
Apple's App Store Policy Solution is Staring Them in the Face

Apple App Store Demo

Apple has a problem with their App Store. It’s potentially a big problem if it turns into an official antitrust case, but at best it’s a problem with developer relations and looking like a bunch of greedy jerks. You may say that Apple has lots of problems, but this is the problem I’m referring to: payments on the App Store and the forced 30% cut of purchases.

There has been an ocean of ink (and podcast chatter) spilled over the last few weeks talking about this problem, but briefly, Apple forces everyone who has an app on the iOS App Store to use the Apple payment system, and part of that system is that Apple takes a 30% cut of your purchase [Note: It’s a bit more complex in that subscriptions can earn a drop in Apple’s cut, but generally, 30% is the requirement]. This isn’t illegal (yet) but developers are starting to get more than a little annoyed about the whole thing.

Apple has dug in on changing the price or bending the rules, so what can they do to fix this? Let’s put a pin in that question, and let me tell you about the latest Apple service that was rolled out and mandated in the App Store: Sign in with Apple.

Sign in with Apple is…a way to sign in…with Apple. Meaning you can use your Apple ID to sign in to an app rather than making a new account or using other similar solutions from Facebook, Google, GitHub, etc. Apple has baked privacy-forward features into their login to make it attractive to Apple’s customers, and they required that Apple login be an option on all apps that use other login solutions (Facebook, Google, etc.). While a lot of eye-rolling occurred over yet another Apple mandate, it has been successful. Apple isn’t stopping developers from using the login they want, Apple is offering choice for users, and with their login’s feature set, they can appeal to users on the merits of their solution and get people logging in via Apple. Most importantly? No one is complaining about “Sign in with Apple”.

So just do that with iOS purchases.

If Apple just tweaked the requirement on iOS purchases to match the Apple login, things could clear up pretty quickly. What would that look like? Well, the mandate would change to say that if you offer purchases in your app, one of the options must be Apple Pay and the other options are up to the developer. This means that Epic could have their own payment method for Fortnite, but it has to be right alongside the Apple option. If users use the Apple payment option, and only for the Apple payment option, Apple gets their cut. Yes, some payments would drop off, but my hunch is it wouldn’t drop off much because Apple’s option would be faster, more focused on privacy, and would integrate better into iOS, so it would still be very appealing. Plus, smaller developers don’t have another option and won’t support multiple paths anyway, so there would be no change for the vast majority of apps. If Epic can convince its users to go through its slower payment system and users understand the trade-offs, then good for them. While Apple won’t be seeing 30% of that, I bet they see far less of the inside of a court room as well.

Yes, there’s a lot of details here. Apple could require that the price difference between the payment options has to be within some range (or non-existent). They might also want to mandate the initial buy screen so that the options are all clear, such as they require with the “Sign in with Apple” mandate. Regardless, this seems like the best way for Apple to trade some revenue for good will and not seem like they are walking back the rules they have been fighting to protect. The announcement on stage at a keynote could not be easier: “Today we are standardizing our iOS requirements in an easy-to-understand way and to give both developers and users greater flexibility in how they sign in and pay for products within the apps they love.” …swoopy slide action…wait for thunderous applause…then move on to those touch screen iMacs they’ve been working on.

DEFCON 28 Wrap Up

Devil Cold Caller

DEFCON, the world’s largest hacking convention and always one of the highlights of my year, was last weekend and, of course, remote. I missed being in Vegas with tens of thousands of hackers, but there were still some fantastic talks and conversations over Discord.

A quick “Top Five” highlights:

  1. If your password is eight characters or less, you essentially don’t have a password. With a small amount of money and a few hours, eight character passwords can be broken with a fair amount of ease. Your password should be at least 12 characters.

  2. That wifi security camera you bought off Amazon for $40 is completely insecure and shares your video, credentials, and even location, with other cameras unencrypted.

  3. Two-factor authentication is an important security measure for every account you have, but it can be beaten with a good phishing attempt. You can’t sleep on phishing just because of 2FA!

  4. The disinformation campaign to instill doubt in mail-in voting is real and huge. Researchers have seen preparations for “time and place” digital attacks since 2017 that can shut off internet or power to voting locations on election day…but then COVID-19 hit and those kinds of attacks don’t work if everyone voted by mail! Since the pandemic has started various nation states launched campaigns to poison the public’s belief in mail-in voting so they can get people back to the polls on election day and back in the target radius of their attacks.

  5. I passed my FCC radio Technician exam!

A Home Office DND Button

I’m extremely fortunate that I have a true home office at our house. It’s my favorite room in our whole place, with both an internal door and a door to the back yard, and it affords me plenty of room to store my various projects and geeky collections. Of course, the most important aspect of my home office is that it’s a room where I can get some time to work on…well…these days I work on work in there. Not exciting, but it is important.

This has made Pandemic Life pretty easy for me but, and of course I have a but, there is one problem that has come up. When I’m in my office, and the door is shut, it’s really hard to tell if I’m on an important Zoom meeting that shouldn’t be interrupted by a family member creeping in from the door behind me or not.

This is a problem that needed a solution.

A solution far more complicated and awesome than any of the following: knocking, a small white board, a post-it note, or a shared calendar. Those are fine solutions that any sane person would be proud of, but…I mean…honestly…no. No, we won’t be doing any of those.

Here’s what I came up with (click to see a short demo video):

Demo Video

The Problem

The core issue is that I want to be able to remotely trigger some kind of visual indicator that I am busy and can’t be disturbed at the moment. The additional problem is that there is no existing power source in the little area outside of my office door, so unless I add a new plug to the wall I can’t hang a Raspberry Pi screen or a tablet to be a little billboard, and that kind of thing wouldn’t have been as obvious anyway.

The Solution

I replaced the one ceiling light bulb in the landing outside of my office door with a color LED bulb from Amazon. If the color is the standard incandescent yellow then all clear, but if the color is red, please hold. Yes, it makes the back of our house look like a hooker might take up residence there when I’m in a meeting, but it’s a fairly elegant solution that didn’t involve any moderate house surgery.

To control the bulb I have a multi-layered solution that involves a complete software solution augmented by some hardware. The software part is really what’s doing all of the actual automation, but the hardware…that little glowing button…is the fun part, and does actually serve one real benefit in that it shows me when DND is on, as it’s easy to forget. Also, clicky buttons are awesome.

Let’s start with the software.

The Software

We’re a Google Assistant household as that platform seemed to work the best and better fit how my family and I want to use various “smart home” features. That’s important context, because the automation path I settled on is through Google Assistant. It wasn’t my first or most likely path, but it’s where I ended up after starting with trying to find the API for that random Amazon bulb (Nope!), then looking into Home Assistant (I already have this running in my home) but finding their component for those bulbs has been broken for some time (Strike Two!). Then I realized that my Google Assistant devices could manipulate the bulb just fine. How do you “talk” to Google Assistant over a script? The answer is Assistant Relay. Check out their site for the details, but for my story, I got an Assistant Relay instance running via Docker on my home server, configured it, and managed to send text commands to Google Assistant from my computer within 15-30 mins. I then wrote a very simple script that I can put on my primary computer to simplify the command to > on or > off.

Success! …and this could have been enough. Certainly typing the above commands in a terminal window I always have open anyway is trivial…but it’s not as fun as a button! Let’s make a button with some stuff I have lying around my workshop!

The Hardware

Final Button

I had a small Arduino board, the ItsyBitsy, lying around from a previous project, so let’s start there. I also had one of these small clicky buttons with an LED in it, so let’s throw that in as well. Wiring the button with the LED was straightforward once the right resistors arrived from Amazon, and I soldered it down to a proto board I also had in my stash.

Button Wiring on Bread Board

I then flashed the board with this code to tell the computer it is a keyboard and to toggle the LED while executing a set of keyboard commands to start the script.
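As an added example (not the sketch linked above or anything from the project), here is an Arduino sketch for a native-USB board such as the ItsyBitsy that presents itself as a USB keyboard, toggles the button’s LED, and sends a hotkey chord that the host maps to the on/off script. The pin numbers, the Ctrl+Alt+Shift+O / Ctrl+Alt+Shift+F host bindings, and the 3-second boot guard are assumptions; the boot guard is there for the spurious command at power-up mentioned under The Final Result.

```arduino
#include <Keyboard.h>   // USB HID keyboard support for native-USB boards (ItsyBitsy 32u4/M0/M4)
// Wiring assumptions (not from the post): button between BUTTON_PIN and GND,
// button LED on LED_PIN through a series resistor.
const uint8_t BUTTON_PIN = 7;
const uint8_t LED_PIN = 9;
const unsigned long DEBOUNCE_MS = 50;      // ignore contact bounce shorter than this
const unsigned long BOOT_GUARD_MS = 3000;  // give the host time to enumerate the keyboard

bool dndOn = false;            // mirrors the state we last told the computer
bool armed = false;            // no keystrokes until a clean release after the guard window
int lastReading = HIGH;
int stableState = HIGH;
unsigned long lastChange = 0;

// Send the hotkey chord the host maps to "dnd on" / "dnd off".
// Ctrl+Alt+Shift+O and Ctrl+Alt+Shift+F are assumed host bindings.
void sendDnd(bool on) {
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(on ? 'o' : 'f');
  delay(20);
  Keyboard.releaseAll();
}

void setup() {
  pinMode(BUTTON_PIN, INPUT_PULLUP); // pull-up: an unconnected pin reads HIGH, never "pressed"
  pinMode(LED_PIN, OUTPUT);
  digitalWrite(LED_PIN, LOW);        // LED off = DND off; deliberately send nothing at boot
  Keyboard.begin();
}

void loop() {
  unsigned long now = millis();
  int reading = digitalRead(BUTTON_PIN);
  if (reading != lastReading) {      // any change restarts the debounce timer
    lastReading = reading;
    lastChange = now;
  }
  if (now - lastChange < DEBOUNCE_MS) return;

  // Boot guard: accept presses only once the guard window has passed AND the
  // button has been seen released, so a power-up glitch never types anything.
  if (!armed) {
    stableState = reading;
    if (now >= BOOT_GUARD_MS && reading == HIGH) armed = true;
    return;
  }

  if (reading != stableState) {
    stableState = reading;
    if (stableState == LOW) {        // falling edge = button pressed: toggle and report
      dndOn = !dndOn;
      digitalWrite(LED_PIN, dndOn ? HIGH : LOW);
      sendDnd(dndOn);
    }
  }
}
```

The host side is just two global shortcuts bound to the script’s on and off commands; the board itself never types anything until the guard window has passed and the button has been seen released.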

Yes, I could have designed my own button housing, but that is a skill I haven’t yet mastered, and I found this lovely little box design on Thingiverse and, after scaling it up a bit, it fit my proto board perfectly. It’s bigger than it needs to be but it’s stable and looks fun on my desk. Once the print was complete, I used a stepper bit (these are great for drilling into plastic) to create a hole in the lid and in the back for the USB cable to connect to the ItsyBitsy.

The Final Result

This was a fun little project that solved a problem in a way that makes everyone in the house happy. There are still some issues on the hardware side such as it firing a “DND OFF” command when the board first boots, but they are minor enough that I’ve chosen to ignore them for now.

The Parts List



The Infosec Cold Call

Devil Cold Caller

I get asked occasionally about ways to improve corporate information security or what kinds of things get easily missed, and while I’m no expert, and there are an endless number of little things you can miss these days, there’s one way I rarely hear mentioned and I like to remind technical leadership about:

Don’t talk to security sales cold calls!

Studio71, where I’m the CTO, isn’t some huge enterprise company or constantly in the news garnering press and attention, and yet I still get at least a couple of these kinds of calls every week.


Me: “This is Mike Flynn”

Them: “Hi, this is __ from WhateverSec. I just have a few questions for you.”

Me: "Ok, but I really need to go." (No I don't.)

Them: “Sure, I’d just like to tell you about our new AI-powered blah blah crypto currency security solution. Let me ask you, what are you doing now for your corporate security?”

Me: “Ah, we’re happy with our current solution.”

Them: “What is your current solution? What kind of firewall are you currently running in your office? Are you using any monitoring devices on the network?”

Me: “I’m not going to detail our security infrastructure over the phone to someone I don’t know.”

Them: …

Them: “Ok, right. That makes sense.”

Me: “Thanks for calling, but I have to go.” (No I don’t)


How many people do you think happily gave up the brand of firewall…maybe the software version…maybe the network appliances they have at their office? A lot, I bet…but please don’t. Was this person trying to research a hack? Honestly, probably not, but it only takes one, and even if they are legit they don’t need to know anything anyway. Oh, did they say they were from Rapid7 or another established company? No they weren’t, because they usually don’t ask those kinds of questions, but even if they did, it doesn’t matter.

Feel free to buy whatever it is they have to sell, but whatever it is they don’t need to know your security infrastructure to sell it!

The Sandwich List

Little Lucca Sign

I’m a sandwich guy. Ok, that’s an understatement. I’m really into sandwiches. I love the variety, the simplicity (or occasionally the complexity), the different textures, the bread, the meat (yes, meat), and usually, the cheese! I’ve spent my nearly 40 years in existence looking for the best sandwiches and then going to great lengths to eat them again and again. For example, I once flew into San Francisco for business in the afternoon and realized I had just enough time to grab a particular favorite sandwich. I raced out of SFO and after three different and hurried Uber rides I managed to get settled into my hotel with that beautiful white paper tube of sandwich sitting on one of the two queen beds in my room.

Yes, I rank the sandwiches because of course I do! I’ve told people “Oh you’re going to Portland?! One of my top five favorite sandwiches is from there!” but I’ve never actually written the list out in a place where I can refer back to it. It’s only fair that I do that now, as I always feel like there’s an element of cheating when people say something is “one of my favorites.” Out of how many, and how often does this list change?! Today’s the day I write that list down, throw it into the internet, and make my favorites as official as some middle schooler’s current Facebook relationship status!

…but first a few ground rules. Well, one really. When I say sandwich I don’t mean hamburgers, burritos, gyros or any other “sorta sandwiches”. Yes, in a technical sense they are all sandwiches, but also they aren’t, because you have to draw the line somewhere and I love all of those things too much to get a “Top Five” out of them that didn’t engulf me in angst. For this list, a sandwich is defined as various non-patty ingredients stacked between two pieces of bread.

5. Sugarfire’s Grilled Cheese (St. Louis, MO)

Sugarfire Smokehouse is a BBQ chain in St. Louis, MO. I love Sugarfire, and I always hit it up when I’m back in St. Louis, because they are great BBQ but also really inventive and downright weird with their specials. So many places have great BBQ, but Sugarfire does some weird stuff and it’s brilliant. I was there in June and saw “grilled cheese” as a special and thought to myself “Who the hell would come to a BBQ joint and get a grilled cheese?!” …and then right before I ordered I heard the three guys in front of me all order the same thing: Grilled Cheese. Then I looked at the ingredients and it…well…it’s not…I mean, there are multiple cheeses and it is grilled, but there’s also a ton of meat and a jalapeno popper on top…that was stuffed with smoked pork.

It was messy and it was top five good.

4. Dan’s Super Subs’ Hotel California (Los Angeles, CA)

Comes With: Canadian Ham, Turkey Breast, Swiss, Cheddar, Our Avocado Spread, Crispy Bacon, Deli Mustard, Mayo, Lettuce, Tomato, Onions, Our 1000 Sauce, and Diced Pickles.

It’s just a great sandwich, and one time I was there I saw Mark Summers eating at the counter. What else do you need to know? The bread is great, the avocado spread and 1000 sauce are in the perfect amounts, and it seems like a small thing but damn I love that chunky diced tomato and pickle “relish” on top.

3. Joan’s on Third’s Fried Chicken Sandwich (Los Angeles, CA)

With jalapeño cole slaw, garlic aioli and butter lettuce on rustic roll

Another LA institution, but this one is tucked in the middle of Beverly Hills off of…wait for it…Third Street. As you might guess, this sandwich isn’t cheap, but good god it is amazing. For one, fried chicken is one of the world’s most perfect foods, and then you put it on a lovely roll with aioli and a little heat from the slaw?! It’s a beautiful thing. The key is to get your order and get the hell out of there before the paparazzi show up chasing Justin Bieber while he’s grabbing a coffee.

2. Lardo’s Porchetta Sandwich (Portland, OR)

It’s a delightfully simple sandwich: porchetta, piquant gremolata, and caper aioli on a crunchy roll, and it tastes extra awesome on a rainy day in downtown Portland. I love Portland, and there are so many good places to eat that have great sandwiches (hell, Lardo has several others that are amazing), but nothing is as beautiful, simple, and delicious as the Porchetta at Lardo.

1. Little Lucca’s Ultimate Club (San Francisco, CA)

Turkey, Ham, Bacon, Cheese

Look at that description. It’s a bit of a lie. There’s more to it than that, but also not really. It is truly turkey, ham, bacon, and cheese (I go with swiss), but it also includes the Little Lucca garlic and pepper spreads and your choice of huge fresh roll (I go with the soft sweet roll). I also will add jalapeno bacon because that’s how I roll, but it’s not needed. This sandwich is just unquestionably awesome. It’s huge, it’s relatively simple, every ingredient is fantastic and eating it makes me happy and then very full and then happy and then sad that it’s gone. When I describe this sandwich to people they never sound impressed, but if I bring them along they take a few bites and look up from across the picnic tables we’re sitting at behind the South San Francisco location that was clearly someone’s little house at some point, and say “You were right. This is amazing.”

mikeflynn @ GitHub thatmikeflynn @ Twitter