Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Sunday, January 8th, 2023, and this is show number 922. And my voice is almost completely back and I'm hoping it lasts throughout the show. Speaking of that, we've only got one more show to do before Steve and I head off to Antarctica. While we're gone, Bart Busschots and Allister Jenks will be in charge of the show, so we will not lose our streak of, what is it, coming up on 18 years. I really, truly need you to give them content. Now, if you're already certain you're gonna be providing something, please let me know right away so that we know to count on it. We leave on the 17th of January, so you've pretty much got only one week from the day I'm recording this to get something into me so I can give it to them. I will not be very available, maybe a little bit available for the first week, like a text message here and there, but I won't be able to do anything in the second week, so please get those recordings in. This is a huge ask for them to do this favor for us and I hope you'll make it easier for them. In this week's episode of Programming by Stealth, Bart Busschots starts building out one more tool in our toolbox, shell scripts. Bart starts with the basics, explaining how to tell our little scripts which shell to run using the shebang line, which is just fun to say. He talks about the structure of shell scripts, commenting, assigning and using variables, and how to write strings without having to escape every space and unusual character. Now throughout the installment, Bart refers back to things we learned in Taming the Terminal, which is a podcast we did a long time ago. If you haven't listened to or read that series, you can download the book that Helma helped us to produce from all the content that we made from the Apple Bookstore. You can download that book or you can access it in beautiful HTML.
Both of these have the audio of the podcast embedded within, and you can find even more formats if you go to podfeet.com slash TTT book. And of course, you can listen to this episode of Programming by Stealth, number 143, in your podcatcher of choice. My favorite tutorials to do for ScreenCastsOnline are the ones for software that I've been using for a long time that solve real problems for me. This week, my tutorial on the awesome tool Under My Roof was published on ScreenCastsOnline. Under My Roof is available from Binary Formations. The purpose of Under My Roof is to help you keep track of everything within your home. Now, it used to be called Home Inventory, but they expanded it to do so much more. Under My Roof helps you store information about your stuff, so you can store the make, model number, serial number, receipts and other important information about your belongings. But you can keep track of warranty status for your items too, and store photos of your items, which is essential in filing an insurance claim. Sadly, I found out about that one firsthand. Speaking of insurance, you can keep track of insurance policies and coverage information for your home in Under My Roof. You can keep track of mortgage or rental documents for your home and get notifications on regular maintenance needs. You can even organize home improvement projects in Under My Roof. If you're a collector, you'll find the features of Under My Roof an invaluable way to keep track of valuations and certificates of authenticity and to group your collections. When it comes time to move, Under My Roof even helps you by letting you record what you put in each box with photos, and when you arrive in your new home, you'll be able to find that spaghetti strainer you need on the first night. If you store a box away in a closet to be unpacked later, you can even record that. As you can tell, I'm a huge fan of Under My Roof and it was really fun to make this tutorial.
I hope you'll check out the free seven-day trial of ScreenCastsOnline at screencastsonline.com or by subscribing to the service. A few times over the past couple of years, I've mentioned an app called Sizzy that Helma from the Netherlands recommended to me. Sizzy is a very slick tool for people who are developing websites and web apps. The main problem it solved for Helma and me is that it shows you what your web app or site will look like on a whole bunch of different platforms at once. If you make a site that looks great on your Mac but squished on an iPhone SE, it's not useful at all. Sizzy can show you the site on the SE and a Galaxy Tab and a portrait-mode iPad and more. Helma discovered Sizzy in Setapp and turned me on to it. I kept meaning to do a review, but it was a pretty high-end tool and had so much more built-in capability that I didn't use or understand that I never did a review. Well, a few months ago, we discovered that Sizzy had been removed from Setapp and we were both super sad. I looked into buying Sizzy, but it's a subscription model with the least expensive pricing being $12 a month. For how little I actually code, I simply couldn't justify the price. Now, if you do web development for a living, I highly recommend you check out Sizzy and see if it can help you in your work, as it does a ton of stuff I don't even understand. It just wasn't right for me, but I was sad to lose the responsive design mode that I used in Sizzy. This week, Helma discovered something wonderful. The lovely people at Mozilla have come out with a Developer Edition of Firefox that includes tools to view your sites and test the responsive design on a whole bunch of different platforms. Of course, since it's from Mozilla, it's free. With the Firefox Developer Edition, you can navigate to the site you wanna test, and then in the toolbar on the right side is a wrench, and under that is an option for Responsive Design Mode, or you can use the keystroke Option-Command-M.
Immediately, the layout of the website you've navigated to will change to reflect one of the screen sizes. Mine defaulted to an iPhone 11 Pro, but there's a dropdown to show many more options. It looks like the list isn't super up to date because it maxes out at the iPhone 13 Pro. It includes the Galaxy Note 20, Galaxy 10, the 10 Plus, it's got Pixels, it's got Kindle Fires. It's full of options. Now at the bottom of the dropdown, it even has an option to edit this list, and from there, a grid of lots more devices. You can check and uncheck them to make your dropdown list show just the devices you'd like to see. If you don't see a device you really need in the grid, you can create it yourself with the Create Custom option. Now you probably wanna explore the new features to help you master the CSS grid, find inactive CSS, or work more quickly with their fonts panel and more. Now, I'm delighted that I have an easy way to get the one feature I used in Sizzy, and for the glorious price of free. Now, after I wrote up this glorious discovery, I tooted it out on Mastodon and a bunch of other places. Scottish Wildcat tooted me back with this, quote, you don't need the Developer Edition for this. As far as I know, it's available in all versions of Firefox. Chrome and Safari have very similar tools too. Can you believe it? So I jumped into regular Firefox and sure enough, under the Tools menu in Browser Tools is Responsive Design Mode, which brings up the exact same thing I was so excited about in the Developer Edition of Firefox. Here I thought Helma and I had made fire. I feel silly, but I'd much rather feel silly now than never know that the tools were right there. In Safari, you have to do a smidge more work. This was work I'd already done. Open Safari Settings, or Preferences if you're on a macOS before Ventura, select the Advanced tab, and at the bottom you'll see a checkbox to show the Develop menu in the menu bar.
Once you close Settings or Preferences, depending on the version you're on for Safari, you'll now see the Develop menu between Bookmarks and Window. It's a very long menu with lots of cool stuff in it, but I think it's the seventh item down that says Responsive Design Mode. It can also be triggered with Control-Command-R. You'll be rewarded with little icons for the major Apple products, but only up to the iPhone 8 Plus, so I guess Firefox isn't actually that far behind. In typical Apple fashion, it doesn't include any Android tablets or phones, but it does have three screen resolutions you can test. Unlike Firefox, you can't rotate to landscape mode either, so Firefox is a lot better. It's sweet that Apple tried, but I'll be using regular Firefox for testing responsive design of my web apps and websites. I'm so glad that Scottish Wildcat corrected me, especially before I talked about it on the podcast. By the way, he also goes by Callum in many of the online forums for the podcast. Wait, wait, this just in. This is the value of having the live show. When I said that Safari didn't let you switch to portrait mode, I was wrong. Allister pointed out that if you click on the little icons for the iPad, the iPhone, whatever you're looking at, it actually switches to portrait mode, but it has three modes. It's got landscape, portrait, and then it's got a split mode. I'm not sure that split mode's really useful because I have it set up for the iPad Pro 12.9, and when I go into split mode, it's this really tall, thin view, and that's not what it would look like on a 12.9 inch iPad Pro, I don't think. But anyway, good to know. Actually it was Bill who said that the third one was split mode, because I was very confused about what the weird one looked like. So anyway, unjustly accused, you can look at landscape and portrait mode in Safari's developer tools in the Responsive Design Mode. Wait, wait, this just in. Allister just corrected me yet again.
It turns out as you keep clicking on the iPads, it's cycling through all of the different split modes that an iPad can show you. So that's why it was real tall and skinny. He says that it's seven total clicks to go through all of the different modes. I am done correcting myself. This is it. This wasn't that interesting of a story, but I couldn't resist telling you one more correction. Mermaid diagrams won't replace diagrams.net as my diagramming tool of choice, but they're still pretty cool. I've been having a lot of fun lately with this tool called Mermaid for making diagrams. I've hesitated about whether to tell you about Mermaid diagrams for two reasons. One reason for my hesitance is that they're a pretty nerdy way to make diagrams that's a lot harder than using my beloved drag-and-drop diagrams.net. The other reason is that Bart already taught us a bit about Mermaid in Programming by Stealth installment 141. Now Bart's instructions were how to make something called UML class diagrams in Mermaid, and these are made specifically for programming. We'll be using UML class diagrams in the project to port XKpasswd to a modern JavaScript version. His instructions did everything from the command line in the Terminal, which is great for a programming audience, but I wanted to see if I could teach Mermaid diagrams in a way where normal people could do it. I've discovered there's a far less nerdy way to create Mermaid diagrams that I might talk you into trying, and an example of a type of diagram you might wanna make, a simple flowchart. I first learned about Mermaid diagrams back when I reviewed the note-taking app Joplin a year or two ago. In my description of Mermaid diagrams, I said, I learned just enough to be impressed and amazed that Mermaid exists, and then practiced a little bit inside Joplin and learned that it was too nerdy even for me.
Well, I pride myself on becoming nerdier every year, and after having Bart walk us through the UML class diagrams example, I got the itch to try them again, and they're simpler than I realized. Let's talk about why Mermaid is nerdy. Instead of dragging and dropping boxes and lines onto a canvas through a graphical user interface, you create diagrams using only a plain text file. For example, let's say we're drawing a flowchart and you want a rectangular box with text in it. You just type the text between square brackets. If you want the box to have rounded corners, use round brackets instead. Want a line with an arrowhead between the two boxes? Simply type two dashes and a right angle bracket. That's not too hard, is it? Well, let's talk about what problem it solves to use Mermaid text files for diagramming instead of a graphical user interface. There are a couple of advantages that may or may not be compelling for you, but with any luck, you'll enjoy learning about them even if you never use them in anger yourself. Plain text files are easier to share between people who need to collaborate. If I create a nifty diagram in a GUI interface, I'll usually export it to an image file before I share it with someone. There's no way for you to collaborate with me and edit that graphic file. To collaborate, I'd have to convince you to get an account on the same service I'm using, and then the service would have to support sharing and version control, and it's messy. Using a text file for collaboration means you and I can use any text editor we want and any file sharing service to do the collaboration. In Programming by Stealth, we've learned about using something called version control for our code. That lets people keep copies of the same code all over the place on their own machines and online with services like GitHub or Bitbucket. When one person changes the code, the changes can be pushed around to the other copies, and yet the changes are tracked.
So if mistakes are made, or should I say when mistakes are made, they can actually be reversed. If I create a diagram in a text file, we can put it in version control and collaborate even more easily. That's kind of nerd-level stuff though, so let's get back to our mainstream needs. If a Mermaid diagram is well written, it could actually be an accessible form of the graphical image. A PNG image file embedded on a website would be pretty hard to describe fully in alt text. Having a link to the Mermaid text file might be a good alternative. Finally, text files are way, way, way, way smaller than pretty much any other file type. The diagram I made for the Programming by Stealth project has seven boxes on it. It has cute little icons in it. Some boxes are round, some are square, they're different colors, and I have solid and dashed lines. The entire file is one kilobyte. Not joking, one whole kilobyte. Well, in Programming by Stealth, Bart taught us how to install Mermaid using something called Node.js, all from the command line. This adds a giant folder of modules to the folder where you create the diagrams. He taught us to create the text file for the diagram in any text editor, but then we had to run Mermaid from the command line. So we had to tell Mermaid where to find the input text file, what to call the output image file, and it takes a few seconds to run, and then we are able to double-click on the PNG to open it to see if it looks like what we're hoping for. All of this is perfectly normal in programming world. It works, but to be honest, it's a tedious process. I was delighted to find out that there are text editors out there that will allow you to create your diagrams and see them changing in real time as you're typing. Mermaid has a terrific user manual, and one section is all about tools that have integrated Mermaid diagrams. There are pages and pages of tools, but I wanted to focus specifically on text editors.
A few of the tools listed have native support for Mermaid, meaning you don't need to install any plugins or extensions. Apps we've mentioned on the NosillaCast before that include native support for Mermaid include Joplin, as I mentioned earlier, Notion, and Al's favorite, Obsidian. They all have free versions. There's also a website called Mermaid Live where you can create your masterpiece diagram and see it created automatically right in front of you. The Mermaid Live Editor is a great place to learn the tool, but as my father would have said, it's ugly as sin. Pick any one of these tools and you can play along with this very basic introductory lesson on making Mermaid diagrams. Okay, enough about the tools. Let's get into the meat of how to write in Mermaid to create diagrams. The documentation on Mermaid, I've said it once, I'm gonna keep saying it, it is superb. They start you out really slow and they just add on little tiny bits, more and more concepts, to help you enhance your diagrams. So as an experiment here, let's build up a simple flowchart and see how far we can get. Let's make a diagram to explain the different shows at the Podfeet Podcasts. We'll create a box at the top that says Podfeet Podcasts, then three boxes below that for NosillaCast, Chit Chat Across the Pond, and Taming the Terminal. Below Chit Chat Across the Pond, we need two more boxes for Chit Chat Across the Pond Lite and Programming by Stealth. Once we get those basic blocks in place, we can start having some fun styling our diagrams. The first thing to type in your text editor is the type of diagram you want. Mermaid can create a lot of different diagram types, including flowcharts, Gantt charts, pie charts, mind maps and more. We need to tell Mermaid we're going to create a flowchart, and we need to tell it whether we wanna go left to right or we wanna go top down. Since we want ours top down, we simply type in our text editor, flowchart, space, TD for top down.
All right, we want Podfeet Podcasts in a square box, or I should say a rectangular box, at the top, so we'll put Podfeet Podcasts between square brackets. Now every node you create in a diagram has to have an ID, but we can make that ID any name we want, and it can't have any spaces in it. I like short names because they're easier to type. So I'll call this first node PP. There's the added bonus that saying PP out loud makes me giggle because I have the maturity of a seven-year-old. Now we get to put the name PP, or we need to, I should say, put the name PP cuddled up against the node text in its brackets. So putting all this information together, we write PP, square bracket, Podfeet Podcasts, close square bracket. That's not too bad, right? Now as soon as I enter those two simple lines of text, the one that says flowchart TD and the one that says PP Podfeet Podcasts, I am rewarded with a rectangular box that says Podfeet Podcasts inside it. All right, that didn't hurt too much, did it? If I type NC, square bracket, NosillaCast, square bracket on a new line, I get a second node, but it gets drawn side by side with the first Podfeet Podcasts node. That's because I haven't yet told Mermaid about any relationship between the two nodes. On the second line, before it says NC, I can put dash dash angle bracket, and this instantly drops the NosillaCast down, and we have a lovely diagram with Podfeet Podcasts in a box with an arrowed line going down to NosillaCast in a box below it. Works perfectly. Now think about that, I've hardly typed anything and I've got this part of the diagram done, and in literally three lines of text, we've drawn a diagram. And that felt really powerful to me when I did it the first time. Okay, so we have Podfeet Podcasts above NosillaCast with an arrow going down, but we need three arrows going down to three boxes.
Since all of these nodes should be below Podfeet Podcasts, we type them on the same line as the NosillaCast node with an ampersand between them. So the text says arrow, NosillaCast, ampersand, Chit Chat Across the Pond, ampersand, Taming the Terminal. Now we see three podcasts in rectangular boxes below Podfeet Podcasts with lovely arrows going to them. Now it's starting to look pretty good, but the boxes are getting super wide because Mermaid doesn't automatically word wrap text. So it'll just keep growing wider and wider and wider the more you type into the box. We need to add some line breaks in our nodes. In HTML, the way you insert a line break is with the text br between two angle brackets, and we can actually use that same syntax within Mermaid diagrams. With some well-placed breaks, the diagram looks much better now, but the text in Mermaid is definitely starting to look very messy. Building it up piece by piece like this helps us to understand it, but at first glance, it kinda looks like a cat just walked across your keyboard. We're gonna clean it up in a moment to make it more readable. For our final piece of content, we wanna add Chit Chat Across the Pond Lite and Programming by Stealth below Chit Chat Across the Pond with arrows going down to them. Now we could, if we hated ourselves, embed those last two blocks in the same line we just created with NosillaCast and Chit Chat Across the Pond, but there's an easier way. Once you've created a node, you can just reference it again by its ID name, like NC or TTT for Taming the Terminal. In fact, as I was writing this up, I did some experiments and I learned that we can make everything look much simpler. Think of each node as a variable you've assigned. The variable name NC has a value of NosillaCast. The variable CCATPL has the value of Chit Chat Across the Pond Lite.
We could define each of these variable nodes on their own simple-looking line with no information about the relationship, so it's not gonna look so messy. Then later in the file, we can write the relationships using only those variable names, and it's gonna look much cleaner. So I created a set of node definitions that just says PP, square bracket, Podfeet Podcasts. The next line says NC, square bracket, NosillaCast. I did all of them all in a row. Now the relationships are easy and clean to read. PP on one line, and on the next line, I put my arrow symbol and I can write NC ampersand CCATP ampersand TTT, and I keep going through the diagram. Now it's a lot easier to read and it looks like way fewer cat steps went on that keyboard. I've got a lot of screenshots in the show notes, and if you look at these, I hope you'll experience the joy I felt as I learned more about how to do this, and I think that's why it's so fun. The discovery of what I could do with this was really cool. So we now have our full relationship diagram created in just a few lines of text, but to be honest, it's kind of boring. We can add some styling to the boxes for our nodes. To each individual node, we could add text to define the text color, the fill color and more, but there's a cleaner way of doing it on every node. We can define classes with that information and then add the class names to all of the nodes that we need to have that change to those colors. The way you define a class is with the word classDef followed by the name you choose for the class definition and then the colors. So let's define a class called top and we'll make the text white with the fill color red. We write classDef top color colon white comma fill colon red, very simple. Then we assign the class top to our top node PP by writing class PP top. I know this is starting to get a little tangled probably if you're hearing it, but again, good graphics in the show notes and all the text is there too.
But basically all I did was define a class and then assign that class to one of the boxes. Those two lines can sit anywhere in your diagram text that you like. I prefer them at the bottom. The advantage of assigning classes isn't obvious when you only have one node with the class, like top, but now that we know how to create and assign classes, we can assign the same color and fill to the rest of the nodes. I added one more class called podcasts and declared that they should all be color white, the text color, and filled with blue. I could then add the class to multiple nodes in one line by typing class followed by each node name separated by commas and then the name of the classDef. So now my text file has three sections: a listing of all the variable names for each node, three lines that create the diagram with the arrows, and the section that defines the classes and assigns those attributes to the nodes. My diagram now has Podfeet Podcasts in red with white letters at the top, and all of the other nodes are blue with white text. It's rather pretty now. Now I was pretty happy with the diagram, but I'd like to have a way to maybe make the propeller beanie shows, Taming the Terminal and Programming by Stealth, have a different shape. I mentioned at the beginning that putting the text of the node inside square brackets makes sharp-cornered rectangles and round brackets made them rounded rectangles. Turns out there's a lot more shapes you can easily designate by changing those brackets. Now, I don't bother remembering how to do fancy things like this in Mermaid because I can always refer to that terrific user manual for Mermaid. In the left sidebar, you can see different types of diagrams you can make, and if you select flowchart, now the right sidebar shows you the different sections. I open this as a reference, so now I can select node shapes to find a better shape.
I wanted to find a shape that looked nerdy so I could assign it to Taming the Terminal and Programming by Stealth. One of the options is called a subroutine box, which is just a rectangle with an extra vertical line on the right and left. You make those with double square brackets around your node. That was a little bit nerdy, but ooh, how about a box that has kind of pointy edges on either side, like an elongated hexagon. They call this a code box, and you make that using two curly brackets on either side of your node. I think green would be a nice color for them. I created another class called nerds and I assigned it to the Taming the Terminal and Programming by Stealth podcasts. Instantly I had green nerdy boxes for the two nerd podcasts. Now one thing that can make your node stand out even more is to add Font Awesome icons. Well, this is possible, but the developer of the app or service you're using to create your Mermaid diagrams has to enable it, and Mermaid only supports Font Awesome 4 and 5, not version 6. Creating Mermaid diagrams from the command line does let you put the cute little Font Awesome icons in it, but none of the easy-to-use text editors I tested support it. So sadly we'll have to abandon it for this lesson. Now there's a lot more you can do with Mermaid diagrams, but let's just do one more fun thing. Let's change the way the arrow line looks that goes to our two nerd podcast nodes. We've been using the syntax dash dash angle bracket to designate a line with an arrowhead. We can make that a dotted line if we just stick a dot between the two dashes instead. So it's dash dot dash angle bracket. Now we have to rearrange the relationship lines a smidge to get the dotted line to go just from PP to TTT, and that makes the text a tad longer, but it was still super readable. We can make the line designation even more interesting by adding some text to the dotted lines for the nerd podcasts.
Instead of dash dot dash angle bracket, we can interrupt that by putting text between two dots. So I put in dash dot nerds dot dash and then the angle bracket. Well, this was looking snazzy, but I wasn't happy with how the lines curved on my diagram by default. I found a section in the manual on styling line curves. Well, I've got a warning here. This is gonna look like the nerdiest part of your diagram and I don't even understand all of the syntax, but to change the default styling of your lines in Mermaid, you put an initialization line at the top in which you can describe the default curve shape. I tried out the different options from the manual, and the linear shape looked best to me. Instead of wide swoopy curves, the diagram now has diagonal lines that sharply turn downward, and the word nerds sits nicely at the corner. I had to stop here because I could keep tweaking this diagram all day and learning more and more cool things I could do with Mermaid. My final masterpiece is a grand total of 26 lines and it's actually human readable. Now you can do a whole lot more with Mermaid than I've described here, but as I said, I had to stop. Hopefully what I've explained tickles your interest to go play with it and see what it can do to help you make fun, interesting diagrams in plain text. Well, I tried to get off easy and just wrap up this article, thinking you might not notice I didn't tell you what you can actually do with the Mermaid diagram after you create it, but it bothered me that I didn't know the answer to that question myself. You can see your pretty diagrams in your text editor of choice, but how do you share it with someone else? Ideally, I'd like to be able to send someone a PNG image file. Well, if you're a nerd, there's a lot of great options. Both GitLab and GitHub have integrated Mermaid diagrams into their services. This makes a lot of sense because, as I explained, having version control and plain text files is the whole reason for being for these services.
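For anyone who wants to type along rather than reconstruct the file from the screenshots, here is the whole flowchart described above gathered into one text file. This is an added example, not the actual file from the show notes: the node IDs follow the ones named in the walkthrough, but the exact label text, the line breaks, the named colors, and which links get the dotted "nerds" treatment are assumptions, and the relationships are written in the standard single-line form (source, arrow, targets on one line) so they parse in any Mermaid-aware tool.

```mermaid
%%{init: {'flowchart': {'curve': 'linear'}}}%%
flowchart TD
    %% Node definitions: ID cuddled up against the label in its brackets.
    %% Square brackets give a rectangle; double curly brackets give the
    %% elongated hexagon used for the two nerd podcasts. <br> forces a
    %% line break because Mermaid does not word-wrap on its own.
    PP[Podfeet<br>Podcasts]
    NC[NosillaCast]
    CCATP[Chit Chat<br>Across the Pond]
    TTT{{Taming<br>the Terminal}}
    CCATPL[Chit Chat Across<br>the Pond Lite]
    PBS{{Programming<br>by Stealth}}

    %% Relationships, referring to the nodes only by ID.
    %% --> is a solid arrow; -. text .-> is a dotted arrow carrying a label.
    PP --> NC & CCATP
    PP -. nerds .-> TTT
    CCATP --> CCATPL
    CCATP -. nerds .-> PBS

    %% Styling: define classes once, then assign them to one or many nodes.
    classDef top color:white,fill:red
    classDef podcasts color:white,fill:blue
    classDef nerds color:white,fill:green
    class PP top
    class NC,CCATP,CCATPL podcasts
    class TTT,PBS nerds
```

Paste the block into the Mermaid Live Editor, or into a note in Joplin or Obsidian inside a fence marked mermaid, and it renders as described: the red Podfeet Podcasts box at the top, blue rectangles for the regular shows, green hexagons for the two nerd shows reached by dotted arrows labelled "nerds", and straight diagonal lines rather than swoopy curves thanks to the init line at the top. Delete that first line to get the default curves back.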
Version control with image files isn't as practical because you have to keep recreating and replacing the images. Since Mermaid diagrams are just text files, they're purpose-built to work with Git. But the whole point of this article was to teach the less nerdy amongst us how to make Mermaid diagrams. So we need a simpler, muggle-level way to actually publish a graphic image of a Mermaid diagram. The obvious solution is to simply export the graphic image from one of the text editor tools I mentioned, or so you would think. Let's talk through a few of the options I tried. Now, Obsidian, Al's favorite, is a bit weird for my taste with its concept of vaults, and I actually ended up in a condition where I couldn't open any of my files, but when it was in a good mood it worked well to create Mermaid diagrams and view them graphically. While Obsidian won't let you export as a PNG, it will let you export to PDF. If you open the PDF in Preview, you can then save it as a PNG. From there, you can then crop the giant white canvas Obsidian gives you in the PDF down to just the diagram. Now, while that's an annoying two-step process, the good news is that the resolution is really good, so you can expand it to be pretty big. The one I created came out 1472 by 945 pixels and it looked beautiful. Notion worked well too to create Mermaid diagrams and even has a specific integration for them, but for the life of me I could not find any way whatsoever to export the image file in any format at all. If anyone can figure out how the heck to get Mermaid diagrams out of Notion, I'm all ears. Now Notion is marketed as a collaboration tool, so maybe Mermaid diagrams captive inside the tool could still be useful for teams. I prefer tools that let you import and export data. Now Joplin, like Obsidian, allows you to export PDFs, so we have to do the same dance to save as a PNG and then crop a giant white canvas down to that image.
Again, the good news is that the resulting image was pretty high resolution, so this method does work. Still, it's weird not to just be able to export an image file, but that workaround does give the desired image size. Now nerds use a tool called VS Code, or Visual Studio Code, written by Microsoft, and it actually works quite well for creating Mermaid diagrams, and it's free, and you can use it even if you're not a self-proclaimed nerd. That is, if you install a plugin for visualization. The one I was using that nicely rendered my Markdown text worked perfectly. Guess what? I couldn't figure out how to export from VS Code. I tested a few more plugins that were supposed to allow the user to export the graphic, but I couldn't get them to work. Even worse, they disabled the Markdown rendering plugin I was using originally. I ended up messing all my plugins up, and luckily I opened it a few days later and it was all fixed again, so I'm afraid to touch that again. So VS Code export was not successful. And now for a diversion that will eventually answer the question of how you can easily export Mermaid diagrams to a PNG. As I was fussing around with all of this, I posted a question on Mastodon, I tooted it, and I asked what do people actually do with Mermaid diagrams if you can't export them anywhere, and it resulted in a fun new friendship with a gentleman named Ed Ross. Ed and I exchanged around 20 messages about Mermaid and we did a whole bunch of experiments together. The funny part is that Ed had never seen a Mermaid diagram before we started talking, but he quickly descended into my madness with me. He learned them on the fly as we were chatting and he ended up down a whole new path. Now Ed decided to try to use ChatGPT to create Mermaid diagrams. I know this has nothing to do with how to export them, but it was so much fun.
In case you don't know about it, ChatGPT is an OpenAI tool that allows you to ask questions in text, and using its dataset from scraping all openly accessible data on the web it develops an answer. ChatGPT is often wrong because humans are often wrong and humans have written the content in its dataset, but ChatGPT can be a useful tool if you know how to vet the information it provides you. For example, Ed asked it to create a mermaid diagram to show the relationships of the Simpsons family. Of course he did, and it created a correct representation. Now I tried to replicate Ed's experiment, but the output from my ChatGPT query returned the wrong syntax for the mermaid diagram. It used two dashes instead of three to draw the lines, so the diagram basically just threw an error until I fixed it. Now my second attempt was to ask ChatGPT to create a mermaid diagram demonstrating the relationship between the three branches of the US government. Not only was the diagram correct, but the paragraph of text that came along with it was also correct. Like I said, it's very important to vet what you get out of ChatGPT. So anyway, while Ed and I had fun playing with ChatGPT and making mermaid diagrams, Ed suggested I go back and give the Mermaid Live Editor another try. Now you may remember at the start of this article I said I tried it but it was ugly as sin. I had also tried to get it to export an image file, but it didn't work when I tried it. On Ed's advice, I switched from Safari to Microsoft Edge, which is a Chromium browser, and then the export function did work to save a PNG. I could have sworn I tried that, but the evidence does not support me. Anyway, you'd think I would declare victory at this point because I did technically get a PNG on export out of the Mermaid Live Editor, but it was wee tiny and barely readable. It was super fuzzy, it was terrible. 
The Mermaid Live Editor does provide a scaling option for PNGs where you can set it to a specific width or height, but it does not work intelligently at all. I changed the width to 2000 pixels wide, but instead of enlarging the PNG it enlarged the white canvas background, effectively shrinking the PNG even smaller. I was really feeling like mermaid diagrams were just mocking me at this point. I mean, how does anyone export a PNG and one don't turn step from anything? Well, Ed didn't give up on me, and he suggested I try the SVG export option from the Mermaid Live Editor. SVG stands for scalable vector graphic, which is an ideal format because if you get one of these you can scale vectors to any size you like. You do have to use a vector editor and then save it to a PNG, but it could give you the best image quality possible. I tried the SVG export button in the Mermaid Live Editor and then I tried to open the file in Affinity Designer, my favorite vector editor. The resulting graphic was a bunch of solid black boxes. They were the right shapes and the right sizes, but they were solid black. I opened up the little thing that shows you all the layers and everything was black. I was baffled by this. Thinking it was some misunderstanding between standards for SVG definitions, I tried opening it in the very good and free Vectornator application, but again, I got the same black boxes. By this time any sane person would have given up, but I'm like a dog with a bone; I can see a solution just outside of my grasp. There had to be a good way to export mermaid diagrams as high quality PNGs. I posted the problem in Slack and Allister Jenks had a very interesting idea. He suggested maybe the SVG was actually okay. He suggested as a test that I just drag the SVG into my browser window. He said if the file wasn't damaged in some way, the browser should open the graphic. You can't double-click to open it, by the way; you have to drag it. 
Sure enough, the diagram opened in all of its glory right there in my browser. I used Command-Plus to increase the size of the graphic and then I just took a darn screenshot of the browser window. It wasn't elegant, but for a relatively small and uncomplicated diagram, it finally worked. I said at the beginning that mermaid diagrams won't take the place of my beloved diagrams.net. Then I discovered that diagrams.net has support for mermaid diagrams. It's not hard to make them in diagrams.net, but it's not at all obvious how to do it. Under the Arrange menu, you'll find an option to Insert, and at the bottom of the menu, you'll see an Advanced menu, and in that menu, you'll find Mermaid. It's only one click to get there, but I'm sure I'll have to look it up every time I wanna do it. This opens a little text field, and I mean little, it's not very big to work in, where you can type or paste your code. When you hit OK, you'll see your lovely diagram. To edit the diagram, simply double-click on the image in diagrams.net and you get the text box where you can change the text, and when you hit Apply, you'll see your changes. The text box is pretty small, like I said, so I'm not sure I'd wanna do my initial creation of a mermaid diagram in diagrams.net, but it does work for small edits. There's a huge advantage to rendering your mermaid diagrams in diagrams.net. They're vector-based diagrams. That means when you choose File, Export and choose PNG, you can type in a scaling factor. The PNG is actually scaled perfectly. Finally, I have come full circle from my favorite diagramming tool to my favorite diagramming tool. Not only that, I started thinking. Diagrams.net's file format is XML, which is a plain text format. So the mermaid diagrams I create within diagrams.net can be put in version control. Then that got me to thinking: if all diagrams.net files are in text-based XML format, couldn't I create my diagrams with the native tools and use Git to do version control on them? 
Well, that's a thought for another day. The bottom line is that I was hoping to show you how fun it is to make diagrams using mermaid, and that even for the non-supergeeks, it can be fun and pretty easy. I'm pretty sure that in the end, by giving you 12 different ways to not successfully export the diagrams, I may have turned you off from the whole idea, but maybe you can find one of those ways that brings you joy. Way back in December, Russ Sherman became our newest Patreon subscriber and I totally forgot to thank him and mention it. I feel terrible. I didn't immediately sing his virtues after he made the decision to help support the shows we do here at the Podfeet podcasts. He went to podfeet.com slash patron and he committed a dollar amount that was right for him and his family, and also showed his appreciation for the content we provide. Also, the delightful Klaus Wolf went to podfeet.com slash PayPal and he made a one-time donation to help the show. He is an equally fine human being and I celebrate his virtues as well. Well, it's that time of the week again. It's time for Security Bits with Bart Busschots, and we're going to be eating some vegetables today, it looks like, huh, Bart? Well, on the one hand, there's three deep dives. On the other hand, there's very, very little else. So, I think that's kind of what you like, actually. I do like the chewy ones, but I'm sad about this first story. Yeah, so we need to revisit our discussion of the LastPass breach. When we spoke about it last, it was about two weeks ago, and at that stage it was all pretty new, and my initial reaction was, okay, they have arrived at their worst case scenario, but that doesn't seem too bad. Assuming you have a decent password, you should be fine, and we didn't want to be quick to jump to a conclusion I would regret. I would rather arrive at a more controversial conclusion slowly and carefully and considerately. I have arrived at that conclusion, unfortunately. 
Let's review really quickly what we do know. So, what we knew last time was that they had lost access to some or all of the backups from some point in history, and that the only thing protecting those backups was the user's, what LastPass calls your last password, which 1Password users would call the master password, the password protecting your vault, and that the vault contained a mix of clear text. So basically the metadata was in plain text. So the URLs and the usernames were in plain text, whereas the passwords and secure notes were encrypted. So that's what we knew last time. And we knew that they had disclosed it, maybe not quite as quickly as everybody would have liked, but it appeared that they did responsible disclosure. At first glance, yes. That's what we thought. Yeah. So since then, two things have happened. More facts have come to my attention and I have been listening to the well-reasoned opinions of others and taking them on board. And I have changed my mind. I have become much, much less "this is okay" and much, much more "this is not okay." So we'll start with the easy stuff, which is the new information. So LastPass said in their disclosure that they were using 100,100 rounds of PBDSK2, which sounded good to me, but mainly because... I think you said the acronym wrong, and I don't know what it means anyway. PBDF, password-based PBK, password-based, yeah, it's wrong in the show notes, it's password-based key derivation function. PBKDF2. Okay, and that is... That is the method of turning your password into the key that actually does the encryption. That needs to be different. Okay, and they used 100,100? They said that if you had used their recommended settings, then your vault was protected with 100,100 rounds of PBKDF2, password-based PBKDF2. Okay. Turns out that actually the advice of the moment is to use 310,000. So even the vaults using best practice, it's not really that good a best practice industry-wide. 
It was what they were advising their users, but it wasn't actually best practice industry-wide. That's 310,000. But way, way, way, way worse is that they made the change from 50,000 to 100,100 in 2018 and they did not trigger people's clients to upgrade people's vaults. So people with a vault older than 2018, a lot of them are discovering to their horror that their vaults are only protected with 50,000 rounds, which is not enough. It's not nearly enough. So that's bad. I didn't want to make a strong statement last time because I wasn't sure of my homework, whether or not this whole thing of having the metadata in the clear was something inevitable that all password managers shared, or if it was something unique to LastPass, and I am sorry to say it is absolutely positively not inevitable. It is absolutely positively not normal for cloud-based password vaults. It used to be normal when vaults were purely local files, but when other password vaults synchronize up to the cloud, they wrap everything in encryption so that the metadata is encrypted too while it's in the cloud, because that way, if the cloud gets breached, it's safe. The other thing that has come to my attention is that having the password be the keys to the kingdom is also not normal. It's also the old way of doing things from before the cloud sync days. So... I thought that was the whole deal. If you had a long, strong single password, that's what it was encrypted with and you were safe. That's not the way it's kept safe. That's only part of the story. So a well-designed password manager designed for a cloud world, so in other words, not the old way where you had a local vault that you synchronized over Dropbox, but a modern password manager that is cloud native, is designed differently. So there's actually two things protecting your safety. There is your password and then there is a per-device key. And that key is randomly generated and that key never goes to the cloud. 
So this is why when you set up 1Password, they made you print out a PDF with a 2D QR code. Your recovery kit. That recovery kit is that key. Yeah, that is that 256-bit key. That key is what protects your 1Password in the cloud. If you had the world's dumbest password of Open123, your vault would be 100% safe if WordPress... Sorry, if 1Password was completely hacked, if they lost everything, your passwords are still safe. That is not LastPass. Yes, I had a vague feeling that LastPass were not best practice, but I wasn't sure, so I said nothing. I've now done my homework. They are absolutely positively not best practice. They have taken the old local model, shoved it to the cloud without adding the extra protection the other providers added before going to the cloud. And we didn't... That wasn't at the forefront of mind. Maybe you've known it one time, but not... It was in there and I had this nagging feeling that 1Password were better, but I didn't want to say anything last time because the last thing I want to do is tell people half truths. Right. So I've now done my homework, and 1Password were quite quick to crow about it. They have a very fun blog post, which I think gets the award for Snark of the Year. The blog post is titled Not in a Million Years and explains why it will take a lot less than a million years to crack your average LastPass vault. So that claim of, oh, your vaults are safe, it'll take a million years, doesn't actually stand up to scrutiny in the real world. Unfortunately. So where does it... I'm a little annoyed by the idea of 1Password crowing about anything here. This is a sad time. This is like... They're not crowing. They're not crowing. It's a really well written blog post. It's very informative. Don't let me give you the impression they're being... Snarky. You said snarky and... It's a good headline. It's... Maybe I didn't express it very well. 
Maybe I didn't express it very well, but it is not a mean, mean post. Okay. It's a here's-why-we're-different. Here is why we're different, and here is why you need to be more concerned than LastPass are telling you to be, which is that two thirds of the article are why you actually need to be more worried about what was lost, and one third is, and by the way, if we were to be catastrophically hacked, here's how we're different. And the key point they say is we designed our infrastructure on the assumption that we could get completely hacked. Therefore, what do we do to make that not be a disaster? Therefore, we have not been, but if we were, then we would have this level of protection, which you don't have with LastPass. Okay. Okay. So let me see if I can say it again, because I talked over you a couple of times with questions right when I think you said crucial bits. So with LastPass, you have your last password. That's what encrypts your data. If you have a good 30 character, upper lowercase, numbers, special characters password, then it's encrypted with that and you're probably fine. Fine-ish, at least. Unfortunately, they can see this hash goes with your Gmail account and this hash goes with your GitHub account. They have that kind of information, but they still can't break the hash. But if you had a bad password, then the encryption is not going to save you, because it's not also encrypted with a private key like the way 1Password does it. That is all correct. You have said nothing incorrect, but there's more. Okay. If your vault is older than 2018, there is a chance that it does not have sufficient rounds of password-based key derivation. Therefore, it is easier to crack than it should be by orders of magnitude. So even a strong password is weak. Is it easier? Orders of magnitude. Or easy. It is within reach of, I throw a thousand euro at this cloud provider and they'll crack it in a day or two. Depending on how long your password was. No, no, no. 
I am saying if you have 50,000 rounds, no matter how good your password is, it is crackable with reasonable resources. Right, that is, that one made my, when Steve Gibson said, I have confirmed from actual users, there really are people with 50,000 rounds, that my jaw hit the floor. I was like, oh no, that's just not good enough. And Steve was also slow to report on this because he also didn't want to go off before he was sure. So if you have had LastPass since before 2018, even if you've changed your password since then, it's probably still set to 50,000? No, if you have changed your password, it seems to me that it will have redone it right, because the new default is 100,100. But if you had been using it since 2018 and haven't done anything, the app won't have upgraded the rounds for you, as it really, really should have. Like literally the moment the software update hit the app, the app should have just re-encrypted, because the moment you unlock your vault, it's unlocked. So the app can re-encrypt it using whatever stronger algorithm it likes. And it doesn't, it just didn't do it in any way. Exactly, it's zero user inconvenience. It should have just rolled forward the encryption. It just should have done that. There is no excuse for not doing that. It's not that, oh, that would have been awkward for users. No, it would have had no impact on users other than making them secure. So that is a colossal mistake, colossal. Now the other point that I think may have gotten a bit lost in our conversation is that humans are terrible at picking passwords. So password crackers are really good at guessing passwords that are human-ish. So even if you take five words from your favorite Harry Potter movie and make them into a 30 character password, the fact that you as a human picked five words humans are likely to pick means you're nowhere near as safe as you think. The computer has to pick it for you. 
That is one of the magic things about XKPasswd. The computer is picking for you. Humans just... Why? Okay, so back when you explained how XKPasswd works and you walked us through all of the ways that you calculate entropy, and we talked about password haystacks from Steve Gibson and the logic behind it, I remember you saying that just making it longer created the increased entropy. So even if you put in repeated characters, that still made it stronger. Why would me making up four words, five words, six words, why would me making it up make it less secure than the computer thinking it up? Because you are human. We know how you work. No, no, you are human. You are not picking it at random. Don't say no, I didn't say anything, Bart. No, no, but I'm correcting you. You said no before I said a word. Okay, you are human. I understand that. We know, and the password crackers are really good at this, we know the subset of all of the words on the planet that humans gravitate towards. Yes. Therefore, when they crack passwords, they stay in the human bit, and that speeds them up by orders of magnitude. But the way you explained it was it's not like the movie The Net with Sandra Bullock where they get one character and then they get the next character or anything like that. So if I've got five words embedded in a string with special characters or numbers and it's upper and lower case, how on earth can they get to those pieces logically because I'm a human? They get to them faster than they get to a truly random password, because those words shove it into the bit of the search space that's human-ish. So the password crackers know that people wrap symbols around it and they know that people wrap numbers around it. So you are in the bit of the search space that is not the worst place to be, because the worst place to be is open monkey, but you're in the bit of the search space that's human-ish. 
So when they start to search, they start with the really dumb passwords and they move forward, and the last place the search ever gets to is the truly random passwords. So are you saying that, just like if I used all lowercase versus lowercase and uppercase it's twice as hard, you're saying that the subset of, say, English words, if there's 100,000 English words but humans use 10,000 of them, I'm in one-tenth of the search space? Yes, exactly. And they know how to prioritize where to look. So the more symbols you throw in, you're still better, right? But if you think of yourself as being on a spectrum between terrible and wonderful, if the human has done the picking, it moves you down the spectrum. It jumps you closer to where they're gonna find you quicker. It doesn't shift you to "it's a disaster," but you're less safe than you think, because you, the human, are predictable. You've added a level of predictability. If I've got a 35-character password with letters and numbers and special characters and upper and lowercase and Allison-chosen words, which I don't, by the way, I use XKPasswd, but let's say, I am not the low-hanging fruit, but I'm not the highest-hanging fruit. Correct. I'm closer to the, I'm lower than the top of the tree. Yes. Branch, whatever. You are more secure than people who have shorter human-picked passwords, and having such a long human-picked password puts you pretty high on the end of, as human passwords go, you're good, but you are still way down the tree from random passwords. You're still in the bit of the search space where they will get you quicker. Okay. We can also say the same thing about 1Password's password picker, correct? They don't do it with as much entropy as you do in XKPasswd, but they will say, okay, I want words, and it'll give you five words. Yes, but again, they don't seem to do all of the different, they don't add all of the options, special characters and... 
Correct, but again, they're picking the words truly at random from the dictionary, whereas humans don't; humans just are not random. We are terrible at randomness. That's what I'm saying. I'm just saying they're better than a human, but I think XKPasswd is better than 1Password. It's all on the spectrum. You're dead right. Yes, that's exactly the right way to think of it. It's not like good and bad. It's like terrible, wonderful and lots of stuff in between. Yeah, so like if I ask it, tell it, the default is three words, and it shows "current" in all capital letters, dash, "surly", dash, "sundew". Well, I probably wouldn't have picked sundew or even current, because it was ANT, but it's just got special characters and words. It doesn't have, and I can change the hyphen, but it doesn't have any special characters or any letters or, I'm sorry, it doesn't have any numbers. Yeah, which is why I really like the fact that I add numbers to the end of my random passwords. I think that's just a nice little extra thing to do. And it's not human-y, because humans pick on average two numbers, one or two. If humans pick passwords, they either start with a one or a two or end with a one or a two. And if you tell them they have to use a symbol, it's probably an exclamation point and it's probably on the end. Humans are terrible, terrible, terrible, terrible. Okay, so that's so far we have stayed in the land of fact. Now we're in the land of observation, and I am going to do something I do very rarely. I'm going to give credit to Leo Laporte for opening my eyes. So Leo Laporte made a really good point that although the disclosures from LastPass on the surface look good, they say, oh, SHA-256, they say we're using 100,100 rounds of PBKDF2. Usually you're missing that kind of technical detail. So my first impression was actually very good, because they're actually giving us the technical detail. 
But Leo pointed out that there are two things they didn't tell us, and they are simply the most important things to know. The first one is so obvious, I'm kicking myself. Whose backups? Everyone's backups? Most people's backups? Leo may- You have to assume all, because if it was some, they would have said some. Yeah, I mean, we're left assuming that, right? Because you're dead right. If there was wiggle room, they would have wiggled. So there mustn't be wiggle room. But that's an assumption we shouldn't be making. They should just be telling us that. But the second point Leo raised really made my jaw hit the floor. From when? The backups. Yesterday's backup, last week's backup, last year's backup, 2017's backup, because they didn't introduce proper rounds of PBKDF2 until 2018. So if the backup is from 2017, is it a full sequence of versioned backups? Is there like a full version history for every person? When? When was that backup from? If I changed my password six months ago because I got scared after the first breach, am I okay? Because this lot of backups were stolen afterwards, and therefore my strong password is protecting me. It's vital to know what point in time these vaults are at, because that will tell you whether or not you're safe. What state was my vault in at the point in time that they nicked the backup from? We don't know. And they haven't given us a clue. They haven't even told us all the backups are less than a year old or all the backups are at least two years old. We don't know. So that means your worst ever password in your entire history of being a LastPass user is what you have to assume is protecting your vault. The worst possible PBKDF2 setup that has ever existed on your account is what you have to assume is what's protecting your password. So if you've been a long time user, you have to assume 50,000 iterations. 
In other words, you have to assume that no matter how good your password is, you're in big trouble if you've been using it since before 2018. Because they haven't told you anything to put your mind at ease. Jeez. Ugh. Hey, do you see what I'm saying? I have a family member that we've been working on for about five years to convince to use a password manager. This person agreed about six months ago and did it in LastPass. Well, that means they definitely have 100,000 rounds. Right. And I'm fairly certain they would have used a very long, strong password. I believe they very likely would have gotten it from XKPasswd. I don't know that for a fact, but I need to find out. In that case. Another family member who has definitely been in it since before 2018. Okay, so the newer family member, if you can verify that it's an XKPasswd password, they are in the category of best of LastPass users. So if you think about it, you don't have to outrun the bear, you have to outrun everyone else. The attackers have so many people to go and compromise at the moment that if you're not in the bottom pile, then why would you spend money trying to crack difficult ones when you can throw resources at it? And once you've cracked 100 of them, well, that's enough to keep you going for a while. And then you might crack another few hundred next month and another few hundred next month and do your nastiness on those people. So your relative who signed up recently is in as good a position as I can imagine being as a LastPass user. Yeah. And then the other person is probably doomed. 
The other, unless LastPass release some information about when the backups are from, I think it's a case of saying at the very, very, very, very least, email addresses and banks need to have their passwords changed, and they need to change the password on their vaults today so that they definitely have 100,100 rounds and a strong password, and then go to the actual websites for everything that has money and everything that gives you access to other accounts, i.e. your email addresses. They are the two crown jewels. If those could be fixed and if the password could be changed, then yes, they may have to recover other accounts because they may end up losing something temporarily. But at least if you have the email address and you have your money, you're not in an unrecoverable situation. Whereas if you lose your email address, you can't recover the other stuff. Okay. This is a very unpleasant conversation. This is a very unpleasant conversation because basically we're in the situation of there are bad options and worse options. Here's the bad option. Right. Taking notes. The easy part. The easy part is going forward, if a family member says, what password manager would you advise? The answer is no longer LastPass. That's the easy part. Right. I'm also gonna check and see how big I can have my 1Password family and just start adding them in. You can add. I will pay for there. I was gonna say, you can add as many people as you like if you're prepared to pay. I think you get five of them for the standard price and then it's a per person per year addition. I think we have 10 in our family. Yeah. I will pay anything too. I think we have, oh, I have four right now, so that's fine. That's dreadful news. So one last question I wanted to ask you. I have heard people who are reasonably intelligent folk on podcasts saying, well, the solution is don't trust someone else to host your vault. You should host it yourself. 
My first thought is I'm pretty sure that as bad as LastPass did this, they're still way smarter than I am. Or the other way to look at it is there are people who are better than LastPass at this, but actually the real nub of the question here is the fact that there are two risks to your data. There are two equally important risks to your data. Risk one is someone else gets their hands on it. Risk two is I lose access. Right, if you choose to go away from the cloud, the risk of you losing everything goes way, way up. So sure, you have reduced one risk, but you've massively increased the other. So are you safer? I would argue for most people the answer is no. Certainly friends and family whom you're tech support for, the answer is absolutely positively no, they would not be safer without the cloud having their back. If you're really geeky and you're prepared to take ownership, have at it, but it is not a solution for the average person. But even as geeky as you are, Bart, do you think you could do a better job of securing your password vault than LastPass? I could do. I have no interest in spending my time doing it. I have better things to do in life. But you're confident that you would never make any mistakes that would cause an exposure of your data? If I was forced to do it as best as I could, it would take me a lot of time and effort, and I'm confident I could do it well. But I have a life. I have a job. I'm not going to spend a few hundred hours engineering a solution and then maintaining it going forward. And you're right, I'd probably screw it up too. Is this even where you? Well, that's the part I'm trying to get to is, okay, maybe I'm asking the wrong person, but the typical uber geek that is not a cybersecurity specialist. I just don't know. There's a lot of overconfidence in the... I mean, you got to be able to say PBKDF2 and know that in 2018, I mean, you got to know too much. You got to spend your life doing it. 
There are a lot more people who think they could do it than actually could. Yes, yes, that we can agree on. Okay, well that was fun. I'll end on a cliché. A little knowledge is a dangerous thing. 100%. Now, while the world was busy reacting to what is clearly a big deal at LastPass, other news happened and got swamped. So deep dive number two is the first of those other stories that happened. We learned about a Twitter breach. The Twitter breach actually happened about a year ago. Twitter didn't actually notice until last summer, and they kind of thought they got away with it, but it turns out they didn't. Geez. So what happened is this time last year there was a flaw in one of the Twitter APIs which allowed an unauthenticated user to get information out of the API they should not have been given. And this allowed them to make a request to Twitter's servers and say, is this telephone number a Twitter user? And the answer they got back was yes, and here's their username. So you could probe for the phone numbers that match Twitter accounts. So you know, for example, that AT&T use a certain range of cell phone numbers. So if you throw 100,000 requests at this API with the range of telephone numbers used by AT&T, you will end up with quite a lot of hits. And then you build up a database of known mappings of Twitter usernames to cell phone numbers. And they ended up with 400,000 such mappings. This gives you a database which almost certainly contains celebrities, important people, or maybe just, you know, girlfriends, people want to get revenge on and stuff like that. So it's a database of 400,000 people whose phone number and/or email address can be mapped to their Twitter username. Okay. That is the total of the breach. It is phone number and email address. 
So the biggest risk to regular folk, right, to most of our listeners, the biggest risk is if you happen to be in this bunch, the most likely outcome is that you could be targeted with an automated phishing attack that is equally sophisticated as would normally involve effort. So an automated spear phishing attack because they have enough information to be more convincing. So just because something knows your secret, your phone number, which they shouldn't know, it doesn't mean the really Twitter is what it boils down to. If you're someone important to be targeted, then the really big danger is a SIM swap. So if you are a celebrity, a political leader or a government official, it is worth the effort of doing a SIM swap against you to get into your Twitter account. If you are someone who works for a major corporation, if you're Tim Cook or someone, that's worthy of attacking. And the other thing that's worthy of attacking is a cool username. There are genuinely hundreds of thousands of dollars of value in having a username like @Bob. That is probably worth a few hundred thousand dollars. So if you have a nice Twitter username, you are as valuable to a cyber criminal as a celebrity. It's called that. I'm missing one piece here, Bart. Okay. A fundamental piece. Why is knowing my email address and my telephone number and my Twitter name in a combined thing, how does that make me a target for phishing? Well, because you can send the phish that appears to come from Twitter that is extra convincing. Because we can include in the phish, the phish can try to trick you into whatever it is they want to achieve. And they can make themselves look convincing by knowing your phone number, which is not public information. That makes them look like Twitter. And, but what can they phish me to do? Whatever. That is up to them to decide. That's up to them. I mean, maybe they want to see, maybe just want to get into your Twitter account because you're a celebrity or whatever. Right? 
Okay. That's what I'm trying to figure out. That's the main thing. Possibly. I am not going to say that I am as imaginative as a bad guy. Yeah. Okay. It is extra information they can use to make it appear like they are Twitter. What you then do, with your ability to impersonate Twitter, that is up to the imagination of the attackers. The most likely target is your Twitter account. The most likely thing to do is to attack the Twitter account. But you could use it as some of the way of getting confidence. If that person has a blue tick, then they have a financial relationship with Twitter. So then you could use it as a way of getting out their financial details. Oh, we have a bit of a problem processing your credit card. What's your full credit card number ending in 432? Okay. You see the way it can be coming into something, right? So it is an in they should not have. It is a helping hand up to attack you that they should not have. And it may catch you off guard because they know something that you think is secret. It makes them more believable. That's always... We humans, we fall for things. This makes it easier for us to fall for things. The SIM swapping attack is a much, much, much bigger problem because that just bypasses two-factor authentication. So if you're at Joe Biden or whatever, I really, really, really hope you're not using SMS 2FA because the real takeaway here is if you're still using SMS-based two-factor auth, stop. Because then if someone knows your phone number, they can SIM swap you. And SIM swapping is available as malware as a service. Like the bad guys have cloudified themselves fully. You can get ransomware as a service. You can even get swatting as a service. You can get people physically attacked as a service. You can get SIM swapping as a service. So if you are valuable enough, then it's a matter of the amount of money to SIM swap you is $100. The amount of value in selling your username is $100,000. 
Therefore it is financially viable for a bad guy to SIM swap you if you have a cool username. Right, right. I know two regular folk. I mean, you know, podcasters of our level of fame and fortune who've been SIM swapped and boy, what a mess. It's really hard to fix. It's really hard to fix and it's really real. Now the carriers are catching up, but they had a long way to catch up from. Long way to catch up from. And before Elon broke Twitter and fired everybody, it was really hard to get anybody's attention at Twitter to help you. Yes. And I can't imagine that's gotten better. I don't think so. So that takes us to deep dive number three, which is a GDPR story. So on the whole, I think most people are quite happy about this story. So Meta have been fined 390 million Euro by the Irish data protection commissioners for not getting consent for ad tracking. So for selling- I'm so sad, Bart. This is terrible. Poor Meta. Poor Meta. Breaking my heart. So the bit that makes your head immediately explode is the next thing I'm going to say. Obviously Meta are appealing the decision, right? That goes without saying. Do you know who else has filed suit against the decision? The Irish data protection commissioner. What? Who issued the ruling, have filed a court case against the ruling. That is weird, but it doesn't make sense. Okay. Okay, sure. So I am going to say, if you really want to understand what's going on here, there's a podcast episode, a certain Allison Sheridan and Bart Busschots recorded some time ago, Chit Chat Across the Pond episode 534, where the two of us go through exactly how the GDPR works. But for our discussion today, we don't need to know everything. What we need to know is that for something to be legal under GDPR, the data, sorry, for data to be collected legally under the GDPR, you have to be able to map that data to one of six possible legal bases for holding the data. So the basis the GDPR prefers you to use is consent. Just ask. 
If you've asked for it without lying or cheating, then you can do what you like, because you've asked, right? So the GDPR really just wants you to ask. If you're not going- And they say yes. Correct. Actual genuine consent, informed consent. So that's legal basis number one. If you can get consent, you are in the clear for the GDPR. The other ones are basically excuses for not getting consent. So legitimate interests, you basically have to argue that you have a legitimate interest. A classic example would be web servers log IP addresses. IP addresses are technically classed as PII. If you're running a website, then IP addresses will be in the logs. That is a legitimate interest. That's just, okay, that's how it is. Contractual obligations would be, I have ordered a toothbrush, you have my address on file so you can deliver me the toothbrush. Because we have a contract to exchange toothbrush for money, therefore I need to know where to deliver the toothbrush in order to complete this contract. That is a contractual obligation. So you don't have to get my consent for my address as part of the contract we have between us. Legal obligations, the law says I must do X. Well, I must follow the law. So that's a reason for holding data. A vital interest is a more difficult one. Basically, if I don't collect this, something terrible happens. And now you're into, let's have an argument in front of a judge. And public interest is even fuzzier. If I don't collect this, bad things happen to society. And you want to have a pretty robust case to make that one stand, right? So they're on a scale from consent, easy, to public interest, really hard to prove. So the last thing Meta want to do and the reason they are completely against App Tracking Transparency, they do not want to ask for informed consent. They are doing everything they can to avoid having their ad business on the basis of informed consent. 
They believe- Because we say no, it's been proven that we say no when we're asked, right? Right. Based on the App Tracking Transparency data from Apple. Yeah, if you actually ask people the question honestly, they do not in fact want to be tracked. So Meta's argument is that they have a contractual, sorry, they have a contractual obligation to track you. You have agreed to use a website that uses ads and the only way you could possibly make money from ads is to track people, therefore we have a contractual obligation to track you. Okay, that is not a valid argument in my opinion. Well, the thing is the Irish data protection commissioners agreed with that argument. Really? But under the GDPR, we need to have consistency across the whole EU. So the reason the Irish data protection commissioners are in the mix here is because Facebook's headquarters happens to be in Dublin. Their European headquarters. So the Irish data protection commissioners go first. They write a ruling, but that ruling doesn't go into effect until it has been handed to all of their counterparts in every other country where Facebook does business for them to comment on the ruling. And they can come back and say, actually we disagree, we want you to change this. And 99.9% of the time, this is like I want you to put an extra sentence here that says this. Actually, I wish you would rephrase this. Most of the time these comments are utterly boring and banal. This time, that is not what happened. Five countries got extremely cranky with the Irish data protection commissioners' ruling. And they objected fundamentally to the very concept that it is a contractual obligation to track people. And so, yeah. So when there is a substantive disagreement, there is like a board of data protection commissioners who sit above all of the data protection commissioners. And so that board had to rule. That board had to look at the question and rule. 
And that board ruled that it is not a contractual obligation, therefore consent is required. And the way it works is that if that board rules, the Irish data protection commissioner is bound by that ruling. So they have to issue a ruling in their name that has been dictated to them. Yes. So they issued the ruling. And then immediately filed suit in the European court saying, we think that the board overstepped its authority. So that is why they are appealing the ruling. They're not appealing the ruling, they're appealing the board's ability to rule at all on this matter. So what's their basis for that? They say that they get to decide what is and isn't a contractual obligation. So that's not something that can just be dictated to them by the board. I haven't read the exact legal wording there, but basically they think that the board has overstepped its authority. But the board is there to do exactly that and the rules say they can do that. Correct. But they just don't like it? I am now, this is the facts of the matter. I am now digressing into an opinion. Now put on Bart hat. Yes, I'm now going to give you my reading of the situation as a person who is into privacy living in Ireland and aware of how the GDPR works, which is probably a small subset of people on planet Earth actually never think about it. Because I was forced to do a training course on GDPR as part of my role in work. I need to know this. Wasn't fun, but it was kind of interesting. I'll be honest. So there is a long running issue with all, not all, many data protection commissioners across Europe being very, very cranky with the Irish data protection commissioners. Because Ireland has a very friendly tax regime, there are many major multinationals housed in Ireland. So Twitter, Meta, Google. All of these people- Apple. Apple, yes. All of these people get regulated in Ireland by the Irish data protection commissioner for GDPR. 
And that means that the Irish data protection commissioner have a very big role. Now Ireland likes to attract those companies to Ireland with the friendly tax regime. If the Irish data protection commissioners got too hard nosed, they would drive away these companies. So there is an amount of political pressure on the Irish data protection commissioners to be friendly to the large companies. The commissioner would argue it has no effect on her. I cannot prove it does, but it can't not affect someone, right? How could it not affect someone? They're all human beings. So that is the situation in which this is happening. So Ireland is well motivated to not go too hard on Meta. The other data protection commissioners in Copenhagen, France and Germany, they have a much more hard line view of privacy than Ireland does. And they want to see the American multinationals really regulated strongly. They want to throw the book at them. And so they want to rule really strongly for GDPR. And the Irish data protection commissioners are ruling really weakly and they're just making them spectacularly cranky. So cranky that all of this becomes a moot point in a year and a bit because- Are they losing the ability? They are, okay. So under the Digital Services Act, any company that meets sufficient size goals which Meta absolutely does, ceases to be regulated by National Data Protection Commissioners and comes under the direct authority of the European Commission. In other words, the DSA is removing Ireland's jurisdiction over multi-billion dollar companies. Interesting. And that is purely because people are so cranky at the terrible job they feel Ireland has been doing. Interesting, wow. So the appeal will certainly go longer than until this act is in law, right? Right, so at that point, do we start over? When the rules change and the commission become the authority clearly in charge, the commission then have to go and reevaluate and the commission have to make a ruling. 
I guess they could copy and paste, but they do still have to go through the work of, because then they're gonna be applying the DSA to it, not the GDPR, right? So it's a new standard. So I think the most realistic outcome is this drags on until DSA comes in and then under DSA, we get to start all over again with the commission mapping what Meta do and comparing it to the rules set out by the DSA and then deciding whether or not they breach those rules. So long run, I think we're gonna end up with Meta having a problem, but that is probably three to five years in the future. Yeah, that's okay, I can wait. Yeah, but anyway, that is why- Revenge is a dish best served cold. Yeah, so that is why Ireland is simultaneously suing Facebook and suing the people making them sue Facebook. It's a bit of a headache. Like you said, there's probably three people on the planet that could have explained that entire thing. It's quite, yeah, anyway, fun. So moving on to plain old notable news. Can I interject a story? Sure. So we talk, you don't know anything about this, but we talk a lot about how to keep elders safe and people less technical people safe online. We got an email from Steve's parents. It said, and I quote, we just spoke to Rick in San Antonio, Texas and indeed the account was locked because of three tries on Thursday. He gave us a temporary password and we will use it to change the username and password. Sorry to bother you, but hopefully we'll do it properly. No other context whatsoever. Apparently they had started an email to describe a problem but they never sent it and they sent this. Steve called him, turns out they got an email from their bank. It said they tried to log in too many times and it said to call this number. Not the number on the card. They called the bank, they changed the password, but guess what? It wasn't the money. They did not call the number in the email. 
They pulled out one of their bank statements, they found the phone number, they listened, they did everything a hundred percent right and it was true, it was from their bank but they still didn't trust it and they won security for today, I think. Darn tootin, that is fantastic. And that is a perfect response. They're in their 80s and they are all on top of it. To me they're like the poster child. I am so proud of them. I don't know that I would have done it better myself. I just thought that was a good news story. Maybe I should have saved it for palate cleansers but I couldn't wait. I'm going to return to that story shortly because there's a place where I want to just underline it, but that's perfect, right? That is 10 out of 10 gold star, that is perfect. That's absolutely perfect. So in the United States, there is a class action lawsuit against Meta. It was filed against Facebook, never filed against Meta about the whole Cambridge Analytica thing. So it's a class action suit. Meta have agreed to a settlement of $725 million. It has not yet been approved by the judge. Wow. So that is a record-setting settlement if it goes through. We shall see. Okay. The other, the next two stories have fire extinguishers. So there was a lot of Sturm und Drang on the internet about Chinese researchers having destroyed all of cryptography. Even the most generous interpretation would never have got you quite there. What they claimed was that they had found a way to break RSA encryption. Now, RSA encryption is really important. It is one of the encryption schemes used very widely. So it's not nothing, but it's not all of encryption. It's only RSA. There are lots of other types of encryption in use in the world too. If they had been correct, that they had found a way to break RSA, then it would have been a big deal. So the reporting was wrong. It was quantum computing, Bart. Well, they said that a quantum computer could do it quicker than we think a quantum computer could. 
But their whole paper is based on an assumption. So we have, there is a quantum computing algorithm that we know is well-founded and we know its effect on RSA. And that algorithm would not cause a calamity. There is another proposed algorithm that is very controversial, but a few people think might be able to break RSA thousands of times for like many, many, many orders of magnitude faster, like infinitely faster. But that's, that's, you know, that's I believe Einstein was wrong about gravity territory of math, right? That is not a valid assumption to base a research paper on. So when you pull that assumption out from underneath the research paper, everything else collapses in a heap. So there's a theory that an algorithm could exist. Well, no, there is a proposed algorithm which the proponents claim does this magical thing, but that is not proven. That is not even vaguely proven. That is very controversial. So that is the underpinning of the entire paper by the Chinese authors. So when you pull that underpinning out because it's not a solid foundation, I can't say they're definitely wrong, but the consensus opinion is there is no basis for this article. Okay, cause I saw that article and my first thought was, uh-oh, what about those LastPass vaults even with long, strong encryption? Yeah, so for now, that is not the end of the world. Now, there's a link in the show notes to an article from, because something else happened, right? That got really lost, but the US Congress passed a bill which asks nicely that the US government work with industry to preemptively upgrade encryption to be ready for quantum computing. I was rather hoping the bill would mandate actual changes by actual dates. It fell short of mandating and basically went, we really strongly suggest, but look, strong suggestion is still better than nothing. So the bill existing is no bad thing. And Naked Security did an article about the bill and this happened before the Chinese paper. 
And in the start of that article, Naked Security lay out what it is quantum computing actually can do when it gets real. So there's two algorithms, Shor's algorithm and another one I just don't remember right now. And the article actually explains what quantum computers will and won't break. So it's actually a really good article. Even though it's about a law that's a bit, ah yeah, grand. Why not? Why not say it's a good idea? It is a good idea, but you know. Like they wouldn't have thought of it on their own as a good idea. Exactly, exactly. So the law is pretty weak, but the description in the article is fantastic. It's probably the most human-friendly description of what quantum computing is on target to deliver I have read so far. So I've bookmarked it for future reference. Another story that on the surface seems terrifying, but isn't. There was a critical vulnerability in the Linux kernel's implementation of the SMB protocol, i.e. the Windows file sharing protocol. Now, from this point on, it's all fire extinguisher. It was responsibly disclosed on the 22nd of September. The actual bug, December. December, not September. Okay, yes, that's what I certainly tried to say. The bug was actually patched in either July or August. It was the middle of the summer. The bug was actually patched in the middle of the summer. And it's in the kernel implication. Sorry, implementation of SMB. That's not what 99.999% of us use. We use something called Samba, which is a third-party library that has existed for decades. So all of our NASs and all of our Linux boxes were almost all using Samba. The kernel level support for SMB is really, really new, really, really cutting edge and almost unused. The only distros that use the kernel SMB are the ones being really actively patched where everyone is updating all the time because you're on the bleeding edge. So if your device is new enough to be using this, it has definitely been updated since the summer. 
So in reality, you're grand. If your stuff is old, it was never affected. If your stuff is cutting edge, you've already got the fix months ago. So you're good. Excellent. I like that one. Now, the next story is where we're going to tie back to your very happy story. So actually, let's speak it happier. Ukraine, while busy fighting a war, managed to find the time to destroy a ring of scammers who were doing those phone banking scams. So 40 people were arrested in an office where they were doing a fake phone banking scam, which is great. But the Naked Security article is way more valuable than just that. It actually starts by describing what is currently being done by bank scammers, how they are currently tricking people. It's a fascinating read for the telltale signs of what they're doing right now. And the reason I was sort of saying, oh my goodness, was it really the bank they called them? Because what you're describing, that initial communication being we have detected a security problem is the current modus operandi. And as the Naked Security article put it, it is technically a true statement. The person telling you your account is under attack is the person attacking your account, but your account is under attack. And one of the techniques is that the, you know the way if your credit card gets attacked, you get a new credit card number. Right? They are saying that if your bank account gets attacked, this is a lie. This is not true. No bank works like this, right? Let me just underline that. What I'm about to say is the fraud. They tell the victims of the fraud that your account has come under attack, therefore we have issued you a new account. We need you to transfer your money from the hacked account into the new account. The bank details for the new account are X. Those are the bank details for the bad guys. They are walking you through transferring your money to the bad guys. And apparently they have the nicest phone manner. 
They are the most responsive support people you have ever come across. They will give you a phone number and encourage you to phone back. They have given you the phone number. And they will encourage you to phone back and they will answer promptly. And they are really good at making it sound like they're confirming information you have actually given them. So they say, yeah, I just need to confirm that your first name is. And they get you to say it and go, yeah, great. That checks out here. Great, great, great. And so they're just really good about pulling information out of people. And it was a fascinating read because of course the attackers are always changing their tack because the defenders know the trick. So it was actually really good to get a read of what's currently the norm for evil people. So I don't think you said it, but from what you wrote in the show notes and just scanning the article, the reason they know all of this is when they busted these 40 people in Ukraine or Ukraine busted these 40 people, they got in to see what their scripts are and how they're doing it. Their playbooks, yeah. The playbooks by the scammers were uncovered. Yes, and the Naked Security article actually goes further and they also describe other playbooks used by other criminals. So the Naked Security article says what the Ukrainians are doing and also adds more context, which is why it's such a good article. Maybe you should be suspicious when the customer support person is super patient and not at the end of their rope. I'm afraid to say that actually might be a good tell, which is depressing in all sorts of ways. But anyway, let us move on to happier things. I have a top tip for you. The good people at Intego have given one of those nice, happy new year things, 10 things you can do to improve your privacy and security on your Mac, iPhone, or iPad. None of them are earth-shattering, but you know something I bet you most people are doing, not all of them. 
So why not have a look, see if there's something you can do to improve your security at the start of the year? Or at the very least. Only change passwords when needed. I'm so glad that NIST have finally, finally told everyone, don't make people change their passwords. It will make them less secure. Thank you, NIST, for making that official. Every time someone says, oh, your password expires, I go, ha-ha. NIST says, that's a terrible idea. And then I make it go away. It's great. And that brings us on then to... Oh, no, I have an interesting AppleInsider article. I didn't cover this on our show last month because I don't do rumors in my Apple. So why on earth would I do rumors in Security Bits? The whole point is we're supposed to be relevant and actionable here. But there has been some interesting reporting about Apple making moves to start supporting third-party app stores on iOS because that is going to be required of them by 2024. And a lot of people... In the EU. Correct, because again, our friend, the DSA, the Digital Service, sorry, that's the DMA, the Digital Markets Act, the close cousin of the DSA. Because they're a market, it's the app store. So we know that that law is coming. What we don't know is actually what Apple are actually going to do. So a lot of this is still fuzzy. And there's been an awful, awful... So Mark Gurman wrote an article leaking the fact that Apple have dedicated a team of engineers and they're proactively working towards this requirement. And there was a whole bunch of speculation. So the internet went mad with all sorts of silly, silly quick takes and nonsense. But amidst all the nonsense, there's a little gem I think is worth reading. It's an AppleInsider article and it actually lays out in detail and it's very clear to say what we don't know. But it lays out the things to watch out for as the facts begin to crystallize around this upcoming thing. Like we know this is coming by 2024. So something is going to happen. 
So what should we be looking for? What are the legitimate concerns? It's just the most thoughtful article amidst a whole bunch of nonsense. So I thought, you know, if anyone wants to do a bit of home, you know, a bit of extra reading, I definitely would recommend this as a good article to read if you want to be informed on the whole concept of Apple being forced to do third party stores. Interesting. Should I change the show notes to say Digital Markets Act because it says Digital Services Act right now? You probably should actually, yeah. I obviously got them mixed up because the one up above is the DSA. Right, right, right. The madam one was DSA. And then we get to go on to palate cleansing. Two from me this time. So again on a similar note. So there has been 2022 was the year of sort of generative AI. In other words, getting AI to make things from scratch, which is very, very different to what AI was doing before, right? Telling AI to make my photograph look nicer is a very, very, very different thing in every possible way technologically, theoretically than I have a blank slate. I'm going to say, dear computer, make me an image of, right? That is fundamentally different. Dear computer, write me an essay in the style of, so generative AI was the big thing of 2022. And a lot of people are extrapolating forward from what we have now with ChatGPT and Stable Diffusion and all these things and projecting forward this dystopian future. And Ezra Klein has a podcast where he gets very smart people on and they have really nerdy conversations that go on for it. They're not short. This is a podcast you settle into. It's a one cycle podcast is how I think of it in my mind, right? This is a discussion about what's, what are the limits of what we actually have? And it puts into context everything that happened in 2022. And it is by far the most intelligent conversation on the topic I have come across in any format, whether it be spoken word or written. I learned a lot. 
I am way more intrigued and way less panicked. Oh, oh, interesting. So yes, we are doing cool stuff, but we are currently in the honeymoon phase where we think these things are actually more powerful than they are on cooler reflection. While they are cool and while they are useful, they are not the end of every, they are not the end of humans. It's a really good take. I mean, it's very hard to summarize an hour and something conversation that has really intelligent people going on to subtle points. But trust me, I have not seen anyone do a better job of this discussion. So I thought it was worth linking to this audience because where are the kind of people who like these things, right? Right, right, right. And then the last one is slightly selfish, but I don't think I'm alone. Apple killed Dark Sky on New Year's Day. And Dark Sky has been a beloved weather app for people who live in places that it rains. I'm not sure it was ever all that high on your list. I know you've had a bit of rain the last couple of weeks which has changed your outlook a little bit, but on the whole rain is not your most regular problem. So you probably weren't a Dark Sky addict. I have been a Dark Sky user for ages and ages and ages. When Apple killed it, it made me very sad. But, oh, sugar, I forget who it is. The blog is blankbaby.com. Oh, sugar, I should have checked the person and put their name in too. Anyway, it's a review of the best candidates to replace Dark Sky. Not from the point of view of being an exact clone, but from solving the same problems. If you want an exact clone, the answer is very straightforward, Carrot Weather. They have released a new theme that is Dark Sky. It's got nicer graphics, but it is Dark Sky. And you just, you pay yourself an annual subscription and you get to keep Dark Sky. Like they have just copied and pasted it. To be clear, everybody's saying Apple killed Dark Sky. 
They kept the technology of Dark Sky and created an API that others could adopt, which is what Carrot Weather did. Yes, and they also included the data in the Apple Weather UI. But Dark Sky's magic was the two-parter. So the part that Apple have saved is the data. So the algorithm to figure out, are you going to get rained on? That bit is incorporated into Apple's tools. It's now part of Apple's Weather app. What Apple did not do is inherit the very easy to use UI. Sure, sure, sure, but others can. So it's not as deaf. They got rid of the UI, but allowed others to use the API in order to make a good UI. Correct, correct, yes. But I guess from the point of view... Sucks to be Android. That's where you really care. Yes, and yeah, I've had a lot of Android friends going, so what do you recommend? I was like, well, I have found that the only other apps I like are iOS only, so terribly sorry, but I actually don't have an answer for you. Yeah, that's really... That would anger me. Yeah, so basically, if you want to look at all of the candidates, this blog post does a great job of laying them out where the strengths and weaknesses are. Basically, there's two clear winners. There's Carrot Weather and Hello Weather. Carrot Weather is the best clone of... If the old way of showing data clicked with you, if your brain liked the way Dark Sky showed information, you will love Carrot Weather because it's the same thing. If you are trying to solve the same problem but are open to a different way of visualizing the same data, then actually, Hello Weather is probably a better interface. I think it actually shows more useful information, more quickly, with less clicking, sorry, tapping. So I've actually solved both and I haven't decided which one gets to stay forever, but for this year, I've paid for both. 
So I now have two subscriptions instead of one, but for now, I'm happy to go with Carrot Weather and Hello Weather, and by this time next year, I guess one of them will just not be renewed. But anyway. So to quote Leo Laporte again, on MacBreak Weekly, you had a real interesting discussion with the other three guys on the show. And one of the things they quoted was a Slate article that I'm gonna put a link in the show notes to, the world's best terrible weather app, and it was talking about Dark Sky. But it was really interesting, something I learned from it, maybe you know this, but weather apps like Dark Sky and the API and Carrot and all the others, they take images, satellite images and project forward what's going to happen. What a meteorologist does is uses physics models to predict what's going to happen. So that's why something like Dark Sky or Carrot Weather or even the Apple Weather app can tell you, is it going to rain when I go on my cycle in the next 15 minutes? But they're really bad at telling you what's gonna happen in three days because projecting forward doesn't work when you're just using images. And I never caught that subtlety that that was that vast difference between the two. Not that meteorologists are right most of the time. 99.9% of the time it's a seamless thing, right? Because if you use Dark Sky, the hourly forecast is done by taking the images and projecting them forward. And the what's going to happen in three or four hours is done based on meteorology. And so the Dark Sky app shows you both, no, no, it's only the rain prediction that is done by the, like Dark Sky will tell you the weather next week. It is not doing that by projecting forward the current rainfall radar, right? It's doing traditional meteorology for the future. Like there is a 25% chance of rain next Thursday. But what's really funny is that there are times when the meteorologists and Dark Sky disagree. 
And so in one part of the Dark Sky UI, it's showing the weather that came from the meteorologists. And in the other part, it's showing its own prediction. So you can simultaneously see 100% chance of getting rained on in one part of the UI and a few pixels away, 0% chance. Because the two data sources sometimes catastrophically disagree. So I am not going to declare who is right. I'm not going to take an opinion here. But the article in Slate says that it is not using any meteorology in Dark Sky. Says it point blank. I am 99% sure it says for its rain prediction. Dark Sky simply monitored changes to the shape, size, speed and direction of shapes on a radar map and fast forwarded those images. It wasn't meteorology, it was just graphics practice. Okay, that is missing the context of for the future. The radar map was the forecast. Yeah, so Dark Sky also incorporated normal data because otherwise it could only tell you the next hour or two and it couldn't tell you anything more. Dark Sky absolutely, I know for a fact, Dark Sky incorporated other weather data too because it used to tell you in the UI where the source was for the other data. The projection, Dark Sky had two things. Like I said, I'm not going to call it, I'm just going to put a link to the article and... No, no, it's a great article by the way, right? Because the magic source of Dark Sky which did not exist before Dark Sky was, am I going to get wet 45 minutes from now? There was no one telling you that. And they had a genius idea that the wind doesn't change often. So 90% of the time, if I just move the pixels in the same direction they've been moving, it will be right and it is. So 99% of the time, yes, I have to laugh. Kyle was out here, Kyle moved to Texas recently and you might have heard there was significant weather events over the holidays. And he was watching his weather station and it said the wind is coming from the west, from the west, from the west, from the west, from the west, north. 
And the temperature dropped 40 degrees in 40 minutes. Okay, that's called a weather front. Wow. It was like, Canada's coming. That is amazing. That was that 1%. I mean, I've got a copy of the graph, I'll send it to you, it's just hilarious because the weather direction changes, commensurate with that temperature change. A much more common flow with Dark Sky which I find is great fun. So I really got to know Dark Sky because it's been my weather app for years and I do a lot of cycling. But Dark Sky is useless where I live if the wind is coming from the east, southeast because the Dublin mountains are east, southeast of me and they have terrain effect rain. They make rain. If you have a wet wind blowing from that direction the mountains push it up and it falls as rain. That rain, if you fast forward the radar map the rain doesn't move and Dark Sky moves it with the wind but it's not being moved by the wind, it's being made by the mountains. And so Dark Sky tells you there is a clearance on the way in 15 minutes. It never comes. It tells you you're going to stop getting wet and you keep getting wet. Hate that. Anyway. Well, this weekend weather concludes. Hey, it's important to some of us. We don't all get, what are the low mo, low mo, no. Morning low clouds. Morning low clouds followed by hazy afternoon sunshine. Thank you. Thank you. Rinse and repeat. Command C command V. There we go, done for the year. Exactly. Well, I picked a really good time to be sick. We had about three inches of rain in a week and a half which is massive for us. You know, I think our non-drought rain is about 20 inches a year or something like that, 22. Goodness me. That's a substantial percentage of the rain for the year. Yeah. Geez. You didn't have the clothes for it either. We got lucky, Northern California was a mess. Yeah, nothing is prepared for that. So we just stay home. Sprinkling. Sprinkling. Yeah, I was gonna say, if I just stayed home when it was like that, I'd never leave. 
I'd just be here. Exactly. All right, well, this was a good episode. Indeed, a nice one to start the year off. Most, yeah, mostly fun. Anyway, you know what to do, folks. Until next time, stay patched, so you stay secure. Well, that is going to wind us up for this week. Did you know you can email me at allison@podfeet.com anytime you like? And you know when you would like? You would like to send in recordings for Bart and Allister and hopefully some text to go along with that so we can do a blog post. Not required, but a lot of people do appreciate that. Anyway, you can do that for the next week or so and then it's gonna be really hard to get through to me. So hopefully you won't send anything while I'm gone. Let's see, you can follow me on Twitter at podfeet and you can find me on Mastodon at podfeet at chaos.social. If you wanna join in the fun of the conversation, get answers to your questions like the way Allister answered me when I was asking about what to do with that SVG. You should join our Slack community at podfeet.com slash slack. You can talk to me and all the other lovely NosillaCastaways. Remember, everything good starts with podfeet.com. You can support the shows like Russ Sherman did at podfeet.com slash patron or with a one-time donation like Klaus Wolfe did at podfeet.com slash PayPal. And if you wanna join in the fun of the live show, there will be one more live show before we leave. There will be one on January 15th. There will not be one for two weeks after that. You go to podfeet.com slash live on Sunday nights at 5 p.m. Pacific time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.