Hi, this is Allison Sheridan of the NosillaCast podcast, with an ever so slight Apple bias. Today is Sunday, May 11th, 2025. This is show number 1044, and today we're celebrating 20 years of the NosillaCast. On May 13th,
2005 was the very, very first episode of the NosillaCast, and that intro you heard was my high, squeaky little voice and how I thought it was going to be a completely different show than it is. That first episode was 9 minutes and 38 seconds. I'm pretty sure that my intro is going to be longer than that. As you might guess, I'm pretty chuffed about hitting the 20-year milestone for the show. I'm also very proud to have the longest-running Apple podcast now.
But I can't celebrate without honoring those who came before me. Adam Curry created the first podcast, The Daily Source Code, which came out in August of 2004. Adam Christensen launched the MacCast in October 2004, and it ran for 19 years. That's when he moved over to the MacGeek app to join Dave Hamilton and Pilot Pete. I'm so glad his voice and knowledge are still out there on the internets for us.
And then there's one of the kindest men to ever walk this planet, Tim Verpoorten, who ran the MacReviewCast. Tim passed away far too young, but I know that many people found the NosillaCast because of the little segments I would do on his show. If you ever hear me say, "this app does one thing and does it well," I'm quoting Tim Verpoorten. I thought a little bit about the software tools I've used over the years, and I think I'm only using two that have been with me from the beginning.
My website has always been built on WordPress, and ever since it was invented, I've been creating the podcast feeds with Feeder from Reinvented Software by Steve Harris. I asked him if he by any chance had my original registration, and he found it. It's from September 2005. Before that, I actually hand-coded my feed.
I know that Steve appreciates my input on his software since the About page says, "Thanks to Allison Sheridan for use of her feed and screenshots and for being generally annoying." He is so awesome. Now, if I was to attempt to thank everyone who's made this show happen, I would most certainly miss too many people, so I'm going to keep it down to just two people. Without Bart Busschots, this show would not be what it is today. I don't know if it would even exist.
It's not just security bits. It's not how we host the shows when I'm away and shows we do together like Programming by Stealth and Taming the Terminal. It's also that he's one of my dearest friends. Now, I embarrass him a bunch with thanks again and security bits this week, so I'll keep this short, but I could go on and on and on about how wonderful he is. And then there's Steve, or as he likes me to call him, Husband Steve.
When I started the show, we were both working full-time, winding up the raising of our children and sharing all of the household duties. But when we retired in 2013, he took over virtually all of the work around the house. Now you might think I mean things like, you know, fixing small plumbing problems, which he does also do, but I mean things like grocery shopping, cooking, feeding and cleaning up after the dog, and the laundry. I do so little around here, it's actually kind of embarrassing.
I do wash the dishes, and I wax his car, and that's about it. On top of all that, he produces all of the videos you see in here of our interviews, but beyond the task-based work, he supports me in what I do here. He's my champion, and I love him dearly for that. I lied. There's one more group of people to thank, and that's you, the listener.
Maybe you've dropped me a note to tell me I'm wrong. Maybe you're in our Slack community. Maybe you've done a pull request in one of the Git repos for programming by stealth. Maybe you've sent me a financial donation. Maybe you sent in a dumb question. Or maybe you just sit politely listening to the shows in your headphones and only occasionally yell at your device and I've never heard from you. No matter your level of engagement, I'm really glad you're out there listening.
Now, if that celebration was not enough for you, you can hear me on the Daily Tech News Show Live, number 5015, from May 8th, where Sarah Lane, Rob Dunwood, and Amos and I all had a walk down memory lane about the show and how podcasting has changed in the last 20 years. My segment starts around 26 minutes into the show, if you want to jump right to it. I had a really good time with them.
Now, I also got to be on the Clockwise podcast with Mikah Sargent, Dan Moren, and Chris Lawley, where we talked about the Epic versus Apple ruling, where I actually go against current sentiment about that, whether and how we report bugs to small developers, how we balance a single or multi-device Mac setup, and finally, what was one feature we'd like to see in the upcoming WWDC.
Oh, and they did applaud the 20th anniversary on that show, too. But I think the really fun part was talking to Dan Moren about the fact that he was on Jeopardy this week. And at the time, he couldn't tell us anything about it, but Steve and I watched the two episodes he was on, and Dan Moren won $35,000 on the show, and he was amazing.
Now to wind up my media blitz tour for the week, I also recorded an interview with Steven Scott and Shaun Preece of the Double Tap podcast, but I don't think that one has aired yet. After they appropriately stroked my ego about the 20th anniversary, we talked about the CSUN Assistive Tech Conference, and I'll be sure to let you know when that episode airs, because as always with those guys, it was hilarious. Now, I have a public service announcement. Next week! There will be no live show.
We'll be in Texas playing with our grandchildren, and it's a bit hard to tote all of the gear to do the live show onto a plane. Also, their house has super high echoey ceilings with hardwood floors, and, count them, three kids five years and younger, so it might not be the best place to record live. Of course, the show will come out on time or early, but it just won't be recorded live. Alright, let's finally get started with the 55th and final interview from CES,
and then we'll have part three of Brian Hoffman's Astrophotography by Stealth series, and finally we'll start the interviews from CSUN's Assistive Tech Conference, and we'll wind up with Security Bits. Slow cookers are all the rage, but I'm here with Todd Oliver from Chef IQ, who's got something much cooler than what you have at home. Tell us about it. Sure. So this is our smart cooker.
And this was T-Magazine's Appliance of the Year three years ago. And this is a multi-cooker. So it's a pressure cooker, it's a steamer, it's a slow cooker. Multiple functions. When you invest in this great solution for your kitchen, your smart cooker gets smart over time as well. So for example, we did not start with a sous vide function. However, we did a free over the air update about a year and a half ago.
So everybody free of charge now has that smarter sous vide function with that as well. I'm going to describe this a little bit because some people are audio only. So this looks like a large pot with a handle on the top and a beautiful display on the front.
And it's got red stripes on it that make it look scary because this is going to be a hot thing at some point. Yeah, this is just some labeling that we have to ship it on because it's Wi-Fi and Bluetooth connected. So you can remove these labels at some point. However, it's a large six quart capacity. You just opened it up. It's just a nonstick pot.
And then it also comes with a steaming rack, okay? And then a meat rack as well, so just your roast is elevated from the water that's down below. Perfect. And then it also comes with a premium heat-resistant material here. And this can be used either as a trivet on your counter.
Or you can use it as a lid as well. Just to keep it warm? Um, really for storage, if you're putting something into the fridge. Oh, okay, I got you. Something like that. Okay. So, what problem are we trying to solve here by having this be smart? So a few different things. So a pressure cooker, a lot of people sort of remember their mother's pressure cooker of years past, a manual one. And one of the problems, one of the issues, is people do not like to release the steam.
So a lot of people take their wooden spoon and release the steam that way. With this unit here, you can automatically do it through the app. And you can release the steam in three different methods depending on the food type. So fast, if it was a pasta, pulsing, or slow, and it'll automatically... I'm no cook, obviously. I don't understand why there's a thing about the steam.
Something like a pasta, you don't want it to get saturated with the water that's in there. So you want to get it out quick? You want to get it out quick. Okay. Yeah. And then it'll automatically release it after giving you three beeps notice, and that way you don't even have to... And you're not near it, so you don't get steamed. Exactly. Another thing is this has an integrated scale built into it. No way! So it will automatically...
adjust the cooking time and temperature based on the inputs that you give that either manually through the screen or through your app. So if you are doing a roast Is it from fresh? Is it from frozen? What is the weight? And then what is it supposed to figure out the weight? Well, yes, and then you can either input the weight...
Or you can just say use the scale. Okay. So I like that use the scale lazy thing. So it'll automatically come up with the time and temperature based on the cooking method that you want to do, the weight and all of that. And then most likely it will ask you to add water to the recipe before it starts to slow cook or pressure cook or steam whatever you've chosen.
With that built-in scale, you don't have to get out a measuring cup, another item to clean. This is really one-stop shopping here. Exactly. One-stop cooking. So it also integrates with our free-of-charge app. It has over a thousand recipes built into the app. It will give you the ingredients, the cooking time, the total cooking time.
And with the recipes, with the ingredients, if you don't have all of them at home, it's actually integrated with Instacart. Oh, nice. That's genius. I like that. And then what I love about the recipes is that... I cannot read a recipe for the life of me. Really? I have got all kinds of wonderful cookbooks at home, and I can't do anything out of them. Just not in your DNA. No. So every single recipe gives you step by step. instructions and it will show you in
And then it will show you in a video as well. Okay. So I can duplicate the video. There you go. So I can create a lot of things that normally aren't within my comfort zone as a home cook. So how much is HomeIQ? The Chef IQ smart cooker is... Sorry, what did I just call it? Home IQ? Chef IQ. Chef IQ is $199. Oh, wow. I'm sorry. I was kind of going, yeah, yeah, yeah, here comes a $700 thing for my counter. $200, wow. Now, Chef IQ is all about value. So, and ease of use.
So value doesn't necessarily mean the cheapest item out there. It just means that you're getting a ton of features, great displays, meaningful innovation. You know, not just paying extras so you can turn something on and off from your bed. Meaningful innovation. And all at a great retail. You sure you don't want to use AI in this at all? You want to say AI a couple times? I think it's a law this week, right?
Yeah, we currently don't use AI. Okay, that's fine. I'm just messing with you. No problem. Now, Steve just handed me another thing. It looks like some meat probes. Yeah, these are our IQ Sense smart cooking thermometers. And we have them in a 1, a 2, a 3, and a 4 pack. They each come with their own recharging hub. So these are rechargeable batteries. It's not AA batteries or anything like that. And then each recharging hub is actually a built-in speaker.
What? Yeah. Fantastic. Like for music? No. So I thought we were gonna rock out to our tunes while we're cooking. So you can use the probes on a stovetop, in an oven. You can use it on the barbecue, in an air fryer, deep fryer, roaster. Can I use it in my Chef IQ? You can use it in your Chef IQ as well.
So these temperature... 1000 degrees. Holy bananas. So that is way more than you need for most appliances that are out there or your stove. Even the barbecue. With the barbecue, though, you might get a flare-up. So that's where we have... A thousand is more than some of the other devices we have that do this. Yeah. So what's your price point on, say, a three-pack of these? So we go anywhere from $89 to $199. So from a single-pack to a four-pack.
I assume these have some sort of Bluetooth connectivity? These are Bluetooth and Wi-Fi. Oh, okay. So... So are they tied into the Chef IQ? They're not tied into this. However, they will be tied into our smart oven moving forward. These won a Global Innovation Award at the Houseware Show two years ago. We have a new iteration that comes with five sensors, so it's phenomenally accurate. It's the world's thinnest thermometer. It's the world's most accurate thermometer.
And it's a greatly growing category. So at this point, one of the advantages for people who are listening is that if you use these kind of probes that are over Wi-Fi, that means you don't have to stand next to the oven or the cooktop, whatever it is, the barbecue, while these things are working. Exactly. So for something like, if you were putting this into a smoker,
that's something that you're smoking for the full day or something. You really don't want to stand there. You don't want to stand there. You can run to the grocery store. You've got unlimited range with the Wi-Fi. So the box slash charger that I'm holding in my hand, is that what's connected to Wi-Fi? This connects both to Bluetooth and to Wi-Fi. Okay, but not the probes themselves. The probes probably talk Bluetooth to this? Bluetooth to that, and then the hub is Wi-Fi.
Okay, and I assume we plug this in somehow. Yeah, this comes with a charging port. There it is. USB. There's our USB-C. That's what I'm looking for. USB-C. You've got a green light on it. You've got to love that. A hinged lid.
There you go. When you have more than one probe, they come with both numbers and then different colors as well. It's excellent. That way you can program this one to be a chicken, this one to be a steak medium rare, and this one to be a steak well done. There you go. Show color quoting, or color coding. That's beautiful, beautiful. And then it will tell you on the app
it's almost ready to flip or your meal is done. But it'll also give you an audible as well. I love it. I love it. So especially for, you know, if you're hearing impaired, you can see it on your phone. Perfect. But if you like that audible
you know, sound and notification. You can be sitting outside by the barbecue and it will tell you time to remove your steak. Very good. Now, we're almost out of time here, but did you need to say anything about the IQ mini oven? Yeah. We have just a picture of this. This is a, yeah, coming soon. This is coming soon, next month. We have our samples over at the show.
This is also integrated with our app. It has over a thousand recipes as well that you can do guided cooking through the screen. So what kind of oven would this replace? The big oven? It really could replace the big oven. So it has 11 different functions today. Over time we'll add functions with free-of-charge over-the-air updates. And now we trust you to do it, because you did the sous vide over on the Chef IQ. See, we trust you. It's full edge-to-edge glass. It has a premium extended rack.
So you can extend the rack out without any loss of stability. I want that everywhere. It will have three different lights for the three different rack positions, so it will guide you and say, if you're broiling, the top rack will be lit up. If you are doing something like a chocolate chip cookie, it will probably be the bottom rack. I will be doing the chocolate chip cookie. Very good. So this is, when is this IQ mini oven coming? This will be out in March.
Do you have any idea how much that's going to cost yet? That'll be about $399. Again, that's a really good price. Great price. It does 11 different functions today. And one of the things that I'm most excited about with this is you can use it as a standard toaster oven. So time and temperature, 375 for 40 minutes.
But once you bring your Chef IQ Smart Cooking thermometer close by, it will give you the option, because it'll pick up that recognition that the thermometer is close, it'll give you the option to switch from time and temperature. to choosing a doneness level. Even for chocolate chip cookies? You can use it for chocolate chip cookies.
But more likely for a steak or a roast. Okay. So instead of just having it in there for an hour. I can't stand there for eight minutes and watch the cookies. I'm sorry, Todd. I don't have that kind of time. No problem. Yeah, great screen. It also has the speaker on that as well. Very cool. So if people want to learn more about these products, where would they go? ChefIQ.com. Very good. Thank you so much. Thank you so much.
Astrophotography by Stealth. From looking up at the night sky, to hanging a picture on the wall, which will take your breath away. This is part three. Time to go bigger or go home. Hello and welcome back. I'm Brian Hoffman, and in our last episode, I'd gotten to the limits of my Right Ascension, or RA, tracker-based camera. For longer exposures, I needed to take multiple pictures I could stack, and I needed to learn how to edit my pictures in something more than Preview.
I knew I needed a stronger tripod, a tracker which could do both right ascension and declination, a telescope, a guide camera, the main camera, and a control system to drive it all. I decided I would go with a simpler system which would do a lot of the work for me and allow me to level up once again. Oh, but the budget. This was not going to be cheap.
Think of it like any other expensive hobby. However, there are cheaper options which can get you into this hobby for less, like buying used equipment or an all-in-one setup. If you look at a new low-cost refractor telescope, you're in the $500 to $900 range. and it's easy to set up and get started quickly. If you want a little more capability, $1,000 to $1,500 gets you a much better refractor telescope.
Then they have the all-in-one telescopes, which are now available. They can get your foot in the door for around $400 to $550. They have limited ability, but with patience, you can capture some outstanding pictures. Did I mention you'd have the opportunity to learn some patience? Further, these astrophotography setups are not as robust as other scopes, so you will need to take care of them. You can be looking at broken equipment which is not repairable. Think plastic parts.
If you go with a reflector setup, you'll get a bigger scope for the same money. But setting one up takes more patience, and they're less handy to travel with. Think more sensitive to movement and change, but they gather a lot more light for the same money. It's a trade-off. Stepping up to $2,000 or more gets you a better scope, which will continue to be useful for a much longer time and will yield better pictures.
The choices you make early on your quest matter. Plan your budget wisely. Wanting my setup to last longer and give me years of excitement and entertainment, I went for a best value setup and spent a little more. ZWO is a brand of astrophotography equipment. It's a bit of a walled garden if you use their equipment, but it does afford an easy entry and great results. I decided I'd use their camera, their control system, and their strain wave tracking mount.
The mount I chose was the AM5N with its tripod. On the street, it cost around $2,200. I could have used its little brother, the AM3, but I have other possible plans down the road, and the AM5 will be necessary for that setup because it can handle more equipment weight. The camera I chose was the ASI 2600 MC Air. It combines the main APS-C camera, a guide camera to direct the mount, and a computer system to drive it all.
Best of all, the camera had a cooled sensor, which meant I could take longer exposures and gather more light without blowing out the picture. It was one of the limitations I needed to overcome with my current camera. While this was not the cheapest way to go, again to me, it was best value, as it was a single unit which did three things well. I had the integrated main camera, the guide camera, and the brains. So now I needed a telescope.
The telescope most people start with has between 50 and 70 millimeter aperture and can be purchased for $600 to $1,500. I wanted more light. Further, some of the cheaper scopes do not have excellent lenses, which requires more post-processing to correct their errors. I went with an Askar 85mm refracting telescope for its clarity and ease of use. I was not disappointed. It cost $2,300, and it was worth it. My pictures straight out of the camera
are far better than the ones from smaller telescopes, and I'll be able to use it far longer before I need a bigger, better scope for the things I want to photograph. I started learning the system and taking pictures of, you guessed it, Andromeda and Orion. I was instantly amazed at the clarity and the ability to select targets. I'd do some prep work and start taking pictures. It became that easy.
One thing I knew I could use to focus my camera was a Bahtinov mask. It's a slotted cap which fits over the opening of the telescope and sends light through the lenses at three different angles. When the camera's in focus, the light source, a star, shows you six evenly spaced rays of light extending from the middle of the star. It's a quick way to ensure focus manually. Learning the software for the new camera setup only took a few YouTube videos.
I was shooting pictures of things I wanted to capture the first night. I knew I wanted to capture hours of light. Yeah, hours of light to create the image I wanted to hang on the wall. I was getting close and I knew it. I was motivated and I was at the next level. But I still had not picked my editing software.
One thing I learned earlier was cable management. Mine was good as it gets. No matter where the telescope was pointed, all my cables remained properly placed and had the correct amount of slack. It's a simple thing, but if your cables catch, it could be done for that session, or worse, damage your equipment. I was comfortable setting up my telescope and taking pictures. After a while I would set it up, do the polar alignment, check focus, pick out an object and start taking pictures.
I would tell the camera how many pictures to take and how long each should be. I was comfortable enough to then go inside for part of the time I was capturing images. I was on a roll. The only thing left to automate was focusing the telescope. Yep, there's tech for that too. An AEF, or Automatic Electronic Focuser, works with the main camera and the control system to properly focus the telescope anytime you want.
By this point, I had very good pictures, but I still wanted to reduce my error even more. I then learned about another tripod, and of course they called my name. The only problem was, it was only available in Japan, and they weren't making it anymore. I got really lucky just after Christmas of 24, when a friend let me know there was one for sale, and it was new and bought.
Of course, it was in Japan. As it turns out, I have a friend who lives in Japan. I asked him for a little help bidding on it. We won. Next, I needed to go to Japan to pick it up. No problem, though. I had a trip there the next month. I was able to pick up my tripod and bring it back to Texas with a little coordination. The tripod was so good it allowed me to further reduce my tracking error by half. It was worth it. I was in heaven. Or at least I was staring at it and loving every minute.
My pictures were awesome. After taking hours and hours of pictures of 15 different targets, I knew what I had to do. But my laptop was really old and was in desperate need of replacement. I was at another inflection point. Do I just bite the bullet and get a new MacBook Pro? After all, mine was a '19 model and it was starting to show its age. M3 or M4? Do I look at the MacBook Airs?
I reached out to Allison. I knew she was a big photo buff, and she has an ever-so-slight Apple bias, so who better to ask? Turns out Allison had written an article about MacBook Airs and MacBook Pros. Our discussion led me to the store to pick them both up. The Airs were missing a lot of ports,
but it was way lighter. I decided to go with the MacBook Air. Then, even better news came. Apple is about to release the M4 version of the MacBook Air. I patiently waited two more weeks, all the while taking more pictures. I had hours and hours of pictures by now. I was finally ready to learn how to edit.
Truth be told, I knew a while back PixInsight was going to be the software I was going to use to edit my astrophotography pictures. All the people I learned from were using it, and their results were spectacular. The learning curve is going to be steep. I took the first step and stacked, you guessed it, my 108 5-minute Andromeda pictures and my 132 5-minute Orion pictures. I was one step away from being able to hang them on the wall.
Well, I'm finally ready to start editing pictures using high-level software. I had this season's pictures of 15 different objects, I had a new computer, and I had the software to do the work. Now I just needed to sit at my desk and learn how to process each of them. I was excited. How long was it going to take for me to gain mastery of the next level and to be ready to print a wall-hanging worthy picture? Or two? In the next episode, we'll all find out.
Well, I am loving this series. I find it fascinating. I'm really surprised at how expensive all this stuff is, but it seems like Brian is on quite the journey, and I can't wait for part three. But I do want to add something to this particular installment. You know how he said he consulted with me on what laptop to buy and when? Well, I'll stand by the timing of when I told him to buy.
I pushed him away from the MacBook Pro and towards the MacBook Air, and while he did tell me he wanted it for his astrophotography work, I had no idea that it entailed stacking hundreds of photos. I didn't know what went into making these spectacular images like he's doing now, so I should have asked more questions before telling him what I thought he should buy. He loves his MacBook Air, so that's great.
But I'm betting an M4 Max MacBook Pro would have done this stacking a lot faster, but it would have drained a lot more out of his pocketbook and not given him as much money for all of his gear. I wanted to get that out there before all of you wrote to me asking me, what were you thinking when you suggested a MacBook Air over a MacBook Pro for astrophotography? I've walked up to the HCL Tech booth to talk to Glenn Barfield, and he's got some stuff up here about designing accessibility
into the products. And I told them, the best way to really do this is to bolt it on at the end. And I found that always to be a tried and true method. Absolutely. If you're looking to waste money, time, create problems, and basically sink your company and lose it.
to the competition, bolting it on at the last minute is the way to go. Yes. All right, all right, all right. So HCL Tech provides accessibility as a service, is that right? So you guys work with other companies to help them have accessible products. Correct. So a lot of companies, they come to us initially and they're in that kind of, we need to be accessible. We don't know what we're doing. Please help us. Maybe they got a Section 508 violation,
or somebody's filing a lawsuit, or they're worried about the Accessibility Canada Act or European Accessibility Act. So we help them, we do the auditing, we give them the bugs, they fix them, we do the verification, help them with the VPAT, ACR, everything like that. But then we say, okay, great, you're not done. Some companies, they think, okay, we... We fixed the problem. It's like you fixed a problem. But it's more like security, right? You got to keep designing it in. Exactly.
You cannot assume that where you are now is what your product is going to be like in three months, six months, or a year. Regulations will change. Technology will change. Your product will change. You need to stay up to date. So what we work with a lot of companies now is a lot of design work.
a lot of development work, the remediation work, the verification work, and then sustaining. And we will put together an entire team that works with their products. We actually have the world's largest accessibility team. A thousand people have gone through the Trusted Tester Certification Program for the U.S. government,
have been certified by the US government as trusted testers for accessibility. We have 75 people who are people with disabilities on staff along with consultants. How many did you say? 75 people with disabilities. We are literally the largest accessibility company that no one's ever heard of. There's a lot of competition we have. But what we're looking for is the large-scale organizations. The Microsofts, the Metas, the Googles, things like that.
and we're working with them to make their products accessible. Now, they could certainly, they have the money that they could build a team like this of their own, couldn't they? Why wouldn't they do that? Well, for one thing, they have faced a problem in building a team up like that. It takes a lot of resources. It takes a lot of time, a lot of expertise. We've already got a team ready to go.
The other problem is that they build a team like that, and it works for right now, but then they go into a valley, or they change their product, or they do a re-org. They don't need so many people, so they have to lay them off. But then again, six months later, they need them back.
So what we're able to do is say, that's fine. Scale up, scale down, scale up, scale down. We have the resources to do that, and there's no impact on you, and there's no impact on us, because for our team that scaled down, those people go to work on a project for another company. Right. So we can move people around. This gives us the advantage of seeing a lot of different products, a lot of different stages, builds up the expertise and experience that our people have.
I really like this idea, because getting into those big companies and getting this stuff built from the ground up... And I know, obviously, I was joking at the beginning there. But I think it inspires everybody to keep that in their front center focus. Even if you're just a one-man shop writing an iPhone app, you're thinking about these kinds of things now. Yeah.
And the other thing, too, that we've seen a big change in is that a lot of people were initially worried, oh my gosh, we're going to get sued, we're going to be in trouble with the law, there's violations against some regulation we have never heard of, and there was kind of a stick hitting them, right? Now it's shifted to a carrot situation.
where they're looking at people with disabilities like, oh my gosh, they have money. They spend money. Why? There's also a lot of them. Yes. Yes. Millions. And it's like, my gosh, we're not getting their money. What the heck is wrong with us? So it's become more of a carrot situation where companies are looking at people with disabilities as a demographic.
that in some cases has been ignored, but is no longer being ignored. And we help them bring those people into their products. Basically, any online application, any online product, we can help them make it accessible and bring those people into their world. Well, this is fantastic work. So if people wanted to learn more about what you do, the company is HCL Tech, how would they find out about the accessibility as a service piece?
So they would go to hcltech.com. They can look for accessibility. I also have a QR code here. You guys can take a photograph of that. Put that on your blog, on your post as well, and they can learn more about the accessibility team. And also, if you're curious about another realm of accessibility, amputation. I am an amputee. I have a YouTube channel. Shameless plug here, guys. Shameless plug. Okay, yeah. There it is.
Look at that. That is so cool. So what do you do on your YouTube channel? So Amputee Outdoors on YouTube channel. I do a lot of hiking and backpacking in the Pacific Northwest up in the Cascade Mountains of Washington State. And what I'm trying to promote is the idea that if you're a person with disabilities, it doesn't cut you off from exploring nature. Now, you may not be able to go hiking up mountains like what I do.
But you can get out there. You can do things. You can explore. You can get into the world and be involved in the world and explore the world. Go for a nature walk. Go for a walk anywhere. Go for a roll anywhere. Go out and explore and get out into the world. And that's what I'm trying to promote with Amputee Outdoors. Very cool. So look for Amputee Outdoors on YouTube. Yes, absolutely.
Very good. Thank you so much. Thank you very much. Enjoy CSUN. A lot of great products here. Some of them are in our competition. They're not as good as us, but we like having them around anyway. There you go. Makes you stronger. Yep. Well, this is normally the time that I panhandle for money, but this week I'd like to ask for something completely different and it will not cost you a dime. I'd like you to go to Apple Podcasts and rate the NosillaCast.
If it's a five-star review, that would be even niftier. But, you know, vote with your conscience. Ian in Kentucky and Jay Denning gave us the most recent reviews, and they were fantastic. By the way, Jay Denning, in answer to your thought, yes, Steve and I would very easily be friends with you. I put a direct link in the show notes to the NosillaCast page for Apple Podcasts, but I had to ask ChatGPT, how do you find the place to review the show?
Turns out you have to scroll past all of the episodes. I hope you'll take a minute and make this how you celebrate our 20th anniversary milestone. Oh, and don't forget, you can also show your love by getting yourself a 20th anniversary shirt to advertise for the show at podfeet.com slash shop.
Well, it's that time of the week again. It's time for Security Bits with Bart Busschots. And happy 20th anniversary, Bart. This show would not exist without you. According to ChatGPT, the first Security Bits was an episode... 104, released on August 5th, 2007. How many years after you started is that? That's a little more than two years. So it's like a little under 18 years. We've just turned 18. Interestingly enough, ChatGPT gives credit to IMDb for that answer.
No! I'm not kidding! Holy cow! The NosillaCast is in IMDb. I'm not kidding you. I'm sending you the link. And cool, yeah, I just sent you the link in Telegram. How bizarre is that? Oh, it's got the original logos. Okay, I don't know. I knew it was done by volunteers and industry people, but I did not know it. Stars, Allison Sheridan and Bart Busschots. Oh, I'm starring.
All right. Well, maybe I'll throw this down in palate cleansers. That sounds like fun. Cool. All right. Well, anyway, congratulations, Bart, for all your hard work. I think it might go to you more than to me. You do do this whole, like, show around this segment. I think that might count for something. Yeah, sure, I'll take a little bit of credit. All right, let's get stuck in. Indeed, let us start with a little feedback and follow-up, which is basically follow-up.
I keep saying that it's important to stay patched to stay secure, so QED, there is a vulnerability in AirPlay that was making lots and lots of headlines, but the headlines left out a very important fact: if you were patched, you were already secure, because it was responsibly disclosed, and so those security updates we talked about two weeks ago patched this bug that was released to the media last week. I was trying to safely pass.
By the way, there might be a typo in the show notes. It says RCE is remove code execution. Yeah, that would be an autocorrect going wrong. Remote. Remote. That's what I was thinking it might be. So what was the flaw? What would happen? It was called Airborne. It was called Airborne, and basically someone nearby you, near enough to interact with AirPlay, could run arbitrary code on your Mac. Patchy, patchy, patch, patch. Yeah, exactly. And that's why we do it, right? Because all software has bugs.
Somebody just wrote on one of the... forums that I, you know, user groups I chat with, and I like to help out a lot. And they were going to be upgrading to a brand new MacBook Air, and she talked about how she has a 27-inch 2015 iMac running Monterey on the internet. And I was saying, so, okay, you might not want to do that. So several of us had been suggesting ways she can make it still be like a dumb terminal, if not connected to anything anywhere ever.
Anyway, running it in a museum environment would make sense. Running on the internet, not so much. Yeah. Anyway, but I was using what I learned from you. Yay! Speaking of me repeating myself, the other thing I keep saying is, when you have a router that has stopped receiving updates from the manufacturer, what you do is you remove the little plug from its bottom, you walk to the nearest recycling place, and you place it there, responsibly. You do not continue to connect it to the internet.
In case you don't believe me, the FBI just issued a warning that there is a group of hackers abusing end-of-life routers to build networks of proxy servers that they rent out to cyber criminals. Because you want people's home internet so that you're really hard to filter out. If you do a distributed denial of service, if you can spread those connections from home internet connections, then you don't look suspicious, you're not coming from a data center.
So they love hacked routers. Oh, interesting. So yeah, no. Yeah, exactly. I was going to say binny, binny, bin bin. No, I like it. I like it. We all know what you meant. True. Okay. So we have also talked many times about the charming grey hat security company the NSO Group from Israel and their long history of running fairly nasty spyware against everything they can, including Apple devices. And
they were being sued by Apple and Meta, and Apple dropped the case because they didn't want to do discovery, because then they'd have to reveal that inside Apple things happen. You know how secretive they like to be. Right. But Meta didn't drop their case. They kept going. They have won. So they just got a judgment of $167 million against the NSO Group. Okay, your sentence implied it was Meta, but yeah, the NSO Group was the one fined. Oh, Meta. Wow. Yeah, so yay.
Apple dropped their similar case. Oh, they had a case against them, but they dropped their accusation against them because they'd have had to reveal internal data. Meta doesn't care about any other internal data. But that's good. It's not just our privacy, right? Yeah, yeah, right, right, right. So that was on WhatsApp users, the link says. Wow. Yeah. Do the WhatsApp users each get 27 cents or something?
I don't believe it was a class action. I believe it was Meta saying basically, you besmirched our reputation, how dare you. And you made our cybersecurity team have to be really busy. How dare you? Oh, and by the way, this is illegal. So, you know, out of the ground. In related news, Apple have been doing this for years and I've stopped really making it a story because it's just what Apple do, but it seemed appropriate to mention it since it happened at the same time.
Apple have monitoring in place where they keep an eye on whenever they see evidence that someone the NSO Group likes is targeting users of their platforms, and they send them a notification to say we have reason to believe that you may be being targeted by state-level actors. And we know that another batch of those emails went out, and we know from people who have volunteered that they received them that those recipients are spread across the world in at least 100 countries.
So Apple knows when they've been targeted by Pegasus? No suspects. Apple sees evidence from their iCloud logs that has indications of compromise that look like what their intelligence says the current NSO Group attacks are doing right now. Oh, compromised, not just targeted. So targeted could mean they tried. Okay, that's a word of art. Sorry, that's a word of art. IOC is a word of art in cybersecurity.
It means an indicator of compromise is what you call a suspicious IP address or a suspicious packet or a suspicious file. A suspicious something, we just call it an indicator of compromise. Because we have to have a name for weird thing. So when I say, sorry, that was me accidentally using jargon. Okay, so were they targeted or compromised? Which is it? Because targeted means somebody trying to poke at you. Compromised means they succeeded. Those are really different words. You are correct.
but an indicator of compromise means someone tried. I know it's not a good word, and if you worked for the cybersecurity industry, you would say their jargon is wrong. I used jargon by mistake. I confused you. I'm sorry. So the answer is they were targeted. They have evidence that they were targeted. That's all we know. Okay. Interesting that they can see it. Evidence to reasonably conclude they were probably targeted. Let's put every fuzz on this because Apple can't know for sure. No one can.
Okay, right, right. And I had another related story. Oh yes. And so how is it possible that this spyware keeps existing? Because for this stuff to exist, there need to be zero-day bugs found in the popular platforms like iMessage or iOS or Android. And that is not easy. So where are they getting it from? Well, the answer is it's being bought on the black market. And we know this because Google have a group called their threat analytics group, the Google TAG.
And they monitor the cybercrime happening, and they release a report every year. And again, I don't usually put them in the show notes. But the headline of the 2024 report was that there is a big increase in zero days from 50 to 97. And of those, 50% of them were first seen in spyware. So the NSO group are buying zero days at a high rate of speed.
Just the NSO Group or anybody doing spyware? Those kind of companies. Those kind of companies, okay. So this is a Google Threat Intelligence report that's not about Google. It's about threat. Correct. Okay, they have a group. Yeah, most of the big companies have it. These are their intelligence arm. They're just looking at the universe to understand what's going on so that Google can adjust their shields.
But they're looking at the universe. Microsoft have one. Apple have one. That's how they can know that you're being targeted and stuff. And they release... Sorry, Apple don't release reports. But Google release reports, Microsoft release reports, a lot of the AV companies release reports. So these are called threat intelligence.
And it's just the community sharing with everyone, hey, this is what we've seen last year. What have you guys been seeing? I love reading them with my professional hat on because it tells me what's happening in the cyberspace. It seems odd to be 50% spyware attacks. I would think all would be in spyware attacks. What am I missing? Well, no. There's another group of people who want zero days and who have a financial incentive. That is ransomware cybercriminals.
For them, it's an investment. But ransomware, how does that get done other than... Okay, spyware versus ransomware, what's the distinction? The distinction is why you want to break in. So governments are incentivized, NSO group are incentivized to pay big bucks for a zero day because they make profit selling their spyware. So it's just intention. The tools could be the same. Or the technology should be the same. It has to be someone with deep pockets.
I'm trying to figure out, is the technology different? You're saying it's just the intention. Got it. Okay. Yes. That's what I was poking at. Okay. Yeah. Like I say, I don't go into these every year, but these three stories just... aligned. And then you said it went from 50 zero days exploited to 97. I assume that you meant from 2023 to 2024. And those are zero days in all different operating systems? Or again, this is in Google's stuff?
No. Everything Google have observed. Okay, so these other companies, everybody's throwing out what did they observe? They're overlapping. Got you. Okay. Yeah. There'll be money in it, and you always follow the money, right? That's always my answer to things. Okay, one very short little dip into the American administration, because we have talked about
a story where the administration overlaps with a very important technology that's actually really good. It's the really nice end-to-end encryption platform Signal. And it is one thing to say that Signal was used wrongly, but the way it gets reported in the popular media isn't that they were badly using a good tool. We start to get the tool being blamed or conflated with being somehow flawed.
And so that's why I've corrected the record here on the show a few times. And there has been a development which gives us another teachable moment. So thanks to the fact that the now former National Security Advisor was bored in a meeting and the press get invited into cabinet meetings these days, and modern telephoto lenses are really good. He was photographed using his phone under the table like a student in class being naughty.
which I think is slightly funny. This was the National Security Advisor, right, Mike Waltz? Yeah. Yeah. And he was using his messaging app, so we know exactly which Signal client he was using. It was not the official Signal client. It was a third-party client that is sold by a private company, and their feature is that they provide the ability to centrally archive all chat logs
into the cloud. So they're designed to be used by corporations because in a corporation you probably have auditing requirements or so forth. And so does the United States government as well, right?
So that could have been a legitimate use of, well, saying the wrong things on the wrong platform that you're not allowed to use. Discussing classified information that way is a big issue, but you are supposed to archive it, I think the government rules. So this is kind of interesting, right? So
they are under a legal requirement to archive these conversations. They're also under a legal requirement not to use these kind of tools for privileged military information. So by trying to comply with one law, regardless of the fact that there are other laws being broken, they ended up using a sort of a, it's not a hack in the malicious sense, it's like a kludge, this third-party app that adds archiving to an end-to-end encrypted service.
And unfortunately, when some cybersecurity experts had a wee poke at the servers where all of these chats are going, it turns out they were terribly secured and they broke in within half an hour. Oh, really? So did they break into the cloud hosting? Is that where they found... Did they just get to metadata or did they get to the actual messages? Do you know?
They got to messages in transit, so they didn't have historic data to look back in time. They could just see snapshots of what was flowing through the system at the moment, which was enough to show that there are a number of US government conversations happening on that app. Or there were, because once the vulnerabilities were found, the company turned it off. They just went blink. Pull the plug out. That was that. Wow. Not to mention he was texting his wife this information.
There's a whole lot of issues here in this whole story. One thing that might make you feel a little bit better, I was worried that Signal would get a bad reputation as a result of this, and you sort of implied that. I heard I was listening to the fantastic podcast, Random But Memorable, done by the 1Password folks. And they quoted the CEO of Signal who said that they have experienced a 300% increase in downloads since last year in the last three months since this hit. Okay.
So, okay. Silver lining, ahoy. I like it. Yeah, yeah. So, no, bring this home to us, though, on what this means for end-to-end encryption. Yeah, so it's a case of understanding what's the problem it's supposed to solve. So I like to say that we don't get cranky because seat belts don't prevent fuel tanks from exploding. A seatbelt is an important safety tool in your car, but its job is not to protect the fuel tank, it's to protect you.
End-to-end encryption is a really important security tool, but its job is to get a message from you to your recipient so that the chain of encryption is never broken between the two.
So in the olden days, you would have an HTTPS connection to the server, which would then end that connection, have the message in plain text, and then make a new HTTPS connection to the recipient and then send. So it would be encrypted while flying over the internet, but it wasn't end to end, because the middle person could see the message.
With end-to-end encryption, the wrapper is placed on when you send it, and no matter how long the message rests in a cache or something, like if you're offline when I send you a message, it gets saved on a server somewhere until you come online. But the encryption can't be removed while it's in transit, even while it's sitting waiting on a server. It's end to end. So its job is to keep it safe all the way, no matter how long that takes and no matter how many servers it sits on.
But it's end to end. So before I hit send, the information is on my device unencrypted. It's probably in my chat history unencrypted. It's sitting on my device. And when you receive it, the same thing: the wrapper is removed, it has now arrived at its end, and you now have that message, so your phone has it.
Now, any piece of malware running on either of our phones could intercept these messages before or after the encryption. But one place that can definitely see it is the client doing the sending and receiving. So if you choose to use a client that's not known good, end-to-end encryption is not helping you with your client being a mess problem at all. But it could have been good.
are fine. Oh, sure. Well, except for not supposed to be using that tool at all, not supposed to send military secrets to your wife. Skipping over that part. Yeah, apart from that bit. Right. Let's say it was health information they wanted protected within a family.
that third-party client TeleMessage could have done a good job of keeping the end-to-end encryption going. It's possible to do that? It wouldn't have been about end-to-end encryption. Because it's in the middle. It's about what it does. It's not in the middle, it's at the end, so the encryption is over
what the app is in play. So you should not install malware on your phone, because your phone has the unencrypted messages. Back up, I'm not talking about the malware. I'm talking about using an archiving tool like the Signal client TeleMessage. If it had been written properly, would that data have still been considered end-to-end encrypted?
It would have been a second end-to-end encrypting. It would have had to re-encrypt it to archive it in a secure way. That would have been a second end-to-end transaction. So there would have been an end-to-end transaction. So there's a spot where it's unencrypted and re-encrypted. Okay. Yes. So it's truly not end-to-end encrypted if somebody's in the middle of decrypting it and re-encrypting it. Yeah. Okay.
Good lesson. You can't have a non-stop flight if you have to land at an airport. Even if you don't get off the plane, it's still a stop. That is a really good description. Remember that one, that's a good one. Given your recent travels, I thought you'd approve. Yeah. Okay, alright, is that it? Yes, that is it for follow-ups. We have no deep dives because nothing that interesting happened. I do have just one action alert if you are an Android user. Patchy patchy patch patch if you can,
or consider responsibly recycling that phone that you can't secure. It is the monthly May Android update. It fixes a zero day in the FreeType font library, which means that you can basically be in trouble by being on the internet anywhere that has text. Oh, jeez. Great.
Okay, so prepare yourself for the icky bit of the show notes. Worthy warnings. Remember that I have raised the bar here quite a bit, so I'm not flooding you with meaningless stories. And unfortunately, even with my high bar, I need to do two stories here. Okay. So the first thing, I want to get the attention of any NosillaCastaway who would have a reason to work with the education company Pearson, who do proctored online examinations.
They are used by schools and universities and they are used for professional certification. including people who are Microsoft certified, like, oh, me. My Microsoft cybersecurity credentials were done through Pearson. Okay. Unfortunately. They have admitted to having a data breach in April. Or actually, maybe that was the co-op was in April. Some time ago, I won't put an exact month in it. But they say, don't worry, because it's legacy data.
Well, is that actually helpful? Is the fact that it might be old data? What kind of data though? So it's personally identifiable information. They haven't been clear on what they've lost. Okay. This is why it's here. If you're a Pearson person, you need to watch this story. I am raising it once and I'm telling you, you need to watch Pearson. This is developing.
And then I'm not going to bring it up again. What I can tell you is this is the latest, so BleepingComputer are on the case, and this is their summary: when BleepingComputer asked Pearson about whether they paid a ransom, which I don't care about, what they meant by legacy data, how many customers were impacted, and if customers would be notified, the company responded that they would not be commenting on these questions.
That is the wrong answer. That is the wrong answer. No matter what the... Yeah. You put in the show notes but didn't say out loud how much of your PII has changed in the last 5 or even 10 years. I mean, I just retired my phone number after 42 years. It was the same one all along. I'm pretty sure my social security number is the same, but the government lost that a long time ago, so no big deal.
But yeah, that just means if you have been certified through Pearson that you may have data out there, and the only action is ever-present vigilance, right? On phishing attacks and such. Phishing is the biggest danger always here, where they can phish you believably because they know what you are qualified in, probably, so they probably know your area of interest.
Yeah, and that's an obscure one, right? It's not just, you know, you have a dog or something you would have thrown up on Facebook anyway. It's like, well, they know about my Microsoft certification, so this must really be Microsoft I'm talking to, for example. And they probably have the dates, and so they could very convincingly say, hey, your certification for Microsoft MC 9001, or whatever silly number my qualification has, expires in three weeks.
Get a discount on being recertified. Click here. Yeah. Yeah. You're right, icky. Yeah, exactly. We're going to need all those palate cleansers when we're done. We are. This one is for UK NosillaCastaways, perk up your ears. This is another developing story. I'm going to mention it once and I'm not going to waste our time with it again. There is a store in the UK called Co-op. They're an institution in rural UK.
They're a community-run store, so they used to be for farming equipment like fertilizer and stuff, but they now do supermarkets at a good, very good value. They're a nice place to get food. But they had a data breach. Or rather, they were hit by ransomware some months ago, and they are only now admitting it, and they're doing a bit of a Pearson in that they're not telling people the real information. So they haven't actually said that we will notify people.
What they have said is that, quote, personal details, without saying what that means, but not passwords or payment details, so okay, of a significant number, without being specific, of current and past members, without putting a timeline on it. What do we do with that? A grocery store having usernames and passwords and payment details and not having lost passwords and payment details, what else would a grocery store have other than, you know, Bart often buys aubergines there?
Do you guys have a store where you have to be a member to be able to shop there, don't you? Well, we have loyalty cards, so you get a better price. Let's put that... Oh, Costco. Thank you. That's exactly what I was thinking. The co-op are owned by their customers, so I think when you're a member, it's like being a Costco member. Okay. But still, what would they have? I mean, they'd know that I bought a giant inflatable dragon boat at Costco once.
but if they don't have my payment details, name and address. Yeah. Name, address, contact details because you're a member. So they could then... I mean, probably not the worst breach we've ever talked about. Let me put it that way. Probably not. But they're going to get you on those aubergines are on sale, Bart. That's how they're going to fish. It could be agricultural people, special offer on fertilizer. Do you need to have your herd certified for TSB? Not TSB, Jesus.
foot and mouth disease, whatever. Here, we'll get your certification through Pearson. But I guess we should take this as another case of a company doing it poorly. Precisely. I shouldn't be saying it's not clear. Okay. Sorry, no. All right. Notable news. Good news. And I'm not being sarcastic. I'm not doing it with the... Sarcasm emoji. Professor Watts' face. Anyway.
WhatsApp have added a new feature to their messaging app, and it's inspired by Apple's Private Cloud Compute. So they're adding AI tools into their chat apps and stuff, and they're doing a very, very similar thing to Apple, where they're providing true end-to-end encryption from you to the cloud, where an ephemeral server processes your request and then destroys itself
and sends you the answer without anyone other than you effectively seeing it. So you and the server that destroys itself are the only place where the information is seen. And this is cloud-based AI that you're talking about? Okay, correct. So this is very, very inspired by Apple's tools, and they've also copied, and this is the good kind of copy.
We like this copying. So they've also copied the auditability that Apple added into their system so outside researchers can verify the claims that Meta are making. I was trying to find, like, niggles, and the only thing I can say is that Apple have done something that I believe no one else has, which is they have taken the strong hardware security of the iPhone and put those same motherboards in the cloud to give you hardware-level protection for Private Cloud Compute.
And I can't find any evidence meta have gone down to that same hardware level. But at the software level, they are very much completely on par. I can't find any difference. Which is great. Yeah, that is great. Good news. Another thing I've said a few times is that on balance it is my professional opinion that AI is more of a help to the defenders like myself than to the baddies at the moment at least.
And that help is going out to more regular folk, because Google Chrome is adding on-device AI detection to help spot tech support scams and so forth, which are easier to spot using AI than block listing URLs, because you can change a URL every five minutes. So it's a very bad method for protecting people to say, oh, someone's already been hacked by these people, don't you join them. Whereas with AI, it can stop it the first time I see it, because it's suspicious from moment zero. Uh, okay.
I like this. Yeah. I really like use of AI in diagnosing things. They've seen so many cases of where AI is better at looking at chest x-rays. or MRIs, and obviously with humans double-checking. But I learned on a podcast, I forget which one it was, that 800,000 Americans a year are misdiagnosed and either die or suffer permanent disability as a result.
That is a massive number. So letting AI step in and do what it's good at, I think is wonderful. And this is, I know this is a little bit of a different example, but it's that kind of thing where we can't, there's just too much information. We can't see it. And yet AI can find those patterns. It's an amazing pattern matcher. That is its absolute superpower is finding the patterns we can't see because it's not blinded by intuition.
Or bias. Well, it can't have bias. That is one of the problems that they're having. No, it's ours. Yeah. Damn. When they figure out how to not do that. Okay, now, I'm gonna mark this as good news-ish. So I think you should suffer when you do things that are naughty. So Google are having to pay the state of Texas 1.375, which I think is an AI written headline because no human would write that headline.
1.375 billion, b-b-billion with a b, US dollars for unauthorized tracking and biometric data collection. Just to Texas? Why were they only targeting Texas? It was a state law. It was a state law what? What do you mean? So Texas was one of the first states in the United States. This is the case that's been going for a couple of years, but basically, there is no federal protection for your biometrics yet, but a bunch of states have state laws. And one of the early adopters was Texas.
And the hope is that, like California likes to go first on emissions regulations and stuff and then the federal government follows, Texas is usually quite good at leading on privacy stuff, actually. And in this case, with biometrics, they're one of the early states. And so Google fell foul of their law first. So that's why they're being sued there. Oh, actually, I'm reading in the article. It says in November of 2022, it paid $391 million to a group of 40 states.
January 2023, it paid $29.5 million to Indiana and Washington, and later that September, still in 2023, it forked out $93 million to settle with California. So it sounds like this is the fourth or fifth one. Yeah, it's happening in state life. I guess there's a lot of Texans. Yeah, there's a lot more Californians, but yeah, that's fantastic.
Yes, and then our friends in TikTok, they got a little bit of a slap on the wrist from the European Union, joining Apple and some others. Their fine is 530 million euro for sending European data to China. Okay, your sentence... implied that Apple was sending user data to China. You mean they got slapped like the European Union did to Apple? Not for sending user data to China.
Correct, yes. Apple absolutely positively is not getting privacy violations. It's getting... All the other ones. All the other ones, yeah. Okay, just want to be clear. punctuation matters right? Yes, I do. And now we're really heading into the happy stories here. So for years now, May 1st has been World Password Day. And the intention was to give people good password hygiene.
1Password was always big on this kind of thing. Getting people to use a password manager. Don't use password123. Don't use monkey. For some reason, everyone loves the password monkey. Well, there's a new spin on that. The FIDO Alliance are like, we're trying to kill the password. We're renaming this Passkey Day.
So the FIDO Alliance are doing a big media blitz about passkeys, which I'm fine with. And in... Actually, I may not even have... Did I put it in the show notes? Oh, I should have put it in the show notes here. It's later down in Excellent Explainers. Troy Hunt did a post. Passkeys for normal people.
It's another one to send to your friends and family. Everyone learns from different styles in different ways, so if you've sent them stuff that you've done or that I've done and that didn't gel with them, maybe Troy's way of saying it will gel with them. Maybe it'll convince me to try passkeys again, because I am so out on this right now. I just...
All the sites that were great at the beginning, like the first one to do it I saw was Home Depot. It was great. You went in and it said, do you want a passkey? I said, yes. From then on, it was like,
passkey, yes, boom, and I'd be in. And now it's like four or five clicks before I get in. And now I'm just like, oh, forget it. I'm just going back to my password. So much friction has been added back in. And I think we've talked about this before, that part of it appears to be Apple getting in the way, popping up things that are confusing that look like they're part of 1Password, but they're not. I don't know. It's getting worse.
We should have a discussion perhaps offline, but yes. Yeah, I'll try to collect some examples. There are two passkey managers on your Mac. Yeah, where I can't get rid of one of them. That's the problem. Yeah, yeah. But you haven't gotten to the big part, the fun part of this story is, in addition to World Passkey Day, what did Microsoft do, Bart? Yeah, so the FIDO Alliance is an industry group, so one of their big members is Microsoft, who have the odd user, let's just say.
And they have changed their onboarding flow. So if you create a new Microsoft account, unless you go out of your way, and they will let you go out of your way if you insist, but you have to insist. You will have no password. You will have a Microsoft account with recovery information so that you can recover your own account if you lose your passkey.
But you will have a passkey, the ability to recover your account, and you will never have a password. That's the dream. That's where it gets good, right? Yeah. And if you already have a Microsoft account, assuming you're prepared to add a passkey and to make sure that your recovery data is up to date, you can go in and remove your password. You can now go in and say, have no password. So you want to know who has the most guts of anybody I know?
Tom Merritt. Go on. Live on the show. He had David Spark, the guy that runs the CISO Series podcast, who I'm going to be talking about a little bit later. He had him on there. And he goes, Tom, do it. Do it. Take it off. Get rid of it. Do it. Do it right now. Do it. And he did it. Live on the show, he removed his password. Have you done that? Excellent.
I don't have a personal Microsoft account, and my professional Microsoft accounts have forced multi-factor. So I have a password, but it can't be used without my authenticator. Okay. So I almost have it. I haven't done it. It's hard enough to figure out how to download Microsoft Office these days anyway when I do need to log in, which is pretty rare. It's so hard.
So, I don't know. I wonder if it works from inside Excel, because that's where I get stuck. Excel will go, yeah, you don't own this. Yeah, I did yesterday. Not often. Not often, but anyway. Yes, okay, let's not go there. Right, so I thought that was really nice. So that's a good word, Passkey Day, May 1st. Yeah, yeah.
In terms of top tips then, I just want to give a little heads up to any Nosilla Castaway who's involved with running a small business or something where someone who makes IT decisions might listen to you. In light of the Co-op breach, which was actually one of many affecting UK retail, it seems that the baddies have just realized that UK grocery stores are a rich target. So the government was like, whoa.
And they issued advice for how someone running a small shop or whatever could keep their 10 staff safe. It's just really good advice. So if you're running any sort of a little organization, have a look at the advice. It's just good advice. Cool. Very cool.
Excellent Explainers then, I've already mentioned Troy Hunt's Passkeys for Normal People, so just mentally put that up above. And then I want to loop back to a story that you were quite fascinated by and that we talked about a lot when it happened, which is that near-hack of SSH because of a small little library maintained by one person who got cranky, and a Chinese
person, with the Chinese government basically, went, oh, you're all depressed and sad, why don't we take over running this little software project for you? And he was like, oh, thank goodness, some help. Meanwhile, that library was part of SSH, and if some Microsoft engineer hadn't been trying to get rid of a 200 millisecond delay, we'd never have known until all of our SSH was vulnerable.
Well, the Kill Switch podcast, which I recommend anyway, it's a fascinating look at the pros and cons of AI, but they have an episode which is dedicated to the biggest hack that never happened, the xz Utils story. Oh, that could have, huh? Yeah. Interesting. It was our nearest miss. Yeah. And now we can cleanse our palates. Do you want to go first or shall I? Um, you can go first. Okay. I have two podcast recommendations because that seems to be where I get most of my fun content at the moment.
There's a really fun weekly show. It's only about 20 minutes a week, so it's very easy to recommend someone take on a new show if I'm only saying, hey, have you got 20 minutes a week? If I tell people there's this amazing two-hour show it's on every day, they don't like me very much.
Anyway, it's called The Economics of Everyday Things, and it's absolutely fascinating, because, like, how do vending machines end up making money, or how do undertakers make money, or all these weird little things. Everything makes money. How does that work? Well, they intersected with the NosillaCast in a lovely way. The question was, what are the economics of closed captions? So we have, you know, you can have this amazing focus on accessibility.
And those closed captions are amazing. But how did they happen? Which humans do that for a living? Which they do, it's a living. And how do they make a living? Well, I'm not sure they make as much of a living as they used to. It's funny because AI is not doing a great job, and the closed captioners are like, no, no, no, we get more work because people try AI and then they come to us.
Have a listen. I know you're skeptical. I know you're skeptical. Yeah, well, that sounds like the people who don't want their jobs to go away answering that question, and that's not necessarily the source, I would think. Yeah, I will give it a listen, because that's... I don't know. I make all of the closed captions for our videos on YouTube using AI, and they're spectacular. I mean, spelling people's names that are obscure and odd. I mean, it's really good. The issue is real-time sports.
Oh, well then you can't be using AI and then fixing it. Oh, you're saying they try AI and then they can't. Okay, real time. Yeah, I'll give you real time. And the other one is news, where when the AI gets it wrong, you accidentally say, just ask Apple how news with AI works. Humans make mistakes too. Humans make mistakes doing that all the time. It's very common to see mistakes in closed captions.
Well, if you wonder where all those court stenographers went with that typewriter that types 20 letters with one keystroke, they're doing closed captions on CNN. Oh, that's interesting. So it's more efficient, huh? Interesting. Okay, that was one of my two picks. The other one is there's an amazing podcast called 99% Invisible.
And they have a really recent episode that overlaps with one of my little pet joys, which is the emoji. And the name of the episode is a laughing emoji and a scales of justice emoji. Because the show is about how the legal profession and judges are dealing with the fact that emoji are language. They have meaning. That meaning is subject to interpretation just like any language is. It has nuance, and that can affect legal cases. Did you mean to say...
Thanks, I received that contract or I agree to this contract. Oh. Thumbs up. That's rough. You're right, it's a language, but is it an agreed-upon language?
Exactly. It's a fascinating discussion. And one of the real takeaways is that if a lawyer or a judge is doing a court transcript and it says "emoji" in square brackets instead of which emoji, you know that court is doing it wrong, because some of them think emoji are so irrelevant they just record them like, you know, the way in a transcript it might say [cough].
They just stick "emoji" into the transcript. That is the dumbest thing ever. You can't do that. That's tough, though, since people don't know what an emoji necessarily means. I mean, I will never use an eggplant because I understand it means something that I probably don't ever mean to say, but I do like eggplant. It's delicious. Or aubergine.
Well, let me go next. I mentioned earlier that David Spark of the CISO Series podcast was on DTNS Live, and that's where he goaded Tom into removing his Microsoft password. But the end of the episode, or the last third of the episode... He had three game shows that he did with the other members of the panel that day, and they were fantastic. They are so, for this audience in particular, you would love. The first one was he put up on a slide
a series of names one after another, and they had to guess whether that was the name of a Star Wars character or a cybersecurity company. And you would think that you would know the answers to those, but, I mean, Tom is way up there on the nerd scale, and there were several of them that he didn't get, which I thought was really, really fun. The second game was pick your CISO Disney Princess Edition.
So two of the people were assigned, got to choose a Disney princess, and they had three to choose from, and then the other two had to choose a Disney villain, and they were given three. And for all three of them, he gave them, here's why they might be a good CISO. Like Belle, well, she's good at doing research because she reads and this kind of thing. Each one had their own strengths and weaknesses. And then the game was the two teams had to compete on why theirs was better than the other one.
It was very, very funny. And the last one, I wish they'd had more time to play, they got cut off, is called The Public Interest. In this game, he shows two security terms and asks the guests to guess which of the two terms was searched for more than the other by the general public. Phishing and smishing. Things like that. Those were the two words. It was something else with -ishing. It was something I hadn't heard of.
Since then, I've heard of vishing, by the way. That's another one. But anyway, they didn't get enough time to play that one, but I highly recommend this episode. It was DTNS Live 5011, and there's a link in the show notes. It was fantastic. Cool, and you did tell me I should watch it if I had time before recording, and I was so busy writing show notes, it's on my to-do list for while I'm cooking this evening, so I will look forward to that.
And I think the other word you're probably thinking of is quishing, which is QR codes. Oh, quishing was the new one I just heard of. And I learned about that, circling back around, on the Random but Memorable podcast from 1Password. Perfect. But you're not done with AI fun. I know. I went overboard on the palate cleansers because I knew we weren't taking up too much time. The second one was researchers have unveiled something called LegoGPT.
It's an AI model that designs physically stable Lego structures from text prompts, and it currently supports eight different standard brick types, so you can tell it, make a guitar. And you'll see it build up a guitar in front of you. And they're able to be built by robots or humans. So there's little videos showing robots building these things that they've done prompts for.
I don't think you can use it yet that I could see, but it's up on GitHub on adalovelace1.github.io. How is that for nerd for you? And that just ticks... All of my nerd boxes. I'm a huge Lego fan. I'm fascinated by this whole AI thing. And Ada Lovelace rocks.
There was one more I wanted to put in, but unfortunately it's an Instagram link, and I just won't do that to people who don't want to go to Instagram. But it was a woman showing, apparently at some race type event, they built a Hot Wheels track for real cars, and you can see these race cars go up and do the loop-de-loop like Hot Wheels, only the cars go really slowly. And she says, you want to know why, don't you? And she whips up an iPad, and on it she's written, physics!
And so she goes through and does the math on how fast you would have to drive on that track in order to stay on, how the centripetal force affects you and how you would stay on the track. And so they're actually not going quite as slowly as they could, but she said they like to add a little margin on that one and not go exactly at the minimum. If I can find it, I'll send it to you, but not on Instagram, but it was a great video. She's fantastic. Wow. Cool. All right. I think that wraps us up, Bart.
Congratulations, and thank you for all your support. I mean, I can't thank you enough. Everyone knows that this show wouldn't exist without you, 100%. I so, so, so, so appreciate it, the amazing community you've built that I get to be a part of, because I can't do the community building thing. I'm an introvert. I would never have a community without you, and I just love the fact that I get to be a member of this community you spent so much time and energy building.
And I get to write show notes and do the fun stuff and then show up and end up in a podcast that's heard around half the world with massive listeners. So it's a win for me. Well, I think that's what's great about how people are different. I thrive on the building of the community. That's what gives me energy. So that's not work at all. That's the fun stuff, Bart. So I'm glad we have complementary skills and personalities.
Precisely. Anyway, folks, at this stage, you know what I have to say. I'm contractually bound, I think. Remember to stay patched so you stay secure. Well, this is going to wind us up for this week, for this 20th anniversary week, and did you know, no matter whether it is 20 years or not, you can still email me at allison at podfeet.com anytime you like.
If you have a question, a suggestion, send me a message to tell me I'm wrong. I love those. Just send it on over. By the way, there is one in the queue of somebody who told me I'm wrong, and I'm still trying to figure out why I'm wrong. So just because you sent it to me, I'm still working on it to try to figure out why. So I will respond to that publicly.
Anyway, remember, everything good starts with podfeet.com. You can follow me on Mastodon at podfeet.com slash Mastodon. If you want to listen to the podcast on YouTube. Where do you go? Podfeet.com slash YouTube. Do you want to join the conversation? Where do you think it is? You can join our Slack at podfeet.com slash Slack.
I'm in there. Bart's in there. Alistair's in there. Joe from the Northwoods. I mean, all the cool kids are in there. Come on in and join us. podfeet.com slash Slack. You can support the show at podfeet.com slash donate with Apple Pay or any credit card, or through Patreon. And if you want to join in the fun of the live show, it's on Sunday nights at 5pm. Stay subscribed.