Hi, this is Allison Sheridan of the NosillaCast Podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Friday, January 5th, 2024, and this is show number 974. You're getting the show a few days early this week because Steve and I are off to CES this weekend to learn about as much cool new tech as we can possibly absorb. You can look forward to both video and audio interviews coming out of the show thanks to the work Steve will be doing in the coming weeks. We always have a blast at CES and it's been a full four years since we've been able to go, so we're pretty darn excited. Last August, I told you about an automated pet feeder from a company called Petlibro. My goal was to have my two cats, Ada Lovelace and Grace Hopper, get regularly scheduled feedings when we're away from home, but not have the near-infinite supply of food from the plain old gravity feeder that we've been using for years. You see, Grace will regulate her own food, but Ada seems to balloon up when we go away, even for just a few days, with that gravity feeder. While we do have a pet sitter who comes in daily to change the water and remove their waste, controlling Ada's weight had to become a priority. I explained in that review that the Petlibro automated pet feeder allowed us to now have scheduled feedings of known portion size. Over the last four months or so, we've come to really like the fact that our cats are fed on a schedule even when we are home. The seamless operation made us stop even thinking about feeding the cats, which turned out to be a problem. A few weeks after I wrote the initial review of the PLAF203 Granary pet feeder from Petlibro, we went on a trip to a cabin in the High Sierra mountains with our friends Bill and Diane. Before we left, we knew our internet connection on the trip would be dicey, but we didn't realize it would be completely non-existent during the trip. We managed to survive this by hiking, playing cards, and eating.
On our last full day, we decided to drive over to the Mammoth Lakes ski area to take Diane and Bill up the gondola to the top of the mountain so they could see the spectacular 360-degree view of the Sierras. It's a bit more populated there, so when we got into the Mammoth area, we had cellular service. We immediately began ignoring each other like normal people and played on our phones. While we were up in the area, we took the opportunity to take the tram down to Devils Postpile. Since I was obviously bored on the bus ride, it occurred to me to bring up the Petlibro Lite app to check in on the kittens. From the app, I can watch the cats on video, I can talk to them, and I can look at the logs to check on their feeding status. Imagine my horror when I saw that for more than a day, the logs said that the feeder had been out of food. Now, the Petlibro pet feeder had been doing its job so efficiently and without effort on our part that we entirely forgot about checking the level of the food before we left. We didn't tell our cats or even look at the feeder to see if the red light was on the front, which would have indicated some sort of problem like a jammed chute or being out of food. On the tram, we only had little dribs and drabs of internet, but I was able to finally squeeze out a quick text message to our cat sitter, and he raced over and fed the poor things. While Ada could stand to miss a meal or two, Grace is fairly svelte, so I felt terrible for her. While we as pet parents clearly fell down on the job, the Petlibro software fell down on the job as well. I get notifications constantly when the cats, or anyone really, walk in front of the feeder, or if sound is detected. I get notifications when they're fed. I can control when I get these notifications and which ones I receive. But I never got a notification when the feeder was completely out of food, even all during the day when we were in Mammoth Lakes. I kind of put this in the "you had one job" category.
It really should have done this. I began what became an extended discussion with a support person at Petlibro named Orne. It's taken a fair bit of time to get to the bottom of the problem, but Orne stuck with me, and of the two of us, he was actually much better at closing the loop in our conversations. I was the procrastinator in the conversation. Orne and the team behind him gave me all kinds of suggestions, including uninstalling the app on our phones and such, and while it seemed improbable that this would help the situation, in my tests it did seem to solve the problem. But then it happened again under controlled testing. I was able to leave the feeder without enough food, and I didn't get a notification, even though the log files clearly knew that it was out of food. I was finally able to articulate to Orne exactly what the problem was in the app. The Petlibro Lite app that controls the feeder sends out notifications based on what are called bulletins. Bulletins notify you that scheduled tasks are completed. Log files, on the other hand, contain information about the success or, more importantly, failure of the portions of food to be delivered. But log file information is never sent via notification. So I think the bulletins are actually saying the mechanism successfully turned, but it doesn't know whether there was food or not. That information is over in the log file, which is never sent via notification. I sent two screenshots to Orne. The first was of the bulletins and the second was of the log file over the same period. While the bulletin page happily announced that the scheduled tasks had been completed, the log file showed that the feeder was out of food. I think the bulletin page, like I said, is just reporting the signal to churn the mechanism, nothing about whether the food was actually dispensed. I was quite strong in my opinion to Orne that the notification system simply had to be improved.
Orne explained to me that the software I was using, as I've mentioned, Petlibro Lite, was written by a third party and that Petlibro had very little ability to modify it for customers with, and I'm quoting here, "specialized needs" such as myself. Personally, I think getting a notification when your pets aren't fed is kind of a mainstream need, not a specialized need, but I didn't quibble with him because I liked his solution to my problem. Way back when I got the original feeder, I explained to you that one of the weird things about it was I had to look up the serial number, which is annoyingly underneath and inside the battery compartment, in order to know whether to download the full Petlibro app or the Petlibro Lite app. My serial number required the Lite version. At the time, though, I didn't know the difference between the two apps. It turns out that the non-Lite version of the Petlibro app is one that Petlibro does control, and Orne suggested it would better meet my needs. Now, Orne's solution included sending me a new PLAF203 Granary feeder exactly like the one I had, but from the new serial number range, allowing me to use the new and improved software. Orne sent me the new feeder back in the middle of December, but I only had the time to set it up now that the holidays are behind us. Spoiler: this new software rocks. It's very similar in layout to the Lite software, but it's so much better. Since the hardware is identical to the original one, I'm not going to go through how to physically put the feeder together, but I do want to tell you about the installation from a software perspective. I attached the double bowls to the bottom of the canister for the food, and I plugged in the USB-C adapter that has a really nice braided USB-C cable on it. I may actually steal that cable and use it for something else and put a plain one there. Anyway, I downloaded and launched the full-size Petlibro app and I plugged in the hardware.
The app asked if I wanted to add a new device. Why yes, thank you, I believe I do. It immediately found the new feeder connected to my Wi-Fi, and guess what it did next? You didn't hear me say I'd put food in the canister, did you? So as soon as it was connected, I got a notification that it was out of food. Happy days are here again! Now I have confidence that this is the device I need. I like so many things better in the new app than the Lite version. In the Lite app, we had to tell the feeder how many portions to feed the cats, and nope, they don't tell you how big a portion is. We had to push the manual feed button, pour it into a cup, and then compare that to what we'd been giving them before. The big-girl version of the app lets you define it in twelfths of a cup, or you can use units of ounces, grams, or even milliliters. I'm not sure why they use one-twelfth of a cup, but it's pretty easy math to figure out that a quarter of a cup is three-twelfths, and a third of a cup is four-twelfths, so I'm not complaining. Both feeders let you create a recording that can play multiple times when it's feeding time, and as a joke, I made mine a pig call. And it goes like this: Suwee, pig, pig, pig, pig! I have to tell you, this makes Steve laugh every single time the cats get fed. It is worth it for that, but it does make them come running. Now, I like it even better in the new version of the app. You can name the scheduled feedings, so it's easy to name them, say, breakfast, lunch, and dinner. The new app let me name the feeder, and I knew immediately what I wanted to name it. I simply had to name the new feeder Pig Slop. Now, that makes us laugh, too, when we open the app. Now, speaking of feeding time messages, you can create multiple recordings, where the Lite app only allowed one. On the scheduling page, you can even control whether the meal call is played on a meal-by-meal basis.
Maybe you have a feeding scheduled during your nap time and you don't want to be disturbed, so you could disable the pig call during that feeding. You can also change how many times it plays by meal. At this point, Steve and I were pretty excited about the improvements. He downloaded the full Petlibro app to his phone and logged in with my account, just as he'd done with the Lite app. To my annoyance, I saw that the app on my phone logged me out. I logged back in and it bumped him off. Well, I was afraid for a minute that was going to be a non-starter, because we both need to be able to manage the feeder. I started poking around in the settings and found a lot more cool stuff, including the ability to share my feeder. He created his own account, which is much better anyway, and he was able to log in, and we can both manage the little piggies now. I mentioned that the Petlibro feeders plug into power via a USB-C charger. But what happens to the little darlings if you have a power outage? Petlibro anticipated this problem. You can insert three C-cell batteries into the base of the unit for just such an emergency. With the original feeder, we tested the batteries by unplugging the feeder from power, and not only did the feeder entirely stop working, the darn thing lost all of our scheduled feedings. I worked with Orne on that ages ago, and their engineering department was convinced my Wi-Fi signal was too weak, even though the feeder is 10 feet and kind of line-of-sight to an Eero mesh router. If there's a power outage, it would seem that the feeder would need to have the schedule stored locally, not dependent on Wi-Fi at all. I argued a bit with Orne and his engineers without success. I didn't keep fussing around with the batteries again, though, because we have a whole-home battery backup anyway, but it concerned me for others considering this pet feeder. With this new unit, I put in the same three C-cell batteries and unplugged the feeder from the wall.
I immediately got a notification on my phone that it had lost power. Then I got one that said it would soon be disconnected from Wi-Fi to save power. The Wi-Fi light on the front of the unit turned off, and so did the lock light. Normally, you have to press and hold on the lock in order to use the manual feed button. That's so your more intelligent pets can't press the "feed me" button on the front. With the wall power removed, the unit unlocked itself and I was able to use the manual feed button to kick out a portion of food. You know Ada came running and ate it right away, right? But the real test was to find out what happens when the feeding time comes and you're on battery backup. Without wall power, will the new unit know about the scheduled feedings in its firmware, and will it execute the feedings on time? With the power still removed, I sat and waited to see what would happen when their dinnertime feeding came, and the Petlibro feeder fed them exactly on time, as you would hope. While it successfully dispensed the food, it did not make the pig call to alert the cats. This gave the svelte cat Grace time to beat the more Rubenesque cat Ada to the food and get a bit bigger share than usual. Back on the subject of notifications, you get way more granular control with the full app. You can set custom notification times. You can be reminded a defined number of minutes before the feeding schedule starts. By default, you're notified when the food level drops below 10%. If you rely on the batteries, you can be notified when they're getting low. Motion detection has more options. Unlike the Lite app, you can even set the area for motion detection. You definitely get a notification when the device is offline and one when the food outlet is jammed. There are also so many more options on the device camera itself. You can have it on all day or at a custom time. You can change the resolution from 1080p to 720p. You can decide whether you want to use night vision.
You can save video to the SD/TF card continuously all day or at a custom time, or just let it record when it senses motion. I am having a little bit of trouble getting it to recognize my SD card, but Orne's working with me on that. You can even tell it to record during feeding time. That might be good for us to be able to see whether Grace is ever getting any food at all or if Ada is eating all of it every time. The bottom line is that while I thought the original Petlibro automated pet feeder was good, the new version of the software makes me so much more confident that if something goes wrong, I'll get a notification so I can do something about it. If you'd like to get the Petlibro automated pet feeder, Orne assures me that if you buy through Amazon now, you will get the new version of the software and the new serial number of the hardware. The dual pet Granary feeder is $150, and there's a 5% off coupon right now at Amazon. If you buy it directly from Petlibro, there's a 12% off coupon bringing it down to $132. I haven't checked the shipping, though. Check out all of the Petlibro products at petlibro.com, and don't tell Steve, but I've got my eye on the pet water fountain next. It's that lovely time of the year when we make resolutions to do things better. Maybe we resolve to eat fewer carbs. Maybe we promise to be nicer to people. Maybe we set a goal to read a certain number of books this year. Perhaps I can suggest a New Year's resolution that's easy to keep. You could resolve to help a certain tech podcaster fund the shows you like so much. If you just go to podfeet.com/patreon, you can enter any dollar or euro or currency of your choice that you prefer to support the work we do here at the Podfeet Podcast. I thank you in advance for making this year's resolution a reality. Hi, my name is Allison and I'm not very smart. Over Christmas, all of our kids and grandkids came to visit. It was positively glorious.
Kyle and Nikki and their three little darlings flew in early to spend a full week with us. They came early to miss the flight rush, and so they had to work for a couple of days on and off while we took care of the little ones. Then Lindsay and Nolan and their two angels came up on Christmas morning. You can imagine the chaos that was our house with six adults and five children from ages seven down to six months. Just the luggage and clothes and toys were crazy, and then add in all of the Christmas presents and it was just nuts at our house. Now, when Steve and I visit our kids, we always forget something. There's only two of us, but both of our kids and their spouses are amazing at sweeping through each room and gathering up what's theirs, even when there are multiple families at the house. But this year, the level of anarchy was just a bit too high, and quite a few things got left behind. Most of the things left behind were things like parts to toys or a random sock, but one really important thing was left behind. We have a charging station in the kitchen, and after everyone had left, I found the charger for Kyle's Dell work laptop sitting on the counter. This was the worst possible thing to be left behind, because Kyle was leaving Texas on an extended business trip on Tuesday, the day after New Year's. I found the charger on the Friday before. I packed up the charger in the smallest box I could find, and I raced over to the local shipping store that does FedEx and UPS. I said that I had to get the box overnight shipped to Texas. The guy said, "Ugh, that's gonna be expensive." I explained that I had no choice, because he simply had to have it before he left on his trip. I said I'd pay whatever it cost. Tell me, what do you think it cost to overnight ship a one-pound, eight by two by four inch box from Los Angeles to Texas on a Friday? Whatever you think, you guessed too low. It was $170. I about fell over when he told me the price.
I said, well, okay, it doesn't have to be Saturday delivery. How about Sunday, two-day shipping? He said Sunday would be the same price. Then I realized, wait, wait, he's not leaving till Tuesday. So I asked, how about Monday delivery? "Lady, that's a holiday. They don't even deliver on Monday." I was stuck. I couldn't figure out what to do. The worst part was I couldn't ask Kyle what I should do, because his flight was still in the air back to Texas. So I paid the $170. When Kyle got back home, I texted him the cost and said, boy, I sure hope you could expense this to your company. He was floored at the cost as well. And he said, "I can't expense it." You can imagine how thrilled he was about this. Now, you might be wondering why I didn't offer to pay, but I wasn't the one who forgot it, right? As we texted about it, he said that he could have overnighted a new charger via Amazon for a lot less money. And that's when I realized something that perhaps you've realized already and would have known when you were standing there. When I saw that Dell logo on the giant black power supply in the middle of two power cable pieces, I assumed this was one of those proprietary laptop chargers from back when I was working. I'm certain the rest of you have guessed by now: it was a normal old USB-C charger. I couldn't believe it. What a terrible mistake of judgment I'd made. He probably could have bought a replacement at a grocery store. Even the official charger for Dell from Amazon, I looked it up, is only $26. I felt so bad when I realized this that I told him I'd at least split the cost with him. Fast forward a few days later, and I was talking to Kyle on the phone and he said the strangest thing. He said, "We confirmed that Nikki's laptop charged just fine using her dock." I wondered why he was telling me that. And that's when I realized the only way this story could get even worse. It wasn't Kyle's charger. It was Nikki's. It never had to be overnighted in the first place.
I'm Allison and I'm not very smart. I tell you what, let's hand off the show to two people who are smart. Bart Busschots is joined for the first time by Jill from the Northwoods to do Security Bits. I'm not sure how we should intro this, because I'm pretending to be Allison, or you're pretending to be Allison. Anyway, I promised a solo Security Bits, but I kvetched about how much I don't like them, and the NosillaCastaways are wonderful people, so of course a NosillaCastaway jumped in and offered to help out. So jumping in as my co-host is Jill from the Northwoods. Jill, thank you. You're welcome. It's good to see you. Well, I guess since you're pretend Allison and I'm pretend me, I guess you're the host. Oh, well, that's true. So I got to have a squeaky voice and then say "with an ever so slight Apple bias." Yeah, what about three more octaves higher than that? Yeah. Right, three more octaves higher and then a plank, right? There we are. Well, I guess we should probably jump in. There were no stories for feedback and follow-up, which is very rare for that section to be empty in my show notes, but I've just noticed I have an empty bullet point floating in midair, so I guess that didn't happen. But we do have ourselves quite the little deep dive since last we spoke. So I guess we should always start with the TL;DR, or, you know, don't panic. None of the NosillaCastaways are likely to suffer from this in any way, shape, size, or form, but it is nonetheless a very major piece of news. So I am talking about Operation Triangulation, which my one-paragraph summary is: Kaspersky Lab have discovered that they and Russian government officials were targeted by very advanced iOS malware that completely took over iOS devices for the last four years. Apple have patched all the exploited vulnerabilities, and regular users were not targeted. Kaspersky say there is not enough evidence to link it to any particular group or government. So yeah, four years. Wow, that's amazing. Yeah.
And these actors are getting so huge, but this is going after big key figures, not us little people, right? Right. I mean, the best write-up I've read by a million miles is Dan Goodin on Ars Technica, and that doesn't surprise me, because Dan is one of the best cybersecurity writers for a general audience out there. And I've linked to his full article in the show notes if you want the detail blow by blow, but I sort of picked out some bullet points to summarize the whole story quickly. So the first thing is they went undetected for four years, which gets to the point that it took so much effort to develop these things that you use them sparingly, because if you're caught, the jig is up. Right. As it now is, because of course Apple responded, patchy, patchy, patch, patch. So it's already patched, or is it soon to be patched? It is already patched, because I guess... well, Kaspersky have just told us the details, but the patches have been in a while, so I guess it took them a while to figure out the details. So the good news is if your iOS devices are up to date, you're golden, which is important, and the other good news of course is that we... Kaspersky estimate between 100 and maybe up to a few thousand people were targeted. That's not us. That's just not us. Yeah. The attacks were delivered via an iMessage, and it was the holy grail of iOS attacks in that it was a zero-click exploit. So the way it would work is your phone would be lying there, without you noticing it would receive an iMessage, and without you doing absolutely anything whatsoever, that iMessage would hack your phone, and it took them... yeah, it took a chain of four vulnerabilities to do that, and they're not simple vulnerabilities, and even after all of that, because of the level of security on iOS devices, a reboot would remove the malware, but the attackers had a workaround for that: they just sent more iMessages. Wow, that's something. It is. So to sort of...
to put a picture on how complicated this is, the thing starts with a bug they found in TrueType, which is a font handling library, and I think one of the lessons from Security Bits from the last decade is that parsing stuff is hard. You probably remember when PDF bugs were the thing we talked about every single week; well, a very close relative of that is TrueType, which is a font rendering library, and so they found a bug in the font rendering code, and then they used that bug to exploit another bug in the kernel, then they used that bug to exploit another bug that gets them into an undocumented hardware feature, and then after that they still needed one more bug to actually run their arbitrary scripts on the device, which was a bug in Safari, a JavaScript bug they were able to find. So they had to find four zero-days. So if you think about how much work that must have been, like, I think that's a billion-dollar bug. Like, I think stupendous resources have gone into this, which again is why it's not aimed at us as regular folk. When you're talking about state, you know, in attacking state actors, you know, on the Russian side or any side, of course, then it's going to be the big powerhouses behind it. Yeah, it's got to be someone with really deep pockets, and I don't think it's cybercrime, which also has deep pockets. So some of these cybercriminal groups are getting to be as big as countries, but given who they went after, I don't think we're looking at criminals this time. I think we are looking at, you know, one or more nation states. I guess you could say maybe the Five Eyes got together and pooled the resources or something like that, maybe, but again, pure speculation. Right.
The really interesting one is this hardware feature, because iOS security has been advancing and advancing and advancing, and one of the things Apple have done more recently is they've added hardware protections to stop arbitrary code exec or arbitrary memory writing even when there's a bug in the kernel. So the hardware is stepping in to stop even an exploited kernel from writing to random pieces of memory, and the kernel is the most privileged part of the operating system, so that is like a stupendous feature, to have hardware protections from a kernel bug. Like, that's such a big bar to cross for an attacker, but they found a set of undocumented registers which can be used to write to arbitrary memory if you know what to do, and knowing what to do involves generating checksums and all sorts of things. It's not straightforward to figure out what to do, which is why Kaspersky were a bit perplexed, and the best they can come up with is: "Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake." And I will just throw in that the other obvious elephant in the room here is some sort of supply chain attack, because Apple designers will have built the spec for the chips they wanted manufactured and they would have sent that to a manufacturer, and if at some point in between someone added in a few extra bits and bobs, then out comes something like this. That makes sense. Yeah. So as you said, definitely fully patched. Great.
Well, one of the things I always think of too is I always talk about how you never have to reboot Apple things; they'll go on and on forever without really a reboot. But maybe because of my Windows experience, I reboot all the time, at least once a day, because I know that if anything is attacking your computer, it clears it out. Yeah, and the reason, I guess we should say, because I think we've mentioned a few times on Security Bits that iOS is very... I don't remember the last time we had an issue that was persistent in iOS, and the reason for that is secure boot, because each time your phone boots up there's cryptographic checks of the operating system being loaded into memory, and so if an attacker succeeds in rewriting the flash memory on your phone, then the phone will fail to boot. So the choice they have is their exploit goes away on a reboot, or the phone doesn't reboot, in which case their exploit has gone away by default. So the best they can do is reinfect, and secure boot is the key to that, which is why jailbreaking is hard and why Apple locked jailbreaking down so heavily, and that's why there are no jailbreaks on modern iOSes that we know of. I already mentioned this is fully patched, and obviously the other thing here is that this is very, very advanced. We don't really know who did it, and I think there's a lot of conspiracy theorizing out there, but I just want to share what Kaspersky have concluded. They were the people targeted, the people with the skills to check this out, and they say the following: "Currently we cannot conclusively attribute this cyber attack to any known threat actor. The unique characteristics observed in Operation Triangulation don't align with patterns of known campaigns, making attribution challenging at this stage." So they don't know, and they're the best placed to know, so if you hear people speculating, that's what they're doing: speculating. But again, just remember none of us are important enough to be worth being targeted by something like this, which I take great
pleasure in. I am completely not interesting, yay. Yeah, that's right. Well, and the good thing about it is, I mean, I do work in healthcare. I'm not interesting, but I have access to things that are interesting, and so, you know, you feel glad when they fix them, but eventually these things trickle down and rain in; they eventually get to us, and so it's good they fixed it. That's it exactly, right, because once the secret is out, then, you know, the cybercriminal people are putting their resources into reverse engineering whatever information they can get from the patch. That's one of the big ironies, actually: one of the big ways cybercriminals get in is when Apple or Microsoft patch their operating system, the cybercriminals reverse the patch to try to find what's changed, and then based on what's changed they can probably figure out the vulnerability, and so if there is a patch and you don't have it, your exposure has just jumped through the roof, right? Which is why I always say stay patched so you stay secure, which I repeat to myself all the time. I just sit there and say that every time I patch, so yay, I have a catchphrase. It's not very exciting, but it is a catchphrase. Unless you have anything else to add, Jill, I think that sort of covers off that rather large piece of news. It's great. So jumping on then to action alerts, just two little bits of patchy patchy patchy patch, and Google Chrome fixed their eighth zero-day of 2023, and it is now 2024, so I guess eight is the total for the year. So patchy patchy patch patch, which for Chrome users means doing that thing you hate doing and turning your browser off and turning it on again, because it will auto-update but you do have to restart it for the update to take effect. And I don't know about you, but I'm Mr.
20 million tabs person. Oh, I try not to, but like I said, that might be a leftover from my Windows life, so I keep them trimmed down. Well, I guess if you reboot every day by default, you're forced not to do what I do, which is everything I must remember is a tab, and it's not just tabs in one window. It's actually... I'm dead curious, I haven't prepped this at all. If I go to Safari and click on "show me windows," how big is the list? This should be fun. Window... okay, so my tabs are spread over 15 windows. None of those windows have one tab. None of them have one tab, I can promise you that. So yeah, I am guilty as charged here, but I am a Safari user at least, so not a Chrome user, because unfortunately, having once been the lean, mean browser, Chrome is not so lean these days. Oh, I always related it as a two-year-old tripping over its own shoelaces: it tried to be fast, but sometimes it was faster than it could be and it would just fail. So when you work in enterprise software, you beg people, don't use Chrome, it's not, you know, going to render your page the way you might expect it to. Yeah, I'm very happy that Microsoft Edge is now remaking basically Chromium without Google's cruft, and it is now a snappy browser without too much faffing about, which is pleasing. Yeah. Our second action alert is Apple have released macOS Sonoma 14.2.1, which has one security fix, so if that is you, patchy patchy patch patch. There were a lot of other updates from Apple, but they're not security, they're just bug fixes, so, you know, you probably do want to patchy patchy patch patch because, well, it's nice not to have bugs all over the place, but it's not mission critical. Great. Where are the warnings, then? I regularly tell people not to pirate software: A, because I think it's evil; as someone who writes software, it's "how dare you steal that from people." But B, it's really, really dangerous. So we have proved that fact by a new story that broke the week before last: people who were pirating games like Grand Theft Auto,
Assassin's Creed or The Sims 4 accidentally ended up with some bonus extras in their download: fake VPN extensions force-installed into Chrome, and it happened 1.5 million times based on the download numbers. Yeah, so a lot of software piracy out there, and that's not good. So yeah, don't steal software. No, I mean, I agree with you. I tried to tell people it's like walking into a store and grabbing a CD and stuffing it in your shirt, it's that bad, and no one would believe me until they kind of became software developers themselves, and then they understood. But yes, one, it is stealing, but two, that was around in the 80s too, and people would steal games and it would just be loaded full of viruses, and that was back before virus protection, so we didn't have a lot of... and it's been that way forever. And then, the hard way, when I discovered what a boot sector virus was, having reinstalled Windows 3.1 four times before I discovered what a boot sector virus was. So yeah, I haven't stolen software since. Yeah, don't steal stuff, just even just to protect yourself. Yeah, I think I was 12 and it was a silly game like Commander Keen 5 or something like that. Right.

Those of us in Europe are probably familiar with an app called EasyPark, because it is probably the most widely used parking app here in Europe. It is used by many, many, many cities, and they had a wee bit of a data breach. I guess the good news is there were no passwords in the breach, and there were also no full payment details, so they can't steal your money, but unfortunately what was included was your name, your physical and email address, as well as the sort of last-four-digit kind of bits of credit/debit card numbers and IBANs, which are your banking details these days. Is IBAN European or global? I can never remember which is us and which is everyone. Do you guys have IBANs? I don't think I recall that term being used around here like that. In fact, I'm not even sure what it is, so why don't you tell us what it is. It is a... I think the I
is for international, so you probably have them under the hood, but basically, instead of having a sort code and an account number, your IBAN is like your all-in-one "this is how you get money to me". And so European banks have really moved towards IBANs for everything, because in the European Union there's a lot of inter-country trading, you know, interstate is kind of easier than inter-country, and I think that's why we were so big on our IBANs. But I think if you wanted to send money to Europe you'd need to find your IBAN, sorry, if you wanted to receive money from us Europeans, I think you have one, but you wouldn't know it, whereas we use them all the time. And therefore, like you're used to maybe seeing the last four digits of your Social or the last four digits of a credit card, the last four digits of your IBAN is a thing here. And so the attackers have those partial credit/debit or IBAN numbers, which means they can make extremely convincing and automated targeted phishing, because they know who you are, where you are, that you park, and they know enough to pretend to know your full payment details. That could be very convincing.

We have applications here like Venmo and transfer money systems that way. Do you think it's less safe to have a unified IBAN system, or less safe because we're private organizations? Well, we have those as well, so I don't think they really meet each other; they solve different problems. So you'd generally be using your IBAN or something for a direct debit, or corporations would use them a lot for paying invoices and stuff, but they wouldn't replace the Venmo where you'd quickly throw someone a bit of money or whatever. Gotcha, okay, interesting. So I imagine the IBANs are there actually because EasyPark is big enough that if you owned a fleet of corporate vehicles you would have some sort of, probably a very large, monthly contribution going over to EasyPark for your fleet, which is probably why those IBANs are
there. Gotcha.

This is the time of year when lots of people get new iOS devices from Santa Claus, and so it is not surprising at all that this is a time of year when the good folks at Intego have noticed a rise in iCloud scams, specifically "iCloud free storage, click here and hack yourself" emails. So yeah, don't do that. You manage your iCloud from the iCloud setting inside System Preferences, whether it be on iOS or macOS, or from Apple's actual website. You do not manage your iCloud from an email, because it's probably not from Apple, and they're also not big on giving away free stuff. Tim Cook is convinced that services are the future for Apple, so he's not giving away a lot of that. I know, who knew, who knew. But that's a great point, because I get emails constantly from my web host provider: oh, I can get free extra storage, I can get free this, and iCloud, I get those too, and I don't click on any link I get from any email. I go to that website. Chase wants to talk to me, I log into Chase. Yeah, exactly, and I'm guessing Chase and banks are probably like our ones here, so when I log into my bank I have a little bell icon in the top corner, and any advertisements they want to throw my way are sitting right behind that little bell button, where they will tell me all about the cheap loans I don't want but they want me to want, yadda yadda yadda. Right, right.

Notable news then. It was Christmas, so I guess I shouldn't be surprised this section is a little on the sparse side: a whopping two notable news stories, and one of them is one of those ones that I changed my mind on about five times as to whether or not to include it, and if Allison was here I might get shouted at, but I'm going to say it anyway. I think it's important for people to understand how cybercrime works, because it always comes down to "follow the money". And initially ransomware was going after regular folk and saying give us money or we're going to delete all of your family pictures you value so much, and then
they went, ooh, corporations have more money than people, so then they started ransomwaring corporations, saying pay us up or you're never getting your data back. And then they realized that it would be really embarrassing to leak data, so then they started doing what's called a double extortion: pay us up or you're not getting it back and we're publishing it. But now there's something called a triple extortion, where they go one step further, and when the company doesn't pay they go straight after the victims and individually extort each of the victims in the data they stole that they are going to hold the company to ransom for. So I am sorry to say, if you live in Oklahoma, that your largest not-for-profit public healthcare network has been compromised. It's called Integris Health; they run lots of hospitals and clinics and things, and the attackers have given up on getting the money from Integris, because they quite rightly are not giving in to this kind of extortion, and the FBI and everyone tells you you do not pay. So now they've started to send ransom emails directly to the victims, i.e.
the patients of these not-for-profit healthcare facilities. So charming, charming individuals. That did happen to me. My company that I used to work for got hacked. They downloaded our HR database with Social Security information about the workers, and then, when the company wouldn't pay, they reached out to us and said make private deals with us. Wow. Yeah, yeah. So there you go, and it's all about the money, so follow the money, and it was inevitable that they would decide that that is a way to go and extract money. But yeah, the advice is still the same: don't pay, because you have zero guarantee paying them will achieve anything, and there is a possibility that in paying them you are literally breaking the law, because if they are a Russian entity you could be in breach of sanctions. Yeah, they did pay, after our information was up on the internet for 24 hours, which is forever on the internet, so yeah, it was the worst of all worlds. That doesn't seem like it achieved anything other than draining the bank balance, because there is no undo button for the internet. Well, it turned out they had other information that became juicier for other people to want to prevent that from getting to the internet, so we were okay; the other information was a little less... yeah, they didn't want that gone. Right, yeah. Then that is another technique, of course: you leak a little bit and then you threaten to leak more, and then you hint at how juicy the more might happen to be. Ask Sony Pictures how that feels. Right, yeah. So yeah, these hackers. But here's the thing: I think I heard, and you could tell me if this is true or not, that they started going after the bigwigs, the companies, the deep pockets, because we're little people, but then little hackers ended up buying hacks against people, so now these companies migrated up. Yeah, well, there's now a thing called ransomware as a service, so if you're a small operator you can basically buy, yeah, ransomware as a service, like
you would buy Dropbox, which is storage as a service, you can buy ransomware as a service, and the people doing the hard work of the hacking take a cut, a bit like an app store: 30% is quite normal. And so you get 70% of the hackery you do and they get 30% for providing you with the tools, and you really don't need any skills whatsoever. You just need enough operational security not to get arrested tomorrow, but other than that, that's all you need; you just give away 30% of the profit and that's that. So yeah, cybercrime is money, money, money, money, money, and understanding how the money flows... I literally do an hour-long talk to Mac user groups where that's the basic theme, follow the money, because it gets you everywhere. So yeah, these people will get everybody: the little people will get the little people, and the big people will get the big people, and then the big big people will go after the big big people. Yeah, and sometimes law enforcement have a big success and they shut things down, so it is a cat and mouse game, but the probability is high that someday, sooner or later, you're going to be involved, so back up, back up, back up is definitely your friend. Yeah, and switching from cell phone authentication to two-factor authentication through an app; that's how we got caught, with cell phone authentication. And yeah, so as much as you can do to stay secure. Passkeys, right, go to passkeys. Yeah, I've started to use passkeys through 1Password, and it is such a magical experience that it follows me from operating system to operating system. It's just there. I just say to GitHub, here, use my passkey, and 1Password pops up, scans my fingerprint or my face, depending on where I am. That's brilliant. Anyway, I have a good news story, thankfully. The other notable news is way less depressing. Google Chrome, which is still bloatware, but nonetheless it is safer bloatware. Google have announced that they are expanding
what they call their Safety Check feature, and one of the things they're doing is having it run automatically in the background all the time, and it will then present any information it finds to you in real time, which is way more useful. So just two little quotes from the BleepingComputer article: "Safety Check compares login credentials against those exposed in data leaks. It also checks for weak and easy-to-guess passwords that expose users to brute force attacks." And so it'll just do that in real time as you're doing your thing. And then Google are broadening it, so Safety Check is also going to automatically revoke permissions, such as access to the user's location or microphone, for any websites you haven't visited for a long time. So if you've granted some random website microphone access and you haven't been there in ages, that access will evaporate, which is great, because permanent permissions are dangerous; evaporation is good. Is that going to be both on desktops and on mobile devices too, or is that... From the article it would appear that this automatically-always-running-in-the-background thing is a desktop feature, which may have something to do with how these things are architected. It's not to say they won't get something useful to mobile, but there was no mention of it in the article, so I'm going to assume if there was they would have bragged about it. Right.

Now, we have no top tips this week, but I do have one excellent explainer. I thought I would link people to the good people at AppleInsider, who have a nice, simple article on how to protect yourself from QR code scams, and I'll give you the quick summary. Remember, a QR code is just a URL, so like any other URL, look in the address bar to see where you have actually landed. It is now a thing where attackers are going on places like, say, public parking, which in some cities is done with QR codes, and they are printing out malicious QR codes and sticking them over the legitimate ones,
and then the URL takes you to a website that looks like the city's website but isn't the city's website, and you see where this is going. So always look at where you end up, right? It doesn't really matter how your browser opens: if your browser opens and it's on a page where it's looking for you to tell it something, always glance up at that address bar. Look where you really are, not where you think you are. And the other really good tip is that if you're an iOS user, the safest way to actually scan a QR code is not with some sort of third-party app you downloaded from the App Store, because a lot of those are really quite dodgy; it's actually to use the Camera app, because the Camera app will detect them automatically as you're pointing it around, without even taking a picture. Just turn on the camera and point, and it will show you the URL, and you then have to click on it before you go anywhere. So it's a nice little double check, and I always like to use it. In fact, I used it about an hour ago, because here in Ireland, when we have to pay import duty on something, our post office very kindly gives us the bill. So instead of getting the package we ordered, we get a little piece of cardboard that says "you owe us blah euro", so that you can get your package, but it has a QR code on it, so instead of having to type in the tracking number like we used to have to do, which is always a pain in the backside, you scan the QR code. But when using the phone app I could immediately see you went to anpost.ie/customs. Great, that's where I wanted to go, tap, then I safely completed my credit card transaction. Then my bank rejected the transaction, because, and I found this out when I rang them up, at this time of the year there are so many fraudulent customs declarations that we block them all automatically, or rather Visa block them all automatically, and make people phone in to say it really is them. So that's my day of what Christmas is like, I guess. So anyway, yeah,
I know, I was at my gas station that used to get those, I don't... they've been targets of scams before, but there was a big QR code right on the gas station pump, and I thought, I wonder what this is, so I went and did it. Like, what are you doing, you don't know what that is. So I put my phone away. Put your phone away, yeah. But as I say, ultimately they're just links, so as long as you check the URL where you land you're fine. I mean, they're not magic; they're just links in a form the phone can go there... the phone can go there instead of you, the human, having to type in the www. Yeah, yeah, yeah. It was smartly a tiny link, and so, oh, you couldn't really tell what it was, you know. I'm like, oh no, that makes no sense, actually. Why would you, if you're going to encode a URL in a QR code, why send... oh no, I know why you send it through a tiny link, because that way you get statistics, you get tracking statistics; that's what that's about. Right. Oh yeah, the attackers want it for obfuscation, but a semi-legitimate use is tracking cookies, right, and I use the word "semi" there because I don't think it's legitimate: if I'm engaging with a company, you shouldn't be doing that to me, I'm your customer. But, you know, it's not... oh, this was definitely fake. Yeah, this was definitely fake. Yeah, interesting. I just read this article yesterday, I was out cycling, and I noticed that QR codes are now becoming so common that the local secondary school, their welcome board doesn't have the school's website; it says, you know, bloody blast community school, and a QR code, a giant big three-foot-by-three-foot QR code, not a web URL, a giant QR code. So yeah, they're everywhere, but they are just links, so the idea is don't click on links you don't know, and don't click on those either. And I think the most important thing is that when you get to a web page from a QR code, look up, like, look up at that address bar. That advice can never get you wrong, because no matter how many redirects you ended up bouncing
through, at the point in time where there's a text box saying "please tell me things", if you look up at that point in time, that's what matters. And particularly look for the little padlock and make sure that you are at the URL you think you are, because if the padlock says hacker.com, well then you are securely talking to the bad guys. It's like, yay, right, I can be securely hacked. Oh wait, no.

Now, unfortunately I have no palate cleansers, because I have never seen my feed reader as empty as it has been in the last couple of weeks, because all of my favorite websites let all of their staff have holidays and things, how dare they. So I guess this is as close to a palate cleanser as we get: the iOS Camera app is great for QR codes, use it. I don't know. Well, I did come up with one, um, recent aha. So I've recently been getting involved in quiet hiking, and I hope I didn't hear this from you, but there's a fellow named Herman Hoek, H-O-E-K, he's on YouTube and I can give you the link, and he just hikes places and he doesn't talk. You just hear him crunching leaves as he walks, right, and so he's just going on an eight-day hike through Yosemite, and you just watch it on YouTube. And so when I'm working I just have this beautiful nature vista in front of me instead of music or a podcast, and it's so relaxing. So I recommend Herman Hoek, who does these amazing silent hikes. That is a really cool recommendation. It reminds me of a channel I used to be fascinated by. It was a Scandinavian country; they had attached cameras to the nose of their trains, and it was just a TV channel with no sound, or it might have been some quiet music or something, and it was just the countryside pootling past you, with the difference that, instead of it being crunching leaves, there was always these two parallel lines in front of you, because you were strapped to the front of a train. But you never knew what you were going to get, and it didn't change very quick, but it was just a thing to have.
Cool, thank you very much. And actually, let's see, another bonus: since you're not normally here, why don't we use this as an opportunity to plug your very cool podcasts. Oh, well, thank you. I got started because Allison got me started, and I have the Start with Small Steps podcast, and it's productivity. I try to keep most of my podcasts around 17 minutes, but I'll usually talk about a book, someone's famous book; I sort of summarize it and then say whether or not I think this book offers people a lot of good advice and that they should read it too. So it's almost like a book review, or I call it a book report. But that's my first podcast. Well, given the time of year, when people are thinking of making improvements in their lives, I think that is the most perfect podcast plug that could be, because a small step now is the time. And for what it's worth, I am someone who has succeeded over the last decade or so when making some things better. The reason I succeeded was because each step was always small and sustainable, and then when you have one done and it's become a habit, do another one, let it become habit, do another one. That's absolutely right, and I'm trying to get the whole Small Steps empire: I have Small Steps with God, Small Steps in the Bible, and then I'm going to do a nature one, which is small steps but it doesn't say small step. But if you're interested in small steps, there's a fantastic book by, oh gosh, now I can't say his name, but it's called Tiny Habits, and so if you're looking to sort of expand on your small habits empire of gradually changing your life, the book Tiny Habits is the way to go. I'm intrigued with the concept of nature small steps; what would you be teaching people? Well, what we're going to talk about is how to see nature outside your front door. There are podcasts out there that will talk about how science works, the blood of a frog keeps him from freezing in winter; this is really about how to go outside, find nature, see
stars, see auroras, what's the weather mean, and it's just about observational nature. So okay, you have a subscriber straight away, because I spend a lot of time out walking and stuff, and I am always on the lookout for cool and interesting things and stuff to keep an eye out for, and one thing the pandemic taught me is that there is fun and interesting stuff on your doorstep, because my world shrank quite a bit, but I still had a lot of interesting stuff going on, because I was looking more carefully, more closely. Yeah, well, this one's called Buzz, Blossom and Squeak, and you can use small steps if you like. It is not yet live, because I'm working with a friend and we're trying to get our groove. You know, it's easy to do a single podcast where you're just doing your own thing, but obviously getting a chemistry together with someone takes a little bit longer, so we're getting there with small steps. Well, excellent, what a great cover, look at that. That sounds absolutely fascinating, and I'm sure you will let us know when it's live, and I'm sure Allison will be so kind as to plug it for you, because I'll definitely be your subscriber. That sounds really cool. Well, and I follow your social media, because you post beautiful pictures of nature, so I love that too. And the thing is, it's all within walking distance of my front door, because that is what I do: I go for two walks every day, and that's where those photographs come from. And so I'm always trying to learn more about what's around me, and there's a lot around you no matter where you live. I really love it, yeah. Cool. Right, I'm supposed to say something. Oh yeah, remember folks, until next time, stay patched so you stay secure.

Well, how fun was that? I'm starting to feel like I'm working myself out of a job here. Maybe I'm going to be semi-retired from podcasting now. You can never get the microphone away from me, but anyway, that is going to wind us up for this week. Did you know you can email me at
allison@podfeet.com any time you like? If you have a question or suggestion, just send it on over. You can follow me on Mastodon at podfeet@chaos.social. Remember, everything good starts with podfeet.com. If you want to join in the fun of the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. Remember, you can support the show at podfeet.com/patreon like Linda Gouche, or with a one-time donation at podfeet.com/paypal. If you want to join in the fun of the live show, you're going to have to wait until January 14th, and when you do, head on over to podfeet.com/live on Sunday night at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.