Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, March 31st, 2024, and this is show number 986. Well, before we dig in, I wanna let everyone know there will not be a live show next Sunday, April 7th. We're gonna be traveling to Texas to see this total solar eclipse, along with, what, 12 to 18 million of our closest friends. All right, don't worry about the show though, it's gonna come out early, on Wednesday. Let me repeat, for those who weren't listening, no live show on April 7th.

In our previous episode of Programming By Stealth, Bart Busschots taught us how to create lookup tables with jq from JSON data using the from_entries command. Just when we have that conquered, this time he teaches us how to do the exact opposite: disassemble lookup tables. I think it was a really fun lesson because taking data apart, reassembling it the way you want it and then putting it back together again is a great way to really understand what we're doing with jq. I got much more comfortable as I started to recognize the patterns in what Bart was doing. We also get to play with the new data set, the Have I Been Pwned data gathered by Troy Hunt. If you're a data nerd, and I mean really, oh, who amongst us isn't, you'll love this episode too. You can find Bart's fabulous tutorial show notes for this episode and all of the other ones at pbs.bartificer.net and of course you can find Programming By Stealth in your podcatcher of choice.

This week I'm pleased to tell you that I've created the third in a series of ScreenCastsOnline tutorials filled with tiny Mac tips. If you're new to the Mac or even a seasoned user, it's always helpful to learn more ways to become a master of macOS. In this third series of Tiny Mac Tips, I use playful and interesting examples to teach you how to master the Mac.
Even if you are a seasoned Mac user, you're sure to learn new tips, and the ones that maybe you'd forgotten about you're gonna remember because you saw it here, or the ones you already knew, you can say, "I knew that." In this tutorial, I teach how to add keyboard shortcuts to menu items that don't already have them, how to do super advanced Spotlight searches, how to paste and match style, how to browse versions of a file and bring back that elusive Save As option, how to control which apps open specified file types, how to change and copy icons for files and apps, how to collapse and expand all in list view, and some easy keyboard shortcuts for Finder views. I do wanna tell you that ScreenCastsOnline is a really terrific tutorial service focused on software for Apple products and operating systems. You can get a free seven-day trial over at screencastsonline.com where you can watch my tutorial and all of the current Mac catalog.

I started listening to the Double Tap podcast recently, hosted by Steven Scott and Shaun Preece. It's a podcast about blind accessibility and it's fantastic. The two gentlemen, and they would suggest I'm using that term loosely, have simply fabulous voices. Steven is from Scotland and Shaun is from the UK and I am such a sucker for those accents. I also really like the show because there's a warmth in the way they approach the world along with lots of good-natured ribbing and self-deprecation. On a recent episode, I heard them mention CSUN's assistive tech conference and so I wrote to them before the conference introducing myself, telling them how I talk about accessibility on a mainstream show and asking them if there were maybe any interviews they'd like me to give for their show. Steven and I got on a call together to discuss how we could have some fun collaborating and a friendship was born. The next day, Steven and Shaun had me on their show.
Their website is woefully behind, not their fault, but that means I can't give you a podcatcher-agnostic link to the episode that I'm on. I can link to it in specific podcatchers like Overcast and Apple Podcasts, which are both in the show notes, but it might be more listener friendly to have you search for the Double Tap podcast in your podcatcher of choice and then look for the episode from March 20th. It's an hour long and I come on right around 29 minutes into the show. They're also gonna be playing some of the content that we've created from CSUN on their show, so that's gonna be fun too. I had a really good time talking to them and, like I said, the show is fantastic, so I hope you check it out.

You know when you're flipping through photos on your iPhone or iPad and you come to a video and it starts to play but it's muted? I think we'd all agree it's a good thing that it defaults to muted, but when this happens to me, I don't wanna miss anything in the video, so I don't try to fiddle around trying to hit the onscreen mute button right away. Instead, I frantically find the pause button first and then I try to grab the video progress scrubber to get the video back to the starting position. Inevitably though, I end up grabbing the home indicator app switcher bar, you know, that little bar down at the bottom that's right near where your fat finger is trying to get to the scrubber, and I end up switching apps instead of doing the scrubbing. I eventually get the video back to the beginning and only then do I unmute with the onscreen mute button. It drives me nuts every single time. This weekend, I was watching my four-year-old-tomorrow granddaughter, Sienna, play around on my phone looking at photos. She got to a video that was muted by default and she instantly hit one of the volume buttons on the phone and the video unmuted. I have had every single iPhone ever made. I've done every operating system and I did not know you could do this.
Sienna is hard of hearing and I think volume up for her is an instinctive move on her part, but she sure did school me. I hope you like her tiny little tip on a quicker way to unmute on your phone when watching videos on iOS. By the way, she also takes a wicked selfie.

This week, I taught myself a new tool and I'm really excited about it. Let's start with the problem to be solved, shall we? As you may already know, the Programming By Stealth community is working on porting Bart Busschots' XKPasswd secure, memorable password generation service to modern web tools. Bart originally created the service using Perl when that was all the rage, but unfortunately over time many libraries on which it depended were no longer being kept up to date. It was time to port it to modern tools. In the Programming By Stealth podcast, Bart has been teaching us all of the tools to help him port the project to JavaScript. You've heard the saying, give a man a fish and you feed him for a day, teach a man to fish and you feed him for a lifetime. Well, Bart has been teaching us to fish for the last few years and it's paying off in a big way for Bart and all of us. Bart taught us HTML, CSS and JavaScript, which let us create functional web services, but he also taught us to use Git, the version control system that would allow us to work collaboratively with others. He taught us to use Bootstrap, which makes our web services pretty without a lot of work. He knew he'd have to document all of the functions in the new XKPasswd, so he taught us to use JSDoc. He even taught us test-driven development using Jest. Bart kept thinking he'd have time to start the port of the project himself from Perl to JavaScript, but higher priorities kept taking over. Finally, the most awesome Helma van der Linden asked if she could start the project and Bart happily said yes. She has been an absolute beast getting it off the ground using much of what Bart taught us along with what she already knew how to do.
A few of us have been working on the project with Helma, including Mike Price and me. I've done some HTML layout work to make it more responsive and I've found a few issues with accessibility which we collectively fixed. I'm also pretty good at breaking things, so I've gotten quite good at posting issues to the repository on GitHub for Helma to fix. This week Helma mentioned that she was gonna start working on a user guide for XKPasswd. Clearly Helma's time could be better spent on all that heavy lifting, so I asked her if I could write the user documentation. I fancy myself a pretty good writer and I better be since I write around 4,000 words per week. On top of that, I actually really enjoy writing. One of the reasons I wanted to take it on was that I'd seen some delightful documentation recently that was made with a tool I didn't know how to use. I had been looking for an excuse to learn that tool.

The tool is called MkDocs, from mkdocs.org. Probably the quickest way to appreciate MkDocs is to go to their user guide which is, of course, written in MkDocs. From a top level, you create your documentation in a set of Markdown text files and then MkDocs pulls them together into a pretty, easy-to-navigate format for the web. This means anyone can write the docs themselves, but it takes them a bit higher up the nerdy scale to pull it together with MkDocs. This type of tool is called a static site generator. The very first step to using MkDocs to make documentation is to use the pip package manager for Python from the command line. If I've learned anything about being a nerd, it's to just try stuff I don't understand. I don't know a lick about Python and I'd never heard of pip, but that didn't stop me. It was a disaster. Apple quit installing Python by default a few years ago and I knew that, so I installed it from scratch. Unbeknownst to me, Xcode had also installed Python, but a lower version.
I'm not positive about this, but I'm pretty sure there was a third version of Python lurking around in my system somewhere else as well. The other fun thing is that Python wasn't called python on my Mac. It was called python3, and pip wasn't there either because it was called pip3. With all of these conflicting versions, things were getting pretty messy. At one point I sent a desperate plea for help to our Slack community at podfeet.com slash slack over in the PBS channel, and while both Allister Jenks and Steve Mattan tried to help me, I seemed to make more of a mess of it. I thought, maybe I'll just go see if Homebrew, the Homebrew package manager, could install MkDocs, and it worked like a champ. So I stopped playing around with Python.

So now that we've successfully escaped that scary snake, let's talk about how delightful and simple it is to write documentation with MkDocs. Every page of documentation is a simple text file written in the Markdown language, like I said before. The MkDocs software does all of the rendering and assembling of these individual Markdown files into these pretty web pages that are gonna be easy to navigate. For our documentation for XKPasswd, I created the following pages: About, Help the Project, Home, Varbi Dragons, User Guide, and XKCD and XKPasswd. I told you those page names in alphabetical order on purpose because that's not how they appear in our fancy new docs. The display of your documentation is controlled by what's called a YAML file. YAML is a configuration file format that's pure text, but where things like colons and indents have actual meaning. I don't know YAML, and I've only heard Helma talk about it from time to time, and yet the instructions from MkDocs were super easy to follow. In case you're wondering, some say that YAML stands for Yet Another Markup Language, but others say it stands for YAML Ain't Markup Language. So that's helpful.
To create the ordering and viewability of the Markdown files in MkDocs, in the YAML config file you just type nav colon. On a new line, you indent two spaces, not a tab, not four spaces, two spaces, and then you start entering the names of the pages in the order you want them to appear in the navigation. Each line, after the two spaces, starts with a dash and then a space and then the pretty name you want people to see, followed by a colon and then the name of the text file. This sounds very clumsy to describe but it's easy to read and easy to type. For the XKPasswd user guide, my nav section has simple lines like dash About colon about.md.

Before we dig into MkDocs any further, we better talk about themes. MkDocs comes with two built-in themes, mkdocs and Read the Docs. You tell MkDocs which theme you want to use in that same YAML file we've been talking about that defines the navigation. Again, this syntax is super simple. If you're not going to add anything extra to the theme, you can simply type theme colon mkdocs. The mkdocs theme has a pretty blue bar across the top where the navigation elements live. Almost immediately I realized that having seven pages in the navigation bar was going to be completely untenable. On small screens, it would collapse to a hamburger menu, but it still wasn't very user friendly. The Read the Docs theme is much better for documentation with a lot of separate pages. Instead of navigation across the top, this theme uses a left sidebar. I really like how this element works in MkDocs. The name of each text file is listed on the left side in the order you entered in the nav portion of the YAML file. More importantly, if you use headings in your text files, each page in the sidebar can be expanded to show the internal headings. Clicking on a heading jumps you immediately down to that section of the file. It's like an automatically generated navigable table of contents with close to zero work on your part.
While I love the navigation and usability of the Read the Docs theme, the colors don't really blow my dress up. The sidebar is super dark and menacing looking. I started looking for new themes and I found a list of awesome themes and plugins on a repository run by the MkDocs folks over on GitHub. So I decided to install them using Homebrew. And that's when the real madness of Python began. It turns out that the themes for MkDocs are only available through pip. I beat pip into submission and I got it to work to install the themes I wanted to try out, but MkDocs kept saying those themes don't exist. As Helma is my witness, we had a Schrödinger's cat problem going on. I finally found an explanation online. MkDocs installed via Homebrew simply can't see any plugins you download via pip. The only solution was to try to get a Python installation of my MkDocs working. After literally two and a half hours of Helma and me fighting with multiple versions of Python and pip and problems with PATH and inconsistencies of error messages, we threw in the towel.

But I came up with a good rationalization for giving up. Everything about XKPasswd is open source and we welcome contributions from the community. That's really what we're all about. If I want people to help with the documentation, it would be just plain mean to make them have to go through the agony of dealing with Python and pip to install a custom theme. Now, if you think I'm just complaining because I'm new to the installation of Python, even though I did have Helma helping me, I can prove it's not just me. There's even an XKCD cartoon documenting the nightmare I experienced. So Helma and I decided that I'm just gonna stick with the built-in Read the Docs theme. We can still affect styling using CSS, cascading style sheets. To tailor the docs, I merely had to create a directory in the project called docs underscore dir and then create a file inside that directory called style.css.
I then needed to add a configuration to our little friend the YAML file to tell it to go look for that CSS styling. So far, I've only messed around a little bit with styling code snippets using CSS. I plan to get back to it to make it more pleasing and match the color palette of XKPasswd itself. So far, I've resisted the urge though to play with that styling and rather I dedicated my time to actually writing the user documentation.

Now, working on a tool that creates pretty web pages isn't very fun unless you can get immediate feedback on how your changes affect the site. With MkDocs, you issue a very simple terminal command, mkdocs space serve. This starts a little local web server and then you can find your rendered documentation at localhost colon 8000. Now don't worry about remembering that port number because the serve command reminds you of it every time you run it. The best part about this little server is that MkDocs is constantly watching for saves to files for the site. As soon as you save one of the Markdown files, the YAML config file or the extra CSS file, if you have one, you'll see the site update. I really like that instant gratification.

Now I'm rather proud of this little joke in my next heading; it says, let's git this party started. All right, if you're a nerd, you'll know why that's funny. At this point, I had the docs working pretty well on one of my Macs, but I live a two-Mac lifestyle these days and I wanted to work on the documentation on both of them. I also wanted other people to be able to suggest additions and edits to what I'd written. The obvious solution was to put my documentation under version control with Git. I would create a local Git repository and, since the Programming By Stealth crowd has settled on GitHub, I'd need a repo up there too. It was easy enough to use the command line to initialize my MkDocs directory as a Git repo using the terminal command git init.
Then I pointed my Git client, GitKraken, into that directory and pushed it up to my GitHub account. It's available right now at github.com slash podfeet. You'll find it called user-docs-xkpasswd and of course there's a link in the show notes. Now, I've gotten pretty comfortable with Git over the last few years since Bart and I use it for all of the show notes for Programming By Stealth as well as his Security Bits segment on the NosillaCast, and I use it for my own development projects like Time Shifter Clock and Time Adder. Working with Git is not as easy as saving things locally, but it's not all that hard. I just have to remember to pull from GitHub before I start working and push my changes back up when I'm done. So I'm always sure I'm working on the latest version no matter what Mac I'm on.

I kept poking around in the MkDocs documentation and I found another super cool awesome thing about MkDocs. With a single simple command on the terminal you can create a GitHub page in your repo for documentation. Now, if you're not familiar with GitHub Pages, it's a way of hosting a static website on GitHub servers to be publicly viewable. It's a free way to make our documentation viewable to users. Okay, you ready? Here's the entire process. In the terminal you type mkdocs gh-deploy. That's it. That's all you do. MkDocs will do some churning and then ask you for your username and password to GitHub. This will not work. GitHub disabled this method of login ages ago, I presume since it doesn't support multi-factor authentication. Once it gets to the login prompt you simply use Control-C to back out of the command, but it's already created the page for you. Back in your Git client you'll now see the gh-deploy command has created a new branch called gh-pages. If you check out that branch and push it up to GitHub, in a wee bit you'll be able to see the rendered web page for your documentation.
Now, if you haven't seen GitHub Pages before, you'll need to go find the URL to tell people about it. Log into GitHub, navigate to the repo for your documentation and then use the drop-down on the Code tab to change the branch from main to this newly created gh-pages branch. In the same menu bar where you see Code, Issues, et cetera, over at the far right there's a Settings tab. In the left sidebar now you should see near the top "Your site is live at" and a URL that starts with your username.github.io followed by the name of the repo. So for our XKPasswd documentation it shows the page where you can view this amazing documentation now yourself. It's currently available at podfeet.github.io slash user-docs-xkpasswd and of course there's a link in the show notes. Now don't memorize that location for XKPasswd, but you can use it for now, because we'll probably be moving this into the bartificer org eventually to make it part of the XKPasswd family. I started it in my own repo so I could demonstrate it to Bart and Helma without borking anything up in Bart's organization. I presume the URL will change when we move it, but you can view it at my repo for now.

Now you get a couple of other cool things for free when you create documentation with MkDocs. It automatically adds search capability for the site. It works reasonably well, but I've seen it not return any search results at all and later find the exact same things from the same search. But hey, it comes for free. Now another feature of MkDocs is a next and previous button at the bottom of each page and at the bottom of the left navigation sidebar. It might not be that useful for this kind of documentation, but it can be super handy if you've got sequential documentation, you know, like a tutorial. If you're a fan of keystrokes, you can set them up in the YAML file. It's part of the theme section and the tutorial on MkDocs gives you the format and some examples. It suggests keystrokes for help, next, previous and search.
I don't quite understand the format, but I copied it and pasted it from the MkDocs documentation and it worked. However, as I was writing this up I went to test the keystrokes and they did not work. I was very confused and it took a lot of searching on the interwebs before I figured out why. Some themes don't support shortcuts and the Read the Docs one is one of those themes. I thought I was losing what little was left of my mind because I swore it used to work, but I had been using the other default theme, mkdocs, when I first tested it.

All right, the bottom line is that I'm thrilled with MkDocs and how easy it was to make beautiful documentation with it. It's a smidge nerdy, but the instructions are super clear and easy to follow at mkdocs.org. Well, except for that Python pip nonsense. But I gotta tell you, I can't really call a bottom line just yet. That evil temptress Helma just sent me links to several more static site generators to try out. Some of them look even prettier. So now I'm gonna go down the rabbit hole of trying them all. The good news is that they're all JavaScript, not Python, so maybe I can have more fun with themes. You might think that changing horses right now after all this work, having to do it all over again, would be a big problem. But remember, the real work is writing the documentation itself. The reason Markdown is such a powerful tool is that it's completely portable because it's just plain text. This means that after I figure out these other static site generators I can simply plop my Markdown documents into them and see how they look. Who knows? Maybe I'll come back to my first love, MkDocs, but I wanna test these other options before settling down. I'm really excited about this, as you can tell. So stay tuned for more fun about how to create pretty documentation.

All right, let's head back to CES and learn about some cool smart home devices. I really like the Internet of Things.
I've got my houses littered with them, but I won't buy anything that's not HomeKit compatible, and I've heard a lot of people talk about a company called Aqara. I found Jennifer Biana Gelman here at the Aqara booth and she's gonna do us a quick walkthrough of the HomeKit compatible devices, and of course they also work with Alexa and Google and do the IFTTT thing, right?

Yes, definitely. Yeah, Aqara, we create smart home solutions. We range from a diverse range of products. We have smart locks, we have video doorbells, we have LED strips, we have Thread-based, we have a Thread-based line, we have camera hubs, and we have pet feeders, and we have different sensors like FP2 radar sensors, water leak sensors, door and window sensors, everything your smart home needs, and Aqara is different because of the automations. You could create a plethora of automations, and because of our diverse range of products you can really, just with Aqara, have it all. For example, our Camera Hub G3 and our G4 video doorbell, they use AI facial recognition, so if your daughter walks into the room and the G3 recognizes that, the LED strip will turn her whole room pink, or with our FP2 presence sensor, if you walk into a room and the presence is detected, the lights turn on. When you leave, the lights turn off, which saves you so much energy and money on your energy bills.

And I gotta tell you, my favorite automations are the ones where I'm not telling it what to do. People love to say, "Alexa, turn on the lights." It's like, no, I want the lights to know when I want them to come on. I don't wanna have to tell them when to come on. I don't have that kind of time.

Yeah, and that's why the FP2 presence sensor is so revolutionary. And we actually have three new features for the FP2 presence sensor. We have fall detection, so if you mount it on the ceiling and you have a grandfather who falls, then it will alert you that your grandfather has fallen and the alarm system will turn on.
The lights could flash red, there could be a sound on the G3 that yells, all of that type of stuff.

How does the sensor know that grandpa fell?

It's a millimeter wave radar sensor. We also have a feature where it's sleep detection, so it can detect your heart rate, your sleep schedule, and there's people counting so it can give you live real data on how many people are in a room or not, and you can see it all on a screen.

Wow, and you're saying the name kind of quickly. Say the name of the sensor again.

The Aqara FP2 presence sensor.

And is that visible here on the counter or is that something just in the background?

It's right there.

Okay, okay.

It's our most popular sensor.

I didn't know about that. Now the other thing is that I think your products don't cost a fortune either, is that right?

We're actually like one of the most affordable brands.

That's actually how I heard about you first. HomeKit and that. Well, this is very cool. You've even got a pet feeder.

Yeah, let me show you. Let me show you.

All right. She just, oh, she just held her fingers in front of the baby camera and we got M&Ms kind of coming out of the pet feeder. Just a fun, silly automation. You do the automation through the Aqara software then?

Yeah, yes, you do that through the Aqara Home app. And obviously it works with HomeKit and Alexa and all the other platforms as well.

I like the idea of doing the automation in your app though, because to be honest, I'm a big fan of Apple HomeKit, but man, it's weird to work with the automation there. So having it in Aqara sounds really good. So how would people find these products?

We are available on Amazon and we're available globally through distributors, but we are very easily accessible on Amazon.

All right, and the name of that company is Aqara, spelled A-Q-A-R-A. There is no U after the Q.

Yes, A-Q-A-R-A.

All right, thank you very much, Jennifer.

Did you want me to talk about the retrofit valve?

Yes, yes, yes, talk about this, one more thing.
So she's got a water leak sensor down here on the table.

Yes, so with our water leak sensor, it's been out for a while. If you put it in a basement and there could be a flood detected and a drip, just a water drip, then this will notify you that there could be a potential flood in your home. And this is a prototype, so this is not released yet. It's still a concept, it's our retrofit valve, and if that little drip is detected, then your whole system will turn off and it could potentially save you from a flood.

Wow, so this is a smart valve controller that's in line on the pipe and will actually mechanically shut it off. So prototype, yeah, you were wondering whether there was interest in this product? Why yes, yes, everybody is interested in this product, would like to know. I know two people who were off on vacations, had floods in their home and destroyed everything, destroyed the neighbors downstairs. That became their fault, oh, so it's a big mess, so yeah, that's a great idea, do that.

That's why it's important to always know what's going on in your home.

Absolutely, all right, thank you very much, and we'll all check out Aqara when we get home. Thank you.

Thank you.

Last week I talked about doing my taxes and finding out I actually lost money doing the podcast, and I suggested it would be swell if more people chose to donate to the show using Patreon. What I didn't expect was that listener and good friend in real life, Lynn, who's already a generous patron of the Podfeet podcasts, I didn't expect that she would increase her pledge. She's already helping to shoulder the load. Of course, I accepted her generosity, and then darned if Mike Price didn't do the same thing, doubling his Patreon pledge. Like so many others, he contributes in so many ways it seems criminal to take his money, but I'll also graciously accept his money.
Then listener Emmy became a new patron of the show by going to podfeet.com slash patreon and pledging an amount of her own currency that reflects the value she finds in the material we produce. She was also very, very generous. Now, she was playing it right. See, she wasn't contributing before and she started contributing. That was what I was trying to get to happen. But then both longtime donors Janet Chesney and George from Tulsa sent in PayPal donations to help out even more. I thank Lynn, Mike, Emmy, Janet and George for the support. I hope those of you who have not yet started supporting the show will consider helping shoulder the load, like I said, to make the shows we produce here a success.

You're about to hear Security Bits, and in this installment, you'll hear Bart and me discuss at length a backdoor that was found in an open source library called XZ or, as he said, xz. After we'd recorded, I was fooling around on TikTok as I often do and I found a wonderful video by a guy who goes by the name Nate where he explains that nerds saved the internet this weekend, and it's all about the XZ backdoor. I put a link in the show notes before the Security Bits section so you can watch it. It's absolutely glorious. The guy does a great job of explaining it but talks about how nerds saved the internet. I loved it.

Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Anything big shaking this week?

Yes, yes, that's where we are recording. Little and big. We have everything today, a plethora to play with. Do quite a few firework signature icons though. So that at least is something.

I'm good.

I did want to mention a few little quick updates of things we've talked about before. So we mentioned last week, last time in a bit more detail, but there's the concept of a watering hole attack where you go after people where you know they're going to come, and at the moment developers are really being hounded.
There's lots of things going after developers at the moment. And to prove the point, the PyPI Python repository have suspended new account signups. It's like, we cannot deal with the torrent of bad packages being installed. We're just going to press pause until we get to the bottom of this. So if you're a developer and you're getting libraries from third-party repositories, like I said last time, start at the homepage of the library you want and follow them. And then you're not going to get a typosquat, right? You're not going to get a nearly-the-same name of the library. So you want jQuery, but you got jQuery with a letter missing or something. So just start at the jQuery website and follow it. Don't start on node or PyPI or whatever.

So, oh, that sounds tiresome. I mean, I can't just say brew install blah?

Unless you're dead sure blah is really blah. If you do a brew search and then there's five or six packages that look vaguely like the right name, now you're in the danger zone.

Okay, okay. I tend to be doing big things that are fairly obvious, so I should probably be okay, but I like that you're bringing up Python right after I will have just spoken. This is a timey-wimey wibbly-wobbly thing, but I will have already just talked about using the pip package manager for Python. But this is the PyPI package repository, but it could also be having the same problems, right?

All right, they're all being targeted. This is the story that made the headlines this week. So I thought, well, I should mention it in the feedback and follow-ups, but yeah, this is still a thing.

Okay.

Continuing the topic of "this is still a thing." The baddies are still getting one over on Google. They are still winning the cat and mouse game on getting malicious ads to sneak into Google. And I am sure the Google people are working very hard to get those mice, but they are not winning at the moment.
So just since we last spoke, there have been malicious ads sending Trojanized versions of CleanMyMac, the Arc browser, Notion and PuTTY. So- Oh, wow. Again, start at the project's homepage, rather than going straight to a download link from Google. I think this is, again, your best bet, or certainly not on one that's under the advertisement speech. Google does mark which is an ad and which is not, right? So don't click on the ads.

And surprising absolutely no one on Planet Earth, the European Commission is not a hundred percent sure that Apple, Google or Meta have completely complied with the Digital Services or the Digital Markets Act. There is an official investigation. Hands up if you're surprised. Oh look, no hands. I would like to throw in just some commentary here. On the Accidental Tech podcast, they very often, especially Marco Arment and Casey Liss, like scream into the microphones about how frustrating Apple is to work with, where you can work developing a product, an app, for years and submit it to the App Store. And then they go, no, guess again, you did something wrong and we're not gonna tell you exactly what it is. And they are laughing their fannies off at what's happening to Apple with the DMA, where the DMA is going, okay, guess how to comply. So Apple throws something out there that's in their best interest and they go, nope, guess again, instead of just tell me what you need me to do or work with me together to put this together. Well, that's exactly what every developer wants and Apple does not do with you. So they're just sitting back eating popcorn, watching this whole thing. Whether they agree or not with the DMA is irrelevant. It's just, it's comical to see the schadenfreude that's going on. Yes, yes indeed. Turnabout is fair play, yeah. I've heard a few developers taking some perverse pleasure, shall we say? Yes, anyway, so that will go on. So we have a deep dive.
It was just one I promoted to a deep dive and it's because it got so many such shouty headlines that I thought maybe we should put the fire extinguisher on this one. You may have heard of something called GoFetch, which is an unpatchable flaw in the hardware of all Apple's M series chips. Yeah, everybody's been talking about it. Well, there is a kernel of truth, because there is always a kernel of truth, but it's very technical and very dense. And so if you read the original journal paper without a degree in computer science you could very easily come away with an inappropriate understanding of what's going on. And then you take that and you feed it through a headline editor who then reads your translation of what the journal paper said and puts on a headline they think will get clicks, and the game of Chinese whispers, or game of telephone or whatever we call it, very quickly gets you to, oh my God, what is ending? It's doom. It's not nothing but it's not what people think it is. Okay, that's what it is. If you want the nerdy details, Steve Gibson did a real propeller beanie episode on the latest Security Now, but I'll give you the quick version. In cryptography, some algorithms absolutely must be implemented in something called constant time, where the amount of time it takes to do the crypto can't change depending on the content of the key. So no matter what key is randomly chosen it should always take exactly the same amount of CPU cycles to do the work. Our modern CPUs are full of optimizations. And what has happened here is a collision between an optimization and these cryptographic algorithms. And so the M series processors by default enable some optimizations that break the assumption of constant time. They go and prefetch things based on the content of the key. It's like, oh, I think I know where to go fetch that hardware address, I'll go fetch that for you. And it's not constant time anymore. It's optimized.
And therefore, if you hammer at this over and over and over and over again, by watching the timings you can begin to infer the bits of the key slowly. So over an hour you can end up determining a key. And we're back to the old, these are Spectre style side channel attacks. So if your computer is already hacked and you're using this type of cryptographic algorithm and the malicious process and the cryptography get to run on the same CPU core for an hour, then the attackers get to steal the cryptographic key. So that's not a very realistic scenario, is it? Yeah, if I've got a 16 core M1 or M3, what are the chances it's on the same CPU? They may have to do some engineering to try to trick it into definitely being on the same CPU. And if they have root access on your computer I'm sure they could achieve that. But if they have root access on your computer you have a way bigger problem. So if you're hosting servers on an M-series Mac then you do need to pay some attention to this. But even if you are paying attention to this it's not catastrophic. So the second problem is with calling this an unpatchable flaw, because actually it's very easy to fix. There is, you just tell the CPU not to do that optimization while you're doing the crypto and then it's fine again. So you basically say that while this function is running, turn off that feature, and then the function runs in constant time, and then you let the feature come back on. So one piece of this that I don't understand, well I'm glad I said one since there's probably many, but one piece I don't understand is what process is running this cryptographic process? I mean am I initiating that? Is the operating system initiating it? Is some application, some web service? The attacker would basically try to do something to make your computer use a cryptographic key that they know you have that they're interested in. So they might think, oh this person has SSH installed, I want the SSH key.
Therefore I will sneak a process on that will trick their computer into doing some SSH connections and then I'll watch the timing on the CPU. Okay. It's just not practical, right? It's really cool science. It's really cool research. And the takeaway here is that the implementers of cryptographic algorithms need to be careful that their code, when they compile it for the Mac, ticks a little box that tells the M-series Macs turn off this speculative feature and then turn it on again at the end. So basically there's a way of telling the M-series processors that this piece of code shouldn't use optimizations. And so you just need to update your functions to say, tell the CPU that you are one of those funny secure type processes and then the CPU will stop being all optimized, you know, all optimized. And so that brings us to another kernel of truth behind the other shouty part of the headline. The only fix is a massive reduction in performance of the CPU, which is true in the tiniest of tiniest of ways, in that the function processing the cryptography will need to not use those optimizations. Everything else you're doing can. So it's not a binary like that we disable this feature for the entire CPU forever. And now Photoshop is slow. Right, exactly. So I can understand, having read the abstract of the journal paper, I understand why this was poorly reported, because the abstract of the journal paper was very computer science. And I understand the clickbait for saying Apple is doomed. So even when a responsible journalist, say at Ars Technica, writes a correct piece, when that goes to the Ars Technica headline editor, who is not the person who wrote the article. That's something we often forget, that the person who writes the headline is not the person who writes the article. That makes a lot of journalists very, very, very cranky. Steve Gibson used to be like, Steve Gibson hasn't written a regular, not a, ah, what's the phrase?
A regular column in years, but even when he did it, he was regularly cranky with the headlines on his articles. And that's decades ago. This is a thing. I think the other problem is so much of what is considered journalism these days is regurgitation of other people's articles. So it could be, and I'm gonna make up websites, but it could be that it starts with a journal article, then it's Ars Technica, who does a fairly good job. Now we've got a bad title that's clickbait, and then MacUpdate or MacRumors adds to that one. And then John Gruber adds to that one. And each time the telephone is getting worse and worse and farther away from the real truth. And usually it's fine, but not one. Yeah, then it's a tweet. And usually it's fine, or at least, you know, within you can squint and see the original article in it. But in this case, I definitely heard it reported much differently than the way you've explained it. Okay, so we're not gonna worry about that. It does seem like speculative execution is the most common thread that we've run into in a technical thing that you have taught us over the years. We've heard this over and over and over again. I'm thinking it's a bad idea. We shouldn't do it. No, at the end, I thought that initially, right, when Spectre and Meltdown came out, but I've nuanced my opinion. Cryptographic code needs to just get into the habit of telling every CPU to turn them all off. So all of the CPUs, the Intel ones and everything, you can turn these features off. And I think all cryptography should just get in the habit of saying, don't optimize me in any way. And then even the optimizations we don't know are bad, just turn them all off. Just no. Yeah, we can wait that millisecond. We have that kind of time. Exactly. That's good. That's really, really interesting, Bart. Thanks for telling us about that. That's why we're here.
Jumping into Action Alerts then, last time we spoke, Apple had patched iOS, their shiniest operating system, and they had been very vague in their patch notes for iOS, just saying it fixes some security stuff, dude, do you know? And the reason they were being vague is because they didn't have time to get the updates for the Mac out, because they needed to get the ones for iOS out in time for the Digital Markets Act to go into effect. So now they have retroactively updated the notes for iOS and released the updates for macOS and older standalone versions of Safari and another update for the iPad as well. So a few more updates to follow. They're basically the same updates we got on iOS last time, just rolled out everywhere else. You know what's really sad, Bart, is I was so happy when it was just iOS, I was like, finally, some patch that's only for one of my devices or that category of device, then all of a sudden the rest didn't come out. It's like, ah, you're killing me. Yeah, as is normally the case, it was a bit of a problem in WebKit, because WebKit just does everything these days, so that's why it affects everything. Yeah. WebKit. As my mother used to say, everything goes when the whistle blows.

Now, we have another news article that we're gonna add a little bit more color on than it currently has in the show notes. So if you're running a version of Linux, and there's an asterisk we'll put on this at the very end, but I'm just gonna leave it at that. If you're running a version of Linux that is what they call one of the more bleeding edge versions of Linux. So different Linux distributions have a different attitude towards being cutting edge. So if you're running in the Red Hat world, then the latest version of Fedora will be using the very, very latest versions of every package and running into all of the problems. And then Red Hat won't bring any of that to Red Hat Enterprise Linux until a year later or so.
And so if you're running the Fedora one, you're getting all the latest updates, whereas if you're not, then you're not. And in the Debian world, there's something which I think is a wonderful name. They call it Debian Unstable. So the version of Debian that gets all the new hotness is called Debian Unstable. And the version of Debian that most servers are running is called Debian Stable, which is basically a year old. Yeah, so if you're running the stable OSes, you're fine, because what's happened here is someone has succeeded in taking over the Git repository for a popular utility and putting a backdoor in. So it's called a supply chain attack. So it's the XZ, or xz-utils, library. And the malicious code looks for SSH stuff going on on the computer and basically tries to create a backdoor on your computer using SSH. It was discovered by, I think it was the Microsoft security team, were investigating some weird stuff they had seen through Git. And they were like, what the who the what? And they discovered it and then Red Hat released a pretty shouty headline going, if you are running, was it Fedora 41 or Fedora Rawhide, you absolutely positively must patch immediately. And it's one of the weirdest patches, because when you install the patch, your version of the xz libs downgrades. So normally you patch to update, but now you're patching to downgrade, which feels really weird. Like, yeah, I'm patched, I have an older version. So in Linux land, unless you're running those bleeding edge distros, you're probably not affected, but a yum update or an apt-get update will fix you on Linux land. But then of course, as Alistair pointed out in the Slack over at podfeed.com/slack, Linux packages aren't only on Linux. Some of us bring the Linux universe into our Macs using tools like Homebrew. So if you use Homebrew to install something which has a dependency on xz-utils, then you may have gotten a copy of xz-utils. And that may be a new copy. So you may have to downgrade.
Yeah, so Bart and I took a look at this. There's an Ars Technica article that actually highlights the fact that you may have xz-utils just because you're using Homebrew. And so I looked on my two Macs. I've just recently been messing around with Homebrew. And on one of them, it did have xz and I've never intentionally installed that. But you install stuff, you get all kinds of library dependencies. That's just the way this kind of thing works. And so I had the newest version, which was 5.6.1, on one of my Macs. But on the other Mac, I ran the brew upgrade, just upgrade brew, everything that's in it. And now I have the downgraded one, 5.4.6. So I'm gonna fix the one on my second Mac today. But Bart looked in his and he didn't have it. So he didn't have xz. So it's not necessarily that you get xz just because you're running Homebrew, but you may have it installed. And you know what? It's not the worst thing in the world to patchy, patchy, patch, patch, just run brew upgrade and you're gonna get a bunch of new stuff that's patched. So go. Yes. And just, you and I both ran into the subtlety. If you read the brew docs, you're gonna be no better off here. There is a difference between brew update and brew upgrade. Brew update effectively updates brew's opinion of the universe and brew upgrade applies this new opinion to your computer. So if you just run brew update, it knows how it should fix everything, but it won't actually fix anything. Whereas if you run a brew upgrade, it will actually upgrade all of your packages. So brew upgrade must do a brew update and then a brew upgrade. Okay. One is a subset of the other? It was interesting seeing it get downgraded. So I know that it worked, but thanks to Alistair for highlighting that. I don't want a backdoored utility on my Mac. No idea if I could be exploited, but I'm not going to do that. So brew upgrade done. The attack surface may be small or difficult to get to, but let's not have it there. Let's just not have it.
Well, yeah. And it's super easy to fix. It's, what is that? Like 12 digits I've got to type. Exactly.

It's somewhat similar. I have a fire extinguisher on this one too. There's a lot of shouting about a big, big bug in a very, very common package called util-linux. That might be in a few places. And I sort of chuckled because the bug is in a command line command I haven't played with since I was a college student. It's called wall, which stands for write to all. It's a way of sending a message to every terminal. So if you're ever logged into a Linux computer and someone else does a shutdown -h now, everyone gets a message saying this computer is shutting down. That's written to everyone's terminal using the wall command, write all. And we used to have great fun writing messages to everyone's terminal going, he, he, you're a poopy pants, wall. You know, we were big children, but that's the point of being at university. Anyway, seeing wall made me chuckle. I was like, oh, I remember that when I was a kid. There's a bug in how wall handles escape characters. So you can write to people's terminal and then make it send special characters. So people have been experimenting with how do we abuse this? One way to abuse it is to write a fake sudo prompt to someone's screen. So it looks like sudo is asking them for the password, but actually it's just a normal bash prompt. And so they type in the sudo password. And then if you're running Debian, or if you're running Ubuntu, if you type a terminal command that makes no sense, it tries to give you a hint about what you might have meant. Did you mean blah, blah, blah? Which means there's a log file that shows it trying to figure out what you asked it to look up. So the attacker can check what failed to run, which is your password. If you're running Ubuntu, which tries to do that helpful tip. And someone also found a way to make it mess with your clipboard.
So hypothetically, if there's something sensitive in your clipboard, you could use the wall command to snag someone's clipboard. It's all like, again, the attack surface is tiny, but the fix is trivially simple. Just update your Linux. This is a, whether it's a yum update or an apt-get upgrade or whatever it is on your particular version of Linux, just update your Linux and you're absolutely fine. So it's a nice simple one. Some people were getting all shouty about it. No, it's difficult to exploit. Kind of fun though, so just update.

Now, in Worthy Warnings, I've actually gone and dug up the emoji for two exclamation points, because this is, there's a big one. So Krebs on Security was the first to warn about this. There are real world attacks targeting Apple users at the moment. And it appears that at least a week ago, it was true that the rate limiting on the resetting of Apple IDs was not working on Apple's server end. So if some random person on planet Earth tries to reset your Apple ID, Apple will send the push notification to your devices saying, is this you? Do I allow this password change or not? And that should obviously be rate limited so that someone can't send you 500 push notifications. But that rate limiting was broken a week ago. And some people in the cryptocurrency world were being bombarded. And if you fat-finger even one of those 500 messages and accidentally click allow instead of deny, say maybe on a small Apple Watch screen, then you have just lost control of your Apple ID. And there's no way to dismiss these, they're modal dialogues. So you must click through them all. So you have an exhaustion attack where someone might just get fed up and go, oh, fine, whatever, allow. Or you might accidentally click one allow out of 500 denies. So either way, if you suddenly get swamped in messages about your Apple ID, it's a real attack.
Do not under any circumstance click the allow button, no matter how frustrated you get, no matter how cranky you get, do not click allow. The hope is that Apple will fix the rate limiting and this will not be a thing. But if it happens to you, it's really important you click deny. One thing I hadn't heard was whether rebooting the phone would be a better way to deal with that. Nobody said anything about that. I would think restarting the phone rather than trying to make sure you hit don't allow 100 times. These people said it was like 100. I don't know if the message would be queued up and just waiting for you when the phone came back. It's certainly worth trying. I promise you, if it happens, I don't want to tempt fate. But yeah, it sounds like it's worth giving it a go. So what can Apple do about this? Well, the push notifications are coming from Apple's servers, so they could say that the same Apple ID can only have a reset sent to it five times an hour. And then the problem becomes very manageable: deny, deny, deny, good day. Okay. It's a rate limiting thing. Like you shouldn't be able to... If you get your password wrong on Google so many times, they stop accepting you for an hour. If you try to put your PIN in wrong on your iPhone so many times, it says, yeah, go away for an hour. You know, it's a rate limiting thing. So it should be... So they can fix it? Yeah. Yes, because it's coming from their server, so they should be able to fix it without an update on our end. They should be able to fix it on their end. You think they're going to tell us if they fix it? Nope. So I think this will just silently stop happening. But the reason I want to say it is so that if this happens to you, and I'm hoping it doesn't, then it probably won't. But if it does, it is really important that you do not click allow. Okay. For a wonderful run. That's two exclamation points. One exclamation point.
If you use Twitter slash X, you need to be aware of a fact about a design decision they made with how the preview of a link is calculated. It is trivially easy for a naughty person to make the preview of the link look like it goes to a domain it doesn't actually go to. So the URL you land at when you click the link may be completely different to the one the preview shows. And if you're on a phone, you won't have an address bar. If you open a web page from within the X app, it will just be a blank screen. So if the preview says you're going to GitHub, and if the page you land at looks like a GitHub login page, and you can't see the URL bar, you do not know you're being phished. How could you? You couldn't possibly know. So there is a setting where you can say links open in Safari. And it means that every time you click a link in your X app, it does that swapperoo thing where all of a sudden you switch to Safari. Turn it on. Because at least then you'll see the URL bar and you will know, or you will have a fighting chance of noticing, that the domain name is wrong. Okay. Or don't. I'm trying to see how this is any different than always. Right. So on other sites, they use a completely different method for calculating the thumbnail. So the preview of a link is calculated differently in the other social medias. So they're not vulnerable to this. It is just a design decision X made. The technical detail is in the link to Bleeping Computer. I read it and I slapped my head. It's like, oh God, no, they didn't. Well, didn't they get rid of their entire security team? Yeah. It's the kind of error an undergrad on their first day would make. Because there's no adults in the room. Yeah. I mean, it's that simple.

This next story is one that I dread having to talk about because it's confusing. So I thought the story I was going to be telling you was that the entire security community thinks there has been a massive breach in AT&T and AT&T insists there hasn't been.
The development is that a few days ago AT&T finally went, ah, yeah, it is our data. We were attacked, but it's our data. That may be true. What may have happened is they have so many partners that their data is probably not only in their hands. So their data is quite likely elsewhere, too. And so one of those elsewheres may well be where the data was leaked from. But what AT&T are saying is that two weeks ago, there was a data breach, which is, depending on your choice of definition, you could wiggle it to be factually true, but I would argue that's misleading. What happened is that two weeks ago, the data came up for sale on the dark web. But analysis of that data by people like Troy Hunt and others quite clearly shows that it's 2019 data. It's real. It really is AT&T data. The last time it was accurate was 2019, because they've basically been contacting people on the list and going, when was the last time this was your home address? When was the last time? And if you do that with enough people, you end up basically with a time span. So it must be before 2020. Oh, I moved house and whatever. You zone in on it pretty quickly if you ask enough people to verify the data. So they've zoned in on it being about 2019 data. It also seems pretty clear that the data set of exactly the same size purporting to be AT&T customer data that was offered for sale in 2021 on the dark web is probably this same data set. And at the time AT&T insisted they hadn't been hacked. The data was fake. Do you think that's... Does that smell like... This is just idle speculation, but is it incompetence or malice or, you know, subterfuge on the part of AT&T? I think it's a case that we don't know we were hacked. Therefore we're just going to do the easy thing and say, well, we have no evidence we were hacked. It's just a default deny. Our default attitude is to deny everything always. I think it's the lawyers running the place. That would be my interpretation. Just a guess, of course.
So a lot of the data is of former customers because it's probably 2019 data. That's five years ago now. So we... As the security community understand it, there are 7.6 million records of current AT&T customers in the breach. 73 million records in the breach in total. And those 7.6 million current customers also seem to have lost their passcodes, which may or may not mean that actually there's been a second breach. Maybe the data in the first breach was used to do some sort of more recent attack. And maybe... Maybe one data breach has led to a second iteration of the same data breach. And now we have these passcodes, because either way AT&T has reset 7.6 million passcodes. So AT&T also say they're going to contact everyone who was affected. And if your passcode was reset, well, you must know, because if you try to log in, you won't be able to. And I imagine when they reset your passcode, they would have sent you an email saying, hi, we've reset your passcode. So I think those 7.6 million people should know. I think. Best of luck with that. Well, the only data point we have that we know for a fact in that is that I am an AT&T customer and I did not get a passcode reset email and I was able to log in with my passcode today. Would your advice be change the password anyway? Yeah. Yeah. I think there's so much going on and so little communication. They're grudgingly admitting to the least possible they can get away with. So there's probably other shoes to drop. Yeah, I think there's shoes hanging over our heads here. So yeah, if I were you, I think that seems like a solid approach. Yeah, I know what I could do, Bart. I could use the new beta.xkpasswd.net to generate a new password that's long, strong, secure, memorable, and typeable, thanks to Helma and others for putting that together. Yeah. Yeah, Helma does get it. You open it up, you click the generate button and there's a big password. You shove it into 1Password, boom, done. Easy peasy. Yes, indeedy.
I've been having so much fun because it's my favorite. Strangely enough, it's a password generator I use all the time. But I'm having the experience, now that the community have completely run with this, that I go to the website that, hypothetically, is my website and they go, ooh, cool, that feature is implemented now. It's so fun. Well, this is the best case of, Bart, you know, taught people to fish and then he's just sitting back eating the fish. He's just like, I don't have to cook anymore. One of the things I enjoy is, because of contributions by Dorothy, MacLurker, basically saying, I want it to work this way. And me saying, no, I want it to work that way. Between Mike Price and, I think it was mostly Mike Price, generated a way that I can copy the way I want to and she can copy the way she wants to. It's just beautiful. It's a wonderful thing. Dorothy's wrong. My way is right, but we're both allowed to have it. We have what we want and it's not clumsy at all. I'm actually, I think you're both right, because there are times I want a bunch of passwords and there are times I want one. And so when I want a bunch of them, I want Dorothy's way. And when I just want one, I want it your way, but why choose? Yep. It works great. It's a beautiful thing. Yes.

So anyway, the story that would have been the story had we not had an actual admission from AT&T is Troy Hunt's description of the work he did to verify the data is correct. So that is now in the show notes as related news. But that was for, I think it's interesting to see how Troy Hunt does his work. Like how does stuff that gets into Have I Been Pwned get validated? How do we know it's not just a bunch of hooey? So I always think it's fun to read his description of the work that gets put into, you know, figuring out if it's true before stuff gets added into Have I Been Pwned. We'll peek under the covers. Yeah. While we're in the section called Worthy Warnings, so cybercrime's the thing.
There's money being made and there is a new product for sale. That product is a malware as a service, or sort of phishing as a service, targeting fake Microsoft 365 and Gmail login pages. So it doesn't really matter who your cloud provider is, if it's Microsoft or Google, baddies can buy fake login pages to phish you. And unless you're using passkeys, this will get by multi-factor authentication because it's a real-time proxy. So if it's multi-factor where you have to type in a code, they're yoinking the code in real time. So they're getting to be you for the length of time your session lasts. So they don't get to be you forever. They get to be you for the length of time you can stay logged in. They're stealing a session, not your account. But I don't want anyone with a session for any amount of time. So when you're on a Google login page, look at the URL. When you're on a Microsoft login page, look at the URL. If that URL is not login.microsoft.com or google.com.forces.login, I think it's a Google one. If you're not on the Microsoft or the Google domain, stop, run away. That's not the real login page. And again, if we combine this story with the Twitter story, you see why the Twitter story terrifies me so much. Oh, yeah, yeah.

Another thing I regret to have to tell you, because I wanted to be able to triage this story out of existence, but I don't think I can. I think it's fair to say that many of our NosillaCast listeners may occasionally visit a hotel. And you may be laboring under the false assumption that the lock on your hotel room door has a meaning, that it provides some form of security. I think you should remove that assumption from your brain. In 2022, a major flaw was discovered and responsibly disclosed to the vendors of one of the most common types of smart card locks used in hotels around the world. And now, in March 2024, about to be April 2024, the patch rate is 30%-ish. About a third of hotels have bothered to upgrade their hardware.
So two-thirds of affected hotels are still running the trivial to clone smart cards. It's basically, when you read about how easy it is for someone to clone a card, it's terrifying. So don't leave any valuables in your hotel room. Just assume your hotel room door is broken. Jeez. You know, that's really disappointing, since it's like 30% of the time that my smart card doesn't work to open my door at a hotel and I have to go back and have them clone it, make a new one. Maybe I should just download this Unsaflok thing and do it myself. Yeah, you might have an easier time hacking your own room than getting a key card to actually work. That is ironic. In addition to the possibility that people who listen to this show go to hotels, the chances that you bring tech gear with you that's worth a lot of money is fairly high. That's a really good point here. We don't just go to places, we go to places with cool stuff that you can keep in your backpack.

And then finally, I keep on telling people that when your home router is unpatchable, there's only one place it should be. It's called the recycle bin. As you know, off to electronic waste recycling with it, because it is not safe. To prove my point, a new piece of malware called The Moon, which is an interesting name, succeeded in infecting 6,000 ASUS routers in 72 hours to spin up a new botnet which they were using to power a proxy as a service on sale to malicious types. Which gives me an excuse to talk about one of the other ways in which the cybercrime industry makes money. As well as being able to buy phishing as a service to get into Google accounts, you can also buy a malicious proxy service where what you're buying is the ability to send your malicious traffic through random people's home internet connection.
So it's really hard to block a denial-of-service attack when it's coming from random people's AT&T connection or random people's Verizon connection or random people's Vodafone connection if you're in the UK or whatever. So you rely on having hacked software and hardware in random people's houses. And then you buy access to this hacked software or hardware and you route your malicious traffic through the hacked hardware. So that's what the 6,000 routers were doing. They were being the front end to a crimeware system for routing your malicious traffic through people's houses. Similarly, there was a free VPN app on Google Play that was turning your Android phone into a proxy service because, hey, free VPN. What could possibly go wrong? Let me list the ways. Don't ever get a free VPN. It costs money to route traffic. Traffic is expensive. Bandwidth is expensive. A free VPN, there's a catch. It could be a different catch. It could be your privacy. It could be your security. A free VPN, there is a catch. Just don't.

Moving on to notable news. You say this every time, so I'm just going to say it anyway. This is not a bad news story. It is very tempting for people to spin the Pwn2Own competition as a bad news story. Oh, my God, all of these big things were hacked. That's not the correct interpretation at all. A bunch of ethical security researchers were paid millions of dollars to, well, a million and a little bit of dollars and a Tesla Model 3 to responsibly disclose vulnerabilities to vendors. They now have 90 days to fix their stuff. This is a really good way to incentivize the goodies to out-compete the baddies. All of these vulnerabilities would have been found eventually. The question is whether they've been found by cyber criminals or by the good guys or the goodies. Sorry, I don't want to gender that because I assume only guys can fix these things. So this is fantastic and this is a great success.
So the winner managed to earn, in this case it is himself, Manfred, pretty sure that's a boy's name, $202,500 for hacking Safari, Chrome and Edge. And since that happened, Firefox was patched, Firefox got hacked by someone else, and Chrome have already been patched. The 90 days are more like five days in or something, but those two are already patched, so this stuff works. The Tesla was hacked on day one, but again, that's a good news story because that's been responsibly disclosed. Sooner or later Tesla have 90 days to fix it before it gets released to the public. Also, fixed were Windows 11 on the way to being fixed, shall we say. Windows 11, Ubuntu, VMware, VirtualBox and Firefox. So yay. I noticed you didn't say Safari was patched though. Not yet, but the 90 days are young. Sure. So that's a good news story masquerading as a bad news story, and then we just have a bad news story.

So I remember us talking about something called Onavo quite a few years ago, so I was like, what's the news here? Why is this being talked about again? We already knew that Facebook had this fake VPN product. They were paying teenagers to use it so that they could spy on what the teenagers were doing, and they were using that to figure out who to buy. Basically, of all the different possible apps we could buy to not have to compete on our merit, who should we buy? And that's how they ended up buying WhatsApp, I think, with the help of all of this. Right. And I thought we knew everything, but there's a court case ongoing because there's a bit of an antitrust issue here, and we have now got some documents in that court case. And it turns out we now know that it's as bad as we all suspected, and we have the quotes to prove it. So I don't think I didn't think this was happening, but I am gold at how blatant this is. So if you're wondering, oh, maybe this wasn't their motivation, maybe they weren't trying to be anti-competitive. We now have it in Mark Zuckerberg's own words.
Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we have no analytics about them. Given how quickly they're growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this. That's in order to be anti-competitive. Just pick it up. And in case Mark was just innocent, his head of security wrote an email with his opinion on the matter. I can think of a good argument for... I can't think, sorry, negative. I can't think of a good argument for why this is okay. No security person is ever comfortable with this. No matter what consent we get from the general public, the general public just doesn't understand how this stuff works. Yes! Yes, yes, yes. You cannot in small print somewhere say, is it okay to install a fake VPN that decrypts everything before the HTTPS kicks in? Because they didn't break encryption. They snuck in before the encryption. And so they basically stole the data on device before it got wrapped in the HTTPS wrapper. And one of their small things, so it was called Project Ghostbusters because obviously the Snapchat icon is a ghost, hence Project Ghostbusters. Just in case it wasn't clear from Mark's quote what was going on, we also know that they did it against Amazon and YouTube as well. So they were basically stealing, pre-encryption, people's traffic to Amazon, YouTube and WhatsApp, or not WhatsApp, sorry, Snapchat, to spy, to figure out how popular these services were and how to be anti-competitive and stop them from becoming as popular as they would otherwise. It's just sick all the way down. Like I say, I already knew Onavo was slimeware of the worst order. But it was revealing to see it. The way Facebook used Onavo was even slimier. Yeah. So I thought I already knew how slimy this was, but no, no, it's worse than I thought.
I remember I sent you the article and you said, didn't we already know this from a few years ago? Not in writing. Yeah, the more I read, the more I said, anyway.

I am very sad to report that Mozilla's latest attempt to get a little bit more solidity under their financing has backfired spectacularly. So they've had a VPN product for a while and that was kind of an interesting idea that, well, we market ourselves as a safe-to-use browser, so how can we give a value add? Why don't we do more security tools? And so they started doing a VPN and I'm happy to say I'm not about to tell you something awful about the Firefox VPN. But that same logic led Mozilla to release a new product where they offered a service where you could pay Mozilla to have your details removed from those sort of grayware websites where you can buy intelligence on people, but they all have to offer an opt-out page because otherwise they're illegal, then they go from being gray to black. And it turns out that the partner they chose was someone of very dubious Eastern European origin who was proven by Brian Krebs to be playing both sides of the field. The same person runs services that steal people's privacy and sell the information, and sells the right to pay him to remove the information from the other websites he runs. And they're the partners Mozilla chose. And I'm sorry to say that even the tiniest bit of due diligence should have revealed that. I don't know if it was naivety or desperation, but it shouldn't have happened, and Mozilla do not look good out of this. And that makes me stupendously sad because I want a non-Chromium web rendering engine to be successful. And there's two web rendering engines left standing. There's Chromium, used for almost everything, and Firefox. I really want Firefox to do well. And this made me very sad. Yeah. Yeah. I mean, we don't know that they did anything bad with that, or we do know they did something bad with that.
Well, they paid someone who makes their living by breaching people's privacy. So they helped to... Is it black eye? It's black eye. It's not. Okay. It's just... It may end up making it more difficult for them to launch other security products. Because people have lost faith. Yeah. And that's kind of the area that they have the best chance of getting some good independent finances that is not the Google search money. Because that's kind of what's keeping Mozilla afloat is the Google search money. And that's uncomfortable. So, yeah, I was just sad. I was just sad, really.

Another thing I just want to advise people against, Telegram are offering a way to get free premium service, which sounds cool. But it's not free because nothing's ever really free. So the exchange is not your privacy. The exchange is use of your cell phone number. If you sign up for the service, you get free premium Telegram in exchange for Telegram routing the SMS messages for other people's two-factor auth through your cell phone. What? You pay the SMS bill. Yeah. You pay your carrier to send SMSes on behalf of Telegram to random people you don't know, and they will see your cell phone number because you sent them the SMS code. It's like, let me carefully. Well, I think it's a good idea. Just one little correction. It's just as horrible as you said, but it's not to random people you don't know. It's to friends' email addresses you give them, right? Or no? No, no, no, no, no. You become a service provider. You become a service provider. Yeah. So they use you to send their SMS messages. They're currently paying someone to send. Wow. No. It's too good to be true. It's not free Telegram premium. It's a terrible idea, don't do it. Yeah. Okay. That's terrible.

The second last major news story has a fire extinguisher again. Apart from Spectre and Meltdown, our other eternal friend is Rowhammer. Oh, yeah. Good friend, old Rowhammer.
He's flipping bits in memory by writing adjacent memory over and over and over and over and over and over again, and the electromagnetism basically leaks into the memory between the two rows you're hammering, and you get the changed data in a piece of memory you should have no access to. This immediately falls into the "if your computer's already hacked, then the attackers can" category, which we already know if you're a cloud provider running a service where 500 people share a computer, that's bad. If you're a home user, the only person on your computer is you unless you're completely hacked, in which case you have a much, much bigger problem than Rowhammer. You're already completely hacked. So for a home user, this is a complete fire extinguisher. But even for people running data centers, there are firmware updates on the way, and it's a spectacularly difficult attack to pull off. The only thing that's changed here is that everyone thought that AMD's architecture was immune because they had put in mitigations against Rowhammer. And the smart people in the University of Zurich have discovered that if you do it very cleverly, you can actually do it on Zen architecture from AMD. So they called theirs ZenHammer. So if you heard something about ZenHammer, that's what it is. Even Bleeping Computer, who tends to err on the side of telling everyone to do everything you can possibly do to protect yourself. No. I'm making that sound negative and I shouldn't. Their audience tends to be sysadmins, so they tend to... they would tend to be giving warnings to the people who run servers for other people, and even they say not to stress about this one. Oh, okay, good. So really don't stress about this one.

And then the last one we have is one of those ones which is like, okay, good. Because cyber war is a thing and our world is a bit topsy-turvy. So it makes me happy that the EPA have formed a task force to protect water systems from cyber attacks. Water is important.
It needs to be protected from being full of Chinese and Russian malware. So, good.

And that brings us on to a nice little tip. So Cult of Mac did a nice little run-down of all Safari's privacy features with advice for how to, as they put it, crank up Safari's privacy to the max. So, Safari features just keep appearing. And a lot of them don't default to on because that would change things. So, I don't know about you, but I don't go into the Safari settings all the time. So every now and then I read one of these articles and it reminds me, oh, I haven't poked around in Safari settings in years. What's in here? And so this is my little reminder to everyone to have a little poke in Safari settings and see if maybe you want to toggle a few more things to on. Okay. Safari's pretty good about protecting you, but you do need to toggle something along.

In the Excellent Explainers universe, I talk a lot about the fact that cybercrime is business. You need to think of it as an economy. And Bleeping Computer have an excellent article that explains the economy, who it is, what they're doing, how money is made. So basically, how does the money move that is powering the malware we all have to worry about? And that really helps you understand what's going on. So if you want a good understanding, I highly recommend the linked article from Bleeping Computer. It's a sponsored article, but it's one of these sponsored articles that's good. So a lot of sponsored articles on Bleeping Computer are terrible because they're just a sales pitch from start to finish. This is a really intelligent person who happens to work for a company who wrote an amazing article with one paragraph at the end. It says, by the way, we write a product that helps with this. But the whole article is fantastic. And just know that in the last paragraph was the sales pitch for something of no value to a home user. Enjoy. Okay.

And I have three palate cleansers. I didn't get one from you, Allison, unless I forgot.
It also happens. Sometimes you send me stuff on Telegram and I list, like, oh, yeah, Allison, I'll put them in the show notes and then I forget. I don't think I did. So if you have been wondering, how do I make an app for the Mac? Maybe I should get into that. Isn't that a good time to start learning that skill? Well, Apple have just released a bunch of new tutorials over, I guess, in preparation for WWDC. So if you've been thinking and humming and hawing, why not check out Apple's new tutorials? They walk you through it from soup to nuts, how to install Xcode and take you from there. So some people may enjoy that. Yeah.

With all of the talk of the Digital Markets Act and fines against Apple over Spotify and all of this European stuff, a name you've probably heard over and over and over again is Margrethe Vestager. Or Vestager, I believe is the correct pronunciation. If you're wondering what the human being sounds like behind all of those headlines, Kara Swisher did a fantastic interview with Margrethe Vestager, who's coming near the end of her term. And I don't agree with her on everything, but she is an extremely eloquent person. And I really, Kara doesn't, you know, Kara asks the important questions. She's not shy. She doesn't feel like, oh, I must ask her softball questions and the poor guest might be cranky with me. Kara just asks the question. So it's a wonderfully open interview. And Margrethe Vestager is Scandinavian. So she has that Scandinavian thing of, don't sugarcoat things. Just tell me what you think and I'll do the same. And so having two frank people have a frank discussion is very enjoyable. And it will make sense. Is she a regulator or just like just a tech person? Who is she? She is one of the European Commission's commissioners. So she would be in the part of government that is a political appointee in the American system. So you know the way the person who heads up NASA is appointed by the president?
So they're not elected, but they are political-ish. So she is appointed by politicians. I'm confused by the text of what you wrote. You said she's a lead tech regular. Do you really mean she was a regulator? Yes, I do. That was an autocorrect. Okay, good. Yeah, yeah, no, that's fine. I was just trying to go and like, she's just like one of those people in the know, but no, she's a regulator. Got it. She's a regulator. But she is also one of those people in the know. And you've probably regularly seen her. But anyway.

And a very different interview. There is a podcast, one of our NosillaCastaways, recommended to me many, many, many years ago called The Changelog. It's very nerdy. It's a bunch of JavaScript developers who talk for... They just talk. They just get together once a week and talk. You sort of feel like you're sitting in a conversation down the pub or something. And sometimes their guest is someone I care about and sometimes it isn't. So I dip my toe in every now and then. But there are often people who have a big impact on the stuff I care about, but who I would never have known as a human being. So iFixit. They're always coming up in our headlines, right? They're very big proponents for the right to repair. And they love stripping apart every new Apple product before you even had the chance to buy one to use it. They've already destroyed one and taken pictures. They've been known to fly to New Zealand to get it before like the first, when the thing drops. Right. Yeah. Because they beat the time zone like it's New Year's Eve. Yeah. So iFixit was set up by a guy. Well, that was the guest on The Changelog. It's an hour to two hour conversation with the iFixit guy. His passion. It's just a really fun conversation. And given how much, how often I see that iFixit name, I thought, oh, I'll have to listen to this. I did. I thoroughly enjoyed it. I still don't agree with him on where the balance lies between right to repair and right to secure.
He is of the opinion that all parts pairing should be illegal. And I'm of the opinion that most parts pairing should be illegal, but stuff like the Face ID sensor, the Touch ID sensor, that should be not only not illegal, but maybe it should be mandatory that it warn you if that's not legitimate. But I agree with him on 90 percent. It was a really fun interview. That's really interesting. I know a lot of people are big fans of iFixit. Yeah, exactly. So anyway, that's it. That is my three palate cleansers.

But of course the summary version of our entire conversation is always the same. Remember, folks, stay patched so you stay secure. You can also support the show. Did I mention that? At podfeet.com slash patreon. Or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, don't look for it on April 7th because there is no live show on April 7th. Instead, you'll have to wait till April 14th to head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.