Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, October 29th, 2023, and this is show number 964. Before we get started, if you're listening to this, say, first thing Monday morning, then today is the day of the October Apple announcement. As is our custom, Steve and I will be hanging out in the Discord chat room, which you can get to by going to podfeet.com slash chat. Now, you probably know that it's at five p.m. Pacific time, but I want you to realize that if you're in Europe and planning to watch, you might not realize that the United States did not change times on Sunday, like most of the rest of the world. Well, most of the year Bart in Ireland and I are eight hours apart; for just a short time here, we're only seven hours apart. That means for him, the show is only at midnight tomorrow on Monday. Anyway, I'm not gonna do time zones for anybody else, but I hope you all can join us for the chatter. As always, Steve and I will not be talking verbally and there will be no video from us, it'll just be everybody chatting. So I hope you'll come to podfeet.com slash chat. Back in the day, I was a huge fan of a company called Wyze, which sold very inexpensive security cameras for like 25 bucks. They seemed to be unstoppable as they came out with pan cameras, outdoor cameras, then they started doing vacuums and even scales. But then a couple of years ago, they confessed to having a security problem with their original Wyze cams that they'd known about for some time, but they never told anybody about it because they couldn't fix it. Instead of leaving it up to us whether we wanted to throw them away or buy something more secure, they figured they just didn't want us to worry our pretty little heads about it. At the time, we had four indoor Wyze cams, only one of which had the security flaw. But I threw them all in the bin.
We have four additional cameras that view the outdoors, two indoor cameras and two outdoor, but the indoor ones point outdoors through the windows. Anyway, we decided to keep those because they're not looking inside our house. I swapped out the indoor Wyze cams for cameras from Eufy. Now, Eufy is owned by Anker, which is a Chinese company that may influence your decisions in this area. I'll be providing a reason why this still works for me. We went along happily with a mixed camera household for several more years. We have Wyze cams and Rings for outdoors and Eufy for indoors. Then in September, Wyze messed up again. Wyze provides a browser-based portal through which you can see the feeds from your camera. Unfortunately, they made some mistakes and for a period of time, people were actually seeing other people's webcams. It was bad enough that the Wirecutter officially removed them from the recommendation list and wrote a blog post about it. I still wasn't overly worried about this because, as I said, my Wyze cams don't point indoors. However, both of my kids were using Wyze cams on my recommendation to monitor my grandchildren. Because I had suggested this great camera for only 25 bucks apiece, I felt responsible. So I replaced all of their Wyze cams with Eufy cams. My kids are security conscious, especially when it comes to their children, so they were quite happy that I took this step for them. And two weeks later, the Eufy cams I just bought for them went on a crazy good sale during Amazon Prime. Now, while I was annoyed that it hadn't occurred to me to wait for Prime Day to buy all of those cameras, I decided to take the opportunity to replace at least some of my remaining Wyze cams. I chose Eufy because they're HomeKit compatible, and I'll get into what that means after I explain the models I chose.
The first thing to say about buying a Eufy cam is that the model numbers are very confusing, and they've been known to change the model number of a camera while not changing the camera itself. My original Eufy cams appear to be identical to my new ones, but they have a completely different model number. The second thing to be cognizant of is that some of their cameras, mostly the outdoor wireless ones, need a hub. I find their explanation of the hub-based models to be very confusing, so I've shied away from them. They may be awesome, but I can't speak to them at all. Now for my needs, I bought a pair of Eufy Security Indoor Cam C120 wired cameras for the standard price of $76, which makes them $38 apiece. Not really that much more than the insecure Wyze cams when you think about it. These are small cubic cameras mounted on a pivot base so you can rotate them into any position you need. The software will accommodate being mounted upside down if that's a requirement for you. Now these two cameras will replace two cameras that, as I mentioned, face outdoors but live indoors. One is mounted at the top of our front window and watches for people coming up to our front door. The second indoor-but-looking-outdoor camera is mounted very cleverly. It took Steve, Kyle, and me to get this working, but Steve wanted it to be stuck up against the glass of our garage door looking outward. When the garage door is closed, it gives a nice wide-angle view of the driveway. And when the door is open, we can tell because we're looking at the ceiling. The tricky bit was figuring out how to run the cable so it didn't get tangled up as the garage door opened and closed, but with some clever mechanical engineering, we got it working. One caution if you try this method of buying indoor cameras to look outward: you need to disable the infrared light for night vision. Turns out that light reflects off the glass and makes it impossible to see outdoors at night.
The advantage of using indoor cameras to look outdoors is you can buy cheaper non-weatherproof cameras and easily plug them into indoor power. Because the Wyze cams were so inexpensive, Steve mounted a third one outdoors on the corner of the house, also looking forward from our house. He snaked the power indoors beside the garage door and figured if it didn't last outdoors, it was only out 25 bucks. As it turns out, the Wyze cam weathered our rainiest year ever. But my plan was to put it in the bin anyway. To replace it, I bought the Eufy Security Outdoor Cam E220. However, I bought the wired version so he would be able to do this snaking of the power cable into the garage thing, and it should have worked, except when I started to work on it after I got it on our network, I realized it wasn't HomeKit compatible. So remember what I said about watching out which model you buy? The Outdoor Cam E220, which is wired, is not HomeKit compatible. So we're trying to figure out what to do about that; for now, that Wyze cam in the corner is gonna live another day. I said earlier that I would explain why I chose Eufy to replace the Wyze cams. The main reason is that they're reasonably priced cameras that are also HomeKit compatible. There are a few reasons why that's important to me. My theory is that companies that have to go through at least a wee bit of vetting in order to qualify to be inside HomeKit might be a little better security-wise. Also, when you move a camera into HomeKit, many of the controls for the cameras are removed from the vendor's application and moved over to HomeKit. When you have a security camera, you'd really like to be able to retrieve footage from the camera if something unfortunate were to happen, such as a break-in. You can put an SD card into most of the cameras and hope the thief doesn't steal the entire camera, or you can pay a fee to the camera company to provide you with cloud storage of your videos.
But you're trusting them to store your videos securely. Turns out there's another way to store your streams in the cloud, and it may not cost you any extra money. If you're already paying for iCloud Plus, you can use HomeKit Secure Video. In December of 2022, Bart, in one of his Security Bits segments, outlined some real concerns about how Eufy stores its videos. And he also explained that using HomeKit Secure Video was the solution to protect your personal videos. This is why I'm okay with using cameras from a Chinese company. Now here's a little blurb from an Apple support article about HomeKit Secure Video. It says: Record video. If you subscribe to iCloud Plus, you can view the last 10 days of activity from one to an unlimited number of cameras. The 50 gigabyte iCloud Plus plan supports a single camera. The 200 gigabyte iCloud Plus plan supports up to five cameras, and the two terabyte iCloud Plus plan supports an unlimited number of cameras. Note, video content doesn't count against your iCloud storage limit. Well, for the last year or so, we've had our four existing indoor Eufy cameras in HomeKit and it's been lovely. One of the coolest things I discovered recently is that you can view all of your Eufy cams on your Apple TV using the Home app. I feel like I'm running an official security service with this grid of cameras. All right, now that maybe you're sold on this idea, I wanted to walk you through a little bit of the Eufy cam setup process. At first, I took screenshots of every single step, but to be perfectly honest, I don't think you're gonna need a lick of help. You install the Eufy Security app on your iPhone or iPad, click the plus button and choose what kind of camera you have from the list. They even give you pictures, so it's not hard. Once you're in the right device family, you'll see pictures of the specific cameras and you choose the one you have.
The C120 I purchased is a 2K, not 1080p, camera, and that's gonna become important later in the story. You add a new home name or add to an existing home, and you're ready to follow the step-by-step instructions in the Eufy app. Plug it in, wait till the light turns blue, scan the QR code on the bottom of the camera. Now it took me a few tries to get the camera to recognize the wee tiny QR code, but it eventually found it. Next, the on-screen instructions tell you to hold down the sync button on the back of the camera until it beeps. And again, they give you a picture so you know which button to press. I really love that. Now the app will ask for access to Bluetooth to connect to the device, and then it'll show you a list of the Wi-Fi networks it found. It says quite clearly to please select a 2.4 gigahertz Wi-Fi network. Like many of us, I have a mesh network, mine is from Eero, and it's a little tricky to get to just the 2.4 gigahertz radio. In the Eero app, buried under Troubleshooting, you'll find a way to disable the 5 gigahertz radio for 10 minutes. But I decided to test Eufy to see if I really needed to do that, and I charged ahead with my combined Wi-Fi radios. Eufy came through like a champ and immediately connected to my Wi-Fi after I gave it the password, so you don't need to disable the 5 gigahertz radio. As soon as I connected to my network, I heard Steve say, hello? But he wasn't home. It was coming out of the camera. You see, when my camera joined the network, he got a notification from the Eero app. He tapped into the Eufy app and started watching me. Freaked me out a little bit, but it was good to see it was working, and he had fun freaking me out. Once the camera's on your network, the Eufy Security app will start to help you walk through some of the settings, like how you wanna get notifications. It'll also bellyache about the fact that you don't have a microSD card installed and offer to sell you some cloud storage.
I suggest you just skip over these steps if you're going to enable HomeKit Secure Video. Before you can put your cameras into HomeKit, you need to enable Home in iCloud. On your iOS device, open Settings, tap on your name, and then select iCloud. You'll have to select Show All because they fold up the list, and it'll drop down all the different apps and one of them is Home, and then you can toggle it on. I assumed at this point I would need to do something in HomeKit to pull in the cameras, but it's actually the other way around. Eufy has to give the cameras to HomeKit. For a given camera, when you see the grid of them in the Eufy app, tap once to see the gear, go into Settings, and then under General, you'll see HomeKit Portal and then Add Accessory. This is the piece that was missing on that outdoor camera I bought. I kept looking and there was no HomeKit Portal. Anyway, at this point, the Eufy app will explain some of the downsides of moving the camera into HomeKit. Now remember I said these cameras I bought were 2K cameras? Turns out Apple only supports 1080p for HomeKit cameras. I suspect it's because of the size of higher-resolution videos, since you're not paying extra to store them in iCloud, but you'll also lose some more Eufy features like on-device AI, sound detection, and pet commands. The pet commands are kinda cool. You can point a camera at your living room, define, say, the couch as a pet zone, and then if your dog jumps on the couch, the camera will automatically play back a recording of you and your voice saying "Down, Spot," but you don't get to do that if you put your Eufy cams in HomeKit. You'll also lose activity zones, which are areas you define in the field of view where you wanna monitor for movement. It's super helpful if you, say, got a tree that's constantly moving in the wind and you wanna kinda work around that. But don't dismay about losing this feature, because HomeKit itself supports its own activity zones.
Before I enabled HomeKit Secure Video for my Eufy cams, I'd enabled video storage on my Synology using a capability built into the Eufy software. Unfortunately, NAS storage is also disabled if you use HomeKit to manage your Eufy cams. It's a good trade-off for me to have storage in the cloud, but if you're using NAS storage, that's something to consider. And finally, remember that we have the option of using a microSD card on the Eufy cams? Yeah, HomeKit can't access the SD card's clips. It really does sound like Apple sandboxes the cameras inside the walls of your HomeKit home, and that's comforting to me since these cameras are from a Chinese-owned company. Now, the rest of the steps are the normal ones to add a device to HomeKit. You know, you name the device, you tell HomeKit in which room you're gonna place the camera. Now, as the Eufy software did earlier, HomeKit will start asking you questions regarding under which conditions you'd like to have streaming and recording take place. I like the granularity in HomeKit. You can set recording differently when you're home versus away, since it knows where your phone is, and you can decide whether it's when nobody's home versus just you aren't home. When you're home, maybe you wanna be able to stream on the fly, but you don't want every little thing you do in your home recorded. When you're away, you might wanna stream and allow recording. This way, if the cat sitter is there, you'll have a recording to make sure they showed up, but you can also just stream to watch your cat sleep. There's also an option to detect activity, but it can't actually stream and record with this selection. It can, however, use activity detection to trigger automations and send notifications. I haven't fooled around with that setting yet. In HomeKit settings for each camera, you can select whether to record when any motion at all is detected, or you can toggle on specific items, such as whether people, animals, vehicles, or packages are detected.
HomeKit Secure Video even enables face recognition if you choose to enable it. Once enabled, you can see a list of recent times it recognized people, along with these tiny, tiny little thumbnails, and it's astonishing how well it recognizes us from these images. The one thing Steve and I have struggled with in setting up a new Eufy cam in HomeKit is how to manage the notifications. Our existing Eufy HomeKit cameras don't bother us very much, but the new one pointing out the window was sending us notifications like crazy. We set up zones, and you can do multiple zones by tapping on the screen to draw geometric shapes, but it still kept notifying us. We shut off vehicle detection because of all the cars that go by our house, but the notifications continued to pour in fast and furious. We noticed there's also a toggle for notifications over in the Eufy app. It was toggled on, and even though it says it's not able to do much, we turned it off. Now we're not getting any notifications at all, even when we have person detection on and I'm waving my arms around like crazy in front of it. That was true for a while, but I was just noticing today, I talked about this earlier, but I was walking around in front of it, and all of a sudden I got a notification that there was a person detected. So maybe it is working now. And I know we'll get the hang of this, but one of the downsides to having this many controls is it's kind of hard to tell which one's controlling things. At first I had trouble getting the video recording working as well, but while we were away on a little vacation, it recorded video when my cat sitter showed up. So I think it is working, but it was surprising that it didn't seem like it was working. So if it doesn't work right away when you get it set up, just give it a couple of days. I think it's better.
All right, since I replaced a 1080p Wyze cam with a 2K Eufy cam that was downsampled to 1080p, you might be wondering, how does the video compare, about the same? Before removing the Wyze cam from its front window view, I put the Eufy cam right up beside it and took screenshots of both cameras' video. The improvement with the Eufy was remarkable. The main problem with the Wyze cam was that it looks super pixelated, as though the image was moving far too quickly for it to keep up. And this is kind of like a static view out my window. To be fair, the Wyze cam was pretty old, so it's possible their newer models have faster video processing, but I'm super happy with how good the Eufy cam video looks. The other screenshot I took was the Eufy cam at night. Remember I mentioned that if you're gonna point out a window, make sure to turn off the night vision mode? With the Wyze cam, the IR light just blew out the view completely. The effect of the IR light in night vision mode on the Eufy was different, and yet still made it impractical to use. I looked at the camera view at night and I accused Steve of mistakenly putting the camera behind the blinds rather than in front of them. You see, in the Home app, I could see the back of the blinds perfectly. When I accused him of placing the camera incorrectly, he laughed and he said no, that's the night vision light causing that effect. I literally did not believe him. He suggested I toggle night vision off, and sure enough, the outdoors came perfectly into view and the video was fabulous even at night. This optical illusion caused by night vision mode was fascinating. By lighting up the glass with an infrared light, all the camera could do was see its own reflection, which included the curtains behind it. Well, the bottom line is, I'm really happy that Eufy supplies a camera that I can wrest from their control and put into HomeKit Secure Video. The video quality is fantastic and they're very easy to set up.
I just set up this fifth Eufy recently, and I did crack the code eventually on notifications of recordings, but like I said, it took a little while. At $38 apiece in a two-pack, I think they're a good solution to replace the Wyze cams. I am bummed that that Outdoor Cam E220 wasn't HomeKit compatible, but we'll figure out a solution for that. Now, if you're a HomeKit user and an iCloud Plus subscriber, you might wanna look into Eufy for your security cameras inside and outside of your house. All right, one last thing. You can find Eufy cameras on Amazon and at Best Buy, and if that's an easy way to go for you, you go for it. But if you wanna help me out, I have a referral link in the article you just heard, and the referral link is inside your podcatcher along with all of the others I use. But you don't get a darn thing out of using this referral link. I get a $40 Amazon gift card if you spend $200. In the Programming By Stealth podcast I host with Bart Busschots as the instructor, we've covered a lot of different programming concepts. One concept we covered twice is test-driven development. We covered it twice because the tool that was available the first time we covered it, called QUnit, was far too cumbersome, and when a tool called Jest became widely popular he covered it again. Quite naturally you may be wondering, why are you bringing up a programming topic outside of Programming By Stealth? It's because I wanted to tell you a story of what happened when Helma from the Netherlands came to visit Steve and me, and it has to do with test-driven development. When Helma told me she was coming to visit for about a day and a half on her way to an origami convention in San Francisco, I started asking her what she'd like to do while in the Los Angeles area. We have such a broad set of cool things to do, I wasn't really sure what she might want to do.
I explained we could go to the Getty Museum, which is high above the city giving extraordinary views of the coastline, and I hear there's like art inside. Anyway, we could maybe hike to the Hollywood sign, which is a tradition for us specifically with people from other countries. Klaus Wolf came here from Germany and he said, I want to hike the Hollywood sign, and that's where that started. We could go down to the beach for a walk and talk. We could go out to a cool restaurant. The Museum of Modern Art is right next to Disney Hall, and that's pretty nifty to look at too. We could drive up into the city of Palos Verdes and look at multi tens of millions of dollars homes. I gave her all these different things to choose from, and you know what she said she wanted to do? She asked, kind of apologetically, could we just stay home and program together? Why yes, Helma, we could do that and I'd love it. Now you may not remember that Helma is the third listed author of the book we published called Taming the Terminal, based on the podcast series by that name. Bart had written all of the blog posts as tutorials for the series. I produced the podcast and I was of course that invaluable stooge in the front row asking questions, but it was Helma who figured out how to programmatically turn this set of blog posts and audio files into an actual book. She is amazing. Over the years we've scheduled many a play date over the interwebs where Helma helps me with my Programming By Stealth homework. Programming is the basis for our friendship, so why wouldn't we do that when she was here? Now I did drag her down to the beach for walks on both days, but after some healthy exercise and a couple of cups of coffee we sat in the kitchen and coded for hours and hours, and it was so much fun. Now that you can picture two little nerds spending their precious time together coding, I wanted to tell you why test-driven development was such an interesting part of our time together.
I promise I am not going to get into all the nitty gritty of programming, and I think I can explain this in a way that will be interesting to the non-programmers of the audience. I decided a while back to write a program that would help me add elapsed time. Excel, Numbers and Google Sheets can all add time, but they do it on a 24-hour clock basis, so if you ask these tools to add, say, five hours to 23 hours, instead of the expected 28 hours it'll return the answer of four, because they think it's 4 a.m. These tools think 23 hours is 11 p.m., so when they add five hours to it they give 4 a.m. Now I covered this problem extensively in a blog post in 2018 and then again in 2021. While you can beat these tools into submission and coerce them into adding and subtracting elapsed time, it is not pretty. Now Bart says the best programs are the ones that scratch your own itch, so armed with the tools Bart has taught us I've gotten to scratching. Imagine you're me and you've been slaving away at your keyboard for months and months and months, and you finally have your little time adder app up and running and you decide to show it off. I sent my little web app off to a couple of people, and pretty much the first thing they did broke it. Well, that's exactly what I wanted them to do. My process has been to try to think up every weird thing a human might accidentally do, but my imagination just isn't very good at thinking these things up. When I asked Bart, how do you think up all the weird things somebody might do? He said, decades of experience. Well, until I get those decades of experience under my belt, sending my code to other people to break works quite nicely. However, this isn't a very robust way to test the code after I make changes. I'd have to keep torturing my friends and followers to try to break it again.
When Helma flew over 5,000 miles around the globe to come sit in my kitchen and code with me, we decided to work on a way to help me robustly test my code as I work on it. Now I promised to explain test-driven development in a way that normal humans could understand, and we're finally ready for me to give it a go. We know the problem to be solved, so we'll use my little app as an example. My time adder app is quite simple visually. It has two rows of boxes where you type in the hours, minutes and seconds you want to add together. As you type numbers into these boxes, the total is constantly being calculated at the top. You can type in positive or negative numbers, and you optionally can give each row a title. Now the people I asked to test my app tried to type in things other than numbers. They typed in all kinds of letters and punctuation and even spaces. I fixed my code so now it throws errors with these characters. For example, if you type a letter into one of these number fields, I pop up a red message that says "Numbers, you silly goose." Well, at the moment in time that I fixed the code to tell them not to type any letters, everything's dandy, but now time passes and I keep messing up my code to do other things. Eventually it's quite possible that I will do something that will break the part that says "Numbers, you silly goose" when people type in letters. Most importantly, I could break it and never realize that I broke that part of the code. The idea of test-driven development is to write tests, which are little programs in and of themselves that record what to test and how to test. For example, I could write a test that says that letters should throw an error. In the test I would also include a sample of doing it wrong, entering letters instead of numbers. If my code is working properly and the test is written properly, when I run the test it should pass if the code throws an error when letters are entered instead of numbers.
I know that sounds counterintuitive, that if it throws an error that means the test passed, but are you with me so far? Now I save that test and every other test I can think of, and when I have my code functioning properly all of the tests should pass. Now fast forward to a time when I'm working on a new feature. After I get done adding the new feature, I can rerun the tests I wrote before, and if I broke something that was working I'll know it because the test will fail. Instead of having to bug my friends and followers to try and break my code, I can reliably try to break it myself. That's test-driven development. Here's where it gets really fun. With test-driven development you can write the test before you write the code. That sounds crazy, it sounds like a lot of work, but if your test framework is easy enough to use it can be really helpful. I'll explain with another example with my little app. Now I wanted people to be able to subtract as well as add time. I thought about putting big plus and minus buttons in the interface, but I came up with a simpler way. If I allowed negative times to be entered, the math would subtract automatically. Now here's the problem. A minus sign by itself is really a dash, which is a letter, not a number. When you start to type in a negative number, you get called a silly goose before you can finish typing the number. If you added a number after the minus sign the goose error would disappear, but I was afraid people would think they weren't allowed to use negative numbers because they got yelled at before they could finish. Now also remember I said my time adder app is always calculating the addition of all the values? As soon as the user puts in a minus sign the math breaks too, because the minus isn't a number. Now before we started writing code to allow people to type just a minus and not suffer this name calling, Helma and I decided to use test-driven development in anger and write the test first.
This forced us to think about what the math should do if someone types in a minus sign. We figured, hey, minus could be the same as zero and it would be no harm. So we wrote three tests that put the minus sign in the hours, then the minutes and then the seconds fields, but we had real numbers in all the other fields. Then we told the test what the total should be for adding them all up where the minus signs would be zero. It might be of interest why we had to test the minus sign in all three fields, hours, minutes, and seconds. Why not just test it in one? Don't they all act the same? Well, the way I do the math to add up the rows of elapsed time is to add the hours from each row together and multiply that total by 3,600 so I get seconds. Then I add the minutes from each row together and I multiply that by 60 to get seconds, and then I add both of those numbers to the regular seconds from all the rows to get the total elapsed time in seconds. Finally I have to parse the total seconds back into hours, minutes, and seconds to get one total elapsed time. Now we discovered that this simple act of multiplying hours by 3,600 and minutes by 60 would actually change whether the test failed or passed. The plain seconds never got multiplied by anything, so they behaved differently. We started getting test results back where hours and minutes were calculated properly but seconds failed, or sometimes vice versa. We learned that we had to test every field to be sure no funny business was happening. Once we had our tests written we were ready to start writing the real code. It took a while to figure out how to allow a minus sign to be interpreted as a zero because we had two problems to be dealt with. When you create an input box like I have in my time adder app, you tell the browser what type of input box you want. Since I wanted numbers in the box, I originally set the input boxes to type equals number. That makes sense, right?
That makes sense until we got this idea to allow a minus sign, which isn't a number when it stands alone. Helma suggested we change the input box to type equals text. Well, that opens a whole new kettle of fish, because now you can type in any old glop and you won't be called a goose. How can we tell it to let you use text but only certain text? Enter the terrifying world of regular expressions. Seriously, regular expressions are the weirdest and yet most useful concept I've ever seen in programming. A regular expression is like a secret code, and it filters for specific types of characters. I'll explain again with our example. We know we wanna allow a minus sign, but we only wanna allow one minus sign, and we wanna allow all negative and positive numbers. In code I will not make you read or listen to, you can create a regular expression that says to allow one and only one minus sign and any number of positive or negative numbers. As we started to write the regular expression, I realized there were a couple of other characters that we could allow that might help people out. What if you accidentally entered a space in one of these little boxes? You might never notice it was there since it's blank, and it would be sad face time for you because you wouldn't know why the math was broken in the total. What do I care if you put in spaces? Why can't those also be zero? We added some more tests before we finished our regular expression. Ooh, wait a minute. What if you wanted to put in 0.5 seconds? As you started to type a decimal value, the dot by itself is a period, so that's text too. So maybe I could let a single dot through but not lots of dots. I could let them be interpreted as zero. Updates a go-go on the test to allow for a single dot. Now we're ready to write a regular expression to allow one or more spaces, only one dot, only one minus and as many numbers as you like, positive or negative.
I tried using ChatGPT to write a regular expression because I find the way they're written baffling, and ChatGPT got a little bit of it right, but it was wrong enough that Helma wrote out most of it for me from scratch with the aid of the tool at regex101.com. Now personally, I think having someone else write your regular expressions for you is the only way to go. I've even tricked Allister into writing them for me too. Well, what's that you say? You really do want to know what this regular expression looks like? All right, you asked for it. Here it goes. The regular expression that allows all this to happen is: open square bracket, space, close square bracket, star, a pipe, which is that vertical line, minus, question mark, I think that's called a forward slash D, star, open parentheses, forward slash dot, forward slash D, star, close parentheses, question mark. I know it looks and sounds like a cat walked across the keyboard, but trust me when I tell you that it works. This, that glop I just said, means one or more spaces, zero or one minus sign, zero or one dot and any number of digits. Now, when I say trust me, I really mean trust Helma and trust our test-driven development tests. The bottom line is that I had an absolute blast hanging out with Helma and nerding out. She repeatedly said she was delighted that we got to code while we were together. I loved getting my code actually working the way I wanted it, and it made me super happy to actually get some tests working so I could truly understand how this test-driven development thing works. Bart's instructions were fabulous, but without actually doing it, it never sank in until Helma and I had our little play date. If you want to play with my fully functioning but not-yet-documented time adder app, there's a link in the show notes to it over on GitHub Pages. It could be changing all the time and it might be broken from time to time, but as of the moment that I'm talking to you right now, it is fully functional. 
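The regular expression dictated above, written out, is `[ ]*|-?\d*(\.\d*)?` (the "forward slash D" and "forward slash dot" are backslashes in the actual pattern). The block below is an added illustration by the editor, not code from Allison's time adder app; it assumes the pattern is used in an HTML input `pattern` attribute, which browsers anchor to the whole value (`^(?:...)$`), and it assumes that a field which matches but carries no digit (a lone minus, spaces, a lone dot) counts as zero, as described in the episode. It then does the hours/minutes/seconds sum in the same order the episode describes, so a misbehaving field in any one column shows up in the total, which is why each column needed its own test.

```javascript
// Added example (editor's illustration, not code from the time adder app).
// Assumptions: the app's <input pattern="..."> uses the regex dictated in the
// episode, and fields that match but hold no digit ("-", " ", ".") count as 0.

// The pattern exactly as dictated: zero or more spaces, OR an optional minus,
// any digits, optionally a dot followed by any digits.
const FIELD_PATTERN = "[ ]*|-?\\d*(\\.\\d*)?";

// Browsers wrap an HTML pattern attribute in ^(?: ... )$ so it must match the
// whole value; replicate that here so the checks behave like the browser.
const FIELD_RE = new RegExp("^(?:" + FIELD_PATTERN + ")$");

function isValidField(value) {
  return FIELD_RE.test(value);
}

// Turn one field into a number. Anything that matched the pattern but holds
// no digit (empty, "-", "   ", ".") is treated as zero. Number("-") and
// Number(".") are NaN; Number("") and Number("  ") are already 0.
function fieldToNumber(value) {
  if (!isValidField(value)) {
    throw new Error("invalid field: " + JSON.stringify(value));
  }
  const n = Number(value);
  return Number.isNaN(n) ? 0 : n;
}

// rows: [{hours, minutes, seconds}, ...] with the raw string field values.
// Sum each column separately, then convert: hours*3600 + minutes*60 + seconds.
function totalSeconds(rows) {
  let h = 0, m = 0, s = 0;
  for (const row of rows) {
    h += fieldToNumber(row.hours);
    m += fieldToNumber(row.minutes);
    s += fieldToNumber(row.seconds);
  }
  return h * 3600 + m * 60 + s;
}

// Split a total in seconds back into hours, minutes and (possibly fractional)
// seconds; the sign is carried on every component so negative totals survive.
function splitSeconds(total) {
  const sign = total < 0 ? -1 : 1;
  let rest = Math.abs(total);
  const hours = Math.floor(rest / 3600);
  rest -= hours * 3600;
  const minutes = Math.floor(rest / 60);
  rest -= minutes * 60;
  return { hours: sign * hours, minutes: sign * minutes, seconds: sign * rest };
}

// Constructed sample rows covering the cases the episode's tests were about:
// a minus in each column, a blank field, a lone dot, and decimal seconds.
const SAMPLE_ROWS = [
  { hours: "1", minutes: "-", seconds: "30" },   // minus in minutes -> 0
  { hours: "-", minutes: "45", seconds: " " },   // minus in hours, blank seconds
  { hours: "0", minutes: "2", seconds: "." },    // lone dot -> 0
  { hours: "0", minutes: "0", seconds: "0.5" },  // decimal seconds allowed
];
```

One thing worth knowing about the pattern: because the space case is an alternative (`[ ]*` OR the number part), a value that mixes spaces and digits such as `" 5"` does not match at all, so the browser will refuse it rather than treat it as 5. That is consistent with the stated goal of only letting a few specific characters through.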
Well, it's panhandling time. Did you know that it costs money to produce the podcast? Servers, software and hardware are not cheap, and I actually think my time is worth a little bit too, don't you? If you get value from the investment of time and money I put into the show, it sure would be swell if you contributed to the cause by becoming a patron over at podfeet.com slash Patreon. Thanks in advance for your generosity. What's that time of the week again? It's time for Security Bits with Bart Busschots. How busy are we today, Bart? Well, it turns out we have a month's worth of news to catch up on. Did you know it's been a whole month since we did this? So yeah, lots and lots and lots of stuff to talk about. Two relatively deep dives, a lot of news. Yeah, the summer is over, silly season gone. Silly season's over. Yeah, a little bit of sort of follow-up on long-running stories. Passkeys continue to slowly march forward. Since last we spoke, Google has made passkeys their new default sign-in method for regular users, and Amazon has given the option for passkeys if you would like them. You do have to go hunting for them though, but you know, they're there and that's a pretty big company. Yeah, CVS is one of the largest pharmacies in the United States and they've done passkeys, but I was telling Bart this on the side that I don't quite understand what's going on. It asked me, do I wanna save my passkey in 1Password? And I said, why yes, I do. And it's a scan with your phone, blah, blah, blah. And then it wouldn't do it until I enabled passkeys in iCloud Keychain. And I didn't wanna use iCloud Keychain, I wanted to use 1Password. But apparently there's a glitch in the matrix and I have to in order to use it. So I'm not quite sure why that is. 
I wonder, could it be that the APIs are turned off if you don't have them turned on, and that actually the passkey did go to 1Password, but you know the way on iOS the password sharing, even though it's coming from 1Password, is happening through the OS. And this is a newly nuked machine, so maybe something about it. Should I be able to see if there's a passkey in an entry? I don't have one. Oh, it says there is. In 1Password? Yeah, it says passkey created October 24th, 2023 under CVS in my 1Password. And if your Keychain has nothing, then you're guaranteed that must be it. Because that will be, if you check Keychain Access, if there's none in there, then mission accomplished. Yeah, interesting. Well, we'll see. The other thing I wanted to explain was that when last we talked, I was complaining about passkeys getting all weird with Google and that I had this extraneous allison at podfeet.com Google account that no longer existed, and it would always get tangled up in that and get me all scrambled. When I did the nuke and pave on my Mac, all that was there was the correct Google account and now it works. Aha, okay, so wherever it was bloated, it's sort of cached somewhere in my Mac. So I have no idea how I fixed it, but it's fixed, so I'm happy now. Oh, good, excellent. Right, well, let us get into the first of our two deep dives, the iLeakage vulnerability, which made a lot of news. So the TLDR on this one, so the too-long-didn't-read: the threat is real, but at least for now, the risk is low. So unless... To whom? To regular folk. Oh, okay. So if I were working for the US government and might be of interest to the Chinese government, I would not consider the risk to me low, but the risk to us regular folk is low. At least for now; we shall see how this evolves. So that's the TLDR. So with that out of the way, what actually happened? 
So we have talked for a decade, I think, about speculative execution, ever since Spectre and Meltdown first crossed our news feeds all those years ago. And most of the time, speculative execution is only a big concern for cloud vendors or other sorts of shared computers, because the problem happens when two things are on the same CPU and data can leak between them. So if you're running, say, Allison's virtual machine for podfeet.com and Bart's virtual machine for bartb.ie, both on DigitalOcean, and if they were to share a CPU in DigitalOcean's cloud, then theoretically your VM could see data from my VM through speculative execution. So the cloud vendors have all been forced to disable multi-threading and halve their capacity in order to protect users. So this is a big deal for them. But for us home users, most of the time, the only reason it would be a problem is if your machine had malware; then the malware could interact with your other processes through speculative execution. But my argument has always been, if your machine has malware, why bother with the difficult task of speculative execution? You already have malware. It should be: if you have malware in your system, full stop. Yeah, exactly. So I've never been all that stressed about speculative execution for home users. But this one is a little bit different, because this one is a combination of speculative execution with a very deep understanding of Safari, and the attackers have conceived of a way to make two browser tabs interact, leak information between each other. And so the attackers can use JavaScript to, you need to visit their website and they need about five minutes of your CPU time to get themselves all set up for the leaking of the data. It needs to be a page that stays open for a long time. And then they can start to quietly use JavaScript to make little hidden tabs with, say, your Gmail and then read the content of your Gmail, and then maybe your YouTube and read the content of your YouTube. 
And so they can use JavaScript to make multiple processes share the CPU. And so normally the browser stops two domains talking to each other, right? So JavaScript running on Google can't talk to JavaScript running on bartb.ie. It's called, you know, that's fundamental to the security. But the data is leaking through the CPU. And so because Safari has the two tabs sharing the one CPU, the data can leak if it is an M-series or an A-series chip. So this is Apple-specific speculative execution this time. So when it's an A-series, it's the iPhones and iPads and the M-series. Well, some iPads, and the M-series are some iPads and all the newer Macs. Correct. So basically everything but the Intel Macs. And it is very much leveraging a quirk of how Safari works. So this is not a generic attack, it's very much a Safari attack. And the attackers themselves describe it as very difficult to pull off, which is why they're saying, you know, unless you're a very high-value target, it's not panic stations here for regular folk. But nonetheless, over time, attacks only get better, they never get worse. So this is going to become more of an issue. But there are a few silver linings here. So first and foremost is that Apple already have a fix in development. In fact, they've had it in development for a while. So we know that there is a secret menu in Safari called the Developer menu, which you can turn on by going into preferences and ticking a tick box. There's a super-secret menu called the Debug menu, which you can't turn on in preferences; you can only turn it on with a terminal command. And then you get a new menu that appears in Safari. And in the Debug menu is an option that is disabled by default, which Apple have been experimenting with, for segregating tabs onto different CPUs, which removes the problem. 
So why are they burying that, hiding that in a double-secret menu? Because it's in development, and they will have a warning on it saying that they can't guarantee its stability if you enable it. So it's baked, sorry, it's baking, but not baked. That sort of seems like they're showing their hand a little bit; they're letting people bang on it. To some extent. The other thing is, I think one of the reasons it's in there is because we also know that Lockdown Mode protects against this vulnerability. So my expectation is that Lockdown Mode does enable this beta feature; how else is Lockdown Mode protecting users from this exploit? Hmm, okay. So that's the really big silver lining actually, I've somewhat buried the lede here. So if you're important enough to be a target of this attack, you should have been running Lockdown Mode from the moment Lockdown Mode was released, which means you should have been protected from this vulnerability before we even knew the vulnerability existed. Right, right. So hopefully Apple get this fix they have in beta all the way through to the production Safari for everyone. And if you're the kind of person where this is a danger to you, you should be in Lockdown Mode anyway, but now you've run out of excuses. Turn on Lockdown Mode. Okay. So that's our first deep dive. We won't worry our pretty little heads about it as general people, but it'll be fun to see when they get it fixed. I'm sure you'll let us know. I will. Another thing, of course, that could happen is the attack could get better, in which case I will let you know that we do have to take action. But again, I'll monitor it and everyone else can stop worrying their pretty little heads about it. For now, we're fine. Okay. Okay. Deep dive number two then: iOS private Wi-Fi addresses have been fixed, because it turns out they hadn't been working as well as we thought. So we need a little bit of a history lesson here. 
I did a lot of deep diving to try to figure out how old these, there's two related features involved here, and I tried to figure out how old both of the features are. So we need to go back all the way to the iPhone 5 for the start of this story. So before the iPhone 5, your iPhone, well, your iPhone still has a MAC address for its Wi-Fi card. And that has always been true. Before the iPhone 5. And this is for those who are new to this. It's not Mac as in Macintosh. It's, what does MAC stand for? Media access controller. Okay. So every network card, if you will, has that, right? Your Wi-Fi radio, your Ethernet card has it. Bluetooth, yeah. Okay. So that address is baked in, it's unique to each network card. And so that is unique to your phone. And so before the iPhone 5, as you wandered around the streets of London or wherever you lived, your phone was scanning for Wi-Fi networks to join. And in the act of scanning, it sends out packets which say, hello, is there a wireless base station here? Hello, is there a wireless base station here? And that packet has a from address, which is the MAC address the packet came from. So people, the advertising industry, shockingly, realized they could abuse this to track people around London and have billboards show custom ads everywhere you went. Literally, the ads would follow you around because your MAC address was unique forever. And Apple got very cranky about people being spied on in this way. So with the iPhone 5, they introduced a feature that before you joined a network, so while the phone was in beaconing mode, is what it's called, it would just use a random MAC address for each beacon. So every time it went, hello, it would just pretend to be someone else. And so there was no way... You're all excited about that. We should have been. And that feature has never been broken, by the way. So that is a good thing. 
So while you are not connected to a wireless network, the beaconing has been anonymous since the iPhone 5, and that is still true today, and it wasn't broken. So that's the good news. So for a long time, it was the case that when you were beaconing, you were anonymous, but the moment you stopped beaconing, you had your real MAC address so that things like static leases on your DHCP and stuff would work. Because otherwise, if your MAC address was changing randomly and you were trying to have your Mac always have the same IP address, it would never work and your file sharing would break and people would get cranky and it would be all, you know, wow, wow, wow, right? So for a very long time, your real MAC address came out the moment you joined the network. But in iOS 14, Apple decided we can have our cake and eat it, and they added a new feature where, presumably by taking, say, the MAC address of the Wi-Fi router or something, they would make a random MAC address that was forever tied to your device on that network. So it was a once-off random MAC address that's different for every phone and every network. So your phone would always get the same MAC address on the same network, but your phone would get a different MAC address on a different network. Right. Forever. So it was still static, so every one network could give you a static IP address and stuff because you weren't changing, but you couldn't be tracked from public Wi-Fi network to public Wi-Fi network to public Wi-Fi network because you would be constantly changing MAC addresses. So again, the spying on people is more difficult, even on free Wi-Fi, where you are connected. Turns out that the implementation of that feature, which they called private Wi-Fi addresses, had a bug adjacent to it. So at the actual Ethernet level, so the Ethernet protocol is what drives Wi-Fi, and at the IP protocol level, the feature worked perfectly. The packets were addressed with the randomized MAC address. 
And so at the low-down network level, there was nothing wrong. But Apple have this legacy protocol called Bonjour, which is used for automatic device discovery. So when you turn on your Mac, it automatically shows up in everyone's Finder sidebar. How does that happen? The answer is that your Mac sends out a broadcast saying, hello, I'm a Mac and I offer all of these services. And every other Mac on the network sees the broadcast and it does the appropriate thing. It's like, oh, I see you're offering file sharing. Okay, I'll pop you in the sidebar of the Finder. Oh, I see that you're an AirPlay speaker. I will show you on everyone's AirPlay list. That's all happening with Bonjour. How does my Mac know this printer exists? It's all Bonjour. And the Bonjour... Can they change the name away from Bonjour to something else? mDNS. That's right, but Bonjour is more fun to say. We'll stick with that. Yeah, if I say mDNS, no one's gonna have a clue what I'm talking about. Yes, and Bonjour is a good name. So the Bonjour protocol happens above the Ethernet level and above the IP level; they're actually UDP packets. And inside the UDP packets of that hello, here I am, is some metadata. And one piece of metadata that had been in that UDP packet was the MAC address of the network card. The true MAC address of the network card. So if you use a network scanning tool like Wireshark, you could intercept the UDP packets on the Bonjour port, find the appropriate metadata field and pull out the real MAC address, and therefore track people from network to network. If you were doing the same scan on multiple networks, you would recognize that this is the same iPhone, even though it's pretending not to be. Okay. The interesting thing is that network tools are not going to see the problem because they only work at the lower levels. So in order to actually discover this MAC address, it's not that the MAC address is being used, it's that the MAC address is in an unencrypted packet. 
So it's a way more subtle bug than you might think from the early reporting. So you're not just going to show up with the wrong MAC address on someone's network control panel. If you go into your eero Wi-Fi, you won't see the iPhone with the wrong MAC address. You actually have to proactively become a person in the middle on the network and scan all the network traffic to seek out these MAC addresses in the metadata. So it's a little more involved than a lot of the reporting kind of implied. Anyway, they fixed Bonjour, the ancient legacy protocol that they're still relying on, so it does not embed the true MAC address in the Bonjour metadata. So they have fixed the problem, and it has taken them until iOS 17.1 to remove a problem that in hindsight has existed since iOS 14, when they introduced the feature in the first place. So does that mean if you're on 16 or 15, which are supported OSs, you don't get this fixed? It does mean that. But again, the danger here is excruciatingly low, because this is one of those nice-to-have features, because the beaconing before I connect wasn't and isn't broken. And that's the really important feature, the beaconing. So unless you have your iPhone configured to automatically join open networks, hint, do not do that. That is spectacularly dangerous for a million reasons. This is reason million and one, right? So unless you have your phone automatically joining random networks, you're safe. And even if you do, you're in danger from all sorts of other stuff because you're randomly joining other people's Wi-Fi. But the risk is that the people whose Wi-Fi you join could track you. That's the only risk. So it's a very low risk even if you are, quote-unquote, vulnerable and you do wander around connecting to random wireless networks. Okay. I'm not gonna lose any sleep about it at night, but what I was actually remembering was it changed in 2005. It used to be called Rendezvous and they changed it to Bonjour. 
Yeah, Rendezvous was a cruder name, but someone else owned it or something, wasn't it? I forget why, but okay. I need to probably get over that, is what I'm saying. I'd forgotten it was called Rendezvous. Yeah, they stuck with the French theme though. Right, right. Well, that's good. Okay. Right, so there are our two deep dives. So now let us get to some action alerts, and we have a month's worth of action alerts. So it's not that things have gone to hell in a handcart, it's that we've been slow. So we have a lot on our plate. So first off, security researchers have released details of an unpatched vulnerability in a bunch of popular D-Link Wi-Fi extenders after the company failed to respond to all of their attempts at responsible disclosure. So, do you remember when I went and met with the CISO of D-Link at CES and he was like, ah, yeah, you know, like I'm really busy. We like don't really have time to like fix these things. It was a camera that they sold that they hadn't fixed some security vulnerability on, and that's when it went, as Bart would say, into the bin. Yeah, so I'm afraid to say if you have one of these D-Link extenders, you should power it off until D-Link get their act together, or replace it. And in fact, if I may give you a bonus tip, a Wi-Fi extender halves your Wi-Fi bandwidth. So maybe now's a good time to get a mesh network. It halves your... explain that? So an extender works by basically being an echo. And so half of your bandwidth is spent telling the repeater what to repeat and then half your bandwidth goes on the repeat. So the amount of usable bandwidth for every repeater is that your network drops by half. So you get a bigger area, but you can only put half as much data through. And so I would say... So with the mesh network, they usually have a separate backhaul radio. So you're sending in with one and receiving with the other, or vice versa. You're sending it back to the main station. Exactly. So there's two channels. 
One for sending all the wireless access points what to say, and then the wireless access points can all do the saying, so they're not stomping on each other. So the relaying and the saying are not sharing the same radio waves. Not radio waves, frequency, that's the one. And yeah, you have an excellent episode with Dave or who's that with? You have a really good episode on that. It would have been Dave Hamilton. Yes. So that is why mesh is great. And so if you're gonna do anything, I would say maybe if you need an extender, what you'll really want is a mesh. Because you obviously need more than one access point, so get a mesh. In related news, since D-Link just have their copybook all blotted, they also confirmed that they leaked the names and email addresses of most of their customers. So it makes you a little bit more prone to some phishing, really. They didn't leak any payment cards, so yay. But put a pin in that little theory for later. Our friends at Arm have patched their Mali GPU driver, which rang no bells with me whatsoever. I'd never heard of a Mali GPU. Apparently they're the GPUs in lots of Android phones, which is maybe why I'd never heard of them. So if you have an Android phone and you know what graphics card is in your Android phone and the vendor of your Android phone has deigned it appropriate to give you a security update, there is a critical security update, maybe. I have no idea how to tell you whether you're vulnerable or how to fix yourself because you're on a train wreck of an operating system. With some notable caveats being if you buy a phone from Google, you get a really good experience in Android. So Pixels are great because it's... Wait, where did that come from? Where are you getting that from? Well, because the Pixel is only one vendor. So a Pixel is like an iPhone. It's Google all the way down instead of Apple all the way down. 
Whereas if you have a random phone from Xiaomi, how are you supposed to know what to do when I tell you there's a problem with any Android phone with a Mali GPU? I bought my phone, my Android phone, from Google, and then they said, yeah, it's a Motorola phone. We're not gonna take care of you on that. That is very disappointing. And I don't know if you noticed that they made it a feature of their most recent line that they're promising, was it seven or eight years? I can't remember if it was seven or eight. Of support? I think it was seven, yeah. So if they live up to that and don't do their usual Google thing of getting bored and sodding off, that would be an impressive feature. But I guess time will tell until you trust Google. But anyway, I have more nice things to say about the Pixel in a later story as well, as it happens. Very much a related story: Google have released the October Android security update. It contains fixes for zero-days. So hopefully your Android vendor is quick to give you those October patches, because you need them, and don't dawdle on them. Now, if we have any smug Linux users, your turn. Two major vulnerabilities for you to patch. There's one called Looney Tunables, which is yet another cool name for a bug. That's a, basically it gives attackers root privileges, you know, without root privileges. It's a privilege escalation vulnerability. It's quite nasty. So you browse, you know, I think this one was in media files. So you open the wrong audio or video file and all of a sudden the attackers have root. That's not good. And then in a similar vein, there was a problem in the very popular GNOME desktop system. So on Linux, you can have different desktops; you can have KDE or GNOME or XFCE or a whole bunch of them. GNOME is a very popular one, and there was a remote code execution in GNOME where if you downloaded a file through a browser, you could end up with remote code execution. So you don't want that. 
So the important part of the story is they've been patched; run the patches. That is it exactly. So whether, you know, apt-get update or yum update or whatever flavor of updating your Linux flavor has, patches are there, patches are out, and Linux is very good about getting them to people. So patchy, patchy, patch patch and you're all good. While we're in patchy, patchy, patch patch mode, if you are one of the many, many, many people who have a Synology DiskStation, we now know that the security update they released in June fixed the nasty bug that has now been responsibly disclosed. So you've had since June; if you've been dawdling, stop dawdling, patchy, patchy, patch patch, but really you should be good. And again, continuing our theme, if you live in Microsoft land, it has been Patch Tuesday some time ago as we record this. So if you have been dawdling on those Windows patches, patchy, patchy, patch patch, because we had four zero-days this month, which is more than the three we had last month, which I think is more than the two we had the month before. I'm hoping that isn't a trend. But anyway, patchy, patchy, patch patch. And finally... I used to sneer and turn my nose up at Microsoft having too many patches in too short a time. And even though it's good to be patched, it's like, oh, how annoying. I can't believe those Windows people have to put up with that. I no longer sneer at them, since we get one every half an hour and it's always everything, right? Yeah. Because they're all interconnected now. It's your Mac, it's your iPhone, it's your iPad, it's your Apple Watch. So it'll help you if you've got more than one of those. If I had listed all of the patches, there would be three links here, because we had 17.0.2, 17.0.3 and now 17.1. I've only listed the most recent ones. 
So you should now be on iOS 17.1, macOS 14.1, and there have also been lower point updates for the older operating systems and lower point updates for Safari on the older operating systems to keep your Safari patched on those older operating systems. So everyone has had at least one. watchOS and tvOS didn't get them too? Oh, they did, sorry. They just didn't make it into the headline on the SANS link. All of them. All of them. Okay, because it's watchOS 10.1 is what I'm running, and hopefully my Apple TVs are pretty good about doing their own. I'm almost afraid to show you, Allison, but since I went to 10.1 overnight, my weather is working again. I'm afraid to look away from it, but right now I have weather again on my iPhone, or on my Apple Watch. On your Apple Watch. So people won't have heard what you're talking about, but we recorded a segment yesterday that's gonna play later, and in that segment he talked about the fact that weather was gone again on his watch, and now it's back. It's back, touch wood. Not gonna look at it funny, but so far so good. I had a whole day of it and it was a very showery day. So it was great to have the warnings again to tell me whether or not to bring the umbrella. The answer is yes, by the way. I should just have a thing on my watch that says yes. Do I need my umbrella? Yes. Bart and I like to compare the fact that he's worried that he doesn't have the whether-it's-gonna-rain icon on his watch complication, and mine is the UV index. Am I gonna burn? Yeah, am I gonna get wet or are you gonna burn? They're both important. Arguably yours is more important, as rain doesn't give you cancer. Anyway, where's the warnings then? So that was our action alerts for patchy, patchy, patch patch, which is basically everyone. So where's the warnings? So there has been a very major breach at 23andMe, and it's actually quite difficult to figure out for absolute sure what's going on. 
We definitely know that people's 23andMe accounts have been broken into. It appears to be through password reuse, because the attackers are simply going in with the right username and password. 23andMe insists it's password stuffing. In other words, the passwords were stolen somewhere else and people reused their password on 23andMe. Steve Gibson is convinced there's more going on because the numbers are too big. I don't know who's right, but there's a very interesting multiplier here. If you sign up to 23andMe, they have a feature where you can try to find lost relatives by agreeing to share. Your security has now become as weak as the weakest person whose DNA matches with you. So maybe the multiplier effect is from the sharing feature only, and maybe there's nothing more nefarious than password reuse going on. Now I would argue that, like banks and Google and Apple's iCloud, 23andMe should have been enforcing 2FA or MFA for quite some time now. They hold very sensitive data in people's accounts. So I would say that they're not blameless here, but either way, if you are on 23andMe, no matter how good your password is, if you've enabled that sharing feature, you are as weak as the worst person on that platform. So disable the sharing would be my advice. So if you disable your sharing, but somebody who shares DNA with you doesn't disable theirs, theirs leaks, but yours doesn't. And they can't leak into you? Well, I mean, they can't leak your... Once you stop sharing, their bad password can't leak your genetics. Okay. So less bad, right? Okay, well, that's good, I guess. Yeah, so it's a difficult story. There's definitely bad stuff going on. 23andMe are rightly being castigated for not forcing MFA on something so, like, that's sensitive. It's very hard to find more personally identifiable information. Like what's more PII than your genetics? So they definitely deserve a finger wag at the very least. But anyway, that's going on there. 
Now, while we're wagging our fingers, the, I believe they're a budget airline. They are Spanish, they're called Air Europa, and they have had a rare kind of data breach, one where they have actually lost all the payment cards. They've lost the card numbers, the names, the expiry dates, and the three-digit code on the back. They have lost the whole kit and caboodle. And their advice to customers is, ah yeah, phone your bank and cancel your card. And that sort of... Well, that is the answer, right? Right, but not, we will give you free credit monitoring, we're really sorry. Just, ah yeah, it's up to you to phone your bank and cancel your card because we lost it. So what? Ah, this just stank to me of like, oh, come on. It's been a long time since I've had to say, and yes, the payment data is in it, because most breaches these days end with, and it only contained the last four digits of the credit card, or it didn't contain the credit card numbers. It's been a long time since I've had to say they lost it all, the whole kit and caboodle. Verification codes and all. And according to the payment standard, you're not supposed to save the verification codes. Like that's part of the standard: you don't save the bloody codes. Well, anyway, yeah, spectacular. So I know for those countries that can't have the Apple Card yet, this is just gonna be annoying, but I enabled the feature a while ago that I probably learned about from you where, with the Apple Card, you can have a rotating CVV number. Yeah, essentially a fresh card every time. It's kind of annoying because you have to open up your phone or look on your watch to get the number every time, but I feel good about it. It's the way to go. If it keeps changing, then the people can't lose it on you. No secrets to keep, much easier. The next story rather surprised me: Casio have revealed a data breach affecting customers in 149 countries. Apparently, pocket calculators now have all sorts of cloud features and stuff. 
Casio's still around. I, yeah, my darling beloved just started university again as a mature student, which is what we call old people who go to college, which I think is hilarious because he's not very mature. And he went to buy a calculator and honest to goodness, it looks almost no different to my Casio from when I was a student. That's funny. It's still the same scientific calculators. Now his screen has higher resolution and it can do graphs and stuff. And then he had to go buy a second calculator because he's not allowed to use the nice Casio in exams. So now he has a really crappy one with a terrible screen with no features. From our, it's an own brand from our local supermarket. It's a Tesco's calculator. Why doesn't he just use the calculator on his phone? Oh, probably can't use his phone. Can't use your phone in exams either. That is uber verboten. Yeah. That's funny. When I think of Casio, I think of Steve had a Casio digital watch, you know, when that was all the rage, and he needed a battery replaced and he took it into like JC Penney or something like that. They had a little jeweler who would pop it out and put in a new battery. And the guy's putting in the, taking the screw out, and all of a sudden we saw him just kind of look up and start looking around and then brushing his clothes and looking on the floor, and he'd lost the little screw. They're very small. So he found another screw and he put it in, and then he turns the watch over and the screw was too long and it cracked the LCD. So he broke the watch. So it's okay, no, you know, we'll cover this. We'll cover the repair. We'll send it off for repair. They send it away. The place they sent it to got flooded and destroyed the watch. No, no. Chris Casio. As a kid, there was only ever the one guy in the school who had the Casio calculator watch and everyone was jealous of that guy and it was not me. I always wanted the Casio calculator watch.
Why I particularly needed to calculate on teeny tiny buttons no finger could use, I have no idea. But I definitely wanted it. You're a nerd. Yeah, exactly. And then they really helped themselves. Didn't they also have the TV remote watch? Wasn't that Casio as well? You could change the channel. And by the way, I meant nerd in the most complimentary way; in our world, that's a compliment. Absolutely. Anyway, so they've had a data breach. From what I can tell, the biggest risk there is phishing. They did not lose payment card details. So that is good. Okay. There has been a massive international campaign of SMS based phishing. And what they are doing is spoofing major national postal services. So UPS in the United States, but it's actually over multiple countries. And NL Post was in it. So Helma is potentially in the firing line. And An Post, the Irish Postal Service, was one of the 12 nations on the planet whom the attackers went after. And this podcaster here got three of them. Steve got one. Yeah, while I was expecting deliveries. Oh, that's interesting. Now, luckily I checked the domain names where I land on things, because always check the final domain name where you land on things. And the domain name was anpost.secure.com or something. It's like, hang on, An Post is not the last thing on that domain name. This is fake. And indeed it was. Right. And so watch out, if the Postal Service wherever you are says something couldn't get delivered and you probably owe them a small fee. It was a customs fee, this one. You have a delivery. If you do not pay the customs, we will return it to sender. You have one day remaining. Click this link to pay. And yeah, it was secure-pay.com or something like that. And then the name of the Postal Service before the other domain name. Anyway, your typical stuff. But they did a good job of faking all the graphics and stuff. They had really gone to town on being a fake Irish Postal Service, and other countries too.
Finally, if you're the kind of person who leaves ads enabled, don't click on any Google ads, because there is an absolute explosion at the moment of malware successfully spreading through poisoned Google ads. So the attackers are succeeding in placing ads for popular software. The first one that made the news was KeePass. So K-E-E-P-A-S-S, which is an open source 1Password alternative. You need to self-host the backend and stuff. But if you're the kind of nerd who wants to own everything from the ground up and have nothing to be trusted by a third party, KeePass is, you know, you have to do the appropriate amount of work for I'm hosting it myself. But it is a good option for the kind of person who wants to own everything from the ground up and run their own servers and things. Anyway, that was taking you to a fake KeePass site, which was using Punycode, which allows you to have odd letters in domain names. So they were able to have a letter that wasn't a K but looked like a K, being the K for KeePass in the domain that the Google ads took you to. And they completely copied all the icons and the logos and stuff. And they let you download a copy of KeePass that did work and contained the virus. And that was the first news story. And then it turns out that the attackers decided that, oh, this is working so well, we shall expand. So Notepad++ and a whole bunch of other PDF readers and stuff are now in the mix as well. And Google do seem to be trying to shut them down, but they seem to be finding ways back around. So at the moment, the attackers appear to have the upper hand on this one. So don't click on ads, basically. Moving on to notable news. A lot has happened in the last four weeks. So just in case you needed a reminder that if you have, say, a NAS or a router or any other device you plug into your network that has a web interface for configuring it, do not expose that web interface to the internet and absolutely positively do change the default password.
A scan of the internet by a security company found 40,000 router admin portals where the account and the password were admin admin. On the public internet. That reminds me of when I went to my friend's house and they were having trouble with their network, and I was trying to explain to them that Wi-Fi doesn't go really well through refrigerators. And they were like exactly on the opposite side of a refrigerator, but I ended up dragging a wire over it and I said, well, let's just log into your router and figure out what's going on. And they said, oh, we don't know what our router password is. So I typed in Verizon Fios router password and it said, oh, it's admin and admin. And it was. So yeah, don't do that. That was a few years ago. I was hoping those were gone by now. Yeah, apparently there are still 40,000 of them at least sitting out on the internet. So there we are. Security researchers, it was Pwn2Own. It's always fun when Pwn2Own is on. So the Pwn2Own contest is where hackers hack things, responsibly disclose how, so the vendors can fix them before revealing how it was done. And the gimmick is you get to keep what you hack. So pwn is code word for hack; to own, to own it. So Pwn2Own, so if you hack an iPhone, you get to have an iPhone. If you hack a laptop, you get to have a laptop, et cetera. So the Pwn2Own competition was on. The iPhone 14 and the Pixel 7 remained unscathed. No one successfully pwned either of those two phones, hence me saying nice things about the Pixel 7. The Samsung Galaxy S23 was literally hacked four ways from Sunday, literally four times. So this was before the 15s came out, apparently. I must have been, actually, yes, it was earlier in the month because it was right near the bottom of my RSS reader. So it must have been earlier. Okay. So anyway, that was interesting. The iPhone's been hacked before though. Oh, yes. But this year, the two flagship phones from Android and Apple are doing well.
So that means that they're upping their game. I would say Pwn2Own is somewhat responsible for these things getting better. Yeah, that's interesting. I would say so. I don't see how it could be making anything worse. It's basically a very high profile bug bounty with a whole bunch of street cred as well as money. So, well, good. And the responsible disclosure being a condition of the competition is just such a nice feature. So that makes me very happy. Less happy news, a reminder of why we need passkeys. So we have talked a few times about the fact that it is possible, if you do it in real time, to bypass many forms of two-factor authentication and multi-factor authentication by, in real time, getting the person to give you the code instead of typing it into the browser themselves. So it involves paying someone in a low-income country to simultaneously attack the person in real time. But that's now available to buy as malware as a service. It's called EvilProxy, because they're not hiding what they're doing. So you can buy EvilProxy to get real-time man-in-the, basically person-in-the-middle attacks against MFA. Although we now have a new acronym to be more gender-appropriate, it is now AITM, Adversary in the Middle. So AITM is now what we say instead of MITM. Yeah, I've been looking for it. We've been trying to come up with that. Adversary in the Middle, A-I-T-M. That's certainly okay. Anyway, this is real and it is happening to large US corporations at the moment; it's being used against executives. The idea being, if we can get into your corporate email, we can then do a business email compromise where we send an email saying, by the way, our vendor just called and we have to change the bank details before the big invoice goes out next week. That kind of stuff. And so that is now, because again, follow the money. It's worth paying hackers $20 per attempt if you can get a $20 million transfer 1% of the time. Right.
So this is a toolkit that they're selling to hackers to allow them to do this? Yeah. So basically they're paying for someone in India or somewhere in a call center to, in real time, phish people's codes and use them and give access to the bad guys. Sorry, baddies. I'm trying to be gender non-specific. Baddies, goodies, and adversaries in the middle. So that's happening, unfortunately. No slam on India. Yeah, none intended. Exactly, it's one of those things. Some place other. Yeah. Now, I think we now switch all the way to good news. I think it's all good news from here. I hope so. Good. Oh, no, sorry. Sorry, I'm jumping the gun. One other piece of bad news. A report has been released by the US Department of Homeland Security's Inspector General. They confirm that, quote, CBP, ICE and the service, sorry, the Secret Service did not adhere to privacy policies or develop sufficient policies before procuring and using commercial telemetry data. Translating to English, the Department of Homeland Security and their subsidiaries illegally purchased location data from people's phones and used it to track people, contrary to the law. The Inspector General made eight recommendations. DHS will be doing six of them. One of the eight was don't buy any more until you do the other seven. One of the ones they have said no to is they don't do anything until you fix the other thing. So they're gonna keep doing what they're doing now, even though it's illegal, technically speaking. And they're going to retroactively do the six things and then there's one more they're just not going to do. So, interesting. And for those of you who don't speak Americanese, CBP is Customs and Border Patrol and ICE is Immigration and Customs Enforcement. And why do you need two agencies for customs? Do you collect customs twice? Sorry, that just struck me now. Those two acronyms, why do they have a... I'm sure they have different responsibilities.
ICE is the ones you think of as breaking down the door to grab you and drag you out of the country. And Customs and Border Patrol is the people you think of that are terrifying as you come into the country, who look at your passport and tell you what to do. But I have no idea if that is the technical definition of the two organizations. It is certainly a subset of their duties, but yes, I don't know what else they do. The next story starts with the timing right now. And I do not mean to disparage any of the people performing those duties. Yeah, they're not making the... Well, if they're high enough up to be making the policies, I will feel free to disparage them. But the people on the ground doing the hard work, no disparagement from me. Exactly. I worked in government institutions. It is not easy. It is quite difficult. Anyway, if you are the kind of person who buys things from social media, whether that be from influencers or from ads, you should probably be aware that despite the fact that we think the rate of reporting is 5%, we know for a fact that in 2021, $2.7 billion, with a B, US dollars was lost to fraud on social media. So it's probably 20 times that. So don't buy stuff on social media. You are likely to get an empty box or a box with a brick. So, boy, the ads are really good, Bart. They're really, really... I mean, they're often, I mean, especially like TikTok ads and Instagram ads, they're really effective. When you think about ads on websites, you think blaring in your face, annoying. But when you're on TikTok and you see somebody using like this special scrub brush and they're getting the grout clean in the bathroom, it's everything I can do not to reach for my credit card and buy it. I mean, they're really, really effective ads, because there's somebody who, maybe even somebody you're following who's done a bunch of funny stuff or music or whatever you like, and then you're like, oh, well, you know, I know I can trust them.
I bet that's a good thing. And I'm sure the vast majority is real. But that doesn't mean you aren't gonna end up with an empty box. Yeah, or a box with a brick is usually a classic. Weighs the right amount, only it isn't what you think it is. Okay, now we're done with the bad news, because my next two stories have fire extinguishers. So that must be the turning point. So there was a rumor that there was a zero-day bug in Signal. The Signal people were very quick to say, absolutely positively not. We have double checked everything from top to bottom. We are continuing to double check everything. There is absolutely no sign of any problems whatsoever. That was fake news. So if you heard something about a nasty problem on Signal, it was fake news. And also fire extinguisher, different type of fire extinguisher, 1Password very responsibly disclosed the fact that they were caught up in a data breach at a company called Okta, who are like a provider of multi-factor authentication for companies. So they're like, you outsource multi-factor to Okta. And Okta was behind the multi-factor for support forums for 1Password. And 1Password noticed something weird and shut it down immediately. So no actual damage was done to anything, but in the interest of transparency, 1Password disclosed the fact that they discovered something weird and stopped it before anything went wrong. So that to me is the ultimate two thumbs up. But a lot of the reporting was like, 1Password discloses incident, or 1Password caught up in Okta breach. And that is factually true, but it implies a problem as opposed to a good news story of 1Password being on the ball enough that they spotted it and nipped it in the bud, and all is well. So that gives me faith in 1Password. And of course, related to it, they never said they might not lose data. But we trusted them that it would be okay if they did. Yeah, and they didn't even do that, right?
So we're not even in the region of, and their vaults are properly encrypted, unlike some people's. So anyway, all good news. It does obviously tell us that if you are running a company and you use Okta as a provider for your company, you probably have some work to do to make sure you're not caught up in the Okta breach. It shouldn't affect regular home users too much though. Now, I was very happy this month to hear two pieces of news out of Microsoft, because for years now, two technologies have been used to hack people's Windows machines at home and at work five different ways from Sunday because of legacy technology that just will not die. It's not dead yet, but the end is in sight. Microsoft have deprecated VBScript. It is being turned into a feature on demand, which means that if you really want to use VBScript because you've written some macros 20 years ago that your entire company depends on, you can still run VBScript for a while, but it's not going to be a part of Windows in the future. So you'll have to go fetch the insecurity instead of having the insecurity delivered for free as part of the OS. So why are you so excited about a feature that people really liked being deprecated? Well, because it's been utterly replaced at this stage. VBScript is very, very legacy. There hasn't been an update to VBScript. I believe it was 2016 was the last time VBScript got an update. It's with the death of IE 10, all but the most legacy weird systems in the bottom of a joint big industry somewhere have gone away from VBScript. So it shouldn't be affecting any of our listeners. None of our listeners should want VBScript at this stage, because PowerShell and everything else has replaced it, or Excel formulas, or it's very, very, very legacy now and massively abused by malware, massively abused by malware. Another feature that is ancient, it's so old it predates Microsoft. It goes back to, oh, what the heck was this? I've forgotten the name of the company now. They did network-y stuff.
Was it Netware or something? Microsoft bought them to make Windows NT. Oh, I don't remember who that was. Oh, my God. Anyway, bloody ancient. They had a protocol for authentication called LAN Manager, which became Next Generation LAN Manager, or NTLM. It is colossally insecure, uses terrible hashes and is the bane of security people's lives all over the place. And for home users it's a problem too to have these NT LAN Man hashes lying around. Microsoft are killing it, replacing it with the industry standard. So not Microsoft specific, but the industry standard authentication protocol Kerberos. So Kerberos gets a nice big update from Microsoft. So they're spending money on an open protocol, yay, and NTLM goes away, double yay. So bright futures there on those two fronts. And I figure since we're saying nice things, we may as well add one more. The audit logs in Office 365 are being extended in length. I think it's being tripled, no, doubled, sorry, doubled. So that it's easier for corporations to retroactively see if security vulnerabilities you would discover later affected you before they were discovered. And this is on foot of the Chinese government having been discovered to have hacked into US government Office 365 tenancies a few months ago. And they weren't able to get as much information as they would have been able to had the audit logs gone back further. And one of the things Congress asked, I think it was Senator Wyden asked, was can we have more logs please? The answer is yes, you can. Everyone can, logs for everyone. So, oh good. Now, nice things about Google. I promised you more of those. Google Play Protect has gotten a nice update. The main thing to say is that they have found new protections against advanced techniques that are currently being used by the attackers. So the cat is now beating the mouse. And these protections extend to sideloaded apps. So better antivirus on Android and protecting sideloaded apps as well as Google Play apps.
So that is, I think. What are they doing there? If you have the Play Store. Detection on the device. Yeah, so the Play Store on your device runs antivirus that scans all software on your device, whether or not it came from the Play Store. Why don't they just run the malware stuff on their own store before they let you have it? Well, because this, well actually no, they're detecting malware that changes after it's downloaded. So they're now protecting from, this is now a new trend where you download the app and it's completely legitimate and then it uses either a time delay or it goes and fetches something from a server and becomes malicious after the fact. So the malicious code wasn't there when you loaded the app to the store, but it comes later. It's called dynamic malware. And so now they're protecting against that as well. So that would mean the hash, though, of the real software is not the same. Right. Well, I guess it's unique malware. So it's not like this is a copy of Excel. It's an application to turn on a flashlight or something, and you don't know that it's got malware in it to start with or it's going to download malware. Exactly. So these are always throwaway apps. So it might be like every PDF reader and you download it and for three months everyone's downloading it and it's showing them all their PDFs, and then it detonates. And then from that point forward that hash becomes marked as bad. But at this point, it's been downloaded for three months and it's all over the place. So it's too late, horse, barn, et cetera. So this way, because the scan is going to be on the device actively, it will catch the malware as it morphs and still nip it in the bud and report home to say what had happened, which means the developer gets booted off the store as well. So we win, we win all around. So basically it's a nice update to deal with the current threats. So that is good to see.
Again, talking about making things better for everyone, Google have expanded their bug bounty program. If you find ways to trick its AI into doing things it shouldn't, you can now win a bug bounty. So if you can engineer Bard to do naughty things, you can win a bug bounty. Naughty as in... Whatever it's not supposed to be able to do. So I think Bard isn't supposed to be able to tell you how to make a bomb or something. So if you can trick it into telling you how to make a bomb and you can find how to do that, then you can win yourself some money. I think one of the things that they've got guardrails on is like, if you try to get it to answer a political question, it says, yeah, nice try. I'm not going into the middle of that. That should win you a bounty too, I think. It's not only like, you know, blowing things up. It's anything that it shouldn't be able to do. If you can bypass the safeguards, you get your money. Yeah. And they've also announced a new feature called IP Protection, which looks for all the world like iCloud Private Relay. So that is a feature coming in future to Google's Chrome. So that's all good. Excuse me. Sorry, trying to siphely on here. And finally, I think it has been a good week for the goodies. No, good few weeks for the goodies. All good news stories. Ukrainian activists have hacked a ransomware gang and wiped all of their servers. Yay. India has shut down a whole bunch of tech support scammers, taking them out of business. The United States has taken 17 North Korean scammers off the internet and Interpol has dismantled the Ragnar Locker ransomware infrastructure, which was doing a heckin' lot of damage. So really good work there by law enforcement across the world, from Ukraine to India to the US to Europe. So I thought that was a nice way to end. We then have two, if your propeller beanie is still functioning after this very long bumper episode, you can exercise it a little bit more.
There is a nice how-to for the Check In feature in iOS 17 that we've talked about. It's a nice walkthrough from Cult of Mac. They say every parent should know this essential iOS 17 feature. I think that's a fair description, so link in show notes. And Apple have a nice write-up. They have updated it recently to help you buy a second-hand phone safely, although they call it pre-owned. So they have a whole bunch of tips for how to check whether a phone you're thinking of buying is safe to buy. And one final propeller beanie. This is a really cool article. It describes a new technique researchers are working on to make AI in such a way that it can't go rogue. It's a different way of training AI that basically, as part of the training, it aligns the AI's interests with our interests and stops those two becoming misaligned, because when they become misaligned, bad things happen. So it's the misalignment problem. It's an interesting concept. So is misalignment as in tries to kill us all? Is that what that means? Yeah, exactly. So the ultimate misalignment is the paperclip example, right? You train an AI to make as many paperclips as possible and it thinks that that's the most important thing in the world, so it kills all humans and steals all metal to make infinity paperclips. Misalignment. So it's a very, very nerdy discussion, but very interesting. So we'll link that in the show notes. And then I have some palate cleansing. It is Halloween in two days. And the good folks at the Mac Observer have released a bunch of really pretty wallpapers for people who like those kind of things. And I have uncharacteristically gone all Halloweeny on my lock screen now, a really pretty wallpaper. It is number five or six on the list. They are gorgeous. And this one seems to be aligned so it fits between complications on my phone's home screen. It's extremely pretty. So 10 of them. I think it's actually number three, the haunted castle and blood moon. That's the one. Is that the one you have?
Yeah, it's very pretty. Oh yeah, that's beautiful. So these are for iPhone. Now, do y'all do Halloween in Europe? Oh, well, we here in Ireland invented it. And then you guys in America made it cooler. So we did it and it was kind of like, you know, pumpkin, not pumpkins, turnips and really boring things. And you guys made it into pumpkins and you had trick or treating, which turned it into, instead of bobbing for apples, we get to eat candy as opposed to bobbing. It was the Celts of ancient Britain and Ireland. Okay, we share it with the other island too. But yeah, this bit of Europe does it. The European continent, not so much. And you guys made it into Europe. I was going to say, Helma was like, what? Helma was looking around and I go, what is this here? No, we don't do this. No, you guys really mean it. From the Netherlands. And we've imported your traditions back to Ireland. So it's gone over the Atlantic and back to us. And it's way more fun now. So thank you for that. I also then have. Fun, Bart. Sorry, I'm just sitting here scrolling through. There's Pokémon ones, but then there's Pennywise, if you actually want to be terrified. This is so cute. These are really fun. They are. I was really impressed with the Mac Observer guys. If you would like some more longer lasting media, there is an excellent documentary about the Newton, which has been released for free on YouTube. I watched it all. It's got interviews with Sculley and a whole bunch of really big people. It's really nice. It's a really nice documentary. It's very well made. And if you're a Newton fan, it's full of lots of little Easter egg things. Oh, that's really fun. Yeah. And then finally, I'm going to recommend a podcast. So in case we have pictures, we have video and we have audio. So whatever your media is, I have something for you. Business Wars do little mini-series.
And their most recent one that they completed, because I only ever listen to them when they're complete, is called The Rise of AI. And it's all about the companies that we've all heard of now and then end up being bought by Facebook and all these kind of things. So it's kind of like where the AI we have now came from and how it came to be. Very interesting story, given all the developments we've had in the last year or two on generative AI and stuff. And this is episode one, huh? So the link is to episode one, but they're all out, so you can listen to, you can binge them, because that's what I do. So I collect them. I have a folder called Work in Progress. And all of these kind of mini-series, I let them finish. And then I binge them. And if they're good, I recommend them on the show. There you go, there you go. Bart spends a lot of time on that bicycle, doing his, so he's got a lot of podcasting time. That is true. That is very true. Right, I am done. My goodness, that is a record, I think, for the longest-ever Security Bits. This is definitely a security- That's a bonus. 101, 101. All right, so well, we had to make up for a month. So that's really just two 30-minute episodes, right? Fair point. When you put it like that, we're bang on schedule. Regardless, though, the most important thing is, as always, remember to stay patched, so you stay secure. Well, that's gonna wind us up for this week, but don't forget to come to the live chat room at podfeet.com slash chat to talk during the Apple event on Monday night. If you're listening to this after Monday night, never mind that. Anyway, did you know you can email me anytime you like at allison@podfeet.com? If you have a question or suggestion, just send it on over. We haven't had any good dumb questions in a long time. I like those. Questions I can answer, but maybe require a little bit of thought. Those are the best ones. You can follow me on Mastodon at podfeet@chaos.social.
Remember, everything good starts with podfeet.com. If you want to join in the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live like Helma did this week, on Sunday nights at 5 p.m. Pacific time, and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.