Exclusive: Meta to start capturing employee mouse movements, keystrokes for AI training data
Alright, hey everybody! So Brave has released a minimal but paid version of their browser. That's very interesting, we're gonna talk about that. Meta has started keylogging their employees. And we're finally gonna talk about Anthropic Smithos tool. And all this and more coming in This Week in Privacy number 50, so stay tuned.
(Music) Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we're working on within the Privacy Guides community and this week's top stories in data privacy and cybersecurity. I am Nate, and joining me this week is a very special guest, Carey Parker, the host of Firewalls Don't Stop Dragons. So thank you for joining us this week. Carey, how are you? Hey man, I'm really glad to be here.
We just did this recently when you guys were on my show, so it seems like only natural for me to come on yours. I'm really looking forward to this. This is great. So thanks for inviting me. This is gonna be a good time. Yeah, I'm super excited. I've definitely been wanting to collaborate with you on something for quite a while, and I'm glad we're able to make this happen now. Yeah, me too, for sure. Alright, with that, we'll go ahead and jump straight into the news.
And we're gonna start off with a pretty hot story that has gotten a lot of discussion this week, which is Brave Origin. So for those of you who have not heard, which is weird, because Brave didn't make a blog post, I don't think. I don't know what their official method of distributing this news was, but Brave Origin. So the Brave browser, as many of you may know, is a little bit controversial for a lot of reasons.
And one of the reasons is that it just comes with a lot of stuff that some people don't necessarily want. I think it comes with a ton of crypto integration. It comes with an AI assistant called Leo. I think those are kind of the two most controversial ones, but you know, stuff like that. And some people, you can disable it, you can ignore it, but some people still argue like it shouldn't be there in the first place.
And so now Brave has announced this new browser that they're calling Brave Origin. And it strips all of that stuff out. I looked at the original press release, and they had everything at a bullet point, oh, here we go, here it is in this article. So it strips out rewards, Brave ads, the built-in crypto wallet, Leo AI, their news feature, their VPN, the Tor integration, and it turns off all the analytics by default. So yeah, it's a minimalist stripped down version of Brave.
The catch here is that it costs $60, and that's a one-time fee. So I mean, there's pros and cons, right? Like, it's a one-time fee, and it's actually free on Linux. So if you're a Linux user, you can just go download this right now, no biggie. Actually, for the record, I think it might be in beta. That'd also explain why they haven't made a blog post about it. But when it comes to Linux, whenever you're ready, if you want it, you can go get it for free.
The $60 fee does come with 10 activations, meaning you can use it on up to 10 devices. We'll get into that in just a minute. Actually, I mean, I guess we could get into that now, because I think that's kind of the meat of the story there. But why don't I... I'll start by throwing it over to you, Carey. Do you have any particular thoughts on the story first? Or I can start it. Well, this doesn't... No, we can go together. But I think it's weird, right?
I mean, basically, they're saying, "Here's all these really cool features we've been releasing." They've been touting these features as they release them, certainly. You know, these are things why you might want to use their product. And now they're saying, "Or for $60, we could take a lot away." So, it kind of gives a really mixed message about what they're doing, right?
I mean, if these things are bloatware that people don't like enough that paying for them makes them go away, why are they there in the first place? I don't know. Brave is... We were talking before the show. Brave is basically my second browser. I use Firefox, as I think a lot of my listeners know. And Brave is certainly the easy button option. If I think somebody doesn't, you know, want to do anything to get privacy, I'll just... Easy button is Brave. I mean, it's a great browser.
I like a lot of things about it. But, you know, the attention token thing and the Leo stuff, everyone's shoving AI at everything. I would like this. The other thing that I think that was in the article, and you could tell me, but it was $60 lifetime, right? So, even as a method for making money for Brave, I mean, we all hate subscriptions, but I mean, if this is going to be an ongoing thing, I can't imagine a $60 lifetime is really going to cover it.
I mean, those are just some of my initial thoughts. Yeah, for sure. Yeah, it's a one-time $60 fee. We've already got quite a few people in the chat, actually. Yeah, somebody said it's not out of beta yet, as far as we know. Lucas kind of has my thoughts, which is why would you pay for it when you can just turn it all off? To be fair, if you get the paid version, you can download... So, there's two ways to go about this. And let me recap this real quick for those who don't know.
You can pay for it and you can download it fresh. And all that stuff is gone. Like, it is not there at all. It's not even like an option you can turn on or off. It's just completely gone. Alternately, you can upgrade, quote unquote, your existing browser. And then basically, it turns all that stuff off and then you can turn it back on, which I will say personally, if I was going to pay for this, I would do that. Because there are a few things like, I think like Speed Reader gets removed.
We were, like you said, we were talking about this before we went live, but I do use Leo a little bit, mostly for like research. It's a real good time saver for research. I can type it in. Yeah, there was this story about AT&T had a data breach and here's the details. And it's like, oh, you're talking about this 2019, blah, blah, blah, blah, blah. And it spits out all the links. And I always double check it for the record. I do it sometimes.
So, I mean, I like the idea of being able to turn things back on. But yeah, I mean, this has been a really polarizing story. And I don't know if I have a... I don't know if I really have a strong one way or the other, because I do see both arguments. Like you said, like some of the people here are saying is like, you have to like pay developers somehow. You know, but you also made a really good point about like, why would you pay for something that people didn't want in the first place?
Like that's kind of silly. I don't know. It's certainly a mixed marketing message, right? I mean, obviously, as again, as these features came out, I know they were touting these things. Oh, we got this really cool thing. What'd you get this in the next version of Brave? And now to suddenly say, or you could take all out of the way if you pay us money, just seems really... I mean, just as a pure marketing thing seems like a really bizarre message.
I mean, and yes, all this stuff costs money. We should absolutely be supporting these folks. You know, I try to donate where I can. A lot of people don't. I don't know if that's a sustainable model for a lot of these companies. I wish it were. I get that part of it. Just the marketing aspect of this just is what I guess confuses me the most. And it also is really interesting. All right, so let me ask if you see if you know.
So is there a way to get a better idea of what you're doing? Let me see if you know. So if you pay the 60 bucks to get the second version of this where all these things are disabled, can you, if you re-enabled everything, would it be right back where you started? Or is there still some difference? No, as far as I know, it would basically be like as if you just downloaded the free version fresh. Huh. Strange. So, yeah, I don't know.
I mean, my other concern is, you know, this Charles said here, the whole thing about like, you have to be able to pay developers. I don't want to shoot myself in the foot or anything, but $60 one time isn't really sustainable in my opinion. Right. I feel the need to point that out. But also like, I don't know.
It's, I do want to, I do want to point out, I actually kind of sympathize with Brave a little bit here because a lot of people, I know I just mentioned it a minute ago, but like, you're paying to get rid of features you don't want. Yes, but that means they have to make a completely separate version of the browser every time. They have to make a completely separate version that has all this stuff taken out. And then they have to like put it out there to the public.
It's a completely different upload. And so that is actually true. And from a software development standpoint, that's actually incurred cost because that basically doubles the amount of testing you need to do against that browser. You'd have to test the features that are removed, but you still got to run it through everything else and make sure you didn't break anything by removing those features.
So it actually does incur them some overhead to support two different versions of their browser. So yeah. Yeah. I actually, uh, I'm glad Jonah reminded me here. I wanted to go ahead and run a little poll and see who, who would be willing to pay for this? Yes, no, or maybe. Um, for those of you who don't know how the polls work, you leave one, two or three in the comments, but, um, yeah, I'm, uh, I'm curious. I haven't, I keep waffling.
Cause on the one hand, one thing I hear people defending it is this is really good. If you've got like, um, if you've got friends or family who are maybe not a little bit more tech savvy. I mean, Brave has really good built-in out-of-the-box privacy protection features. I don't think that's really arguable regardless of how you feel about them.
I think it would be really cool to have, you know, to get your friends and family on Brave and to, to be able to give them this like minimalist version where you can just be like, you know, install this Origin, but like I bought it, but I'll activate it for you and install it and it's good. And there's no chance they're going to accidentally wander onto the Leo page or the crypto page or any of that kind of crazy stuff. So that's an interesting point actually.
And I want to support these guys too. So I may just pay for this just to support them, but as a gift for people, like you're saying that, that I don't want to take the time or it's too tedious because we all know this, you know, the tyranny of the default, as Steve Gibson likes to call it, right? Whatever, whatever comes out of the box is what almost everyone's going to use. And if you have to start tweaking that to get to the point where you want to, people often won't do it.
Certainly a lot of the, you know, my, again, like my mom is often my avatar. She's not going to do it. Then, then most of my audience is not going to do it either. So yeah, if it could pay to give it to pay to give somebody else a version of this that is already ready to go. That might be actually more interesting as a gift thing. Yeah, for sure. And I mean, I forget what I was listening to lately.
I think it was about ad blockers, but that was a point that came up is like, I mean, even I've had times where, you know, my ad blockers stop things from working or my wife's, you know, she also uses Brave and yeah. No, Jonah, I don't think polls are broken. I think I forgot to hit resume on that one. But yeah, I don't know. It's it's it's interesting. It's a tall order. I think it's really cool.
I think I don't know if he was being tongue in cheek, but I did see somebody asked the CEO of Brave why it's free on Linux. And he's like, try to push people towards Linux. So I don't know if he was joking around or not, but that was pretty cool. So yeah, that's weird too. I mean, did they, did they say why they're, I mean, why are they, is this just a matter of we want, this is another way for you to support us basically going this way or. Because I'll give it away for free on the phone.
Get it for anyway. I don't know. No, I think that's I don't know. I mean, that's I'm not much of a business person, but I feel like that's the only explanation that makes sense to me is like we wanted to try and support the Linux community. I think it's also I know I think you you mentioned this a little bit, but I think it's.
Kind of like trying to find that middle ground of, you know, like people complain about the bloat and it's like, OK, here's a bloat free version, which of course now they're going to complain that it's paid. But yeah. Right there, we want Linux to win. So. But yeah, you think it'd be the way around, right? Like the basic one to be free and then all the stuff with all these features we've spent all this time putting into there, that would be the for pay for. Yeah, that's what's getting me.
Not to be cynical, but one thing I've noticed is the average person doesn't care. Like I love my wife. I mentioned she uses Brave. She still has the sponsored backgrounds turned on, which I don't know how she does. I just hate ads personally. I'm like, oh, I do too. With a passion. Yeah, so I don't understand. Like every time I have to use her computer for something and I pull up Brave or I see her pull up Brave and I'm like looking over her shoulder for whatever reason.
And it's just like I see a little sponsored thing. I'm like, how would you not turn those off? But it doesn't seem to bother her. So I don't know. I just have the tyranny of the defaults if there's good defaults there. So I guess that could be another argument going back to my whole like not playing tech support for the parents is, you know, you get this, you install it on their computer and guess what? They have good defaults right there. Like all the analytics are turned off.
So. I do imagine that people that watch ads, this is the same experience I have is want to look at anybody like on Chrome. And it doesn't have uBlock or something installed and there's ads and stuff all over the place. And all I can guess is that they've already looked, their brains tune that out. Like they're so used to it. They're so numb to it that they don't see it. Whereas you and I who don't see ads all the time, it's just it's
glaring to us because they're trying to get their attention. They've already ruled them out. And for us who are not used to it, you know, it's like anyway, we haven't built up the resistance to it like they have. I've stopped saying it because I feel like I'm a party pooper every time. But on that note, every time I see certain like TikTok videos or something, I'm like, why were they filming this moment? And that's to me, that's a good way to tell if it's an ad.
But real quick, I didn't want to call out. Jonah said he's going to keep using Zen browser on the topic of competitors. I know we're going to get ahead of it because a lot of people have asked about this is the Helium browser has been a really popular subject lately. It's popped up on the forums a few times. I know there's some videos have been made about it. So Jonah asked me earlier this week if I could test it out and kind of take a look at it.
And actually, I guess you guys can't see the whole window here, but I'm actually using Helium browser today. And it's you know, I will go on record and say I was I was really a hater when Jonah was like, hey, can you test this out? And I was like, why? But you know, I got to say it's been pretty pleasant. Like some people have been promoting it as a let's see if I can pull up their website here real quick.
It's coming up because you know, we're talking about things like Zen or like Helium, like why pay for this when you can just do this or you can just manually debloat it. I've definitely found little things here and there like every once in a while my my well on this computer, I have a SoloKey. But every once in a while my SoloKey won't work with it quite right for some reason. But I mean, I got to admit it was it was it.
Ironically, it was a little bit longer of an install, I feel like than most browsers because you know, most browsers like they just want to get out of your way and get going real quick. But this one's this one had like a whole page of like what settings do you want to enable? What search engine do you want to use? So it felt like it took a little bit longer to get started. Not not by much longer, just a few seconds, but it definitely felt like it was a little more involved.
But I mean, once I got up and running, it's it's it's been treating me well, pretty, pretty well so far. I'm always a fan of anything that comes included with uBlock Origin. I don't I just realized I didn't pull the page up. I'm sorry. I'm talking about it. But yeah, I don't know. I mean, I just I know people are going to ask us about it. So this is kind of an unofficial review. I don't know if there's enough there for us to do an entire review of it specifically.
But I thought it was okay. I thought it was pretty cool. You could check it out if you want. I don't think I'm going to switch from Brave to be totally honest. Like this has been an okay experiment. I think after this, I'm going back to Brave. But yeah, I mean, doesn't seem to be anything wrong with it in my expertise, at least. So it's actually amazing how many browsers we have. And even even how many different privacy oriented browsers we have.
That's I mean, it's a good problem to have, I guess. Yeah, for sure. I mean, we've got, I mean, for the record, I think they've all got most of them, you have to do some various tweaking to like really get the most out of it. But we got Brave, we got Firefox, we got Mullvad, we got LibreWolf, we got even things like Vivaldi. And comparing them to like mainstream like Chrome, for example, like even Vivaldi comes with like a built-in ad blocker and all that kind of stuff.
So I mean, have you used Zen browser at all? I haven't used it. But I know Jonah speaks very highly of it. And I think Jordan's used it too. So I know Zen's a really popular one. But so like you said, it's a good problem to have for sure. Yeah. All right. I don't think I have anything else to add to that story. Did you have anything you wanted to? Oh, here we go. We got a question for you. What browser are you using? I thought you said it a minute ago.
I use Firefox and I've been using Firefox for a long time. And sadly, I saw the numbers on Firefox. It's down to like single digit percent usage. It's really, really sad. I mean, I guess maybe some of that is the fact that we've got so many browsers to choose from. But I don't know. I've been a longtime Firefox user. One of the reasons I like Firefox, though, and I like to support Firefox is I really want something besides Chromium.
I'm honestly surprised that Google I know that Google is the browser and we're or was the search engine on Firefox for a long time. And that was kind of how they indirectly supported. But there were times in history with Apple, for example, where Microsoft gave a bunch of money to Apple because they didn't want Apple to die because they needed a competitor. Otherwise they'd be a monopoly. And so for that reason alone, maybe Google should kick in some money to the Mozilla Foundation.
Anyway, I like to support these. I want something besides Chromium. And so for me, it's Firefox and uBlock Origin. That's my go-to. Yeah, I am. I'm not gonna lie, I kind of want to go back to Firefox for the same reason you said like just to support the the wide range of browser choices.
But I'll admit I use Leo quite like most of the time, okay, most of the time, I'm either going to like the things that I would log in with a with a YubiKey like my Nextcloud instance, my Mastodon instance, or I'm doing research for a video at which point, like I said, I kind of come to rely on Leo pretty heavily for that, just because it speeds up the research process so dramatically. So I don't know, but I'm trying to use Tor a lot more as well.
And I know there's that like ask mode in Brave, I think I need to play play around with that a little bit more. Well, of course, Tor is Tor is based on Firefox too. So what happens to Tor if Firefox goes away? I don't know. Yeah, that's true. That is that is very, very true. Normally we save questions till the end, but the chat is really popping tonight. So I don't want to lose questions. Somebody said, do you use Arkenfox with Firefox? Do you have an opinion on the Arkenfox project?
I've looked at it. I've basically gotten Firefox to the point where I've tweaked it. And so I don't know. I've not gone through. I've looked at some of the things that Arkenfox has done. I've kind of looked through their bullet list of of modifications. Some of them are a little further than I would that I go. I've got other things going on, too. I use NextDNS and some other things, too. So some of them kind of overlap, perhaps. I'm not, you know, I'm not super, super hardcore.
Plus my audience is not. So I also kind of try to do what I recommend so that I'm more familiar with it. So you know, so there's some of that going on there, too. Yeah. And I mean, my personal opinion is like I feel like the Mullvad browser has closed the gap so much. I actually thought I heard that Arkenfox was going to stop developing because the Mullvad browser was so good. I mean, I use it sometimes, too.
Yeah, I was going to say, I don't like it again, like we were saying earlier, it's great that there's so many choices out there. So I'm not like mad about it. If they want to keep developing, that's that's cool for them. But yeah, I have I literally I have four browsers on my computer. I Brave, Firefox, Tor and Mullvad. And I've got all those plus Safari. Well, OK, OK, yes. We want to talk about the Mac. I only use this when I'm traveling, to be honest.
Otherwise, I'm either on Linux or Windows. But the keys just the keys. I don't know. I might I might I feel like I should buy Origin now just in case it does turn into like a subscription or like prices go up later. Like price now. Hedge your bets. These are pretty straightforward. Don't they just work like keyboards? Like how do they fail? I'm sorry, we're getting off topic, but you're talking about the Mac.
No. Well, you said some of these keys don't work with some of the browsers or something that some of your hardware. Oh, no, I don't. Oh, yeah. Yeah. On Helium. I don't know. Just the other day I went to log into what was I trying to log into? It might have been it might have been Mastodon. I don't know. I went to log into something and I hit my my SoloKey and the key was fine. But like it gave me some kind of error about like could not parse something or other.
And I like I made a note of him in my head. But then by that point, I was like, whatever, I'm going to bed. But it's been a long I went to New York this week. I went to upstate New York. So I had to travel and everything. And yeah, that's that was fun. Yeah. But yeah, I think before we move on, I do want to point out this new Keith person here, I think is actually a member of the brave team. So thank you so much for stopping by and answering. Oh, hey, we really appreciate it.
But with that, I think I will turn it over to you to talk about this new law from Maryland. Yeah, yeah. OK, so Maryland has passed the first and first in the US law for banning surveillance pricing. They called it the Protection from Predatory Pricing Act. Actually, I think New York actually has a law, but it's only about transparency. New York, I believe, has a law that says if you do it, you have to tell people you're doing it. But this one's going to outright ban it.
Wes Moore is going to sign it. Apparently surveillance pricing, if you if you don't know, is this notion of the collects all this information about all these data brokers, all these things that we've been talking about on shows like this in mind, where all this data, personal data has been collected about you often without your knowledge, supposedly with your consent. But we all know how that goes.
And then when the time comes to show you a price based on all that information, if they think you're desperate, they might charge you more. If they think you're rich, they might charge you more. Or if they haven't seen you in a while when to get you back, they might charge you less. There's all sorts of things baked into these algorithms. But the point being is that people get different prices. And there's been all sorts of studies that people have and they've asked questions to people.
Do you like this idea? And everyone says no, like nobody likes this idea. And yet there are still other things like loyalty programs or whatever, your Kroger card. But the thing with those is everyone gets the same deal. Like if you've got the card, then you get the price. So anyway, this is a situation where potentially you like your particular person might get a different price than someone next to you.
And so I guess food retailers as in grocery stores are a big place where this happened. Obviously a lot of this would be online so that two people not sitting next to each other are noticing that the prices are different. Though Walmart and some other stores are going to those electronic tags now. And some people are envisioning this like I walk up to a tag and then the price changes for me. I don't think that's going to be happening anytime soon.
But anyway, so Maryland has come up with this law saying that this is bad and we're going to treat it as a fair and deceptive trade practice, which is great. We need more things like this. I think this is a good idea. I've got some questions about how this is really going to work out. And the devil's always in the details like, you know, how are they going to enforce this? How do you catch this, for example, how do you prove that this is happening?
And then how do you then even if I get a different price, how do I prove that it was because I'm different than somebody else that I got this price, that it was some algorithm behind the scenes and not just, well, we just changed the prices five minutes ago. Also, what is not clear, I looked at the I tried to look at the law before we came on. It doesn't appear to have a private right of action built into it.
Now, sometimes in different states, there are other laws that would come into play that might give you this. So it doesn't have to be directly in the law. But a private right of action basically says if I figure out and can show I'm pretty sure I can show that I was just discriminated for some reason and I was given a way worse price than somebody else.
Let's say through surveillance, they figure out that I just had a death in my family and I went to go shop for a flight at Delta.com and Delta.com gets information through the back door: Carey's hard up right now. You really need to fly. Let's charge you more. Now, maybe it's a bad example because I know some airlines actually have bereavement fares and whatnot that are usually cheaper for a last bit of flights. But anyway, let's just say that that's what happened.
I can show and prove that that happened. I if I had a private right of action could personally sue. Whereas if you don't have a private right of action, which is what I think is going on here, you actually have to get the state attorney general to sue on your behalf. So probably have to have a lot of people complain about it or they have to be a really egregious case because they've got other things they're doing, too. Right.
So without a private right of action, some of these things sound good on paper, but in reality, don't have a lot of teeth to them. Also remains to be seen if someone gets brought up on this with the you know what the remedy is going to be. Is it going to be the margin of a lot of money or is it like a lot of things with meta and all those companies? It's going to be the cost of doing business. Right. Like, oh, it's a fine. It's a small fine.
We'll pay that whenever you can make that happen. We'll pay that because we're still going to make money. So I don't know about that. I will also say that I just did an interview with Justin Brookman from Consumer Reports and Eric Gardner from More Perfect Union.
They did a real interesting study about this actually, where they got a whole bunch of people into a room together at the same time on the same phone on the same IP, the same websites and said, OK, everybody find this item and buy it right now. And they found that there were differing prices for a lot of these things and they kept track of this and looked into it. So if you're interested, you should definitely check that out.
But there are things that we kind of do this for already today to the kind of muddies the waters like if you think about it like airline tickets, like no one gets the same damn price for an airline ticket. It depends on when you buy it. Depends on what not just what fare you want, but like what things are going on right now. And it could be fuel prices, but airline tickets are weird this way. There's surge pricing for Uber. Does that fall under this category? You know, I don't know.
So those are just some of my initial thoughts on this after I read this article. I think it's good that we're calling it out. I think I don't think a lot of people understand this. I think that surveillance pricing is one of these issues that is finally going to make a lot of people sit up and notice all this data gathering is a real problem. And this is why we care. Some of the other things are just kind of nebulous and like, yeah, I don't care. I get targeted ads.
Fine. I want to look at an ad that I don't want to see. Show me those ads that are targeted. That's good. I like that. This is where this is going to hit home. I think this is actually an issue that's going to get traction. What do you think? No, I totally agree. And it's funny on that note. I am so backlogged on podcasts today. I finally listened to your freely episode with McNeroll.
Oh, you mentioned that like, okay, coming up, we're going to be talking about, you know, consumer reports and how they put everybody in the room. So while you were talking, I'm like, was that his podcast or was that somebody else? Where did I hear that? But, um, yeah, no, I, it's another podcast I listened to. Um, they talked about this and that was his take.
He's like, he's like, no, I think like, um, I mean, he didn't come right out and say like, I think this would be awesome, but he, he's just such an optimistic person. He's just like, I wouldn't mind if they use my data to like, give me a discount or something. I'm like, yeah, but the difference is they're going to give you a 10% discount and somebody else a 20% discount or like, they're going to charge you a little bit more and then give you a discount.
So it's the same price, which Amazon already does that anyways, but yeah, that's actually the point that came up with the thing is that, is that what often what they do is they changed it's all psychological games, right? So it's, they show you a list price that wasn't the real, the MSRP or whatever, and they show you seven bucks for you, but you know, five bucks for me. And then they sell it for three bucks. One of us thinks they're getting a $4 discount.
One of us thinks they're getting a $2 discount. You're both paying the same price. So it works in other ways too. This whole surveillance thing. Yeah, for sure. Um, but no, I, I agree with you. Like I feel like this is where this is unfortunately one of those moments where like privacy, a lot of the time the hypotheticals have to become real before people start to notice it.
Like we've already seen with cars now, you know, that that stuff is used to influence your insurance rate. I think I told this story on a previous episode: I just moved to a new area and I decided I would take the hit and get the little tracker thing you plug into your car. It's not on my phone, it's on the car. Because it would cut my insurance rate in half. The OBD-II dongle. Yeah. But it kept dinging me.
When I asked them, I'm like, I need to return this thing, because my insurance is going to be more than if I hadn't bought the damn thing. And it was so funny, because they were like, okay, well, I mean, some of it is, you know, your driving. Which I explained. I'm like, yeah, I'm in an area with really aggressive drivers. There's nothing I can do about that.
And then also some of it was, you take a lot of short, inconsistent trips. And I'm like, because I work from home and I just run to the store when I need to. I don't commute to an office every day. What do you want from me? But yeah, anyway, sorry. We're at the point now where our car data is being used to determine insurance rates. And now this stuff could be used to determine individual pricing. And this is different.
I know I've said this before, but for anybody who doesn't know, this is different from surge pricing or dynamic pricing, right? Because that affects everybody. The example I use is, if you're at a concert and the concert's over and you call an Uber, it's going to be more expensive because it's a concert. It's crowded. Everybody's trying to get home. But it's going to be more expensive for everybody.
The surveillance part comes in where it's more expensive for you because your phone's at 10% and they know that you can't afford to wait for traffic to die down. You say that, but that was a thing. Uber was one of them: if you gave it permissions, the Uber app was looking at the charge on your phone. And if the charge was low on your phone, they figured you were desperate and they would give you a different price.
Also, as Cory Doctorow is very common to point out, the drivers themselves are subject to kind of surveillance pricing as well. Like, what they are offered for a ride before they accept it varies depending on factors on their end too. And it's this whole algorithmic game that is very untransparent to the people it affects, but the companies are using it to make a lot of money.
When I was talking to these guys, one of the things I thought was interesting was, the whole point of this is they don't want to leave money on the table. Right? So all these companies want to charge you as much as possible and still get you to buy, you personally. Like, how much can I charge Carey and get him to buy without charging him too much so he walks away? It's the same thing with Nate. That could be a different price.
And it's called a customer surplus. Whatever they left on the table for Carey: if I charge Carey seven bucks for something and it turns out Carey would have paid 10, that's three bucks I didn't make. That's the way they look at that. And that's what they're trying to solve with this surveillance pricing. Yeah, for sure.
For the record, real quick on the Uber one, I don't know if they were ever convicted of that, but yeah, I do remember that was something somebody alleged. But yeah, Vonnegate here says Wendy's had plans to introduce surge pricing that they pulled back because of backlash. I vaguely remember that. What was the brand? Oh, surge pricing. Okay, sure. Yeah. I don't know. That's weird.
Everybody's trying to get in on it. Which, for the record, I understand: welcome to capitalism, everybody's trying to make as much money as possible. But it's still just crazy. Like, is nothing sacred, man? I don't know. There's still some basic fairness that needs to be in there. And this is something I bring up all the time when people talk about capitalism: unfettered capitalism is still not good.
The way I usually put it is that any game worth playing has rules, and any game with enough consequences needs a referee to enforce those rules. You need fairness. Capitalism has to be fair at its basic level or it's predatory. Yeah, for sure. Yeah, I don't think I have much to add to that one personally. So I guess let's move on to our next section.
In a little bit here, we're going to talk about Meta, and Meta is basically keylogging their employees to train AI. But before we talk about that, which should be fun because I love making fun of Meta, first we're going to give some quick updates. We're going to talk a little bit about what's been going on at Privacy Guides.
So for anybody who is not subscribed to our newsletter or our YouTube channel or any of our socials, you really should be, because we have a new interview out with Carissa Véliz, and she talked about AI and actually just this thing we were just talking about now: how AI and predictive algorithms are making things less fair and not more fair, and really taking away a lot of opportunity from people. Amazing video. I don't have it on me.
It's on the coffee table. But I preordered her book and it got to me the day before it came out. So that was super cool. I got to read a little bit of it on the plane. So far it is amazing, as always. She's an amazing author. In other news, Jonah put up a video about the Parents Decide Act that we covered a little bit last week. We covered that last week before the text of the bill was out.
So we were kind of going off of the PR statement that the representative put out, but Jonah actually read the text of the bill, which is actually pretty short. Oh, okay. I didn't have time to read it. But yeah, Jonah had some hot takes. He kind of disagreed with everybody. And, you know, there are so many comments on that video, which is great.
I mean, we're having discussion, which I think is awesome, but you don't have to agree with him, obviously. But I think if you want to hear a different perspective on it, I would say definitely go check that out. And like I said, you may not agree with him, but it's another opinion. Well, for what it's worth, I agree with him. And I don't like the age gating stuff and I don't like the ID verification stuff. That is not what this bill is.
So that's the thing. It's not that long. It's almost a one-pager. So it is worth listening. I watched Jonah's video, and watch that before you make your decision, because I have a knee-jerk reaction whenever I see these kinds of bills, because so many of them are bad. This is one you need to take a look at, because none of this is good, but I think this has an interesting approach. So I think it's worth at least considering.
Yeah, for the record, I don't really know how I feel about it, because I think Jonah really did make a lot of good points. But I think a lot of it is also, at least what I heard from it was, assuming this doesn't get abused. And I'm very cynical of government. So I don't know. But also, full honesty, I think Jonah's a lot smarter than me. So even if I don't fully believe him, I'm still going to listen. Oh yeah. I mean, there's still problems with it.
It's definitely not perfect. And there's always a slippery slope argument against a lot of that. That's true. It starts out being good and then ends up going wrong. And so as soon as you enable it once, it might start out being good and then go to crap. That is most definitely possible. But it's worth debating by looking at this bill. Yeah, for sure. And that's a really good point.
We can make the slippery slope argument about anything; it doesn't always mean it's going to happen. So that's true. And we do have another video that is already in the editing phase. And all I will say is that it is a tutorial that some people have been asking for for a while. I'm really excited about it. I've told you all, I do like the initial cuts. I'll record something, I'll do a rough cut to get rid of all the pauses and the starting over.
And even that initial cut, I was like, damn. I'm not normally one of those "I'm so good at this" kind of people. But even I was sitting there like, I think this is going to turn out really good. So I'm excited to share that with y'all. And then we wrote a bunch of articles this week. It was a really busy week. Apple has fixed the issue that was causing Signal notifications to be stored on phones.
Madison Square Garden: I think it was Wired did a real deep dive into their facial recognition software. I got to walk by MSG this week, so I'm pretty sure I'm on there. Fingerprint.com discovered a vulnerability that can link your Tor browsing together. Definitely go check those out, because unfortunately we're not covering any of those stories on the podcast this week, but they're good, important stories that are worth knowing about.
And on that note, I'm going to turn it over to Carey, and you can tell us a little bit about what's coming up over on Firewalls Don't Stop Dragons. Right. Well, you beat me to all the interviews. So my interview with Carissa Véliz is going to come out Monday, and I have had a chance to read the book. It is amazing. Privacy Is Power, which you've got behind you on the wall, is still my go-to. If I recommend one book to anybody about privacy, it's that one.
If you have not read it, you need to read it and buy it for your friends and family, because it's just that good. She's a philosophy professor and she approaches this from a very human angle and a very interesting and provocative angle, and says a lot of things. I'd been doing this stuff for a while when I read that book, and there were still points of view in that book where I was like, wow, I really liked that. That I really took home.
So anyway, that's really good. Carissa is amazing and I got a chance to talk to her as well about her new book. So she and I have an interview coming out Monday. I also talked with Cindy Cohn. You've already talked with her. And so I did talk to her as well. Another amazing woman and another great book she's got out, Privacy's Defender. That's well worth a read. So both of those interviews are coming out for me, the next two.
Then this is something I've been wanting to talk about for a while. We talk about surveillance all the time and mass surveillance all the time, but I wanted specifically to talk about employee surveillance, which is going to be a great segue when we get to the Meta article. And so I found a couple of people to talk to me about the technology behind it.
Like the MDM profiles and things, and what really happens when you use your own device at work, and what you should expect for privacy when you're using company resources or on company property, which, spoiler alert, is nothing. You have no privacy. So we talk a lot about that. Those are kind of the interviews I've got coming up. And also, maybe I could save this for the end when we wrap up, but I've got some big news to talk about with the book and the podcast.
I'll save that for the end when we wrap up. All right. I'm excited. And I'll definitely be listening to those interviews. Yeah. Carissa writes in plain English, but so articulate. I love it. So, yeah, all this is made possible by all our supporters for Privacy Guides. You can sign up for a membership or donate at privacyguides.org. You can pick up some swag at shop.privacyguides.org, like this awesome water bottle that I take everywhere.
When I travel. For Firewalls Don't Stop Dragons, you can head over to firewallsdontstopdragons.com, or, I will fully admit, your little FDSD.me. I use that like crazy. So just type that in if you're like me and that's a lot to type and you make a lot of typos. Oh, I make so many typos, and I'm a writer for a living. Can you tell? But yeah, that'll take you to his website. You can get a copy of his book and learn more about the podcast.
But for now, I'm going to leave it with Carey, and we're going to talk about Mozilla and Anthropic's Mythos, that you guys may have heard so much about. Yeah. So I guess you guys haven't talked a lot about this on the show, so I want to start by giving a little bit of background, because I think that's going to be important. Honestly, the takeaway from the articles, we have a couple of articles, the takeaway from the articles is pretty short.
But I do want to talk about what Mythos is and, in general, generative AI and coding. So I'm a retired and recovering software engineer. I've been writing code for 40 years. I've been doing it professionally for 30. And I'm here to tell you this stuff is for real. There's a lot of problems with AI. I say this whenever I do it on my show, I've got these disclaimers, like, yes, there are a lot of environmental problems with AI.
We didn't have to do it that way, but we did. There's a lot of copyright problems and content things with AI. We didn't have to do it that way, but we did. But all that aside, strictly from a coding perspective, gen AI, LLMs, large language model chatbots, you know, your Claudes, your Geminis, your ChatGPTs, it turns out code is just ideal for working in these situations. LLMs training on code is almost perfect. There's always bugs in code.
I would have said that for my entire career. We may get to the point where that's not true anymore, but before we get there, we're going to be finding a lot of bugs, and that's kind of what we're going to be talking about today. So Mythos is the latest version of Claude, which is from Anthropic. And they did this big song and dance release recently where they said, we've got this new version of Claude. It is so amazingly powerful.
It is so unbelievably powerful in coding and finding bugs and exploiting vulnerabilities in software. It is so good, we can't give it to you yet. So they created this thing called Project Glasswing, and Project Glasswing is this, I don't know, pseudo-charity thing where they said, okay, we're going to let the quote unquote good guys have it first. And so I think there's like 40 different companies that they're giving access to before they release it to the public.
They're running it on a lot of open source projects, especially a lot of the big ones, which is great. We're going to find out in this next article, when I finally get to it, that Mozilla has used it to good effect. But I'm here to tell you that these tools are the real deal, and there's a lot of hype behind this. A lot of people are saying, oh, they're going to IPO this year, they're just trying to get a lot of interest. They are getting a lot of interest.
They're making such a big deal out of this, it's all hyperbolic, it can't be this good, it can't be this dangerous. As a software engineer, in my opinion, and it's not just my opinion, there's actually a lot of cybersecurity researchers who share this opinion, and if you're interested, I can maybe try to give you some links, this is the real deal. They are finding a lot of bugs.
One of the things that they point to, and then I'll get to the story and I'll have more to say, is somebody's keeping track of the mean time to exploit: how long it takes after a patch is released, like somebody's fixed a bug, before the bad guys find people who have not updated their software yet and exploit it in the wild. Like, eight years ago it was like two years. It took two years on average.
And I don't know what the standard deviation on that is. But anyway, the point is, over the last few years it's come down very, very fast. It's to the point where so far, I think this year, the mean time to exploit between publishing a patch and somebody exploiting that patch in the wild, for somebody who has not fixed their software yet, is 10 hours. That's nuts. That's basically instantaneous. I just need to chime in real quick.
I remember when I was on Surveillance Report, it was like three days. So it's going down constantly. That's insane. It's basically immediate. So that is what these tools are doing. So that is why Anthropic basically said, okay, we can't just release this to everybody yet. We're going to let the good guys have it first and try to fix all their stuff. And so that leads to this article.
And that is that Mozilla used this tool, and in the latest version, well, okay, it's a little fuzzy. They said they found 271 bugs in Firefox. I don't think they're all fixed in here, and I don't think they're all critical bugs. They fixed a lot of them in Firefox 150, which just came out. So it does exactly what they said they wanted to do.
They wanted to give it to, in this case, Mozilla, and say, find all your bugs before the bad guys do, fix them now, and then release. And, you know, at some point soon, I don't think they've said when, they will eventually release this. But now this brings me to another point, and I want to say that even if this particular version of Claude is not as good as they say it is, the next one will be. But if it's not them, it's going to be ChatGPT. They're next.
They've got a cyber version out now that they think is about as good. And by the way, OpenAI released their ChatGPT cyber version and said, we're also going to... They took a lot of potshots at Anthropic without saying it by name in their press release. But basically they're doing the same thing. They're good. They're not releasing it broadly yet either. But even if these guys don't do it, someone's going to do it and it's going to be out there. That's going to happen.
So all I want to say, well, some of the things I want to say about this to you guys, the audience, and anybody you know that has a business or works for a company that might, well, that's everybody: this is real and we need to be taking advantage of it now. Steve Gibson on Security Now likened this to the Y2K thing. It's like, this is coming. It's going to happen. We need to fix our software.
And it turns out, back then, it ended up being a nothing burger, because we had enough notice and we worked ahead enough that when it actually happened, nothing really happened, because all the software had been fixed and we were all good when the clock rolled over on January 1st of 2000. I don't think this is going to be like that at all. There's a lot of existing software out there that's not being updated.
On devices that are no longer supported, people are not going to be on top of this stuff. And so for all of that software that is already out there and vulnerable, even if all these companies do get privileged access to this tool ahead of time and fix these things ahead of time and release their updates, those updates are not going to be put on everywhere right away. So for, I think, companies, and there's this white paper that, gosh, I wish I could remember the name of it.
Maybe while you're talking I'll look it up and say, but these guys basically said you need to prepare now. They're talking to the CEOs and the CISOs of companies, the chief information security officers, and saying, this is real. This is coming. You guys need to prepare: hire people, get ready for a big wave of bugs to be found, either before you release, because you're using this tool,
you're privileged enough to get access to this ahead of time, or the bad guys are going to find them for you after the fact. You're going to need to be ready to fix these things, and quickly. And for just regular everyday people, the companies are going to be able to fix this. And so I think the kind of advice I'm giving is the advice that we've always been giving, but it's more urgent. You know, get your old, unsupported devices off the internet.
Make sure that you don't have internet holes in your firewall. You can use tools like ShieldsUP! and Shodan to find those kinds of things. If you've got software that needs to be updated, get it updated. Get your data offline as much as you can, because if you've got old stuff there, reduce that as much as you can now, because these things are going to be exploited. I've been talking a lot. I'm sure you've got some things to say.
So let me take a breath. Nate, tell me what you think about all this stuff I just put out there. No, you're good. Yeah, I mean, honestly, I agree with you. You said it really well. AI has so many problems and I'm not an AI maxi. You know, earlier I said that I do use Leo quite a bit, but I'm fully aware of, you know, the copyright issues, the privacy issues. I try to use it sparingly. I try to use it specifically for, like, hey, find this article or something.
I generally don't use it for creative stuff, but I've heard, and I feel like we covered this on an older episode, there was one of the top Linux maintainers talking to The Register, and he said that, historically, companies and open source projects have had issues with AI bug reports, because there's just too many of them and they can't keep up with them. But now, and this was like a month ago, so now it's two months ago or so.
But at the time of the interview, he's like, yeah, and then like a month ago, all of a sudden it was like a switch flipped and something changed. And now a lot of these bug reports are really good and they're actually really helpful. And we're finding a lot of things and fixing them. And so I think AI, like, one of the valid use cases, and again, we should have done it differently. I'm not going to argue that.
But now that it's here, one thing it's actually really good for is technical stuff. And I use it all the time to help me troubleshoot servers. You can ask Jonah, he used to be my go-to person even before I started working at Privacy Guides. He was my go-to person where I'm like, hey, I'm having a tech issue. Can I pick your brain?
And now, ever since I've started using AI for that, I think I've only had to hit him up once or twice, and I've had one other issue where the AI was giving me bad information. But thankfully I was able to... I imagine that if you read the logs it might tell you what's wrong. But you know, it's really good. Like 99 percent of the time, maybe not 99, but for coding stuff specifically, it's really good. And I think it's very... I'm with you.
Even if it does turn out that it's hype, and it probably is some hype, I mean, it's a company. Yeah, they're trying to make money. They're trying to get more investors. There's always a little bit of B.S. marketing. But even still, I'm willing to bet there's quite a bit of good substance under there. And so it's good.
I guess what I'm getting at is it's good to see it being used for something useful for once, instead of, oh, let's make fake news and let's make a... Oh, my God. I've been raging the last couple of days because I just uploaded a short video for The New Oil. I just uploaded one to TikTok and stuff. And every time I go to TikTok, I do it on the computer and I'm not signed in. So I get the generic home page, and I swear to God, it's at least 50 percent
AI slop, like obviously AI slop. And I'm just like, why are people using this website? But, you know, this is such a better use case for that instead of, you know, I don't know. Yeah, it's crazy. All right. So a few other points that I'll bring up is that coding in particular, again, I'm a software engineer, I've done this for a long time, and one of the things that I think makes LLMs supremely good at doing code is code.
Software code has a very strict syntax and a very strict format. And it's either right or it's wrong. It'll either run or it won't. Now, you can write code different ways to do the same thing. But if you want code to work, it's got to follow rules, and they're pretty limited. Unlike the English language, which has all sorts of ambiguities, every language does, right. A coding language is very strict.
And so, because it's so strict and the syntax is so fixed, it makes it, I think, perfect for something like an LLM to study lots of existing code that's already out there and then be able to write new code from that. You can also have it write tests and prove that it works, which you can also do automatically. So these Anthropic tools, and some of this is from tools that are even before Mythos.
But for Mythos, what they told it was literally this, these are the instructions to Mythos: Here's some code. Read the code. Find me a vulnerability. And they walked away. That's it. And it found them. It's that good. And it's not... some of these bugs, if you're into cybersecurity, you'll know that today a lot of our software has gotten better. It's gotten more secure. We've put in all sorts of safeguards on software to prevent, you know, it's a cat and mouse game.
The cyber hackers figure out, oh, code is vulnerable in these ways. And so we've actually rearchitected entire operating systems to not let that be a vulnerability, where a whole class of vulnerabilities has gone away. So oftentimes today, when you're finding a vulnerability in software and you find an exploit that allows you to take over a system, for example, what it really is under the covers is usually three, four, five, six chained exploits.
It's not any one bug that gets them in. It's a set of bugs. This bug gets me this far. This bug gets me this far. This bug lets me raise my permissions. This bug lets me access this other software. And by the time you're done, all of these things together in order will get you this vulnerability. This tool in this case found an exploit chain that I think was six links long. It is that good. I'm here to tell you this is the real deal and we should be worried.
The next 12 months is going to be bumpy. I mean, I don't want to... I am not hyperbolic. If you follow me at all, you know this: I am not a Chicken Little, sky-is-falling kind of guy. And I think there's also a lot of upside too. I think this Project Glasswing, for all the hype and everything, I think it's still a good idea that we're doing it.
¶ Outro
Once we build these tools into our software development process, we are going to be shipping much, much cleaner code with a lot fewer security vulnerabilities. That day, when it comes, will be good. Until then, we have a lot of software that exists out there already that is not going to get patched, at least not quickly. And it's going to be vulnerable to these things. So, I'm not a prepper. No, I'm not. But I'm telling you, and I usually avoid hyperbole, this is a case where I think both things are true.
I think there is a lot of hype. I also think these things really are that good. And I'm glad they're giving it access. We're actually going to talk about the next story; they screwed that up, too. But I'm glad they gave them access ahead of time. I think that's a good call. Yeah, I think you kind of summed up what... There's a lot of hype, but I think there's also a lot of substance, too.
So, well, I guess real quick before we jump into that next story, I'll give the audience a chance to disagree. We'll try these polls out again. Do you think AI will change cybersecurity, will be useful? Let us know in the comments: one, two or three. But in the meantime, I'll let you keep rolling and tell us more about this. What's the latest development in the Mythos saga? Well, okay, so this is one of the downsides to doing what they did.
And so the one thing I think that they got wrong with this whole Project Glasswing thing, where they came out, again, Anthropic came out and said, we have this tool that is so amazing and so good called Mythos that we can't just give it out to everybody yet. We're going to let the good guys, the blue teams, have access to this first. And that was great. But in retrospect, if I was them, I wouldn't have told anybody that I was doing that.
I just would have done it and then announced it when you could release it. You don't have to tell everybody you're going to do this. And they went so far, by the way, just to show you how the hype works in this and how the marketing works. Somebody figured this out. What they did was, in the press release, they basically said, we've already found all these bugs.
We can't tell you what they are yet, because we don't want the bad guys to exploit them yet, because the people that have the software that has the bugs haven't fixed them yet, haven't released the patches. So we're not going to tell you. But we so badly want to prove to you that we know that these are real bugs. And what we did was we wrote the report with all the details that explains and proves that we know what we're talking about, and this was a real bug.
And then we took that report and we hashed it. Now, if you don't know what a hash is, it's a cryptographic function that basically takes any amount of input data and distills it down into a fixed-length number, essentially. It's a big number, to the point where if you took an entire book, all the text from a book, and hashed it, you'd get a number. If you changed a period in that book and hashed it again, you would get a totally different hash. It's like a fingerprint for the book.
So basically what they did, because they wanted so badly to be able to prove, when this thing came out, see, we told you we knew this was here: they took their bug reports and hashed them and released the hashes, so that when those bug reports eventually do come out, you can hash them, get the same value, and say, oh, yeah, they really did have that. They knew about that weeks ago.
So anyway, what happened here is, of course, because they came out and said this thing is super valuable, everyone's going to want this, but you can't have it yet. Somebody figured out how to get it. And the weak spot is always people. So this article in TechCrunch, the summary basically is some group of people, I think they had a Discord group where they evaluate stuff.
They figured out, by looking at the pattern of various Claude releases, they kind of guessed where the service was going to live on the web. Got it. And then somehow through a third party, because there's always a third party, there's always your partners, always what kills you. They partnered with some people, some partner had a vulnerability or something. I don't know. So I don't know if it was social engineering or what. It's a little bit vague.
But somehow, through a compromised third party, they got access to the Mythos tool ahead of time. Now, we can only hope that they're not using it for evil. I don't know. But whenever you come out and say that these things are so amazing, you're just painting a target on your back. They should have just waited. I think that's all I've got to say about that. Nate, what do you think? Any comments on that? Sorry, I was having some slight technical difficulties.
Sorry. All right. Yeah, no, I thought that was funny too. Yeah, it does seem kind of inevitable. I feel like when I read this headline, I was kind of 50/50. On the one hand, I was like, whoa, that's crazy. And on the other hand, I'm like, yeah, I guess that was kind of inevitable. But I don't know. My only real thought, to be honest, is that I'm surprised we haven't seen any further developments yet, because this was, let's see, this was on the 21st.
So that was like, what, Monday or Tuesday? And I mean, it's a good thing. It's a good thing, I guess. And, you know, the week is young. Like, we could still see stuff come out of this. But it's like, OK, they say that they've got access now, but what are they doing with it? And so I guess I'm curious. Because, yeah, we really don't know much, or at least publicly they haven't said much about who's behind this.
So yeah, this smacks to me of somebody like, almost like a hacker interest group that just wanted to see if they could. And they poked around and figured out they could. And they did it. A lot of hackers, you know, it's just for the lulz, as we say, it's just to say that we could do it, maybe get a little street cred. But if they can do it, what that really means is someone else could do it too.
And if I were North Korea or Russia or China or Iran or any one of the other state-sponsored actors, I'd be trying this too. And if these guys could get in, the chances are pretty good someone else can too. Again, I know we talk about security through obscurity, and it's not a great thing, but it's also not a bad thing. Anthropic should have just sat on this.
They shouldn't have gone for all the marketing hype with the we're-sitting-on-something-we-can't-tell-you-about. It's like, I've got a secret, but I can't tell you. Right. I mean, we all know as human beings that never works out. That's funny. That's a really good comparison. Yeah. I mean, that reminds me of the '80s and '90s hackers, like what it was all about, just because you could. And there was no real incentive behind it.
But yeah, I certainly hope that's it. And I certainly hope we're not about to see a string of, like, all these companies were hacked in a way where clearly they must have been abusing Mythos, because there's nowhere else that you could have done it, or something. But yeah, interesting stuff. I think that's all I've got. And I feel like we've covered that pretty well.
Yeah, Jonah's, I think, trying to give you a real quick plug again. If you guys are enjoying Kerry, which somebody said in the Signal chat, by the way, they said they're really enjoying you on the show: Firewalls Don't Stop Dragons, FDSD.me. Definitely check them out. And we'll talk about that a little bit more in just a moment. But first, we're going to get into a fun story about Meta that we all love to jump on. Oh, yes, that is one of my favorite companies to pick on.
So Meta has started keylogging their employees, allegedly to train AI. I'll be honest, the story is pretty straightforward, but there are still some good takeaways here. So let's start with the facts of the story. Meta is installing new tracking software on employees' computers that will measure mouse movements, clicks and keystrokes for training its artificial intelligence models.
This is called the Model Capability Initiative, and it will run on work-related apps and websites and will also take occasional screenshots of the employees' screens. And they say that the goal is, they're trying to improve areas where agentic AI struggles. Well, they said the company's AI models. I'm assuming this is an across-the-board thing, or maybe their AI really just sucks that much compared to everybody else. I don't know. I haven't used any AI agents. I wouldn't know.
I don't trust them enough. I don't mind it telling me to click. I just, it's a control freak thing. I don't mind it telling me, like, hey, click on this article because that's got the news you're looking for. I do mind when it's like, let me go buy your plane tickets. Like, no, don't. But anyways, they say that they're specifically looking to improve things like when you have to choose from a dropdown menu or you use keyboard shortcuts. Apparently, that's something where AI still struggles.
They also said that, where did it go here? Oh yeah, here it is. They said that the MCI would not be used for performance assessments or any other purpose besides model training, and that safeguards were in place to protect, quote unquote, sensitive content, without elaborating on which types of data would be excluded. So, I mean, me again, I hate Meta. I love to take shots at them. So my first question is, it's not going to be used for performance stuff for now.
And like, how are they going to, if it's taking screenshots, like, OK, first of all, and I think this is probably where we're going to start getting into the analysis portion, but like, you shouldn't be doing anything personal on a work computer. But hypothetically, let's say someone's opened like an email or something, something that they need to do real quick. I mean, we've all had those moments, right, where it's like, I need to do this thing. It'll take five minutes. I'm at work.
Let me step outside and make this phone call or whatever. So what happens when they open their email and that's the moment that it decides to take a screenshot? There is not a world in which you can convince me that they are going to throw that away. Like, yeah, I'm sure they'll say they will. I don't believe it for a second. Yeah, Lucas says, I want them to train their replacement. They may. Maybe you're not wrong. Yeah. So it's one.
So, OK, so one of the things I got from the article was that it seemed like what they were really trying to do is, again, toward this agentic AI I was talking about, they want to understand how humans interact with this stuff so they can better implement their agentic AI, which will take over and do these things for you. So that's one of the reasons, supposedly, why they're doing this. And so let me just take a quick segue to say you're absolutely right.
In my opinion, you're absolutely right. Do not use anything agentic at this point. I think it's really cool. I love sci-fi. I can't wait for the day when this stuff is trustworthy and I can tell my computer to do the stuff. It can do great stuff. Like, my doctor, of all people, was telling me, oh yeah, so I installed Claude Cowork and just told it to clean up my Mac for me.
And it went and found all these files and got rid of stuff for me and tweaked all my settings and it's so much better now. I'm like, oh my God, like, I can't trust these things yet to do those things on my behalf. Someday, maybe, I'd love that. But no, we are not there. I bet you that story was so close to ending with, and then it deleted all my kids' photos. Right. Right. Yeah. And so we're building some of the things we need to do.
And we're already starting to do them. There's this thing called MCP, which I think is, what is it, Model Control Protocol. We're starting to build frameworks into our operating systems that allow these things. So they're already building in hooks, basically software hooks, into our applications and our operating systems for agentic AI. So it'll be easier for these guys to basically script and automate things on your computer.
And that's good in the sense that it's coming from the operating system vendor, Apple, Google, Microsoft. Hopefully they're going to build in some guardrails. And hopefully they're going to set up types of permissions that you can give. It's going to be like apps all over again, where you have to go through and say, yes, you can have access to my microphone. No, you can't look at this folder that has my taxes in it. You know, you're going to have to.
You're going to have to go through that. But right now it's the total Wild West. You know, Claude, was it Clawdbot or Moltbot? Originally, what was it originally called? OpenClaw. It's OpenClaw now. I think originally it was Clawdbot and then it became Moltbot. And now it's OpenClaw. I can't remember exactly either. And so when I read that, first of all, like, again, I'm an engineer. I love to automate things. Like, that's totally cool.
But I would never do that. I would never trust this thing. So I was like, OK, how do I do this? So I'm actually building my own server to do this on, because, first of all, I've got to sandbox this. And so I've got to keep this totally separate. I would never run these things directly on my machine, because then they run as me. They could do anything I can do. And in most cases, that means you're admin, so they could do anything. No way am I going to do that on any computer I care about.
So I bought a dedicated computer for this and I'm running local models only. It's using Ollama, if anybody's familiar with that. So it's all local. There's nothing cloud-based on there. And I want to try to get this thing to do these kinds of things. But it's going to be more like an assistant. Like, it's going to have its own personality. Like, I've already got this box set up. OK, this is going to sound horrible. I totally understand that AI is not real. Do not worry about me.
But I called it Sam, and I called it Sam because that's the name of the AI in Her, which is a movie. If you've not seen it, you need to watch it. It's very relevant now. That's been on my list for like a year. Oh yeah, go watch it. In fact, I need to watch it again. It's a weird love story with AI. I'm not spoiling too much. But it really speaks a lot to what we're doing now with this agentic AI stuff. So I called it Sam. Anyway, Sam's going to have a memory.
Sam's going to have AI, but it's all going to be local. And Sam is different from me. Sam is not me. Sam is not sharing my accounts. This is the kind of thing where Sam's got her own Proton account. Sam's got her own Signal account. Sam's got her own phone number. And we will communicate by Signal. She will only ever respond to me, and she will do automated stuff, but she's going to do it as her, not me.
And with whatever sharing permissions I'm able to set up in, like, Proton or wherever we're going to share stuff. So that's how I'm attacking this. But eventually we will get to the point, I think, where these things will be trustworthy. We are not there yet. Yeah, for sure. I don't know. For me, I think it's just a control freak thing. I don't know. I've never been in a job where I've had an assistant. I've never, you know, I've always been.
My mom raised me to be self-reliant and not have to rely on anyone to take care of me. So for me, I think I'm just too much of a control freak. And also, honestly, I do ask myself a lot, I'm like, is there anything where I can offload this to AI, and I'll be, you know, like, I'm being stubborn, I'm being a Luddite, even though I know that phrase gets used wrong, but, you know, I ask myself that a lot. And I just never seem to run into anything.
It's like, I've tried having, and I know this isn't agentic AI, but I've tried having AI write blog posts before. And I won't lie, it's really good. Like, I'm not going to lie. I did this with my interview, or my review, of Cindy Cohn's book, just for fun. I'm like, OK, here's a link to my blog post, like my entire old blog that I've been writing since like 2018 on Write.as. I'm like, here's a link to that for tone. I want a review of this book. Here were my thoughts about it.
And it was really good. I'm not going to lie. But at the same time, I looked at it and I'm like, but I'm just not comfortable publishing that, like, I didn't write that. And there were definitely a couple sentences that I was like, OK, actually, I really like the way it put that, and so I'm going to use that specific sentence. But there were like two sentences out of the whole thing. I just, I don't know. I'm the same way. I think it's a pick-and-choose kind of thing.
So think of it like, I'm the same way. I would love, this is something I'm working on as well. It's called RAG, and I forget what RAG stands for. It's an acronym. But basically you feed it a whole bunch of stuff, and I basically want to give it, here's my book. Here's all my blog posts. Here's the transcripts from my podcast. But I want to know things like, have I talked about this before? When was the last time I talked about it? Who did I talk about it with?
Did I have a guest where they talked about this? What were the points that we brought up then? Go back and look at my podcast. Did I ever say something like, you know what, if this changes, I'll get back to you? And I don't want to forget that. So go back and help me find to-do lists from things where I said, oh, that's good, I told my audience I'd get back to you on this, and I want to make sure I do that. But yeah, I've done the same thing.
I don't think I would ever let it write an article for me, but I have had it, it's like, OK, give me some bullet points. Give me some ideas. Here's what I'm looking for. And I've done some brainstorming with it. And I did, for fun, kind of like you. Like, I'm too OCD about it. I would never let them. I've got to write in my own voice. It's me. And I like my tone and the way I do things, that I wouldn't trust something else to mimic me.
But I did, you know, I did say, OK, give it a shot. Take this and just write this article as if you were me, and see. It wasn't me. It was a good death. It probably will be someday, but it's not there yet. I probably still wouldn't do it. I'm with you. When it comes to things like that, content creation, things that I'm creating, it's got to be from me. But there are so many things that I've got. Here's another one for you that I'm looking at doing.
And I've already kind of started putting some groundwork in. I hate most news aggregators. I have an RSS feed where I can actually just, you know, get the raw articles into a nice set of folders or whatever. But what I really want is, I want to write my own news aggregator that goes and finds these things for me and then highlights the ones, based on my criteria, that are interesting, and then maybe even notifies me, like, hey, this is hot. This is happening right now.
You might want to go check this out. I want it to be tailored to me, and I don't want ads, and I don't want tracking, and I don't want data mining. But summarize, give me three bullets, and they can be a slightly executive-summary version. And then if I want to go on, I'll read the whole thing. I would love to have something like that, because most, OK, every news thing I've used lately just sucks. It's full of ads. It's full of autoplay videos.
And I just can't stand it. I'm going to build my own. And so let me make another point. That's where we are. I'll make another prediction for you, and Chris Belize would not like it, and that is that we are in the age now of custom apps. We're already there. I'm already doing it. And the rest of us are going to be doing it very soon.
This is going to put some software people out of business, certainly a lot of these subscription-based ones. I just read this article recently, and I think I might talk about this on my next podcast, where this guy, no, I actually did on my last podcast, he wrote his own word processor because he was so sick of all the other ones. He needs a certain set of features. I don't need 100 features. I need five.
And then of the five that Microsoft Word has that I really do use, I need two more that it doesn't have. Like, he likes Pomodoro timers. He's into that Getting Things Done system, which I've heard of, never used. He built that into his own word processor. He just vibe coded the whole thing. And so now he has a custom word processor that lets him, it has folders where you can bring in source material. Like, here's a PDF I want to reference.
Here's a link I want to reference. And now I want to write an article about this. Help synthesize that for me. He wrote a custom word processor. This is what we're all going to be doing soon. We're just going to be writing our own apps. It's amazing. I've heard other people make those predictions too. Yeah, I don't know. And I mean, I guess as far as vibe coding goes, I know for the simple stuff, it's probably fine. Like maybe a note-taking app that does this and looks like this.
I think right now, once they, the complexity is where it's going to go wrong, right? Like, somebody's going to be like, "Oh, but I wanted it to do 500 things." And then the next thing you know, your Social Security number's on the front page of Google. But you know, yeah. I will say, not to keep getting on the topic, but I will say the Cindy Cohn article that I had the AI write was actually pretty good.
And I'll be honest, if I published it, I think most people probably would not have noticed, maybe, but it still just doesn't feel right. Like, like you said, it's not me.
So, and then real quick, I was just going to say, I'd feel bad if we didn't touch on this, the whole bossware aspect of this Meta story. You know, just to kind of remind, I don't know about other countries, but here in America, like, I don't think, I mean, it does specifically say that this probably would not fly in Europe. The Reuters article here did say that. But I know in America, like, they can't make you download anything on a personal device.
I think on company computers, they technically can, which is also why, again, you know, we made a point of, like, if you can, try not to do anything on company computers. I know everybody's in a different situation. Some people are in a situation where, like, that's the only computer they have. And that's really unfortunate. But if you can, try to keep your stuff compartmentalized, for sure.
We get into all that stuff in this interview that's coming up, I think it's going to be late May. So it's good. It's going to be, I think, three interviews out, which is six weeks, because I alternate between news stories and interviews for my show. But we talk about that. We get into those details a lot about what they can and can't do and what they are doing. And the fact of the matter is it's their equipment. And you're right.
So if you're using their equipment, you should assume that they know everything you're doing on there, and they can legally. You don't have the right and expectation of privacy on a company device. So from that perspective, just because it's right doesn't mean it's not creepy, or legal. Let me say it right: just because it's legal doesn't mean it's not creepy. And that's what Facebook is doing here. It's going to be super creepy.
And, you know, Microsoft Recall was another thing like that, right? Where Microsoft had this built-in AI agent that's going to keep track, take pictures of your screen every few seconds, I think is what they were doing. Yeah, I think it was like every three seconds or something. Yeah, read all your texts so that you could ask it later, I mean, what was that website I was looking at before? Or, hey, what was that email I started and then deleted?
I want to do that again, you know. But that also means that they're going to mine that stuff. And their security, of course, when they first released it, was horrible. But anyway, yeah. So these devices, you should assume, even if it's your own device, if it's a mobile device, we call it BYOD, bring your own device. Because it used to be you were issued a company phone back in the day. And that's a lot less common now. You bring your own phone, because nobody wants to carry two phones.
And so they put an MDM profile on your device, which allows them to do certain things. Usually it's pretty sandboxed, is my understanding, actually. Again, we talked about this in the interview, but that is actually pretty clean. And like, they don't cross the streams. Like, they get access to Outlook or whatever the company wants you to install.
It might force you to have a PIN, or a PIN of a certain strength, on your device, things like that, security things, because they want to protect their IP. And by that, I mean intellectual property. But yeah, when it comes to the corporate laptop or the corporate desktop, if you've got one of those, you should just completely assume that, even off hours, if you've taken it home, they can. They're probably not doing it maliciously right now.
Like, there's not somebody sitting in a security room somewhere flipping through channels and looking at what employees are doing, but it's being recorded. So they could go back at any point and look at logs and look at those kinds of things and, you know, find some reason to fire you. Yeah, at my last job, where they gave us a company laptop, it was on the guest network. So it was behind a VPN. It was isolated from everything else.
And I would come home, I would log my hours, I'd send my daily report, and I'd turn it off and put it in my backpack and put it away. And I really tried to get in the habit of doing that before I even left the job site, just because that way, I don't know, it just felt like it saved so much more time when I got home. Like, I get home and I just go straight into shower, eat, whatever. But yeah. Yeah, setting boundaries. And that was a good way to do it, probably.
Yeah. All righty. So I think we're at the point in the show where we will start taking listener questions. Right on. So if anybody, bring it on. All right. Yeah, if anybody has any questions, I know the chat's been pretty busy, but if you have any more you've been holding onto, go ahead and start leaving them in the comments or in the forum thread. We're gonna check that in a minute. But first, on the topic of the forum, we're gonna check in on, well, the community forum.
So there's always a lot of activity. This week has been really busy, a lot of chatter. I mean, we've posted a lot of articles and videos. So a lot of chatter this week. But this week I wanted to highlight specifically a couple of very closely related forum messages. So one of them is, somebody said, "How much privacy can I really have when I'm being ratted out by my friends?" And interesting choice of words there.
But basically they mentioned that they have a friend that they play sports with. And that friend recently said they chose their team lineup using ChatGPT. So basically they told ChatGPT all their friends' playing styles, strengths and weaknesses. And they said, "Although the information was probably subjective and not highly sensitive, I'm still uncomfortable with it."
And kind of just went on to talk about, how do we interact with people who may be a little bit less privacy-focused than us and may not necessarily see the issues with that kind of stuff. And similarly, there was somebody else who asked about messaging apps. They said they made a friend who uses Line, which is a really popular messenger in Asia. I think it is technically end-to-end encrypted, but don't quote me on that. It's definitely proprietary either way.
So basically like the Asian version of WhatsApp. And they said, "Why don't we use Signal?" But the person declined. They said, "I don't know why they declined to use Signal." Apparently they said Asian mainstream media sometimes intimidates people away from secure messaging apps because it associates them with criminal activities, which is really unfortunate. But they were kind of asking, in that specific scenario, like, "What are my options here?
Like, I could sign up for Line using this, I could use it this way." But again, the overarching theme here that I really wanna discuss, because I know you and me, Kerry, both kind of come from a background, like me at The New Oil and you at Firewalls Don't Stop Dragons, we come from a background of kind of trying to meet people where they are and trying to nudge them towards better security, but also accepting that, unfortunately, a lot of people are just gonna do the basics.
And sometimes we'll just be lucky if they even do the basics. But so yeah, I know this is a very nebulous way to word this question, but I mean, what are your thoughts on that, finding that balance between accepting that you can't always force people to be as into privacy as you are, but also still wanting to preserve your privacy and respect that? No, I think that's a really good point. And it's something I think a lot of people lose sight of: it takes two to tango.
And so you've got to trust the other people in your group. And that is actually another great feature of Signal, where you can set your messages to be disappearing, which is nice, right? So at least you don't even have to count on the person at the other end to make sure they're wiping the device every so often, if you can set that, which is another great use for Signal.
In this case, this person was using this other tool, which I don't know if it has such a feature, but even so, you've got to, I mean, as far as if you're threat modeling what's going on, you've got to just take into account that everybody that you're talking to, end-to-end encryption only goes to the ends. And so any of those ends could be compromised, right? And like, what was it? We're good on opsec, right? When the guy, We're clean on opsec, I think it was, but yeah.
We're clean on opsec. So clean. Yeah, right. So, yeah, it's something you gotta take into account. And as far as how do you, this is a perennial problem with security and privacy tools in general, is that you've got to, and I struggle with this, I mean, you want to communicate with your friends. I'm on several group chats that are just, the ones that drive me the most nuts are Android slash iPhone group chats, where you're getting green bubble messages everywhere.
And some people have older iPhones, so they're duplicating messages. And when someone puts a highlight on a message, instead of highlighting it, there's a text message saying, so-and-so said "Haha." You know, so technically, you're already screwed, plus it's SMS. So, you know, there's no security. And I would love to say, "Hey guys, let's all go to Signal and do this there." And I just don't. I just shut up and roll with it.
So there's only so much you can do. I've convinced certain sets of my friends to use Signal for when it matters. And I keep trying to get more. But this is why it needs to be the default everywhere. So, you know, there is no choice. You don't have to worry about it. We should all just have it by default. It's not a criminal thing. It should not raise eyebrows when someone is using end-to-end encryption. It just should be the default.
Yeah, for sure. And thankfully, now RCS is starting to come with encryption, but I know that's still in the early days. I don't even think it's out of beta on iOS yet. But even then, you know, RCS comes with metadata concerns, but it's certainly a step up from, like you said, SMS, which is, I always tell people, I'm like, SMS is basically a postcard at this point. Yeah. But yeah, it is really frustrating.
Because, like, my brother, I'm very close with my brother, but he's pretty much all in on Discord. Like, he might maybe call me on, like, a cell phone if there's an emergency, but he's not going to switch to Signal or anything. But it does suck.
But yeah, I think one thing you said toward the beginning, if I heard you correctly, you kind of mentioned threat modeling, and I think that's a really important thing. You know, I'm a firm believer that privacy should not negatively impact you. And it's definitely great to try and encourage people to use these messengers and try to nudge people towards that and offer to help them out.
You know, it's such a fine line between being pushy and being helpful, of like, hey, what if I install it for you? Like, would that make you more likely to use it? Because I've run into those kinds of people. Like I've mentioned on previous episodes, I have my stepdad on Signal and we have, like, a family group chat. We're probably the only people he uses Signal with, but I put it on his phone and he uses it, no problem.
And I guarantee you, it probably would have been crazy to talk him through it. I think he's almost in his seventies. He might be in his seventies now. And he's just, he's one of those, you know, obviously there's a lot of tech-savvy older people, but he's not one of them. And I'm sure trying to walk him through it over the phone or something would have been a nightmare, but we just got together one time and I was like, hey, if I put this on your phone, will you use it?
And he's like, yeah, absolutely. And so it's super awesome having all of us in there now. But yeah, excuse me. Where I was going with the threat modeling is, you know, just remembering, how important is it? It's finding that trade-off of, like, this person is important to me. I'm willing to, you know, have this SMS conversation, but also recognizing that maybe there's some things I'll wait to say until we're in person or, you know, some things, I don't know.
So it's a fine line, for sure. Like, well, so when it comes to things like family, one thing I did for my family is I just went ahead and sucked it up and paid for Proton Family for everybody. And, you know, so once I'm paying for it, it was easier to talk them into doing it, a little bit of a guilt thing. Because that was my first thought. If I did that for my family, I'd have to guilt them into it. Guys, I spent like $600 on this. Come on.
Right. I wasn't above doing that for my family. So yeah, I totally agree, though. Helping other people do it can be a big way to go. Back to threat modeling. I wish we could come up with a less scary term for that. Threat modeling sounds really technical. It sounds really scary, and that immediately turns people off. I wish we could come up with a better marketing term for evaluating your situation, right?
Yeah, that's why, I did give a talk recently, and I basically had to recap all the basics. And I started with threat modeling, and I always tell people, I'm like, it's just a fancy way of saying, what are you protecting? Who are you protecting it from? It sounds scary. I think we use it because it makes us feel like spies, and that's fun, but it definitely sounds intimidating. But yeah.
The privacy dad said I put graphene on my partner's phone and I don't even think she realized. Honestly, yeah. I kind of want to ask my wife that because she also has a pixel, but she's at the point where she settled in. She's got all her apps on there and everything. And I've asked her before, I'm like, hey, can I flash your phone? Like put something on there. And she's like, yeah, but I mean, at first she was like, yeah, sure.
And then when I told her, I'm like, you're gonna have to reinstall everything. She's like, oh God, that sounds awful. So I think next time we buy phones, I'm gonna be like, okay, before you sign in, can I flash this phone? And then it's all yours. So. I think browsers are a thing that really fit in that category too. I mean, surfing the web, there are some nice features here and there. Most people probably don't use them.
If you replace somebody's browser, I think the chances are pretty low they're even gonna notice because they basically function the same way. I have seen multiple stories on Reddit of more tech savvy people who were like, oh, I went to my mom's house and found out she was still using like Windows Explorer or Microsoft, whatever it's called. Internet Explorer. Internet Explorer, yeah. Yeah, and so it's like, I replaced it with Chrome, but I changed the logo.
So it still says Internet Explorer and she hasn't even noticed that it's been like six months. Oh, that's funny. I mean, some people for sure could definitely do that, but I feel like Chrome is different enough that I think most of the people in my life would notice like, wait, something's different, but yeah. So, all righty.
I think on that note, we'll dive into questions and we'll start with the questions on the forums, specifically if we have any paying members or if we have any questions, I don't think anybody did, but I'll take a look. And if you want to become a paying member, you can go to privacyguides.org and there's a little red heart icon in the top right corner of the page.
So I told you all this Brave story was extremely controversial and I'm not kidding because if you go look at the forum post for this episode, it's mostly people discussing amongst themselves. So the first question came from Nisromo who said, "I'm sure you'll talk about it, but please be sure to make a case both before and against." I hope we did that because I personally feel very split on it. So I apologize if I came off as very like either way because I don't know.
I see both sides of the argument personally, but. Yeah, yeah, me too. And yeah, again, to me, there's a difference between the marketing aspect and the financial aspect of this. I think the marketing was kind of weird, but that doesn't mean you still can't do it. And if you want to support them, that is a way to do it. And if it gets you a better version of the browser or automatically turns off all those things that drive you nuts, sure, I guess. I can see either way.
So we did have Cs listed a couple of questions here. Let's see, "I'd be interested to hear your thoughts on the following topics and stories if you have time. I know some of these stories." So we can go through them pretty quick. Did you hear about the Bitwarden CLI? I did. Was it compromised in the supply chain attack? Yeah, I did. Do you have any thoughts on that one? Not on that one specifically, but supply chain attacks are a serious, serious problem that needs to be fixed.
We need to lock, that is, we found another soft spot in our processes. And as a software engineer, I can tell you that that is, for example, one of the things that's often done in software is that you say, "Here's a list of software libraries I depend on." Because software today is not, no one writes their own software top to bottom anymore. We're all using, it's a Frankenstein. You're taking a piece of this, a piece of that, because someone's already done it. So why reinvent the wheel?
And so you bring in all these various parts and libraries, some are open source, some are not. And if you don't specify, by default, what usually happens is it's like, "Okay, here are the 10 things I depend on." They'll get you the latest version every time. When you do a new version of software, it will go and fetch the latest version, because it figures you want that. That's where the supply chain attacks bite.
So one of the things we could be doing and should be doing for all these things is what we call pinning, where you say, "Okay, here's the 10 things I depend on, and I want these specific versions unless I tell you otherwise." So at least if you get to the point where you can trust the versions that are there, you're not gonna get bit because one of those got taken over by somebody and the next version has got built-in malware, because you're not gonna go get that version automatically.
There are things like that. There's processes that we need to, the new best practices that we need to adopt, but that is a definite soft spot today with software engineering. So I don't hold it against the Bitwarden-Steel Eye folks. It's probably one of those kinds of things that bit them. Supply chain stuff is a serious problem. Yeah, and I do wanna say for the record, for those who aren't familiar with the story, because it is pretty new. It just happened like the other day, I think.
So this was a, like Kerry said, supply chain attack. So it wasn't Bitwarden itself. It was one of the libraries they used. The library itself was actually only compromised for about two hours, not even. I think it's like an hour and a half, 5:57 PM to 7:30 PM on April 22nd. Bitwarden confirmed the incident. They said that the breach affected its npm distribution channel, and only those who downloaded the malicious version. So hopefully nobody downloaded it in the hour and a half window.
They said there's no evidence at this time that any end user vault data was accessed or at risk, but they've already fixed it up. So yeah, I mean, I'm with you. You talk about the supply chain. What do you call it? The bill of materials? Or a manifest. It has different names, but yeah. You mentioned that a few times on the podcast, and that's definitely, I think, I was real hopeful for a minute there. We were seeing a whole bunch of supply chain attacks.
Oh, S-BOM, software bill of materials. Yes, I have talked about that several times. Keep going. Yeah, and I remember thinking, I'm like, we might finally start making some progress on this, but I haven't really heard anything, so I don't know. That is something that as a software engineer, I would say we should all have. And it sounds maybe easier than it is, but basically what that is is that ingredients list for your software, and you publish that with the software.
So you can say, these are all the things that my software depends on. Now, some companies are gonna say lots of proprietary secret, even if I'm using a public library of some sort, OpenSSL, let's say. Even if I'm using that, I don't wanna tell people I'm using that, because maybe, again, security through obscurity, maybe it's gonna expose me to people who's gonna find an exploit in the version I'm using, and then try to exploit me.
Okay. But the flip side of that is it also tells people, if we had software bill of materials, if every piece of software you downloaded came with a machine readable list of ingredients that went into that software, then your operating system could keep track of all that and find like, oh, OpenSSL version this, which you have in this app, in this app, in this app right now, has been compromised, which means those apps are then compromised, you
should stop using them, or update those apps right away. It would give us that transparency and that visibility that will allow us to react to those things. So I think, yeah, you could look at it, it's just kind of like open source software. A lot of people say, well, if I show you, if I open kimono this whole thing, you're gonna know how to exploit me.
Okay, but the upshot, when you look at net net, it's better for everybody, if people have had a chance to review that stuff, and now we've got tools that'll do it, like Mythos, that will find bugs in it, hopefully so you can fix them, as opposed to just hoping that nobody finds these bugs. So yeah, that was software bill of materials or S-BOM, which I think is a fantastic idea, but yeah, it has not really, unfortunately has not caught on.
Yeah. Yeah, it's, oh, I was gonna say, if you haven't, last week's episode, I think we talked about this, because cal.com went closed source. Yeah, no, I heard that, yes, I did listen to that.
Yeah, I was gonna say Discourse, which is our forum software that we use, their maker kind of issued a very, very aggressive rebuttal where they pointed out, kind of like you're saying like, yeah, okay, security through obscurity might slow them down a little bit, but probably not that much, but yeah, it's- Well, they also got into the lighting. Okay, good.
I was gonna say, like, you mentioned earlier that like security through obscurity isn't necessarily bad, and I agree with you on that, because to me, it's like, it should be part of a defense in depth. Like if you're only relying on security through obscurity, that's probably bad, but if you're layering it with other things, like- Correct. Like password logging, password logins, right? That's a really good example.
If your credentials, if you're not using the same password, and you're not using the same username on every single website, that's a little bit of security through obscurity, but then you layer it with like two factors. So probably not the best example. (Laughs) Yeah, so yeah, you definitely don't wanna rely on security through obscurity, but it's also another layer that doesn't hurt you either. I mean, you know, but where I take exception to that is with open source software.
I think it does help to have other eyes on software, and now other tools that can look at that software. And I know you've mentioned this fact, I think you mentioned it maybe last week, where you said, you said that just because it's open source doesn't mean it's gotta be more secure, but it gives you the opportunity for other people to look at it and perhaps find bugs and get them fixed, which is a good thing. Yeah, that's my take at least.
(Laughs) So this person did have a couple other things they wanted us to look at. Did you hear about how Firefox is actually gonna start adding built-in ad blocking? No, I hadn't heard that one yet, huh. Oh man, I'll have to go find you an actual article because this one, they just linked the Mozilla Bugzilla, like their little in-house GitHub kind of thing. I've seen at least one article write up about it, but I'm not sure how good it is.
But yeah, they're basically going to, they're gonna be using Brave's ad block implementation, which I believe is written in Rust. And again, I was traveling this week, so I didn't really read it that closely, but I think it is, let me see if I can go find it here. Yeah, they're gonna be using Brave's ad block Rust engine. And it's basically gonna be like a little bit of a built-in ad blocker, which I think is really cool.
How my YouTube reaction-- Because Brave's built-in ad blockers, because it's my secondary browser, so I don't surf everywhere with it. Is the built-in Brave stuff pretty good for blocking ads? I mean, I think it's pretty good. Is it comparable to uBlock Origin? I was gonna say, I think it's honestly just like a copy of uBlock Origin. I think they make some changes to it, but I think it's largely based on uBlock Origin, or at least it uses a lot of the same lists that uBlock Origin does.
So I don't know why they didn't just go with that personally, but yeah, it looks like this is a pretty... Jonah says here that Brave's is a little bit lighter weight. So, okay, let's see. Oh, this is a pretty short article. Mozilla's bundling, pretty excited to see them finally. It landed in 149. Oh, okay. It's an experiment. It's disabled by default, no UI, no filter lists, but looks like Waterfox rolls it on, and then he talks about how to enable it in your about config.
So I might, if I remember, I will try to add that to the show notes, which means I might do it tomorrow while I'm making clips of these, but yeah, no. I mean, I'm really excited about that because I think personally that's been... I have a lot of little nitpicky complaints with Firefox, and then I have a few that I think are kind of bigger, I think this is kind of somewhere in the middle is... Okay, so actually, let me premise this, or preface this.
So when I make shorts over at The New Oil, I'll make shorts about ad blocking, right? And I'll tell people, I'm like, download Brave. And people get mad at me because they're mad at the company behind Brave, they're mad at the guy at the top of Brave, which is fair, that's fine. And they're like, well, you should use Firefox. And it's like, okay, but I'm making a TikTok video. And what are people more likely to do?
Download Brave versus download Firefox and then install UBlock Origin and then make these dozen changes to bring it up to Brave's level. Like Brave is just so set and forget, and we have to make it easy for people. And so I really appreciate that Firefox is like doing that and getting up to that level where it's like, now it's becoming easier to recommend that people just like go download Brave or go download Firefox, they're both equally good.
And I'm excited to see them getting up to that level personally. Okay, so I'll be flipping that back at you.
So one of the reasons that I didn't go to Brave and sometimes the reason I don't tell people to use Brave, as I recall back in the day, and this may have changed, having to like disable their BAT token thing and having to disable their AI now and have it, which by the way, Firefox, their new CEO is like, we're all in on AI, I'm like, no. Anyway, so for me, it was like, okay, yeah, Brave out of the box was private, but then I'd also have to tell people
to disable this, disable this, turn this off. So to me, it was kind of a wash. And I mean, don't get me wrong, like if you go to like Privacy Guides, for example, if you go to our website, we do have like a recommendation, like you should still tweak these things. But I think, I kind of think for some reason, most people just don't care. Like again, when I look at my wife's computer, she's got the BAT stuff turned on, she's got the sponsored images turned on.
Like I think, and for the record, I'm not saying this in praise of them because I'm with you. I kind of wish that stuff wasn't there or at least I wish it was off by default because I'm pretty sure the crypto people are smart enough to go looking through the settings and know how to turn things on. Which by the way, Jonah just said, that's the point of the new Brave Origin. Yeah, true, good point.
And actually on that note, Cass here said, maybe Firefox should sell a $60 alternative for the app in default. You know what, I'd pay for that. I'm not even gonna lie, I would pay for that. And it would be a sustainable business model, unlike just buying random extensions nobody's ever heard of. And then killing the ones that people actually liked. You mentioned Pocket before we started recording.
That was like the one time Mozilla killed something and everybody on my Mastodon timeline was like, dude, what the heck? Yeah. Anyways. But no, I think it's, for better or worse, I think Brave has designed those features in a way where they're not really intrusive to the average person. So I don't know, it's, at least I've never heard anybody complain about it, but I agree.
It would be nice if they turned it off, but I think it's still just an easier sell to tell people like, go use Brave, that's one step, versus go use Firefox, but also you need to make some changes, so. I will give Brave some credit in trying to find a different way to monetize the internet. Because it seems like, you know, micro payments was gonna save us at one point. Like, okay, we're gonna do micro payments.
And then there was this push for a little while of, let us mine Bitcoin while you're on our page. And it's all running in the browser, it's all contained, but you know, hey, while you're on our site, there's this little thing running in the background that's trying to mine Bitcoin. I thought those were at least interesting. Because ads, ad-based internet is what's causing all of these problems in the first place.
We've got to find some other way to monetize the internet that's kind of free-ish, right? That people don't have to necessarily, I don't know. So I give them credit for trying to come up with some way to do that. I just don't like what they chose. No, and I agree with you. And I find myself doing that too. Like lately I've really been thinking a lot about, I'll be honest, I just think a lot about diet and finances and stuff.
And I'm like, man, why am I willing to buy, especially with inflation and everything, like a soda is like $3 now, and it's gone in like an hour, but I'm not willing to pay like five bucks a month for some kind of membership or something. And it's just, it's so weird. Like marketing's got us all messed up, man. (Laughing) I don't know what the solution is.
Because then on the other hand, there's certain things where I'll admit, like there's certain YouTube channels I watch where I'm like, I like this channel, but quite frankly, I don't get enough value to pay for it. If it went paid tomorrow, I would just stop watching. But then, there's other things that it's like, yeah, but I do get a lot of value out of this. Like why am I not paying for it? I don't know, it's weird. It's weird what's happened to us.
But sustainability is an issue for everybody, I think. The last one we had here is they were asking if we had any thoughts on the way that Signal handles edited messages. So I don't know if you've noticed, but basically when you edit a message on Signal, I guess people can see the changes that you made. Oh, I actually had not noticed that. I don't know if I've noticed that before or not. I personally think that's perfect.
In fact, I've argued for that on social media, especially the damn sites that don't let you edit your messages. Oh my God, that drives me nuts. Let me edit it and fine, keep the original. I'm actually okay with that. So that people can see if you've altered something. I think that, especially on social media, perhaps, you could say maybe for public figures, but whatever, everybody fine. I think that solves the problem with the editing thing.
Edit it and just let people see your past edits. And I think that preserves the, what's the something trail, the audit trail or the log trail. I'm okay with that. Do you have an opinion? Do you do not think that's cool to be able to go back and see, because when I edit something, usually it's a typo or I want to expand on something or realize that something I said was ambiguous. So I want to add a little notes like this.
Here's the context that is missing from this that so you can understand what I'm saying. That's usually why I would edit a message on Signal. Do you have a problem, what do you think, with showing that it's? No, I mean, me personally, no, because I'm kind of in the same boat as you, where I feel bad. I try to reread my, especially longer messages, because like I said, I am pro at typos or just forgetting a whole word. Usually it's a small word, like the, or something like that.
But yeah, so a lot of the time I'll send a message. And then if it's a long one, I'm like rereading it and I'm constantly like, oh, go edit, I missed that word. Oh, go edit, I typo'd that. Oh, shit, go edit again. And I try to group them because otherwise I feel like I'm just gonna keep pinging the person every time I edit it, which is annoying.
But I don't know, I think somebody pointed out, like I hate to do whataboutism, but somebody pointed out that like, I feel like the bigger concern here is, because basically they were saying like, what if basically you said something you didn't want the other person to see? Like maybe you sent the wrong message to somebody or you like, maybe you're having an argument, you said something hurtful, which-- Could you just delete that though? I mean, delete, just delete.
Well, so for the record, that's my bigger concern is because I've, I struggle with depression. I'm pretty open about that. And every once in a while when I'm depressed, I'll say something to somebody, like not anything hurtful, but like I struggle to reach out. I'm trying to figure out how to word this. But then sometimes I'll doubt myself. Like I'll send somebody a message and then my brain is just like, man, just like, don't bother them with your crap. And so I'll delete it.
And I've actually had times where people were like, like, hold on, I saw you deleted that. I saw the message preview, like, let's talk about this. And I'm just like, oh my God, dude. And you know, like that one's kind of relevant. And that one's a good one, right? Like people are trying to like help me out and be there. But like, that's the bigger concern to me.
And I know this is again, this is kind of like whataboutism, but like most people have notifications turned on and the previews are turned on. So what happens when you delete the message, the preview doesn't go away, it's still there. So I don't know, to me, that would be the bigger concern is like, they're still probably gonna see that preview even if you delete it. 'Cause otherwise, yeah, I'm with you. Like that would be the easy workaround is just delete it and redraft it completely.
So yeah, I don't know if this is, I guess that's what I'm trying to say is, I don't know if this is the bigger concern. I think the bigger concern would be the message previews that most people likely have enabled, but.
I thought it was interesting that we talked a little bit about the Signal thing where they figured out how to, I mean, this was as far as I was in a bug in iOS, which by the way, they just fixed, where they got into the Signal messages to somebody because the notifications, there was a whole database for the notifications. And if you have those set to show in your lock screen or certain situations, they will get put in this database. Even if you delete the app, which was the big thing.
So I think what Apple finally fixes, if you delete the app, it goes to this database and also deletes the history of notifications. But, you know, I don't know. I guess delete should be delete. I think that's, to me, that would be the solution. So delete is delete. So if I delete, it deletes it from all this memory that should not show up anywhere. If they happen to see it, I can't stop them. But if they hadn't seen it yet, I delete it. I think it should just be gone from their phone.
I think that's the delete angle and hopefully that would cover most cases. But I think otherwise edits, sure, I'm fine retaining the edit history, I think. And I wish that, like I said, I wish that that's how they would solve edits on social media as well, because I hate the fact that I will do this all the time. I'll put a notice on Twitter. I don't wanna get an eight-mail. I don't like, but I gotta be there because that's where a lot of people are.
So anyway, otherwise I don't like Twitter. We have a Twitter too. Yeah, it's the curse of being a public figure, I guess. So I post on Twitter, and you can't change it. And so I have to delete it. And it very, by the time I'm posting on the third, I'm copy and pasting to the third thing, I've done Mastodon and Bluesky, and I'm like, "Oh crap, there's a typo." And I go back and fix Mastodon. I can't fix Bluesky, I can't fix Twitter, and I gotta delete and re-add.
And of course, by then, someone's already liked it, and I've just lost, anyway, drives me nuts. How long has Twitter been around now? And I swear to God, back when I used to use Twitter, back in like 2012, people were asking for that. And why, is there a reason why they don't have it? I don't get it. Like, what's the reasoning? I honestly don't know, I couldn't tell you. I don't know if there's some kind of technical.
Well, I know, okay, so I know on Reddit, when you make a post, you can edit it within the first, I think like five minutes, because Reddit has a huge problem, or at least had, I don't know if they still do, but they used to have a huge problem with like people would go in, and they would make a comment, and it would get like a lot of upvotes or whatever, it would get visibility.
And then they would go in and like edit the comment and make it say something completely different, like sometimes something borderline offensive or crazy, or like they would like make it seem like the person responding to them was saying something crazy. And I don't think Reddit lets you see the post history, but there is a little star, and that means it's been edited after that little five minutes.
So they give you like a little window where like, if you're like me and you're like, oops, I forgot a word, like you can go edit it and star is not there. Yeah, that's not a bad compromise. But yeah, if you come back an hour later. But I do think if you edit it, it should wipe all likes. I mean, it should start over, because for that exact problem, because yeah, I don't want to put up something like, I love puppies, and everyone says, yeah, thumbs up, and it's like, and also I'm Hitler.
And you said that later, right? Yeah, that's the kind of thing people were doing, I think. Yeah, I mean, Anonymous here has a good point. Like they should make it, if you disable edit history for yourself, you can't see others' edit history, which I mean, Signal already does that for like read receipts, stories. Like I do have stories enabled, but I don't have view history. So I can't see who sees my stories, and they can't see when I like theirs, it's, you know, it goes both ways.
So I mean, that seems like a good compromise, but I don't know. Yeah, interesting stuff. Interesting fun things to talk about, but. Totally agree. I think that was actually all our questions. It looks like all the other posts were people discussing the brave thing. And man, this was such a very contentious topic. People have, which I mean, I'm not saying that's a bad thing. Did they cover anything that we didn't cover? Are there any angles to this? I don't think so.
They're just kind of explaining, I think, let's see here. They're talking about what counts as a license. Like if you install, if you reinstall your operating system, does that count as one of the 10 activations? How do you get activations back? So if I go through 10 devices when I buy that 11th device, how can I get my 10 activations back? So yeah, I don't know. Oh, can I throw out one more story? I've got one more story. Sure, I love stories. This goes back to the AI coding stuff.
If you can't tell, I'm kind of fixated on this lately. So do you remember, did you ever watch "Halt and Catch Fire"? No, but it's, I've heard of it, or I've heard the phrase at least. The first season satirized a thing that actually happened. And that was back in the day in the, I guess in the 80s when IBM had a proprietary BIOS for their PCs. And of course, and they wouldn't, you have to license or sell it or whatever.
Somebody figured out, hey, I got to take a group of engineers and I got to say, go dig through this BIOS and figure out what it does. I want you to look deep into it. If you can find the code, find the code, but give me a spec. Tell me what this BIOS does and describe it. And then, okay, give that to me. And then what they did is they hired a whole separate set of engineers and said, here's your spec, make this. So what they called, that's called a clean room.
And basically what they did to get around the copyright and the licensing was they reverse engineered it. And they had one group reverse, they had one group actually pick it all apart as a black box and come up with all the specs for it and hand that to another group of engineers who'd never seen the code, never worked with it to create a complete copy that works just like it. And so that's how they got around this thing, they reverse engineered.
Somebody has come up with, and they said this was supposed to be satire, but it works. They've come up with an AI tool that will take a code, you give it any code. I think it mostly works on open source code, but you could, by the way, you could decompile binaries from regular code and still get the code. So even a side open source, you can still kind of get to it.
He created a tool that takes one set of AI agents and picks apart the software, learns it, writes a spec, figures out what it does and comes up with a spec for what that tool does. And then takes the spec to a different set of AI agents. So this is all automated, this is a single click. Takes another set of agents. I think I know where you're going with this. Writes the software based on that.
And then, and the reason, one of the reasons this guy did is like we didn't like the LGPL license that came with the original code, which means I had a back contributor or whatever. I want to rewrite this with an MIT license, which is much more permissive. So I, they basically had AI, two sets of AI agents rewrite it so they could come, so they could basically say, we didn't look at the code when we did this. That's the point of my mind.
I think I saw the headlines about that one, but I haven't read the story. Yeah, that's funny. They're making like copyright free AI or whatever because of that, that's so funny. People, I love the ingenuity of it. I love it. I'm tired of it. Yeah. All right. I think we're gonna call it here for this week though. Thank you everybody who joined us. All the updates from this episode will be shared on the blog every week.
So if you are a regular listener, sign up for the newsletter or subscribe with your favorite RSS reader if you want to stay tuned. I'm still letting people know. If you didn't know, we send the newsletter out as soon as the show starts at five, well, five Eastern time. And if you are subscribed, you'll get that. And that'll be kind of your reminder that, hey, the show is starting. For people who prefer audio, we have a podcast available on all podcast platforms.
And again, on RSS and this video will be synced to PeerTube. We want to thank Kerry again for coming on and being a guest this week. And I'm gonna let him tell you guys a little bit more about his show and his book. Yeah, just a couple more things. So this has been a, this is gonna be a big year for me. It already has kind of been a big year. So this is the ninth year I've been doing my podcast. I'm on episode, I don't know, what am I on?
477. I've done a podcast every week for 400 seven times. The book is actually about a year or two older than that. And both of those things are got big things this year. So as you could tell by the numbering, I'm gonna be hitting 500 in September, episode 500. That's gonna be a really big deal.
And so in years past, so the funny story, in years past I tried to get, you know, when I was in my tens of episodes, I kept reaching out to Bruce Schneier, who's a cryptographer and well-known security guy. And I kept reaching out to Bruce and he was nice enough to respond, but he always said he was busy. I like, I want you to get on my show. I want you to interview. And finally, I was like, okay, the 100th episode was coming up and I said, Bruce, look, I'm gonna ask you one more time.
I promise I will stop bugging you, but this is the 100th episode. I'd really like to make it special. I'd like to have you do, I guess I'm on the 100th episode. He's like, you know what? I'll do it. So I got Bruce Schneier for the 100th. I was super proud of that. And then I think at the end of that episode, I jokingly said, well, I'll see you at the 200. Like, all right, I'll see you then. I'm like, okay. So I got him for the 200. I got him for the 300. So he's been my pod centennial guy.
So naturally I'm gonna be talking to Bruce to come back, but I really want to try to get some big names. I'm gonna do multiple big episodes. So anyway, we'll see if I can pull that off, but I'm gonna try to do big things to separate and not just for the podcast. I'm gonna do some fun things for that. So be on the lookout for that. Also, I just am about, I'm this close to, I've got the contract in my hand. I haven't signed it yet for the sixth edition of my book.
So I wrote my book 10 years ago and I've done multiple editions because my book has got a bunch of screenshots. And so those get stale. Like, I think two years later, I need to unfortunately do the whole book and it's getting big. And the screenshots are like 40% of the content. So anyway, I'm due for a sixth edition. And I think what I'm gonna do this time around is a little bit different. I'll make it smaller. I'll make it cheaper. Yeah, there you go. Sucker is 600 pages, no lie.
It is, it's big. It's honestly, it's gotten too big. So what I'm gonna do is I'm going to split out the really volatile parts and make that a free downloadable PDF. So that I can update whenever I want as needed and not have to redo the book every time. So I'm gonna try to write a sixth edition of this book. And I'm about to sign the contract to do that. So it should be out hopefully by this fall. It's gonna be thinner, it's gonna be cheaper.
And then all the PDF, all the downloadable PDF for all the really volatile stuff. So anyway, the book could just hopefully stand on its own for a while after that. So I'm also hoping to do that around September. So they're all gonna, all this stuff is gonna kind of hopefully come together in September. Awesome, can't wait. All righty.
As for Privacy Guides, we are an impartial nonprofit organization that is focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, then you can make a donation on our website, privacyguides.org/donate. You could also click the red heart icon in the top right corner of the website. I think it's visible on like any page.
You can contribute using standard fiat currency via debit or credit card, or you can donate anonymously using Monero or with your favorite cryptocurrency. Becoming a paid member unlocks exclusive perks like early access to videos, priority during the live stream Q&A. You'll also get a cool badge on your profile in the forum where Kerry is a regular participant. I see your name pop up quite a lot. And you'll get the warm fuzzy feeling of supporting independent media.
So thank you all for watching and we'll be back next week. (Upbeat Music)
