Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever-so-slight Apple bias. Today is Sunday, March 3rd, 2024, and this is show number 982. In this week's episode of Programming by Stealth, Bart Busschots is back to teach us how to alter arrays and dictionaries in JSON files using jq. Bart went through his challenge solution on cleaning up the Nobel Prize database, and I learned a lot from it. Maybe he'd already taught all of it to us before, but I sure wouldn't have been able to get there to put the pieces together the way he did. I had to confess during the show that I did not get my homework done last week, but I used two excuses. One, I'd been playing with the grandkids, but the other one was that I was having so much fun working on the XKPasswd web app with Helma and Mike Price, and Dorothy's been weighing in on it, and Steve Matan's been doing a little bit of help in there. So we've been having a lot of fun with that, and I kind of forgot to do my homework. In any case, for the new content, Bart taught us how to alter arrays. We mastered sorting and reversing arrays, how to add and remove elements from them, how to deduplicate the values within, and how to even flatten nested arrays. From there, we learned how to manipulate dictionaries by adding and removing keys. It's a very focused lesson that continues to show how powerful the jq language is. I think my favorite part of the show, though, was when Bart made an existential philosophy observation, and he said, everything exists with the value of null, Allison.

All right, let's get started with our first CES interview this week. You see a lot of interesting things at the shows at CES, but inside Pepcom, I've never before seen what looks to be a helicopter, but I think Greg Larry's gonna correct me immediately and say it's not a helicopter. This is a personal aviation vehicle, also known as an electric vertical takeoff and landing aircraft.
Okay, so tell us about it. What's the, I'm just gonna get in my own little VTOL and go flying, huh? You do have the opportunity to fly wherever you want with this aircraft. It's designed under the FAA's Part 103 regulations, which means that you can fly the aircraft in Class G airspace, which is typically rural or unpopulated areas, which represents approximately 90% of the land in the United States. Nothing where I live in LA, but everywhere else, right? As with me, so. So this is an unusual-looking aircraft. Can you describe it for our audio listeners? Yeah, so this again is an electric vertical takeoff and landing aircraft. It'll take off directly from this position, pivot straight up, and then convert to cruise flight. And from that point, then it utilizes the fixed wings, or the fixed wing and tilt architecture, for efficiencies in flight. Whereas if you did not have the wing, you exert a lot more energy in that forward flight momentum. So this particular aircraft has been in design for quite some time, about 10 years. It's built with complete safety, with dual redundancy and, in some cases, triple redundancy. So you'll see that some of the safety features on the aircraft are dual elevons. We put floats on the aircraft, and the FAA gives us a little bit of a weight benefit by doing that. So in the event of a water landing or an emergency water landing, the aircraft will float. Not an intentional water landing. Not an intentional one. And we have tested the aircraft to do takeoffs and landings from water, but that's not what the aircraft is designed for. Okay, so across the back here, we've got four propellers. Yeah, you have four motors. Again, with redundancies, there's two batteries per propulsor, as we call it. The aircraft also has radar altimeters below the wings, one on each side. And that enables the aircraft to self-land and also take off automatically. So two different modes of flight there.
So you can take off and command the aircraft to go from cruise, I'm sorry, take off to cruise flight, and then take over the aircraft and control it from then. And then when you come down to land the aircraft, you pitch the aircraft into the landing configuration, and at 15 feet above ground level, you can program the aircraft to automatically land at that point, literally hands off. So the tricky parts are better done by machines in this case than they are by the... And again, those are the most critical phases of flight of any aircraft. And we try to make that as simple as possible for the pilots. So it took me a minute to put together that you said E before VTOL. So it's all-electric. That's crazy. That's really cool. The aircraft can be charged on a 120-volt circuit. It'll take about eight hours to charge the aircraft at that point. But there's also a fast charging option for the aircraft that allows it to, in some cases, charge in as little as 45 minutes up to two hours. And then that allows the pilots to get back up into the air, and you go have fun. I was gonna say, I think that's faster than my car. That is, so how long can you fly? A little over 20 miles and 20 minutes at a limit. So again, under FAA Part 103, we're limited to 62 miles an hour. So we use 60 miles an hour as the speed, so. And you said 20 minutes you can fly? 20 minutes or roughly 20 miles. So depending upon where you're flying to, if you're going from point A to point B, then you have terrain obstacles, heavy traffic that you can go around in a relatively unpopulated manner. That's a significant commute opportunity for somebody. This could be really interesting. So this is obviously a prototype we're standing in front of, but when do you expect to actually have this in production? The aircraft was announced for sale to the general public about three hours ago. Oh my goodness. For delivery after June 10th. All right, now I gotta ask you, what's the price point on this?
The base price is $190,000, with the ultimate package, if you will, $260,000. It's actually a lot less than I expected it to be. So if people wanted to learn about Pivotal, where would they go? They go to pivotal.aero, and there's a website. If somebody wants to purchase the aircraft, there's a nominal $250 nonrefundable deposit, and then there's a process that flows from there that secures your shipping window date, and then the aircraft delivers beyond June 10th. Are there pilot qualifications for the human? Again, there does not have to be a pilot's certification. We train the pilots, and we've already trained some initial owners, some early adopter owners, and it ranges anywhere from 10 hours to fewer, depending upon their skill sets and capabilities. In some cases, it might take a little bit longer. Wow, that's really cool. Well, thank you very much, Greg. This is really neat. My pleasure. Thanks for coming. Now maybe that is out of most NosillaCastaways' price range, and maybe you live in a place where that's not exactly affordable, but it's one of those really fun things to see at CES, to see the future that maybe will finally have what is essentially like a flying car.

BG in our Slack posted an interesting question, and with a little help from Graham S, he was able to find the solution to his own problem. BG is a big fan of Project Gutenberg, which is a resource for downloading public domain free e-books. The flashier titles are the classics, such as Little Women, Frankenstein and The Great Gatsby, but there are 70,000 free books for you to download in Project Gutenberg. Before we get into the problem to be solved and BG's solution, there's one caveat to using Project Gutenberg, and I'm gonna quote from their website. Project Gutenberg is entirely based in the U.S., and we follow the United States law for copyright. Not all items that are public domain in the U.S. are public domain in other countries and vice versa.
If you are operating outside of the U.S., you should get professional guidance on how to proceed for things like redistributing Project Gutenberg's content. For basic information about copyright elsewhere, try this link to the Online Books Page. All right, that's set aside. Now let's talk about the problem to be solved. BG posted that he was having trouble moving Project Gutenberg e-books to his Kindle using his Mac. He said it was easy to download and open in Apple's native app, Books, but he wanted his downloads to open in the Kindle app on his Mac, not Apple Books, because that would allow him to sync the books across multiple devices. He said that using a Mac to try to interface with Kindle seems more difficult now than it was in previous macOS iterations. However, if one uses iPadOS, all one has to do is press the correct format and it automatically downloads to the iPad's Files app. From there, it's easy to share directly with the Kindle app. He was trying to figure out how to do the same thing using macOS. While the discussion was going on in Slack about this, I installed the Kindle app on my Mac and downloaded a book from Project Gutenberg. I right-clicked on the file and chose Open With, and as Bob said, the option to open in Apple Books was right there. I tried it and it opened up right in Books. I right-clicked it again, and since the Kindle app wasn't visible in the list, I had to override recommended applications to choose the Kindle app to open the file. The weirdest thing happened though. As soon as I chose open in Kindle.app, the file disappeared from my Downloads folder. I couldn't find it. I didn't know where it was. I ran a search inside the macOS version of the Kindle app, and the book I requested was not there. I did a Finder search, and the book had moved to my user Library/Containers/com.amazon.Lassen/Data/Documents folder.
Seriously, there were no other Kindle books in that directory, so as Bob said, something between the Kindle app and macOS is definitely broken. At this point, Graham broke in with a solution that, when he said it, I don't think either BG or I actually understood what he was trying to tell us. We'll kind of circle back to how he actually told us the answer, but we didn't get it. Graham S wrote, I just went to PG, downloaded a book in EPUB3 format, opened Send to Kindle, selected the file, and Bob's your uncle. As a quick aside, I love that Graham S used Bob's your uncle, because BG's real name is Bob and he's actually Steve's uncle. All right, back to the discussion at hand. So Graham S included a very helpful screenshot of the Project Gutenberg page, which showed that you need to download the version that says EPUB3 (E-readers including Send to Kindle), not the one labeled Kindle. The one labeled Kindle is MOBI format. So you'd think it'd be the right choice, but in November of 2023, Amazon stopped supporting MOBI format on Kindle. It'd be great if Project Gutenberg renamed that one for us. BG eventually found a way that works for him, and it's pretty elegant. I'll let you hear it in his own words, the path he found to discovery and success. He wrote, I finally discovered a better way to download Project Gutenberg e-books from a Mac. I complained before about the difficulties using copy and paste configurations because I was not using Finder properly to email it to my specific Kindle devices. Initially, I wanted to do the same thing with my Mac as I do with my iPad. For my iPad, it's a simple one-click procedure of downloading to the iPad's Files and then sharing with Kindle. It then downloads to my Kindle library, where I can open it with all of my Kindle devices. But with a Mac, I had to email the books to each specific Kindle device. Today, I discovered a better way. I downloaded an app from Amazon that makes the process much better.
I installed the app called Send to Kindle that I downloaded from Amazon. So this is me talking for a second. Let me take a quick break here. This is what Graham S. was trying to tell us. When he said he opened Send to Kindle, he was talking about an app that he had downloaded called Send to Kindle. Neither Bob nor I had that app. Now, I suspect that Graham has been using it for so long that he kind of forgot that he had to download it for the option to exist in the right-click menu when selecting EPUB books. All right, back to BG's solution. He says, now all I have to do with my Mac is a simple download. I go to my Mac's Downloads and simply slide it over to the new Send to Kindle app icon I keep in my Dock. It then uploads the e-book to any individual Kindle device of my choosing without manually entering an email address for each device. And it stores it in the Kindle library, which is accessible on all of my Kindle devices. This is the solution I wanted from the beginning. After BG shared this final solution, I decided to give it a try myself. I downloaded The Importance of Being Earnest by Oscar Wilde from Project Gutenberg in EPUB3 for Send to Kindle. You hear that? It's called EPUB3 for Send to Kindle. Again, there was another hint that there was something called Send to Kindle, but it wasn't obvious. Anyway, I downloaded the Send to Kindle app, and while it's a rather janky-looking and clumsy app, it mostly does what it says on the tin. I don't like to clutter up my Dock with a lot of apps, so I tried to follow the directions in the documentation. In the documentation, they have a screenshot showing Send to Kindle in the right-click menu at the bottom below Quick Actions. Unfortunately, it's not there in macOS Sonoma, so the instructions are kind of old. I tried Open With, and Send to Kindle wasn't on the list. All right, let's look at Other. When it showed the list of recommended apps, Send to Kindle wasn't there.
I finally figured out that Amazon's package installer puts Send to Kindle in a separate folder of the same name, along with an uninstaller app. This is really the old-school way of delivering software. Once I pulled the app out of the folder, it was visible as a recommended application. It also showed the option to always open EPUB files in Send to Kindle. This would allow you to double-click on any EPUB file and simply open it in the app. When using the right-click method to open the book Importance of Being Earnest.epub with the Send to Kindle app, macOS did something strange. You know how if you try to open an app from an unsigned developer, you'll see an alert that macOS can't verify the developer? Well, it did that for the book, not the app. It said it can't verify the developer of the EPUB, as though it was an app. It says macOS cannot verify the developer of Importance of Being Earnest.epub. Are you sure you wanna open it? Oh well, a lot of confusion here. Once I got past that hurdle, the Send to Kindle app showed me the 28 devices I had registered with the Kindle app. I hadn't cleaned up my devices in so long, there was an iPhone 6 still on the list. I went to Amazon via a web browser and found the Manage Content and Devices page. And under Devices, I was able to clean things up, so it'll be a lot easier the next time I use this. After I beat all this into submission, I found The Importance of Being Earnest, and the front page reiterated the warning that I gave upfront from Project Gutenberg: the books are only licensed for people in the US, and your mileage may vary if you're from another country. Now I have to side with BG here, something between Amazon and macOS has really made it more difficult to send books to your various devices. I'll probably be sticking with using email to send to my Kindles, but I'm glad BG was able to find his solution with Graham S's help, and that he shared the solution with all of us.
The power of the community in our Slack at podfeet.com/slack is really great.

One of my favorite podcasts is BBQ and Tech with Chris Ashley and Rod Simmons. So we had to stop by the GE booth right away to see the GE Profile Smoker. I'm talking to Andre Zodanov. That's correct, great to meet you. Yeah, and welcome to the GE Profile Smart Indoor Smoker with Active Smoke Filtration. Okay, so I'm gonna warn you upfront, this is an audio podcast, but some people will watch the video, so describe everything in detail. What are we looking at here? All right, so this is a countertop oven that is a wood pellet smoker. So what truly makes it the first of its kind is the active smoke filtration technology that we've brought into the product. It catalyzes the smoke to remove almost all the particulate and carbon monoxide so that it's safe to use inside the home. Okay, that was gonna be my very first question, but I gotta tell you, wafting towards me, nobody on audio or video is smelling what I'm smelling come up in that smoker. So you get the smell, but you're not getting the particulate. That's correct, not the particulate, you're not getting the unhealthy CO, you're getting mostly just vapor, de minimis particulate, some CO2, so it's safe to have in the home, but you are gonna smell good home cooking. Yeah, there you go. So it looks like a tall square microwave oven to me, is the way I describe it in size. Yeah, that's a fair way to put it, a bit like a countertop oven, but flipped on its end, so it's a little taller than it is wide. Right, right. So how does this work? I see some nice displays and a dial that's going around and something delicious cooking. Yes, that's all I know so far. So we have about an eight-pound pork butt in there? Well, how big is that today, chef? So we've got a seasoned eight-pound pork butt in there, and so this is a wood pellet smoker.
One of the other things that's interesting about it is, because it's a countertop oven, it's electric, it doesn't use the wood pellets as a heat source, so we consume very few pellets. You're able to dial in how much or how little smoke flavor that you want in the product. So for those who are watching, this is the pellet hopper where you would load your pellets in the top, then I will mess with things that I do that, and so we have a nice auger that moves those pellets past the igniter and gets them to just release the sweet aromas and flavors that you just love. The first thing to burn in wood are the sugars, and that auger will move the pellet down to our waste bin here in the bottom right of the unit, then we have the user fill that with water, we extinguish that pellet while it's still an ember, and that lets us get all those sugars, all those sweet flavors and aromas, but not the acrid or sour flavors that you would get if you burn it down to ash, so we're extinguishing them first. Okay, okay, that makes sense. So I'm gonna mess with you here. Chef Dallas McGarney is on the side here. What is it we're cooking here? So we have about an eight-pound pork butt in there, I rubbed it down with my barbecue rub and just popped it in there with some of the Kona pellets, and we got it going. So I'm guessing that you use a quote-unquote real smoker from time to time, right? Oh yeah, this is for personal use, mainly for me at home, but I'd have the big smoker outside, but it's a lot more of a mess and takes a little bit more of my time to work on it. So this is easy for me to do at home, and I got the app and I can look at it online and all that stuff, so it's easy. So you can still do the creativity part of making a smoked meat, but not have to go outside and deal with the timing issues as much because this is more automated? It's more automated, it's also more consistent, because the heat is more consistent than what you have to mess with outside.
So outside, you're messing with the heat over and over and over. This, it's a very consistent heat, so you know it's gonna be done in a certain amount of time. So it helps a lot when you're planning a dinner for four people at home, you know? And so it is about four people at home. I mean, if they weren't Americans, you could probably get 16 people, but four of us, I'm thinking you could get off this pork butt. So this is all app-attached and all that kind of stuff? It is app-attached. That's gonna allow us to continue to drive continuous improvement to the product. That's one of the things GE Profile is known for with our smarter products. The app lets us launch updates and also some guided cooking with some of our products, but it also really allows you to be kind of the master of your domain, because you're gonna get alerts as to what's the temperature of the thing that I'm cooking. We have an integrated probe in there that's sitting in that pork butt. So Chef knows exactly what that internal temperature is, whether he's multitasking, answering the door, mowing the lawn, and it'll let you know if you need to empty your waste bin, add pellets. So it really lets you be in control without having to be as hands-on. That's a nice compromise. So you just released this just recently, right? That's correct. It just launched at retail here in January. It's rolling out at retailers nationwide. Suggested retail price is $9.99, and it is a brand new launch for us. It's really, really exciting. I know we've done a little bit of smoking here. Steve has done some smoking inspired by BBQ and Tech, gonna give them another plug. But the idea of buying a big outdoor smoker has been kind of prohibitive for us. He's got a question here. You can buy it now? Yes, I believe you can buy it now. Yes, you can buy it now. It's shipping now at multiple retailers nationwide. That's fantastic. Well, I'm just gonna get off here and find out when Chef McGarrity's gonna be done.
Get me a little bite of that pork belly. That sounds fantastic. Enjoy the rest of your show. All right, and where would people go to find this? It's available at Best Buy, Williams Sonoma, Amazon. Many retailers, Crate & Barrel as well. Very good, very good. Thank you very much, Andre. My pleasure, thank you. Well, I would like the record to show that we did not get to eat any of that wonderful-smelling meat that they were smoking. Another thing, Steve has been doing a fair bit of smoking lately, he's been talking a lot to Chris Ashley of BBQ and Tech, and he's been a big influence. And a couple of times recently, Steve made ribs for us, and he did some down at Lindsey's house, where she had borrowed her brother-in-law's smoker, and they were absolutely spectacular. So we have decided absolutely positively not to buy a smoker, because we would be smoking meat all the time and eating that, and it would not be good for us. It was so delicious that we need to keep that as a once-in-a-while kind of thing.

Are you ever listening to one of my shows, or maybe reading one of my blog posts, and realize that something I've reviewed solved a real problem for you? Or have you discovered software that makes your life easier? Or have you maybe just been entertained? Maybe at those times you think, I really should support this free content I'm enjoying so much. Well, that's exactly what John Murray and John Atwood independently did this week. They marched over to podfeet.com/paypal and typed in a dollar figure that showed their appreciation for the work we do here at the Podfeet Podcast. And they both wrote very nice little notes about what they enjoyed about the shows. You know, you too can be awesome like John and John.

Well, it's that time of the week. And it's time for Security Bits with Bart Busschots. Happy March, Bart! Indeed, yes, it is the third of the third. Not 2023 though, 2024. So we don't have that many threes. Still though. No.
All right, well, let's jump right in. Yeah, we have plenty of follow-ups on sort of stuff we've been talking about before. So our friends at the NSO Group had a bad week. Let me find the world's smallest violin for them. A U.S. court has ordered them to hand over the source code for Pegasus. To Meta, because Meta are also suing them. So Apple are suing them in a whole different court case. But because they attacked WhatsApp, Meta have a court case against them as well. And it's that court case that has resulted in, as part of discovery, the NSO Group having to hand over the source code for Pegasus to Meta, which is nice. Now, the implication of the handing over of the source code is... Meta will know exactly how it works. We all get to look at it? I don't know if we will get to look at it, just because it's being handed over in discovery, it may or may not make it into evidence in open court. But at the very least, Meta's engineers will be able to tell us what they found in court. So whether we get first-hand or second-hand, I'm not sure, but the secret is leaving Israel. So that is definitely good. Good. Also, Redmond have followed through on the promise they made to the U.S. government when they had their nasty... Redmond? Microsoft. It's a city. Microsoft. Sorry, yes. Like Cupertino is Apple, Redmond is Microsoft. I keep forgetting. I need to also say the name of the company. Sorry about that. Okay, so start over. Yeah, so Microsoft have followed through on the promise they made to the U.S. government when they... There were a bunch of U.S. government Office 365 tenancies hacked by what turned out to be China. About a year ago-ish. And it turns out that the attack left traces in an audit log called Purview, because Microsoft have a brand name for everything. And by default, you get Purview for 90 days. One of the ways Microsoft promised to do better in future would be to up that to 180 days for government customers. And that is now true.
So would that just be so you can figure out what happened? Right, it makes it way easier to understand did they get... Like if something bad happens... I know this from first-hand experience, when something bad happens, the question is, what did they do? So if you just... Oh, what did they do while they were in there? So if you discover at 91 days that something happened, you would have lost your logs. Whereas now you have half a year basically to... And to say this audit log is detailed is to put it so mildly. This thing is so chatty, so many gigabytes per day. It is pretty much every individual action in Office 365 a user does. Bart opened this Word document. They inserted a paragraph here. They scrolled down here. They edited a comment here. So with these audit logs, if you know an account has been compromised, you can actually say the baddies got this, this, and this, but nothing else. I get it. It's a very powerful log. So you can either sleep at night or just hide in the corner. What is a tenancy? I don't know that. Yeah, it's the word that we've ended up using, right? Because you think of Office 365... No, no, let me explain. It's a word that was picked because there isn't a better one. It's not a sensible word. It's just a word we picked. So when you buy Office 365, you actually get like a little private copy of Office 365 for you. And then if I buy Office 365, I get a different copy of Office 365 for me. And so each of our little copies are little islands, and they're called tenancies. And all you do, your data is islanded in your tenancy. So the tenancy is like a little boundary. It's like your lot in a housing estate or something. It's like your little backyard. Everything you do is entirely trapped in your tenancy when you're a corporate customer. Oh, oh, sorry. This is for corporate customers. It's the difference between buying Office 365 for an organization. It doesn't have to be a company. It could be a school. It could be anything, right?
But when you buy it as an organization, you get a private copy. When you buy a one-off license, you and 100,000 people share a tenancy. But you have no idea you're sharing a tenancy, right? It's the difference between an organization versus an individual. When you're an organization, you're organized. Okay, but when you said Allison buys a copy of... Office 365, she has a tenancy. Okay, no. Podfeet buys a copy of Office 365, because Podfeet has become a big corporation with three or four people. Oh, okay. So you said it backwards. Yeah, okay. So when companies install for a corporation, that's a tenancy. Yes, and it's a little island where your universe... So when you go into your admin panel, you control that. I was just trying to get to... This was a corporatey word. This isn't something regular people would be using. It's organization, so even a family plan will have it. So our family uses this plan. So anyway, it's organization. Think organization, which is actually the word Microsoft use. Okay. The difference between 1Password for Families. Sorry to take so long. It's important. Long haul, I just... Words that we don't know. It's actually very important, because a lot of cloud services are like this. So 1Password for Families versus 1Password as an individual. 1Password for Families, you have a little tenancy, a little island where your control panel lets you control users and control vaults. That's your little tenancy within 1Password. Does that analogy help? Sure. I haven't ever heard it used anywhere else though, like that. Yeah. Yeah. Anyway, it's a thing. We talked last time about the Federal Trade Commission cracking down on one of those famous tax companies. I think it's the most famous one. But anyway, they're cracking down on another famous tax company. H&R Block have been sued, in fact, by the Federal Trade Commission for deceptive online ads where they offer a free online filing service that costs you money, which obviously is not free.
And this is all in the lead-up, obviously, to April, when lots of people will be making use of these kinds of services. So now is the time. So I'm glad to see this continue. If this was a podcast about filing your taxes, I would have a perfect palate cleanser. There's a woman on TikTok who does these great things where she's playing two different characters. And one of the characters she is, is the federal government. And the other person is the person trying to file their taxes. And as the human, she says, so why don't you just tell me how much money I owe? And the government goes, no, guess. She goes, yeah, but you know how much I owe. Yes, I do, guess anyway. Okay, but how am I supposed to answer the questions on these files? She goes, oh, you mean the pre-prison forms? These are, if you file it wrong, you're going to jail. And it goes on and on. It's absolutely delightful. That sounds wonderful. You do know that you're in a country that's in a minority for not giving you your tax forms pre-filled. Most of the world, the government know what you owe them. They send it to you. You go, yeah, I agree. You sign it and you send it back. That'd be lovely. So you know we're in the minority, or just the countries that you know do that? My understanding, based on an episode of Planet Money, is that you're in the minority, and apparently it's down to lobbying by the large companies that do the tax filing websites, Intuit and the like, because they make a fortune. Intuit was the company you were trying to think of. It was, yeah, they are exactly the people who successfully lobbied Congress, because it was actually an act that nearly passed into law to have the government pre-fill your form, and Intuit got it killed. Anyway, they've been cranky. Okay, stop. Yeah, sorry, that was meant to be a palate cleanser. Not an opportunity for me to rant. Anyway, we talked the last two installments about ransomware, because first we said, yay, it's going away.
And then we said, oh, no, when you look at the numbers differently, it isn't going away. But it's been a really busy two weeks in terms of ransomware, and a bit of a roller coaster. So I'm just going to read you the headlines in the order they happened. Police arrest LockBit ransomware members, release decryptor in global crackdown. For context, LockBit has about 25% of the entire world market of ransomware. They are like, if you do a pie chart of the ransomware people, they are the biggest piece of the pie, quite substantially the biggest piece of the pie. They're the single biggest actor. So seeing Interpol successfully take them down was a big deal. The fact that they stole the private keys and released a free decryptor so you could decrypt yourself was also particularly nice. And the fact that they were able to make a few arrests was also very pleasing. But everyone was pretty sure that in the cat and mouse game you cannot take out one of the largest, the largest cyber criminal organizations on planet Earth in one police raid. But nonetheless, it was a big deal. The United States government doubled down and said, we will give out a $15 million bounty if you can lead us towards some more arrests, which is not insubstantial. And they discovered the source code to what would have been their next release, which was a redesign of their entire software, which they had actually called LockBit Next Gen or NG, so the file is actually called lockbit-ng. So they stole their source code for what was about to become their newest release, which is another kick in the whatevers. And they discovered $110 million of unspent Bitcoin, which was all the good news. And then midway through this week, LockBit resurfaced with brand new servers and new victims. So it took them about a week to start up again. Cat and mouse. Still though, it's nice to see them get a fairly substantial knockback from police. Some progress, absolutely.
We have also talked a lot about malicious advertisers sneaking their way into various things and attacks sneaking through systems that used to not let them through. And we were wondering how, how are these kinds of things happening? I just noticed my show notes haven't quite been updated. This isn't actually malicious ads. This is spam getting through Google's spam filters. It's not ads, it's spam in Gmail. And not just Google's ad filters, lots of people's ad filters, not ad filters. Spam filters. Wait, could this be my problem? Could this be my problem in Apple Mail, Bart? It is certainly, it is likely one of the sources of your problem. There are many sources. I'm not sure, I've complained about it on Programming By Stealth yesterday, but I am barraged with spam in my inbox and real replies to emails I have sent go into spam. So I sent an email to Brett Terpstra. He replied, it went into spam. I said, move to inbox, then I replied, then he replied again, it went back to the spam box. You know. It's been going on for six months now. As much as I would love to say this is why, I'm afraid to say that's a false positive. This is having false negatives. This is the opposite problem. No, it's both, Bart. It's both though. I sent you a screenshot just yesterday of obvious spam, something filled with 00 dash dash, 00 dash dash, an entire email, that's all it is. And that came into my inbox. And I get them all the time. But then half of your problem could be related to this. The half of this stuff getting in the chute. What has been discovered is a massive campaign where major brands have misconfigured sub-domains. We have gotten quite good about enforcing the DNS level email protections. So if you own a domain like podfeet.com and you don't have what's called an SPF DNS record, all of your email will now be blocked by the major providers like Google and so forth as being probably spam.
All of your legitimate email will be blocked, which makes it very hard for the spammers. Okay. So these DNS records, if you don't set them up right, they don't just give permission to your domain, they also leak permission onto sub-domains. And so if you're careless and a sub-domain, again, would be like beta.podfeet.com would be a sub-domain. Exactly. And so if you're a major corporation, you will have lots of sub-domains and you may use a sub-domain for some sort of marketing campaign and then forget all about it and stop using it. And the attackers have managed to wrest control of hundreds of sub-domains of legitimate companies whose DNS records allow them to send spam. So they are piggybacking off of the reputation of real companies because those real companies are being careless with their email protection. So they are literally stealing reputation from large organizations. Really important that you set your settings correctly. So again, it explains why, because I've been trying to figure out how are they getting by really big companies like Google? Well, this is one of the hows. There are many hows, but this is a new how. And when I saw how it worked, I was like, oh, yeah, that'll do it. That'll do it. The last bit of follow-up then, we also talked a heck of a lot about the DMA, the Digital Markets Act in the EU going live. And that is rapidly approaching. It is March. It is due to come into effect on the 24th of March. The law and Apple, I believe, are dropping their software update next week. I believe that's the date we've been given. So this is all happening. So there's been lots more news about this. And thankfully, I get to do a TL;DR, sort of a rundown of a lot of this stuff instead of going into detail. So there was briefly a horrible kerfuffle about the almost never-used feature of the Progressive Web App, because Apple took it away in the EU in the beta of iOS 17.4. And everyone got very cranky.
And EU lawmakers said that they were gonna fix to make a plan to do an investigation. And Apple said, well, we can't allow Progressive Web Apps to use any browser engine, or it's a giant big security problem. That's why we took them away for Europe. And then people kept getting cranky, and Apple said, okay, fine. We'll just leave it the way it is. They're WebKit only. And now everyone's happy. And everyone's saying that Apple did a U-turn. And what Apple actually did was successfully manage to exempt themselves from having to let third-party browser engines do a pretty scary thing, which is the Progressive Web App. So probably. So I'm really surprised that they're okay with that. I would think that Apple would get, again, another black eye for having anything to do with that. Yeah, they're getting the opposite of a black eye. Pat on the back. That's crazy. So to make sure everybody knows what we're talking about with Progressive Web Apps, that's where you take a website and you say, I wanna save that to my home screen. So for example, maybe you want XKPasswd to be available as a web app. You could just make it as a web app so you don't have to open a browser and you don't get all the chrome, if you will, around it. Yes, and your web app that is now sort of a kind of a hybrid-y app can do push notifications. It can ask for permission to track your location and stuff. It can, but it can... Yeah, I didn't realize it could do all that until I started reading about this. Yeah, that's what makes them Progressive. Other than that, it's just a link on your home page. The Progressive Web App uses extra APIs that only exist for PWAs and they have a lot more power, which is why Apple are very keen to not let a third-party engine do that, because the engine is responsible. So imagine you download a PWA for Google Maps and you give it access to your location.
If a browser engine that is not Safari or WebKit is powering that, if you install a second PWA from a dodgy source, which could be anyone because any app could just have a button saying add me to your home page, then the permission could be leaked by the other browser engine into the other app. And the only way Apple can protect you is if Apple control the sandboxing of each individual PWA. So I have a question on that. In my reading, I saw them saying you have to have certain entitlements and I don't understand how you request those entitlements because you're not in the App Store. The engine has entitlements. How do you request an entitlement? The engine has, sorry? You don't request a permission. So the PWA says, I want location, and then the user gets a pop-up. So it's a user permission it's getting. Okay, and that gives you the entitlement when they say yes. Yes, exactly. So the user says yes and the operating system goes, okay. The user has said yes to that app. But all of the PWAs run by a hypothetical Firefox engine would be the one app in the background. So all of those entitlements are collected together and it's up to the app to correctly sandbox that when Apple have lost control, which means the possibility of a bleed between PWAs is impossible for Apple to protect from. Therefore, they are saying, we're going to make it WebKit only because we know we can enforce these firewalls within WebKit because we have been doing it for years safely. Okay, I got it. And at the end of the day, almost no one uses PWAs. So this is a very big storm in a very small teacup. But Apple got their way, which is interesting. Spotify are still cranky at Apple, along with Epic. They have written an open letter saying, dear EU, we don't like Apple's compliance plan with your law. And the more I have been studying this, the more I think that Apple's compliance is actually pretty darn good because the Digital Markets Act isn't what Spotify wish it was.
It also actually is written into the law that companies like Apple have a responsibility to protect security. So Apple are both charged by law with allowing competition and with allowing competition in such a way so as not to compromise security and privacy. So I think Apple are more in tune with the law than people realize. And the fact that the head of enforcement was over in Apple HQ about a week and a half before Apple made their big announcement and tweeted about it, including a photo of her with Tim Cook. I think Apple may be on more solid ground than Spotify and Epic realize. I find it hilarious just because, like, Epic, did you really think they weren't gonna do this? Right. I mean, hopefully they had their filing papers ready because they knew Apple would do it. Oh, it's certainly right. Anyone clever within their legal department had been doing their homework for months, right? We shall see. Right, right. Speaking of writing, Apple released a detailed white paper. It's 32 pages. I read it all. I'm not necessarily recommending the NosillaCastaways read it all, but I am recommending you give it a skim because the headings are quite clear and then you can dig into the bits you care about. But basically it lays out what Apple is doing, which we already kind of knew, but also the why, and it's full of history. We have observed over the last 10 years that attackers like to do X thing. Therefore, we have added Y feature to our App Store's processes within the EU. And so it's all of the whys behind the things Apple have chosen to do and they're all backed up with "we have experience of this happening, example, blah, blah, blah." And it's also the most detail I have ever read from Apple about what it is that app review actually does, because they make a big point of explaining the difference between notarization and app review. And the only way they do that is by describing both in detail.
And one is a subset of the other. Oh, okay. App notarization is a subset of app review. Right. They also lay out numbers of employees, because they also explain that the reason that you need to have a decent amount of money on file is because running an app store is really difficult and you are constantly going to be playing cat against a whole bunch of mice who are all trying to defraud everyone, because cyber criminals are very real, and that only a large organization can do it, and they lay out how many employees they have to do this work and how setting up an app store is not something you do on a whim. It is a lot of work and they back it all up. It is a fascinating read and it is the most under the hood I've seen of Apple and it does a pretty, there was none of their justifications seemed silly to me. But you may come to a different conclusion based on the same facts, but it's all reasonable. It's all sensible. So you think it's out there now as a warning to companies who want to create their own app store? I think it's out there as a justification. Like, don't forget all this stuff. It's more of a justification for why they have not said anyone can make an app store. Why are there still rules to be allowed to make an app store? This is the why. And it's a preemptive strike against, frankly, Epic saying you're not complying with the law, and Apple are like, well, actually no, we have a responsibility to protect users and this is why these rules exist. This is the problem they solve. It's actually a very good document. I was rather impressed. Now it does contain some extra fluff. They decided to, I'm assuming with permission, publish a whole bunch of letters to Tim Cook decrying how terrible it is that Apple are being forced to make their users less secure. I'm sure they cherry picked, with the world's finest harvesting companies, those emails they chose to put into that white paper. But I'm sure they are also genuine. But I wouldn't read too much into those.
A lot of the media got very caught up in the emails to Tim, but the rest of the document, the dry stuff, is the bit that I found absolutely fascinating. So it's a PDF, it's available to all, link in show notes. Also linked to two stories from AppleInsider giving a bit of a review as well. And then finally, this stuff is real. Setapp aren't just fixing to make a plan. The beta version of the Setapp third-party app store has launched. If you are a beta developer running the beta versions of iOS, you can also run the beta iOS app store from Setapp. Oh, that's interesting. It's a lot of betas. It's an interesting maneuver. Yeah. So it's real. I think that's a Ukrainian company, as I believe. I do believe they are, yes. Yes, they are. Yeah. That's MacPaw, right? MacPaw precisely, yeah. Yes, exactly. So when people said no one is going to set up an app store, well, there's one. And also, while being busy writing open letters, Epic are also busy creating an app store, because Epic have confirmed that they too are releasing an app store. They just haven't done it yet. Where is it? I'm shocked. I'm shocked. I hope it cuts them a trunk. I was listening to someone explaining it like, we think that 50 cents per user per year. Oh my God, if you're a big company, that's millions of dollars. And someone pointed out, have you seen what the profit margin is for someone like Meta? They make tens of dollars per user per year. So 50 cents per user per year is not actually catastrophic. It's probably saving those mega corporations who are monetizing their users effectively over the 30% that they would be paying now. Right, but they don't want to pay anything. They don't want to pay anything. Tim Sweeney wants to pay nobody nothing. Yeah, that's Epic's CEO. But yeah, anyway, that's where things have developed since last we spoke. So that's all catch up, a lot of catch up. And then Apple gave us a little deep dive to dig into. Apple have announced the post-quantum future for iMessage.
So Apple were one of the early people to the game with end-to-end encryption that's just on by default. So we as Apple users have had that for ages and ages and ages. And all of that is based on public key cryptography using standards certified by all sorts of big organizations, primarily from Apple's point of view, the National Institute for Standards and Technology or NIST in the United States. Because A, they are world leaders in this stuff and B, Apple are American and they're American. And so Apple's current cryptography is very robust. In 2019, they upgraded from old style public key crypto to the fancy pants new elliptic curves, which means it's actually stronger math. It's not based on factoring primes. It's based on solving curvy things. It's elliptic curves. It's a whole different type of math. I don't understand either, but one is better. But both of those types of math are vulnerable to whole new types of math that can be done with quantum computers, which don't exist. So right now Apple are joining... Wait, wait, wait. Just clarify that quantum computers do exist. There are labs which contain devices, which contain a few qubits, which can do a calculation every now and then. For all intents and purposes, they don't exist because they can't do anything real. They are... It's like with those... They're still theoretical, isn't it? Very, very. It's like, you know, you see that research like we can use a laser beam to eavesdrop on a conversation by looking at the vibrations of the window from 20 miles away. It's like, well, in a teeny, tiny situation, you can make that and you can publish a research paper, but actually you can't. It's like that, you know. We are so far off and we have so few qubits and they have this horrible habit of decohering. So if you observe a quantum system, it falls out of superposition and these things fall out of superposition in fractions of a second.
So, you know, for the dearest of tiniest amount of times, you can sort of kind of do a calculation and then they literally fall out of being quantum. OK, I'm glad I asked. I thought they did. OK, keep going. They're not... Yeah, exactly. Anyway, the point is the threat now is basically non-existent. And yet, Apple are rolling this out in iOS 17.4 in a week or two. Why? Well, the answer is because of an attack called harvest now, decrypt later. It's become quite cheap to store data for a long time if you're a large organization. So you can build a massive data center and just, you know, that there is a conversation between a Chinese official you care about and someone you think might be an informant in the United States, or you're China and you see some stuff going to engineers at Intel and I really would like to know how they make their CPUs so cheap or whatever. You can harvest that now and then when you have your quantum computer, which you're working very hard to build, you can then crack it and go back and read all the stuff. And if you've picked important enough people, what they have to say is still going to be relevant five years from now. And five years from now, it's quite realistic that we will actually have some real quantum computers doing actually useful quantum calculations. So we can't dawdle about this forever. And so actually now is the time. And Apple are not first to move on this, but they do deserve some credit here because now that they have moved, in a very Apple way, they have now leapfrogged the first movers. And right now they are doing some stuff that I don't think anyone else is. So I was a little skeptical at first because Apple sometimes oversell a little bit what they've achieved. And I wasn't sure if they were really ahead of the curve, but no, they actually are taking things one step further than the other leaders in this pack, which is the open-source Signal app.
They actually already have post-quantum cryptography deployed now, but their deployment isn't as powerful as what Apple are about to release in a week or two. So they have leapfrogged Signal, which is cool. Right, so let's dive in a little bit too. So they've called it PQ3, which I infer based on their blog post they released, which goes into amazing technical detail. Actually, they deserve credit again because the blog post at security.apple.com, they are not hiding the details. They are being extremely open and transparent about how they are protecting people's privacy and stuff, which is how cryptography should be. The algorithm should not be a secret. The only thing that should be a secret is the secret keys. And they have really, really shown us their homework. Really shown us their homework. It's even longer, I think, than the week. Bart in heaven reading this, isn't it? Yeah, I did. I spent my entire lunchtime walk today reading all of it. I read it all. I don't recommend the listeners read it all, but I do recommend you read the opening few paragraphs and the closing few paragraphs and skim the headings in between. Because actually, if you do that, you'll get a really good idea of what's going on and why. But anyway, in order to, I think, for the engineers to explain to management what they wanted permission for, Apple have created their own categorization for encryption in messaging apps. And they say very explicitly, we have invented this crude categorization. They actually call it a crude categorization. So this is not some sort of formal standard. This is Apple have made four boxes and everyone has been put into a box. And they're called level zero to level three. And Apple are the only company to be in level three. No one else has made it there. And the reason it's called PQ3 is post-quantum level three. Okay. So level zero is no encryption, or encryption but not by default. So unless you have encryption by default, you don't get to leave level zero.
And I'm kind of amazed that in 2024, the list for level zero is not empty. The list for level zero includes Skype, hardly a small app. Go Microsoft. Yeah, QQ, Telegram. I don't know who QQ are. I'm gonna guess they're Chinese. And WeChat who are definitely Chinese. And therefore I imagine why they don't have default encryption. I don't think the Beijing government are very fond of default encryption. So we already knew that about Telegram. We did. We've known that since we started using it, Bart. We know that you can enable it or not. In my mind, I thought they had joined everyone else and gone to on by default, but they haven't. No, they haven't. That's always been so. Anyway, there are levels. It doesn't mean you can't. It just means it's not on by default. So there are level zero apps. Level one apps, encryption by default, but it's not quantum safe. It's just ordinary encryption by default. And there's a lot of apps in that category. Line, Viber, WhatsApp. WhatsApp obviously the biggest one there. Level two then is when things get fun. Level two is the first apps that are quantum safe. They have used quantum safe cryptography. And that is a category of one at the moment. That is Signal. So the Signal app is the only level two app. And Apple are saying, we're better than Signal because not only are we using quantum-proof algorithms like Signal are, we are doing regular quantum safe key rotation. And this is the bit that's genuinely novel. So we are pretty darn sure that you can't cryptographically crack one of these quantum safe keys. But you can leak a key, right? There could be a software bug in the app that accidentally puts the key in a part of memory it shouldn't be. And then it ends up falling into the hands of an attacker. So just because you can't crack a key doesn't mean you can't lose a key. And so while Signal successfully negotiates a key in a post-quantum world safely, the key remains with the conversation for the entire conversation's history.
I don't know about you, I've had a chat with my parents for years, right? Years, right? So that key actually could be very long lived. So if it leaks, it's actually a big deal. What Apple are doing that makes their algorithm, or their implementation, level three is that as part of the standard process, every few messages, the keys rotate and there's no relationship between the previous key and the next key. So cracking one key or stealing one key or losing one key is very, very limited in damage. They call it self-healing cryptography because the thread becomes safe again very quickly. So that is why they're getting level three and why they're genuinely better than what's going on before. If you go into the paper, you will see that they are using the Kyber algorithm, which is one of the ones that NIST has given candidate status for being the officially approved post-quantum stuff. Lots and lots of detail there. So I have lots of good things to say about this paper. I think Apple have done a really good job of explaining why, and they have given due credit to their competitors, which is so pleasing to see, and they haven't hidden that away in the bowels of the article no one will read. The first line of the paragraph is the conclusion, and you know everyone reads two things, introduction and conclusion. They are the two things people read. The first line of the conclusion is: end-to-end encrypted messaging has seen a tremendous amount of innovation in recent years, including significant advances in post-quantum cryptography from Signal's PQXDH protocol and in key transparency from WhatsApp's auditable key directory. That's their opening sentence, basically, WhatsApp beat us to key transparency, which we only added this January into iMessage, and Signal were first to post-quantum. We've just made it better. That's nice to see the engineers acknowledge that reality.
So, as I say, I'm really pleased with this description from Apple of what they've done, and they really have done something original. They're also running. Is there any downside to them being transparent? It seems like there's only upside to that because they can help teach other people how to do it and yet they haven't given away a secret. They've just said, you know, here's a good way to do it, follow me or tell me what I've done wrong. Yes, exactly, 100% agree, you're absolutely spot on. I also wanna draw attention to two of the things I learned from my deep dive. So they have given their algorithm to mathematicians, which is what cryptographers are, to mathematically test the validity of, basically, mathematical proof on their algorithm, and they have two major researchers at pretty big institutions basically go, yep, we have analyzed this to the best of our ability and this thing is sound in our judgment, which is cool, and they basically have citations, who these people are, you know, all of that kind of stuff. And they have also explained how they're running the two in parallel for a while. So the algorithms we're using now have had decades of testing and had all of the rough edges knocked off and we know they're secure because they have been tested in the field. Without a time machine, none of these post-quantum algorithms are that robust because they simply have not had the decades of eyes and bits that these current algorithms have had. So there may be problems found in the Kyber algorithm. What Apple have done is they have chained the post-quantum algorithm with the current elliptic curve. So to crack a message, you need to crack both the elliptic curve and the Kyber. So cracking one doesn't get you into the message. Is the ordering important? So what that means is that if you have a quantum computer and you can break the old elliptic curve, then you still don't get into the message because you haven't gotten by the Kyber.
If it turns out that Kyber is fundamentally flawed and we haven't noticed yet, we are no worse off than we are today because the elliptic curve is just like it was yesterday. Is anything about this, this is just a naive question, is anything about this likely to make it harder to get into your own messaging? Unless Apple make a terrible whoopsy, which they could do with elliptic curve crypto, right? They could make a whoopsy with the current crypto. Nothing about this makes it inherently more fragile. Or anything, if Apple mess up their crypto, they will break people's messages, but that was true yesterday, it will be true tomorrow, it will always be true. Okay, okay, that's good to know. So for this year, they're gonna be running in parallel. So if everyone in a conversation is on a new enough version of iOS, which is iOS 17.4, iPadOS 17.4, macOS 14.4 and watchOS 10.4, then you will get PQ3. But if any one person in a conversation has one device that is not new enough, the whole conversation has to fall back, because otherwise the one device that isn't new enough can't decrypt the messages in the chat, which means the chat isn't a chat anymore, right? So for this year, one-to-one conversations will probably end up being upgraded quite quickly for a lot of people, but bigger group chats will probably be slower. But Apple have committed to finishing the transition period by, quote, end of 2024. So I imagine in the fall, we'll get another message from Apple saying on Blah date, you must have updated to Blah version of BlahOS or iMessage will stop working. They may backport this to cover older OSs. Oh, wow. In fact, they probably will backport it. They better. Likely they will. But they want to get real world usage now. So it's rolling out now. And when I say they better. They believe I better. I just mean from a, well, I just mean from a publicity standpoint, I'm sure it'll be, look, they obsoleted my device, garbage. Oh yeah, that would go very badly. So they have to.
I think so. Yes. I think so. So all in all, I was really. How far back? Yeah. So I started off a little skeptical. Ah yeah, or Apple just being Apple and claiming more credit than they deserve. But no, they really do deserve a pat on the back here. This is really good work. So nice. Right. Action alerts, just the one, but it's not good news. If you are a Linux desktop user. So not a Linux server, but a Linux, you know, a laptop or a computer computer, or an Android user, there is a software update you really, really need. If you're on Linux, that's not a problem. You should have it. But if you're on Android, your guess is as good as mine. There is a thing that is part of your WiFi system on any open source platform called wpa_supplicant, which I've always found a weird name. I come across it with my work hat on quite a lot because when it doesn't work, your WiFi breaks. But the wpa_supplicant in Linux and Android has a very nasty bug, which means that if you know the SSID of a network the user's device trusts, you can trick the device into giving you the password for that network. So if you go to the lobby of a company and you can see the SSID of the company's WiFi network, you can make a malicious network with the same SSID and you can get the password of the real network to be leaked to you by anyone using a vulnerable Linux or Android device. I remember you telling us about that, yeah. So that is not good. There is a workaround, but it's awfully cumbersome. You can manually force your device to use a specific certificate authority and not to accept untrusted certs. It's not easy to do. So really, patchy, patchy, patchy, patchy as soon as you can is very much what we're hoping we get out of this. If you can. And that's the bit that I always hate about these stories. If you're under a device. Yeah. Yeah. And in related news, just in case people think I'm being too easy on Apple or something, the App Store is safer than the Play Store.
But it doesn't mean you're perfect, because actually this related story should be plugged into it. It could be a different story now that I look at it. But anyway, now that I've started, I'll finish. If you're installing more risky stuff, even from the Apple App Store, like say cryptocurrency apps, even there, be careful. Some malicious stuff briefly made it into the App Store, but of course, with cryptocurrency there is no undo button because there is no central authority. That's the point. Briefly was enough for people to lose $100,000. So that's real money. So be careful. We'll find somewhere else in the show notes where I had meant to put that as a related story, by the way. I'm sure we'll come across it, but. Okay, when we get to it, I was looking at it going, oh, I get it, but what's it got to do with Linux and Android? No, there's a story. WPA. There's a story somewhere about something malicious getting into the Android app store. That's where it should be hanging off. But anyway, yeah, we'll find it. Okay, we'll find it. It'll be correct by the time you see the show notes. Indeed, worthy warning. There is an active attack targeting Europeans who run Android, and they have succeeded yet again in sneaking their malware into the Google Play Store. Again, briefly, but nonetheless, 150,000 downloads before they were discovered and gotten out. And the last few of these have been targeting Eastern countries, sort of Singapore, in that neck of the woods, but this one went after European users. So I think NosillaCastaways are more likely to be caught out by this kind of thing. So just be extra careful about banking apps on Android at the moment. There is an active campaign to sneak malicious banking apps into the Google Play Store and some of them are getting through some of the time. That is not happening. Would that be a good place to put that related item? Actually, that's exactly where it should be. It's literally an out-by-one error.
Yes, that is exactly where I had meant to attach it. Okay, I'll drop it in. You have unfortunately, against your wishes, been converted from a fan of Wyze to an anti-fan of Wyze. You have more ammunition. They had another little whoopsie where they managed to give 13,000 people access to the wrong camera. Oh, Bart, is that that big of a deal? It's just your children and stuff. Yeah, it's just secret internet connected cameras in your house. Why would you need to trust a trustworthy company with that kind of a thing? That is, yeah. Eufy for the win. Actually, yes, and I like Eufy. They're a good company. 20 million users of a service called cutout.pro have had their data leaked and the company has been spectacularly unresponsive to security researchers. Users have not been informed that they've been caught up in this data breach, which is why I'm telling you about it. It has been added to Have I Been Pwned. So if you are subscribed to Have I Been Pwned, you will have been notified, or you can go to Have I Been Pwned and check. The breach did include passwords. They were salted and hashed, which made me go, oh, that's not too bad. And then the next word in the sentence was MD5. That is an obsolete hashing algorithm. That is not strong enough to protect you anymore. So you nearly did it right. You had all the right buzzwords, but then you went and used an obsolete hashing algorithm to implement your buzzwords. Or fell asleep. Or haven't changed. Hey, look, we made this cool web-based tool to cut out backgrounds on photos. Okay, what else can we invent? That might be it. I set that one up. It's making us money. Let's move on to the next shiny thing we want to build. That's actually quite plausible. I think you've hit the nail on the head there. Also, I don't like to tell you about every dangerous WordPress plugin, but sometimes they reach a level where I think I probably should mention it to our community because we have a lot of WordPress users.
200,000 websites are threatened by a vulnerability in a very popular plugin for managing memberships called Ultimate Member. If you use Ultimate Member, patchy, patchy, patch, it is patched, but you just gotta be sure you are. And a very popular web server these days is something called LiteSpeed because it's built into cPanel and it's way more efficient than Apache, way more efficient. There's a plugin to make LiteSpeed and WordPress best of friends and that plugin had a nasty bug. And I thought 200,000 websites, yikes! Try 5 million websites. So patchy, patchy, patch, patch on that one. And then lastly, if you have an Anycubic 3D printer, patchy, patchy, patch, patch, at the moment the vulnerability is being used by sort of kind of good guys to print, to 3D print a warning that your device is vulnerable to hacking, which is, I was trying to picture what the heck would that be? Would it be like you're a Star Wars fan and it starts printing Star Trek characters instead? I believe it actually prints the text as a 3D thing. It's a bit like the equivalent of the old printing a message on a printer, this vulnerable thing, but in 3D. So patchy, patchy, patch, patch if you're an Anycubic user. That brings us on to notable news then. Oh, so that subdomain story we already talked about that had the wrong description on it, that's because it has the right description down here. So you can delete that one from up above, Allison. Okay, you'll have to tell me afterwards what we were talking about. I'll delete it afterwards and do a post notification. So I knew I had corrected my description, but I forgot to delete the wrong description. So anyway, I fixed it as I talked live, but I have the right one down here. Signal have rolled out the feature to allow you to use a username instead of a phone number, but only to their beta users. On the one hand, I really want this. On the other hand, I don't wanna run a beta, so I'm still in the waiting pile, but it is coming.
I can see it on the horizon, me and half the planet. So that will be a nice improvement to Signal. Bitwarden, who are the, I would say the world's leading open source password manager, have improved their autofill to make it phishing resistant. I read the description of how it works and I went, that sounds like how 1Password works. But if you're a Bitwarden user, becoming phishing resistant where you weren't before is a big upgrade. I don't think they're doing anything 1Password isn't, but they are doing something they didn't use to be doing. So yay and upgrade yourself. Yay. GitHub also get a little pat on the back. They have been testing a feature to protect all of us against one of the most common sources of data breaches in the last couple of years. It is very, very, very easy to accidentally put an API key into your source code and then go git commit and push it up to GitHub on your open source project. You should not have secrets hard coded into code. Your secrets should exist as environment variables in the OS, not as text files in your source code, but the amount of source code on planet Earth with hard coded secrets in it is large. So GitHub have been, I'm assuming they're using AI. I'm gonna guess this is one of the things that Copilot has been learning, but they've had a beta feature for a while that will scan your git commits looking for secrets. So they know that an Amazon key looks like this and a Microsoft Azure key looks like this and an SSH private key looks like this. So they're proactively scanning your source code looking for keys and if you turn this beta feature on, it would stop you doing a push until you fixed it. They have now said this is going, how does it recognize an API key? Because they all have the same shape, right? The API keys are very specifically formatted, they do, because every company has their own different rules on them.
So if you see a hexadecimal string that's exactly 33 characters long or whatever, you can be pretty darn sure that's a key. So with a little bit of intelligence, and they've been tweaking this while it was in beta, and now they're confident they don't have false positives, or if they do have false positives, not enough of them or not too many of them, shall we say, and they're confident to make this the default on all new repositories. So they're not gonna backport this to existing repositories and make people's heads explode, but from now, if you make a new repository, it will have this feature by default, which they call push protection. So basically when you do a push, you are basically virus scanned to check your push before it goes actually into the repository. I just think it's a really nice feature. And this allowed me to pop a little hook here because neither of these two stories are worthy of the NosillaCastaways on their own, but there has been a constant background noise for the last year and a half that I have wanted an excuse to tell everyone about, but none of the stories individually are worthy. But there is a class of story and there are two examples of it this week. Attackers are proactively trying to trick developers into downloading the wrong thing when they go looking for open source software. So you go to a place like Node.js, sorry, the NPM repository, and there will be malware a typo away from the open source library you actually want to use. And that has been a proactive campaign for some time now.
And this between now and our previous recording, Hugging Face, which is basically a Node package manager for AI models, they have had malicious code snuck into models in Hugging Face, and Python is a very, very major language, and they have a repository called PyPI, and the Lazarus Group, the state-sponsored hackers from North Korea, successfully poisoned PyPI with a bunch of malicious repositories that are just a teeny tiny typo away from really popular Python packages. So be careful. Okay, so what is a developer to do? A developer is to type carefully. Yes. Don't just do a quick search on the repository, actually go to the home page of the open source project and get the link from them. So if you want jQuery, go to the jQuery page and follow their link to the package. Don't go to the package manager and search for jQuery, because if that search is poisoned, you'll get the wrong jQuery, but if you start at jQuery.org, you're going to the right place. So it's like, don't click on the link in an email, go to the bank and follow their number; go to the package you want and follow them to the repository. Don't go the other direction. Okay. Okay, we probably shouldn't talk about it too much because most of the audience doesn't know what we're even talking about, but thank you for that advice. That's a good idea. I also wanted to make sure I had an easy answer before I put this in the show notes because I knew you were going to ask. I'm ready for it. I have two more American stories that I think fall in the good news category to finish this up for the day. The Federal Trade Commission again, very busy people, yet they have fined Avast, the antivirus company, for making a little bit of extra money from their for-pay antivirus because they were selling your browsing data to make a bit of extra money. Your antivirus was spying on you and selling the data. The one you're paying for, the levels of wrong here just defy belief. So they've been told not to by the FTC. Thank you.
And the president has signed an executive order which gives the FCC the right to label certain countries as being problematic. And then that institutes a ban on the transfer of personal data from American companies to those countries, shock and/or horror, that would be China and Russia at the moment. That's the sale, not just handing it over, but selling to those countries. Wow. Well, I like that one. So as I say, these are all terrible though. It's like, wait, they were gonna do what? Yes, so anyway, good news there. So I also have two stories in the just because it's cool section. And I very, very, very, very intentionally put them down here. So remember I said earlier that there are security researchers who do amazing attacks that work in theory in the lab and that make your head explode. Like how could you possibly do that? Well, they work in a lab when they're completely impractical in the real world, but they're very cool science. These two stories fall into that category. So do not set your hair on fire, but wow is this cool science. So some researchers have discovered that in very carefully controlled situations, you can use a charging pad to issue the appropriate type of interference that will cause sound waves inside the microphone inside your phone to make the microphone think you said, hey, voice assistant person, do X. It's not real sound. It's magnetic fields making the magnet inside the microphone think it heard something it never heard, which is cool. Which I already thought was cool, but then they went, ooh, there's other circuitry in there for controlling how much charge this device takes from this charging pad. If we can start to mess about with the EM stuff and send fake messages, could we trick the charger into catching fire? Yes, is the answer. In their very controlled lab situation, they could trick the controller inside the phone into taking so much power over Qi that it caught fire. So Qi, not MagSafe? Well, yes, and right?
Because MagSafe2 is Qi2, so. Well, but if it wasn't Qi2, then no. Yeah, but Qi1 is compatible, sorry, MagSafe is compatible with Qi1, but not all MagSafe is compatible with Qi, but Qi is not compatible with MagSafe. Oh, it doesn't really matter, right? It's just not the same thing. MagSafe and Qi1 are not the same thing. So if they weren't doing it with the MagSafe adapter, then it didn't affect it, but it doesn't matter. We don't know. It doesn't really matter, because again, this is really cool science in a lab. This is not- Still fun. Exactly. Don't panic. The other one, which has, I just pictured the nerds in the room at the time, going, oh, look what we can do. This is cool. Yeah, I mean, they started off with, can we make S-Lady do something? And then they went to, can we set it on fire? Of course that's where they went next, right? Can we set it on fire? Yes, we can, yay. And then the other one, which is very, very low success rate, but has success rate enough to publish a research paper. If your app has microphone access, and you can make the user do enough swipe gestures, then the subtle vibrations that your finger, as it moves in perfectly across the glass, because you have greasy fingers, those vibrations are picked up by the microphone. And if you do it long enough, and you're prepared to accept a low enough success rate, you can guess a person's fingerprint from their swiping on the screen. It's like 5% success rate. Yeah, we have to go read that one. It's like 5% success rate. But I thought that would be zero. I didn't think that would be five. Yeah, I don't know, I've got some doubts thinking on that one, like how much of the fingerprint could you get? Enough to trick a fingerprint reader. 5% after about an hour of data, right? I might have to go read that. Look, it's very low success, right? But it's not zero. I thought this would be zero, but it's not zero. 
So the fact that they can do it at all in a very controlled situation was kind of like, wow, that's pretty cool. I'm almost certain that one involved running it through AI. I don't remember exactly how they did it, but I'm almost certain that involved running it through AI. So, some palate cleansing. I'm gonna let you go first, because otherwise I'll forget. Yay. So the best thing about the Podfeet Slack, podfeet.com slash slack, is the channel called Delete Me, and that's where people just post funny stuff. And basically Alistair Jakes owns this channel. Whenever I see something come in to Delete Me, I go, yay, there's gonna be some joy and fun in there. And he posted the funniest one. This is from Mastodon. And I've gotta read the whole thing for you to get the whole flavor. So someone posted on Mastodon who, it sounds like they might actually be from Google or they were describing something about Google, but it gets funnier with all the responses after that. The first person says, we're introducing a new offering called Gemini Business, which lets organizations use generative AI in Workspace at a lower price point than Gemini Enterprise, which replaces Duet AI for Workspace Enterprise. Somebody responds, hey Thomas, can I pay for it with Google Pay and Google Wallet, which replaced Google Pay, which replaced Android Pay, formerly known as Google Wallet? Somebody else, oh, and then they responded, if not, can we jump on a call and discuss billing? I'll send you an invite on Google Meet, the Enterprise Google Chat, previously Duet, which replaced Allo, the replacement for Hangouts, the rebrand of Hangouts Plus, which replaced Talk and Voice. To that, someone else responded, just to clarify, do you mean you'll send an invite on Google Meet or Google Meet Original? And there's a screenshot in the Google Play Store. Both exist, Google Meet and Google Meet Original.
The final response was, great question, Michael, as a Google Workspace user, formerly G Suite, otherwise known as Google Apps for Work, previously Google Apps Premier Edition, AKA Gmail for your domain, which would you recommend? That's brilliant. None of that is fake. Every bit of that is true. Those things all existed. My pet peeve is that Microsoft changed the name of everything every week. Every time I look at the control panel, it's different, but I'd forgotten how bad Google were. Maybe I'm still cranky at Microsoft on this one, and every time they say, would you have some feedback? I always say, I don't know what anything's called. But if I was a Google user, I think I'd give the same feedback more vocally. Yeah, well, but in this case, these are not just changing the names of things, it's abandon, change name, abandon, change name, abandon, change name. So it's both happening at the same time. Microsoft's just renaming. That's true. But the thing's not necessarily abandoned. Yeah, that's true. They're just rebranding it because they're on a vision. Yeah, anyway, yeah, I laughed so much, especially because it started off as a serious thing and it just went downhill from there. I love it. Now I have a follow-up, actually I have two things. So I have an easy one first. It was a leap year this year, which means that we had a 29th of February. And how we got to do that every four years, unless it's a century, but if it is a century, we do it anyway if it's divisible by 400. It's quite a complicated rule. How did we get there? The answer is it starts with Cleopatra. And there's a few popes involved and the English messed things up for a while because they were Protestant. It's actually fascinating, and History Daily is a podcast that's very short. It's only about five or 10 minutes every day, but it's every day and it's something that happened in history on that day. And so the episode for the leap day was the history of leap years.
Five, 10 minutes of fun, highly recommend. Not at all what you would expect. Added to Overcast, 16 minutes and 59 seconds to learn that. That's what I was saying, it's good fun. Now, the last time I was on, I told you that one of my favorite economics podcasts had decided to do a Podfeet and say, well, we named our show Freakonomics so we can talk about anything we like. And they dedicated a mini series to Richard Feynman. And they had promised a three-part series and then they made it a four-part series with a bonus extra episode, which is cool. So the first yay is that all four episodes are out and linked in the show notes, which is yay. But if you listen to those four episodes, you're gonna hear lots and lots of clips recorded quite near the end of Feynman's life when he sat down to do a traditional face-to-face interview with a friend in the United Kingdom and they made it into a documentary for the BBC that has no flashy graphics, it's almost 100% Feynman talking to the camera. I don't even think you hear the interviewer. I think it is 100% Feynman's voice and every now and then a screen pops up and says, when he was 20, Feynman went to work on the Manhattan Project. And then we cut back to Feynman. It's like almost all Feynman. It is fabulous. And I found the whole thing on Vimeo. So you can just, it's from 1981. So it's in the wrong aspect ratio and it looks like poop because it's 1981 and they didn't have any more pixels back then. It was 480 lines. If you've never heard Richard Feynman talk, one of the most brilliant minds in the history of time who can also explain everything to anyone at any level. He could explain to school children how astrophysics works. I mean, he was a phenomenal instructor and kind of a wild character, but yeah, definitely a favorite of mine. I'll be checking that out. Imagine someone who's as good at explaining science as Neil deGrasse Tyson, who's so good at actual science that he genuinely won a Nobel Prize.
How rare is that superset of those two things? And not with the overblown understanding of his own amazingness as Neil deGrasse Tyson. Right, a very, very humble man. Very, I loved him a bit and actually I had... It wasn't about him. The documentary is called The Pleasure of Finding Things Out. That sums up Feynman perfectly. And I had so much fun because I discovered, to my shock, that my darling beloved didn't know who Richard Feynman was. Oh, how fun to be just learning about it. So we watched the documentary together and I got to see Feynman for the first time through his eyes. It made it even more fun. And it was already a lot of fun, so yay, yay, yay. I just really wanted to share that. I had so much fun. I think I've told the story a few times before, but I did get to sit in on a lecture he was giving at my work. For one, there was a program manager I needed to get something from and he was in the class, so I snuck into the room. And for the time he was talking, I understood a hundred percent of what he said. And by the time I got out the door, I was like, wait, what? He's a magical speaker. I read, actually, our physics textbooks were the Feynman Lectures on Physics, and that was rough. Let me tell you, that was rough reading, but I've read a bunch of books about him as a character and he's a fascinating person. My favorite is Surely You're Joking, Mr. Feynman. It's a fantastic book. Which was written by a friend of his who was a schoolteacher, I believe. Oh, I forget. It was a long time ago that I read that. I have it in my closet. I might just re-read that one and have a read. But anyway, there you go. That is some four podcast episodes and a feature-length document, or not a feature-length, though, an hour-long documentary from the BBC. There you go. There's your Feynman quota. A lot of fun. That should hold us for the next two weeks. Absolutely. And until then, folks, remember, stay patched so you stay secure. 
Well, that was a mammoth show, but we're going to wind things up for this week. Did you know you can email me at allison@podfeet.com anytime you like? You know, a friend of mine once asked me, what's your email address again? And he listens to the show. I say it every week, allison@podfeet.com. If you have a question or suggestion, just send it on over. Remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash mastodon, where you can see the cool telescope pictures I posted this week. If you want to listen to the podcast on YouTube, you can go to podfeet.com slash YouTube. If you want to join in the conversation, you can join our Slack with people like BG and Graham Ass at podfeet.com slash Slack and talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon, or you can make a one-time donation like John and John at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.