Hi, this is Allison Sheridan with the NosillaCast Podcast, hosted at podfeet.com, a technology geek podcast with an ever-so-slight Apple bias. Today is Sunday, April 14th, 2024, and this is show number 988. Amongst other things in today's fun-filled show, during Security Bits with Bart Busschots, you'll hear a very brief appearance by my four-year-old granddaughter, Sienna. This is the same Sienna who brought you the Tiny Tip just last week about unmuting the iPhone when playing videos. I promise it's very brief. She sort of broke in on the recording, but she went back to Mom pretty quickly. Well, Steve and I had a great time watching the total solar eclipse out of an area near San Antonio, Texas, a little place called Boerne, Texas, which is oddly spelled B-O-E-R-N-E, but they do things differently in Texas. Anyway, it was not our best viewing of a total eclipse. This was our fourth one, and the forecast for the day of the eclipse was cloudy and thunderstorms. Most of the week looking forward to that date, it looked terrible, and it was terrible that day. It was sunny the day before, but the day of the eclipse, it was all clouded over, but shortly before the eclipse, the clouds partially parted, and we got these tiny slivers covered with wispy clouds. And the weird thing was, you could actually look at it without solar glasses. In fact, you couldn't see it at all with solar glasses. And then it went away for a little while, and then right before the diamond ring, which is the last thing that happens as it goes into totality, you get this bright flash and a shimmery edge of sun around the moon. We did get to see the diamond ring very briefly, and then the clouds covered it up for a while, and then we saw totality, where you could see the corona coming out of the sides all around the moon. So it was still a great experience. We had a lot of fun. It was a great trip. Met up with some old friends.
I'm also bringing all of this up because Steve did a really nice little video of the eclipse, and the nice thing is, it's a short one. A lot of people do these videos that are very, very long, showing you the entire length of the eclipse. But since we saw a very, very short piece of it, I believe it's maybe one minute, possibly? Maybe two. I'm not sure. It's a very, very short video. But it's great. Steve always does a good job. And there is, of course, a link in the show notes. In this week's episode of Chit Chat Across the Pond Lite, Bart Busschots joins us to talk about Dyson vacuums. I know that doesn't sound too technical, but you would be surprised at how advanced the tech is in these new devices. I share a few of my Dyson stories as well, and we both talk about our love for everything Dyson and why. I really recommend that you hide your pocketbooks before listening, because all Dyson products are super expensive. But we keep buying them because they're that cool. Anyway, there's a great blog post by Bart describing everything that he talks about in this episode, and it's kind of fun, as he says, pun intended, he dusted off the Chit Chat Across the Pond Lite feed this week. This week I got a text from my friend Ryan that really surprised me. We haven't seen each other in ages, but he saw something on his iPhone that he thought might be of interest to me. You know how on occasion your iPhone or other Apple device will demand that you verify your Apple ID? It's a message that pops up and says "Apple ID Verification," and then it tells you to enter the password for, and it's your Apple ID, in Settings. Your choices are "Not Now" and a button to go into Settings where you can enter your password. You've probably seen this, but the reason Ryan thought it might be interesting to me was that it was not asking him to enter and verify his Apple ID, it was asking him to verify my Apple ID.
He sent me a screenshot, and it was quite clearly my email address for my Apple ID on his iPhone. I immediately called Ryan to see if we could figure out how the heck this had happened. He's a brilliant technical guy, so it was really fun to noodle with him, even though I had a cold pit in my stomach about the security of my account. When the pop-up happened, he clicked the button to go to Settings, but everything there looked like his own account and information. He could find no trace of my Apple ID. We went back through what he had been doing around the time it happened, and while he was messing around in the Sense app, which I also have, and using 1Password, which I also have, we couldn't think how either of these would prompt an Apple ID verification of even his own account. I told him that a couple of days earlier than this, while we were on travel in Texas, I'd seen a notification that a new Apple Watch had joined my account. While that was unsettling, all of my queries to view my devices revealed no unknown Apple Watches, but adding the two events together was too much of a coincidence. We had a nice visit, Ryan and I did, and we made plans to meet up soon for dinner, but I then went off to undertake the arduous task that is changing an Apple ID password. My first stop was to go to beta.xkpasswd.net to choose a new password. The new shiny version of XKPasswd, just like Bart Busschots' original version, has a configuration option for an easy-to-type password for Apple IDs. As the site explains, the Apple ID preset is a preset respecting the many prerequisites Apple places on Apple ID passwords. The preset also limits itself to symbols found on the iOS letter and number keyboards, in other words, not the awkward-to-reach symbol keyboard. I let XKPasswd generate a bunch of passwords until I found one that was pretty memorable and easy to type, and then I opened up the settings section and tailored it just a bit more to my liking.
I plopped it into 1Password and then I got to work. I headed off to appleid.apple.com to change my password. Interestingly, it told me I couldn't do it on the web because I've enabled Stolen Device Protection on my devices, and it suggested I use my iPhone to change the password instead. I tried that and it worked like a champ. And then I had to authenticate on my iPad Pro, and then I had to do that on my MacBook Air, and then I had to do it on my MacBook Pro, and then Steve did it on our five Apple TVs where we're logged into my Apple account. I was notified when I originally changed it that any site-specific passwords that had been generated earlier were now gone. I can't remember all of the places that will bite me later, but I'll tackle that when the time comes. The next morning I decided to call Apple to see if they could explain how such a thing could have happened. I didn't have high expectations that the mystery would be solved, but I like to get my money's worth out of AppleCare. The lovely Tatiana from the front lines of AppleCare took a few stabs at the problem, but when I suggested perhaps we needed a senior advisor to get involved, she readily agreed that she would be delighted to hand this one off. Senior advisor Makaya took the call, and she was fantastic. She very quickly realized that I could go quickly, and outlined the scenarios of how someone else might get prompted to verify my Apple ID. She asked me, had I ever shared my Apple ID account with Ryan? No, I had not. Had I sold or given a device to Ryan and then maybe forgotten to sign out? No, I had not. Was Ryan a member of my Family Sharing account at any time in the past? Again, the answer to all of these questions was an emphatic no. I told her that I did a search on the interwebs for being prompted for someone else's Apple ID, and I found many people asking about this problem in the past, like the past half dozen years, and as recently as just a few months ago.
I suggested that with the combination of a notification of an Apple Watch getting on my account, which I never did, and this errant Apple ID verification request of Ryan, the two of these at the same time, was it possible some streams got crossed in iCloud that didn't just affect me? I knew that question was fruitless, and of course she said it couldn't possibly have happened, but you know I had to ask. She suggested that we take a gander at what devices I had connected to my Apple ID. There are two ways of doing this. In System Settings on macOS or Settings on iOS, you select your avatar at the top where it says Apple ID, and below that you'll see maybe a half a dozen settings below. You can see a list of all of your devices. The second way is to go to appleid.apple.com and choose Devices. As Makai and I looked at the two listings, while many of the devices were on both lists, there were also devices listed on only one or the other. So that was fun. The third place she suggested we look is in Find My on the Devices tab. This is where things got even more interesting. We found a slew of random devices with very little description on them. For example, two of the devices were entitled "Mac" and their icons were of an iMac. I've never owned an iMac. Steve's had a couple of them, but not me. She explained that if I'd ever had a login on any one of them, they might show up here. She had me click on the little "i" on each device and remove them from my account. Every single time I asked it to remove a device, it prompted me for my Apple ID password. This meant that she had to stop and start viewing my screen over and over and over again. But the good news is I got a lot more practice typing in that brand new shiny password. There was an iPhone listed, but before I removed it, I wanted to make sure it wasn't the spare iPhone I use for Continuity Camera and for screencast online tutorials. That one was turned off and in a bag for travel.
I booted it up while still talking to Makai, and as expected, it joined the party of devices demanding I log into my Apple ID. I entered the password and it failed. I tried again, it failed again. After four tries, she asked me if it was saying that the Apple ID or password was wrong, but it wasn't. It was saying "something has gone wrong." She said, yes, something else is going wrong. I tried again and now I was locked out of my account. Now I thought this was one of those things where I just have to wait a while, but with trepidation, Makai told me, you're fully locked out. You have to change your Apple ID password. Again. Now, technically I didn't yell at her, but the moaning and whining could have been heard from miles away. I was so distressed that, believe it or not, Siri kicked in and suggested that in times of stress, sometimes it's just better to take a break. I kid you not, Makai and I both had a great laugh about it because she could hear it talking to me too. So I fiddled with the ID password I had just created, and it turns out there was one thing about it that I didn't like anyway. So I went back through all of my devices yet again. Steve was a saint using the Siri Remote to dictate the password over and over and over again to our five Apple TVs. I also had to do it on my Apple Watch, which turned out to be interesting. It triggers it to let you type it on the phone. So you're actually typing into the watch, but you're using a keyboard on the phone, which is kind of a funky thing. Now there's one more thing of interest about the Find My part of the discussion with Makai. We found a set of AirPods that I'd sold to Ed Tobias. You've heard him on the show before and he's a good friend in real life. There was also a MacBook Air of Pat Dengler's on which I'd briefly had an account for testing purposes.
I told Makai that both of these devices had been problematic after I'd given them back, even though, on my Mac at least, I had logged out and I had deleted them from my account. They weren't in the list of my devices. For both of those devices, yeah, I'd gone through my devices, so I forget which way I did it, but I had definitely removed them from my devices. She said that they should have disappeared from Find My, and I agreed that they should have done that too. She said when this happens, it's called a device mismatch, and the solution is to remove them from Find My manually, which I just have this faint feeling I did try, but they were still in there. So Ed, that's why we probably had trouble with your AirPods. I'm telling all of this in part so that you'll know, when you sell, give away or trade in a device, to not only remove it from Devices in System Settings or appleid.apple.com, but to also go to Find My and remove it from there too. Now here's the fun thing. Since I wrote up the article about this earlier in the week, I am continually getting prompted to go verify my Apple ID. I've just started to say "Not Now" and it's fine. If I let it go to Settings and I enter my password, it goes, okay, yeah, I got you, but it's just asking me over and over and over again, and I'm getting it on my phone, on my Mac, I'm getting it on my watch. So I don't know, Makai and I might have another conversation about this. The bottom line is that I'm relatively sure that my account wasn't actually compromised, since I never lost the ability to change my password, but I'll never know for sure. I still think the streams got crossed on Apple servers, but you know, it's better to be safe, right? Now remember that the email address you use for account password recovery is the single most important address to protect. I'll sleep better at night knowing I've relocked the door to the kingdom, even if the keys were never actually lost.
I enjoyed Makai very much, and I guarantee you this will not be the last you hear of her. All right, let's head back to CSUN's Assistive Tech Conference for another interview. I'm at a booth for a company called Bellman & Symfon with Peter Jungvid, and he's gonna talk to us about devices for people who are hard of hearing. That's correct, and nice meeting you, and welcome to our exhibition here in Anaheim. So yeah, we are a 35-year-old company. We've always been focusing on products for the hard of hearing, and with us in this exhibition we have three categories of products. We have our smart home wireless alerting system that helps people to be connected in their home, to know what's going on and to stay safe. We have alarm clocks to help people to wake up in the morning to make sure they come to work and school, and we also have hearing amplifiers on that side to allow people to hear better what other people are saying, listening to TV and podcasts, et cetera. Oh great, well let's go through each category then. So we'll start with the "hear your home" section here. Absolutely, so the "hear your home," or the home alerting system, smart home system, comprises different transmitters for the door, for the telephone, for the baby cry, for the smoke and carbon monoxide, and upon an event they will wirelessly transmit a signal to the receivers, and the receiver, you can pick any receiver you like, but we have a flashlight receiver which is flashing with very strong light. So this is a little cone sitting up that's about maybe six inches. Oh, there's the doorbell. I think lights are going off all over the place. So you see now it is flashing, and the green light means it is the door. If I instead push the transmitter, the telephone transmitter, you can see it's again flashing, but it's yellow. So in our system door is always green, telephone always yellow. Let me guess, fire is red. Fire is red and baby cry is orange, right? Oh, okay. So yeah, this is the flash receiver.
People typically put it in the living room or the kitchen, but some... You are not gonna miss that light. I'm not gonna be able to see when I leave, this thing is so bright. That's great though. But actually you can also twist the head so it flashes into the wall if you prefer that. Oh, so it can light up a whole wall. That's neat. Well, yeah, it can, and if you feel that it's too bright for your eyes, you can turn it a little bit to flash into the wall so you feel more comfortable. In some ways a whole wall lit up might even catch your attention even better. I would agree. Then we have a pager receiver which you can bring with you, which vibrates. So would you clip that on your belt? So you clip it on the belt or you put it in the trousers, and now you can see it's a green light again to indicate the door, and you feel maybe the vibration. It's a long vibration. Do you feel that? Yeah, yeah, yeah. You're not gonna miss it. Again, it's yellow, and you feel it's a little bit different vibration, right? Okay. Which helps you to recognize why you are alerted. So that medium one there, I know that's a spam caller, I can ignore it, but that one for the doorbell, I might want to get. Yeah, it could be. Oh, and the baby is still another one, and so is the fire. And you know, some people, or most users, they learn very quickly. So if they keep it in the pocket, they don't even need to bring it up and look. They feel directly. They get to know? Yeah, they get to know which vibration it is. And this is a good daytime solution. And if you like, you can also have the accessory, which is a night cradle which charges this one. Well, maybe I should say you can run it on a normal alkaline battery if you like. Very easy to take out the battery. But if you like to have a rechargeable unit, the rechargeable unit comes with a rechargeable battery that you put inside. You put it in here. And then at night, you can use the bed shaker. A bed shaker. Which...
So this is a puck that's maybe just the size of the palm of my hand with a little rubber thing on it. So now I press the door. Oh yeah. And you can feel it's vibrating. So this provides you with a 24-7 solution, right? Right, right. Daytime, you can use the pager. At night, you have the bed shaker. Sorry, we're laughing, to the audience. Do it one more time. The transmitter, or the receiver for the bed, is bouncing across the table. But you just set that on the bed or under your pillow or something. Under the pillow, typically, yeah. Or under the mattress. You are not gonna miss that. No. And you can stop it once you've woken up by pressing this red button. Gotcha. And also when you wake up, you can see why am I alerted? Because you can still see on the pager the color, you know? Right, right. Yeah, good. Another very popular receiver we have is the alarm clock receiver. So this is an alarm clock that helps you to wake up using flashlight, vibration, but also sound. And the sound goes through different frequencies and escalates over time. So it's a soft waker stepping through different sounds. But using sound to wake up someone who is hard of hearing? Yeah, but we sweep through different sound frequencies, optimizing the hearing, and then the sound escalates. But also you have the light and the bed shaker, right? Okay, okay. So you have three ways to wake up. You're gonna wake whether you like it or not. So you can see here now I press the doorbell. Again, you see it's green, which is always, as I mentioned, the color for the door. And again, you can see the bed shaker is bouncing around, right? And this game... I love the bed shaker, right? I just want that, that's so fun. You know, also it's shaped in a soft way. And with a rubber here or a rubber here, so it's not sliding around in the bed. And as you maybe saw, you can snooze it from some of the sources. But let's say that you have a fire. Then let's press the push button.
Sorry, let's, yeah, let me press the test button here. Now, now you cannot snooze. The whole table is lit up. And that's a safety issue, that you cannot snooze it, because you don't want the user to wake up and say, oh, let's snooze. Oh, okay. You like the user to really take action. How do you make it stop? Well, you need to make sure that the smoke alarm stops transmitting. And then after the smoke alarm stops transmitting, it will stop automatically after 20 seconds. Okay, I'm just trying to save the audio audience hearing it. Okay, so I will. Okay, there we go. Wow, you are not going to miss that. So now can we go around to the sound amplification for...? Absolutely. Okay, we're going to step around here. Maybe this one is also of interest. This is a Bluetooth bed shaker. And it's a little different form factor. What he's got here is maybe three inches on the side. It's got a micro USB charger there. And this is, but it's not rubbery. What does this one do? This is also to wake you up. It's very popular. It's not part of the other system I showed you. So when you buy that, you also download the Vibio app. And the Vibio app allows you to set a time for waking up. So let's say 10:31, I save it. It vibrates three times just to confirm that the alarm time setting is received. And now even if you remove your telephone or your telephone goes out of battery, it will still work, right? So this would be great for going on travel. Absolutely. But also many people use it at home, right? Okay, because it's not tethered. Sorry, it's not. It's not tethered. It doesn't have a wire. No, no, no. It's wireless. Yeah, yeah, yeah. So here people put it normally under the pillow or the mattress. And if you like to snooze, you can snooze from the app and stop it from the app. Or you can do that from here. You just pull this once like that. Oh, it's got a red tab on it that he pulled, and that paused it. It snoozed it. And you see, you can snooze it.
And if you like to stop it, you can pull it twice. And now it's done. Very cool. Interesting design. Never seen anything like that. Why people like this is because of what I showed you. But also if Yolanda is now calling my cell phone, this Vibio Bluetooth bed shaker will again alert you. Only if the cell service works in here. Oh, there it goes. It's vibrating. Yeah. So again, this is a good way to, I mean, if there is an emergency at night, you can still reach the person this way. Very cool. Same if Yolanda would send a text message to me or somebody sent a text message to me. Yeah. Very cool. All right. So now what are these products here? These are hearing amplifiers. And we have different models. Maxi Pro is... The problem these are solving is? It's to help hear what other people are saying. Okay. And in this case with Maxi Pro, it also has Bluetooth. You can connect it to your tablet and listen to podcasts. You can connect to a cell phone and you can have two-way communication, amplified. You can hear what the other person is saying, amplified in the headset. Okay. So you wear headphones plugged into this? Yeah. You use headphones plugged into that. And so with the headphones you can hear. Let me use it. So I put them on. This device has a microphone. It has digital amplification. So this looks about like a remote control, what he's got in his hand? Yes. And with a volume control, a large tactile volume control, you can increase or decrease the amplification. Also tone control, which is accessible, to further optimize your hearing. And so with this product in microphone mode, I can hear what other people are saying around me using the microphone. So are these for people who don't have hearing aids? This is a device for those who do not have a hearing aid. Maybe they don't like to use a hearing aid. Maybe it's difficult to use a hearing aid because of dexterity issues, or maybe they just like some temporary listening device.
Right, right, right. All right. This has been very interesting. So the company is Bellman & Symfon. Do you want to tell people where they can find it? Yeah, it is. Our US website is shop.bellman.com. Shop.bellman.com. But it's not just a shop, it's useful information. And we have videos on our website where you can see why these products are helping you. And if you like, you can also see other how-to-use videos. Very good. And Bellman is spelled B-E-L-L-M-A-N. Correct. Thank you very much, Peter. This is really interesting. Oh, well, it's been a pleasure meeting you. Thank you so much. This next interview is actually from CES, not from CSUN, but it's another assistive tech demonstration from a company called Ocutrx. Mitchell Freeman from Ocutrx is about to tell us about a pair of AR glasses that are supposed to be able to start helping people with macular degeneration. That's a topic very interesting to me. It's a loss of sight due to damage in the retina from a very specific cause. But let's talk about what you're working on here. Yeah, so this is central vision loss. It runs in my family like in yours. My father had this. So these AR glasses, you put them on, it does a visual field test on the headset. Then it defines what the defect is in each eye. The defect is called a scotoma. And then we create what we call a scotoma marker on the live video feed. So whatever they're looking at, it moves the visual information out to the edges where they still have good retina. And it's really exciting because people haven't been able to read in years, and after just a few moments of wearing this headset, they start reading at a regular rate. We have several different modes. We have, because this is what we built this headset for, we have to be able to correct over a wide field of view. We have the widest field of view of any AR glasses out there, 60-degree field of view, 5K resolution.
We think it'll have a lot of other uses, but where our heart is is helping people with macular degeneration. So is your brain adapting to this information now moving from the dead spot out to the outer periphery of your vision? It really is, the brain does an amazing job of interpreting for the eyes. So when you have that blind spot, it's a very frustrating thing. My father told me that, but this basically helps their brain perceive words again. They can often see only one or two letters at a time. And I remember my dad trying to collect the letters in his brain and then read it in his head. That's very laborious. But with this technology, people can sight-read it. You know, you read by grabbing the whole word at a time. So now they can see the whole word. They take off reading at a regular rate. It is so exciting. We wore a, hopefully the other interview will play right before this one, maybe. But we were with the people who had created a headset that simulates macular degeneration. And it was a really, really frustrating thing. I liken it to when you try to look at a star and you can't see it, but if you look away, you can see it. It's like that. It's like you've got this dead spot in the middle of your vision. If you look away, you can see it in the periphery. But you're saying they could look right at something and now it's gonna collect that information and put it to the sides of their vision? So what some of the optical therapists do is they try to teach them to look off to the side and focus on that. What this kind of allows them to do is use both sides of the good retina, because we're stretching all the visual, so the word is now stretched out. And so they don't have to kind of have that training. They can just start reading. They seem to be able to just read and pick it up. I gotta tell you, this sounds too good to be true. My dad said, this is very frustrating. We need to do something to help people.
So when he was still alive, we filed some patents, had some ideas on how to do this. Actually, one of the first things that kind of pointed this out to us, remember back in the day when there were a lot of curved TVs, we were testing different things out. We had him look at a curved TV and he said, you know, I can't see the 50-yard line, but I can see more than I could back here, when it was flat. Oh really? So that's kind of what headed us down this path, to kind of get the visual information where they still have a good part of the retina. All right, well, so Oculenz is what it's called. It's AR, MR, XR, it's got all the Rs, it's got AI. It's not VR, because we still want the patient to be able to see through there if they need to, so it overlays, but they can still, you know, if they lose power, they can still see through them and see the world. That's a good idea. So when would you expect a product like this to be on the market? You know, these are our final prototypes that we're doing trials with patients, and we think we'll be able to start shipping second quarter. Really, really? Do you have to go through any FDA approval or anything? This is 510(k) exempt, but we're still doing some of the FDA trials because the next people that want to use this are surgeons. They saw this for the patient, they go, we need this for surgery so we can comfortably, you know, it's very uncomfortable looking in the oculars for hours. So yeah, it's very lightweight, very comfortable. We've had a lot of comments today that this is so lightweight. The battery, we were running this yesterday for six hours. It's got a battery that'll come off. We're very excited about this. These are all 3D printed parts. We're in production on most of this right now with the injection molding. So we'll put all this together really quickly. It has the XR2 chipset in here. It's running multiple cameras. It's doing everything your phone can do, plus a little bit more.
We think this will really become the phone for low-vision people. We had a young lady that had Stargardt's, the juvenile version of macular degeneration. She had her PhD, she was teaching, but she'd done everything by just listening to it. She had a very large defect in both eyes. She put this on, started reading, and then we turned on the video and she was like, oh, this is so clear. She, you know, she tries to watch video, but she was so excited to be able to watch a video. It must have been so transformative, how fantastic. All right, so if people want to learn more, where would they go? Just look for the Ocutrx, oculins.com. Ocutrx is spelled O-C-U-T-R-X.com, very good. All right, thank you very much, Mitchell. Thank you guys for coming by, thanks. Well, I certainly do hope Ocutrx is able to keep moving on this product, because it certainly sounds like something that a lot of people could use, macular degeneration being the leading cause of blindness. Well, on a lighter note, the lovely Christopher Wagner is our hero of the week as he is the newest patron of the Podfeet Podcast. That's hard to say, patron of the Podfeet Podcast. Anyway, he went to podfeet.com/patreon and he pledged an amount of money that showed his support for the work we do here. I really appreciate his generosity and his vote of confidence. You too can be a hero like Christopher. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How horrible was this week, Bart? I don't think it was too bad for regular home users. There is a story where I say to buy your friendly neighborhood sysadmin a coffee, but that's a corporate-y problem. So it's more a case of be nice to your friendly neighborhood sysadmin rather than our listeners being directly affected, probably. Apart from people who work in corporate IT. Right, which are definitely some of those. That is true. We have some catch-up from last time.
So as we were recording two weeks ago, the xz Utils story was still relatively fresh. We knew it was a big deal. We had a fairly good idea that it was, you know, a supply chain attack, an attempt to try to sneak malicious code into OpenSSH through a back door and, you know, try to spread poison for a very, very big part of the internet. But we've had a lot more detail since, and I think the best write-up is at Ars Technica. So I've linked in the show notes to that story on Ars Technica that I think kind of does the best job of telling that story. We came very close to a gigantic big problem. And I hope a lot of people do a lot of learning. That's fingers crossed. Our friends at AT&T have not actually told us how they lost their customer data. But they have now said, yeah, that 7.3 million we mentioned last time? Make that 51. Oh, wow. Now, we thought it was 73. So we thought it was 73. They said 7.1. Now they're saying 51. I guess we're having a negotiation. It will meet in the middle. I don't know. Either way, they have contacted affected customers. So if it's you, you will know. You still won't know why or how, but you will know. Some time ago, before Beeper Mini distracted us, there was a thing called Sunbird, which was a terrible, terrible idea because it was an iMessage client for Android where you had to enter your iCloud username and password, which is already a terrible idea. It was also riddled with bugs. So it leaked your iCloud usernames and passwords. And it went away. It's back. Apparently they fixed the vulnerabilities. So it doesn't leak your stuff. It's just a fundamentally flawed design that you should absolutely, positively never go anywhere near. So now it seems to be a well-improved idea. So a bad idea is back. Yeah, yeah. So don't do that, basically. Also, we've talked a lot about supply chain attacks against developers. Well, don't let your guard down. A new technique has been discovered in use by malefactors, as we shall call them, baddies.
You can do a bit of jiggery-pokery which allows you to game the search results in GitHub. So you can make a malicious project with a name that looks similar to a real project, play your little game and have it bounce up the search rankings so that people who search on GitHub, instead of starting off at the project's homepage and then following the link from there like I tell people to, may get the malicious library before they get the not-malicious library. Okay.

Well, for the listeners, Sienna has just joined us. Four-year-old Sienna. I don't normally do this to Security Bits, but say hello. Hello. Hello. Okay, you wanna go find mommy now? No. I don't think you can stay here. Well, this isn't normal. We do this during the live show pretty often, but let me send a quick text to Lindsey. Oh, she wants the headphones. Okay. I guess you're gonna talk to Bart for a second here. Hello. Do you know much about security? Okay, say bye-bye. Bye. Bye-bye. Okay, go find mommy. That's adorable. Sorry for that brief interlude. I forgot to tell them to maybe try to keep her out of the room this time, but okay, let's keep going with Grim Reaper stuff here. Yeah, and we're heading close to a fire extinguisher. We haven't arrived yet, but we're heading close.

Yeah, so keep, you know, if you want jQuery, go to the jQuery website and then follow it to the repository of your choice. Don't search on the repositories. Don't search on npm. Don't search on GitHub because that's where the baddies are playing. Because they can... See, I would have really assumed that searching on GitHub would be the best place to go. But no, huh? Well, certainly not now. All of the attacks have been with look-alike names. So how do you know, if you get five results for jQuery, which one is the real jQuery? The only way to know is to start on jQuery's website and they will tell you which one is real. Well, but what if somebody wants xkpasswd? There isn't a website for that. The place to go is GitHub.
No, xkpasswd.net. It will link you to the right GitHub. Okay. Yeah, there is a link at the bottom, right? Right, yeah, exactly. So I mean, that is generally the approach: start at the source and follow it. Don't start... If you insist on, if you start on GitHub, just be really careful. Make sure that you're ending up at a place with thousands of weekly downloads, although that may or may not be legitimate. They could be fake downloads. Look for a project with some history that at least can't be faked, right? If the project was set up last week and it has a million downloads, there's something odd. Yeah, just be careful because that is a lucrative well that is being very actively tapped at the moment. So you don't want to be there. All right. Well, hopefully there'll be a point in time where you tell us that's okay, but if we never hear back from you, just from today forward, start from a library's homepage. Yeah. They don't always have home pages, but okay. Well, the big ones do, usually. Or a recommendation from someone you trust. Start from an anchor of trust if you can. Otherwise, be careful. Okay. Okay.

We've talked a lot about the various changes coming about because of the Digital Markets Act in Europe. Reuters decided to ask the question, so does giving people a choice of browser on iOS, does it change anything? And they have concluded that, yes, it does. And Europeans seem to have a thing about privacy. Europeans, when given a choice, are gravitating towards the privacy-focused browsers. So the browsers whose main selling point is privacy. Whether that's being very heavily biased by the fact that Germany is a very privacy-conscious country with a lot of human beings in it, which would obviously throw the statistics off, I don't know, but it is certainly notable that when given the choice, they're not running over to Chrome, it's the privacy-focused browsers. No, they're not the ones you would know because they're often French-language.
Actually, the French was better too because they're French-language ones that you may not have heard of, like Aloha I think is one of them. But the focus is privacy, which is interesting. We shall see how it develops. It's early days yet, but it's certainly noteworthy. And it's Reuters, so I trust that they've done their homework.

And then finally, the fire extinguisher. You may or may not have heard a lot of panicking on the internet because there is a working Spectre 2 exploit against the Linux kernel. That's a fact, that is true, but home users don't need to worry about this stuff because if your Linux desktop is hacked, then they can... oh wait, yeah, your Linux desktop is hacked, you have a bigger problem. And for the people running data centers and stuff, the large Linux vendors are on top of this. So your cloud providers have fixes from the various distros, and home users, it's just not a thing. So fire extinguisher there. You know, it's interesting computer science, but there's no need to panic.

That brings us on to action alerts. So this is the bit where you pay attention. It has been Patch Tuesday. I was actually paying attention earlier. It has been Patch Tuesday, patchy, patchy, patch, patch. 150 of them from Microsoft, including 67 remote code execution bugs. So that's definitely worth paying attention to. And on... It's a big month. Yeah, it is actually. It was initially reported as the biggest ever, but there were no zero days. And then two days later, someone was like, oh, there were zero days after all, Microsoft just didn't flag them. So two zero days as well. So yeah, patchy, patchy, patch, patch.

Google were also busy, another Chrome update. So at Pwn2Own, there were a bunch of Chrome exploits and one of them had been fixed within days of Pwn2Own. We're still well within the 90 days. We're about three weeks into the 90 days, but another one has been fixed. So yay.
And to emphasize, when you say the 90 days, that's the 90 days they have to fix it before the person who found the hack gets to tell the world. Yes, before there's a public disclosure. So before the baddies get to know what Google now know. So Google were responsibly disclosed to. A zero day means it's being actively exploited in the wild already, right? So a zero day means it was exploited before the vendor knew about it. So if the first we find out about it is attackers, this is the inverse of that. So this is responsible disclosure. So the first anyone finds out about it is the vendor. Okay, so it's a zero day, but a zero day that was told to the vendor. Well, okay, so right, it was discovered at the conference. There is no patch for it. Revealed at the conference. The world got to know about it at the conference, which is before there was a patch, which makes it a zero day. So if we know there's a problem and there is no fix yet, then it is a zero day. Okay, so what's important about the 90 days if the world already knows about it? No, the world, no, no. So it has been assigned a CVE number and we have a very, very broad description that there is a bug in Chrome and that bug allows attackers to do X, but the how is still a secret. Okay, so when you said it was revealed, it was revealed to the vendor. The details are with the vendor. The specifics were revealed to... Yes. Yes, got it, got it. Dark matter. So it's not an interesting... We know it's there, but we don't know what it is. Yes. So yeah, that's an interesting, that's like a zero day with an asterisk. Yes, yeah. And of course, now that Google have fixed the other one, now it's a proper zero day because once the patch is out, the attackers will simply compare the patched version of Chrome to the unpatched version of Chrome and then the horse has left the barn here. So that one is now a full-on zero day, but there's a patch available. So it's a zero day on the right side of, the good side of...
The equation, yeah. Okay.

Now, this is one that's a little different than normal. So normally when there's an update that involves Android devices, I say, I have no idea if you can protect yourself. Good luck, have a go. See if you can patch yourself. But this is one of the ones where it's very easy. There is a problem in Google Pixel phones. It's not an Android problem. It's actually a problem in Google's firmware and their bootloader. So I know exactly who is affected. Pixel people, and there is a patch. So patchy, patchy, patch, patch. That's a rare easy one for Chrome land. An easy one for people in Android land. That's the one.

An easy one for people in Windows and Telegram land, patchy, patchy, patch, patch. I kind of find this story interesting because it illustrates a point I like to make when people ask for my opinion on things. So, okay, so there is a file extension that only exists on Windows, which is the Windows version of Python. So it's P-Y-N. Sorry, P-Y-W. There's an extra W on the end of what should be a Python file because it's the Windows version of Python. And if you double-click on such a file, where you have Python installed, you will run arbitrary code. So it should be like an .exe file. If you get sent it in Telegram, it shouldn't run when you double-click on it, right? Like if someone emails you, if someone Telegrams you an .exe file and you double-click on it, Telegram will say, oh, danger, danger. Don't do that. You've just been sent an executable file by a randomer. Yeah, are you sure? And the right way to design a feature like that is to allow-list known good extensions. So like allow .jpg, .mp3? Yeah. Instead of trying to say everything that shouldn't be allowed? Precisely. And unfortunately, Telegram is old enough to be from a more innocent time when it was really very normal in the cybersecurity world to deny-list instead of allow-list. Our first firewalls were lists of ports not to allow. We stopped doing that a long time ago.
That's laughable now, right? Absolutely. I scoff at that. Right, but there's still lots of old code that has a long history that no one's looked at in a long time. And so a lot of that code is still mirror universe, where unknowns default open instead of unknowns default closed. And so this is a good illustration of the danger of an allow list instead of a deny list. Or sorry, a deny list instead of an allow list. So whenever possible, say what you want, don't say what is not good. Okay. You know, it's a nice teaching moment. Yeah, it makes sense. Yeah, and it's an easy fix. Just, that's what you do. That's a lot easier in coding anyway, right? Right, yeah, exactly. Just try to keep patching to add things to allow or things to deny. To the deny list, yeah, exactly. Because the allow list is usually a shorter list. Right, yeah, exactly. Because what do people want? Pictures and music and videos. It's really quite a small list. That's pretty much it. Yeah, and maybe spreadsheets if they're Allison Sheridan. But I don't know. Look at that. Well, and you do run into problems with that allow list thing with some types of file types on the Mac, or package files. And so when you try to, I've seen situations where I try to give somebody something in a messaging app or in Dropbox or something like that. It goes, oh, no, no, no, this is like an executable. And you're like, well, no, what is it? Okay, let me zip it and then give it to you. And they go, okay, it's fine. I think that's, yeah, maybe a file representation problem. And maybe when it arrives on the other end, it doesn't come as a single thing and it gets very confused. Right, yeah, yeah.

Now, wait, let me make sure I get my story straight here. Okay, so first off... I think we're on LG. We're on the LG televisions here. Patchy, patchy, patch, patch. First off, you shouldn't have your television connected to the internet. Or rather, you shouldn't have your television visible from the outside world.
But apparently when someone scanned the internet for LG televisions, lots of people have their televisions exposed to the public internet. So that's just a bad idea in general. How? How would you even do that? I guess you would be some sort of a small office, home office user who has public IP addresses instead of being hidden behind a router. So if you get a corporate... I think that would be a small number, isn't it? Yeah, 90,000 though. That's how many were found. The world is a big place, so maybe 90,000 is a small number. Those were only LG televisions though. Maybe people are exposing them. Yeah, that's just weird that that many people, yeah. I'm wondering if it's something to do with trying to share media or something, that there's some sort of reason that people want to expose them. Okay, huh. But either way, there's 90,000 of them on the public internet.

But the really, really big takeaway is, televisions are of course smart home devices these days. So either don't plug the ethernet cable in and don't let them within a million miles of your wifi, which is my advice, because these are internet-connected devices made by companies with no track record of making secure software. But if you will insist on plugging it in, make sure that it's not visible from the internet. But in this very specific case, you're gonna go into your LG television, you're going to go into the settings, you're gonna find the update app, and you're going to change its default of not automatically checking for updates, so that it does automatically check for updates. And then you'll get the patch from March when this problem was fixed. But by default, these televisions don't update themselves and don't tell you they need one. So if you're an LG television owner, good luck. Yeah, in my opinion, plug it into a Chromecast or an Nvidia Shield or an Apple TV instead and then secure that. Much easier.
The article you linked to says the potential attacks hinge on the ability to create arbitrary accounts on the device using a service that runs on ports 3000 and 3001, which is available for smartphone connectivity using a PIN. So that's why they're showing up. Okay, I don't know why I want smartphone connectivity to my television, but okay. But it's apparently a capability they provide. And that's why, so it wouldn't be all these people going, I think I'm going to open a port and put my LG TV on it. That would be, that's what seemed kind of unlikely. So that's why. Maybe it's built-in Skype or something. Or like some sort of built-in video conferencing feature. Yeah, I don't know. If you're using the television in a meeting room, maybe you would want some sort of VoIP connectivity, right? Yeah, I don't know. I don't know what the smartphone piece is for. Yeah, either way though, the really big thing is set them to auto-update. Cause really, if they're going to be on the internet at all, they should be auto-updating. And a big slap on the wrist to LG, it's 2024. Why are you shipping a device that has software updates and they're turned off? Why are you doing that, you know? Probably because people get really annoyed when their TV says it wants to be updated. So they just turned it off. Probably.

Now, another thing I say a lot is when your hardware reaches the end of its support from the vendor, there is only one place it goes and that is the responsible recycle bin. Well, if you have a D-Link NAS, it has now been discovered that they contain a back door. They are out of support. Therefore, if you have one of the affected D-Link NASes, it is time to turn it off, take the hard drives out and put them into something newer that is under vendor support. For anybody who hasn't been listening for a long time, I spent some quality time with the CISO, the Chief Information Security Officer, for D-Link. And after talking to him, I would never buy a D-Link device again.
He was not on the same page with us security-wise. Not in the 21st century now. I don't know if he's still there. So I shouldn't blame the company forever, but boy, was that guy, like he used words like, oh, it's too hard when I asked about updating certain devices, you know? And I'm trying to remember which of the named bugs it was, but it was a big one. It was one of the ones that got lots and lots of media attention that you were asking about. It's one of the Wi-Fi ones, wasn't it? One of the really big-name ones. I remember being very cranky when you told that story.

Right, moving on to worthy warnings while we're in cranky land. We'll stay here for a bit. There is a website. Where's Sienna? Bring her back. There is a website called PandaBuy that is apparently very popular for buying, I think it's cheap clothes, I think. It's cheap stuff anyway. They had a data breach where 1.3 million user details were leaked and their approach has been absolute silence. They haven't admitted or denied. They have just been silent. So if you are a customer of PandaBuy, pop over to Have I Been Pwned and check if you're in the breach there, because you're not going to have been notified by the website. That's sort of where I've been drawing the bar here. Generally speaking, I don't warn... Yeah, I was wondering why you were doing, yeah, I was wondering why you were doing just 1.3 million users. That's chump change, but 1.3 million users that you didn't tell, that makes the list. I like that line. So what you don't see is that there were about 20 other breaches this week and I just scanned through the news story for "and customers have been notified." And once I see that line, I go, not for the show notes, and I move on. But this one didn't meet that line.
And then a worthy warning in the sense of, our little description paragraph says, public interest groups or the security... government organizations, public interest groups or the security community, a warning about, sorry, a relevant warning from. Anyway, the FBI is definitely a relevant government group. They are warning that in the United States right now, there is a big spike in SMS phishing attacks pretending to be unpaid tolls for roads. So... Oh. And that's a thing, right? Because if you have number plate recognition, it's certainly a thing in Ireland, but if you have number plate recognition and you don't have a membership, you need to pay the toll within 24 hours or you have to pay a fine, and you may or may not get a message saying, oh, you drove through blah, blah. So anyway, fake ones of those, be careful.

Now, our biggest section of the show notes by far, which is unusual, is notable news. And it might have something to do with Google having had a big conference because there's a lot of Google news in here. So first off, Google have launched their, what they are calling, Find My Device. And if that sounds awfully familiar and like Apple's Find My network, well, the similarity isn't just in the name. Everything about how it works sounds awfully familiar, which is good. I'm actually very excited about this. Yeah, this is, in the old days, we'd go, and then he has it, and now it's like, oh, cool. Excellent, yeah, copy that, that was good. So Apple implemented their system with cryptographically enforced privacy and Google have implemented their system with cryptographically enforced privacy. I read through the technical blog post from security.googleblog.com and I just, I got déjà vu all over and I didn't see any clangers. I didn't see anything that made me worried. This looks like a good system, which if you live in the Android universe is very good.
I have also seen that some third-party vendors are making single trackers that are compatible with both networks, which if you're a switcher, if you're a Knightwise kind of person who likes to straddle the universes, you can buy single trackers and they're available from your iPhone and your Android device, which is particularly cool. Regardless of whether or not you can track your device. So Apple's Find My network will only work with Apple's ecosystem and Google's Find My Device network will only work in Google's ecosystem, but the protections against stalking are cross-platform because that was adopted as a standard. And so iOS devices will be warned if one of these Google trackers is following them and Google people will be warned if an Apple tracker is following them. So the anti-stalking stuff is cross-platform but the actual tracking itself is not cross-platform. So there isn't one unified network. So, okay.

One thing, and I'm terrible at names, Daily Tech News Show launched a new Android show with the people that ran Android Faithful before on the TWiT network. And one of the gentlemen whose name I should know off the top of my head talked about this and he said that when it was originally presented, Apple and Google were gonna be working together where iPhones would be able to add to the noise of the network, identifying where the Google, I'll call them AirTags, are, and so that they would be part of one unified network, and Apple for whatever reason has not done that yet and Google decided to march ahead. So I think it's in the future, but Apple hasn't done it yet. Hasn't done the work together. They haven't released the ability for them to be able to create the mesh network together, but it will be there. I hope that's correct. It doesn't line up with my understanding of things, but I pray I am wrong, I want... Yeah, it's an Android guy who follows this stuff real closely so, and again I apologize for not knowing the name.
Tom Merritt is yelling into his phone right now saying, yes, the name is, blah. And I'm frantically searching. I may yell out a name in the middle of the show a little bit later, but... I hope I'm wrong. This is one of those cases where I want to be wrong and it would be really good if it was one unified federation of networks. That would be fantastic. That would make all of our stuff easier to find. That would make me happy.

From the department of, I can't believe this wasn't true until now, but it is now true that Gmail is going to block email that originates from IP addresses with more than 5,000 emails per day that do not pass the basic email validation protocols that we've had for a decade. That would be the sender protection framework or SPF, the digital keys identification message, I think that's what DKIM stands for. And I completely forget what DMARC stands for. Anyway, these are three protocols for validating that email is not spoofed, because email is one of those protocols that's so old it was invented before the concept of security. And to a large extent, it's like a postcard. The return address is, well, it's just editable, right? You can write anything you like on the back of a postcard and send it and pretend it came from Glacier National Park when you were in fact sitting in Ireland or something. Write anything you want back there. But SPF, DKIM and DMARC use various cryptography and stuff to actually tie an email to a domain name, and you can't fake a domain name, right? You own podfeet.com, no one else owns podfeet.com. And I thought everyone was already checking for these headers, but apparently Google was letting them through. Yeah, whatever, you failed. Not so much, huh? But now they're not. And apparently a whole bunch of bulk mailing services are going, oh, my emails aren't getting through. What's going on? It's shaking a lot of things loose from a lot of trees, which I think is fantastic, because everyone should be configuring their email securely.
And when I say everyone, I don't mean you and I. Full stop. Yeah, I don't mean regular home users, but people who have servers sending email, that needs to be done properly. Right.

Hey, backing up a story. Oh, did I miss one? Tom does not need to send in an email. It was Daily Tech News Show 4744 for April 9th. The man's name is Ron Richards and the current show is Android Faithful. That's the one that's under the DTNS umbrella now. So he's the one that talked about it. If you want to go back and listen to that, you can find it at DailyTechNewsShow.com. Excellent, excellent.

So yeah, good. Google is cracking... Google is making Gmail more resistant to receiving spoofed email. Yay, this is good. And this is going to force lots of people to look after their domains better, because Gmail is a big mail receiver, you know. If your stuff doesn't arrive in Gmail, it makes you go, ooh, what have we done wrong? And the answer is you haven't done SPF, DKIM and DMARC, now go do that. So this is good.

There was also, we talked, I think at the time, in fact, I know we did, there was a class action lawsuit against Google because their incognito mode implied it stopped you being tracked, but there was a giant big caveat that it was websites couldn't track you as easily. Your local, actually, no, sorry, let me back up, it wasn't even that. Your local desktop computer wasn't tracking stuff so that you could basically buy birthday presents for your spouse without them knowing what you'd bought them. But Google was absolutely still tracking you, but the verbiage didn't make that clear. And there was a class action lawsuit which Google settled. And part of the settlement is that everything from before they changed the disclaimer page should be deleted. So they have said, yep, we're gonna do that. So billions of their records are being scrubbed because they were collected before they were clear about what incognito actually means. So nice to see them follow through. Wow. Yeah.
Billions, that's nice. Billions. Incognito, except for these billions. Did you mean that? Yeah, exactly.

Now we switch to good news mode. So one of the things Google has been quite good on, on the whole, is being a good steward of the internet and generally working to make the internet more secure. We have Google to thank for making HTTPS so popular, because they basically went, we're gonna rank secure websites above insecure websites, and all of a sudden everyone was like, oh, maybe we do want to secure our websites. And they are trying to make Chrome a safer browser as well as one that gathers more information for them. And they have put some work into making, this is the kind of stuff I love, right? So security researchers work off the assumption that humans make mistakes. So how can we make stuff more secure even in the presence of mistakes? And so there's a new feature been added to Chrome called the V8 sandbox, because V8 is the JavaScript brain inside the Chrome browser. And what this does is it makes it harder for a coding mistake in V8 to lead to a security compromise. So it sandboxes the stuff JavaScript can do so that it's way more tightly contained. And so that if something goes wrong, the detonation is contained instead of a full takeover of the browser. So you will still have bugs, but their effect will be massively dented. This is equivalent, if you're living in the Apple universe, of a feature Apple called BlastDoor, which is in the Messages app and a few other apps, where Apple are trying to do the same concept of, if there's a bug in Messages, don't let it take over the whole iPhone. If there's a bug in the JavaScript engine in Chrome, don't let it take over the whole browser. So this is great. And this is now in the versions of Chrome that are shipping. So I really like this.
And then thinking much bigger, there is a really big problem at the moment that, with my work hat on, I have seen go from a hypothetical to something real that I have seen actually happen. So, well, we were bad about passwords. Attackers stole passwords and then they could just become you. And then we started to require multi-factor authentication. So if an attacker steals your password, it doesn't get them nearly as far. And even if they can trick you into doing your one-time code through a malicious proxy service, they only get your stuff once. They don't get to keep your password forever because they have your one-time code now, but they don't have your future code tomorrow. But they've decided to lean in. So instead of trying to steal your password, they're just trying to steal your login session, because most login sessions are good for a week or two. So if they can steal your login session, they can be you for long enough to do plenty of damage. And so they're trying to steal session cookies. And so Google, right now, if I take your session cookie and stick it into my computer, my computer is you. Everything you're logged into with that cookie I'm now logged into. So it really is hijacking your current identity in Gmail or in X or in whatever, right? Whatever the session cookie's from. One service at a time. Yes, exactly. One service at a time, though. Well, unless you're using single sign-on, in which case the session cookie could cover everything on the same single sign-on. So if you do Sign in with Meta and you're signed in with Meta to 20 websites, if they steal your Sign in with Meta cookie, they're now into 20 websites, right? So with the single sign-on stuff, where, you know, Sign in with Google is very popular, a single session can be quite big, right? That's why the attackers are there, right? That's why this is now happening. So this is now what I'm seeing in the real world, what they're doing. They're just stealing the session cookie.
And so Google set about making that not work anymore. And so they have developed a new protocol that they're hoping to turn into an official W3C standard, where you have a private key in the browser and you cryptographically sign the session cookie. So the session cookie is useless anywhere that doesn't have the private key, which you can't get out of the browser. So stealing the session cookie ceases to steal the session. Now it's gonna need buy-in from website owners and stuff, but if you get buy-in from the biggest single sign-on vendors, you just put a giant dent in this problem on the entire internet, and they have moved on to testing. So it is going to be, Google servers are ready and Chrome is ready. So they're going to test it on Google to Google and they're simultaneously working to make it a standard. So if they succeed, this could come to all of our browsers and all of our websites and then this whole avenue of attack disappears. So passkeys... So as a newscaster that we both like always says, watch this space. Watch this space. Basically, passkeys are gonna kill the password and this is gonna kill the session stealing if this works. So yay, this is really cool. I'm really happy with this. It's very elegant as well. I loved reading the detail. I was like, ooh, clever.

And then finally, speaking of clever, this is, no one here is going to find it exciting, but it's still a nice feature. There is now an optional extra that you can turn on in your Google Workspace. So Google Workspace is like Google's equivalent of iCloud. It used to be there... Oh, it's changed names so many times. I'm not going there. It's basically your groupware thing, right? Your corporate Google Docs. And if you have more than one admin, you can now optionally enable a feature where the really dangerous settings need two admins to agree. So like in a nuclear submarine, you need to have two keys. Two keys. Yeah. So basically it's a little easier than the two keys because you don't do it simultaneously.
The first admin goes in and ticks the box and that triggers a notification to all the other admins, and the moment another admin says, okay, it happens. So it doesn't have to revert back to the first admin. It's just the first admin says, I want to do this. It's in series. It's in series. And then as soon as another admin goes, sure, that's fine. Then it happens. It's so clever. If someone's session gets hijacked and they have administrator rights, this is such a great brake. I hope to goodness everyone turns on their photocopiers and that this becomes a feature across all of these similar services. If you have a multi-admin setup, this should be an option. Just turn it on. It takes two of us to change the dangerous settings. It's brilliant. So really happy to see Google do that.

Right, moving away from Google. There's a lot of Google news, right? So moving back to, yeah, exactly. Moving back to Apple land, Apple have had a thing for a while now where they notify people they have reason to believe are targeted by state-level actors. And so we've seen that go off a few times with the NSO Group and stuff like that. They have now expanded that to cover mercenary ransomware, as Apple's word. So basically grey-hat spying software like Pegasus, but not just being deployed by governments, being deployed by anyone who buys it. And so Apple are now going to warn people of that and they just issued warnings to an unknown number of people in 92 countries. So that means at least 92 people. I'm going to guess there's more than 92 people. So they obviously found some sort of indicator of compromise and then checked all of their logs to see how many times this signal is in the logs and they have now notified all of those people. So I'm happy to see Apple do it because this is the only way to fight back against this industry, but you know, I'm not sure that counts as good news or bad news, but I guess better we know, so.
Probably not for most of us to worry about, but good to know they're doing it. Precisely. Oh yeah, exactly, exactly. A timely reminder that impersonation attacks are only going to get better. AI is going to make this worse. The Federal Trade Commission in the United States has warned that in 2023, impersonation cost Americans 1.1 billion, with a B, dollars in reported cyber crime. And remember, most people don't report cyber crime. So be very, very careful; just because it sounds like your mom, it may not be your mom. Right. X have launched passkey support on iOS. I have turned it on. I found my way to it. This is not an obvious setting. So you go to your face in the top left corner, then you expand Settings and Support, then you click Settings and Privacy, then you click Security and Account Access, then you click Security, and finally there's a toggle for Passkey. You click that toggle and then it says, would you like to save a passkey? And then you say, yes. And in my case it said, would you like it to go into your Keychain or into 1Password? And I went, into 1Password, please. And so that's now done. But anyway, that is there for X users. DuckDuckGo are experimenting with a new privacy-focused VPN. It's a paid-for service. This is how they're trying to monetize because they don't use user-targeted advertising. It is US only at launch. It uses the WireGuard protocol, which is two thumbs up. That is the future of VPNs and it is a tenner a month or a hundred bucks a year, which is not a bad price. It's a pretty, fairly high price, but not as bad as some. Yeah, and given that you know the profit is coming from the money, not from selling your stuff. Because you know, I hate cheap VPNs, because it's like, well, I'm not saying, well, cheap VPNs don't mean bad VPNs. Remember, PIA was in the top seven by Consumer Reports after they went through 64 of them and it's about $3 a month. Yeah, there's somewhere there's a line between this is impossibly cheap but this is good. 
And it uses WireGuard. Yeah, good, good. Yeah. Yeah, I mean, I'm not saying that anything less than a tenner is dodgy, but anything more, anything less than... A tenner is a reasonable price. It's a reasonable, yeah, exactly. That's what I'm saying, exactly. Now, if you work in an organization where you have sysadmins and they look a bit haggard on Monday morning, buy them a coffee, they've probably had a terrible weekend because one of the biggest vendors of networking equipment, Palo Alto, and they are from your neck of the woods, California company, competitors to Cisco, you may have heard of. They're one of the biggest vendors of networking equipment for larger organizations and there's a giant big unpatched zero-day back door in a bunch of their firewalls. There is no fix yet, there's only a workaround, which means that every sysadmin has to assume breach, see if they can find any evidence, apply the workaround and clean up. Not a pleasant thing for any sysadmin to be doing this weekend, so they're going to be very appreciative of a nice cup of coffee if your place uses Palo Alto. So this technically fits in Security Bits because we can buy our sysadmins a coffee, but there's nothing we can do about it and we are probably not affected by it. If you're a home user who's buying Palo Alto Networks equipment, you're not listening to us, you're listening to some sort of high-end stuff to get your security information. Yeah, yeah, exactly. But do buy your sysadmin a coffee and if you've heard about it on the news, this is what it is and it's a big deal. Excellent explainers, tip of the hat to Tom Merritt since we haven't mentioned them enough today. Know A Little More has covered the wonderful world of ChatGPT. If you've been wondering what all the hype is about, it is an excellent explainer on the whole, you know, how we got here, what do they actually do, why they're not magic and they are powerful, but they're not all-powerful. 
It was a good episode, I really enjoyed it. So I do love it. So it's not large language models in general, it's specifically ChatGPT? No, it's large language models in general, but named ChatGPT because that's what people are going to know it as. It's Elevates. Anytime Tom explains anything, it's worth listening to. So I'm glad to know there's a new one out there. Great. Exactly. Just because it's interesting, I'm not going to go into this in detail, but Intego have done their quarterly review of the world of Mac malware. My summary is if you don't install random stuff, particularly piracy software and cryptocurrency software, you're probably fine. And that continues to be true, which I think is good. So basically all of that being careful, I keep saying, if you're doing that, you're probably fine. That is not a bad summary to come out of that. That's good news. Yeah, I like that. Exactly. Just because it's cool, did you ever wonder what magic happens when you double-click a file in the Finder? How does it know what app to open? If you think the answer is simple, you're wrong. And the Electric Light Company have explained it in great detail with big diagrams because there's a lot going on here. It's not the Electric Light Company, it's the Eclectic Light Company. Yes, it is, and I know that. You have the link correct, but I just want to make sure if people heard that. Yeah. It's a great resource for the internet. I love their stuff. Every time they... I don't know if it's one person, it may well be just one really cool nerd. Everything I've ever read. If I see that lighthouse icon at the top of an article, it's like, ooh, got to read this. I'm going to leave you to correct that typo because I really can't type eclectic while trying to talk. Well, you got the URL right, so if anybody followed through to the link, they would be taken care of. Just keep your eye out for Eclectic Light. Always read this stuff. It's really great work. Agreed, agreed. 
Okay, some palate cleansing then. Allison, you've probably talked about this on the show already. There has been a wee bit of a solar eclipse. One of the things I always say to people who say things like, ah, yeah, I saw an 80% eclipse. It wasn't all that impressive. It was like, you may as well have seen a 0% because the cool stuff, 100% and 99% is as different as 0% and 99%. It is, that last percent is where everything is. And XKCD have illustrated that point perfectly. Like the sudo, can I make you a sandwich one? I am keeping this one and printing it out big. I'll probably stick it on my cubicle at work because this is one of my pet peeves as a people. I've seen most of the solar eclipse. What's the big deal? Unless you see it all, it's nothing. It's sort of like smelling bacon versus eating bacon would be a good way to describe it. I like that. No, I'm hungry, thanks. Now, there was another XKCD that I really liked that I could just explain very, very quickly. It was someone furiously refreshing a website for the weather where they were to see if they had clouds. And the person in the background says, so let me make sure I understand this. You wanna see the moon, the sun covered up, but you wanna see it covered up by something specific. Not clouds. Right, right, right. Actually, if you could stick that one in the show notes, actually, because that is funny. Yeah, I like that. I enjoy that one a lot. I'll try to find it. It's from recent. It's from a week or two. It's from within the last week or so. And then, finally, there is a podcast I have been enjoying and I haven't had an excuse to plug it here because the topics haven't really been in our bailiwick, but they have crossed into our area of interest. This is a weekly 15-minute podcast. So not a big offering. It's called The Economics of Everyday Things and they have tackled top-level domains. 
And there's a heckin' lot more going on in that .io domain name than I had even thought and I thought I knew about this stuff. There's a heckin' lot more going on there. So I was utterly fascinated and I think a lot of our listeners will be. So The Economics of Everyday Things and if you enjoy it, they have a back catalog full of really cool stuff. But this is the first time it's lined up with our area of interest. Right, I thought. I like it, that does sound fun. I thought this was a short show. Apparently not. Well, it was pretty interesting. I enjoyed it a lot and I was paying attention. Sometimes I'm not, you know that, but. Yeah, the listeners can't see you type what you're going to do but sometimes I know there's going to be 50 corrections all perfectly ready for me because I can see Allison working away as I try not to end the sentence at an inappropriate moment. But not today, none of that today. Anyway, until next time folks, you all know what to do. Stay patched, so you stay secure. Well, that's going to wind us up for this week. Did you know you can email me at allison@podfeet.com anytime you like? If you have a question or suggestion, just send it on over. You know, you can do reviews too, if you like. We haven't had a lot of listener reviews lately. I am going to be going on an extended trip later this year. Don't tell Bart and Alistair yet. I haven't told them. But anyway, if you want to start thinking about reviews you can record, you can email me, ask me questions about how to do it. It's a lot of fun if you can. If you have a question or suggestion, like I said, just send it on over. But remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash mastodon. If you want to listen to the podcast on YouTube, I don't know why people do that, but people do. You can go to podfeet.com slash YouTube. 
If you want to join in the conversation, you can join our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com slash Patreon, like Christopher did this week, or you can use a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time to join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.