Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology geek podcast with an ever so slight Apple bias. Today is Sunday, April 16th, 2023, and this is show number 936. Well, I'd asked you all last week what you think about having an intro at the beginning telling you what I'm gonna tell you about. And I've gotten a bunch of votes from people. A lot of people on Slack have talked to me. Pat Dengler cornered me in real life to tell me her answer. And the vote is 100% split. Half the people say, no, I can't stand it when podcasts do that. I know what I'm gonna hear. It's in the title. I don't need to know that. And the other half go, yeah, that'd be really great if you told us upfront. I'm not sure what I'm gonna do. I may still do it from time to time, but I'll tell you one reason not for me to do it. A lot of times during the live show I underestimate how long the show is gonna be, and I look and it's gonna be really long. And so I cut something from the show after I've already recorded the intro. So that's one of the reasons I actually never do it. By the time you see the title of an episode, that's what's actually in it. But when I'm at the beginning of the show, you might never know. So I'm probably not gonna make that change. After a completely unexplained, and I don't even know why, hiatus from doing Chit Chat Across the Pond Lite, we have a Chit Chat Across the Pond Lite. Adam Engst of TidBITS joins me this week to talk about the changes Apple made recently to the file provider extension. And I had actually never heard of the file provider extension until he came on the show to tell me about it. But these changes had a fairly significant effect on how cloud storage providers like Dropbox, Google Drive, OneDrive and Box work with macOS. Whether you realize it or not, you've very likely been upgraded and transitioned to new versions of these services. 
While the new file provider extension improves several things about our interface with these cloud storage providers, there are also some serious gotchas that may affect you. For example, before talking to Adam, I didn't realize that the change caused us to have local copies of our entire Google Drive and anything added there isn't necessarily being synced to the cloud. Being Adam, he's written an extremely well-researched and well-explained article over on tidbits.com. And of course, there's a link in the show notes to that. So you can follow along with our conversation and learn all about this from the great Adam Engst. Well, this week we actually have two Chit Chats Across the Pond because we have a Programming By Stealth by Bart Busschots. In this rather mind-bendy episode of Programming By Stealth, Bart takes us into the weird world of POSIX special variables and options. He refers to some of them as being like handling nuclear power. At one point, he suggests mind-altering drugs must have been involved in the design and he even compares one of our newly learned tools to a chainsaw. He powered us through amidst my many interruptions with questions to where we can now write shell scripts that take flags and optional arguments using getopts. The final form of the syntax is very readable but knowing the reasons behind each bit is crucially important and that's of course, Bart's strength. You can find Bart's fabulous tutorial show notes to go along with this episode in the links of course in these show notes to pbs.bartificer.net. Hey there, I'm talking over here, hush, just hush. Hi there, fellow castaways. This is Terry from Texas with another long overdue review. First, the problem to be solved. As an online professor, I record videos for my students. As previously mentioned, I live in Texas where it gets hot. To solve the hot problem, we use an air conditioner. Air conditioners make noise. Noise ends up in my videos. I also live very near Fort Cavazos. 
You might know that better by the old name of Fort Hood. My house is right in the middle of the training flight path for both cargo and attack helicopters. They don't respect my recording sessions at all so often helicopters fly right over in the middle of my recordings. Again, noise ends up in my videos. We all know what makes a good video is clean, well-done audio. So noise in the audio, yeah, that's a problem. A problem we need to solve or at least a problem I need to solve. That brings me to the app of concern, hush. Yes, just hush. Hush uses state of the art artificial intelligence, AI, to suppress background sounds and room reflections. Hush is available on the Mac App Store or from the developer Ian Sampson's website at hushaudioapp.com where you can try it for free. As the website states, hush will mute all the noise, make every room anechoic, debark, de-chirp, de-honk, automate your workflow, stay cool with Apple Silicon and own it for life. The developer has hush app priced for a one-time purchase of $49.99 rather than the subscription model. I actually prefer that type of purchase for this app. I'll use it all the time and I don't mind paying for an app that will actually do its job. I listened to the sample that Ian has on his website and immediately bought the app. It's been less than a week and I've already cleaned up all my new videos and I've even started going back through my old library of videos that are previously done for my students. The way this works is you make some audio or you make a video and render out just the audio file. Open the hush app, set some very basic parameters, pick a folder for the cleaned audio to end up and then drag your raw audio onto the app's target window. Reach into the folder where you told hush to see your clean audio and now you've got a clean audio file. If you're working on a video like I am, drag the clean audio track in to replace the original noisy track and then render your video. 
If you record audio or video, you just might wanna check out hush. Now that you've listened to me talk about hush, you might want to hear how well it works for yourself. So I will ask Allison to play you a short audio clip. First, you'll hear a bit of audio I recorded with two fans and a TV running in the background. Then you'll hear a clap as an audible separator. Finally, you'll hear the exact same bit of audio after a quick trip through hush. Allison, hit it. This is an attempt to check and see how well hush does at silencing a very noisy background. Let's give it a shot. This is an attempt to check and see how well hush does at silencing a very noisy background. Let's give it a shot. Wow, that is incredible, isn't it? Well, I tell you, I often get teased by listeners that I cost them a lot of money with my reviews. I now know how you feel. When Terry sent me this review of hush, before I read it and listened to it, he bet me that Steve and I would both want this app. Without even knowing the price, I was dubious that I needed it. I have a very controlled environment for my recordings with lots of sound absorption, a really good microphone, and a clean audio interface. But what I don't have control over is the recordings from listeners. Most of them are really good quality, but even the best ones often have room echo or fan noise or air conditioning. Heck, Terry himself sent in a recording once where the refrigerator was running in the background and it was highly distracting. After hearing Terry's review, I decided to download the free 21-day trial of hush. 21 Days is a very generous trial period for developer Ian Sampson to offer. Later in the show, you'll be hearing a quick review from the lovely Sandy Foster. She's worked really hard to create a good environment for her recording, no more fan noise, and she's got a big girl microphone, so her recordings are very clean. 
When I listened to Sandy's recording for this week's show, my very picky ears heard a very slight room noise. It's kind of hard to describe. Room noise is not like a fan or anything like that, it's just kind of the room itself reverberating at a low frequency. Now, 98% of you would have never noticed the room noise on Sandy's recording, but I thought I'd just give hush a try. I downloaded the free trial, like I said, from hushaudioapp.com. And I'm gonna walk you through exactly what the configuration is. Terry referred to it a little bit, but I'm gonna get into some more details. When it first opens, it tells you that the trial is 21 days. Yeah, you again. As soon as you click the Start Trial button, you'll see the very simple configuration options for removing noise from your audio. In the upper left, there's a slider from zero to 100% labeled Mix. Now, there's no explanation of what Mix means, so I asked the developer Ian Sampson. He explained that it simply blends the processed output with the original output. He said that if the AI inside hush completely erased a dog bark and you set the slider to 50%, it'd be about half as loud in the original. The reason you might wanna set the Mix to anything other than 100% would be if the resulting clean recording sounded maybe artificially clean. For example, we've got another interview from the CSUN Assistive Tech Conference this week, and since I'm sure you've noticed in previous recordings, there's a fair amount of ambient noise in the exhibit hall while we're doing these recordings. I ran the latest recording through hush three times. I did it once at 100%, then at 50%, and I finally settled on 75% feeling pretty good. At 100%, it sounded like the interview was conducted in a super quiet but large room. At 50%, the noise level was still a little more than I wanted, but at 75%, it sounds natural. You could still tell I'm in an exhibit hall, but it's not distracting at all. 
Now, Steve and I were talking about how the CSUN environment wasn't super loud, but if we ever get to go back to CES, Hush will definitely be set to 100% for those interviews. Now, Hush has just a couple more settings to play with. It asks you to tell it where to put the resulting denoised file, like Terry mentioned, and it gives the option to add a prefix or suffix to the resultant file. I like that, so you keep your original and you can have a prefix or suffix to be able to tell which one's the clean one. Finally, you can set the sample rate and file format of the output to WAV, AIFF or FLAC, which are all uncompressed formats, or you can choose to, there's a toggle switch there, you can set to the same as the original file, which is what I choose. After setting up Hush, you simply drag your audio file onto the main area on the right and Hush immediately gets to work as soon as you let go. Now, speaking of drag and drop, I tested Hush for accessibility. The mix slider, file info fields, and formatting controls all worked really well. There's graphics next to each one of these settings and they're not quite labeled as well as they could be, so I let Ian know that he might need to do some cleanup on them. A bigger issue though is that drag and drop is problematic for those who use VoiceOver. I thought that might be the case, but I wanted to be sure, so I sent out a toot on Mastodon, asked if maybe there was some trick they knew that I didn't know about and it wasn't a problem. Kevin wrote back, most screen readers have a way to drag and drop, but they're often not as efficient. You can do it, but it's really annoying. Or sometimes you can select a file in something like LaunchBar or Alfred and then send it to the app that only has drag and drop. Most of the time drag and drop with a screen reader is not enjoyable as it seems to be for sighted people. Now, Alison Malloy wrote, in my experience, this would make it functionally inaccessible. 
On the Mac, for example, drag and drop is possible with VoiceOver, but it rarely behaves the way I would expect it to. Well, armed with that feedback, I passed that along to Ian and man, is this guy responsive. I had asked him, you remember about what mix meant and he got back to me in like 20 minutes and on the accessibility question, I told him the things I thought needed to be improved like these buttons being labeled weird or these icons being labeled weird, I should say, and the drag and drop problem. He wrote back and he says, I have a list of things I'm gonna work on. I'm glad you gave me this list and the top on my list already is to fix the drag and drop problem for VoiceOver users. And he does have some people who are helping him test. So that is fantastic, I love that. Now, one final point I wanted to make, Hush really does want an uncompressed file to work with. I tested running an MP3 file through it and it took a really long time and it actually spun up my fans, which I'm not sure I've ever heard before because I have an M1. And even though I told it to save it as my original format, it doesn't have a way to save as MP3, so it saved it as an AIFF. I also tried it with an AAC M4A file, which is a lossless format, but it is a compressed format. Hush did save it with the .M4A extension, but the file was triple the original size. So I think it was probably exported as an ALAC, that's Apple Lossless Audio Codec, which also has M4A at the end. So it wasn't an AAC, I think. Now I'm getting into the nitpicky details of audio codecs here, which is pretty much the road to madness, so I'm gonna stop. On hushaudioapp.com, Ian says that when you buy Hush, you own it for life, and Terry mentioned that too. Ian says neural networks with this much power usually require a server, along with a hefty usage or subscription fee. Instead, Hush runs entirely on your Mac, your data stays private, and the app is yours forever. 
So while $50 is a lot for an app, Hush is in the Mac App Store, which means I can still share it with Steve for his videos and that made it a little more palatable for me. I like owning software, the software does something really complex and specialized, so I think it's really great. The fact that on the first day I tested Hush, even though I had 21 days to play with it, I found two good uses for it, tells me Hush will be a tool that will live in the top drawer of my toolbox for a long time. I'm very cross with Terry for costing me $50, but you'll all be the beneficiaries. You'll be able to hear it in the recordings even in this episode. I bet a lot of you are grinning knowing how much I've cost you over the years, so you're happy with what Terry did to me. All right, let's jump into another interview from the CSUN Assistive Tech Conference, and this is the interview that now has a 75% mix on top of it with the great app, Hush, fixing the audio so you don't hear a lot of background noise. I'm not entirely sure what this has to do with accessibility, but I'm talking to Mark Wavius at WonderPax, and he handed me something delightful, which we are gonna reproduce for the video audience, but he's handing me a small, let's see, you describe it. It's a reusable ice or heat pack, so you can put it in a fridge and use it for ice first. However, there's a little metal coin on the inside, and then you just click it. From there, it'll begin to heat up to 130 degrees, and then some moist heat, so this is gonna increase blood flow and circulation, and then you can use it for spot therapy as well. And it's an expanding crystal-type structure, it looks like, that came out when he squeezed this little metal disc inside. Yeah, so anytime that you do click it, it begins to crystallize itself and heat up, but when it cools off, you can reuse it with just boiling water. So you boil it back into a liquid, and then you click it again when it gets back to room temperature. 
That's so interesting, so it's hot now, but when it cools down, then I boil it. That makes it just be the little metal disc again floating around in a clear liquid, but I squeeze it again and then this gooey stuff comes out. That is so, that is something that I've never seen before. It's Wonder Packs P-A-X, right? Yes. Now what he's handed me is like the size of the palm on my hand, which I will just wanna hold on to, because this is wonderful, my hands get cold, but you have other things here. Yes, so we do have bigger ones too. I'll show you one really quick. This is our top seller. Okay, so this is for your neck and shoulders here. Could I borrow your shoulders really quick? You can, but describe it to the audience what it looks like. Gotcha, so pretty much this is gonna form to your neck and shoulders, it has shoulder ridges and they have built-in pressure points on the inside too. So with the built-in pressure points, you're gonna be able to use it for massage, not electronically, but manually, and even with it. So this thing is maybe the length of his arm and I don't know, maybe six inches wide and he's gonna, you're gonna put this on me? Yes. All right, let's give this a try. Actually, just pretty much let them sit and rest like so wherever you're hurting. So this one goes over the shoulders here and then you can use the pressure points for a massage if you ever need to. Oh yeah, that's, I know, keep going, keep going. Don't stop while you're talking. I got you. And then even with the resting too, it's more of a moist heat, so it's gonna penetrate a lot deeper and faster into the muscles without burning you. Also, these are safe to sleep with, non-toxic and they can't burn your skin at all as well. And each time that you use it, it's hot for up to two hours or it can even be cold for an hour and a half. Wow, and how hot did you say it gets? I guess up to 130 degrees. That's crazy. You put it on all the way on my back before. 
We need to demonstrate that on my shoulders here. There you go. So this is another way that you can wear it where it gets both the neck and the shoulders and the little pressure points here. You can always use it for massage anywhere that you place it on your upper back. Oh man, he stopped. Oh, oh now it's, oh it's got that flap that's gone up my neck. Or you can even use it on the shoulder individually too. And anywhere that you place this on your body, you can use it for massage on the upper body. We have a lower body one too. All right, am I going to lay down on the ground for this one? What are we doing here? So this one's just for your back, but the back is very versatile. So it works well for any muscles or joints. You can use it for knees, hips, lower back, ankles, pretty much anywhere that you need to. And then, This is a lot better than trying to microwave something and have it go, I don't know if it's hot enough or what. Of course, of course. And then we even have this one for your feet. So for the feet, they have- Oh, it's a foot shape. How cute is that? They help with plantar fasciitis, diabetes, scalp, neuropathy, as well as even coda sorphy. So any general foot pains really. And then you can pretty much wear them like sandals. Oh yeah. So it's got a strap that goes up and around over the arch of your foot, over the top of your foot. So you can do either the top or some Velcro. So you can even use it on the bottom of your foot too as well. That is really cool. So I'm sold. I want all of these. Where would one go to buy Wonder Packs? Is that right? Yes. So you can pretty much buy them at any shows that we're at. Or you can buy them online individually. So online, they do retail pricing. So it's $150 a piece. But here we do bundles. So we sell them in a set where you can get a discount on the price overall. $150 for a set? Well, no, online, they're $150 a piece, no matter like- $150 a piece? Yes. So here we do show specials. So it's a lot different here. 
So for example, you can get the neck, the back, the feet here for just $240 instead. And then that's $119 a piece for the first two. And everything else after that is free. All right. Well, that's really interesting. Thank you very much. Is there a website people can go to? Yes. So you can go to wonderpax.com. Great. Thank you very much. All right. Next up, we have Sandy Foster. And I want you to listen to how pristine and perfect her audio is because of Hush. But actually listen to what she's talking about. That's more important. Hi, this is Sandy Foster with a short review. We all like to take photos with our iPhones. But I have on occasion been a bit nervous about leaning out somewhere to take a photo, maybe on a ship or somewhere like that. The most readily available method of holding onto a phone is a PopSocket. I've never been a fan of PopSockets, though, since they're more or less permanent, or if removed, not reusable. Even worse, they mess up Qi or MagSafe charging. However, I found a solution and couldn't be more pleased. It's called the Anker Magnetic Phone Grip. And it comes in several colors. I chose a very pretty lilac. The cool thing about it is that it's, as its name says, magnetic, gripping the MagSafe ring quite firmly while still being easy to remove for charging or when it simply isn't needed. The ring through which your finger goes also works as a handy prop when needed for video or similar. The description on the Anker site says that the Magnetic Phone Grip is for iPhone models 12 and 13. But I can't see why it wouldn't also work on the 14. The price is very reasonable too at around $16, though there's currently a 15% discount code available directly on the product page. Well, after Sandy made this recording for the show, she learned that PopSocket does now have a MagSafe version. But the Anker Magnetic Phone Grip is quite a bit different from a PopSocket. It has this lilac flat ring. 
You could get in other colors, but why would you? Anyway, this lilac flat ring connects to the magnets on the phone. And then instead of a little pop out thingy of a PopSocket, there's a steel ring that flips out from the center of that lilac ring. This means your finger is 100% captive to the phone grip and it would be incredibly difficult to drop it. I think this looks terrific and I asked for it for my birthday. Of course, in lilac. For $16, it sure looks like a useful accessory to me. Well, I hope you're enjoying all of the content created this week. You've got a Chit Chat Across the Pond Lite, Programming By Stealth and the NosillaCast. All of this is brought to you by our fine patrons of the Podfeet Podcasts. Whether they donate via Patreon or make a one-time donation using PayPal, they all make this happen. If you'd like to help make these shows happen yourself and help pay for things like Hush, even though it was totally Terry's fault, I still spent 50 bucks. If you wanna help make these shows happen and could spare a dollar or two, please go to podfeet.com and push one of the big buttons near the bottom to find out the best way for you to support the show. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. How dismal are things this week, Bart? They're grand, actually. There's not that much news. So I actually did two sort of deep-dive-y security medium-y sort of stories instead. Really? Oh, good! Which is fine. And I think, I was thinking actually, so last time we talked about, you know, why are there less stories than there used to be? And I think it's because most of our security is automatic now. We spent all of our time in the past telling people to manually go do things. Whereas now, if you take a computer and do everything by default and turn your back, it's updated. So why did the blogs have to keep telling you update your Firefox? I mean, how often was it update Firefox? That just happened. Oh, right. 
You open it and it's just always done its update. Exactly. And then with operating systems default to yes, I'll update automatically. So I think actually the answer is because security has been automated for muggles. And that's good. Yeah. Yeah, maybe it's still, if you're using an old device, throw it in the bin. Maybe you still get to say that one because it's not getting all these auto updates. That is true. Yeah, so I guess it's aging out. The problem is aging out. But I think that's honestly the reason there's so much less mundane stuff in the feed every week, because we're getting better at just having it happen automatically. So I think that's why we're left with fewer meaty stories, which I prefer. It's much more fun having these kind of shows. Yeah, so I get to have small, less nice things per episode instead of having my show notes full of little fiddly bits. So our first deep dive is, I should probably call this one a medium, to be honest. It was a story that could have gone as a bullet point in a story, but I scratched the surface of it and decided I wanted to go a little deeper. So Opera had a big media announcement to say that their VPN service is now available for free in their iOS app. It's like, well, that set off two alarm bells for me. One, free commercial company, VPN. Those words, they're not good together. So that means you follow the money. Secondly, VPN by toggling a button in the browser on iOS, which is completely locked down. That's not technically possible as far as I know. So how are they doing it? Or are they not actually doing what they say they're doing? What is it actually? What is it actually? And how is this fiscally saying that it can genuinely not be selling all of your data? Cause they do very explicitly say that they're running all of this stuff in those RAM-only VM style things like NordVPN and stuff do so that it really isn't logging and it really is properly private. So that was a bit, hmm. 
So I went a looking and I started reading the articles and I immediately recognized something. Every article was saying the same thing in very slightly different words because all they had done was copy and paste the bloody press release and tweak the wording so it's in the style of their publication. There was no actual meat in any of these stories which really made me very cranky. And I found myself saying, well, these people deserve being replaced by ChatGPT. If all you're doing is summarizing a press release, ChatGPT is better at it than you. I hate it when people do that when they're just getting juiced by linking to the other one, to some hard work somebody else did. Yeah, and in this case, it's actually worse because the press release is PR. So if I read a press release on Opera's page, my brain is switched to this is a PR person, I need to apply the appropriate filter. If I read the same sentence on, I don't know, not TidBITS cause they don't do this. What are the, what are the AppleInsider, MacRumors, whatever, if I'm reading the same verbiage but it's got a byline of some Mac guy and it's in the context of an Apple news site, I'm assuming that's informed opinion. But if all they've done is copy and paste the press release, what they've done is basically given that they've converted PR into unearned, yeah, unearned juice. So I wanted the answer to my two questions. And I actually had to go and do a bloody search for other articles from other sources to actually find the answer. And I'm happy to say I did find the answer to both questions. So TechCrunch gave me the answer to the question about following the money. So I'll just quote from the TechCrunch article. The company is able to offer free tools to end users because it generates revenue through other channels including search and ad revenues as well as technology licensing fees. It's projecting 370 million to 390 million in revenues for 2023 from its current sources of revenue. 
So that's how they can afford to basically spice up their numbers by having a free add on to their browser because it's actually hard to get people to do a non-standard browser. So basically this is giving this out for free is like a marketing feature to get people using their product which they then monetize in other ways. So okay, I'll buy it, I'll buy it. TechCrunch actually took a little further. So they actually went into the whole fact that Opera was actually bought by a Chinese company a few years ago. And so the question is if TikTok is a problem. Yeah, so they've actually rejiggered their financing because everyone was suddenly so suspicious of China. So there is still Chinese shareholders but they don't have a majority share anymore and the company is in Oslo and it is GDPR compliant. So I think actually that issue has been resolved by changing their management structure again. They basically bought back a bunch of shares but it was nice of TechCrunch to go into that stuff. And given TechCrunch's origin as basically all about tech startups and stuff I guess it's not surprising they had the money angle covered. They didn't have anything of use for me on the technical angle though. So I had to do more Googling. It wasn't Googling, it was DuckDuckGo-ing but that's a terrible verb. So I eventually ended up on techweez.com and they actually dug into it and actually did their homework and no it's not a VPN. Like at a technological level this is not a VPN. It does not use the VPN protocols. In tech jargon VPN has a specific meaning. It's a virtual private network. It is a virtual network adapter at the operating system level that encrypts all the packets sent through that pretend network interface. It shows up in your routing table. It has a meaning. In PR speak, if you just pretend they're English words and have no actual meaning you can spin anything you like into a VPN and that's what they're doing here. All they're doing is creating a... 
That quote needs to be pulled out. If you want to pretend these words have no meaning you can put them in a different order and mean something completely different. That's what they're doing here. It's like well in English these words don't have a specific meaning so we just ignore the technical meaning for this technical thing we're selling and use these PR words instead. So what they're actually doing is they're creating a TLS, which is basically the same protocol that runs HTTPS, connection from the browser to their servers and all of your browser stuff is going through that connection. So does nothing happen at the operating system? That isn't a bad thing. That's an interesting possibly good thing but you should call it what it is. Correct. And they're saying that they're better than Apple because they're giving a VPN which makes me really cranky because I'm sorry what Apple are doing with their same browsing thing. Yeah, their Private Relay. Thank you. That's the buzzword I was looking for is the same functionality delivered in a more anonymous way. So what Apple is doing is better. They're just calling it a VPN. It is not a VPN. It is not using Tailscale. It is not using WireGuard. It is not using any VPN protocol. It is not a VPN. Not using a VPN protocol. So it's not about service, right? It's actually taking all of the browser traffic but when you call it a VPN you're giving people this feeling that if I use this thing I can safely send email. I can safely do all sorts of stuff and it's protected by a VPN. No it isn't. It's just what you do in Opera. Does it protect your location or anything like that? No, it does from what you do in Opera. Right, but if I'm doing something in a game exactly, yes. No effect whatsoever. Precisely, because it's not at the operating system level. It's within the browser. That makes me really dislike Opera right now. Yeah, my basic conclusion is yeah, not going there, not recommending these guys. 
I was already pretty suspicious of the idea of a for profit browser company in this day and age. To be honest, I don't think there's a business model there unless you're being icky. So yeah, I'm just cranky. Anyway, I dug deep, I found the answers. Follow the money, it was tech, Techweez. Maybe we got to start paying attention. It's T-E-C-H-W-E-E-Z. Yeah, yeah. So that's my first semi deep dive. I guess we call it a medium on reflection. And then I take requests apparently. So you sent me a Telegram message about a week and a half ago, I think it was. It was not this week, but it was after we last recorded saying there's this new thing from Apple called Rapid Security Response. Can we talk about that, please? Like, okay, your wish is my command. So, good. Last summer, Apple announced this thing we're going to talk about now, Rapid Security Response in WWDC. But it was one of those features with an asterisk that says, coming later. So when they launched iOS 13 and iOS, sorry, macOS 13 and iOS 16, it wasn't there yet, but it was on the way later. And I sort of, I don't like to talk about things on this segment with you that aren't real. I intentionally keep my powder dry until it's actually available. And so I have been, this has been in the back of my mind for ages since last summer. And when this finally rolls out, I want to talk about it. And I never did because I didn't think it had rolled out. But it has. So I went and did a bit of digging. It rolled out with macOS 13.2 and iOS 16.2 in January. But I went through the news archives. No one mentioned it because that was the release that brought us advanced protection for iCloud. So everyone talked about advanced. Which one is advanced protection? That's the one that you only use if you're possibly targeted? Certainly what I would say is we have true end-to-end encryption where Apple can't get you back in if you forget your stuff. Okay. But some people return numbers. 
Recommended for the normal people, right? We absolutely did not recommend it for normal people because it's a feature, not a bug that if a normal person messes up, Apple can help. Right, okay. But that got all the headlines because that was a big deal. And it was also with the hardware tokens were able to be used as a second factor authentication which is useful for everyone who has a hardware token. By the way, that's not one for only special people. It's only for people who have hardware tokens. So that was way more newsworthy than this small little feature. And therefore I checked. It just wasn't mentioned in the news. So it's okay. And I never noticed. I wasn't alone in not noticing. Most of the internet didn't notice. So it's actually been live since January. So what is it? Well, the way- Let's say the naming and rapid security response. Which is a very good name. Which is a very good name because it actually does do what it says on the tin. So before I can say why this is better, let's have a look at how things were in December of 2022. And in all versions of iOS and macOS before 13 and 16, by the way, because Apple are not backporting this, right? This is only for people who stay current. If you're continuing to take security updates on iOS 15, you're secure, but you're not getting new shiny. You're only getting to keep what you had before. So the way Apple have handled their updates is that each update contains three distinct things. New features, possibly. Bug fixes in terms of functionality problems. And security fixes. So those three get lumped together into iOS 16.1, iOS 16.1.1. They're all mushed together. And you notice this all the time that I will tell you there's a new version of iOS out and you will tell me what, my phone hasn't updated yet. And we now know why that is because Craig is a Craig. I think it was Craig who actually said it on the talk show with John Gruber. 
You know the way they do an interview every year at WWDC, he actually explained it to John and therefore the entire audience. They intentionally only actively push it on the first day to a very small, I think he said 1% of users. And they wait to see if the internet explodes with people shouting at them. And then over the next month, they throttle up. So after a week, a whole bunch more people get it. And then after two weeks, a whole bunch more. But it takes a month until everyone gets it. But if you- I don't think they did a slow roll, but I didn't know it was that slow. That's for a month. That explains it, okay. Now he did also say that if you open the Settings app and go to Software Update, that jumps you to the top of the queue and you will just get it immediately. So everyone who looks, it's always ready. But if you don't look, it could be up to a month until you get it, which is fine for new features. Okay for bug fixes, not okay for security. Right? Sorry. The fact that they're automatic is good, better than it was two or three years ago, but yeah, no good fix. And Apple knows how good fix, which is why there's a new feature. So what they're now doing is security fixes are being pulled out of those regular, okay, there may still be some security stuff that isn't critical in the regular stuff, but the awooga, awooga, there's active exploits. This is a really big problem. The serious security stuff is now being separated out into a separate process. And that process has a daily check with immediate rollout. So there's no waiting, there's no queuing. It's just, it's rapid, right? Rapid security response. So your machine checks in every day and it will take what it's given straight away. And everyone's offered it straight away. Has it happened since January? I don't believe so. I don't believe so. Okay. But we might see one day where it's like, hey, I don't remember asking for that or doing anything manually. 
You wouldn't even notice it because what they're doing is, so they're individual security fixes being packaged as a single, it's like it does one thing and does it well. So because they're small and targeted, they're much, much less likely to need a reboot. They're also- But would they change the OS level? Yes. A little bracket and a letter will appear after the number. Oh, okay. That's good. So letters never existed before. Yeah. Letters never existed before. It was always number dot number dot number. Well, now if you see bracket letter, then you have a rapid response. We got everybody pay attention looking for it now. Yeah. And that's on iOS and macOS. Yes. They basically, I think the operating systems share a brain now. So I think for these kind of things, we can expect them to always come in sync with each other. So because these are focused on security and they're fixing a specific problem, they're tiny. Like they're not hundreds of megabytes because generally speaking, a security problem is an if statement with the wrong value or something, right? It's generally speaking teeny, weeny, tiny. It just has a big effect. So these are tiny little updates so they don't need to wait for you to be on good internet. They're only, they're surgical strikes. They're not carpet bombing. So they're much, much, much less likely to need a reboot. They're not promising never to make you reboot, but they're telling you they're going to go out of their way to avoid it. Are they, if you don't have automatic updates on, do you still get these? So that depends. Okay, the default is yes, you do, but they are a separate checkbox. So you know the way when you go into automatic updates, it's expandable. Even now, it's already been expandable where you can have different options like download only and all those kind of things. Well, if you go to the show me more detail of the software updates, there should be a new checkbox in there for rapid security response. Let's see. Oh, okay. 
So I see check for updates. I see download new updates when available. Unchecked, I have install macOS updates. Unchecked, I have install application updates from the App Store, but checked automatically without me having noticed is install security responses and system files. Yeah. So don't uncheck that. Don't uncheck that precisely, precisely. And so that gives Apple a fast track way of pushing the stuff straight away without changing their process for the giant big updates. And also these are all reversible. So if you have one installed, there's an interface right there to pull out the specific take away the B or take away the A or whatever. So they can be backed out quickly as well. Should it ever be needed? But because they're small surgical strikes, the probability of them doing something bad is way lower because you're not changing thousands of lines of code. You're changing like five or six lines of code because there's a specific bug to be fixed. So this is just the right way to do it. So I do see letters. I do see characters, I should say, after the version number it says macOS for Ventura 13.3.1, parentheses 22 E261. Close parentheses. I think E261 is a build. I don't think that is. I wonder what it looks like. I wonder what it looks like. It's parentheses. I haven't seen it. I'm only going by what was in the article linked in the show notes. So I'm sort of regurgitating other people's work because I don't believe Apple have actually pushed one yet. So I geek blog, have a nice explainer which is linked in the show notes. So that's what it is. That's what it does. And it's a really good idea. I'm glad I brilliantly asked for that. I'm laughing because Bart said he was going to talk about it today and I said, really? I asked for that? My memory is just, I can tell you that like the middle name of somebody I knew in high school and I can't tell you what I talked about last week. 
I also thought it was hilarious that your entire chit chat across the pond was about a blog post you hadn't heard of that I told you about that you said at the time. Oh, I must read that. That sounds important for me. I laugh. If I, I could probably count on one hand the number of things I remember to go back and read after we talk about them. But. It was a great chit chat across the pond. Not with the ill intention. Absolutely. Yeah. It was a great episode and I'm delighted that you had Adam on because he did a way better job explaining it than me saying, go read this post. Like it was a really good discussion. Yeah. Read the post. It is really good, but you have to read the post. It's not spoon fed to you. Like having Adam on to tell you about it. Precisely. And it's much easier to do that while cycling than reading a blog post while cycling. I haven't tried the former or the latter but I don't plan to. Right. So with that out of the way, let us jump into our action alerts. Awooga, awooga. So Apple have released a bunch and they didn't use these through rapid response actually, which is a bit weird. They released iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1. I don't know why they went with that route because these were actually nasty zero day fixes and they rolled out one week after 10.16.4. So I'm not entirely convinced. Wait, 10.3. Sorry, 16.4 and 13.3. So they just did point releases like literally just a week or two ago. And now the point one is almost immediately out and it's because there were some zero days and they haven't been very explicit about it but the credited people are the, oh, those Canadian crowd who discovered Pegasus, Citizen Lab. Oh. And they involve kernel level zero days which could be used to install spyware. And they came from Citizen Lab. And Apple said they were being exploited in the wild. So I think there was another case of someone discovered some spyware being used in a very targeted fashion. 
Did this one roll backwards to older machines or older OSs? They did. So maybe that's why it didn't end up in rapid response. That's a very good point. Because they did within, so on the Friday we got the update for iPadOS 16 and macOS 13 and by Monday we had the updates for iOS 15 and Monterey. And I think it was by Wednesday we got the HomePod and tvOS. So there was, I think there was a two day gap between the three rounds of it but very quickly all three rounds rolled out. Okay. And there's also Safari 16.4.1 for the really old operating systems. So they really went full court press on this one. So good. And I normally put security patch Tuesday first because normally that's the biggest security news but to be honest, Apple's one is bigger. So patchy, patchy, patch, patch. And now just to say it was patch Tuesday. Microsoft also fixed some zero days but to be honest, they're not in the kind of things most people have turned on for regular home users. Like we don't use Microsoft's DHCP server. That's what our router does. We definitely don't use the enterprise message management queue that's an optional extra on Windows Server that isn't even turned on by default. We don't do that at home. So those two zero days are not scary to us and home users tend not to be the world's biggest users of Apple or of Microsoft's corporate disk encryption features. So the fact that there was a bypass for some of the secure boot stuff isn't an issue for home users either. So patchy, patchy, patch, patch but this is not hair on fire stuff whereas Apple's one seems really serious. So patchy, patchy, patch, patch. Now, worthy warnings. This is not a happy section of the show ever but this one seems, I don't know, seems a little bit worse this week. So the first thing we have is a story from TechCrunch telling us that those Twitter circle tweets. 
So remember Twitter, we're like, oh, if you're over sharing too much and you don't wanna get shared as much online we have this way of you sending a tweet to only a few trusted people. It's like a DM but it's a little bit broader, you know, a nice and private way to have a conversation with just your friends. Yeah, it turns out they broke the security on that so they're actually public tweets by mistake. So, be careful. Always or somebody can hack into it. If you know, it won't show up in your timeline it won't be pushed at people but they're available which means that if someone discovers one and wants to make your life miserable they can share the link that will work and bypass the restrictions. So here's, can I give you some comedy in here? Oh, go for it. I think it's circle tweets, I believe you can be invited to circle tweets where you have to pay to be in the circle and Elon Musk is charging $4 a person to get people to listen to him in these, actually no, it was Spaces, that's what it was. Spaces, yes. So where he's gonna talk, $4 a month. The richest man in the world is charging $4 a person for people to listen to him. But he's very keen that Twitter's cash flow is about to go positive. He said so, I heard him say it and don't believe a word of it but anyway. So my advice is if you're typing it into Twitter whether it's a DM or whether it's a circle assume it's a public tweet because if it isn't, it probably will be. There's somebody there to fix it, so. Exactly, so I just treat Twitter as dangerous, all of it. Okay. No privacy. Next up, this actually is so bad that the US Cybersecurity and Infrastructure Security Agency, CISA actually issued a notice warning people. There is a company called Nexx, NEXX, who make, to describe as an IoT vendor but they make garage door openers and home alarm systems. Their security is catastrophically flawed. 
You can send replay attacks, if you capture the packet that says open the garage door you can just replay it and the garage door will open again. They are using the IDs of things as a security token which is absolutely not the right thing to do. Just like saying, if you know the MAC address that you purely do whatever you tell it, so you can basically, if you know the ID of someone's garage, you can just make it open. That's utterly insecure. And there was something else they were doing that was catastrophically bad. Basically if you have a Nexx product, assume that anyone can open your garage door because frankly anyone can open your garage door, disconnect it, buy something else would be my advice. Wow. Wow. Here we go. Toss it in the bin. Toss it in the bin. Yeah. Which is a bit difficult for a garage door opener unless you have a very big bin. But yes, that is my advice here. And like I say, even CISA went as far as to issue a notice on it. This is not good. Similar category. I actually almost deleted this from the show notes because you don't like, you don't let me do bad news, but then I realized that actually there is something listeners need to do if they felt, if they were affected by this. So there is an officially sanctioned way of filing your taxes online in the United States called e-file over at e-file.com and they're fully accredited from the IRS. They were serving up Windows malware for weeks in the lead up to tax day. So if you're a Windows user who uses e-file, get yourself an up-to-date virus scanner and do a full scan of your machine because while it was the kind of malware that is a Trojan rather than a run automatically, if you click the wrong button or if you're not sure if one of your family members may or may not have clicked the wrong button, basically if you're an e-file user, just check will you? Because they were actually serving actual malware on this official site sanctioned by the government. Bad, bad, bad, bad. That's terrible. 
I'm afraid to ask my Windows friends, I'm going to put my head in the sand. That's fine. We've said it on the show. Yeah. Now, if you're a gamer, there is a very good chance you use products from MSI because they make really good motherboards and things. If you're the kind of build your own PC person, MSI motherboards are king of the heap. I know this because there's one just a few meters that way. Not mine. They have had a breach. They haven't really been all that clear about exactly what was taken. The bad guys say they have the private keys, which means if the bad guys are telling the truth, MSI have not said one way or another whether or not they've lost their private keys, possibly because they don't want to make a definitive statement until they have the facts. They're probably investigating. But right now, the baddies say we have your private key and the goodies are saying nothing. Private keys to what? Private keys are used to sign things. Drivers have to be digitally signed these days. Drivers. There we go. I'm picturing a piece of hardware and trying to figure out where the private key is. I've got a motherboard. It's the drivers. The big thing gamers want to do is get the most performance out of their hardware. They're very picky on their hardware and they're very, very picky on their drivers because the drivers make the same hardware go better. It's very, very common for gamers to be getting all sorts of firmware updates and everything. They very, very quickly install them and normally digital signatures would have your back. So it doesn't matter where you download the driver, if it's digitally signed, that should be fine. So you can get it on a gaming forum and if it's signed by MSI, it's fine. Well, MSI have probably lost their private key. So that means you cannot trust an MSI driver that you yourself did not get from MSI's own website. That is... Oh, if you got it from MSI's website, you're okay? Yes. Because MSI... 
They've explicitly said that they are in control of the website, the stuff on the website is known good. So that is the one thing MSI have said. We have been hacked, we are investigating, do not get drivers anywhere but here. Which implies to me they know they've lost their private key but they're not quite prepared to own up to it just yet. But the attackers say they have the private key. Let's say you have MSI motherboard and you downloaded the driver for the graphics card that's on it or whatever and you got it from a gaming website. And you now go to MSI and download the new one and you're okay? Yes. Is that how that works? Okay. Is that how it works? You definitely want to do that. Then it sort of depends on your risk profile because the danger with a low-level driver is a rootkit. Which means it gets... And if it already did it? Yes. Yes, that's it exactly right. If it gets in first, can you really be sure you've cleaned up? Yeah. So if you're just a home user, it's probably fine. But if I were the tech guy for my CEO, whose laptop had had a driver installed of dubious origin, I would be doing a wipe and install on the CEO's laptop because that's a high-risk person. If I were a journalist, if I were the techy person in the New York Times, I know what I would be doing, wiping all the MSI drivers. But the chances of your typical New York Times journalist going around installing firmware from goodness knows where is very slim, right? If they're going to get their firmware from software update or whatever, so it's fine. But yes, that is a thing to know. Okay, so there's something to do about it probably. Correct. Under any condition, you should do it. Yes, exactly. And just basically, if you're an MSI person, be very careful not to just grab stuff from a forum anymore. That's not safe anymore. Those keys have probably leaked. And in a similar, please hold, news story, Western Digital have said we have been compromised. We don't know how bad it is yet. 
We have turned off our cloud services as a precaution until we figure out what happened. So basically, we don't know if customer data is safe. So if you're a Western Digital customer who uses what they call My Cloud, your service is currently broken. It's not because something's wrong with your stuff. We've turned it off and you need to watch Western Digital's website for updates. They will, I'm sure they will communicate when they're ready to. They explicitly said, we are investigating, please stand by. So this is a flag for me saying if this affects you, stand by. This may or may not make the news again. So I may or may not tell you again. I'm telling you now, if this affects you, it's your, over to you. You go pay attention. Right, right. I have no flag yet. Can I read you a security announcement that it's not in the notice here, because there's an email that came to me that I think was probably the best written, holy crap, we just got hacked email I've ever seen. It was from Affinity who make Affinity Photo. It's from Sarah, actually. But the Affinity team, it says, unfortunately, we have become aware of the personal data relating to users of the Affinity forums may have been accessed from outside the company following a cyber attack on 6 April. It appears that an administrator's account was compromised, allowing access to our forums members list. What data was accessed? The data which may have been accessed is what's on your public forum profile, username, post count, reputation, joining data, et cetera. But it additionally includes your, and in bold, email address and last used IP address, which would ordinarily be private. Thankfully, we can be sure it would not have been possible to access your forum account password. So that has, bold, definitely not been compromised in this breach. I mean, I don't think you've ever seen anything more clear than that. Good. Yeah. Here's what happened. Here's when it happened. Here's what got lost. Here's what didn't get lost. 
That's what it goes on. But it was just like, yeah, that's what you want. There was no PR person watering that down. That is just. Or a really good one, did it? Or a really good one, actually doing their job. Jason Snell said in talking about PR from Apple, he said, the thing you need to remember is that a PR person's job is to sell more of the product. Yes. And I thought that was really interesting. If you look at it that way, this would sell more of the product being, even though their first instinct might be to hide it and sweep it under the rug, it doesn't sell more product, see LastPass. Yeah. I think that comment was actually in the context that comment was very good as well because a lot of people didn't like Katie Cotton, who unfortunately recently passed away, but she was a long time Apple PR person. And a lot of journalists didn't like her because she wasn't on their side. But that wasn't her job. Her job. It was so insightful hearing him talk about that, wasn't it? Yes. Because he saw that. He said, I was terrified of her. But this was her job was to sell more Apple products. But every PR person's job actually is that. Yeah, it's to have the best interest of their company and to put their company's best foot forward. Right. So you know that they're not on your side as a journalist, and they shouldn't be. You're supposed to be in an adversarial relationship, right? That's your job. Well, and it gets back to how people are always complaining about, oh, I got blacklisted by Apple. I'll never get invited again because I said something mean. Well, yeah. Maybe you deserved it. Well, no, not deserved. Just it is in my company's best interest to not let you have access if you're going to talk poorly about us. Yeah, you don't have a right to it, right? It's not that you're being entitled to it. Anyway, right. Notable news then. Just two stories, nothing to... Well, OK, I won't say that, but the first one. So this new story here is from Citizen Lab. 
And they have released their findings, highlighting the fact that the NSO Group were not a one-of-a-kind group. There is another grey hat security company in Israel selling a software that is a lot like Pegasus. This case is called Regan or Reagan. And the company is... I think that's Reign. Reign. That's how that's pronounced. R-E-I-G-N. Reign by QuaDream or Q-U-A-D-R-E-A-M. OK. Oh, good. Yeah, there is more of this than just the NSO Group. So it is actually a thing to be aware of. And Apple are doing a lot. That is why Apple are putting so much effort into stuff like the advanced protection for iCloud and stuff. It's because they're going against these kind of things. So I guess just don't think the problem is solved because the NSO Group is basically going bust. And then the last thing is you may have noticed this, but I certainly noticed that all of a sudden, my newsfeed was full of warnings about juice-jacking. Just out of the blue. And juice-jacking is again. I was getting there. So juice-jacking is where if you plug a USB-style lead from your phone into a plug that isn't yours, there could be all sorts of malware lurking in that plug. It is really dangerous to plug your device into someone else's socket. Just don't do that. And it's called juice-jacking when you hack someone's phone that way because you're juicing up your phone, but actually you're getting it hacked. So it's getting hijacked by juicing it up. And I was afraid that it is true that the US government put out a PSA warning people against juice-jacking. And my fear was, oh my God, something has happened. That's why they're pimping the juice-jacking, but no. They just have a thing where every two years they just revamp their PSAs because they're going stale. So they just revamped their PSA. And for some reason that no one could understand, all the media sites suddenly went, oh great, let's talk about that. And it just went viral across the internet. 
And everyone, I think, was assuming there was a reason for it, but it was just some PR person who had, oh, it's been two years, copy, paste. Well, that's good though. It is good. It's a reminder. I started looking at those and going, oh man, I'd really kind of, oh yeah, that's right. That's a bad idea. Thank you to Joe McKinley for posting this first in a, the first time I saw it was in our Slack and at podfeet.com slash slack. 'Cause that's how I saw that it had been updated or that it was in there again. I kind of assumed it was the same thing, but she said I've heard this for years, but a good reminder, so it was in the right context. But it is a good reminder to go, no, no, no, it didn't get safer. Just 'cause time passed, it's the exact same thing. Probably not better than it was, but that's good. Yeah, you know, Schneier's second law, attacks only get better. If it used to be dangerous, it's dangerouser now. That's not going to get less dangerous. Right, anyway, that brings us on to some palate cleansing. I only have one and it may not be your cup of tea, Allison, but I thought this was fascinating. So mathematicians spend their leisure time nerding out with the same level of geekery as you and I do on the terminal and playing around with stuff, but they do it on different things because they're mathematicians. And one of the things they're fascinated by is what's called tiling, which is literally covering a surface with a shape. And the aim has been to find a so-called Einstein tiling, which is a one stone. So Einstein is a pun on one stone, not a, it's only a joke that it rhymes with. It has nothing to do with Albert. It's a joke that it is Albert. Einstein means one stone. Oh, okay. It does actually, right? And so what they wanted to do is, is it possible to find one shape that you can use to cover the plane. So in other words, the entire universe, so it never repeats. In other words, a tile like pi. So pi never repeats itself, but it goes on forever. 
What does it, what isn't going to repeat in this? You're repeating the tile on the floor. Right, but the pattern the tile makes will never repeat. So you can cover your floor with this tile. A fractal or the opposite of a fractal almost. Yeah. So if you have like even the fanciest tiling seems like I have my kitchen tiles I chose because they're really cool because they come in four different shapes and the pattern they make is really complicated. And it only repeats itself once in the entire size of my kitchen because it's a really complicated pattern, but it does repeat itself eventually. An Einstein tiling uses one shape and to infinity will not repeat itself. And they finally found it and someone made a cookie cutter. So you can bake a shape that you can make an infinite tiling with. It's, I mean, it's a weird shape, but it's not, you know. Oh, they named it too. Yeah. See if I can see it. Triskaidecagon. Yes. Triskaidecagon? It is a triskaidecahedron because that's how many times it has. No, it doesn't say hedron. I think hedron is the three of them. Oh, -agon, sorry, no, sorry. -agon. So a 13-sided figure that's just, so there are other... 13-sided figures. Triskaidecagons, but that aren't the hat. This one's called, the hat, that's easier to describe. Yeah. And so there it is, that shape. And so it answers the question of, can you tile the plane with one shape and have it never repeat? So this basically is like hardware pi. Like pi doesn't repeat, this shape will not repeat. Einstein was cool. You had me at mathematician. Why did you think this wouldn't blow my dress up? This is exactly what I love. No, you don't like arithmetic. No, no, I don't like arithmetic. Please do not say I don't like math. No, I just corrected myself. I got there one millisecond before you. 
Oh, by the way, since I've been talking endlessly for the last coming up on 18 years about the fact that I can't do arithmetic, Helma sent me a little game for my phone to practice my arithmetic. And it's not helping, but it's adorable. It's called Duolingo Math. And it's just got these little problems where it's like here, do these fractions and stuff like that. But I still, the other day I needed to subtract 1987 from 2023 and I simply just sat there with no idea how to do it. I mean, I could sit there and go, okay, 83, let's see, plus a seven would give me to 90 plus 10, 17. Okay, 17 gets me to year two. I mean, that's how I have to do it. Can't see it, can't feel it, can't breathe it. It isn't in my head. But I'm having fun playing Duolingo Math. I played at lunchtime every day. What an interesting idea to take their learnings from teaching language and flip it to teaching arithmetic. Yeah, well, maybe it'll get hard enough. I'm still up only to like the sixes. So it's the eights that always throw me. Those are always tough. But anyway, I thought it was funny that she sent me that and I'm doing it. Well, this is very cool. That is, that's a fabulous palate cleanser. I love it. Excellent, excellent, then my job is done. And with that, I will remind everyone that they should stay patched so they stay secure. Well, that is going to wind us up for this week. Did you know you can email me anytime you like at Allison at podfeet.com and I will probably answer you. If you have a question or a suggestion, just send it on over. You can follow me on Mastodon at podfeet at chaos.social. And remember, everything good starts with podfeet.com. If you wanna join in the conversation, I highly recommend joining our Slack community at podfeet.com slash slack, where you can talk to me and all of the other lovely NosillaCastaways. Even Bart is known to dip in and out with conversations here and there. 
You can support the show and help pay for Hush if you go to podfeet.com slash Patreon or do a one-time donation at podfeet.com slash PayPal. And if you wanna join in the fun of the live show like Michael King did after having been gone for a long time, simply head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time. Enjoy the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.