Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, December 10th, 2023, and this is show number 970. Well, we have two episodes of Chit Chat Across the Pond this week, the first one being a Light version. Jason Howell, podcaster and producer for the TWiT network and musician, joins me to talk about what it's like to use an Android phone with a Mac. I live in an Apple-centric bubble, as you know, so I was very curious about how he works with these two different operating systems. We talk about his origin story on the Mac and his Android hardware of choice. We talk a lot about how he manages his photos and what messaging is like in this mixed blue bubble, green bubble environment. Jason is great fun and he's introspective, and we had an absolute blast chatting. If you'd like to find out about everything Jason does, go to raygun.fun; he says it rhymes and it's fun. Anyway, you can find Chit Chat Across the Pond Light in your podcatcher of choice, or you can find it under just plain old Chit Chat Across the Pond.

As you probably would have guessed, the second Chit Chat Across the Pond is another installment of Programming By Stealth with Bart Busschots. In this installment, Bart continues his instructions on learning more about how to use the jq language to query JSON files. We get into the thick of it as Bart teaches us three important jq concepts: filter chaining, operators and functions. To get there, we learn about the literal values in JSON and jq and how only null and false are false. Armed with that information, Bart explains the not function, and once we put all of those concepts together, this ridiculous command will make perfect sense: jq -n 'true and true | not', and that resolves to false. I love that so much.
It just, I got such a kick out of that when I first read it in the show notes that I posted my enjoyment of it on Mastodon, and one of the actual developers of the jq language commented that he was excited to learn that we were covering jq in Programming By Stealth. How cool is that? Anyway, the any and all functions are not nearly as silly sounding, but they're equally useful. By the end of the episode, we can successfully query the Nobel Prize JSON file to show us all of the prizes won by anyone with the surname Curie. We even have three fun challenges at the end of the episode, and I gotta tell you, I really am a data nerd because I love this stuff. This is so fun, I can't wait to do the homework. Anyway, you can find Bart's fabulous tutorial show notes for this episode and all of the Programming By Stealth episodes over at pbs.bartificer.net, and you can look for Programming By Stealth in your podcatcher of choice or under Chit Chat Across the Pond.

In August of this year, Jill from the Northwoods told us about a terrific Mac-based transcription service called MacWhisper by Jordi Bruin from Goodsnooze. As you may recall, the naming convention for this app is very confusing. It also goes by Whisper Transcription. So I think if you search for MacWhisper in the Mac App Store, you find Whisper Transcription, but when you download it, it's called MacWhisper. Again, very confusing, but just search for MacWhisper and you'll be golden. No matter what it's called, it's a terrific way to use your local processing power to transcribe audio. You can do a lot with the free version of MacWhisper, but I chose to pay the $35 lifetime fee for the Pro version. It's also available for $15 per year. You can buy it through the Mac App Store or directly from the developer, Jordi Bruin. You might also be perfectly happy with the free version. For free, you get the tiny, base and small transcription models, but with the Pro version, you can use the larger models to get better results.
I put a link in the show notes to the page where Jordi outlines all of the other features that you get with the free and paid versions of MacWhisper.

Anyway, in September, just a month after Jill told us about MacWhisper, I wrote an article suggesting that we all question whether or not we need MacBook Pros, or whether the MacBook Air might meet even our more challenging computing requirements. I consider myself a pretty high-end user, you know, with the podcast creation and the video tutorials I create. And I found that even for me, this was a good question to ask. In the article from just a few months ago, I included some timing tests I ran comparing my $5,000 M1 Max MacBook Pro to the $2,500 M2 MacBook Air, so half the price. Even though the MacBook Pro is an M1 and the MacBook Air is an M2, I thought the speed comparisons were still pretty interesting. Now, I chose the most compute-intensive things I do on my Mac for my tests. One of those was running audio files through MacWhisper for transcription. I also tested running audio noise removal using Hush, transcoding audio using Hindenburg, and transcoding video using ScreenFlow. I ran all of these apps on the M1 MacBook Pro and the M2 MacBook Air, and I charted out the results. The $5,000 MacBook Pro was 32% faster than the $2,500 MacBook Air, cutting the 27 minutes of tests down to 18 minutes. Of the different tools involved in the timing tests, MacWhisper's tests contributed more than 10 of the 18 minutes for the MacBook Pro and 17 of the 27 minutes for the MacBook Air. With the MacBook Pro coming in over 30% faster overall, it sounded like it was justifiable to buy the more expensive machine if you run these apps. But when looking at a total of only nine minutes saved, I wondered if a machine costing twice as much was worth it. You might also have to consider how often you do these kinds of things, right? Anyway, you might be wondering why I'm dredging up all of this old news from August and September.
Well, this week, Jordi Bruin, the developer of MacWhisper, just announced the release of version 6, a free upgrade to people who paid for it. In his newsletter announcement, he explained that MacWhisper can now use your GPU if you have a Mac with Apple Silicon, and that you should see audio transcriptions two to three times as fast as before. Well, you know I had to rerun my timing tests on the new version of MacWhisper to verify his claims. When I ran the timing tests back in August, I used an audio recording of my Macstock presentation to test the speed of audio transcription with MacWhisper on the two Macs. When Jordi released version 6 of MacWhisper, I used the same audio recording from Macstock. The M4A audio file is 25 minutes long and weighs in at 56 megabytes. The original tests were with that file running the large AI model and the small AI model with MacWhisper on both the M1 Max MacBook Pro and the M2 MacBook Air. I repeated these four tests this week, but this time I used the new version 6 of MacWhisper, and the results are in. The M1 Max MacBook Pro transcription of my audio file using the large AI model went from 511 seconds down to 155 seconds. That's 3.3 times as fast as it was with the older version. That's bananas, right? Well, Jordi claimed two to three times faster, and the MacBook Pro with the new version of MacWhisper exceeded his claim. I just can't believe it. I'm really shocked. Well, next I ran the same large AI model on my Macstock presentation, but this time I ran the test on my M2 MacBook Air. On the old version of MacWhisper, it took 845 seconds to complete, but on MacWhisper 6, it finished in only 343 seconds. That calculates out to 2.5 times faster. Not quite as impressive as the speed increase on the MacBook Pro, but it still supports Jordi's claim of two to three times faster.
Since we know the improvement in speed in MacWhisper is due to MacWhisper now using the GPU, the difference in speed increase is completely understandable. My 2022 M2 MacBook Air has a 10-core GPU, while my 2021 M1 Max MacBook Pro has a 32-core GPU. In all my years using Macs, I have never before been able to actually measure the difference that a GPU could make in my real work. I always looked at it and wondered, I mean, I don't game. I mean, what am I doing that actually uses the GPU? Now I know. This transcription software is using my GPU, and it does make a big difference. 32 cores versus 10 cores is finally measurable for me. In a super nerdy way, that's kind of exciting. You can tell I'm really thrilled by this. Anyway, it's also notable that while the MacBook Pro was already significantly faster in the original test with the older version, it widened its lead from 40% faster overall to 55% faster than the MacBook Air. Now the timing differences using the small AI model in MacWhisper were not as dramatic, presumably because the time it took to transcribe was so much shorter. I don't know, it couldn't get revved up, I'm not sure. Anyway, the M1 MacBook Pro transcribed the same Macstock presentation 2.1 times faster than it did with the old version. The M2 MacBook Air was 1.8 times faster than its previous speed. That's a smidge lower gain than Jordi said we'd see, but we'll allow it since the large model transcription speed exceeded expectations. Now, as exciting as it is to finally have justification for this higher-end GPU in a MacBook Pro, let's back up and see if I can really justify double the cost of the MacBook Air. I updated my original chart that included not just the MacWhisper test, but also Hush removing noise from audio, Hindenburg compressing audio files and ScreenFlow transcoding those large video files. In my original test, the MacBook Pro took 18 minutes for all of these tests and the MacBook Air took 27 minutes total.
When I updated the chart with the results of the new version 6 of MacWhisper, the total time for the MacBook Pro was 11 minutes for all of my tests and the MacBook Air was 17 minutes. Percentage wise, the spread between the MacBook Pro and the MacBook Air had widened, but the total time between all of these tests went from a nine-minute spread to a six-minute spread. So it's taking me six minutes longer to run all of these tests on the MacBook Air than on the MacBook Pro. So if we're gonna be rational, we have to look at whether six minutes is worth doubling the price of the machine. Everyone will have to answer that question for themselves, right? How many times a day or a week do you need to run a large AI model on your audio files? Are there other things you can be doing with your CPU while the GPU is off doing the heavy lifting? Would you make more money if you could get more of these tests done in a week? All those things are going to change the answer for you, and it could be something like you need a bigger display. There are a lot of other reasons you might wanna go with the MacBook Pro. So I can't answer these questions for you, but I can for me. I now know that I don't really need a MacBook Pro, and I definitely don't need to spend the money on an M1 or another Max version of the MacBook Pro, even if I do buy another MacBook Pro someday. Now, as irritated as I continue to be that Apple have not solved my battery problem on my MacBook Pro after more than seven months, I'm very glad I bought a MacBook Air so I had a computer to use during all of the tests they've made me do. I love this little machine, and these tests proved to me that I don't gain much benefit from the high cost of the GPU cores and CPU cores in my MacBook Pro. If you're interested in MacWhisper, you can find it in the Mac App Store or, like I said, you can buy it directly from Jordi at goodsnooze.gumroad.com.

In 2019 at CES, I interviewed a company called Omnicharge about their power banks.
While they have the usual assortment of small power banks, the one that really caught my eye was the Omni20 USB-C charger. I bought it for $169 four and a half years ago, and it's been one of the most useful accessories I've ever bought. The Omni20 is a 72-watt power bank with two USB-C power delivery ports and two USB-A ports for charging smaller devices. It also allows pass-through power, so I can charge it while using it essentially as a power-providing hub. It couldn't quite charge my 16-inch MacBook Pro at 72 watts because the MacBook Pro wanted 100 watts, but it was a good companion for a long flight back then. But the main use for this power bank has been to use it as a bedside charging station when we're away from home. When we were on the ship to Antarctica, my side of the bed had a power outlet and the desk away from the bed had one more, but that was it in the entire cabin, so Steve didn't have one on his side of the bed. Two power outlets for two nerds on vacation were definitely not enough. But I gave Steve the Omni20, and he was able to charge his phone and his watch overnight and be able to use his phone as a clock at night. And by the way, he uses an app that was written by our very own Allister Jenks as his clock. Every morning he'd plug the charger into the desk outlet and get a charge for the day. I should say plug the power bank into the desk outlet, and then he would be ready for another day when he came back from our adventures. The Omni20 is a brick at five by five by one inch and weighs 1.1 pounds. So it's not something to carry around like in your purse. It has a very tiny three-eighths-inch by one-inch LCD display which shows which way power is flowing, at what levels, and how much juice is left in the battery. Now I'm bringing you up to speed on this power bank because I've just bought a replacement for the Omni20. I didn't need a new power bank, but I wanted a new power bank.
I chose the Baseus Blade HD 100-watt 20,000 milliamp-hour power bank for $80 on Amazon. The most important thing about this new power bank is that it fills the exact same need as the Omni20. It has two USB power delivery ports and two USB-A ports also for charging. Like the Omni20, it charges via USB-C, and it can be used as a pass-through power delivery device. Interestingly, both the Omni20 and the Baseus Blade HD do lose charge while providing power pass-through, which I didn't expect. I thought that was a little strange. Anyway, I upgraded to the Baseus Blade HD for a few reasons, and they're all about the form factor. The Baseus Blade HD is 28% smaller in volume, primarily due to how much thinner it is. It's 0.7 inches thick versus one inch thick. It also weighs 12% less than the Omni. That's a big advantage for something you're carrying around, but it's even more impressive because the Blade HD is a 100-watt power bank while the Omni is only 72 watts. Both can charge your laptop, but you're gonna get it faster with the 100-watt charger. So for this device I now have something that's 12% lighter than my previous one and 28% less volume, which is fantastic. But the other reason I wanted to upgrade was for the display. I mentioned that while the Omni20 had a lot of info on the display, it was wee tiny, and I actually didn't list everything that comes out on that little display. The display on the Blade HD is giant in comparison, taking up about 25% of the face of the power bank. It's much more readable, and even though it seems to provide less information, I feel like it provides more actionable information. For example, the Omni20 packs in the volts and amps at which it's both charging and discharging and includes little symbols for the USB ports through which power is flowing. It tells you its total battery left, and it even tells you its temperature in Fahrenheit. Well, the Blade HD's display text is huge and readable.
It has the total percentage left in giant three-eighths-of-an-inch-tall numbers. While you're charging a device with the Blade HD, you can see how many volts and amps you're providing to that device, and it shows you how many hours and minutes are left until your device is fully charged. I'm not sure I understand that number though. I had charged my MacBook Air up to 98%, and the Blade HD was telling me it would be over four hours until it was done charging it. When the MacBook Air got to 100%, the Blade HD still said four hours and 22 minutes. I thought maybe it was showing me how long it would take to charge the power bank itself back up, but I unplugged it from my laptop and into a charger, and it changed to say just a bit more than an hour left to fill it back up. But back to the volts and amps display. This sounds super nerdy, and I often have to ask my pocket electrical engineer to remind me of why I care. The most important thing to know is that volts times amps equals watts, and watts is the measure of power being delivered to your device. And what problem does it solve to know that? If you've been around battery-powered devices for any length of time, you have piles of little charger blocks lying around. If you inadvertently grab one from an older iPhone and use a USB-A to USB-C cable to, say, charge your power bank, it will show you on the big display that it's only charging at five volts at one amp, or a total of only five watts. And the Blade HD will tell you that it's gonna take ages to charge itself up. If you switch over to the cute little 35-watt USB-C charger Apple sells with the MacBook Air, then you'll see the display on the Blade HD change to say 20 volts at 1.78 amps. Sorry, 20 volts at 1.7 amps, which from our new-found math we know is 34 watts. While I wondered where that last watt had run off to, you can see at a glance, and with a tiny dab of arithmetic, whether you've grabbed a good charger or not.
I think after some extended use of the Blade HD, I'll be able to just look at the time remaining to charge, and if it looks like it'll take longer than I'm used to, then I'll go look at that volt-amp thing. I should mention that the maximum power the Blade HD can take in is 65 watts, which is the full-size charger for all except the largest MacBook Pros and big PC laptops. Now, every charger or power bank I've ever seen seems to have a little chart to tell you how much power you can deliver based on how many devices you plug in. The Blade HD is no different. Their chart shows one-port through four-port modes with all kinds of combinations that'll make your head spin. But think about this: both of the USB-C ports can provide 100 watts, but since we know this power bank has a total of 100 watts that it can provide, that can't be at the same time, right? Very deep in the graphic for two-port mode it says C1 plus C2, 65 watts plus 30 watts. Now, that gibberish means that the 100 watts gets divvied up into 65 watts and 30 watts, and again, I don't know where that last five watts wandered off to. But what I do know is this power bank could top up both my MacBook Air and my iPad Pro at the same time at pretty good speeds. I'll leave it as an exercise for the student to peruse the other 10 combinations they give in the graphics. The Omni20 has a big power button on the front, and if you forget to push it before plugging in your devices, it will not charge them at all. Likewise, if you forget to turn it off after charging, it keeps the lights on waiting for you. In contrast, the new Blade HD has a power button, but you only need to use it if you wanna check the battery status when you're not using it. When it appears to be off, you can plug in a device to be charged or a USB-C cable to charge it, and the display will light up to show you all the stats I've described.
Now I've gotten pretty good and used to remembering to turn the Omni on and off, but if I don't have to, that's one more thing I can offload from my little pea brain. Now I'm a little worried about scratching the display area on the Blade HD because that whole top 25% is shiny plastic. They provide a little sleeve to slide it into for protection, but it's kind of a creepy-feeling felt. It's really just like you don't really wanna touch it. It's also got a flap, but there's no way to secure the flap closed. It'd be nice if I could include the two-foot provided USB-C cable in that little sleeve too, but without being able to close it, it's just gonna fall right out. I have a perfect solution for this though. I bet if I whine enough, friend of the show and good friend of mine Sandy Foster will make me a better one. The bottom line is that I love having a huge power bank that can not only charge my laptop and big iPad but also my smaller devices. I find it one of the most useful devices when I'm away on travel, because I never have to hunt for that elusive power outlet beside the bed and have to decide whether to unplug the lamp or the clock radio at the hotel. The Omni20 will always have a place in my heart and will probably live out its days as a spare for friends and family in my home. I'm really happy with the Baseus Blade HD with its beautiful display, and especially that it's more powerful while also thinner and lighter than my previous device. Now, one thing you might be wondering about here: this device is 20,000 milliamp hours. Steve has a battery power bank that's also 20,000 milliamp hours, but it's really good at charging a lot of small devices. It's not appropriate to try to charge a MacBook Pro, or I'm not sure if we could do an iPad or not, but so I'm not dissing those smaller chargers. You might be saying, well, wait a minute, I've got a 20,000 milliamp hour battery and yours is 20,000 milliamp hours. Why is yours better than mine?
It's better because I can charge my entire laptop with it. So I wanted to make that clear at the end. Again, I'm super happy with the Baseus Blade HD.

I was listening to some folks talk about subscription fatigue, and I get that it's a real thing. I feel it myself with all of the television subscriptions we pay for, because I'm pretty sure we pay for all of them. If you're feeling subscription fatigue and that stops you from becoming a patron of the Podfeet podcasts through Patreon, boy, do I have a deal for you. For a one-time-only $100 donation by going to podfeet.com/paypal, you can get at least four ad-free episodes of the NosillaCast, Chit Chat Across the Pond Light and Programming By Stealth from now until I stop creating the shows. Yep, it's good for the lifetime of the podcast. Okay, so technically you can get the same offer for a dollar or for nothing at all, but please think about the value you get from the shows and consider making a donation, no matter how small or how large.

Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. Well, according to what Bart's been telling me, we better buckle up for this episode, huh? Oh, boy, it's a long time since I've started. I start writing the notes and then I know what I have, and normally it's fine. Wow, I was so surprised. So surprised. Well, it's been sleepy lately. That's true. Now, I think there's a reason why it all happened at once, is because there's a little thing called Black Hat Europe, one of the most important security conferences of the year, and while not every paper was presented there, I think the whole community is in sharing mode because the media are on board. So I think that's probably why it all came at once, but wowsers, do we have a lot to dive into. And we have some follow-up first.
You were definitely on the more skeptical side last time when I mentioned that Google had promised to eliminate third-party cookies in 2024, and I won't say I disagreed with you violently. But they have put a little bit of wood behind that arrow, and they have released some more details. They are phasing out personalization in some of their ad products. So if you don't do as much personalization, you have much less need for tracking of any kind, you know. So would this mean, if this comes to completion, that cross-site tracking would disappear? Not completely. But certainly in the current, very privacy-hostile way, yes. So Google have some... Within Google Search? Yes, Google have some interesting technology that is a less invasive way of giving somewhat personalized ads that we might talk about when it becomes more rolled out next year. So I'd be very curious to watch how 2024 develops. OK, it's all good news though. Not bad. Absolutely. Yes, absolutely. Very much switching tack here. We've talked about the 23andMe breach already, and at the time I expressed some skepticism of my own and shared the fact that many in the security industry felt that 23andMe were not being open, honest, transparent, and that there was a lot more going on than they were letting on. And we now have confirmation that exactly what we thought was happening is in fact what had happened. And they now admit that, yeah, well, we said it was only like a small percentage of our users. What we actually meant was 6.9 million. Are you kidding me? No, 6.9 million. Well, how many users do they have? I mean, if they have seven billion, like everybody. No, so... Still, that'd be a big number. Like we suspected, the issue is that anyone who used a sharing feature ended up being massively exposed. So it was actually only 14,000 passwords that were compromised, if memory serves. But because of the effect of all of the different linked profiles, that exploded into 6.9 million users. Oh, OK.
So 14,000 people: I'm connected to you, connected to Wing, connected to Steve, connected... Oh, geez. Yeah. Now, and then just in case I was judging them too harshly, they decided to prove that I was not being too harsh on them. They have updated their terms of service. And unless you reply within, I think it's 14 days of you getting the email, you have been forced into arbitration should you, for any reason, be cranky with the company. Oh, wow. So obviously, you know, the reason is because they want to avoid being sued over this data breach. So yay. Charming company. Then briefly. So last time we talked about there was a service, I think it was called Nothing or something, that was catastrophically awful in terms of security for Android people doing iMessage. And for most of this week, right up until about yesterday, it looked like we would have the inverse story this week, about a company having found a safe and secure method for Android people doing iMessage. And that story has taken a bit of a turn, because I feared it would be a cat and mouse game. And yep, it is a cat and mouse game. So Beeper Mini is an app that does exist and, depending on when you hear this, may or may not be working. What the people at Beeper did was, rather than take your iCloud login details, use them on a Mac virtual machine in the cloud and then sort of relay iCloud messages or iMessage messages to Android, which is how the bad service did it... And that's regular Beeper, not Beeper Mini. Beeper Mini did not route you through a virtual machine. Nothing to do with Beeper did the horrible thing of taking your username and password like the people from last week who we were so scathing about. So what they... right, but Beeper also had a service like that. But Beeper Mini is the one that was more interesting, that we're talking about right now. OK, I've got to say I didn't know about Beeper's history, I just know about the Mini one. OK, so they reverse engineered the protocol.
And so they effectively acted like an iPhone. And so they sent an appropriately formatted SMS message to the appropriate Apple server to do that thing your phone does to register itself. Now, you don't see this happening because it's all behind the scenes on iOS, but they tell you when you enable iMessage that you may end up being charged for one SMS message. And that's because there's a validation step that happens behind your back using the SMS protocol to prove that you are the owner of the cell phone number you are registering with iMessage. But instead of you having to manually type that, the operating system does it all for you, but there's an exchange there. And so the Beeper Mini people figured out all of the specifications for how you do that and all the formatting needed on the private keys. And they basically reverse engineered the whole protocol. And they were successfully able to get their app to talk iMessage to Apple's servers. There's even a really fun piece in the middle of that. The person who figured it out was a 14-year-old who posted how to do it on GitHub. Oh, I didn't know that. That's even cooler. Yeah, it is even cooler. Right, right. So it seemed like the perfect solution. Apple had that out there in their API. Beeper Mini is going to talk to it, allow Android people to talk over iMessage. Now the Beeper piece... Yay, everybody wins. Yeah, the Beeper people assumed it would be difficult for Apple to change things in the back end to lock them out, because they assumed it would mean that every single iPhone everywhere in the world would need to be updated to new software. And they assumed they would be safe for ages with their reverse engineering prowess. Turns out it took Apple two days to distinguish between the Beeper pretend iPhone and a real iPhone. I have no idea how Apple are able to figure out which requests are from actual iPhones and which requests are from Beeper Mini.
But something about how the message arrives tells Apple that they're not really Apple devices, and Apple blocked their access. The Beeper Mini people say they're working on a workaround. Wow, our delay is bad, Allison, because your video is even behind. Well, that'll explain it if we talk over each other. I had a little bit of trouble with editing the show from yesterday, so maybe. Anyway, yeah, so that cat and mouse didn't last very long at all. No. And initially we didn't know if it was Apple or if it was just something broke. But Apple have confirmed that, yeah, we blocked it because we considered this to be a security vulnerability, because they're reverse engineering our stuff and it opens iPhone users up to being spammed. You know what I would love to see is if Apple sent them whatever it is, the $30,000 for a bug bounty. I think there's rules around that. Yeah, that's not quite how it works. Oh, fine. But they could do it just for the comedy. True. True. So, yeah, that was the story of Beeper, not the story I thought I'd be writing in the show notes. Probably a good thing. I don't have to go into too much detail on it, because what we have instead as our first deep dive is a collection of unpatched vulnerabilities, which are the ones that I hate talking about most, because you always make my life very difficult when I have to tell you about these, because you make me say, OK, what can we do about this? And so I have some advice, right? But the advice is not patchy, patchy, patch, patch, because what all of these bugs have in common is there ain't none. So, yeah, I don't like those. That's what the word light was for, for a Security Bits. We were supposed to be... Yeah. But in this case, these are kind of, I guess it's good to know. Be aware. Yeah. So, OK, what I think, fine, the takeaway here is that the reality of our security has changed and we need to remake our judgments.
Do we accept the risk and keep living our digital life as we do now? Or do we alter our behavior to take account of this new reality? And I would suggest that for people who are not working in health care or somewhere where they have sensitive data that they actually may have a legal obligation to protect, or if they are working in an industry with trade secrets, that someone would be very interested in knowing how the widget works, or if they're, you know, doing some sort of activism or lawyering on behalf of someone who someone in power is cranky with, let alone, you know, being a diplomat or something. So those people actually probably need to change their behavior. And our NosillaCastaways, they're probably not diplomats. I don't know, they're unlikely to be world leaders that we don't know about yet, unless Al Gore listens or something. You never know. You never know. We got people from all walks of life here. But thinking there might be someone with medical information and stuff, that seems a lot more plausible. So I thought, yeah, OK, we should talk about these things. So first off, we have two completely different Bluetooth problems. And the reason I'm making a point of saying this, too, is because they broke so close to each other, I think a lot of people think it's the one problem. No, no, we have two whole different sets of problems. So the first set of problems has a fancy-pants name. It's called BLUFFS, B, L, U, F, F, S. And it is a backronym for something, but really it's just called BLUFFS. And what makes this one interesting is that it's not a bug in someone's implementation of Bluetooth. It's a problem in the spec. The spec itself, I hate those. Yeah, the spec itself allows for a combination of things that no one had quite thought of, which makes the security so weak it can be brute-forced in a matter of a couple of seconds on modern hardware. So it's not completely open, it's just effectively open.
And the effect of this whoopsie, in terms of the level of security, is that someone who's within Bluetooth range... This is the thankful saving grace with all of these Bluetooth things: to attack Bluetooth, you have to be close. So public transport, a conference, those kind of places, airports, they're all risky, but your office, you're fine. Your home, you're fine. Wait, wait a minute. Your office, you could have somebody in the next cubicle over. OK, if you're, sorry, generally speaking, if you're in an industry where you're at risk, you're working in an area that is behind a security barrier, right? You've badged in or whatever. So you're assuming that you're in a safe place. OK, I'm making a better assumption. Well, OK, so I work in a place where we badge in. So once we're badged in, we are now in a clean environment, so we're not... Sometime I'll give you a list of the things that people did that I had to fire. OK. Where people badged in with security clearances. Well, the insider threat is not zero, but yeah, it's not perfect. You know, it's all risks, right? That's all we're doing, we're just balancing risks, because the only way to be safe is to take your phone, encase it in concrete and throw it in the river. Well, this doesn't have anything to do with phones, though. Well, yes, and? Well, or it does. Actually, let's, let's... I haven't heard, we haven't heard what the bug is, right? So if the baddies are within Bluetooth range, they can use this weak encryption to inject their Bluetooth device as a machine in the middle, or an adversary in the middle, between your Bluetooth device and your computer or phone. So if you're wearing a set of headphones and you think you're having a private conversation, the person in the middle can hear everything you're saying and being said to you, because their Bluetooth device is between your headset and your phone or computer. Or, probably scarier, their keyboard.
They might inject themselves between your keyboard and your computer, and then they see all the keystrokes coming through because they're proxying those through. So it's a Bluetooth keylogger. Yeah, it's basically a Bluetooth anything. So whatever you're doing over Bluetooth, someone can be in the middle and be watching what you're doing. And I guess hypothetically even altering it if they really wanted to. I guess if they wanted to put a silly effect on your voice, they could alter it on the way through as well, because they are now in the middle, so they really could do anything, which in terms of keystrokes is actually scarier. It means that you could think... I have an even scarier scenario, Bart. Our phones are doing a lot to work with our cars, our Teslas, over Bluetooth. I do, like, security updates and software updates. They could trigger a software... They could trigger a software update, but they couldn't put malware into the car, because the software update itself is digitally signed. So nothing you do on the Bluetooth to trigger the update could cause the car to accept invalid firmware, because the firmware is checked itself. OK, it has to be... My phone has to be in my car talking with Bluetooth on for me to be able to drive my car. So the question then is, is the security of that key dependent on, is it built on the assumption that Bluetooth is secure, or is the security actually end to end and Bluetooth is just a carrier? And if Bluetooth is just a carrier, there's no security implication. So the answer is... I just wanted to make sure we weren't sleeping at night at all. Yeah, absolutely. Be absolutely sure. But again, it's all within Bluetooth, including driving my car. Yeah, so, you know, the key here is within Bluetooth range. So if you're a high-risk person, the answer is you turn Bluetooth off when you're in a place where you're not sure that there's no one within Bluetooth range, and that's the answer.
And then a few days after that news broke, we got a completely different piece of news which sounds very similar, because this bug allows an attacker not to become an adversary in the middle, but to attach an extra keyboard to your device and inject keystrokes. They get to pair a keyboard silently without you getting a pop-up saying, would you like to pair this keyboard, without you basically seeing that a keyboard has been paired. An extra keyboard is just accepted by the operating system, and whatever they type, the operating system goes, sir, yes, sir, I will enter those characters. Wait a minute. Wait a minute. Wait a minute. I can't even plug in a power supply without my Mac asking me, is it OK to, or do you trust this accessory? How can it connect and be listened to without... Because there's a bug in the dedicated... Like that? Because there's a bug in the Bluetooth implementation. Is this the same bug? The same bug? No, this is our second bug. This is completely unrelated. Yeah. So this is not an adversary in the middle. This is an extra keyboard. And it only works for keyboards. That's awesome, Bart. Yes, it is. So they can then, if they have a reason to believe that you're in a terminal window, they could very quickly throw in a little command to do whatever the heck they want, and it will just appear on your keyboard. And you will see it, right? So none of this is going to be invisible, because if someone types on a keyboard, you will see it. So if you see spooky characters appearing out of nowhere, either someone's broken into your screen sharing, in which case, aooga, aooga, or someone's broken into your Bluetooth, in which case, aooga, aooga. But if you see mystery characters on your computer, the answer is always turn it off now, straight away. Well, check first to see if a cat has walked on your keyboard, then. OK, fair. Yes. Yes. Look left, look right. Unplug. So you sort of dropped it in the middle of it.
On the BLUFFS one, that was a weakness in the encryption that's in the spec for Bluetooth. But the second one is something else. The second one is, yes, it's not in the spec. It's in the actual implementation in a whole bunch of operating systems. I assume there must be some sort of open source component that's broken, because what else do Android, iOS, Linux and macOS have in common if it isn't some sort of open source library? So not Windows. That's a fair point. So that does actually point the finger even more firmly at open source. I've just noticed that's missing from the list. Yeah. Sorry. My brain hadn't processed that little... Yeah. Yeah. The first one, BLUFFS, is that on both, on all of them as well? Universal, not just computers. That is, it's in the Bluetooth spec. So that is everything that has a Bluetooth between version 4.2 and 5.4. And 5.4 is the current, by the way. So that doesn't mean that if it's very, very, very new, it's safe. No, no, no. Anything less old than 4.2. So my Apple TV talking to my HomePod as a speaker? Yeah. Hypothetically. It's in between those. Yeah. Hypothetically, an adversary could get in the middle. Very little value, but yeah, they could inject themselves. But I totally want to do this to Steve. I'm going to start, like, singing when he's watching CNN and he's broadcasting it to the HomePod. I hope you figure out how to do that. You could gaslight someone. Yeah. What are you telling? If you inject an extra audio stream, you could have so much fun with people. That's up there with the proxy you can inject onto the public Wi-Fi to make every image go upside down. It's just a transparent HTTP proxy that uses ImageMagick to only flip the images. So all of the text comes through fine, but the internet goes upside down. It's called the Upside-Down-Ternet. It's a very cool way to mess with people. That's awesome. Yes. You can run it on a Raspberry Pi. Anyway, nothing we can do about it.
So again, it's a case of, if you see mystery characters, this might be why, but really, if you're an at-risk person, don't have Bluetooth on in a place where you're not sure that there's no baddie within, you know, Bluetooth range of you, so say 10 meters or whatever. So separating these two, if we look at the BLUFFS one, that's the adversary in the middle, does the spec have to be updated, and every vendor who has ever used Bluetooth would have to update to that new version? Not quite. They've found an interesting workaround. Well, what the Bluetooth coalition people, the people who manage Bluetooth, what they have said to every vendor is, you should do a firmware update to stop using this part of the spec. It won't actually break anything, because it's a part of the spec no one really needed. That's why we never discovered it was so broken. So the answer is that you're a... I thought you said it was encryption. It downgrades, it causes a downgrade attack that allows the baddies to jump themselves into the middle between the two devices. It's about the negotiation. Like, when you set up an encrypted discussion, there is a negotiation that happens to agree the protocol, right? Because everything that does encryption these days can negotiate the protocol, because otherwise everything would have to be in exactly the same set of cipher suites and stuff. So there's always a negotiation to set up encryption, and this negotiation allows a really, really, really, really bad negotiation to be possible. So if you get rid of the feature, you can make it so that the negotiation can never give this answer. OK, OK. So but that does still mean everybody has to comment out, or whatever is necessary... Don't worry about the term, yeah, sure. ...on the Bluetooth spec, on every single device that uses Bluetooth everywhere. Yes and no. OK. Yes and no, right? Because in order for a negotiation to work, both parties have to agree.
So if your phone stops accepting that part of the spec, it doesn't matter that the cheap Bluetooth headset you bought five years ago will never get the update, because your phone has decided it will never negotiate that. Therefore, right, the chain is broken. So if Apple update iOS and Google update Android and Apple update macOS and tvOS, then actually that's probably fine, because as long as one of the two parties in the negotiation... One of the pair. OK. OK. So it's not doom, doom, doom, but yeah, at the moment, turn off Bluetooth if you're not sure you're safe. Now the next one is one of those rare ones where we Mac people get to be smug, because this time it's not us. It is a problem with many, many, many implementations of UEFI, which is the follow-up to BIOS. So Apple were first to UEFI compared to the PC industry, that stuck around with icky, icky BIOS for years and years and years. But the PC industry is there now. This is firmware, right? Yeah. This is basically the thing that helps your motherboard to boot. It's the operating system of your motherboard before it even knows what a hard drive is. And it needs that operating system to find your operating system and then boot from there. And one of the things you can do with UEFI is put up a pretty logo while your machine boots, right? Apple put up the Apple logo, and nowadays Dell machines put up the pretty Dell logo. And that logo can be changed, because maybe your corporation wants to personalize your boot-up on your Dell laptop. So instead of it being a Dell logo, it's my company logo or something, right? I've never seen anyone use this ability. But like with so many things in IT, it's in the spec, it's there as a function, which means that UEFI contains a library to process images. It contains a parser, and parsers are notoriously difficult to write well. Look at all the PDF bugs we've had.
No one's ever thought that maybe we should be updating that image processing library every now and then so that we're not shipping 20-year-old code full of bugs that everyone knows about. Only that's exactly what lots and lots and lots of vendors have been doing by omission. When they wrote their first UEFI 10 years ago, they got the latest version of ImageMagick or something, probably not ImageMagick, but libpng or goodness knows what, but some reader of image files, and they baked it into their UEFI and they never thought about it ever again, because the logo still looks fine. But it's full of bugs. So that's problem number one: old, buggy code. Problem number two is that the cryptographic... So Secure Boot means that we cryptographically verify your firmware before we boot, and it does that by making a checksum of the firmware, comparing it to the digital signature, and then letting it boot if it passes. That's why you can't run an arbitrary OS on an iPhone. But the images are not considered part of the code. They're just awesome stuff that the code reads. So when calculating the checksum for Secure Boot, the image is not included. So the buggy code passes Secure Boot, loads the hacked image, and is then taken over. So it is an unremovable, permanent, pre-boot malware. So that means a firmware update can't fix it? A firmware update can, because... Oh, it can, but nothing short of a firmware update. You can nuke and pave, and completely, you could take the hard drive, hit it with a hammer, drive over it with your car and then burn it, stick in a new hard drive, and you're hacked again within seconds, because the problem has happened before the machine boots. It's in the UEFI. Wow. Wow. So the vendors' update can fix it, then. Yeah. That's what's going to happen eventually, but how many people actually apply these things? Very few. When I've had a firmware update, I haven't been given a choice. That's because we're Mac users.
And Apple just goes, yeah, you know, we're updating. So they could do that, couldn't they, force it? Well, no, because on a Windows machine Microsoft don't control the motherboard, because it's not vertically integrated. So if you have a motherboard from ATI or someone, how are ATI going to get into the mix? Or AMI, whatever, the, you know, Phoenix, these big vendors, how are they going to get into the mix? Now, they can't force you, because they're not vertically integrated. So I think, anyway, it doesn't really matter, because actually, cooperatively, actually, we need to step back a minute. How does a malicious image get into your UEFI? When your machine is hacked, the hackers can put this firmware in. Wait a second, maybe we should stop this problem by not letting the malware in in the first place. So this is a way of malware getting persistence, but your defense is all of your existing defense: not to get the malware in the first place. It means that if your machine gets hacked to bejesus, you now need to make sure that the firmware... Maybe just reflash the firmware to be sure. Just get the latest firmware and just reinstall it, because then you've nuked everything in there. But if you don't get hacked in the first place, no one can just exploit this without hacking you first. So it's persistent, so yes, it's bad, but actually the takeaway is it just means that you need to be sure you're not taking silly shortcuts. Don't download random stuff, which you shouldn't be doing anyway, because you're a high-risk person. So actually the message here is carry on, and your IT department need to be very aware that if you get hacked, they have to check that there's nothing gone horribly wrong in your UEFI, or you'll just be rehacked and rehacked and rehacked.
So this brings up something that I've heard a lot of people say. A friend of mine who's been hacked twice, Windows user, who knew that they got hacked, realized it, lost a bunch of money, they take their machine into Bob's PC Shop or Sally's PC Shop, and she says, don't worry, I cleaned all the malware out of it. And we've always said, you know, no, a nuke and pave is all you can do, but now there's an extra step. Yeah, reflash the firmware. Yeah, you're actually a good point. If you're not able to have someone who has the chops to do what we just said, then your answer is throw it in the bin, efficiently, in the electronic recycling bin. Yeah, yeah. And if you're a high-risk person, that's probably what your IT department are going to do. They might reuse that laptop for an underling, but you, the high-risk person, are not getting that laptop back if it's been hacked. But you could be a high-risk person who isn't... You could be a freelance news person. Yeah, then it's your money, and then you're having to make decisions. Yeah, yeah, risk management. So it's all risk management, Allison, all the way down. Now the next one... But I'm glad there is a way to fix it. That is a good point, yes. Silver lining found, well done. It's no medium again, phew. But this next story is almost in here because I think it's funny, and the takeaway here is that we regular folk don't need to panic just yet. But nonetheless, it would not be news if I said to you there's another speculative execution bug, because you would say, oh really, is it a day ending in Y? This one is hilarious because it exploits a feature that Intel haven't got around to shipping yet. It's a brand new feature in their upcoming CPUs. AMD have one model of CPU that already contains it, but it's in all of their future designs. This thing is so new almost no CPU has it, and they've discovered it's a speculative execution train wreck. It makes old speculative execution easier, and so the answer is we're just going to disable this feature in the OS. So the Linux
kernel already has an update. This is: don't use that feature. So, wow, I would have thought Intel, etc., would have learned by now. Apparently... You said this is AMD, right? And AMD too. Oh no, no, it's on both. It's on both. AMD have managed to ship one. I don't think you said the name of it. Well, so that's called SLAM. Yeah, we call it SLAM because the feature is LAM, which stands for something, but really it's all silly stuff at this stage. So they've added a new feature to the CPU, no one wanted it, it turns out to be a train wreck, and then we're going to disable the feature, and that's the solution. Anyway, I just thought it was too funny not to mention. Then we have... You think it should be on the checklist by now, wouldn't you think? I thought so. I genuinely, Allison, I thought that the end to this eternal nightmare of speculative execution was that the CPU vendors would stop rolling this feature into their CPUs. Nope. Nope, they haven't got the message. So speculative execution, though, can still be useful, right? Well, I mean, it is very useful. We're not allowed to ever have it again, is that the answer? I think the answer is a hybrid. So what's happening now is that what the CPU vendors are doing is they're adding new CPU instructions to temporarily disable speculative execution. And so software vendors, like, say you're writing OpenSSH, at the point in time when you're manipulating the SSH key, you send the CPU an instruction: disable all speculative execution. You do your secure work, and then you send the signal to the CPU saying we're good, and then the CPU goes back to being efficient and saving you lots and lots of processor time, until you maybe go to log into a website, and then your Firefox sends the signal to the CPU saying, oh, on this core over here that I'm using, turn off speculative execution. It does its thing, and then speculative execution goes back on. So this isn't, in fact, this isn't even the whole CPU, right? Because our CPUs are multi-core, so this is each core at a time. It's normally doing many
things at once, and there's now instructions to say, don't do that for a couple of minutes here. Not minutes, a couple of CPU cycles, a couple of microseconds. Let me do the secure thing, OK, and now go back to your risky behavior. That saves lots and lots of CPU cycles. So that is actually what's happening. Got it. Yeah, OK, so we're having our cake and eating it, in the sense that we do get optimization and we get security, but the problem is we now have added a workload onto software developers to remember to issue the low-level commands to the CPU to say go into secure mode. So it's a new avenue for vulnerabilities if they forget. Swings and roundabouts. Swings and roundabouts. The next one is... We're still in the list of unpatched problems, aren't we? Two left, but they both have nice names, if that helps. So 5Ghoul is a collection of bugs in 5G chips made by the two biggest makers of 5G chips, a wee company called Qualcomm and their upstart rival MediaTek. Qualcomm dominate the market utterly. So I was disturbed to read that there were lots of CVE numbers, so lots of separate vulnerabilities, and then I was relieved to read that every single one of them is denial of service. None of them are remote code execution or anything scary like that. It's denial of service. So, like, as in DDoS? Well, so, denial of service. No, DDoS is distributed denial of service. Denial of service is a broader term for it stops working. So if a bug makes something break, that's denial of service. If you make a web server break by sending it traffic from all over the internet so that there's no one source, that's distributed denial of service, because the problem has been spread out so you can't defend yourself. That's the D in DDoS. OK, so if I've got a 5G chip and it's got a denial of service, it just stops working? Yes. And in this case, so, most of the bugs just downgrade from 5G to 4G. So basically the chip goes, and it just goes to 4G, and so this has the advantage that you don't lose your cell connection. The
disadvantage is that you are now using 4G, which is a security train wreck compared to 5G, which is a security pile-up. 5G is less insecure. Yeah, 5G isn't great, but it's... I didn't know 4G was insecure. Oh yeah, when people talk about the cellular network is not safe, they mean 3G, 4G, GSM. 5G is less bad, because they've retired some of the protocols that were written in the 80s. But the problem is there's a lot of backwards compatibility, bad back... anyway. So one of the reasons you might use this was if you were going after, say... Actually, this actually happened, the chancellor of Germany, her phone was hacked. So if you're going after the new chancellor of Germany, who's not female anymore, you could trick their phone into 4G, which would make your job of attacking them easier, because they've now gone to a less secure network. So that's one way it's harmful. The other one, one of the other ones, is a little bit more annoying. It basically makes the chip lose its mind so completely that the only fix is to reboot your phone. So basically the entire cellular chip just goes, and your phone stops being a cell phone and just becomes a Wi-Fi device, because it's not just that it can't use 5G. So how does one get this exploited? Unfortunately, you just need to be connected to the cellular network. So all 5G chips from these two companies, you can just be... Not your phone stop working? Correct, until there is new firmware. Don't tell us about these things! Well, we can't do anything about this. Well, you kind of can. You can reboot your phone if you're going to lose 5G, because the most likely way this is going to affect a NosillaCastaway is a prankster of some sort. You know the way we have these things where if you're on an internet game and someone's winning too much, you knock them off the internet? Well, this is a new mechanism for knocking them off the internet. And so if your phone suddenly loses internet connectivity, give it a reboot. But I think really the biggest thing
is we are going to get firmware updates for all of our phones soon. Now, for those of us in iOS land, we're not going to have a choice, and we won't even know that it is a firmware update. It's just going to be a software update from Apple. We'll get a red badge and we'll do it. But people in Android land should be on the lookout for firmware updates from their vendor of choice and should apply them, because it's kind of important that your cell phone talk to the cellular network. I wonder whether firmware updates will come to phones that are not supported by Android anymore. Of course they won't. Well, it's up to the vendor. Shake your head, people can't hear that, Bart. Yeah, I figured... Bart's answering me by shaking his head. I figured you would fill in for me. Yeah, it's up to the vendor. They could hypothetically decide that even though we've stopped doing updates, we'll do one for this. I'm not sure I'd hold my breath. In fact, I'm quite sure I won't hold my breath is actually what I mean. Right, last bug: AutoSpill. Password managers in Android that use the official Android API for password managers are all vulnerable to leaking the password to a malicious app. So here's where we immediately jump to the silver lining here: if your Android phone is hacked, then the hackers can use AutoSpill to steal passwords as they auto-complete by your password manager. They can't read all of your vault, but they can sniff a password that gets revealed as the malicious app is watching. This is to do with a bug in Android's operating system's API, so Android can fix this, and Google will almost certainly do that and push a software update. But of course, if you're on one of those Android phones that never gets an update, then you really should stop using password managers until this is fixed, or don't let malware onto your phone. So is this only affecting, like, the built-in password manager of Android, or is it the real password manager companies? It's every real password manager company that uses the
official API, which ironically means Google's password manager isn't affected, because it doesn't use the Google API. I have no idea why they don't use their own API, but they don't. So 1Password... But what about 1Password? 1Password, top of the list, LastPass, KeePass, yes. Now 1Password have said, we are deploying our own mitigation that will protect our users even before Google fix the API. So they're saying, give us a couple of days, we're on this, we're actively working on a mitigation on our end so we can work around the problem now that we know about it. So that's actually... 1Password is going to get a fix before Android does, which is probably for the best given how difficult it is to get Android phones patched. And LastPass, bless their cotton socks, have also said they're on it. In fact, everyone who the BleepingComputer journalists reached out to, they all answered to say, yeah, we're going to do a mitigation, we're on it. So this is probably going to get fixed quickly. So I think the really big takeaway for our listeners is, when 1Password on Android offers you an update, yes, yes, yes, yes, yes, yes, ASAP, right? And I would suggest if they offered it to you on iOS, you should just say yes to that one too. Fair, yeah, to be honest, whether it has anything to do with this. True, although to be honest, they very rarely have security issues on the Android... on the iOS updates. They're usually my app crashes less and my app is nicer. But hey, I like it when my app crashes less and my app is nicer. Features are fun, right? So, Bart, you know, Dr.
Garry prides herself on calling herself the crusher of dreams, but I think you're coming in a close second here. I'm just the messenger. I'm just the messenger. Remember, for all of these, if you decide to take the risk, you're probably fine. There's nothing on that list today that is likely to affect a typical person today. If that ever changes, I will let you know that regular folk need to be careful. But people who are not regular folk need to be a little more careful, and everyone needs to patch everything ASAP. So it's not quite doom and gloom. It's not happy. No, OK, completely doom and gloom. OK, now this, the second deep dive, is the one I was expecting to be spending the day on. So you guys in the States have a wonderful, wonderfully rare thing: a politician who's good at technology, in the form of Senator Ron Wyden. If there was an award for most commonly praised politician in these show notes, Senator Wyden would win, because he is very on the ball, and I have yet to see him do something stupid when it comes to technology. No idea what else he gets up to, because I don't care, he's not my politician. But when it comes to technology and the law, he's fighting the good fight, often and continuously. And he very cleverly discovered... he became aware of a classified program which none of the tech companies were allowed to tell us, the regular folk, about, because they were under a gag order, because it was technically secret. But he wrote an open letter, which means it's not a secret anymore. So now Apple and Google have been able to tell us, actually, there's a whole other type of government request that we haven't included in our transparency reports, because we were legally prevented. So now we know that it is possible for law enforcement to send a request to Apple and Google saying, give me all of the metadata for push notifications to this Apple ID or this Google ID. And the biggest reason they want this is because it de-anonymizes anonymous services. So if
you are using an anonymous username on something like Signal or whatever, your push notifications can tie that username to an Apple ID, which means you have certainly, despite the fact that you're using an amazingly secure app, the push notification has outed you and connected the dots and de-anonymized it. Doesn't the push notification often include, like, Bart sent a telegram? It can include a lot, depending on the exact nature of the app and the exact content. I believe it's also possible for some of the content to be encrypted, but I'm not 100% sure what is and isn't in the clear. So it's described as metadata, so it may not be everything you see that is always in the clear, but it's nonetheless a significant avenue. It's a significant amount of information that definitely is being used to de-anonymize things, because even now we don't have all the answers. We just know that metadata is being shared with governments, plural. Don't know which ones. Interesting. Now, so the other silver lining here is that both Apple and Google were very fast out of the gate to say, from now on, every transparency report will include reporting on this avenue of surveillance. So the next biannual... What's the current word we use for semi-annual that isn't confusing? I think it's biannual. Anyway, six-monthly. I would contend both are confusing, but OK. Semi-annually. Someone somewhere came up with a new word recently that wasn't confusing. Twice a year. Twice a year, yeah. So from now on we're going to know about these things. We're going to know which governments, we're going to know how many. So that is a definite... So we're going to know, you're saying, you're saying we're going to know who asked for the data and what they got? Well, like with all the transparency reports, which countries, how much. OK, because they're always anonymized aggregates, right? So we just know how many. An interesting tidbit, because obviously Apple and Google, it's very unlikely Apple and Google were able to talk to each other about
this program. So Apple and Google are both forced to accommodate this and were both forced to be silent about it, but they've ended up with a different process. Apple were happy with just a subpoena, which means there's not always a judge involved, whereas Google managed to get away with requiring a court order, which means there always was a judge involved. So they obviously were having separate conversations with the government and didn't know what deal the other had gotten, and they ended up negotiating a different arrangement, and Apple's one was worse, which is very unusual. Just an interesting little side note that Apple were just accepting a subpoena whereas Google needed a court order. So, you know, on the whole we're better off for knowing, but we also don't know what else we don't know. If you want to be depressed, if you'd like a reason to be depressed, there you go. But let's not do that, right? We're not done yet. Action alerts. This is the patchy patch patch bit. This is the bit where there is a very easy answer to everything I'm about to tell you: patch now. OK, so first up, Google Chrome emergency update fixes sixth zero-day exploit in 2023. Patchy patchy patch patch. And if you're using another Chromium browser like Edge or Brave, you should also patch, because those browsers too have released updates to address these same problems. Apple have released lots of updates to address two zero-days in Safari that are under active exploitation. So if the Apple stuff is saying, I'd like to patch, yes, yes, yes, yes, patchy patchy patch patch. If you run the very popular app ownCloud on your NAS, patchy patchy patch patch, because there has been a nasty zero-day in that for a couple of weeks, and I didn't quite mention it on the show before because it's like, I'm not sure Allison would consider that appropriate for Security Light. But it's under active exploitation now, and I know people run it on their own NASs. So if you know the way you can install an app on your NAS to do, say,
what's that media thing people love doing? Plex. Yeah, well, you could also install ownCloud and then you could have basically a private, a private OneDrive in effect, only ownCloud is full of nasty bugs. You're such a shill for Microsoft, your first instinct is OneDrive. Sorry, I would have said Dropbox, but that's what my brain tried to say, but yeah, I mix up names. I actually meant Dropbox, because it's much... it's not really OneDrive, it's a Dropbox. That's even funnier. Yeah. A popular brand of NAS is Zyxel, not as popular as the... not Drobos, the new ones we like, that you and I both have, Synology. Synology. Not as popular as Synology, but there are a lot of Zyxels out there. Zyxel have patched lots of bugs, so if you have a Zyxel NAS, patchy patchy patch patch, because they're quite serious. If you have an Android phone you really want the December update, so as soon as you're permitted by your vendor, do that, because it's got some fairly nasty zero-days, including a zero-click remote code execution, which is basically browse wrong website, phone completely hacked. Very, very nasty, zero-click remote code execution.

Worthy warnings then. A lot of our audience, or no, there are quite a few people in our audience who use WordPress, say me and you for a start, but many more too, and we have mentioned recently that one of the cool features in WordPress is it can auto-update its own plugins, which is why it's interesting to me that there is a new type of spear phishing that has been spotted in the wild by Wordfence, who are a WordPress security company. There's so much WordPress on planet Earth that you can actually make a business securing WordPress as the entire reason for your company to exist, which is kind of cool. So Wordfence do that professionally, and they have a blog, and they often do some really cool stuff on that blog, and one of the things they posted in the last two weeks is a new story warning everyone of a new approach being used by WordPress hackers. They are sending out
fake emails pretending to be from WordPress Security, or "the WordPress Security Team" is actually the wording in the fake email, telling you that you have a vulnerable plugin on your WordPress site and you should patch yourself straight away, and here's a download link. Three prizes for guessing what that download link is, and the answer is not a fix to your problems. The answer is a plugin with a back door, so you will hack yourself if you do this. So WordPress don't email you. If you want to update your WordPress, you go into the WordPress app and let it pull the updates for you from the right place. Don't randomly install a plugin even if it pretends to be an update that someone emailed you, even if they say they're from the WordPress Security Team. That's not how it works. So you're... are you suggesting we don't click on links and install software? Yeah, yeah, I am, yeah. If someone emailed it to you out of the blue, no. Right. I have to tell you, since we last talked about this I did turn on the auto-updates to plugins, and I think Bart might have told me this before, because I had a couple of them updating, but I went through and I turned them all on auto-update, and I realized a really big advantage of auto-update is I get an email telling me when they auto-updated. So if something goes belly up, I know what just changed. When Allison goes to WordPress, to my WordPress site, and I see a red three, I go through and I go update, update, update, and then I forget completely which ones I just clicked update on. I mean, to be fair, it's almost always my theme, but man, they're busy over there, they're always updating. But now I don't have to. I get a little email going "I updated this, I updated that", and now I have essentially an audit log of what got changed. Yeah, and so I guess you can correlate it in time: oh, this started happening on the 14th of the month, and oh look, on the 13th this plugin was installed, ha, that'll be that then. Yeah, exactly right. I'm getting low on energy here, but don't worry, we
are into our final section that has content in it. We are in our notable news section. So I don't understand how these things happen. Memes are these strange things where some of them just take off, and someone in a law enforcement Twitter account in the United States posted a completely wrong-headed and factually incorrect warning about the dangers of iOS's shiny new feature NameDrop, that's been around for months now, telling everyone that it was going to steal their kids' data and they should turn off the entirety of... oh, that whole Continuity, just turn all of Continuity off, because otherwise you're in deep trouble. So in that Continuity, the sharing thing we love to hate because it works half the time. Well, NameDrop. That's AirDrop. No, no. Or AirDrop, but the setting is for all of AirDrop, right, so they were telling people to turn off all of AirDrop. Anyway, it's just wrong. Like, someone walking by you on the street can't just magically, through NameDrop, steal your stuff. Apple implemented the feature really well. So I have two links in the show notes, one to Cult of Mac explaining how Apple made it completely safe and secure, and another one to TidBITS making the argument that if you see this you should push back. If people start saying this to you, you should correct them, so that this stupid meme doesn't spread all over the place. It's just dangerous and bad, it's misinformation, stop it, it's fine. This, yeah, like you say, this is amazing how far-reaching that news... or it was a police department, I think, to start with, and it just spread like wildfire, but as fast as it was coming out I was seeing companies saying no no no no no no no no no no, but still didn't stop it, which is just like, why? Why is this still being spread by all their police departments? It's like just like a social network of police departments who are like, oh well, they tweeted it, we better tweet it too, because otherwise we'd look bad. So yeah, anyway, it spread far too fast. Anyway, next story we have then is a positive
example of artificial intelligence making things better, because that is going to happen too. I know we have all these worries and they're not unfounded, but it's not all one way. So phishing is about fooling humans. It's not about fooling computers, it's about fooling humans, which means that they do things like use letters that look a bit like other letters and spellings that look a bit like other spellings, so it's all very fuzzy, and computers without AI are very bad at fuzzy because they're very algorithmic, but AI is very good at fuzzy. Pattern recognition is what AI does. So Google have reinvented the back end of Gmail so that its spam detection is now using an AI which looks at email like a human and recognizes all of those tricks we humans fall for, because it's doing the same sort of fuzzy looking at things. So the end result is that people using Gmail should end up with way better spam filtering, because the spam filter is now looking at it in an analogous way to how humans look at it, so it's just going to be way more effective. Oh, excellent, excellent. I heard Tom Merritt talking about this, and I don't know why this just never occurred to me. He said, you ever wonder why the spam has misspelled words in it? It's because that gets it past the spam filters, which I thought was fascinating, because that's one of the things they can do, but I just had no idea that's one of the reasons they do that. And the other one is what we call homoglyphs, which is letters that look like other letters. So you have Cyrillic letters that are different code points in terms of UTF-8, but for all the world it looks like an A to me, the human, and so the computer is completely fooled but me, the human, is not. And that's another trick they love doing. So anyway, this is just a much better approach: don't do it the computer way, do it the human way. Yeah, yeah, I like it. Related story: the US, the UK and frankly 14 other countries who I couldn't be bothered listing have created a set of development guidelines to help
secure AI. A lot of people got all cranky because this isn't the answer to life, the universe and everything. It's like we went from zero to this, this isn't perfect, therefore we should be cranky about it, and my thinking was, we went from zero to this, yay, now do the next thing and the next thing and the next thing. So, you know, yes, they're multinational, yes, they're guidelines, but heck, you know, responsible companies have something to work with, and they didn't a week ago, so yay, and just keep doing better. There you go. And then finally I get to wrap up on two good news stories about Meta. How's that for an unexpected ending to this show? Yeah, I know. What? So first up, WhatsApp has developed a new feature where you can lock your secret chats with a separate code to your phone's code. So in that typical scenario where your phone is unlocked and you hand it to a friend to go look at your photos and they go "ha ha, I should go look at all their secret messages", when they go into WhatsApp, if you have set things up, there can be messages they can't see, and to see them they would need to know a secret code that you would know and they wouldn't. And what's really cool is you type the code into the search box, and when you type the magic word into the search box it unlocks the secret messages, so it's not even that there's a giant big locked message for the people to be all tempted by, it's like obfuscated and hidden, and then you enter the secret code into the search box and magic happens. I think it's cool. Makes you feel like a spy. Oh, that is nifty. So I thought that was cool, and then part of me was like, wait a second, I thought this had happened years ago, but although Facebook Messenger has supported optional end-to-end encryption, now it's on by default, and the turning of the default means that all of a sudden a lot more of the internet has just gone end-to-end encrypted. So well done, at long last, Meta. Facebook messages are now default end-to-end encrypted for one-to-one messages. That's a miracle. Yeah,
now palate cleansing. I actually... so I put my palate cleanser in the show notes and I sent Allison a message, I probably wasn't clear enough, I said please pop yours in. Nope, I never saw that. Yeah, I sent you a great one. Yeah, but I took it out of my brain as soon as I barfed it into yours. Yeah, and it seems to have missed... I'll do a search... seems to have missed my brain, because it didn't end up in my Pocket app, which meant that when I went to look for it I was like, oh poop, there should be one and I don't have it. Anyway, I'll vamp. I found it. Okay, I found it. Do you want to go first since you have it right there? Okay, go ahead. No, you go, you go first. Okay, you go first. So the NosillaCastaways are a wonderful bunch of people. Like Allison says, you're our people, but like us a lot of you love learning, and so the most recent episode of the Compiler podcast was just so up our ballpark. It's basically a whole bunch of advice for how to continue to learn forever and some good techniques for doing it and being successful at it, so I figured that sounds like something our listeners would listen to, so link in show notes, and over to you, Allison. I love it, I love it. Okay, so the thing I found was just... this is just so spectacular. On TikTok somebody posted a video of a 1984 Radio Shack commercial, and it's showing how they've now got this cell phone in the car, and it's great because the little girl asks her mommy can she call daddy on the cell phone, and it's that giant brick that you've seen in the old movies and everything, but then they talk about a fully portable version and it's only $2,500. Well, I ran cost of money on that from 1984 to 2023; that would be $7,400 for a cell phone. I think you could buy a car for that, let alone a car phone. Well, I bought a car right around that time for $2,800, so you could buy like three cars for that. I was just gonna say, yeah, no, my old Fiesta, that was my first ever car, cost significantly less than 7,000 euro. Significantly less. Yeah, I mean that is just
that is just amazing, and it's just a delightful commercial to watch, because, you know, it's just everything that's beautiful about that time period. So there is a link in the show notes if you can stand to watch TikTok. Yeah, and I shared the video with my darling beloved, and he made a very interesting observation, that the period of time when cell phones were so stupidly big is so small that today's youth don't remember it in any way, and they think it's a parody when they see these videos. They assume they're parodies because they look so silly, but I was like, no, that was real. My dad's first cell phone had a handle because it was the size of a briefcase, and you carried it out of the car like a briefcase and you put it down, opened it up and picked up the handset to talk. You know what's funny is they still know what phones look like. Like if you hand my granddaughter, who was three years old, you hand her a, you know, a play telephone, she knows to pick it up and hold it to her ear, but they look at this and they don't know what it is. Yeah, I guess cartoons or something, it must be, must be something that gets it into everyone's memory, but yeah, the time period of these stupidly large "portable", with every air quote imaginable, phones is so short that we don't remember it, which is kind of cool. We do have a family video that I cannot share, but it is one of the funniest things I've ever seen. It's Forbes when he was not quite two years old, and he's unfortunately butt naked, which is why you can't watch the video, but he has picked up the remote control for the bidet and he's holding it to his ear, and he doesn't know how to talk very well yet, and so he's just going, he's going "mommy, daddy, mommy, daddy, Dodger, mommy, daddy, okay, bye bye", waves at the phone and he hangs it up. Oh, they do absorb everything. But that looked like a cell phone to him. Yeah, you know, yeah, they absorb everything. That's wonderful. It's really wonderful. Really. Right, all right, I think our palates are cleansed. That was very
good actually. That was the perfect out there. That's a Security Bits' worth of news, that's not a Security Bits, that's much bigger. Anyway, the message is always the same: until next time, stay patched so you stay secure.

Well, that's gonna wind us up for this week. Did you know you can email me at allison@podfeet.com any time you like? If you have a question or suggestion, just send it on over. You can also follow me over on Mastodon, where I'm having a great time, at podfeet@chaos.social. Remember, everything good starts with podfeet.com. If you want to join in the conversation, you can join our Slack community at podfeet.com/slack, where you can talk to me and all of the other lovely NosillaCastaways. You can support the show at podfeet.com/patreon, or if you have subscription fatigue, remember you can send a million dollars in a one-time donation at podfeet.com/paypal. And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed. And happy birthday, Kelly, I hope you're under full sail with Dad.