New Loose Leaf Security episode: Covering your webcams! Plus, our new newsletter and articles!

A new episode of Loose Leaf Security is out to remind you to cover your webcams when you aren't using them, and it features my favorite episode art yet:

A teapot by a laptop with its webcam on, but the image of the teapot is relatively obscured on the screen because the webcam is covered by a piece of translucent tape

Covering your webcams

Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to Firefox for Android.

Head over to Loose Leaf Security or click the link above for the full audio and our detailed show notes.

Loose Leaf Security's new articles section and newsletter

In addition to podcast episodes, we'll also be covering some security- and privacy-related topics in blog-style articles, where we can go into more detail than we could in an episode and write for multiple audiences, where appropriate. Our first article is already up: Instagram 'Unusual Login Attempt' verification loop failures.

Geoffrey and I are also starting to compile a weekly newsletter for Loose Leaf Security that will include short summaries of interesting security news as well as links to any new Loose Leaf Security content. You can sign up here.

As always, you can subscribe to Loose Leaf Security in your favorite podcatcher and follow the project on Twitter, Instagram, and Facebook.

New Loose Leaf Security series: More on authentication and password managers

Three more episodes of Loose Leaf Security are out, a series about authentication and password managers:

A Loose Leaf Security logo teapot pouring a strong password string into a teacup

Using a password manager effectively

In a deeper exploration of password manager browser extensions and features for sharing as well as a survey of alternatives to password managers, Liz and Geoffrey go back to the topic of Loose Leaf Security's very first episode and discuss how password managers keep them safe in practice. In the news, a research firm makes dramatic claims about password manager security, and Facebook expands data tracking in worrisome ways.

A teacup with two security keys on the saucer and a stack of two phones, the top phone showing a QR code for setting up two-factor authentication

Two-factor tidying

With a wide variety of possible two-factor authentication methods, it's difficult to keep track of which ones you're using - and which ones you could be using. Liz and Geoffrey talk about their personal strategies and how to handle difficult cases like custom authenticator apps. In recent news, there are improvements to using security keys with Google accounts and some surprises with automatic updates.

A password manager autofilling for a login screen for a website listed in the password manager as 'Loose Leaf'

Password managers: how they should work and when they didn't

Liz and Geoffrey discuss password manager extensions in depth: everything from how they keep your passwords safe from malicious websites to how they sync your passwords between your devices to how they've made mistakes in the past. If you haven't picked a password manager yet, this hard look into the security records of popular password managers sheds light on which companies have earned your trust, but even if you're a long-time password manager user, knowing about their usual pitfalls helps keep you safe from potential future issues. Also, the new iOS 13 has a variety of security implications, and Firefox and Chrome change third-party cookie settings.

Head over to Loose Leaf Security or click the links above for the full audio and our detailed show notes. As always, you can subscribe to Loose Leaf Security in your favorite podcatcher and follow the project on Twitter, Instagram, and Facebook.

New Loose Leaf Security series: Securing your personal finances

Two more episodes of Loose Leaf Security are out, a series about securing your personal finances:

A restaurant receipt with a credit card near a teacup

Credit and debit card security

An important part of your personal digital security is making sure your credit and debit cards are secure. In this episode, Liz and Geoffrey take a look at how attackers clone credit and debit cards, how newer cards resist these attacks, whether it's safer to use mobile payment apps, and how to keep an eye on your credit reports. Also, cell phone carriers continue to sell your location data, and phishing attacks against accounts with two-factor auth have become more powerful.

Two teacups near a check that has just been filled out

Checks, mobile banking, cash transfer apps, and a bit more on credit cards

Liz and Geoffrey take a closer look at the security of checks and bank account numbers - a timely topic after a fraudster attempted to steal thousands of dollars from Liz with a counterfeit check - and also at mobile banking, cash transfer apps, and a bit more about credit cards. Plus, better encryption for Android, a major FaceTime bug, and practical lessons from Wells Fargo's day-long outage.

"Checks, mobile banking, cash transfer apps, and a bit more on credit cards" is our longest episode to date (just over 50 minutes!) - when going over the topics for that episode, we felt they should really be in one place. But don't worry: we've put in many musical breaks that make good places to pause. FYI, we don't expect future episodes to generally run this long.

Head over to Loose Leaf Security or click the links above for the full audio and our detailed show notes. As always, you can subscribe to Loose Leaf Security in your favorite podcatcher and follow the project on Twitter, Instagram, and Facebook.

Podcast submission notes

Getting started

Web stuff & RSS

Podcasts are distributed via RSS feeds that people can subscribe to. You need to generate podcast-specific RSS: start by reading Apple's requirements and looking at the RSS feeds of other podcasts.

Some specific RSS fields

<itunes:type>: You need to decide if your podcast is serial, which means it needs to be listened to in order, or episodic, where episodes can more or less stand alone. Episodic podcasts often still have mini-series of a few episodes which might want to be listened to in order, but fundamentally, you don't need to start at the beginning.

Categories: You can have multiple iTunes categories, but your primary category is the most nested one in the category that shows up first in your RSS. For example, the following is primarily in the Performing Arts category, but also shows up in Arts generally and Comedy:

<itunes:category text="Arts">
    <itunes:category text="Performing Arts"/>
</itunes:category>
<itunes:category text="Comedy" />

Sometimes, there's a natural fit for your podcast in iTunes's categories, but other times, things might not be so clear. (Notably, there's no audio drama category - often audio dramas put themselves under Performing Arts.) Check out which categories similar podcasts picked.

Non-iTunes/non-Apple podcast clients don't necessarily use the same categories as iTunes, but only iTunes categories are configured in the podcast's RSS feed. If a podcast client offers different categories than iTunes, it asks for them when you submit your podcast, and I'll talk about this more later in this post when I discuss how to get on popular podcast clients.

<itunes:explicit>: If you will have any explicit language, you need to set <itunes:explicit>yes</itunes:explicit>; otherwise, set <itunes:explicit>no</itunes:explicit>.

Dates and publication

When you publish your podcast RSS, whatever is there is live immediately. Definitely don't add draft podcasts to your feed if you don't want your listeners to hear them, and know that whatever date and time you put in the <pubDate> field is what shows up in podcast clients. If you date your episode a week in the future, it will stay at the top of clients that list most recent episodes first, but that's rude.

Podcast feed validators

Once you've made your podcast RSS, you can validate it at and

After validating, you can also subscribe to your podcast directly in iTunes via its RSS feed (as opposed to searching iTunes's podcast library), and it's worth doing that to make sure everything looks ok and shows up the way you expect.
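The RSS fields discussed above can also be checked locally before you publish. This is an added example, not code from Loose Leaf Security's own setup: the sample feed, show name and address are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ITUNES = "{http://www.itunes.com/dtds/podcast-1.0.dtd}"

# Constructed sample feed: hypothetical show, placeholder address.
SAMPLE_FEED = """<rss version="2.0"
     xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
  <channel>
    <title>Example Show</title>
    <itunes:type>episodic</itunes:type>
    <itunes:explicit>no</itunes:explicit>
    <itunes:owner><itunes:email>feed@example.com</itunes:email></itunes:owner>
    <itunes:category text="Arts">
      <itunes:category text="Performing Arts"/>
    </itunes:category>
    <itunes:category text="Comedy"/>
    <item><title>Trailer</title>
      <pubDate>Mon, 06 Aug 2018 12:00:00 +0000</pubDate></item>
    <item><title>Draft episode</title>
      <pubDate>Mon, 13 Aug 2018 12:00:00 +0000</pubDate></item>
  </channel>
</rss>"""


def primary_category(channel):
    """Most nested category inside the first top-level <itunes:category>."""
    node = channel.find(ITUNES + "category")
    if node is None:
        return None
    while (child := node.find(ITUNES + "category")) is not None:
        node = child
    return node.get("text")


def lint_feed(xml_text, now):
    """Return a list of problems; `now` must be a timezone-aware datetime."""
    channel = ET.fromstring(xml_text).find("channel")
    if channel is None:
        return ["no <channel> element"]
    text = lambda tag: (channel.findtext(ITUNES + tag) or "").strip().lower()
    problems = []
    if text("type") not in ("episodic", "serial"):
        problems.append("itunes:type should be episodic or serial")
    if text("explicit") not in ("yes", "no"):  # values as given in the post
        problems.append("itunes:explicit should be yes or no")
    if not any((e.text or "").strip() for e in channel.iter(ITUNES + "email")):
        problems.append("no itunes:email to verify ownership with")
    if primary_category(channel) is None:
        problems.append("no itunes:category")
    for item in channel.iter("item"):
        title = item.findtext("title", default="(untitled)")
        try:
            when = parsedate_to_datetime(item.findtext("pubDate"))
        except (TypeError, ValueError):
            problems.append(f"{title}: missing or unparseable pubDate")
            continue
        if when.tzinfo is None:  # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        if when > now:  # items are live immediately and shown with this date
            problems.append(f"{title}: pubDate is in the future")
    return problems


if __name__ == "__main__":
    for problem in lint_feed(SAMPLE_FEED, datetime.now(timezone.utc)):
        print(problem)
```

A check like this complements the online validators rather than replacing them; it only covers the fields this post calls out.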


There are a lot of different options for where to host a podcast. For Loose Leaf Security, we generate the website and podcast RSS directly with custom Pelican templates and host on Amazon Web Services because it was significantly cheaper than other podcast hosts in the summer of last year and because we can customize our setup infinitely. It's worth noting both my co-host Geoffrey and I have substantial experience creating and hosting websites; if you don't, you might not want to have as much control over it. Fun aside: Apple has left Amazon's CloudFront SSL off their list of acceptable SSL certificates, but I've never had a problem using them.

Wherever you end up hosting, you'll want to host your feed and audio on separate subdomains for maximum portability. We use and for this. If you change hosts for either of these components, you'll be able to seamlessly repoint where that subdomain goes - you won't have to write lots of redirects for just your audio or feed.

If you ever do have to switch where your feed is with an HTTP redirect, make sure the old location uses a permanent 301 redirect, not a temporary 302 redirect. Another podcaster's old feed host used a temporary 302 redirect, and once the old feed host stopped hosting the temporary redirect, podcast clients that subscribed to the old feed just stopped seeing new episodes.

Cover/album art stuff

Podcast cover/album art is shown at a wide variety of resolutions, so you'll want to make sure it's crisp when it's large and clear enough when it's very small. You can find more information about cover art image requirements at Apple's requirements and Apple's "Podcast best practices", and people have written lots of things about how to make a good, clear image for this. Since I'm only a hobbyist graphic designer, I'll leave having opinions about this to others.

Audio stuff

There's not a particular standard for what bitrate to release your podcast mp3s at. Talk-focused podcasts seem to not mind being as low as 96 Kbps mono and are frequently at that level. (I've even seen lower bit rates.) On the other hand, some music- and effect-heavy audio dramas will often release at 320 Kbps stereo. Loose Leaf Security is a talk-focused podcast, and I encode it at 96 Kbps mono because it is still clear and easy to understand without odd artifacts on good headphones. Some podcasting people seem to believe that using iTunes's mp3 encoder is better than LAME (though honestly I don't really hear obvious differences in my talk podcast either way), so I export my cut as a mono .wav and convert to the 96 Kbps mono mp3 in iTunes.

Make sure you don't have to have your volume turned up to max when you listen to your podcast - it's always easier to turn your volume down than to make something louder. If your podcast is too quiet, it could be hard for people to listen to. If you need to increase the volume of your podcast, look for compressors, not amplifiers.

There's not a standard naming convention for how to name your podcast's mp3 files - you technically can do whatever you want. However, there are some general best practices, and Blubrry's thoughts on file naming are in line with what I've read about this elsewhere. Loose Leaf Security is an episodic podcast so we settled on loose-leaf-security_yyyy-mm-dd_title-of-the-episode-here.mp3, but if we were a serial podcast instead, we'd probably still do the same thing because episode numbering is error-prone.

Make sure to credit all musical clips you use in your podcast.

Why you probably want to make a trailer

After you submit your podcast to various podcast clients, your podcast won't show up immediately. Some clients have pretty automatic processes and only take a couple hours, but others require manual approval and take a few days to a week. Even if you don't think you need a trailer, making a trailer is a good idea because you can submit it to the various podcast clients and get everything set up before you release your first full episode. If you just submit your first episode, you won't be able to immediately tell everyone it's everywhere when it's live, and when it finally is live in the podcast clients that require slower manual approval, it won't show up at the top of people's "recent podcasts" feed because its <pubDate> will be a few days stale.

I suppose you can delete your trailer from your feed when you publish your first episode, but it might take a while to get out of podcast clients' caching. Since I've never done this, I don't know if anything else unexpected will happen. Also, anyone who has downloaded it directly from your website or in their podcast clients will still have it.

How to get on popular podcast clients

Generally, you submit your podcast's RSS feed to get it in a podcast client, though some podcast clients also request additional information.

You should probably read all the fine print on all of the terms of submission yourself - I am not a lawyer and generally don't touch on any of that here.

Apple Podcasts/iTunes

The last time I submitted to Apple Podcasts was in August 2018.

Submit at; you can see more information about submitting podcasts in Apple's help pages.

You probably want a separate AppleID for your podcast, especially if you ever want to share access with someone else because there isn't a way to share access with another account. Apple mentions you need an iTunes Store account which "is an Apple ID that was previously used to sign in and make purchases in the iTunes Store, App Store, iBooks Store, or Apple Music", so you should log into iTunes before trying to submit. In my experience, I've needed to add an address to my account, but I have not needed to add credit card information. Of course, that might have changed since August.

Blubrry says, "The Apple Podcasts process can take up to 10 days, though most submissions are approved within 3 days and on occasion only a few hours." In my experience, this took a couple days.

Google Play

The last time I submitted to Google Play was in August 2018.

Submit at

You have to verify that you own the email in your podcast RSS feed (though you don't have to submit from this email), so make sure your <itunes:email> is one you've set up before you submit to Google Play.

Submitting under a Gmail account you use isn't weird and messy like submitting under your personal AppleID might be - you can add more Gmail accounts to share access to your podcast with other people who work on it later.

In my experience, it takes about a day for Google Play to accept your podcast and another day for it to propagate.


Stitcher

The last time I submitted to Stitcher was in August 2018.

Create a content provider profile and submit at

You cannot share access to a podcast after submission, so you probably want to make an account that isn't tied to your personal email if you ever want to share access.

Stitcher allows you 140 characters of comma-separated keywords in addition to a category you pick, though it is unclear how much listeners find podcasts from these keywords.

My Stitcher confirmation emails said, "You will hear from us within 5 business days confirming whether or not you have been accepted." My podcast was accepted in under 24 hours.

Once your show is listed on Stitcher, you can join Stitcher's Facebook community for podcasters. It's pretty active and people generally seem pretty helpful in answering all levels of questions, though I haven't personally asked anything there.


Spotify

The last time I submitted to Spotify was in October 2018.

It used to be really hard to get on Spotify, especially if you hosted somewhere outside of the big podcast host providers, but now submission is much easier for everyone. I believe their old less-indie-friendly submission via a podcast aggregator/host (e.g. Libsyn, Blubrry) is still around; however, submitting that way could make changing your hosting later hard, so you might want to submit directly at their new portal instead. (Reminder that I have never used one of the big podcast hosts, so I have no direct experience with this.)

The new portal for submission is at and is tied to a Spotify account. Note that this website has not always made it clear that it's using a Spotify account, so make sure you aren't logged into your personal Spotify account before you submit. If you do submit while logged into your personal Spotify account by accident, you can share your podcast with someone else (at least as of October 2018) by contacting support. Note that this was not a straightforward process, so I'd strongly recommend making a new Spotify account just for your podcast that anyone working on your podcast can use.

You agree to a "Podcast License Agreement" and might want to think about whose names should go on this. (Reminder: I am still not a lawyer.)

Spotify has you pick categories that don't necessarily overlap with iTunes categories.

I forgot to note how long this took, but I believe it was a couple days.


TuneIn

The last time I submitted to TuneIn was in August 2018.

Submit at

When I submitted Loose Leaf Security, TuneIn offered the option to have a cover image, too, but lots of podcasts, including very popular pods with big budgets and teams, don't have them. It looks like this has since been removed from the form.

When I submitted Loose Leaf Security, TuneIn did not use the iTunes categories and allowed you to pick up to three free-form genres. Now, it looks like you pick a single genre from a drop-down menu in the form.

TuneIn asks for a Twitter account, which it will put on your podcast's TuneIn page if provided.

In my experience, getting accepted to TuneIn took a few hours, and they mentioned my podcast would be live within another 24 hours.

Pocket Casts

The last time I submitted to Pocket Casts was in August 2018.

Submit at; Pocket Casts also picks up from iTunes automagically.

When I submitted directly to Pocket Casts, my podcast was listed on Pocket Casts in about 24 hours.


Acast

The last time I submitted to Acast was in August 2018.

Submit at

If you have your RSS feed up already and are not hosting on Acast, you're likely looking to "Get started" with a "Non-hosted show."

I forgot to note how long this took, but I believe it was under a day.


Blubrry

The last time I submitted to Blubrry was in August 2018.

Submit at You don't have to host your podcast on Blubrry to be in their aggregator.

You need to make a Blubrry account, and you likely want to use an email/account you're happy to share with others who work on your pod.

You will have to pick a "community category."

I forgot to note how long this took, but I believe it was about a day.


Overcast

The last time I looked at how Overcast picks up podcasts was in January 2019.

Overcast picks up from iTunes automagically, so you don't submit directly. Overcast mentions that your podcast "will typically show up in Overcast's search within 1–2 days," which I assume means after Apple accepts it.

When someone is playing one of your episodes on Overcast, Overcast will show a "$" button that will link to where listeners can support your show if you use the rel="payment" attribute on a standard HTML <a> link in the episode's show notes.


Pandora

The last time I considered submitting to Pandora was in January 2019.

Pandora just got started in podcasts, but they seem to 1. be very focused on only starting off with big name/big listener base podcasts and 2. have some pretty bad terms for submission.

You can learn more about podcasts at Pandora on their blog, but I don't have more to say as I haven't submitted there yet.

Seeing every BAM Next Wave Festival show

From October to December of last year, I saw a lot of shows at the Brooklyn Academy of Music - specifically, I saw all 26 of the Next Wave Festival productions.

26 tickets to BAM Next Wave productions in 2018

I've been coming to BAM regularly since I moved to New York in 2011, and Next Wave is always an exciting time of year because there are so many different types of productions that highlight a wide range of forms and perspectives. A few of my favorite performances this past Next Wave were Circa's intimate and lyrical Humans, Folkoperan & Cirkus Cirkör's meditative production of Philip Glass's Satyagraha, Jesper Just's immersive Interpassivities, and Dorrance Dance's marvellously playful Elemental, though I honestly can say I took away something different and meaningful from every production.

I documented my pre-show and post-show impressions and talked more about why I chose to see every 2018 Next Wave production on BAM's blog.