Daily Tech News Show is made possible by its listeners, thanks to all of you including Justin Zellers, Pepper Geesey and Eric Holm. Coming up on DTNS, what you should not fear from TikTok's in-app browser, and what maybe you should. Plus, why Apple's latest security update touched off a backlash, and does Janet Jackson's Rhythm Nation really crash laptops? We enlist some help to find out. This is the Daily Tech News for Friday, August 19th, 2022 in Los Angeles. I'm Tom. And from Studio Redwood, I'm Sarah Lane. And from Columbus, Ohio, I'm Rob Dunwood. Drop top tech stories and click on them for all of them. And I'm the show's producer, Roger Chang. My friends, you're going to have to imagine some music in today's show. You're going to have to imagine some other things like safety in today's show. Let's start with a few tech things you should know. Back in June, cryptocurrency exchange Crypto.com said it was laying off around 260 employees, about 5% of its workforce. The Verge's sources now say that the company has quietly let go of hundreds more employees since those initial announced layoffs. CEO Kris Marszalek declined to answer a question about the total figure in a recent employee town meeting when employees asked him very pointedly what's going on. Somebody I happen to know within the company says that actual number might be much more. Probably is. YouTube will start adding watermarks to downloaded Shorts videos over the next few weeks in order to show the source of the content when you share it on TikTok. I mean other platforms. In other short video news, The Verge reports that downloading an edited Reels clip from Instagram on iOS prior to posting now exports without any audio. Downloaded posted Reels retained audio. Instagram on Android will still allow for exporting unposted Reels with audio. Well, nice little perk for the Android. That is why I could not get audio on a funny thing that somebody sent me today. Now I know why. There you go.
The Wall Street Journal reports that Snap CEO Evan Spiegel informed employees that it halted further development on its Pixy drone line as it re-prioritizes company resources. The Pixy drone remains available from Snap's site for $250. Although I'll sell you mine for cheaper. The shrinking smartphone market affected Xiaomi in its latest report. Smartphone sales, which make up more than half of the company's revenue, fell 29%. Xiaomi got a bump last year when it took market share from Huawei after that company was hurt by US sanctions. However, the effect of that bump has now faded. Bloomberg sources say that Qualcomm will attempt to re-enter the server processor market based on the acquisition of the chip startup Nuvia last year. It's reportedly seeking customers for the new chips with AWS agreeing to test out its offerings. Qualcomm last released a server chip in 2017 with the Arm-based Centriq 2400, but shuttered the product a year later. Alright, I don't know if some of you have seen social media before, but apparently on social media sometimes people get angry about things. One of the things they got angry about is Apple's latest security update. But that is a thing that people get angry about. Alright, so here's the deal. Apple releases emergency security updates as often as any software maker. If you use Apple products, you are familiar with this. It last released one for its operating systems in March. Usually Apple doesn't release a lot of details of why. It just says do it. Often there's a recent vulnerability report that you can look at and get a little bit more information and make an educated guess as to the reason. But Apple's latest patch seems to have caused a bit of unusual attention. As is normal, Apple's notes on the update being pushed out are light in details. It says an anonymous researcher discovered CVE 2022 3289, which could be exploited to execute arbitrary code with kernel privileges. That's bad.
If you were, if you were compromised by this exploit, the attacker would gain admin rights to your device. Apple also fixed the vulnerability in Safari that will let an attacker execute code. Patches have been issued for macOS Monterey 12.5.1, the iPhone 6S and later, most supported iPads and the iPod Touch 7th Gen. So these are both zero day vulnerabilities, which means they may have been exploited by someone, or at least somebody, but there are no confirmed reports that that happened. So it's good to update your software as soon as the patch is issued. That's good advice across the board. Two zero day vulnerabilities, one that grants admin access, are serious, but not that unusual. Yeah, I saw all the Sturm und Drang out there about this and thought it would be worse than it was. I didn't think it would be as bad as people were saying because it usually isn't. But, but this is rather mundane. I mean, they're zero days. So that's never good. But zero days happen a lot. And you just got to go out and get patched. Zero days that they have no confirmation are being actively exploited happen more often than zero days that are being actively exploited. So I look at this and I think Apple usually just puts bugs, we're fixing bugs, and they don't say anything else in their notes. The fact that they put a CVE in here made a few people sit up and take notice and go, Oh, this is a little more serious than usual. They're actually acknowledging the vulnerability. And then other people who, I don't know, maybe aren't as used to this sort of thing, lit their hair on fire, not realizing that, that while this is bad, as Rob said, it's not exactly unusual. And it's good because they're patching it. It's not the kind of bad where it's like waiting for the company to patch the vulnerability. I think one of the issues for a lot of people who use Apple devices, not necessarily folks who are listening to this show, but just people who just, they have iPhones, they have iPads, they have Macs.
The issue is that they don't necessarily believe that this stuff happens to their hardware like it does on pretty much all where it happens. We all know that this happens just as much as the Apple as it does to everyone else. But when Apple actually tells you, Hey, this is going on. It was kind of a serious one. But they handle it like they always handle it. I think just there's a segment of the population is please, Oh, wow, this is somehow different than what they normally do. Well, and it's Apple, you know, Apple not being super forthcoming about all sorts of things, whether it's new products or vulnerabilities or anything in between just, you know, makes the curious folk that much more curious. Yeah, I think that's it. I think it was Apple said something. And it was about a thing that was bad. It must be really bad if Apple said something about it. And yeah, it's, it's bad, but it's not the end of the world. Just go patch your stuff. Do make sure you patch your stuff. Indeed. All right. We ready to talk about urban legends on the show? Oh yeah, always. Well, all right, because we don't always get to do so. We have a bit of one here. But there might be more to it. So hear me out. Microsoft developer Raymond Chen claims that if you played Janet Jackson's 1989 hit song Rhythm Nation, perhaps you've heard of it, was pretty big deal, certain laptops made around 2005 would have hard drives that would crash. You might say, why would that ever happen? That sounds impossible. This happened apparently to laptops playing the song and to laptops near the laptop also playing the song. Here's a little bit of a grain of salt. Chen writes in a blog post that he heard this from a colleague. Doesn't say who, doesn't really give any more details of what's going on. Very Apple of him. According to this colleague, an unnamed major computer manufacturer discovered Rhythm Nation crashed its laptops and also its competitors' laptops.
So as the story goes, this colleague who worked in Windows XP support found that Jackson's song contained one of the natural resonant frequencies used by those hard drives on those laptops. So if the laptops heard the frequency coming from Miss Jackson, if you're nasty, it confused them enough to crash. Chen didn't say which brand or model of hard drives, only that they operated at 5400 RPM, they ran Windows XP. But he did say that the major computer manufacturer created a workaround by adding a custom digital audio filter that detected the frequencies and removed them from any sound during playback in such a way that the listener wouldn't notice but the hard drive wouldn't crash. Although that would not have stopped your friends from blasting Rhythm Nation at your laptop from the outside and crashing it, I suppose, if they had figured that out. The vulnerability has now been given a CVE number, CVE-2022-38392. But that only cites Chen's blog post as a source. So it's almost like the CVE folks are having a little sense of humor there. Oh my goodness. Okay, so here, here is our plea to you, dear listeners or viewers, DTNS family as a whole. If anyone could try to replicate this, we can. Can Janet Jackson control hard drives? Let's find out. Go forth and find 2005 era 5400 RPM OEM hard drives, copies of Rhythm Nation. See what happens and please report back. The first person who I am satisfied, I believe made this happen that lets us know gets this copy of Corel WordPerfect Suite 7 that I use the pixie cam to compose my first website. Hmm. WordPerfect. I remember it. Yeah. I do. This, this story would be, not that I don't believe it. I absolutely believe that someone has made this happen, but it would be so much believable, more believable if this would have been like on Windows Vista or something like that. Right. It's like, come on now. It's pretty solid. Or Windows is one of the most stable operating systems ever.
So, you know, Vista on the other hand, I have, she would expect something like this to happen. There's so much about the story that it's like, okay, first of all, it's like, is this really true? Let's just assume that it is. Let's assume that this is possible. In 2005, you know, you're playing Rhythm Nation. Rhythm Nation was a big hit in 1989. So, doesn't mean that you don't like Janet Jackson, but you know, you're going back into the, into the vault a little bit. We're, we're getting into, you know, classic recurrent as they call it in radio. Right. Exactly. And, uh, you know, there's someone to be playing that and going, what's going on with my computer? That's weird. Huh. Could it be the song I'm playing? Let's pause the song. It might be the song. This has all the makings of believability to me, which is not that many people are playing Rhythm Nation in 2005, but some are. Not that many people who are playing Rhythm Nation have this model of laptop with this hard drive in it, but some are. So it's not frequent enough that it catches the internet's attention because again, the 2005 internet isn't as big as it is yet as it is now. Uh, and, and this support company doesn't want this getting out because they don't want people to think their hard drives are defective. So, they hush it up and I bet it didn't reliably crash it. I bet every time you played Rhythm Nation, it didn't immediately crash, although it might have. Uh, it might have worked intermittently, which means that's another reason why people didn't catch on until these support people tried it. Well, they couldn't let it out because in my head, I'm making this up that the, the speakers that alert you to hurricanes and disasters in towns all across the world would have started playing Rhythm Nation. You would have seen just like a blackout of things going down across earth as hard drives crashing like crazy. Yeah. I do like Sarah's challenge though, and I will back it up with this copy.
That's in a pretty, pretty decent shape. Two scratches, but only got run over once or twice. Well, WordPerfect Suite. It's the Suite. The Suite. Yeah. On CD-ROM. All right, folks, if you're feeling social, you could tell us you discovered this on, on social media. Our social media is DTNS show on Twitter and DTNS pics with an X, DTNS PIX on Instagram. If I described a browser in a scary way, it might go something like this. This piece of software knows every site you visit and every character you type into every site you visit. It also knows your browsing history, your device type, your operating system, and pretty much every technical spec on your machine. But a browser has to know those things because it wouldn't work as a browser if it didn't. The question isn't that it knows those things, but what it does with them. Browsers are very closely audited by lots of folks, and they generally don't send your information anywhere themselves other than the URL you're requesting. Not only that, but browsers also give you control over your data. Browsers famously give you the ability to delete your browser history, your cache info. Sometimes they'll even set it up automatically. In fact, browsers are usually viewed as being on your side when we're talking about privacy issues. We bring this up because it's important context in understanding what is and what isn't unusual about the stories out there about TikTok's iOS in-app browser. A word about in-app browsers. On iOS, an app can send you out to an external browser like Safari, Chrome or Firefox, etc., or it can render a web page inside the app. Keeping you inside the app sometimes offers a better user experience. That in-app browser, like all browsers on iOS, must use WebKit, but it doesn't have to use all the Safari. Apps can customize on top of WebKit to roll out their own JavaScript. Facebook and Instagram do this for tracking purposes, tracking that you agree to allow the app to do.
So doing so in the in-app browser is covered by that permission. And remember, an in-app browser can do all the things that any browser can do, but inside the app from a company that doesn't necessarily make browsers outside of in-app browsers and isn't audited as closely. The question is, what does a company do while or with the information that it can access? Yeah, exactly. So that brings us to the TikTok story. Developer Felix Krause found that TikTok's iOS app contains some JavaScript that could be used to log all input, aka your taps and your typing. This is slightly different than just accessing it. As we noted, any browser has access to what you type and tap. In fact, any program you type in has access to what you type and tap, but they don't all log it for storage. To be clear, Krause found code that could be used to log. He did not find evidence that it was being used to log. There's no way to know from outside what TikTok might do with that code. It may not run the code at all. It may collect the code data immediately for some purpose and then discard it. It might store the code in an Oracle database waiting for Larry Ellison himself to stumble upon it in an audit. It might even encrypt it and use a hidden Tor service to send it straight to President Xi's laptop. We have no way of knowing other than to ask TikTok. So Rob, what does TikTok say? Well, TikTok said we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring. The devil's in the details though. TikTok says it uses the code to check page loading time and detect crashes to allow for better browser performance. That's plausible. It's also repeated a previous assertion that it analyzes keystrokes to detect bot behavior and fight spam accounts. That couldn't make sense. If keyboard presses come exactly half a second apart every time, it's probably a bot. TikTok also says the code in question was from an SDK.
So not all of it is used. It is just plugged in some of the off the shelf code that can do a lot of things. Okay, that definitely happens. TikTok also reminded us that granting code permission is not the same thing as collecting data with that permission. TikTok argues that Apple's approval process would likely catch collection. Maybe. You're going to have to decide what you believe and act accordingly. Yeah, that's good point. In the meantime, it's wise to remember that TikTok isn't the only app with an in-app browser. To that end, Krause has published a tool at inappbrowser.com that can show you what JavaScript commands are executed by the app as it renders a web page. If you visit inappbrowser.com from within an app, then the page will report as many JavaScript commands that were executed as it can detect. Now, keep in mind that app makers can hide JavaScript commands behind something in iOS called WKContentWorld. Ironically, Apple introduced this in iOS 14.3 to stop websites from collecting data for the purpose of fingerprinting you. Fingerprinting is basically when a website can detect something like JavaScript commands and then use that to identify you when other tracking behaviors are blocked. But not all in-app browsers are untrustworthy. Krause notes that apps that use Apple's provided SFSafariViewController to display websites in-app tend to be on the safe side. That includes Gmail, Website, and others. And almost, I should say, WhatsApp and others, and almost all other apps that give you the option to open a link in a default browser instead of in the in-app browser. The only one Krause analyzed that didn't offer that option was TikTok. Oh, I was so ready to say this was overblown. I was so ready to say maybe they're not doing anything. That is the big problem for me. So one of my favorite Adam Sandler movies is Water Boy. And Kathy Bates in that movie, she played mama and she played that role wonderfully.
But one of the things she always said for anything she didn't like was it's the devil. And I'm not saying that TikTok is the devil, but if I was Kathy Bates, I probably would. It's like they're the only ones that are doing it this way or the only ones that he analyzed that are doing it this way, where you cannot use a default browser. Just as a habit, I always will use my default browser because you just never know. I never knew this, but I just rather use my own browser. They're usually better and offer you more abilities inside those browsers. The fact that you can't use one here, it just throws up flags to me, not saying there are any that should be there. It just doesn't feel right to not be able to open something up in that browser or any built-in browser. Yeah, to send it out. Look, I don't feel comfortable with some JavaScript code that can do key logging being in the app. And I don't feel comfortable with the company saying like, oh, it's just an SDK. What I want to hear is, oh crap, that was in there and we didn't realize it. We're taking it out. Like that's what I want to hear them say. They're not saying that. But even then my reaction would have been like, so it's probably best if you see a link in TikTok that you want to open up, open it up in the external browser, but they don't let you do that either. You would have to copy paste it, which would now be my advice. But the fact that they're also like, why, why, when even Facebook gives you that option because they know most people aren't going to take it, why wouldn't you have that option in there? Like, are you that bad at coding that you let this off the shelf SDK JavaScript in there without noticing and never got around to adding the code that lets you open an external browser? Like, that starts to not make me feel good about the security of the rest of your app. It sounds a lot more to me like TikTok knows it's, they're not bad at coding.
They know what they're doing and they're saying, well, we're just not doing anything bad with the information. So yeah. But if you say, okay, even if I kind of trust you, well, why do other apps not perform the same way? And how hard would it be for you just to make us feel a little bit better about this? That's the, you know, and the TikTok has, they've been on the news for all sorts of stuff along these lines recently. And sure, it's a Chinese company. And so some people are feeling like, okay, well, it's, you know, even scarier than, you know, some other company that's maybe not, you know, ByteDance created. And that's, you know, you either feel that way or you don't. And, you know, some people have their reasons. But I do feel like if, if your app performs differently when it comes to privacy stuff, like keystrokes, I mean, that's, I mean, I'm not even that much of a privacy crazed person, you know, most of the time I'm like, eh, I'm pretty boring. You couldn't see my keystrokes, but no, not really. Not really. I want to be assured that this data is being collected in a, in a way that is meant to make the app better. And that's it. And just explain why. Yeah. For me, it is many companies do this. You know, this, this happens with Instagram. This happens with Facebook. It happens with WhatsApp. But they at the very least give you an out. You can click a button that says use an alternate browser. You don't have to use their built-in browser. So when I, when I think about a company like TikTok, they aren't some small scrappy startup with three or four people working out of a garage. This is a massive software company that does things for billions of people on earth. This is a decision in, in my opinion, for them to not do this. Somebody said, we are not going to allow people to go to an external browser when they click on links. So immediately I wonder why are you making this decision?
I hear all the things you're saying about how you're not using all the ability that you have the ability to use, but why are you not giving me an out just so I can make sure that you aren't? That is problematic to me. Yeah. They, they said that they don't offer users an option. They said this to TechCrunch, that they don't offer users an option to not use the in-app browser because it would require directing them outside the app, which they argue makes for a clunky, less slick experience. Those are TechCrunch's words, not their words, not in a quote. But they say it's for usability, to which I say, how very Apple of you, like you definitely learned the, the, the pattern of what Apple would say if they were you. But Apple tends to be okay protecting privacy. And, and I don't know, maybe, maybe Apple would do this. Maybe they wouldn't, but TikTok is doing it. And listen, I'm not, I'm paranoid enough not to be bothered by the prospect of key logging in TikTok because I assume there, I assume so many things are collecting data and collecting my keystrokes that I'm not going to type anything in there that I wouldn't be comfortable with it being logged and tracked anyway. But that's no excuse. That's not, that's not an excuse for the company to be like, oh, that JavaScript in there. Well, don't worry about that. We aren't going to use that. Take it out. Get it out of there. Yeah. And at the same time, like, interesting search ideas, Tom, even if he didn't hit search. Well, I mean, not about it. That's the thing. I would, I would never use the TikTok in app browser to go do searches, right? Because I, I wouldn't have any way, even if I didn't think they were key, key logging me. It's, it's, it just doesn't look good. And where there's smoke, there's often fire. Even if someone was telling you it was a bonfire before, and you could say it's clearly not a bonfire. Maybe there's a smaller fire there. Yeah. 
Like I just, I just look at this and it just, as I said to me, I'm not trying to be cynical or anything like this, but you know, last time I checked TikTok sells ads. So there's absolutely reason for them to collect information because that gives them the ability to target ads more specifically to you. They're saying that they're not doing those kinds of things, but you have the ability to and you're not giving me an out that just makes you look sus, you know, from, you know, from my side. I try not to have the knee jerk reaction of it's evil to things because it isn't always evil. In fact, it's rarely evil, but sometimes it is. And so what I try to do is go, okay, if it wasn't you know, conspiracy, if it wasn't bad motivations, what would cause them to do this? And with this set of circumstances, the only thing I could think is that it's because of a cultural difference in the company at the high executive level of like, well, of course we take all that stuff because we're allowed to and nobody cares. And in the United States, that doesn't fly in Europe, that doesn't fly. And so they need to adapt to operating in those markets better. That is the most charitable reading that I could give this. Well, moving on to travel, if you like to travel, especially no matter where you are in the world, if you want to travel internationally, you're going to have to deal with some jet lag, whether you're going east or west. And for some people that's really hard. So Chris Christensen has an app that might be the answer for you. This is Chris Christensen from amateur traveler with another tech in travel minute. This is an interesting resource. I don't know if I completely agree with it or not, but it's fairly unique. And that's a time shifter app. 
And the idea here is you're going on a trip that's going to give you jet lag, you give time shifter your flights and it from that figures out where you're going from and where you're going to, what the time change is, and then makes a plan for you for a couple days ahead, how to shift gradually to that time zone and when to get light and when to get caffeine and when to avoid one or the other, when to take a nap and what time to get up. And you can use this as a plan to ease your transition to jet lag. Now I've traveled enough that I eat jet lag for breakfast. So I'm probably not going to be using time shifter, but if you're interested, you can try it once for free. Check it out at timeshifter.com. And this is Chris Christensen from amateur traveler. Well, I will definitely check this out. Yeah, jet lag has been a huge issue for me, particularly when I'm going east. If I'm going to, you know, Europe, for example, from the West coast. And I never really know. It's like, do I just suffer as long as I can so that I'm so tired? I sleep whenever it's nighttime. Once I get there, sometimes that works. Often it doesn't. This could be a good answer for that. Yeah. Well, you probably need multiple tools. I use the take melatonin at 9pm wherever you are to put yourself back on the schedule. And that helps. But I've always wanted to do something like what timeshifter makes possible, which is like ease into it before you leave so that your body is adjusting to a new routine. And if you do shift work, and you're like, you guys have jet lag every day, timeshifter actually has a program for shift workers as well. It's not just for jet lag, which I thought was pretty interesting. Yeah. For me, I can see how useful this app would be. But I'm one of those blessed people that let me knock on some wood here. I don't get affected by jet lag. I have the ability to sleep almost on command. 
I could be asleep within five minutes of whenever I feel like going to sleep, regardless of how much sleep I got. But I mean, I literally could wake up and I need to go back to sleep and literally lay back down and go back to sleep. So jet lag has never affected me now. I'm on the East Coast. So it's only really when I go to Europe, which is not terribly often. But even then, I just, you know, as soon as I hit the plane, I'm usually before the wheels are off the ground and I'm asleep. And I'm on their time zone by the time I get there. So I mean, just imagine someone saying, I got 15 minutes, I'll sleep now. Yeah, that's never once happened to me. That is that is me. Shakespeare's here's a foolproof three part way to beat jet lag. One, melatonin, two, time shifter app, three, a vial of Rob's blood. Oh boy. Well, just a reminder that if you ever have thoughts on anything we talk about on the show, boy, this was a fun Friday. We got Janet Jackson, Rob sleeping on command, you know, is Apple lying, is TikTok lying, and all the things. feedback@dailytechnewsshow.com is where to send questions, comments or ideas for future shows. Thank you in advance. Indeed. And thank you, Len Peralta for being with us today. I, I think I know what you drew, but what did you draw for us today, Len? You know, it's so weird. I think I actually created a wanted poster for what you, you know, for the throw down you put up earlier in the show about Janet Jackson. You know, the the image is of course, Ms. Jackson, destroying a laptop. And it's saying that yes, I can destroy certain laptop. Therefore, go forth and find a 2005 era of 5400 RPM OEM and cause a laptop malfunction, which is what this piece is called. Call to action. What is the who, who, who? Yeah, so you had to do it. I feel like this image is destroying the laptop with the power of dance. Well, yes, kind of, but also her music possibly we'll see both. This is the call to action. They work in tandem. Yeah, exactly.
This image is available right now. If you're my patreon, subscribe to patreon.com/len, also at my online store at lend prop store.com. And by the way, folks, I'm open for gigs and commissions right now. So if you're looking for something, throw it my way, I can barrel you. I will destroy your laptop. No, I won't destroy your laptop. If you want him to, he will. Yeah, I will. That's a picture of destroying someone's laptop. There you go. Perfect. Well, thank you as always, Len. Also, thanks to Rob Dunwood for being with us today. Rob, what has been going on since we saw you last? Not a whole lot. I had a blast hosting the DTNS reaction show last week, so I had fun doing that. And I just let the folks know, you know, you can find me anywhere on pretty much everything at Rob Dunwood. And I'm also the host and producer of a weekly tech show called The Tech Jawn where we cover the week's tech headlines and discuss how tech affects and disaffects people of color. So would love for you guys to come check us out. It's a great show, everybody. Do, do give it a subscribe. You will not regret it. We also never regret having people who have supported us for a long time. Special thanks to Ragnald Varmadal, who is one of our top lifetime supporters for DTNS. Thank you for all the years of support Ragnalds. Also patrons, you know who you are. And you know, you can stick around for the extended show Good Day Internet. If you're not a patron, that's a good reason to become one. You can also catch this show live. DTNS is live Monday through Friday at 4 p.m. Eastern. That's 2100 UTC. You can find out more at dailytechnewsshow.com/live. We hope you have a wonderful weekend.
We'll be back on Monday with I as actor joining us talk to you then this week's episodes of Daily Tech News show were created by the following people host producer and writer Tom Merritt host producer and writer Sarah Lane executive producer and Booker Roger Chang producer writer and host Rich Truffalino video producer and Twitch producer Joe Coontz technical producer Anthony Lemos Spanish language host writer and producer Dan Campos news host writer and producer Jen Cutter science correspondent Dr. Nikki Ackermann social media producer and moderator Zoe Deterding our mods beatmaster w scottis one bio cow captain kipper Steve Guadirama Paul Reese Matthew J Stevens aka gadget virtuoso and JD Galloway modern video hosting by Dan Christensen video feed by Sean way music and art provided by Martin Bell Dan Looters Mustafa a a cast and Len Peralta live art performed by Len Peralta a cast add support from Tatiana Matias patron support from Dylan Harari contributors for this week's show include Shannon Morse Scott Johnson Justin Robert Young Rob Dunwood and Chris Christensen and our guest this week was Charlotte Henry thanks to all the patrons who make the show possible this show is part of the frog pants network get more at frogpants.com diamond club hopes you have enjoyed this program