Hi, this is Allison Sheridan of the NosillaCast podcast, hosted at podfeet.com, a technology podcast with an ever so slight Apple bias. Today is Friday, December 23rd, 2022, and this is show number 920. Well, we made it to the end of 2022 without missing a show. This show is coming out a bit early as I'll be doing Christmas festivities with family on the 25th. That means there is no live show this Sunday. It also means I'm a little bit lonely, but since I'm going to be reading I'm Still Using It contributions from so many great NosillaCastaways, I don't feel like I'm alone. Anyway, we'll be back in the saddle with the live show on January 1st, so be sure to bring your New Year's Day frivolity.
Tim Chaten does a delightful show called iPad Pros, and I have the honor of being his guest for episode number 161. Now his show is all about using the iPad for everything possible, so we dive into my uses for the iPad Pro, my pick of the HashPhotos tool for iPadOS and iOS, and we do get a little bit off topic by talking about how I use my Synology. We talk about the iPad mini, and that no matter what I try to do with it, it just never seems to find a place in my workflow. Anyway, you can find Tim's iPad Pros podcast in your podcatcher of choice, or you can watch a video version of our conversation over at ipadpros.net.
As I mentioned in the introduction, today we get to hear from the NosillaCastaways about the hardware and software they're still using after many years. This is actually part two of I'm Still Using It, and we have some rather extensive stories mixed in with brief moments of delight from the castaways. We'll start with Tim Jar, and here's what he has to say.
I'm still using my TiVo, specifically my TiVo Roamio from circa 2014. First of all, if you haven't used a TiVo, especially if you've used some other kind of knockoff DVR, and believe me, all of the other ones are knockoffs that copied TiVo, you haven't really experienced how watching TV should be.
The half hour buffer of whatever is live, the ability to record multiple channels at once, the best and easiest method for skipping forward or backwards in a program, the 30 second instant replay button, the skip commercials button, the best grid for live viewing and picking programs to record, a dead simple, even my grandfather could learn it interface for recording and playback, both individual recordings and the famous oft-copied Season Pass for all seasons of a show. I'm sorry, for all episodes of a show. It's all genius and basically all of it was pioneered on TiVo and everyone else just copied a watered down version of the same. As an added bonus, my model supports both cable TV and antenna, something that TiVo has sadly moved away from in recent years. So when I was living in rural places much of the last 10 years, I could plug in that Comcast coax cable and be set to go. And with enough pleading, I could even get them to give me a cable card and configure it the best way to DVR. When I moved to the big city again and I could get the network stations over the air, I can plug my $10 Walmart antenna into this just as easily and record that way. Yes, streaming is likely the future and I subscribe to several services and I love them but they don't match the ease of TiVo and none of them come even close to precision rewind and fast forward functions that you could stop exactly where you want. TiVo even pioneered the idea that there's some lag between when you see that your show has returned from a commercial and when your brain sends a signal to your hand to press the button and compensates accordingly by jumping back a few frames when you hit play so that you always land precisely on the frame you wanna land on. Finally, the TiVo remote might be the best designed remote control in existence. Why no one else has copied the peanut shape that actually fits comfortably in your hand is beyond me. It's so comfortable and natural.
Your hands land naturally on the most commonly used buttons and when you need to reach something at the top or the bottom of the remote your hand easily slides the remote up or down in your hand without feeling like you're going to drop it. Care was even placed in things like having the instant replay and skip forward buttons in logical spaces easily reached from the main play/pause/select hub in the middle of the remote. Heck, they even included four ABCD buttons below this for future improvements. For years that seemed just like a myth but then they made one of the shortcuts to turn on/off closed captioning and more recently converted the D button to a skip commercials button. Then it vaulted TiVo even further ahead of the competition. In short, this remote was the exact opposite of the first generation Apple TV remote. You know, the one you can't even tell if you've picked up correctly or if you have it upside down. And I say that as a guy who hates this remote way less than a lot of reviewers. And of course the whole idea of time shifting TV watching to when it is most convenient to you was something TiVo was at the forefront of. Turning on a game 20 minutes late and being able to catch up by the end by skipping commercials was the coolest thing ever. Same with a TV show with even less lead time needed. Sadly, the years haven't been kind to TiVo. They tried to package themselves as hardware that cable companies could use for their own DVRs but Comcast and the like followed their usual playbook releasing far inferior products and charging their customers more for the poor man's version of a DVR. In 2016, Rovi acquired them and immediately made their presence known by changing the UI. Instead of a pleasing soft yellow highlight showing your active selection we instead got a blinding white orb. They also dramatically decreased the number of days worth of upcoming TV listings while simultaneously being wrong about them consistently.
Especially if there were changes made closer to airtime, something TiVo used to excel at with its frequent guide updates. Then Xperi bought them in 2019 and another hallmark of TiVo, their fantastic customer service for the clients, also went to the dogs. So the brand and the joy that came from using it aren't the same anymore but some version of it remains and there's still no better remote nor no snappier and easier to understand interface for watching standard TV and I still love it for that.
Well, Tim, I agree with you 100% and that is very rare for Tim and I to be on the same side of a discussion. I'm really glad you still love your TiVo. Now, if it weren't for Channels acting much like TiVo as my DVR for YouTube TV and saving $1,120 per year I would still be on TiVo today. Next up, we'll hear from Kurt Liebesite.
Hi, Allison. I'm still using an iPod Nano sixth generation MP3 player. In fact, it is what I usually use to listen to podcasts like the NosillaCast. Your listeners have all almost certainly seen or even owned a sixth gen. It's a little square one with a color display and the touch interface that you navigate through with tapping and swiping. The iPod Nano 6G came out in 2010. The one I use most of the time is not the original one that I got in 2010 but rather one I got off of eBay a few years ago. I love the small size and the clip that fastens onto your clothing. I usually wear button down shirts at work and I clip it onto the front of my shirt down near my belly button and then run the earphone cord up and around my neck before plugging the earbuds into my ears. That's not the most high tech of MP3 players. It doesn't even have Bluetooth, for instance, but has just enough technology. You can navigate around to the song or the podcast you want. It holds enough content to be useful and the battery life is long enough that I hardly ever run it down too low. How much do I love it?
Well, let's just say that I have a fully functional backup unit and enough parts in reserve to assemble two more. My runner up candidate for I'm Still Using It would be my 24 inch Apple Cinema display and my 2010 classic Mac Pro still running Monterey. I know the display is not retina resolution but it does just the job I need while looking darn stylish and the Mac Pro just keeps chugging along handling everything I throw at it. It seems like the 2010 era was a time when Apple put out some products of immense value.
Wow, Kurt, you brought back a lot of memories for me with the sixth gen iPod Nano. I loved my red one. I used it for running and of course it was filled with podcasts and not music. I remember the first time I plugged it in and I was delighted that iTunes represented it as red. I thought that was so cool. I think I remember breaking that one and I bought another one on eBay too and I still have it. Haven't used it in a long time but boy, that was a great device. I also still have an Apple Cinema display chugging along but it's not my original 24 inch. That one died 35 months into the three years of AppleCare and Apple replaced it for free with a 27 inch. That was when I first discovered that Apple making displays that don't adjust up and down would be a problem for me. While the 24 inch was the perfect height, the 27 inch was too tall for me to comfortably see without straining my neck. It has a place in my home as the display for our M1 Mac Mini and I love the contrast and technical years between them. So thanks for the memories, Kurt, and it's so swell to think of you listening to podcasts on that little iPod Nano. Next up is Bruce Wilson and we get to hear from him in his own voice.
When Allison first announced the I'm Still Using It segment, my mind immediately went to an application I've been using since 1985. That application is Emacs, which is a text editor for Unix and Linux systems.
I joked in the general channel once like that I should write about this to start a religious war but in reality it's not a matter of religion for me. I'm just a curmudgeon who learned this particular text editor almost four decades ago and many of the keystrokes are muscle memory. I'm still using it because it works. Why did I start using Emacs and wind up on that side of the Emacs/vi divide? It's like a lot of things in science. It was the tool that the graduate student a year ahead of me was using. So that's the tool I started using. However, what cemented it was learning how to use keyboard macros in Emacs. I learned I could type control X, control left parenthesis, then type the set of commands I needed, then type control X, control right parenthesis to close the macro definition. Then control X, E to execute the macro, control X, then a number, then the E would execute that macro that number of times. This was a great tool for massaging text files full of data, which is much of the grunt work in my graduate education. Emacs also had regular expression search and replace, which has been discussed over on Taming the Terminal. The other killer feature for me was that Emacs had rectangular cut and paste. That let me cut, for example, columns 30 through 42 out of a text file and either just delete them or move them to a different set of columns in the rows throughout the file. By the way, did you know that Microsoft Word will do rectangular cut and paste? Click and drag while holding the option key sometimes, though this is best done in a file formatted in a monospace font like Courier. Emacs saved me months of time working with text files as a graduate student, so it still has a very warm place in my heart. vi probably could have done the same things, but I learned the other tool. And every once in a while, I find a text file that needs some serious massaging and I get that trusty tool out of my toolbox. So I'm still using it.
This is great, Bruce, and I really hope somebody comes back with a response to your Holy War throwdown. Maybe William Reveal will jump in on this one. When he donated so much of his time helping me fix those pesky character encoding problems in MySQL while migrating podfeet.com to a new database server, we spent a lot of time in vi. Now I don't have a religious affiliation with vi, but I fell into it as you did with Emacs. Somewhere back in my ancient history, I remember working on a device that was kind of a cross between a computer and a typewriter. And I do remember that it had a flat plastic typewriter print wheel that you could change out, but I can't remember what it's called. I don't remember, but I know that the keyboard part of it had a series of keys that were highlighted that I later on learned were the vi key commands when I learned vi for real. So I had been using vi, but didn't know it. When I finally needed to use vi, I found out it was pretty comfortable for me. I wish I could remember what that was called or even what job I was working on, but I haven't shaken the cobwebs loose on that memory. Now I'm definitely not proficient in vi as you are in Emacs, but it was fun and familiar to use it with Bill. Thanks for sending that in, Bruce. That was really, really fun. Lynn York is up next, and here's what she said.
Hi, Allison. We are still using a DLO HomeDock that we purchased in January of 2006 with a fifth gen click wheel video iPod from 2005. It holds a copy of our own music and serves up over 6,000 songs when we want music through our Denon receiver and Infinity speakers in the living room. We have iTunes Match, not Apple Music, so this still works for us. Getting our HomePods to play music from our library has been a frustrating struggle, but that will have to go into Dumb Question Corner sometime. I look forward to hearing about the other golden oldies that still serve a purpose.
Well, Lynn, there's just something so joyful about seeing all these old iPods still standing, doing their jobs. I'm glad yours continues to provide value to you and Gary and that you get so much joy from it. This year brought a smile to my face. You'll recognize the next voice. We have Alistair Jenks.
In a couple of months, I will have been using Hazel from Noodlesoft for 10 years. It has done many different jobs for me over the years and while those jobs almost always become redundant in time, I always find new ones. I decided recently to export my entire Big Boy photo library of over 42,000 images into a folder of lower quality JPEGs in order to have an easily viewed catalog should something happen to me and my family be looking through my stuff. Because I am pernickety about my photos, this is not a straightforward job. I export the photos from PhotoLab to a fixed location using a preset, but I want them in year/month folders and I want to also export them from Lightroom and copy the Lightroom keywords to the PhotoLab exports. Right now, Hazel is churning through the PhotoLab exports, filing them into the right folders and then when I export the same from Lightroom, Hazel will push those into the same folders and then copy the keywords across before throwing the unneeded Lightroom files in the trash. Many of my other current rules work on images. The same keyword copying task occurs for photos I export for Flickr. A couple of special folders that I can export images to will cause Hazel to launch those files into a specific application where such native functionality does not exist and one folder runs an ImageMagick script on each image. My Downloads folder is purged of zip and DMG files beyond a certain age and also images and documents of a certain age are sent to my Pictures or Documents folders. I forget many of the other rules I've had in the past but most will have been along the same lines. Some do often needed tasks on a few files.
Others work on masses of files. All of them provide me a level of automation that means I get the job done consistently and reliably. And that's Hazel in a nutshell. Consistently and reliably making my life easier.
Well, I've never looked back to see how long I've been using Hazel too, Alistair, but I don't think it's quite as long as you have. I think I started using it in anger when David Sparks did a video tutorial on how to use it to collect scanned bills, change the titles and match the name of the company and bill due date and more. I remember when I did a presentation at the Command-D conference put on by Sal Soghoian and I explained how I have Hazel move my podcast files after they'd aged out from my local disk to my NAS. There were two fun things about that. It turned out that the developer of Hazel, Paul Kim, was actually in the audience. He was tickled that I'd showcased it and luckily I didn't do a botch up job of explaining what it did. The second fun thing was that Dave Hamilton was there and when he heard what I was doing with it to clean up podcast files, he slapped his forehead, realizing it was exactly what he needed for his own workflow. It's not often that you get to do something Dave hasn't thought of, so that was a big moment for me. Just this week, Steve asked me what tool he should use to make sure that when he deletes the Drobo dashboard software that gets rid of all the cruft. I explained to him that Hazel, which he already uses for scanning in bills, would do it for him. He was quite pleased when he threw the main app in the trash and Hazel popped up and said, do you want me to get rid of this pile of plist and other glob too? Hazel is one of those tools that sits in the background cleaning up for you and doing the tasks that are tedious and error prone for humans. If anyone listening is not using it, head over to noodlesoft.com and give it a whirl. It is amazing. Thanks so much for this, Alistair.
It's the first software I'm Still Using It that we've had. And after I just said that, we have our second piece of software. This one is from Klaus Wolf. He says, there is no denying it.
I'm a bit of an aviation enthusiast and while the app I'm about to introduce is very much targeted to this demographic, it is quite useful for many. I'm still using FlightRadar24, available online at flightradar24.com. So what problem does it solve? Have you ever wondered, what airplanes are overhead and where are they going? Open FlightRadar24 and it will let you know that and more. If you're stuck at an airport and wonder if your delayed plane has even left its previous airport, type in the flight number into FlightRadar24 and click on the live map. On Thanksgiving Day, I was waiting in Antalya for a delayed flight. As I wrote to Allison on Telegram to remind her about a visit to the Hollywood sign seven years ago, I watched my delayed aircraft leave Istanbul. I mean, literally, I could see a little aircraft icon move along the runway as they departed. And to me, that's really cool. But how do you know which flight comes before your flight? Quite easy. You search for your flight, such as TK2409 and then you tap on aircraft info. This will show some useful info about your aircraft, things like the aircraft type, registration, and even a picture. But more importantly for this use case, the other flights the aircraft has recently been on. FlightRadar24 also offers a lovely replay feature which will let you relive your epic flight to someplace far away and help you identify that landmark which you couldn't easily or readily identify before. All you have to do is remember the time. The app slash website operates on a freemium model and I enjoy the business account as I have a little Raspberry Pi that serves as one of the nodes providing data to their service.
Well, this sounds really neat. There's a lot of times I could have used this, Klaus. This is cool.
You know, there's a lot of, quite a few aircraft enthusiasts in the NosillaCast community, especially Alistair Jenks. So it's really cool to learn about it. One of my favorite things about the internet is that we can now point our phone's camera at a flower and know its proper name or have our devices listen to a bird and tell us what it is or even find out what plane is flying overhead. Kenneth Berger brings us the next I'm Still Using It and you're gonna start to notice a theme. He says,
we won't discuss the AirPort Express that I decommissioned a number of years ago but we will talk about my 30 gigabyte iPod Classic which was called a video iPod when it came out. I bought it around 2007, which was about two years after I bought my first Mac. Both of my sons had Mac computers before that but my 2005 iMac was my first one after spending about 10 years living with those wonderful blue screens of death on several Windows PCs. Although I didn't know what a playlist was I managed to figure out how to download music to the iPod that I had ripped from an assortment of CDs. This now brings us to what I call the great podcast conspiracy. I had heard of podcasts but I didn't really know what they were. I certainly didn't know how to get them out of my iPod. One day after I completed my daily syncing process I noticed something I'd never seen before on the iPod. It was something entitled TWiT, This Week in Tech. I didn't know what it was and I didn't know how it got there but I listened to it. It appeared to be some type of panel discussion. I listened to the whole program and I didn't know quite what to make of it. The following week another episode appeared and then I was hooked. My podcast list is now quite extensive. It might have been on TWiT's MacBreak Weekly that I heard about the NosillaCast so I've been hooked on that too. My first iPhone was the 3GS, which I bought in 2009, so I no longer needed to carry my iPod anymore.
Instead of retiring it I bought a Sony Dream Machine Stereo Clock Radio which has a 30 pin dock connector and I set its sleep timer every night at bedtime and fall asleep to music being played by that 15 year old iPod. Thanks for the show and have a wonderful holiday season.
Wow, this is, I love this. Kenneth, this is like this weekend I'm still using this iPod. I do love your conspiracy theory on podcasting. You know, we did have a meeting and discussed how to get you started but no one had ever caught on before that it was an insidious plot hatched by me and Leo. It looks like it worked. Now, while I don't listen to music myself I'm so glad that after 15 years the iPod classic is still singing you bedtime lullabies. I didn't know what to expect when I threw out the idea to the NosillaCastaways for this I'm Still Using It series but the next entry from Kevin Jones was probably the biggest surprise. I thought the most ancient tech was going to be Bruce on Emacs from 35 years ago but listen up, here's what Kevin wrote.
When I was in elementary school a talking calculator with the four basic functions cost $500. So in fourth grade one of my teachers taught me how to use an abacus. This was huge because math on paper in Braille was slow, difficult and cumbersome. Several years later Sharp released a basic talking calculator costing $70, affordable to most people including my parents for Christmas when I was in high school. Calculators were not allowed while taking the ACT test so I took in my abacus. The proctor was convinced it was electronic and took five minutes trying to find out where the batteries were and finally gave in and let me use it. More recently I found I could do math in binary on an abacus and used it on a Cisco networking exam. No subnet calculators are allowed on those either. With several computers around me as I write this I still have an abacus on my desk.
It's still more efficient for me to grab it and add up a few numbers than to open up a calculator program and leave where I'm currently working. I know the abacus hasn't been updated in decades but it still gets amazing battery. Well, no, still no batteries. When Allison asked for examples of old technology listeners were still using, I just couldn't resist.
Isn't that crazy? I had no idea that an abacus could still be handy. I am absolutely adding this to my list of things I want to learn. Thanks so much for sending this in, Kevin. It was a real eye-opener, if you will. Terry of Palo Alto brings us another blast from the past. He says,
as a government-certified old person I'm still using some vintage technology. For instance, I'm typing this on a 35-year-old Northgate 102 keyboard that has served about 20 computers along the way. Also, I'm proud to say I still own and maintain my first car, which is a 1972 Datsun, and I play a 1952 electric guitar. These items are examples of superb engineering lasting over the years and enjoyed by lots of folks today. A car and guitar are now considered vintage and collectible and at least Steve Gibson and I prefer the old Northgate 102 keyboard. Now let me turn to a piece of tech gear that is approaching 40 years old and is still working on a regular basis. But this time I'll argue that it may be the last working example and that I may be the last person on the planet using one. What is it? Let's start with some clues first. It was purchased in 1983 as part of my first computer system, an IBM PC with two floppy drives instead of just one. About 20 years ago, it suffered a catastrophic component failure but was fixed by a small piece of wood with a DIY repair. I use it on a monthly basis and it would be hard to replace it with modern technology. So what 1980s technology could survive 40 years and still be uniquely useful? Give up? Well, it is a Brother HR-15 daisy wheel printer.
In 1983 I was working at the Stanford Accelerator Center and was the third person to venture out and purchase a personal computer. My goal was to support a sideline business and I needed to write technical proposals. The computer was just to run a word processor and I got a daisy wheel printer instead of a dot matrix so that my proposals would look more formal. In those days, Brother made traditional typewriters and the engineers simply made the HR-15 by removing the keyboard on the front and installing an LPT port on the back. All was good writing proposals but as business needs grew, my attention turned to managing inventory and finances. In those days, there was not much commercial software available outside of Lotus and a few word processors. I heard there was something called dBASE which had no useful user interface but could be programmed to make your own. So propelled by my intrinsic laziness, I started automating all of the typical business processes like inventory management and financial control. The best part is that I could design my own user interface and get things done with the absolute minimum number of key presses. It didn't take long to include printing checks in my chain of laziness. With one screen entry, I could capture the expense, print the check, log it in a searchable database, update account balances and print out a year-end report for the accountant. Thus began my long relationship with this printer. My dBASE programs have evolved over the years and they still manage all of my financial records. The HR-15 still prints checks every month but sadly about 20 years ago it could no longer print. The printer used a hard rubber cylinder as the hammer that struck the daisy wheel and over years it cracked and fell off. There didn't seem to be any prospect to get replacement parts so I just gambled and made an identical shape out of an oak dowel.
I installed the oak striker and it has been working fine ever since and so is the story of the venerable Brother HR-15 still pounding on after all of these years.
Well, this is epic, Terry. I went out and found the daisy wheel printer in the Computer History Museum. I put a link to it in the show notes. I love the part about how you made a replacement part with an oak dowel. That is simply awesome. My father would have done that. I love it. You also solved a mystery for me. Remember what I said about learning vi in response to Bruce and Emacs? I said that I used a device that was kind of a cross between a computer and a typewriter and I do remember that it had a flat plastic typewriter print wheel that you could change out. Guess what that was? It was a daisy wheel printer. I am so happy that you solved this for me. Now if you could help me remember what I was using that was driving the printer at the time that actually had vi written on the keyboard, that's the other piece of the puzzle I need to know. We have four more I'm Still Using It segments and they're just as great as the ones you've heard. We've got a Security Bits coming up in this show so I'm saving these last four for the January 1st show. I know it's a tease but you're just gonna have to wait. The I'm Still Using It segments you just heard are piled into two long blog posts but in the audio you should also find chapter marks to each person's contribution with a link to one of those two blog posts. Thank you so much to all of the contributors. I loved all of these segments. For this week's pledge break, as Frank likes to call it, my request is that you have a safe and happy holiday. I know it's rough goings weather-wise for a lot of you out there and maybe you won't be able to get to go where you planned but please stay safe and at least have a relaxing time.
Well, it's that time of the week again. It is time for the last Security Bits of 2022. How you doing today, Bart? Hi, I'm good.
You can't see this, dear listeners, but I'm in my Santa T-shirt. If you watch Chuck Joiner's Mac gift guide, I wear something stupid every year and it was the same T-shirt that I wore but that was recorded a month and a bit ago so I have laundered it since. And we have a little Christmas tree icon to make the Security Bits look a little more friendly, right? Yay. Yeah, we do actually. I put it in the show notes. I was just in that kind of a mood today. What can I say? And my one bit of HomeKit is working again. I can walk into the house and when I shout jingle bells, all the Christmas lights go on and when I shout humbug, they all go off. Perfect. And when I shout neighborhood cheer, just the ones outside go on. Put the ones inside. Oh! So when I'm leaving the house, I shout neighborhood cheer and then I leave. Oh, that's perfect. Yeah, I thought so.
Anyway, security stuff, security stuff. Some follow-ups to start the ball rolling. Apple have released to United States customers their opt-in Advanced Data Protection for iCloud. If you live in the US, if you have only the very, very latest devices and if you are brave enough, you may turn it on. I don't have the option. If I did, I wouldn't because you want everybody else to go first? Yeah, this is one of those cases where what's most likely to hit you? Are you most likely to need Apple's help to recover your vital family pictures or are you more likely to end up the victim of some sort of state-sponsored attack? If you're the CEO of Intel or a politician or a journalist, yeah, turn it on. But you know, for the rest of us, maybe just sit back and let the first round go. Maybe just let some people be the beta testers on this one. I think so. Well, you and I both don't have the option of going because we have spare devices that are a little longer in the tooth and so we can't go. So we didn't even have to make the decision. Yeah.
If you're still thinking of going for it, there's another article linked in the show notes from AppleInsider. They're basically pointing out that there are Apple devices without screens, which become much more complicated to set up out of the box for a while because they may have shipped from Apple's factory with an older version of iOS, but they're now arriving for Christmas. And if you've just enabled this feature, you then have a chicken and egg problem where you may have to use someone else's Apple ID to get the device patched and then switch it over your Apple. Yeah. Oh, yikes. Now it is an interesting conno... So if you get a Mac Studio or Mac Mini, it doesn't have a display. It particularly the... Well, I mean, you would have a display but it's the HomePod in particular, the tricky one. Oh, the HomePods are in the game too. Yeah. They need to be on the... Okay, I see what you're saying. Yeah. Oh, wow. They're into your iCloud, right? They get your calendar and all that stuff and they're awfully integrated. So they all need to be updated too. So like I say, this is an early adopter's game and unless you're game for being that, just sit back, sit back. You know, it's only America, it's only in beta, well, I think it's officially out of beta but just don't rush in. Similarly, if you really are a beta person, if you're actually running actual beta software, iOS 16.3 beta has been released because 16.2 went public and you can now, if you like, use a physical security token with your Apple ID if you are. Oh. Yeah. So that was one of those features now.
The other shoe that's been hanging in the air that we have known we would learn more is LastPass. So when last we left this story, they had released an initial report to say, we were re-hacked using information taken in last summer's hack. We now know a little bit more detail.
It was basically a successful spear-phishing attack against an engineer based on information taken in the previous attack, which allowed them to construct a very well-focused attack against the engineer. So it really was a second attack? Yes. It really was a second wave of the same attack. They're related, but not the same, I guess. But yeah, definitely related. And they got quite a lot of stuff, actually. So the biggest danger, so the takeaway if you're a LastPass user is that you need to be really, really, really aware of the possibility of very convincing phishing attacks because the attackers were able to get the customer database. So they have your email address. They have potentially your phone number. They also have your IP addresses you regularly use, which could really be used to construct a very convincing address. Like, we usually see you connecting from, you know, one, two, three, four, five, six, but now we've seen you from, is this you? Like, that could really, that could feed into making a very believable phish. Interesting. Okay. I'm not sure they would, if you think about most users, wouldn't have any idea what their IP address is. I wouldn't know what mine is. Okay. I never looked at it. Second, maybe the IP address is that's important. They have your email address. They know whether you usually use a Mac or a PC because, again, they have your regular usage data. So they have enough to say that we normally see you from Safari and Windows and now we've seen you, you know, or even they could even say, we know you're normally in Ireland and we've seen you from Jamaica, right? The IP address can be used in all sorts of ways. I wonder whether they'll be, that's interesting. I think that it's likely that they would do that, but on the other hand, my experience with most of these attacks when they do a broad swath of people is they aren't particular. 
They send Mac users or somebody on an iPad, they send them a picture that's a Windows screenshot that's got the X in the upper right, you know? And so they don't seem to tailor per user. It depends on the dataset the bad guys have available to them and the competence of the bad guys. If the bad guys have a dataset that tells them how to find this. Well, the finesse that they choose to use, yeah. Yeah, yeah. I mean, they certainly have the ability to do it. Yeah, and it depends on the value of you, right? And they may be able to tell the value of you, like your email address may give away that you work for Intel or that you work for, your email address could give away a lot, right? That could really help target you down. The other thing is, so the secrets in people's vaults were not compromised, but the actual encrypted vaults were leaked this time. So the bad guys have the encrypted vaults. The encrypted vaults are obviously protected by your one password, which is not called your one password, but you know what I mean, right? Your master password. It's called your last password. It's called your last password, okay. If you followed LastPass's rules, LastPass have laid out their full algorithm. They had already laid that out before, but they have reiterated their full algorithm. If you had followed the rules and used a 12 character password, it really will take the age of the universe to crack your account. So you really are fine. But if you ignored all of their advice and you set yourself a weak password, you may need to go change all of your passwords everywhere because those encrypted vaults are very high value. They are going to be tied back. So the encrypted vault as downloaded at the time is protected with the password you had at the time. So changing your password now doesn't do you any good. No, not your last password. You now have to go change your passwords everywhere. That's what I'm saying. 
The reason, you can't go to LastPass and change your password now and protect that vault. Because that vault is encrypted with the password you had when it got hacked. Yes, because actually what the bad guys got into was the backup system. So they were able to restore from backup. So they didn't get into the live production environment, but of course a good live production environment is backed up for everyone's safety. So they got into the backup system. Right, now if you're a 1Password user or, what's the other one that's gaining, Bitwarden, don't sit back with a little smirk going, well my password manager's better than yours and I don't have to worry about this. If you don't have a long, strong password on that, go change that now because this is just again, one of those when not if. I mean, maybe those companies are doing something better than LastPass did. Maybe LastPass made some mistakes, but this is like blaming somebody for getting COVID is what it feels like to me. It's like, well, you know, it's certainly, it's, I mean, you can be stupider, but you also can't, maybe can't be smart enough. Yeah, there was no such thing as perfect security. I know this is literally my job now. All you can do is your best and someone is perpetually moving the goalpost. So you're always running at a target that never stands still long enough for you to arrive. And you always get to where you needed to be last year, but the problem is now is this year and you need to be somewhere else. And so you will never catch up and even the best possible world. Skating to where the puck is, right? Yeah, exactly. Where it will be. It never ends. And the other thing to point out is that the LastPass vault does something that I don't know if 1Password still does, but I know for a fact it used to do. So there are plain text pieces of information in your LastPass vault because that allows the browser to search for which passwords are available for it to fill. 
Oh, so that metadata would tell them that there is a password to Bank of America? Yes. And now think about the phishing you can do. When you combine that with everything else that's been leaked. So that is the real sting in the tail here. LastPass have basically, LastPass have lost their belts and their suspenders and the only thing holding them up is the braces of their zero trust design. They are now actually completely reliant on the zero trust design model, which I mean, there was always a case that that was the last line of defense, but that is now the only line of defense. So this is like the drawbridge and the moat and the alligators, but now they're down to just the moat is all that's left. Or the castle keep if you want to keep to the analogy, right? The castle has fallen but the keep is still standing. Assuming someone remembered to lock the door. If he stretches really too far. Just to make sure everybody leaves this story with no optimism whatsoever. Quantum computing is coming along and that age of the universe problem starts to change as quantum computing exists, right? Not necessarily. Not necessarily. It would depend on the algorithms used because only some algorithms are prone to acceleration through quantum techniques. And it's a key crypto that has the issue. So I actually don't think quantum is an answer to... So basically the algorithm involved here is PBKDF2, which is password based key derivation function two, if you're curious. Which takes your password and does millions of iterations of a hash to turn it into a key. And then that key is used to encrypt your data. And I do not believe that quantum speeds up PBKDF2. So I actually don't think that's the answer. Oh, well that's good. Oh, I'm glad I brought it up then because I would have gone to... I would have left this story still queasy, but that's better. It is better, definitely better. No, I think if you have a good password, you are fine. 
The whole point of their architecture was that if the worst happens, you'll be fine. The worst has happened, you should be fine. Right, right. As long as you made a good password, as long as you went over to xkpasswd.net, created a long, strong, memorable password and you use it religiously. Pretty much. And like you say, Allison, another really good takeaway for everyone who was not a LastPass user, now is the time to make sure that your 1Password or your Bitwarden or whatever the hell you're using, make sure it is good because it is doing the same job. So you can change it now before it gets high. So you need to. Right. Our second deep dive is kind of a follow-up and I wasn't sure if it was a deep dive and then I tried to write it as a quick bullet point and then I realized there was too much to it. So what the hell? I've made it into deep dive. So when last we spoke, Twitter were about to relaunch their Twitter Blue thing with the tick marks to get your blue checkbox. And we had said that at that moment in time, what Elon was proposing seemed sensible and good. And it pretty much actually has come to pass, but it is actually worth looking at exactly what is and isn't being offered. And if I'd been a little more forward thinking, I'd have put a link to the most recent Chit Chat Across the Pond where we talked about what it means to be verified because it's important. But Allison will put a link to it. Thank you. It's important to understand what is being promised because the tick cannot deliver more than is being promised. So the TLDR version, does this mean that Twitter accounts are verified again? The TLDR version is that no, if you see a blue tick mark it does not mean the account is verified, but the gold ones and the gray ones might be verified if you trust Twitter, maybe. But anyway, we'll get to that. I'll justify that sentence. Okay, one second. 
So what Bart just referred to is we did do a deep dive on what verification means and how it's done in different systems and what does that check mark mean in different systems? Not only how is it created, how is it managed, but what does it mean when you see it? So that's what I'm gonna put a link to in our Chit Chat Across the Pond. Which we start with the really big question of, well, what does it actually mean when someone says this is verified? You have to ask yourself, what is the claim that they're making? What is the evidence? How is the evidence being checked by whom? And how is that being communicated? So when you run all of that against what Twitter are doing, you get to the conclusions I'm gonna bring you towards now. So the first thing to say is that only five countries get to play and a lot of NosillaCastaways will get to play, but not to me. I'm entirely sure I want to play, but if I wanted to, I couldn't. Australia is in, so Rose can play along as she would like. Canada is in, so Stephen Gates gets to play along. New Zealand is in, so Alistair gets to play along. The UK is in, so that's loads of people get to play along and the United States is in. So that's lots and lots and lots of NosillaCastaways. But that's it, it's just those five countries at the moment. If you buy a blue, if you buy Twitter Blue, you have the right to a tick mark, but you won't get it immediately. So you'll pay your money, but you won't immediately see a tick mark. What will happen instead is that your account will be put into a queue to be verified by a human. Not validated, verified. Actually, sorry, reviewed, sorry. Let me check my, yeah, reviewed is the wording Twitter used. They are not checking that you are who you say you are. That is not the promise that the blue tick mark is making. They are not saying that you really are Allison. What the only thing they are asserting is that your account does not appear to be deceptive. 
So basically, if there's a giant, big obvious, you're pretending to be Elon, you're going to be out, but you'd want to be doing something fairly obvious, really, for this to stand much of a chance. So this will definitely get rid of the jokers, but it isn't, it isn't a very strong claim. It's a very, very weak claim. Yeah, I wonder what the reviewing to say whether or not you appear to be deceptive. I mean, if I'm really sincere that I'm claiming to be the president of the United States, does that, I don't know, I don't know what criteria you'd use for that. Well, they've told us two criteria, but not really much about them. They've given us two hand-waving things they're going to be checking for. They want, they should, the account should quote, show no evidence of being misleading. So show no evidence of is again a weak bar of being misleading. It also sounds like a lawyer wrote it. It does. And show no evidence of being an automated bot engaged in platform manipulation or spam. Well, okay. That's it. That is the bar. They do not tell us how they validate people against the bar. We do know how they communicate that they have validated and they give you the blue tick, but that is it. So they're saying that you're not obviously deceptive. You're not obviously misleading and you're not obviously a bot. Other than that, that's it. That's the sum total of what the blue tick mark means. It kind of sounds like the old validation except the original one was also, and you're maybe kind of famous. But also, no, they verified your identity. No, no, they verified your identity. So the old one was asserting that if it said that you were Tom Jones, you were Tom Jones. If it said, so they were asserting identity. That's a very strong point. Oh, and they're not doing that at all now. No, no, no, there is zero. No, no, it is only that you're not deceptive, that you are not misleading, and that you are not a bot, right? That is all that is being asserted. It is very, very, very weak. 
They are not telling us how they are doing this review. They are not telling us what evidence is feeding into this review. So the only things we know is the claim and how it's being communicated. It's being communicated with the blue tick and the claim is just that very weak thing I said. Everything in the middle is missing. So from our four things we need to understand, two of them are completely missing, so it's basically trust us. We're making a weak claim, trust us, and we'll show a blue tick mark when we have done our whatever it is we do to verify the weak claim. So, you know, that's what it is. So not that strong. Now, maybe there is some strong validation happening all the same on the platform because they also announced two other programs. So they also announced a, they're calling it a test, not a beta, they're calling it a test for a corporate version of Twitter Blue. And these will be, they use the word verified, and these verified companies will get a gold tick mark. Now, the verification is probably in the form of we got a check and it'll have the company's name on it is probably how that verification is done. I'm guessing there's money changing hands and that helps make all this easier. But they are claiming verification of these corporate identities, but they're not explaining how whatsoever what these companies have to do. They're just saying that you can apply here. And that's kind of it. So, I don't know. Not even the corporations, they're not telling us what they're doing for that? Nope, I read the full docs. There is a paragraph. It says that companies can get a gold, verified companies can get a gold tick mark. Okay, thank you. Wow. Okay. Even more fuzzy is that people vaguely remotely connected with government of any form anywhere can get a grey tick mark. 
And they again say that they will be verified as being, I think it's government agencies, government offices, government employees, official spokespeople, elected representatives, the staff of elected representatives. Like the criteria is very, very, very, very broad, but they do use the word verified. But again, there's nothing between, this is what we're claiming, and this is how we're showing it by having the grey tick mark. So how they're verifying any of this is completely up in the air. And they also say local and national government. So if I run for office in the local town council here in Manus, I theoretically am entitled to a grey check mark. How would they even verify that there is a town council in Manus? Let alone that I'm on it. Wow. So I don't know how much stock to put in either of those two tick marks. I think all we can do is wait. And if they screw up, we'll know. There will be much bigger pointing and laughing. And then we will know. And you know, people are going to try, right? That is the one thing we can be guaranteed of. This will be tested. So we shall see, but I would not be in the market for gambling on whether this will be a success or not. So in other news on the whole check mark verified thing, I'm sorry, paying the fee to be verified. You know that Elon has been taking polls to make decisions, policy decisions. In fact, one of the polls was should I step down as CEO and 17 million people voted, which is a lot more than he has followers. And they said he should step down. But after that, someone said, why are you letting people who are not verified have a vote? You should only let people who pay vote. And he said, okay, we just made that policy change. So you can only vote in his little polls on policy if you pay him money. I, in the abstract, I actually don't think it's a bad idea that people with a stake or that people get to make the decision. Yeah. In the case of this particular clown show, I'm not sure it helps. 
Yeah, I really thought I was on Mastodon as just a, you know, give me a fun place to play until Twitter comes back to its senses. But I don't know. It's not feeling good this week. There's another real breath of fresh air to Mastodon that I hadn't appreciated until now that I've been there a while. There's no algorithm. You just see the stuff in the order it happens. There is no one trying to make you outraged. You know, I miss that whole outrage because I always use Tweetbot, which just shows you chronological. So I've never seen an ad on Twitter. And I've never, except for when somebody sends me a link and it opens in a browser, then I'll see it. But I never see the forced order algorithm nonsense. So I've been insulated from that. Okay. So for you, this is a new, for me, this is a whole new experience. Oh, that's gets better and better, right? It really does. Yeah. I was like, oh my God, now I remember why this is better. This is like old Twitter. This is like how it used to be. Yeah. It really does feel like Twitter to me, except without the creepy. Yeah. So anyway, there we go folks. There we go folks. Here's yet another reason Mastodon's good. When somebody posts something, they can put a CW in it that is a content warning and it hides it. So if I'm reading my feed and I'm reading somebody that I really like that, you know, they post funny things and they post astronomy, but then suddenly they want to rage at the government they could just put a CW on it and people do. And so, and you can use it for spoilers of movies, things like that. So I see a fair number of CWs and I just don't click them usually because I don't want to be outraged. Just to make it clear to people, the CW, you as a person get to, to describe what it is you're hiding, right? So you can say, Yeah, I don't always see that. You get to give it a title, don't you? Maybe, maybe. Yeah. It's like movie spoiler or politics rant or yeah. Yeah. Yeah. 
It requires the politeness of people to do it, but they do it. And again, you're only seeing content from people you choose to follow. So if people fail to or abuse the system, well, just don't follow them, right? Because there's no algorithm shoving anything at you that you haven't asked for. So you're kind of in full control. I just love the idea that you get this blank box and the person who wrote the post gets to decide how to describe what it is they're not showing. So it's just, if you want to be polite, I'm giving you all of the tools to be nice. Yeah. Yeah. It's good. Okay. So on to regular business then, action alerts. It has been busy since last we spoke. Patch Tuesday has been and gone. So in Microsoft land, that means it has been a big update with two zero day bugs patched. And there was also a bit of a kerfuffle where some malware was out in the wild that was digitally signed as a driver, which means it has really low operating system access. And Microsoft have now revoked the keys, but it's still not quite clear how exactly that happened and how exactly Microsoft is going to stop it happening again. So they have solved the short-term problem, but I'm not clear on the long-term implications of this Patch Tuesday. Yeah. Well, another thing on the zero days, one of them at least is an actual honest-to-gosh worm. So for a refresher, a worm is something that you can catch not by any user action on your part. And my understanding is that the worm actually wasn't from this Patch Tuesday. Was that a week ago? So basically we now know that a vulnerability that was fixed in September was actually wormable. That is extra news about a previous vulnerability. So people who didn't patch in September are aware of the worm. Yes. But the problem was that Microsoft marked it as, you know, you should probably do this one, not as, you know, Danger Will Robinson, you have to do this one. It escalated its importance. 
So if you were like, well, I can take my time on this one because it just says, you know, I forget what the terminology was, but it was less alarming than it should be. Yeah. I have to say that the emerging consensus is that you apply all patches and the risk of patching is much lower than the risk of not patching. Sure. Sure. But not everybody follows that advice. Well, certainly home users don't spend time triaging fixes, right? Home users just apply them. Yeah. And that approach is now spreading into the corporate world. There was certainly a time where it would be someone's job to check every Windows update and decide whether or not to bother rolling it out. A, you couldn't hire enough people to do that well. And B, the risk arithmetic has completely flipped. Yeah, I'd really like to know what that's like in my old company because that was definitely not the case before that you just did it. You know, a program manager could call you and say, no, we're too busy. You can't apply it. And we had to follow that rule. I don't know what it will be, but it won't be quite that. I can promise you it's changed. I don't know what it's changed to. Definitely. And then over in Apple Land, it was also busy, Apple basically patched everything. So iOS 16.2, iPadOS 16.2, macOS 13.1, watchOS 9.2, tvOS 16.2. And then the older OSes got backported fixes. So Big Sur, iPadOS 15, and iOS 15 also got patches and Safari got a patch as well. Oh, I didn't know that. I need to fire up the older Mac and run those updates. I didn't realize those had come out. By the way, for the I very, very, very rarely run into a problem with an OS update. So I am a big old, you know, why haven't I gotten the update yet person and I make sure I hit it right away. But last week's show, Bart and I were struggling a little bit with the audio because the macOS 13.1 update broke all of the Rogue Amoeba apps. It broke Audio Hijack and SoundSource and Loopback and the ACE component. 
It was all broken, but it is all fixed now. So there was, it was basically whack-a-mole trying to figure out where the audio had gone and trying to get it into the right pipe. And we eventually got there, but it was, we lost about 45 minutes trying to get my audio to Bart. I don't even remember where we ended up in the end, but we did do that. I think it worked. Yeah, we recorded it three ways. We recorded it three ways. Oh yeah, we went into Zoom and then we went into StreamYard and then I think we ended up back in Zoom in the end. I think we did, and I think it was Skype effort in the mix. We hit the record button in the meeting. We hit the record button on my end and we hit the record button on your end and we, you know, belt, suspenders and braces. We did get there, but yeah, that was interesting. Yeah. Also, in very similar news to the Microsoft news, we have also learned that an older update to Apple's stuff also patched a bug in the past, which has now been revealed in detail. So the bug was discovered by Microsoft and it was responsibly disclosed to Apple who patched the bug and now that the bug is patched, Microsoft have released the details. So that's all it has to be. But it's back from macOS 11 and 12. So that's Big Sur and Monterey. Interesting, but they just kind of wanted to say, hey, look what we found. I understand that it was patched recently in those older OSes. It was just not in the other OSes. Oh, okay. So just for extra confusion. It never affected iOS and it doesn't seem to have affected 13, but it's a recent fix in the older OSes. And your notes say that it was similar to a Windows bug? Yes. So one of the zero days fixed in Windows is a bug which stops the... In Windows, they have this thing called the mark of the web, which sounds ridiculous. If you download a file from the internet on Windows, it gets a special piece of metadata. 
And if you try to run that file, Windows will pop up a warning that says, yeah, you downloaded this from the internet. Are you sure you want to run this file? And so that stops the drive-by download from running automatically. So the mark of the web is kind of important for protecting you. It's part of a chain of attacks. It's not enough to get you hacked on its own, but it is enough to make something run. And then if there's another vulnerability that they can leverage for privilege escalation or something, you chain them together and you get a real attack. So the mark of the web was important and there was a logic flaw in how the mark of the web was applied so it was possible to bypass the mark of the web. Apple has something really similar called Gatekeeper, which is supposed to do things like not let you run software that isn't properly signed. And there was a logic problem, and it meant that it was possible to craft an executable that it wouldn't flag up the usual warning of this is from an untrusted developer. Therefore, it could be used as part of an attack chain when chained together with another vulnerability, dot, dot, dot, dot, right? It's basically the same thing. It's not a catastrophe because for most of my life we didn't have any such a concept as signed software, but it is nice that Apple gave us these extra protections over what we used to have, and so having the extra protection disappear is not nothing, but it's not the sky is falling. It's a medium severity. The Microsoft engineers had a sense of humour and they named their blog post the Achilles heel of macOS. And the media didn't bother with the facts or the details. Why would they? They went with the most hyperventilating headlines about this major fundamental Mac flaw and if we weren't patched you were doomed. And I just really enjoyed reading a security article going, we thought we'd miss something, but we read everything. There's very, very little here apart from a cool name. 
But that doesn't seem to be enough to get the headlines going. So if you heard something about the Achilles heel... Well, Microsoft just poked Apple in the eye for whatever reason. Well, the thing is, if you read the actual blog post, it's not even hyperventilating, it's just they went with too clever a title. Right. Well, that's what I mean by poking them in the eye. They didn't need to do that. They could have come off as the good hats and looked like heroes, but they had to poke them in the eye to get it. Oh well. I guess. I don't know. I think it was just a sense of humour. But anyway, if you heard something about the Mac being doomed, no, it wasn't. Anyway, patchy, patchy, patch, patch, and you're all good. It was good. It was a post facto release of something that's already fixed, which is the way I like it. That's responsible disclosure. We like that. Moving on then to our worthy warning section. This is the bad news bit of the show. Because why would I warn you about something nice? So the first bit of news we have is that Epic have managed to set another record. They have paid the biggest fine for, quote, or not quote, for the way it was described by the Vox.com headline. Epic Games has to pay $520 million for tricking kids and violating their privacy. They used dark patterns to trick people into in-app purchases, and they violated COPPA. And COPPA was the child online protection, something Privacy and Protection Act? Something like that. Yeah. So I don't put this one in the bad news category. They did it. They got caught. They paid $520 million. We knew they did it before, right? Did we? I guess I haven't had a particularly good opinion of that company for some time, but I think being that Fortnite was one of the most popular games on planet Earth ever and that was targeted at kids. This is ick. I guess you're right. Yeah. We'll give you that, but the good news is they're caught and that's a huge fine. That is one of the biggest. 
The biggest so far, yeah, of its time. Wow. Record setting. Epic. Epic win there, guys. Anyway. Meanwhile, Equifax, that story that doesn't stop giving. The settlement is being paid out at the moment. So there are legitimate emails going into people affected by the Equifax breach with their share, allowing them to claim their share of the money. For most people, it works out like $5 is the way these things always go. This is the breach where they lost all of the social security numbers, like eight years ago. Your credit score for basically all of America, yeah. But yeah, not just our credit score. It had our social security numbers in it. That was why that's the one. That's the one I really care about. Yeah. Every possible piece. Yeah, so assuming you did the paperwork to claim your share of the money, you should never be getting an email helping you claim your share of the money. At the moment the emails going around are legitimate, but Brian Krebs has pointed out quite rightly that it is probably a matter of hours until the scammers start to fake these emails. So he is in a blog post describing how you verify that the email you got is the real one, and that you are not being yet again violated while trying to get your compensation for having been violated. So if you're going to do the Equifax thing, read Brian Krebs's article, it will help you navigate those rocky shores. They should have made them send paper mail to pay $0.50 as a paper mail. Yeah, but think of the trees. Yeah, there's that. And then another thing, definitely this falls in the worthy warning category. So Naked Security are reminding people and they have basically Naked Security do this thing where they get spam emails and they click on all the links to see what happens and then they take screenshots so we don't have to. Basically we click on them so you don't have to, is their theory. And it's a timely reminder that the bad guys will fake anything. Right? So a trend at the moment is fake. 
We have noticed the suspicious login email. So that is immediately making you think that this is the good guys trying to help you out. Oh, we've noticed someone tried to log into your Facebook account from Paris. Was that you? Only it's a fake one of those emails and they go through the whole step. So remember even emails pretending to be alerting you to a security problem could actually be fake and could in fact be a security problem. And the way you always start is by typing the URL into the address bar and never clicking on a link in an email ever, ever, ever, ever. Right. Right, right, right. A friend of mine just got hacked for the third time. Third time he fell for a scammer. I have great sympathy the first time. I have some sympathy the second time. Well, the first time it happened, he's got a PC and he told me after it was done that it was okay because he had someone clean everything up for him. And when I talked to his wife after the third time I said, I said, yeah, you know, back when that happened, I remember telling him there's no way to actually clean it up. You have to burn it to the ground and start over. And he didn't. And I don't doubt he has yet. So for all I know they've still got a keylogger on there and there'll be a fourth time. I told her to get him an iPad. Don't let him use a PC. Absolutely. If you do not need the power of a completely open operating system that can do anything, don't run an operating system that can do anything because it's probably doing things you don't want it to do. Yeah. Basically, they are now specialist devices that unless you know what you're doing, you should not be using a general purpose computer. They're a power tool. If you don't wear the appropriate goggles to stop your eyes getting destroyed, bad things will happen. Notable news then. TikTok appeared to have done an Uber. It's the best way I can describe it. 
So Uber would abuse the fact that they had location data for people to notice when government regulators were trying to watch them and I think they called it, I think they called the system black ball just to really be as un-PC as they could possibly be. Well, TikTok have been caught using the location data from the TikTok platform to watch Forbes journalists to try to figure out when a Forbes journalist and a TikTok employee came into contact because that way the TikTok employee was a leaker. Oh. So they were utterly abusing the information they have access to for their own personal reasons. The obvious argument they could do this on behalf of, they could do this if the Chinese government told them to as well, which is also true, but in this case it really didn't. So I was just instantly reminded of Uber, not of state stuff. This is just what they were using location data from the cars. Yeah. Yeah, so anyway, it's ick. It's just not the ick I was expecting. Yeah. And all the details are reported by the journalists themselves from Forbes. Right. Yeah, that's interesting. So they figured it out that it was happening to them. Yeah. Pwn2Own has been and gone. 53 things got hacked with 63 bugs and there was a million dollars given in bounties, which sounds really cool. I can also tell you that no one successfully hacked the iPhone, Pixel phones, any of the major smart speakers, no one got into a HomePod, no one got into an Alexa, nothing like that, which at first glance sounds fantastic. No one tried. So that means one of two things. Either no one had an exploit they were prepared to stand up on stage with and embarrass themselves because they weren't confident they could actually exploit the devices, which is the sunny side of the coin. Yeah, that's the rose-colored glasses view. The other is that the black market for these bugs is more lucrative than Pwn2Own. And therefore it's just not worth revealing the bugs at the Pwn2Own conference.
But we don't know. We do not know. We do not know. We do not know. So Pwn2Own was once one of the most important things in security. I fear this is evidence that it isn't the driving force it once was, because there was a time when the prestige of winning Pwn2Own was enough to make you, because like the prizes for Pwn2Own could never compete with the black market. They never could. But it was such a prestigious conference, people did it anyway. We seem to have left that world. Here's a delusional optimistic point of view. What if the bounties that Apple and Google are giving on their phones were worth it and that's why they didn't do it at Pwn2Own? That could have happened, right? It is absolutely possible. There's also grey hat companies and there's also arguably white hat services where you can report a bug so that you don't, they act as a middle person, so that if you're afraid the company will react badly, you report it to the middle person who reports it to the company and you get to be anonymous. There are... Interesting. It is an information vacuum and the chances are the answer is yes. All of those things are happening. It's probably the actual answer. The question is I don't know what the ratio is. But it didn't say, this didn't say that Macs weren't shown as being hackable or PCs. Exactly. If anyone just the phones. You could write a factually correct and utterly misleading headline that no one succeeded in attacking the iPhone. Yeah. Yeah. But we know that the whole Apple platform has an Achilles heel, right? Oh, yeah, there we go. That's it, exactly, yes. Then we also have an update from Australia. A few months ago, the Australian eSafety Commissioner asked all of the major companies to tell them what they're doing to prevent CSAM. And they got all of their answers and they are now digesting the answers and they have released reports on the first two they have digested which were Microsoft and Apple and they're not happy.
And CSAM again is the child sexual abuse materials. Correct. They are enraged that Apple are not scanning everyone's iCloud all the time. They probably should check the news and scroll up in these show notes because I think they may be ready to blow a gasket over there. Yeah. Yeah. Apple's new approach is to prevent the creation as opposed to continuously scan for the existence. Now my understanding was that even if you had everything encrypted and Apple did not have the key to the encryption they could still tell from metadata whether it was like from the hash they could tell whether it was CSAM. Not if it's end-to-end encrypted. Okay. That was all the controversy about Apple's system, right? Apple's system, the controversy was they would scan the hashes before they left your phone before they were end-to-end encrypted because once they're end-to-end encrypted it is pseudo-random gibberish. You can't get hashes out of it. So it was on the Accidental Tech Podcast and I think it was John Siracusa talking which would be there's something there. Well, you would have to scan it before you do the end-to-end encryption which is what Apple were proposing to do and then they got told in no uncertain terms about privacy that that was a terrible idea. Okay. They were applauded massively by child protection advocates for that same idea but they have abandoned that idea. Okay. Let's assume that Bart is 100% right and if I find out otherwise I will make a correction later but I'm 98% certain Bart is right so let's just go there. Okay. And if not, there's a very very subtlety and it's way more complicated than either of those two answers. Okay. All right. Last thing then is a bizarre story. So we know that it's against Netflix's policy for you to share a password and that Netflix are entirely within their right to boot you off Netflix if you share your password.
In the United Kingdom it is now the official government opinion that it is also against UK law to share Netflix's password. And at the moment there is no one prosecuting this crime but they could if they wanted and Netflix could press criminal charges. So that is an interesting data point that password sharing... Why would that not have been an obvious statement? I mean I just assumed if it's in their terms and conditions that makes it illegal, no? No, terms of service aren't illegal. They're just grounds for terminating your service. You are not allowed to swear on many platforms in their terms of service. It's not a crime. Just not allowed to swear on their platform. You're not a criminal. You're just in breach of their terms of service. They can boot you off and you have no recourse. Okay. I guess I thought there were aspects that would be considered illegal. In America you have the Computer Fraud and Abuse Act which criminalizes breach of terms of service. That is an American thing. That is a terrible idea. People are trying to repeal that insane law from the 80s or the 90s but that is a really American thing. Most of the world has not criminalized breach of terms of service. Okay. So I think that's what you're thinking of, the CFAA, which is a train wreck of a thing. Oh, I have lots of empty sections. Oh, we're down to palate cleansing. Yay. Oh good. One of the earliest games that I remember playing on my iPod Touch was a game called JellyCar and it's a physics-based game and it's just really good fun. It's a squishy little car. It's really childlike and playful but it's all physics puzzles you have to solve to get your car to do whatever it needs to do. They have made a new version of the game called JellyCar Worlds, which is on Apple Arcade. So if you're an Apple Arcade subscriber you can just get JellyCar. I promise you it is so much fun to waste some time over the Christmas holidays. It is just a pure fun physicsy game.
You could argue it's even educational. Definitely fun for kids. I think it's fun for everyone. It's just such an adorable game. So JellyCar Worlds is now available on Apple Arcade. Well, that sounds like a great one. It has nothing to do with security but I love it. I'm downloading it now. Yay. Well, we love physics. Always love a good physics game, definitely. All right, Bart. Well, I guess that wraps us up for 2022. We will see you in the new year, right? I will talk to you next year and let us hope there's no security issues between for the whole rest of the year. Fine for the whole rest of the year. But seriously though, when you get all of your new tech, do remember to patch it so that you stay safe. And above all, just have a good time, enjoy your family, do fun things and start 2023 all relaxed and revitalized. So until we chat again, I'm going to cheat on this one. I'm going to wish everyone happy computing. Well, that is going to wind up the last NosillaCast for 2022. I hope you had fun along with us. Did you know you can email me anytime you like at allison at podfeet.com? If you have a question or a suggestion or better yet a review, just send it on over. You can find me on Mastodon at podfeet at caas.social and I'm occasionally on Twitter at podfeet. If you want to join in the fun of the conversation, I highly recommend joining our Slack community at podfeet.com slash slack where you can talk to me and all of the other lovely NosillaCastaways. Remember, everything good starts with podfeet.com. You can support the show at podfeet.com slash Patreon or with a one-time donation at podfeet.com slash PayPal. And if you want to join in the fun of the live show, the next one will be on January 1st, 2023. Head on over to podfeet.com slash live on Sunday nights at 5 p.m. Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening and stay subscribed.