusting. I was happy with the trust. So that's the first most complicated feature. The second feature then is very straightforward. If you believe that your Apple ID is in danger of being targeted, you can configure two factor authentication so that it will only authenticate you with a hardware authentication token. The press release is sparse on detail. I am almost certain this is the FIDO standard because I can't imagine in 2022 coming on 2023 there was anything but FIDO still in use out there because it is the standard and Apple are a member of the FIDO Alliance. So I'm almost certain this means FIDO keys which could be a YubiKey or a Google key, whatever. 
Okay, so you would be adding, still get your six digit token from your authenticator app and you would still have a username and a password and now you'd have a hardware key? No, so you would replace the weaker two factor authentication with the stronger two factor authentication. So username and password. We already described it was both but it wouldn't make sense to have both because then it could fall back to it. Right, but the press release is two paragraphs. My reading of those two paragraphs is that you replace your two factor auth with basically the two factor auth must be a hardware token. Well, it makes more sense because when I was listening to somebody say that I thought, well, that's kind of weird because then that attack factor would still exist. Exactly, exactly. Yeah, absolutely. So this is, because right now today you have support for a hardware token because Apple support the FIDO standard. So you could add a token for your convenience but this feature is saying the only way anyone ever gets into my account is with a hardware token. So if I worked for the government or something I would want my Apple ID secured with something verifiable. And the great thing with a hardware token is like you don't know you've lost your password because someone else having it doesn't deprive you of it but a physical token exists in one place unless there's been some sort of quantum tunneling going on. So a physical token exists in one place. So if someone else gets it you lose it so you know it's gone, which is not true of a password. That's a really big difference between hardware and software tokens. So it's just, I'm not gonna use it because that's an awful lot of hassle but it's good that it exists. So yeah, nice one. And then we get to the third feature which I am almost certainly going to use. And I would say this is the biggest deal because of its implications. So at the moment there is a sort of a two-tier system within iCloud. 
So Apple use SSL to encrypt all of our traffic as it moves between our device and iCloud. So it is encrypted in motion. Apple encrypt all of their hard drives in their data centers so it's encrypted at rest. But Apple have and securely store a copy of the key so that if you forget your password you can go onto Apple's website and go jump through a whole bunch of hoops which if you lose your things far enough means you have to send them a copy of your passport to get back in. But they can let you back in because they do have a copy of the encryption keys. If they have a copy of the encryption keys they can help you recover your account. And they can be forced to recover your account on behalf of law enforcement and they can be done through a FISA court in which case there is nothing told to you about it because that is how the FISA legislation works, they can be forced to hand it over secretly. Now that is true of almost all of your iCloud data with two very notable exceptions: your health data and your iCloud Keychain. Those are genuinely end to end encrypted. So if you lose your iCloud password and you go through the hoops to get a reset you will get everything back except your health data and your passwords because Apple do not have the keys. There's true end to end encryption, the key is in the Secure Enclave on your devices. And so there is a different key for each of your devices, a bit like with the example of the chat, it's multiply encrypted and the keys are physically in your devices. So your device is what has access and that's where the end to end encryption is and what's stored in the cloud is encrypted gibberish which means they can't hand it over. What Apple are offering starting, it's in beta now, actually I should have said the first, the first of those features is, what did I say, is available quote in 2023. So the iMessage contact verification is in 2023 so take that for what it's worth. 
The secure keys is early 2023 which sounds nearer and this last feature is already in beta in the US and is rolling out to everyone else in early 2023. So what Apple are changing is that you can have this level that we currently have for our passwords and our health data for everything except for I think it's Contacts, Mail and Calendar which is because mail is done through the SMTP protocol which is insecurable really. It's just, it's a pre-security protocol. It's a postcard. It's a postcard exactly. And calendars use CalDAV and stuff so there's all these protocols for office apps that are meant for interaction with each other and stuff. You can't end to end encrypt your groupware. It's just those protocols are just so old that they are not secure or bully. You would have to, basically you'd have to use Slack or Teams to get secure groupware because the old protocols are old protocols. They can't be retrofitted. It's like, you know, no amount of putting, you can't put a catalytic converter on Fred Flintstone's car. There's nowhere for it to go. Okay. Keep putting everything apart from- Well, you could. It doesn't do anything. I was gonna say, it's some sort of, I mean, it's got a precious metal so maybe it's an ornament. But yeah, so basically everything apart from those legacy contacts, email, calendar, everything else in your iCloud would be end to end encrypted. So what you get is no way that Apple can share your stuff with themselves or with anyone. No seriousness of data breach in Apple could ever expose your data. And if you lose your access, you are hosed. It is gone. So you have just taken responsibility for not losing all of your Apple devices simultaneously and or actually and simultaneously forgetting your password. As long as you have a device or a password, it should be recoverable. But if you have no devices and you've forgotten your password, the data has become noise. It isn't- No, I thought, correct me on this. 
I thought if you had assigned a, if you have a designated contact. If you have a legacy contact and the key exists somewhere else, so assuming they haven't locked themselves out, then you could get out of that way. That is true. Cause what you're actually doing is you're entrusting someone you trust with a copy of the key. So at the moment Apple have the key and your trusted person has the key. So if you stop Apple having the key, I think, although it doesn't say in the press really, so it seems sensible to me that if you do that, they would also have the key because that's the whole point of the feature. But I haven't seen that confirmed, but I think the answer is yes. Logically it should be yes. I think that's what I heard. Two problems here. Number one, you have to be capable of running Ventura and iOS 16. Right, because this is gonna be a whole new brain. Which means if you have a machine, if you have a machine that cannot run Ventura, like my Spare MacBook Pro, you can't do this. Now I don't understand why it's restricted to an OS level. I mean, I guess it's in the OS. This is a core OS feature that is being added to only the newest OS. This is an additional capability that is really limited to Windows. So that really limits, that really limits it, now here's another situation. Steve can't go to it either, even though every device he has is capable of running the latest OS. You know why? No. We have a shared library. Oh, that, okay. Shared photo library. So if he's in, well, I don't know what would happen. It's possible I would be locked out of my photos. Or else that library would be exempted from the encryption because there's a second copy for you, right? You're sharing, which means there's some sort of. Yeah, who knows? Who knows? That's an edge case that gets interesting, but it could be common, right? 
If somebody's got an older iPhone that can't go to iOS 16, they're still running iOS 15, and they're in a family shared library, everybody else goes forward, you can't do it. We shall see, they're the kind of details that will fall out before this thing goes into production. So that is one to keep an eye on. Yeah, so don't get too excited. Don't switch. If you're planning on sharing photos with anybody, I wouldn't switch. Certainly not until there's more clarity. This is not a feature where I want to be in the early adopters group. So the way I look at this, right, is I was talking about this recently in work with my security hat on. It's almost impossible to take security and project it backwards in time. What you do is you simply say that from this point forward, everything you will have this new feature. And so by Apple saying everything from Ventura on will support this, what you're doing is you don't have the feature now, but it is on the way to everyone and it will arrive at for different people depending on their upgrade cycle at a different rate. And to me, that's perfectly fine to project forward. Just stop making the problem. Just draw a line in the sand and move forward and say from here on out, this is now available. So I, yeah, slowly, slowly catch you monkey on this one because if they mess this up, just imagine there's a catastrophic bug in this. Right, this one, this has to be done carefully. So I'm not sorry, this is slowly, slowly catch you monkey. And I also don't want them to backport it because it's never gonna get the same level of TLC to backport into code no one's looked at in a year and a half. Well, you say that because all of your devices can run the latest OS. No. After you sell the one in the closet to Bren. No, no, ah, yes, but I also have my work hat and my MacBook adorable, I do not believe can go and I do love my MacBook. That's not logged into your, that's not logged into your personal iCloud account, is it? Yes, it is. Oh. 
It's logged into both, I have, I keep two accounts on my machine so that when I'm traveling for work or something, I use Apple's account switching to move between work me and not work me. So it's the same laptop, but when I'm in the hotel in the evening, I'm on personal me and that's my iCloud has come down and all of my stuff. And then when I'm in work work, it's the other Apple ID, it's the other account and Apple ID I use. So yeah, it is actually logged in. And it is adorable and Apple do not yet make, even though they have these amazing M series chips and they could make that form factor again and it could make it amazing. Doesn't exist yet. Come on, Apple. Blow the dust off that design, stick the M2 in it. You'll have my money straight away. I'll just hand it over. Oh, such a great form factor. Okay. Man, 10 to eight. Okay. So yeah, big news, right? That is big changes here from Apple, I think. So I am excited. Oh yeah. I will be excited when I can play. I'm just happy at the announcement, right? This is a roadmap. This is what, it's a bit like WWDC. You don't get it straight away, but you know what's coming. And this is a nice roadmap. But it's pretty soon. Early 2023 is in 19, wait, I'm bad at subtraction. No, 19, yeah, 19 days. There's 31 days, right? December's a long one. Okay, 20. I think it might be 20 days, yeah. Okay. Three weeks. That's right, Dr. Three weeks. That's not far in the future. Early 2023 is right around the corner. So, but yeah, I'll be sitting back and watching this one until I can figure out some spare MacBook Pro or MacBook I need to buy. Yeah, well, I think round about next summer Apple will rob a round about next summer Apple might give an excuse to replace that last machine. Yeah, just. No, it's hard to, I don't regret the decision, but I normally give away my oldest machine to Lindsay, but it was such a great machine that I couldn't see having it sit in the closet. 
So I actually gave away my, I gave her my next oldest one and now I have my oldest oldest one. So it's a 2016 MacBook Pro. It's a great machine though. It has a place in your heart to be like my MacBook Adorable that is after being 18 years old there. Well, no, it's essential to, if something happens to this computer and I can continue to work. It's not emotional. No, why did you pick that one? Well, not the newer one, right? You have to have a machine, but. Because Lindsay is precious to me, not because of the machine. I gave Lindsay the 2019, because it was only two years old at the time. Okay, sorry, I've misunderstood. I thought you'd kept the older one because you liked the older one better, but you actually like your daughter better, which is I think quite good. Yes, okay. Right. Okay, so moving us on to regular service and resumes. Wait, really quickly, did you say that the FBI is deeply concerned about Apple's new security protections? I did not. I think I implied it, but you're dead right. That is shock and or horror. They released a press statement. Yeah, deeply concerned is their quote from their short press. I love them, but sorry. You can't have this one. They wear two hats. It's their job to protect people and to spy on people. And their two hats are completely in conflict because this will make FBI agents safer and this will make FBI agents' work more difficult and it may be the same physical human being who both benefits and loses at the same time. Yeah. So that's a difficult one. Anyway, yeah, so that's where we are. Okay, regular service, action alerts. This, you can't make this up. First story, Chrome fixes eighth zero day of 2022, Edge as well. Number nine, Chrome fixes another 2022 zero day, Edge patched too. That both happened in the last two weeks. It was like one a week since we last recorded. So patchy, patchy, patch, patch. Although to be honest with Chrome, it's turned it off and turned it on again. And it won't fix it out. Is that a lot? 
People seem alarmed. Is it? Okay. For zero days, like for bugs, that's not a lot. But for zero days, that's a lot. Like, I think Safari may have had like one or two this year. And, you know, small numbers, rounding errors, but nine, we're approaching the wrong order of magnitude here. It's, yeah, there's something going on with some quality issues in their code base. I'm guessing some sort of technical debt to be paid down. Not sure why, but that is unusual. It is unusual. And then Apple have released a security update, iOS 16.1.2. The security notes don't tell us anything about what they fixed. Apart from it has some security fixes. And it also apparently tweaks crash detection. So it may not go off while you're skiing quite as much. Cause that's the thing at the moment. We had fun with that on Let's Talk Apple. And the good thing is the emergency services are telling people, yes, it causes false alarms. No, do not turn it off. Yeah. I mean, falling while skiing can very much fit in that category of you really do want emergency services. Yeah. But I think it was not falling. I think it was just skiing. I think some people may be skiing a bit roughly. Okay. And I know sound plays into it. So I think as you're, I think you end up, the noises may sound car crashy as you're hooping up. You're throwing yourself off a mountain with sticks on your feet. It is a rough thing. Moving on to worthy warnings then. So the first one is getting some serious finger wagging from me, cause this is a really subtle thing Google have done here. So up until now, Google Maps was on its own domain, maps.google.com, which meant that if it asked you for a location ability and you said yes, it was maps.google.com got your permission. They have moved it to be part of google.com. So if you say yes to Google Maps, you have just said yes to all of Google's websites because they're all on the google.com domain. So you cannot say maps can have my location. Nothing else can. It's one permission. 
Seriously? Seriously. By wrapping it into the one domain. That is the worst thing I've ever heard. Oh, it made me so cranky. Oh my gosh. And given that they just sent it into a consent decree. Either Maps doesn't know where you are or everything knows where you are. So cranky. So yeah, Apple Maps. To be honest, Apple Maps have been sending me less wrong, less often. So I've sort of been using it more. But now I'm really sure that's what I'm doing. So with that out of the way, there was an issue in Twitter's API in January. And we knew data had leaked, but it had been kept secret. The bad guys hadn't shared it publicly. Well, 5.4 million records have never shared publicly. It's mostly just scraping of your public data. But it also includes your privately configured email address and the telephone number you use for multi-factor authentication. So a little bit of a data leak there for the 5.4 million people. Now there's way more than 5.4 million Twitter users. So we're not all caught up in this, but that's still a lot of people. It's a lot of people. And again, it's a million, not billion. So compared to Yahoo, a drop in the ocean. We always go back to that one, right? We do. LastPass then have yet again very proactively and very, you know, all out in public. They have said that we have detected another hack. Someone used information stolen in the August hack to get back in. We're still investigating the full details, but we can guarantee you they have not gotten your end-to-end encrypted passwords. We will update you when we know more. So there is another shoe to drop. It may be that contact details have leaked or something. We literally have no idea and they haven't told us yet, but we do know the most important thing, your passwords are still safe and they're being very proactive about communicating. So I have full faith that they will tell us what happened when they know. And they're having those.
I was listening to the SMR podcast and Rob Dunwood was really upset by this, mostly because it just feels like they're repeatedly screwing up. I felt that they were fairly connected, that it was, you know, it was the second shoe in the same story dropping. Explicitly, they actually say in their release that information taken in August was used to get back in through a third-party system that they use. Like their actual press release lays it out, so this is not me joining the dots. LastPass have joined the dots explicitly. This is the same reason. So it didn't seem to make things worse. No, no. And the fact that they're continuing to communicate. So they could have very easily said nothing until they knew everything. Most companies would. The fact that they're continuing their approach of being open does the opposite of making me more worried. It makes me less worried. This is what I, this is how you earn trust. So yeah, I'm not, I don't use LastPass because I prefer the UI on 1Password. But if I did, this wouldn't change anything. Good, good. Yeah. And then we have a listener-supported story which, at the point in time the listener posted it to podfeet.com/slack, it was a purely bad news story. So, you know, the way with two-factor authentication, you're supposed to do your username and your password and they're supposed to match. And then you're supposed to do the second factor. Well, Disney tried to roll out 2FA for their Disney Vacation Club. But when they rolled out their 2FA, they were failing to check the username and password. So you could literally say username and the password Boogity Boo. And as long as you passed the two-factor off, they'd let you in. So the entire security collapsed down to like a three-digit code or whatever, or a six-digit code, whatever number of digits they gave. And that's not a second factor. That's replacing one factor with another, and arguably not that strong a factor.
So they have rolled back their changes and will try again in a few months' time. Good. By the way, this was from Mike Price. So thank you for sharing, Mike. You'll be glad to hear that. At the time, when Mike posted it, the story was this is broken. And now the story is we've rolled it back because we know it's broken. We unbroke it. Good. Unbroke it, yeah. Then we have notable news. Just one thing, to be honest, that caught my eye here. Digital car keys are becoming more of a thing. So I think it's important that Google added some features to their Pixel phones that allow a digital car key as implemented by, I think, BMW and one or two companies. You can share the key between iPhones and Pixel phones. So that means that you can be a family with a mix of Pixel phones and iPhones and share your digital car key. I presume this is a precursor to the same feature coming to Android in general as opposed to just Pixels. Probably only to Androids that have secure enclaves. There's probably gonna be some caveats on that for genuine security reasons. But I think this is good because as we move towards this kind of a keyless future, this becomes important. So I thought that was good news. And then excellent explainers. Yet again, yet another tip of the hat to Tom Merritt. Why not have Tom explain passkeys to you? Yes, Tom, that was perfect. That was a great episode of Know a Little More. I knew, arguably I knew it all, but it was so fun to hear it laid out so well that I felt 100% confident in sharing that clip to anyone who asked me about passkeys. And that says a lot. Right, exactly, so it was perfect. For me, it was just great to have it additive. I need to hear these things several times. I'll probably go back and listen to it a third time or a second time. Well, hopefully he does that cool thing where he updates stuff as news changes because I think that's a great way to remind myself when he does an updated version. Oh yeah, yeah. That's why I cared about Wi-Fi 5 and Wi-Fi 6.
Thanks, Tom. So. Okay, well, that then brings us on to palate cleansing. There's two from you. So do you want to do one and then I'll do my one and then we can jump back to you? Yeah, sure. I've been finding a lot of great content for astronomy on Mastodon. I started following, well, you follow NASA, of course, but a bunch of astronomers; you can follow a hashtag. So I follow the hashtag astronomy and just the pictures of everything coming back. One of them was an amazing gallery of images of Jupiter, but these are photos taken by the Juno probe and they're just spectacular. It's of Jupiter and its moons. Those are really, really good. So it's a link to NASA there. But the really funny one to watch now is, there's a satellite called ESA's Mars Express orbiter that's been going around Mars that I didn't know. I didn't even know it was there. But anyway, it's pointing at Mars and it's got this video. It's looking at Mars and all of a sudden the moon Phobos goes right in front of the screen and it's huge because it's really close. So it's just sort of like, you know, you're just going, oh, there's Mars, there's Mars. Whoa, what is that? It's really, it's a very surprising one. I got that one from Mastodon too. So that was pretty fun. Yeah, no, that is cool. And you know, it's nice to see those Europeans managed to do some space stuff. Well, actually we have pretty good rockets too, now that I think about it. But yeah, it's cool to have a European mission. Yeah. My theme is the same as your theme. It is now a thing where we have rovers and stuff taking selfies. I think one of the first, the Mars rovers started the trend and I was listening to a podcast interview just this week with one of the scientists who proposed the selfies from the Mars rovers. Actually, it was the people who made the documentary Good Night Oppy, which I haven't watched yet, but it's on my list. Oh, I was going to recommend it to you. Yeah, it's just so, if I can interrupt really quick.
It's about Opportunity. The rover Opportunity is the subject of it. Yeah. And one of the scientists who's featured in the documentary was interviewed on one of the science podcasts I listen to. I listen to far too many to remember which one. And it was such a fun interview. And one of the things that came up was the subject of proposing to a bunch of scientists that we should do a selfie. And they're like, well, what's the scientific value? And much to her surprise, the reception from the scientists was, oh, yeah, that's cool. By the way, it's on Amazon Prime. Good Night Oppy. And so now that's a thing where rovers and things we send into space take selfies. So America, with the help of Europe, I discovered we are partners on Artemis, which is cool, has sent a rocket around the moon, preparing the way for human beings to go back to the moon. And while on the far side of the moon, Artemis-1 took a selfie, which has Artemis-1 in the foreground with its giant big NASA logo very prominently displayed, the moon in the, I guess we'll call it the mid-ground, and the little marble, the blue marble planet Earth sitting in the background. So our spaceship, the moon and us all in the one selfie. Very good. I love it. So it's like when you have to hold your arm up real high and kind of at an angle to get everybody in the shot. It is, and it's a very wide-angle lens because there's very obvious distortion in the bit of Artemis-1 we can see. So it's obviously a wide-angle camera stuck out in the room, but it's still so cool to see the three together like that. The pictures from Artemis were just tingly all over and it splashed down right before we started recording. Oh, cool. It's come safely back to Earth. Well, its job was to prove that it was ready to take people. So it went up safely, went all the way around the moon safely and came back safely. Yay. No, no explody bits. Yeah. The best kind. The best kind? Excellent, excellent.
I look forward to, I look forward to celebrating the first woman on the moon ever. Yeah. Yeah. Me too, me too. Just one last little tidbit. I just learned that Japan is gonna send a non, non-space-oriented or a privately owned rover to the moon. And they took off with a little test flight today on a Falcon 9. And it just went into a low Earth orbit, a stable low Earth orbit, but went up on a Falcon 9 today. And Canada's involved. I forget what Canada's doing. Canada's part of it. And so is Japan. The only thing I know is that Canada made the arm for the International Space Station because of the Canadarm with a joint big red maple leaf was just, it was always in trouble marketing of all time. When we went to the Johnson Space Center in Houston, we got to go and do a simulated 747 that had the shuttle on top. I'm sorry, it was a simulated shuttle. It was a real 747. They didn't, Houston didn't get one of the shuttles. And but they had the Canadarm in there. So I took a picture for Steve, and so. Excellent. Yeah, that was masterful, masterful marketing, the Canadarm. So, you know, with the amount of publicity, you'd think that the arm was more important than the space station or the shuttle itself; it's more memorable. You remember that and the fact that Hubble needed contact lenses because my very own company didn't grind the mirror quite right. Well, they exactly ground it to the wrong spec. It's, they're perfectly wrong. Exactly. All right. We've probably been going on long enough, but I had fun. I learned a lot. This is, this was excellent, Bart. Excellent. Well, do we meet again before the holidays in this, in this venue? We do one more before the end of the year. One more for the end of the year. In that case, folks, enjoy the run-up. Hopefully you're winding down, relaxing, and we will talk to you soon. And until then remember to stay patched so you stay secure.
Well, in theory, there will be a transcript of this episode, including Security Bits, so you can read all of the lively discussion we had there. I suppose you just heard it. Anyway, I hope it works. Like I said, I'm having a problem with the one of the Chit Chat one. So anyway, in any case, that is going to wind us up for this week. Did you know you can email me at allison@podfeet.com? Do you know what you're going to email me? You're going to email me with the title "I'm Still Using It" and tell me a story about something you're still using and why, and start working on those reviews for Alistair and Bart. They're really going to need those. If you have a question or suggestion, you can also send those on over. You can follow me on Twitter. I'm not tweeting very much. So maybe you want to just jump on over to Mastodon where you can read everything I do at @podfeet@chaos.social. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. You might be noticing a pattern here. Everything good starts with podfeet.com. You can support the show at podfeet.com/patreon or with a one-time donation at podfeet.com/paypal. And if you want to join in the fun of the live show, where next week will be the last 2022 live show, head on over to podfeet.com/live on Sunday nights at 5 p.m. Pacific time. Enjoy the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.