Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, September 3rd, 2023, and this is show number 956. While we finally have the announcement date for the next Apple event, it will be 10 a.m. Pacific time on September 12th, and as always, our chat room will be open for everyone to join in the fun of bantering back and forth about what we see and hear. You can join that chat room at podfeet.com/chat. Now there's a little bit of bad news. Steve and I will be on a plane during the announcement, and we probably won't be able to join in the fun. I mean, it's possible we're gonna be on a plane, that you can pay for Wi-Fi, I don't know if you can pay to watch the video, and being in the chat room without knowing what everybody's talking about, that might be sad, so I don't know whether we'll be there or not. But I'm not too sad about it because the plane will be taking us to Texas to meet our sweet baby grandson, Teddy, for the first time. As always, we will make sure that people are in charge to keep you all in line, and I think I've dedicated Sandy to being in charge of making sure everybody behaves themselves in the chat room. Now we've never had a problem with anybody misbehaving, anything beyond maybe what Kevin does in the chat room anyway, but it's good to have someone in there who can moderate just in case. Well, this week on Chit Chat Across the Pond, Bart Busschots joins us for Programming By Stealth again with the final installment of our mini series on Bash. He explains a few new concepts, but the real value of this installment, and especially his fabulous tutorial show notes, is that he compiles a lot of information into some tables first used as a reference for the future. As with all good programming, Bart is scratching his own itch. He wanted a single place to go to know which brackets mean which thing and which ones you have to cuddle versus not cuddle.
He also wanted a table of the order in which Bash processes the seven distinct types of expansions. So we're closing out Bash, but Bart has a new mini series on the horizon for us all to look forward to. Well, it's the time of year when the wild and unsubstantiated rumors about the new iPhone and Apple Watch are resolving into slightly less wild and more substantiated rumors. In less than two weeks we'll know what's coming, but the frenzy doesn't slow down just because we'll know soon. One of the rumors is that Apple is going to eschew the stainless steel rim around the iPhone in favor of titanium. The Apple Watch Ultra comes in titanium, but they don't tell us which titanium. They only call it aerospace grade titanium. As a mechanical engineer in my day job for many years, I had the opportunity to choose materials to build things. So I know a little bit about why you'd make the trade off between steel, aluminum and titanium. And better yet, I feel the need to share a bit of what I know. Metals have a few properties to consider. In military devices like what I worked on that often went on aircraft and in commercial electronics like iPhones, a big consideration is trying to make the devices lighter without sacrificing strength. Now weight is a function of how dense a material is, which is mass divided by volume. In metric units, we use grams per cubic centimeter to define density. So let's take a look at three materials and see which ones we should use to make our proposed iPhone based entirely on density, so it won't weigh down our purses so much. We're going to compare three metals. First, aluminum alloy, which is a blend of aluminum with just a dash of magnesium and silicon. For the nerdy amongst you, I'm going to be using 6061-T6 specifically, but don't worry your pretty little head about that if you're not into material specifications. I like this one because I actually remember specifying 6061 on my drawings back in the early 1980s.
Our second material is going to be stainless steel, and in this case, I'll be using 301 for the properties I'm going to be quoting. Finally, we'll be looking at titanium, and I'm going to be using Ti-6Al-4V. The Al and the V stand for aluminum and vanadium that help to make the titanium alloy. Now, as I said before, Apple simply says aerospace grade titanium, and the ASM folks that I'm going to be quoting say it's good for blades, disks, rings, airframes, fasteners and components, vessels, cases, hubs, forgings, and biomedical implants. That sounds like it's probably good enough for our uses, right? My main source of data for this exercise is from asm.matweb.com. ASM stands for the American Society for Materials, and I gotta say, I bet their conferences are a hootin' good time. Now, I'd also like to point out that I cross-referenced as much as I could from the book my father gave me shortly after I graduated from college. The book he gave me, when my mother wanted to give me a dress of all things, can you imagine? Anyway, the book is Marks' Standard Handbook for Engineers, eighth edition published in 1978. I think they're on the 11th edition now. The specific table I used for cross-referencing the materials information is on page 6-11. I wasn't able to cross-reference nearly as much as I'd hoped, as apparently materials have advanced since 1978. Okay, with my sources duly referenced, let's get into the good stuff. If we look at the density alone of the three materials we've chosen to try to find the lightest one, we find that the aluminum alloy has the lowest density at 2.7 grams per cubic centimeter. Steel comes in at over 8 and titanium comes into the middle at 4.4. Clearly, we should use aluminum for our fantasy iPhone because it has the lowest density, right? Slow down there, Skippy. There's more to the story than just the density. What if aluminum isn't as strong as the other contenders for the same volume? Don't you want your iPhone's frame to be strong?
One measure of strength is called ultimate tensile strength. I love that name because it sounds like one of those shows with people fighting for physical supremacy, doesn't it? Well, strength is measured in freedom units in PSI, or pounds per square inch. But in the rest of the world, it's measured in megapascals. Now, a pascal is one newton per meter squared, and a newton is one kilogram meter per second squared. I bet that's way more than you wanted to know, isn't it? Sorry, I couldn't help myself. I did think about multiplying out all the units and figuring out the full thing, but I'm not going to do it because we're going to want to get back to the plot at hand. OK, so how do our three materials measure up in the ultimate tensile strength contest? Our previous fan favorite, aluminum, comes in at a paltry 310 megapascals, while stainless steel comes in at a strong 862 megapascals. But don't count out titanium yet, though. It finishes with a winning 950 megapascals. It's more than triple the ultimate tensile strength of aluminum. So now we have a quandary. While aluminum has the lowest density, titanium is the clear winner when it comes to ultimate tensile strength. How do we decide? Well, the answer is to calculate the specific strength. You're going to absolutely love this one. The unit for specific strength is kilonewton meters per kilogram. I am not making this up. Now, while the units are clearly getting out of control, calculating specific strength is trivial. We simply divide our old friend the ultimate tensile strength by the density. Our three contestants, aluminum, steel, and titanium, come in with these final stats for specific strength. Aluminum alloy 6061-T6 gets 115 kilonewton meters per kilogram. So 115 for aluminum. Stainless steel comes in second at 107 kilonewton meters per kilogram. Titanium, though, wins the battle for the materials at over 214 kilonewton meters per kilogram.
Now that we know that titanium is the clear winner in the materials battle, what does this really mean? If Apple chose titanium for the next iPhone, they could keep the exact same frame design and swap out the heavy but relatively strong stainless steel for titanium. Since titanium is less dense, the same size frame would be much stronger. Alternatively, they could choose to make the frame thinner while maintaining the same strength. But the last thing to take into consideration is cost. Titanium is a lot more expensive than stainless steel for a couple of different reasons. First of all, titanium is rarer than the elements required to make stainless steel, so the materials cost alone would make the phone more expensive. Titanium is also much harder to machine. Now, machining the same iPhone frame out of titanium would increase the cost of making the device. We've heard rumors of an increase in the base price, and this could be one of the reasons why. I don't know what Apple will do with the next iPhone, but I hope you enjoyed my little lesson on why titanium might be in our future for more than the Apple Watch Ultra. Let's cleanse our palate from all of this material science discussion with a little conversation from Jill from the North Woods. She's gonna join us to tell us about three microphones she's been using. Now, I want you to listen carefully to this because as she introduces each microphone, she's actually switching to the mic she's telling you about. Hello, this is Jill from the North Woods. When I got started in podcasting, Allison was so great, helped me in so many ways, and gave me advice on things I knew nothing about, including microphones. The first microphone I owned came as a recommendation. It was the ATR 2100. This microphone, as she told me, built the podcasting world. It was the one that many people started with, and it was something that was widely available, low-cost and sounded great. I jumped all over that. 
That was exactly what I was looking for. Am I gonna like podcasting? Am I gonna keep up with it? Or am I just gonna quit as soon as the pandemic's over with? So getting a low-cost microphone that is reliable, durable, and has been proven to be great for podcasts was right up my alley. And so that's what we're gonna talk about today. My tale of three microphones that I own, and maybe it'll help you pick the right microphone for what you're looking to do. So here I am on my ATR 2100 microphone, my first microphone. Don't you always remember your very first microphone? I know I will. This is made by Audio-Technica, and it is, again, the microphone that started the podcast movement. It has both USB and XLR. That's why I liked it so much too. Allison said I could use it everywhere. I could plug it directly into my Mac, and then when I get to be a sophisticated XLR user, I'll be able to plug it into an audio interface. So it has everything. This is a dynamic microphone, and honestly it worked great regardless of where I plugged it in back in the beginning of my podcast, when I plugged it directly into my Mac. Now that I have a Scarlett audio interface, it also works great. It has a microphone jack right on the microphone so that you can plug your headphones in and monitor, which is important, so that you can hear what noises are coming in, how you sound, and it helps to get rid of all the extra noise that's not directly near the microphone. So you can hear things that are coming in close to the microphone, but it drastically falls off when I back away or I go side to side. It helps make sure that your podcast sound is very quiet, has a nice on and off switch, which is great in case you wanna make sure you turn it off. And again, it's very durable. You know that this thing is just going to outlast everybody. I felt in the end that it made my voice a little bit pitchy. Maybe we'll hear it on this podcast. Maybe it was just my imagination.
So I ended up deciding to move to my next microphone, which I also got based on Allison's suggestion. It was the Shure SM58. And the reason I got this microphone is it came with the Shure MVi digital audio interface. This was gonna be my next step. It gave me the ability to plug in an XLR cable. It also had a mute switch, which I really wanted to have. Allison talked about the power of having her mute button, compression, gain control, how much you're gonna boost the sound, mute and that volume. It also has what is called phantom power, which helps again, power the mic, which makes sure that your sound is loud enough without boosting the gain too much. I'm not gonna get too nerdy in all of this. But I wanted the interface, and so this mic came with it. And I did end up in the end liking the sound of my voice with this microphone a little bit more than I did with the ATR. With the ATR, I thought it was a little bit pitchy, but this one seemed to have nicer tones. I liked the darker tones of my voice too, and I thought it enhanced those tones better. Then that led me to buying the Shure MV7 podcast microphone. The reason I got this one is first of all, it was a lot cheaper than the very high end version, the SM7B, which is probably the most expensive of the Shure microphones used for at least podcast recording. But this has a pop filter built into the microphone, and it allowed me to get away from all the contraptions. I felt like I kept whacking into things and making a mess and getting whacked in the face with the pop filters. This doesn't need it. So this was allowing me now to have more control over my voice. It sounded great. I thought that this had such a good tone to it, like the SM58 and the ATR 2100, my other microphones. This is a dynamic microphone. They say it's broadcast quality. I think the other ones were good broadcast quality too, although I did like my voice the best on this one.
Again, I'm probably gonna listen back to all these recordings on these different microphones and find out there wasn't any difference between any of them. This also has the XLR or USB interface on the back end so I can plug it in directly to my Mac or I can plug it in to an audio interface like the MVi or the Scarlett interface. And that way it will be able to get that better sound which some people say you have when you're using the XLR cable versus the USB cable. But after doing some research for this particular podcast, I heard a lot of people say they heard no difference between the two. Now, again, I'm not an audiophile. I'm not a sound engineer, just a normal nerd trying to put out a podcast. The microphone itself has some level controls on it, some volume. I can see whether I'm peaking directly on the microphone, although it's kind of weird because if I'm looking at the microphone, then my face isn't in the right position to actually talk. So I haven't found that to be too useful. And it also has the ability to plug again, monitoring headphones into the bottom of the mic. The mic also has a mic mute but it's easier for me to control the mute through software than it is through actual buttons on the microphone. Primarily because, again, you're looking at your material that you're talking about on your podcast instead of looking at the microphone itself. It has an interesting sort of a swivel mount to it. The other microphones were just kind of your standard stick microphones that go into a bracket. This one has a little bit of a curve to it. There'll be pictures in the show notes. And so it allows a little bit more, what they say, versatility because you can kind of tilt it and angle it. I found getting those other two microphones to be in the right position sometimes a little tricky, but with the way that this mount works, I can easily tilt it and angle it exactly how I want to angle it. People say that it has good tones. I thought so too.
Again, I thought my voice sounded better in it. When it comes to all the Shure microphones, the SM7 and this Shure MV7, you can use the MOTIV app, which comes on Mac and on iOS, plug the microphones directly into those devices using USB, and you have some onboard controls. You'll be able to change how much gain is coming into the mic. And it even has some EQ settings and doing some other types of voice warming, other kinds of settings that you have only when you're using these mics in a USB situation, like plugged directly into your Mac. And I thought that was neat how you had all these settings, but as I was doing more reading about it, people were saying specifically not to use those settings, primarily because whenever you change a setting on the recording side of things, it's what they call destructive, which means you can't get it back. So if I were to limit my tones, change my tones on the mic itself, using the software, I can never get back exactly what it did. If I change those tones in the editing process, using something like the filters that come on Hindenburg, some filters that exist through Apple, and something like iZotope, where it allows you to edit your audio, get rid of breathing and other types of problems, those types of edits are not destructive, which means if I went too far, I noticed on some of my podcasts, the last syllable of my words were getting clipped, I could go back and fix that and try to make it better without actually destroying the recording at all. So you have a lot of editing power. The only time they say that you should use these various Shure settings is if you're recording something and you're not gonna have time to do any editing, they're pretty darn good. So if I'm gonna do an ad hoc podcast on the road and I'm immediately gonna post it and send it out, those settings on the microphone are gonna be great for giving me a better sound without doing any editing.
So this is my favorite mic, I really enjoy this mic, and I have no urge to buy another mic, thank goodness, than the one I have. So there you have it, my tale of three microphones. Hopefully it gives you a good idea of maybe what kind of microphones you want. Even if you're interested in other brands, you can see side by side what different levels of microphone sound like, what kinds of things a more expensive microphone will give you, and whether or not it's worth taking that leap going from USB to XLR, those are those big, thick cables, and whether it's worth your time. And I hope this review helped you in deciding what kind of microphones maybe you wanna get. Do you wanna spend money or do you wanna stick with the microphone you have? It's a complicated and trying dilemma when you're trying to have a podcast that sounds really good. And if you have any questions, you can always look at the blog articles on Allison's website or email me at jill@startwithsmallsteps.com. Thank you very much for listening and let me know what you think. When I normally talk about how to support the show, I talk about the heroes who donate money to help cover the costs of the podcast. But today I wanna highlight a real hero and it's Jill from the Northwoods. She contributes regularly with content like what you just heard and really comes through for me to be able to make sure that I can take a break from time to time. You just heard her excellent review of her three microphones. She's got another mic review coming up and she's also recorded a segment about a really nifty tool called Notion that she's been teaching to me. Now, she has two podcasts of her own and she works full time and yet she steps in to help you have a great show when I go off on travel. If you'd like to be a hero like Jill, pick up a microphone and tell us about some cool tech you enjoy. I have at least four more mini trips planned in the next few months so you have lots of opportunity to help out.
Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Looks like meaty show notes this week, huh? They are, but a lot of it is basically me having the freedom to put in stuff that was cool rather than ooga, ooga hair on fire. So I prefer these kind of full show notes. Okay, okay, that's good. I was a little worried when I saw so many deep dives, but I love a deep dive. I'm focusing on them much here. I'm giving them, I'm biased towards them in the good kind of bias. Well, it's fun because it's context. It's not just a listing of facts. It's context and why do you care and why do you not care? Yeah, which is kind of more important, I think, because I was thinking about this and in the early days of this segment, we used to, it used to be the case that there were people in our audience who we had to catch their attention and say, oh, if you meet blah, blah, blah criteria, you must dot, dot, dot. It was like we had to reach people so they could protect themselves. But nowadays, if you just keep your machine in its default settings, it's out to protect you. And so it's a long time since we've said to people, drop everything. If you do this, you must do whatever, which is great, like it's matured. And so now we have the freedom to talk more generally, which is nice. So we have a section called Feedback and Follow-Up where we talk about stories, but I want to feedback and follow-up on something not in this segment. Cheater. Yeah, kind of, but related because it deals with the microphone dropout issue we had and a fantastic segment contributed by one of our amazing NosillaCastaways. So yeah, so it was in the last week's show. It was actually already played so that is sort of already heard it. But I was blown away by just, A, by the quality of the presentation, B, by how cool the physics is. The idea of- So this was by Andy Dolf, by the way, is who he's talking about.
Yes, and yes, in last week's show, which is number something, well, we should link in the show. No one knows, and certainly not me. Fair. But just, with my physics education, just the experience of when you take the signal and you invert it and then you take it away from itself and all the noise disappears and I was like, oh my God, that's amazing. That's just so clever. Yeah, and- I love that explanation because it accounted for two things, not just why your audio dropped by 50% but why when Auphonic boosted it, why was it so noisy? That didn't make any sense to me. Why didn't it handle the noise floor? Well, it's because it had more noise, it had that induced noise and I didn't realize that was induced noise either. Yeah, so because it's, you send the signal twice and one of the two copies goes away, that gives you the half, the half the volume. And because it's not doing its magic, cancel the out thing, yeah, there's all the noise and then you're of course being forced to amplify the half quality signal. It's kind of hiding to nowhere there. So I believe it is not my cable, I believe it was a loose connector, which is of course going to have exactly the same effect because the electrons were not flowing on half of my wire. I wonder, because there's four pins, would it have to be two pins that weren't connected for that to happen? Maybe Andy will come back and tell us more. Yeah, because what would it be, if what Andy described was for our channel and there are two channels, wouldn't that mean four pins? Right, but I'm saying in order to cut it in half, would it have to lose two pins? Or would just one pin not quite connected? But the way I do my audio, you only get one channel from me because I split them in half, I go on the left, you go on the right. So I think there's only one channel coming to you. I have no idea. F, anyway, yeah. Yeah, Andy, help, we're still, even though we're the podcasters, we're still the ones who are lost.
Now the thing to know is, Bart is not being recalcitrant and refusing to buy another XLR cable because they aren't that expensive. The problem is that the boom arm that he purchased, and we'd like to try to blame Allister for it, but it's not entirely Allister's fault. Allister recommended a boom arm and did a review for the show and Bart bought the more expensive version, but the more expensive version has the XLR cable fully encased and I didn't believe Bart. I made him help me and actually Allister helped me find the exact boom arm he bought. And sure enough, the website for this boom arm says, cut the cable off, solder on a new connector, like, because you cannot get the, you can't get the cable out. It's completely encased and they call this Deluxe. Yeah, and they call this the Deluxe model. If I bought the cheap model instead of the Deluxe model, I would have had a better arm. Yeah, hopefully it's not the cable because if it is, it does end up being the cable and we recorded a full show yesterday and other than some other kind of weirdness involved, no audio dropouts. So maybe hopefully it was just a loose connector. My suspicion is because the day before while I was in this office for work, I accidentally swung my backpack into my boom arm and I think I actually knocked it, the connector, and when I went to fix it, what I actually did when it fixed itself was I reseated the connector. So, can I open the connector? Yeah, but it happened twice over the course of a week or so. The other thing, right next to the connector, like right next to the connector, is a twiddly knob for a hardware gain dial. And when I moved that, it felt wrong. It's kind of hard to describe, it didn't feel, it felt like the twiddly correctly. Yeah, it just felt wrong. And then it sort of snapped into a new position where it felt not wrong. As if it was, you know the way they're spring loaded? It was as if when I banged the mic, I had actually dislodged that in a bad way.
Anyway, it all feels right and it was fine yesterday for an hour and a half and I'm touching nothing. Allison's watching the mic, I mean, really careful not to stick my hands in the mic today. Put your hands down. I'll have coffee, I'll hold my coffee. Anyway, yeah, thank you very much, Andy. That was terrific, I really enjoyed it. And as I said last week, I had Alyssa do it twice, once alone and then once with Steve. And Steve was just nodding his head the whole time, having a background in signal processing and stuff. He was like, yep, yep, yep, this all makes sense to me. And I was cycling along with my physics head nodding along going, cool, cool. So yeah, nice one. So we have some follow-up, follow-up more traditionally. We talked last time about the app NightOwl turning naughty and of course, as always happens, the day after we record, I read the best summary of the whole saga with all of the detail and exactly what happened. The bottom line is we were correct. It's a slightly more nuanced, if you care. It wasn't explicitly a bot in it, but it's a really dodgy, like you, look. We said uninstall it, uninstall it, but if you're- And Apple- Exactly. So that was double proof. That was double proof, exactly. He was selling access to a service that is officially legitimate, but everyone knows it's not. So you can buy a service where you get a proxy that is people's home IP addresses, which means it's not easy to block people who use this proxy. And that proxy, those kind of proxies have one use and one use only. It's for doing denial of service attacks because you appear to be coming from domestic IPs. So everyone knows these services, they're only used for evil purposes, but they are technically speaking legal services. It's just a web proxy. But anyway, icky, icky, icky, uninstall, uninstall, uninstall.
We also have talked quite a few times in recent years about Apple's very controversial and then abandoned sort of attempt at doing a hybrid version of scanning iCloud photos. They didn't really want to scan your photos on device and they definitely didn't want to break their end-to-end encryption and scan the photos in the cloud. So they sort of said, well, we won't scan them until after you've configured it to send it to iCloud and then we'll scan it on your device between it being sent to iCloud and it actually leaving your device. We'll do it in that little gap. We just technically sit on your phone and it was very nuanced and they got a lot of people who were pro child protection praising them and a lot of people who were technologically minded and pro security, encryption and privacy shouting stupendously loudly and in the end they went, yeah, never mind. And they just, they did other things, but they didn't do that. And now out of the blue, a new group has formed with a fairly substantial budget and they have decided to go make a lot of noise to try to pressure Apple into starting it up again. And Apple answered with basically, this was a bad idea, we abandoned it for a reason, we're not starting it up again. So they went, fine, now we're having a big campaign against you. Ugh. So we shall see what happens. What's a campaign? Well, they march around with signs or... Oh, media and stuff, right? You only get them on Twitter or, okay. Yeah, so media campaign, contacting politicians, I am sure it's massive lobbying going on, right? Cause that's how you get companies to do things. You make politicians shout at them, hold them up in front of the committees, that kind of thing. So we shall see where it goes, but yeah, there is money behind it. So some stuff will happen. And that's what's going on. Anyway, deep dive number of the first. So there were a whole handful of stories and this happens every August.
There, none of these stories individually are really all that exciting, particularly when we apply the filter for this show, which is I'm supposed to be telling you things that are useful to regular folk about security. And none of these stories are anything anyone needs to worry about. But all of these stories made the media and they made the media with fairly shouty headlines in some cases. So maybe people are worried about it because they didn't hear about it. And if it was just one, I would have went, yeah, well, they forget about it, but there's loads of them because August is a special month in the security calendar. It's when loads of the big conferences are on, including DEF CON and Black Hat. And so even, so a lot of stuff happens at the conferences, but even security researchers who don't make the conference, they still like to release stuff at this time of the year because the media's in a security mindset. And frankly, there's very little else happening in the world. It's the middle of what the media call the silly season. So it seems to be a good time to release security stories. And of course, if you can wedge the word Apple into your story, you will get headlines. So I thought, well, why don't we look at these stories? And because they are all like, it's really good computer science. It's not that these stories aren't worthy of an audience. It's just they shouldn't be in the news feeds of regular folk trying to make them think something scary is happening because there isn't anything scary happening. It's just good computer science happening. And if there had been good, had been actual stories of bad things happening, these probably wouldn't have made the news because they'd have had something else to talk about. Yeah, exactly. So like double anything you read on April Fool's Day. Kind of, yeah. And like I say, these stories are not true. They're just, there's no need to worry.
And they are often interesting because again, these are what's going on in the cybersecurity world. And some of these may someday develop into a problem. And if they do, then I will tell you to take some sort of evasive action. But for now, you know, first takeaway, don't panic. Listen, enjoy, but don't panic. So the first bug that caught my eye was one in, it's one of these bugs, which the Mac does its very best to protect you even when malware is already on your machine. So it goes kind of above and beyond normal security you would have in most operating systems and tries to give you an extra layer of protection. And so a lot of the times when security researchers break Apple stuff, they're breaking this extra layer. And that's not good because you want the extra layer because you want defense in depth. But because you have defense in depth, just breaking that extra layer doesn't really end up with an ooga, ooga, ooga. So the actual story here is if you already have malware on your computer, which is already a very bad start to any sentence because you kind of already have a problem, but if you already have malware on your computer, it will be no more secure than a fully patched Windows machine because the extra layer of security can be bypassed. Well, it's not good. And we should, you know, it's good that it was discovered. It's good that it's been detailed. It's good that Apple have the facts to help them improve the design of their future OSes. But it's not set your hair on fire. It's like Apple had extra protection, now they just have normal protection. Okay, I guess that was the point of extra. So we've talked about that before as there being a moat and a drawbridge. And so maybe the moat got breached but the drawbridge was still there. But why do you say it's only as protected, without that extra layer, it's only as protected as a fully patched Windows machine? Are you saying Windows doesn't have extra protections? I would imagine you do.
It doesn't have, no, they do. So the Mac has inherited slowly the iOS style deep sandboxing between apps and Windows hasn't inherited that. So Mac apps- Okay, so the specific type of extra layer. There are extra layers on Windows certainly. Sure, but I'm not aware of a layer that Windows has that the Mac doesn't. But I am aware of layers that the Mac has that Windows doesn't, which is why I say extra. I got you, got you. Okay. So certainly Apple will go, the nice thing about this is Apple will go after it, right? Right. And the other thing is, so this has now been described and at the moment, there's no actual attacks of any kind against this vulnerability. And should there ever become some, Apple have things in place to block developer certificates and so forth. So if you make sure to keep XProtect turned on and if you don't install random stuff from random parts of the internet, the chances of this affecting you are effectively zero. But it's important that this is known about because if it isn't known about it can't be addressed. So again, it's good computer science but don't set your hair on fire. Another one that's kind of interesting was from the guys over at Jamf. So Jamf is a company that do powerful sort of, I would say corporate level but that's not quite the right word because they're very heavily used in education as well but they do management of large fleets of Macs. If you have many Macs that you need to look after, Jamf is an amazing tool to help you do that efficiently. And they have a lot of really good nerds in the best possible sense of the word working for them. And they also do a lot of stuff in the area of security for obvious reasons. And they came up with an interesting set of attacks where they basically poked around inside of iOS and they found the various unpublished APIs that the operating system uses to control the display of the little airplane icon when you're in airplane mode and those kind of things.
And on a jailbroken phone where they already installed malware, they were able to make it look to the user like the phone was in airplane mode while it still had internet access. Oh. So the theory is if you were doing some really targeted malware against someone who was particularly valuable and you managed to use one of these grayware things like Pegasus to get yourself deep access into this person's phone, they would be the kind of people who would turn the phone into airplane mode when they were trying to do something they wanted to be sure was definitely not being spied on but you could make them think you weren't leaking any data out when you were actually leaking out their data. So for a very small subset of people, it's important that this be known about. What we don't know is basically the research starts with assume you can run any code you want on an iPhone which again is why it's don't set your hair on fire. This doesn't get the attackers to that point but it is really interesting that it is possible when you get to that point to play these kind of shenanigans. I imagine Apple's lockdown mode is going to harden those APIs because now that Apple have been told that we can mess with these APIs in ways you didn't expect. Well, the cat and mouse game just flipped over now and now it's basically saying, right, Apple, over to you. Now you need to make these APIs more robust so that we can't play these shenanigans when we managed to get arbitrary code execution on the iPhone. And maybe that's actually the real takeaway. It's a cat and mouse game and there's batting over and back between the cat and the mouse. So that was interesting. Yeah, that is an interesting one. I wonder whether it just shows the little airplane mode icon lit up but if you went into system settings, Wi-Fi, would it show that Wi-Fi toggle is being off? I was looking through the article to see if I could tell. 
Basically, if you go into the Settings app, you won't be fooled but if you only use the pull down. So you know the convenient pull down? Right, from Control Center. From Control Center. So Control Center is fully fooled but the Settings app is zero fooled. But I'll be honest, I rely on the pull down. You know, I do but I swear about 95% of the time I still have to go into the full Settings to do something. I mean, if I had just done that, if I'd said airplane mode, I don't know. Yeah, that's an interesting one though. Have you discovered that very, very many things in the pull down when you press and hold give you a deeper pull down? Yeah, but that's exactly why I end up going into Settings is because it works so badly. If I, so if you're, let's say my iPhone has connected to the wrong network in my house. In theory, I can hard press on the little Wi-Fi icon and then I can press again and select a different Wi-Fi network. But what it always, always, always does is just turns it off. I mean, I press and hold, I try really hard. I have on occasion succeeded in getting it to give me that menu but almost every time I try to do it, it just turns it off. So it works poorly. So I end up going into Settings. Interesting, because there was a time before I realized that you could tell the Mac the order of importance of networks where I was going in there once a day every day and I did it through Control Center every day and it worked reliably for me. To switch networks, you're saying? Yeah, because basically I'd come home and it would pick the wrong one. But if you go into your Mac and reorder them by dragging them around, the iPhone obeys because iCloud syncs it. So once I did that, I haven't had to do it in ages and now it behaves correctly. Here's another hot tip while we're in the middle of that. Press and hold in the middle of that entire box, the one that has the airplane and the cellular and the Wi-Fi and the Bluetooth.
If you press in the middle, then you can see all of them and you actually get more information. I think I did this as a tiny tip but you can also get, that reveals two more, Personal Hotspot and AirDrop. So you can change AirDrop to Contacts Only, or temporarily Everybody. That's actually really important now that Apple have defaulted AirDrop to turning off after 10 minutes. That's just become extra powerful. I got a tip from a tour bus driver in Brazil. He said, I want to send you guys all this photo of the Iguazu waterfall during three different conditions that I put together. Here's how you turn on AirDrop for everyone, and I just cracked up and was like, I didn't know that. That's cool. That's cool. Excellent. That's interesting that someone who deals with tourists is really good at moving files around between iPhones. That's, yeah. I see how they would get that extra piece. The Android people were just sitting there with their hands folded looking sad, not getting anything from anybody. I felt bad for them. All right, moving on. The next up then, we're back to macOS for this one. So macOS Ventura introduced a new notification that I think most people mentally tune out. When you install an app that runs in the background, you get a little notice saying, such and such has just installed a background process. And I think most of us ignore those pop-ups completely. Well, it is possible to make something run in the background and not give the pop-up. Oh, okay. So, again, Patrick Wardle discovered this one, which is, I love the fact that he's still doing his thing. And again, it has now been shared. Therefore, Apple can tighten up that API and stop the leakiness around the edges of the API. And then the last one is an interesting, the last one is potentially one that everyone should be kind of aware of, but I wouldn't worry about it too much anyway.
So, at DEF CON, and it's always fun at DEF CON to try to do something practical, because everyone at DEF CON knows that everyone at DEF CON is hacking everyone at DEF CON. And so everyone at DEF CON is trying not to get hacked. They invented something called the Wall of Sheep in the early days when people didn't really realize passwords are floating around in plain text. And it was a giant big screen where every plain text password on the network was displayed on the screen. And you could basically see your username with your password. And if you ended up on the big board, you were a sheep, the Wall of Sheep. It was, yeah, it's great fun for awareness of why HTTPS is everywhere. So it's always fun when a researcher can do something that affects people at DEF CON who have their phones locked down and who are doing their absolute best to be secure because they know everyone's trying to hack everyone and still succeed in making something unexpected happen. That will always get attention because it's cool. So you may or may not know that if you bring your iPhone physically close to an Apple TV that's in setup mode, your iPhone will get a pop-up telling you to configure the Apple TV, which means this is way easier than the old way of doing things. And that's done over Bluetooth protocols. And it's triggered by proximity. So the researcher wondered, how hard would it be to pretend to be an Apple TV? And to start triggering these pop-ups on random people's phones, and what equipment would I need and would it be expensive? Now it's not pretty, but he was able to jury-rig together a rig for about $60 that, over a much bigger distance than you would expect because it boosted the Bluetooth signal, was able to make the pop-up appear. And it's in theory, he thinks you could manipulate the pop-ups to make it give you the one asking you for your password and to possibly intercept that password.
So hypothetically, if people were inclined to type their password into a pop-up they weren't expecting and a TV that isn't theirs, maybe you might get a password. So imagine planting one of these in a hotel next to a real Apple TV. That might be a scenario where you have a chance, yeah. Yeah, just like I say with a bit of playing with it, where you're expecting to try to talk to an Apple TV and it says, oh, you got to give me your password first. Oh, okay. I think if you didn't have an Apple TV as part of the intention already, it would be unlikely to be a little harder. Yeah, the social engineering is a high bar. You have to be clever, but I like your idea. Yeah, that's, you're thinking the right way. You're thinking like an attacker now. Evil. Yeah. But like I say, yeah. So like I say, no reason to panic, but this is going on and it's part of the normal process of making all of these things more secure. This is how it works. Sausage being made. So deep dive number two is me having a little bee in my bonnet and deciding to treat this as an opportunity to remind us all that clickbait is everywhere and a lot of the clickbait is factually not incorrect, but nonetheless deeply misleading. And so I picked a story that just made me cranky because if it wasn't the silly season, I don't think it would have been a big deal, but it was everywhere and it's harmless in the sense that no one's going to die and it's not going to be the end of civilization. Of all the things doing the rounds in the news that are clickbait, so much of it is so much more ick. This one is like, this is a good example. Let's just have some, let's just dig into this a little bit. So for a couple of days, I couldn't turn on my phone without reading a headline somewhere that our Apple Watch and our Fitbits were going to kill us all because of bacteria and their headlines. There is truth to this story.
Some genuinely good science was done and there are interesting results and I'll get to those in a minute because I actually think we can learn something from this. But I'm going to start with the headlines because goodness gracious me, are they completely off the wall? "Apple Watch, Fitbit wristbands carry shocking levels of bacteria: experts." Now, shocking would appear to be what the experts said. So I decided, let's start at the journal paper because it's public access and we can read the whole thing and do a little Command-F and look for the word shocking. It is not in the paper. So the experts did not say it was shocking. The other word they kept on coming up with was hotbed. "Apple Watch and Fitbit wristbands are 'hotbed' for harmful bacteria, study reveals." Now, they actually use quotation marks around the word hotbed. So do you think when I did a Command-F in the journal paper, the word hotbed was in that journal paper? Of course it was not. That to me is deeply misleading. That must be contagious though because we also have "Apple Watches and Fitbits are 'hotbed' for harmful bacteria that cause 'nasty sores, boils and toilet trouble'." Neither of those quotes are from the journal paper. Does toilet trouble include like missing the toilet? I don't know, maybe you need a stronger flush. I don't know. "Alarming bacteria levels found on Apple Watch and Fitbit wristbands, study reveals." Sorry, reveals study. Does the word alarm, alarming, alarmist? None of those words. Nothing starting with A, L, A, R, M appears anywhere in that journal paper. Possibly arm. Arm does because that's where your wristband goes because it is the normal bacteria that are on your arm. So yes, arm is in there, but not alarm. "Is your Fitbit or Apple Watch wristband making you sick? Study says they are a hotbed," again with that word, "of bacteria like E. coli." No, your wristband is not making you sick.
And what is it with the word hotbed? It's just everywhere. And then the last one is just like, okay. Anyway, "Apple Watch is a health marvel, but maybe a health hazard, report claims." Hazard's a bit strong, but as these things go, this one is like the least stupid of them all. Was it hazard in the article? No, it was not. Did I check that too? So anyway, link in the show notes to the full journal paper. Now there is actually some interesting stuff in there. It actually is. They did a good study. They did it well and there's some interesting stuff. So I'll now quote from the paper. This is actually what the scientists have to say. Wristbands often worn daily without routine cleaning may accumulate potentially pathogenic bacteria. Bacteria found were common skin residents of the genera Staphylococcus and Pseudomonas. And intestinal symbionts like the genera S. Carinth... It contains E. coli. It's a word for a bunch of bacteria that contain E. coli. Basically, our skin is always full of bacteria. And some of that bacteria comes through our toilet because when we flush said toilets, it goes into the aerosols and they sort of go everywhere. And if you didn't wash your skin, it would get very full of bacteria. If you didn't wash your clothes, they would get very full of bacteria. If you don't wash your wrist strap, which is right next to your skin and your clothes, it will be as if you wore the same clothes all the time. They will get icky, right? It will happen. Now, the paper is very clear to say who needs to ooga ooga about this. The ability of many of these bacteria to significantly affect the health of immunocompromised hosts indicates a special need for healthcare workers and others in hospital environments to regularly sanitize these surfaces.
So this paper has a real call to action because if you are immunocompromised, if you are taking medication that is disrupting your immune system because you've had a transplant or because you have certain medical conditions that have that effect, then you need to be aware that you should actually take this seriously and take care of your straps as if they were anything else that is around you. Because, yeah, there's bacteria there. And for you, the normal skin bacteria could be a real problem. If you're a health worker and you were around people in that situation, you need to be aware that you should not be by far marrying your icky sweat into this situation. So definitely this is important. So if you want to take this seriously, whether or not we're immunocompromised or work in a hospital environment, do they give any guidance on how to clean your watch? They do. They do. So we're getting... Yeah, so there's more good things in this paper. Actually, by the way, just as a tip, if you buy the Apple infinitely adjustable loops, what I do is there's little things you can buy for washing delicates. I don't own any delicates. But there are little bags that are designed to go in the washing machine to hold, like, you know, womeny bits that I don't have, to keep them safe in the washing machine. But if you take your Apple Watch straps and put them into that little holder, you can shove them in the washing machine. And I do them at 30 degrees just in case. I have been doing this for years. They come out clean, they come out un-icky, and they take about two hours to dry. And so every now and then I just throw them all in the washing machine, and then I have... This is the Pride band from quite a few years ago, and it's still nice. It's beautiful. Yeah. Oh, that's an interesting idea. Well, I used to shower with my Watch band on, which I figured that certainly does a lot of good. But then I read that Apple doesn't warranty the waterproofness if soap was involved.
Yeah, because I think it's to do with some of the stuff that keeps the seals sealing, maybe oil-based or something like that. Yeah. So I can take a shower with my Watch band on, but not the Watch. But not the Watch. Even though I take a shower with his all the time. Yeah. I just shove them in the washing machine because cycling clothes need to go at 30 degrees. So I put them in with the cycling clothes. And they are delicate. So anyway, clothes require a temperature. They're all made of lycra and stuff that doesn't like being warm. So they all say wash at 30 degrees. Do not tumble dry. Okay. So that's 86 degrees in freedom units. Huh. So not very hot. Not very hot, basically. And I just put the Apple Watch straps in. They'll probably be fine at the normal 40 degree temperature. But heck, I have a washing machine running cold. So let's just chuck them in there. Anyway, all right. Back to the people. Now the report does not say to put your Watch band in a little bag for girly bits. It does not. Let's skip ahead to what they do say. And then I'll spin back a bit. So they do give some advice on the how. They say common household disinfectants, such as Lysol disinfectant spray, 70% ethanol and Heinz apple cider vinegar, which, what did Heinz pay? Did Heinz pay for the study? How did Heinz get their name into the actual content of this paper? But they did. Heinz apple cider vinegar all proved at least somewhat effective on all materials, quote, rubber, plastic, cloth and metal. Although antibacterial efficacy was significantly increased at two minutes compared to 30 seconds. So like washing your hands at the start of the pandemic, two minutes of Heinz cider vinegar. Well, we keep cider, apple cider vinegar. I'll just have to check and make sure it's Heinz before I test this out.
Now I pushed you to read this part, but right before that you said that they also found that rubber and plastic wristbands had higher bacteria counts while metal ones, especially gold and silver, had little to no bacteria, but they didn't talk about the cloth ones. The clothy ones, yeah, which is a bit disappointing because that's what I wear 99.9% of the time because I do a lot of sweaty things. That's why I don't wear them. That's exactly why I don't wear them because they get wet and then they take forever to dry and I hate having that icky damp thing on my wrist even if I've washed it. I own 32 watch bands. I change mine twice a day. I do change it every day most days, so I'm not changing my watch band that often. Well, that's good to know though. I might keep some nice disinfectant spray up in the bathroom to squirt them down from time to time. That's a good idea. The other thing the paper does say in very scientific-ese, there is a need for regular and popular sanitation of these surfaces. In other words, oh, folks, clean your watches. Popular means regular folk. We are poppy. We are the poppies. Oh, I got you. I got you. Yeah. So everyone should do this. By the way, I really liked the way they talked about this on the Daily Tech News Show. They said they didn't have to say Fitbits and Apple Watch bands. All they had to say was watch bands. Because there's nothing about this. Like if you wear a classic watch with a leather band on it, it's probably collecting bacteria. Leather being a biological material. Yeah, probably more. We bet they're nice and absorbent. Yeah. Yeah, apple cider vinegar works on leather. All right. I'm assuming they're describing what they did, right? I think basically they're saying we used 70% ethanol, Heinz apple cider vinegar. So I think it's because this is what they found to be effective. So yeah. Anyway, I thought it was funny that Heinz. Okay. So white vinegar doesn't work. I don't know. That's a good point to say that.
Yeah, exactly. It doesn't say what doesn't work, right? They're not making negative statements. They're only saying that we checked and cider vinegar is good. It's also tasty. Okay. Action alerts. Just the one across my radar because it hasn't yet been patched juice. That's coming up. What I can tell you is that if you are a user of WinRAR, it's probably about time you blew the dust off it and gave it a wee patchy patchy patch because it has some, if you open the wrong zip archive, it's arbitrary code execution. See, that's not good. So for those who don't use this, this is a Windows application that does compression and decompression of files. Yes. Initially written for the RAR format, but because, well, if you're going to install an app, it may as well do them all. It kind of unzips anything you throw at it. And one of the almost never used formats that it happens to support, probably with code from the 80s that no one's looked at in 20 years, is riddled with vulnerabilities and someone noticed. But of course, once someone notices, the attackers just put on a website some city file in a weird format. And if you double click it, WinRAR will open it and bad things will happen. So patchy patchy patch patch. In terms of worthy warnings then, just two things that sort of caught my eye. It's like I think it's worth reminding our listeners about this because I don't know about you, but during the pandemic, I did not go near an ATM. I went nowhere near an ATM because I didn't use any cash for about three years. Pretty sure the 20 year old note in my wallet has been there since 2019. But anyway, people are starting to use ATMs again. And the problems that existed in 2019 with ATMs haven't gone away. They're all just as bad as they were in 2019. The naughty people are attaching readers to the devices and they're getting thinner and easier for you not to notice. So the advice from Naked Security is grab hold and give it a wiggle.
And if something on the ATM machine, it's basically saying that if any of the fittings on the ATM machine look a bit odd, just give them a little shake because nothing should ever come off a real ATM because everything is designed to be out in the public for years. So if anything in there is loose or rattly, that's very suspicious. So if you're suspicious, give it a shake. And I think the real reminder is just that the bad, the naughty people, I'm trying not to gender them and say they're bad guys, that the naughty people are still doing it. It is still a thing to scan your card and steal your PIN. That is still a thing of value that is happening, not for the better of anyone. I can't remember. And the last time I went to an ATM, I still don't go. I go maybe twice a year. The essence to tips for the gardener or something like that once or somebody carries some furniture in, we'll tip them, that's what the cash is for. So it's like four times a year. Yeah, I probably shouldn't say this, but we had a handy person in doing some fixing and they were like, well, the full price is blah, but if you pay me off the books, it's blah. So I went down to the ATM and paid them off the books. It wasn't a huge amount of money, but the Irish Revenue Commissioners missed out on a few in a few quattolous. Anyway, that's the last time I used an ATM. You know, so that's how often I use them, almost never, basically. The Federal Bureau of Investigation are warning of a way more high tech scheme that is apparently picking up in popularity in the United States. And it needs to be combined with social engineering. So the best defense is awareness because it's harder to social engineer you if you know this is a thing. Hence I think it's worth sharing. So it is very difficult to get malware into the iOS App Store. Therefore, attackers are always trying to find ways around Apple's App Store.
And one of those ways is beta apps because there is a legitimate need for developers, like you were lucky enough to get to do the beta version of Callsheet. I'm very jealous of you. So you were in a beta program legitimately and you were able to install an app that is not available in the App Store. Now imagine the same thing with malicious intent. So what is happening is bad people are tricking people into joining beta programs on the promise that this is a very exclusive app and it's so exclusive that it can't be available anywhere else. Therefore, install this developer cert and then install this beta and a butterfly has just flown into my bedroom. Okay, that's nice of you. And so basically don't install betas from random people on the internet. And if they're promising you cryptocurrency, NFTs or frankly money of any kind, the answer is no. Probably not legit. Yes. And it's worthy of the FBI telling us about it. So it's obviously happening. Yeah. Now I just moved the thing I wanted to talk about up into this section. I think it fits better in worthy warnings than tips. Allister Jenks alerted our Slack community at podfeet.com slash Slack to a thread on Mastodon about a very interesting attempt to hack a guy's bank account. And it's a pretty long thread, but I'm going to give you the gist of it because I thought it was fascinating. A gentleman named Bjorn Toft Madsen said that he got a call from his bank saying they wanted to verify some suspicious activity on his accounts, a transaction. And he said, they asked him, did you make this charge of 2900 pounds on a travel booking site? And he said, no, this was definitely not me. And they said, okay, great, we're going to cancel that charge. And then they said, okay, there's another transaction occurring right now that seems odd. It's for 5900 pounds at a boat hire service. And the guy says, nope, that wasn't me either. They then told him, okay, sir, we're going to send you a verification code.
And we need, we need you to read it back to them to cancel the transaction. So he gets this SMS text message with a six digit code. And he starts to look at it. And then he realizes the full text of the message says, don't share this message with anyone; to approve the purchase from the boat hire for 5900 pounds use code blah, blah, blah. He says, hang on. It says to approve the purchase. And the bank says, oh, all right, sir, we've had a few problems with our messaging system. So I'm not 100% sure what the message actually says. We just need the code to get the purchase blocked. You can ignore the start of the message. So his spidey sense is tingling, right? So he says, no, no, I'm not, I'm not going to do that. And so they said, okay, that's very smart. I'm sorry about our messaging system being odd. Let me send you a notification inside your banking app instead. So the notification arrives and he opens his banking app thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app. But again, it just says to approve the transaction. So now from what I can follow, this seems to be inside his bank app. So at this point, he says, I'm going to call my bank directly, and naturally the person hangs up. He calls his bank and verifies that it was them. So very clearly, what they had done was they got him to believe that he was talking to his bank by first doing a successful fraudulent transaction. So they really did do it. They got one through, but they didn't get the second one through. And they were going to get him to give that code in order to approve the transaction. But do we know they got the first one through? They told him about a transaction. Yeah, he verified it on his bank. He verified it in his bank app that the first one had gone through. Now he says, this is the part I wanted to ask you about, though, he says, they got me to read a 3D Secure code.
And I'm not sure what he means by 3D because he starts talking about banks not using 3D codes. So I would imagine that's the barcode-y thing, right? Aren't they called 3D codes? The QR codes, that are the QR codes that are, yes, squares instead of lines. I would call that 2D instead of 1D. Yeah. One's one dimension and this is in two. I think I've heard people call them 3D codes before, though. So I think that might be what would be a way of getting you to a URL of their choosing without you typing it. Yeah, maybe he said they were able to do this because the first transaction had happened on a site that didn't use 3D Secure. I'm not really sure how that part worked. No, sorry. In that context, in Europe, we're in the process of bringing in strict regulation on credit cards and the banks don't do it themselves. They outsource to other companies and I think one of the companies that does verification for many European banks is called 3D Secure. Oh, okay. Okay. Anyway, I thought it was a really interesting thing. By getting one through, they were close to able to convince him to let them do a second one. What really strikes me, right, so from the point of view of the second transaction, what was happening to him was the normal flow of transaction verification, but they had social engineered themselves into the middle to try and make the same steps that are the normal process for approval look like the process for disapproval. So what he was seeing on his screen is what happens when someone tries to use your card without your consent and you should immediately go, oh, that's not me. Don't approve. That is a text message with a six digit code asking me whether I am making a transaction. I know because you're not in Europe. So we have this new EU legislation. So for me, when I buy stuff online, every time it goes above 150 euro, I have to either approve in my bank. So in the app, which is the other thing to describe, right?
Because when I open my banking app, I get a push notification to the app and there's only one button, approve. And so if I can't approve, I have a button on the website saying can't access my app. And then I get a text message. So the first time the attackers did it, they clicked the button, I don't have access to my app, and he got a text message, but they were on the phone to him. So that normal text message, they were on a website in real time stealing his money. And the two-factor auth was happening in real time. And they were telling him a different story around the normal process. So anyway, under worthy warnings, this guy did everything right and yet it got close, right? It got close. It smelled right, but enough wrong. And the takeaway I would say to people, if you want to take a one sentence takeaway, read the text of the notifications, that's what saved this guy. He read the text. And I say, no, that text does not say what you, friendly person on the phone, are telling me. Right. Right. Oh, I'm sorry. We've had trouble with our messaging system. I have trouble accepting that. Yeah. Yeah. So that's interesting. That's very good. Yeah. So good. Okay. So we've read you get the show notes. So we are jumping to notable news. We, I joked years ago, when the first Spectre and Meltdown happened, that we'd be talking about speculative execution for years. Yeah, we're still talking about speculative execution. Another one. This one is called meltdown. The same basic story. Well, this is from a few weeks ago. I didn't cover it last time because I didn't think it was important. Oh, no, I mean, ages ago, I thought it was called that. But just very quickly, my memory of speculative execution is that in at least in Intel CPUs, there's a method where it starts to predict what you're probably going to do next and that way it's ready for the possible transaction it's going to be asked to do, and that speeds things up. But there are flaws in that that cause issues.
It's a side channel attack. So depending on the outcome of the speculation, something else is different. So a side channel is like, if I guess your password right, it takes 10 seconds to come back to me, but if I guess it wrong, it takes 15. That's a side channel. So you haven't been told, but the timing tells you. And so with all of these speculative execution ones, basically what the computer does, whether or not it's a hit or a miss, affects something else that the attackers can then use to derive information. Hence it's a side channel. And usually what ends up leaking out by inference is the content of memory that the attackers shouldn't be able to see. You can basically infer what is or isn't in the memory by guessing; basically, when you guess right, you know, so you know what's in the memory. And the real danger with all of these is when you have code belonging to different people sharing the one CPU, because in our day-to-day lives, we are the only user of our computer. So if we have malware on our computer, that malware can mess with the other stuff on our computer through the CPU. But if we have malware on our computer, that malware can mess with our stuff directly. It doesn't need to faff about with side channels. We have malware on our computers. But where this comes into play is if you are renting a VM, right? You and I have web servers that are sitting in a VM farm. There's not a server with podfeet and a server with lets-talk. There is a server with 5000 virtual machines. And so while that server probably has literally hundreds, probably, of CPUs, it has thousands of VMs. So some of those CPUs are shared. And now you have code belonging to potentially me and you in the same CPU, leaking information over and back through these side channels. That's bad. That's very bad. And so as soon as one of these things comes out, Intel release microcode, which is basically firmware for the CPU. So it's like firmware, but so deep down it has a different name.
Because, you know, firmware is usually outside of the chip, but this is like the CPU's own internal firmware. It's very deep-down stuff. Anyway, Intel have released microcode fixes, and those microcode fixes get there either by the operating system injecting them on boot, which is how Linux does it. So Linux has been updated to inject these new microcodes on boot. Windows is probably going to get that update soon. The other way to get those updates is by actual firmware that injects the code, by the BIOS injecting it as you're booting up the machine. And so Dell have released firmware updates for their machines to inject the microcode at boot time. And so the bottom line is, if your operating system or your computer vendor's firmware says install this patch, by all means install this patch. Unless you're running a server farm, don't set your hair on fire about this one. But do know that the people who are running server farms are on this, and this is one of those things where they've had a terrible month of it and they've been busy patching like crazy. And as is always the case with speculative execution fixes, it's physically costing them money, because speculative execution speeds up CPUs. When you have to disable speculative execution, you slow down CPUs. And when your money is selling compute, it was not insignificant too. Was it like 15%? It was pretty high as I recall. Yeah, 15, I believe, is the number I saw. Yeah. So that means if you're the likes of AWS or something, that's not nothing. That's not nothing. So there's crankiness. There is crankiness in the industry. But just patchy patchy patch patch as and when, and don't set your hair on fire. This one isn't really a big deal for you. Intego point out that they haven't been able to get a clear answer on whether or not Intel-based Macs are affected. But again, I wouldn't stress over it too much; even if they are, we're not running server farms on them.
So, you know, for most home users, the advice is not to enable these protections because you kind of want all of your CPU. You kind of don't want it to get slower. Sure, sure. Awesome. Now I like to, yeah, well, I'm just kidding, M3 right for myself. I like to end these on a happy note when I can. So the FBI took the lead with partners in a lot of countries: France, Germany, Latvia, the Netherlands, Romania and the United Kingdom all worked together to take down a botnet called Qakbot. And it's great that they took it down. They also got permission from a court in the United States to do a little bit more than take it down. They got permission to go in and patch the infected machines, which on the one hand is being a good Samaritan, but on the other hand, kind of sounds like any, a little Richie any, so I'm conflicted on that one. But anyway, the botnet is gone and that is very much a good thing. The other thing: last year, the FBI entered into a partnership with Have I Been Pwned, where they have low-level API access to push data breaches they find into the database, so that if they find a cyber criminal, if they arrest a cyber criminal, they can just put that data straight into Have I Been Pwned without a big process. They just push the data into Have I Been Pwned. And basically lots and lots of people's stuff was compromised with this botnet. It's all in Have I Been Pwned. So if you check your email address in Have I Been Pwned, it now knows whether or not you were caught up in this mess, among all the other things it knows. So basically, it knows, which is cool. And I like these kinds of systems working like that. On then to excellent explainers. I've just forgotten his name now. I wanted to call him out by name. Oh, right click on link, Bart, vamp for a second while waiting. Oh, come on, computer. Ah, I've even had him on my podcast. I've talked to him. Okay. And sorry, the author of the article.
Yeah, because my editor app is deciding I want to change the text of the link instead of just opening the bloody link in Safari, please. So is this the Intego link? The Intego links? Kirk McElhearn. Thank goodness, Kirk. Yeah. So I've had Kirk on the Let's Talk Photography podcast. He's actually a photographer and he does another photography podcast as well. But Kirk is a freelance article writer for lots of people, including Intego. And he has two fantastic explainers in the last two weeks. "What is SMS? How it works, why it's insecure, and why we still need it." It's a good article. And the other one, again, does exactly what it says on the tin: "What every Apple user should know about software updates." I don't think our listeners are going to be surprised by anything in this article. But it's a really good one to give to friends and family who are ignoring the red badge. Just, you know, it's a little nudge. Here's how you not have the red badge and why you might want to have the red badge. Because if you toggle these settings to automatic, you won't have the red badge and you'll be better off. So that brings us on then to palate cleansing. I'm going to go first because your own is better, and that way we get to end on a higher note. So I have been utterly enjoying the JWST. And you'll notice I don't like to use its full name, because the person it's named after was distasteful, as the politest word I will use for the man. You're talking about the Space Telescope. I'm talking about the Space Telescope with initials JW. The telescope's amazing. The scientists are amazing. The person they named it after is the opposite. I just want to be clear to people what you're talking about since you're not saying what you're talking about. I know, I know. It's obscure. Okay, we were talking about the amazing Space Telescope that was launched that Steve and I got to go see. Actually, they toured a full 100% scale mock-up of it around the world about a decade ago.
And I went to see it in Dublin when it was here. So I know what it looks like. Very cool. Obviously, you saw the real one, which is infinitely cooler than seeing a one-to-one scale model. But even the one-to-one scale model was rather cool. Anyway, we all watched with great anticipation as the thing took a month to travel from Earth to its final orbit out at Lagrange 2. And it unfolded its solar panels, made of immense origami, with great delicacy. And we all crossed our fingers. And the thing finally got first light and we all celebrated. And I know I've picked it as a palate cleanser quite a few times because it's done some really cool stuff. But anyway, it caught my eye again. Because if you start off in astronomy, the first thing you look at is the Andromeda Galaxy. Sorry, the Andromeda Nebula. The second thing is probably the Andromeda Galaxy. And the third thing is the Ring Nebula, M57. Because it looks like a perfect ring nebula. It's a perfect little smoke ring in space. Now, through a telescope, when I say little smoke ring, I mean little. It's bloody tiny. And there's no detail in it. When you look at it through a backyard telescope, it's just a star with a hole in it. It's cool. It actually looks like a ring. Well, the JWST pointed its telescope at it. The level of detail in that nondescript little ring I have seen 101 times through a telescope, it blows my mind. It puts it into context that this telescope isn't a little bit better. This is just jaw-droppingly better. It's such an amazing image of the Ring Nebula. And so anyone who's ever looked at the Ring Nebula through a telescope at a, you know, a backyard astronomy event or something, or on their own telescope, you can notice what this little thing looks like and how nondescript it is. And now look at this. It's, oh, it's beautiful. That sounds fine. I just sent Steve a note saying we need to watch this Netflix documentary on it. You really do.
It tells the story of the telescope's launch from the point of view of the scientists, and the level of emotion in the scientists when they're describing the work it's doing. I almost teared up watching a science documentary. It was so good. Myself and the better half watched it over dinner in the last couple of nights and it was really good. It was really good. So I figured I'd share that too. Very cool. All right. So here's mine. Found this again on Mastodon. This is such a great story. There's a wonderful account to follow called nixCraft. And it's often Unix, Linux, nerdy kind of stuff, and very funny often, but this one was really sweet. Someone named Myesa Raponen sent in a bug fix request for the Linux kernel. And it says in the body of her email, it says, when I was reading the documentation, my four-year-old niece wanted to see what I was doing. After telling her, she noticed that something was very wrong and asked me to fix it. Instead, I helped her to fix it herself. She noticed that in a line of the documentation, there were dashes below a set of words to kind of set it off as a heading. And the last S is sad because all the others have those lines below them and this one does not. So basically somebody in a, you know, a fixed-width font had hit dash, dash, dash, dash, and stopped one dash early. And the best part is they fixed it for her. So she's a four-year-old who submitted a fix to the Linux kernel. How fun is that? That is amazing. And what's extra cool is because it's the Linux kernel. Remember, Git was invented for the Linux kernel. She has a pull request for ever and ever and ever. There is a pull request from this four-year-old in the Linux kernel's git repo. That is so cool. Like, is that Git? It absolutely does. And like, there is very little to give you more nerd credit than a pull request in the Linux kernel. And this four-year-old has a pull request in the Linux kernel.
Oh, I just thought, she goes into computer science, right? And puts it on a resume. Oh goodness. Yeah. Absolutely. Yeah. Oh, so cool. So cool. No, she might actually end up being a copy editor instead because she just noticed a typo. Great. We need more people who can write good documentation in nerd space. I'd like to be able to read man pages that don't suck, please. There you go. Be good. Yeah. I think so. It really, really made me smile. I think it's wonderful. And the other thing that makes me smile about it is the Linux maintainers, who have so much stress in their lives, took the time to do something nice. This is well done. Nice work, guys. And it was a guy who approved the pull request. Nice work. Made me smile. So yeah. And that is cool; you've linked to that account a few times. You're right. They do very cool stuff. Yep. Righty ho. Well, with that, we have another, actually, I think this was three weeks' worth of news, actually, because we've been all wibbly wobbly, timey wimey. I think it's been two weeks since the listeners heard us, but nearly three weeks since we recorded because we did one at a weird time. Anyway, another bunch of security news wrapped up. And the advice is always the same. Remember, folks, stay patched so you stay secure. Well, that is going to wind us up for this week. Did you know you can email me at allison@podfeet.com anytime you like? If you have questions or a suggestion, or that recording you're going to do for me for the show so I can keep goofing off, you send it to allison@podfeet.com. You can follow me on Mastodon at podfeet@chaos.social. I'm having so much fun over there. It's such a nice place to be. And it just feels like a good community over on Mastodon. And remember, everything good starts with podfeet.com.
If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon, or with a one-time donation at podfeet.com slash PayPal. Or did I mention you can do a recording like the awesome Jill by sending it to me at allison@podfeet.com. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.