Would You Pay $60 For A Browser? (ft. Firewalls Don't Stop Dragons)
112 min • Apr 25, 2026
Summary
This Week in Privacy #50 covers Brave's new $60 paid browser variant (Brave Origin), Meta's keylogging of employees for AI training, Maryland's surveillance pricing ban, and Anthropic's Mythos tool for finding software vulnerabilities. Hosts Nate and guest Kerry Parker from Firewalls Don't Stop Dragons discuss privacy implications, AI's dual-edged impact on cybersecurity, and how individuals can protect themselves amid evolving threats.
Insights
- AI-powered vulnerability detection is becoming a critical cybersecurity inflection point—the mean time to exploit has collapsed from 2 years to 10 hours, requiring immediate organizational preparation
- Surveillance pricing legislation faces enforcement challenges without private rights of action; Maryland's law may lack teeth without mechanisms for individuals to prove discriminatory pricing
- Marketing hype around restricted AI tools (Mythos) creates security risks by painting targets on backs; responsible disclosure should precede public announcements
- Privacy fatigue is real: most users accept default settings and bloatware rather than tweaking; paid 'minimal' versions may appeal to gift-givers but don't solve underlying design philosophy issues
- Employee surveillance on company devices is legal but creepy; the distinction between legality and ethics matters for organizational culture and trust
Trends
- AI-assisted vulnerability discovery accelerating software patch cycles and creating new security debt for legacy systems
- Privacy-by-default becoming competitive differentiator; Firefox adding built-in ad blocking to match Brave's out-of-box experience
- Regulatory fragmentation: Maryland bans surveillance pricing while Europe enforces stricter standards; US lacks federal baseline
- Custom app development replacing subscription software as AI coding tools mature; users building personal tools tailored to specific needs
- Supply chain attacks exploiting dependency management; SBOM (Software Bill of Materials) adoption still lagging despite tools like Mythos
- Agentic AI adoption delayed by trust deficit; users prefer AI as assistant (research, brainstorming) over autonomous agent (purchasing, system administration)
- Clean room reverse engineering via AI agents enabling copyright-free software rewrites with permissive licenses
- Employee surveillance normalization through MDM profiles and keylogging; legal gray areas expanding faster than policy
Topics
- Brave Origin browser pricing model and feature removal strategy
- Surveillance pricing and algorithmic discrimination in retail
- Anthropic Mythos vulnerability detection tool and Project Glasswing
- AI-assisted code vulnerability discovery and exploit chains
- Employee keylogging and workplace surveillance technology
- Firefox ad blocking implementation using Brave's Rust engine
- Signal message editing and deletion transparency
- Supply chain attacks and software dependency management
- Agentic AI trust and autonomous system risks
- Maryland Protection from Predatory Pricing Act enforcement
- Browser privacy defaults and user behavior
- Open source security and code review automation
- BYOD (Bring Your Own Device) and MDM profile privacy implications
- Software bill of materials (SBOM) adoption barriers
- Clean room reverse engineering with AI agents
Companies
Brave
Released Brave Origin, a $60 paid minimal browser variant stripping crypto, AI, and ads; controversial marketing stra...
Meta
Installing keylogging software on employee computers to train AI models; collecting mouse movements, clicks, keystrok...
Anthropic
Released Mythos AI tool for finding software vulnerabilities; created Project Glasswing to give privileged access to ...
Mozilla
Used Mythos to find 271 bugs in Firefox; implementing built-in ad blocking using Brave's Rust engine in Firefox 149+
OpenAI
Released ChatGPT Cyber tool for vulnerability detection; competing with Anthropic on agentic AI capabilities without ...
Apple
Fixed iOS notification database bug that exposed Signal messages even after app deletion; improved privacy for delete...
Microsoft
Developing Recall feature for autonomous AI agents; raising privacy concerns similar to Meta's keylogging approach
Google
Historically supported Firefox through search revenue; discussed as potential funding source to maintain browser dive...
Signal
Messaging app showing edit history and handling message deletion; discussed as privacy-respecting alternative to main...
Proton
Email and privacy suite used as family privacy solution; mentioned as alternative to mainstream services for compartm...
Bitwarden
Password manager affected by supply chain attack on NPM dependency; incident lasted ~1.5 hours with no evidence of va...
Walmart
Implementing electronic price tags enabling dynamic pricing; example of surveillance pricing infrastructure in retail
Delta
Airline example for surveillance pricing; discussed as potential case where bereavement data could trigger price disc...
Uber
Alleged to use phone battery level to determine surge pricing; example of surveillance-based dynamic pricing affectin...
Wendy's
Announced then withdrew surge pricing plans due to consumer backlash; demonstrates public resistance to algorithmic p...
Consumer Reports
Conducted study with Justin Brookman showing different prices for same items across users; evidence of active surveil...
Discourse
Forum software maker issued aggressive rebuttal to closed-source criticism; defended open source security benefits ag...
Helium Browser
Privacy-focused browser alternative tested during episode; comes with uBlock Origin included and customizable setup p...
Zen Browser
Privacy-oriented Firefox fork mentioned as alternative; popular among privacy-conscious users in chat
TechCrunch
Reported on unauthorized access to Anthropic's Mythos tool via compromised third-party partner; exposed vulnerability...
People
Kerry Parker
Guest co-host discussing privacy news, AI security implications, and employee surveillance; author of privacy book in...
Nate
Primary host leading discussion on privacy topics, AI tools, and regulatory developments; manages Privacy Guides comm...
Jonah
Created video on Parents Decide Act with alternative perspective; tested Helium browser; contributes analysis to Priv...
Carissa Véliz
Author of 'Privacy's Power' and new book on AI and algorithmic fairness; upcoming interview guest on both shows
Cindy Cohen
Author of 'Privacy's Defender'; upcoming interview guest on Firewalls Don't Stop Dragons
Justin Brookman
Conducted study on surveillance pricing with real users; interviewed by Kerry Parker for podcast
Eric Gardner
Co-conducted Consumer Reports surveillance pricing study showing different prices for same items
Steve Gibson
Likened Mythos vulnerability threat to Y2K; discussed need for proactive software security preparation
Bruce Schneier
Recurring guest on Firewalls Don't Stop Dragons at podcast milestones (100, 200, 300 episodes); expected for 500th ep...
Cory Doctorow
Frequently cited for points on algorithmic surveillance and driver exploitation in gig economy platforms
Keith
Brave employee who joined live chat to answer questions about Brave Origin and company decisions
Quotes
"This is real and we need to be taking advantage of it now. The next 12 months is going to be bumpy."
Kerry Parker • Mythos vulnerability discussion
"You don't have to tell everybody you're going to do this. I just would have done it and then announced it when you could release it."
Kerry Parker • Project Glasswing marketing criticism
"The tyranny of the default is what Steve Gibson likes to call it. Whatever comes out of the box is what almost everyone's going to use."
Nate • Brave Origin discussion
"Any game worth playing has rules. And any game with enough consequences needs a referee to enforce those rules. You need fairness or it's predatory."
Kerry Parker • Surveillance pricing regulation
"I would never run these things directly on my machine because then they run as me. They could do anything I can do."
Kerry Parker • Agentic AI safety discussion
Full Transcript
All right, hey, everybody. So Brave has released a minimal but a paid version of their browser. That's very interesting. We're going to talk about that. Meta has started keylogging their employees. And we're finally going to talk about Anthropic's Mythos tool. And all this and more coming in This Week in Privacy number 50, so stay tuned. Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we're working on within the Privacy Guides community and this week's top stories in data privacy and cybersecurity. I am Nate, and joining me this week is a very special guest, Kerry Parker, the host of Firewalls Don't Stop Dragons. So thank you for joining us this week. Kerry, how are you? Hey, man, I'm really glad to be here. We just did this recently when you guys were on my show, so it seems like only natural for me to come on yours. I'm really looking forward to this. This is great. So thanks for inviting me. This is going to be a good time. Yeah, I'm super excited. I've definitely been wanting to collaborate with you on something for quite a while, and I'm glad we're able to make this happen now. Yeah, me too, for sure. All right. With that, we'll go ahead and jump straight into the news, and we're going to start off with a pretty hot story that has gotten a lot of discussion this week, which is Brave Origin. So for those of you who have not heard, which is weird because Brave didn't make a blog post, I don't think. I don't know what their official method of distributing this news was. Brave Origin. So the Brave browser, as many of you may know, is a little bit controversial for a lot of reasons. And one of the reasons is that it just comes with a lot of stuff that some people don't necessarily want. Like it comes with a ton of crypto integration. It comes with an AI assistant called Leo. I think those are kind of the two most controversial ones, but, you know, stuff like that. 
And some people, you can disable it, you can ignore it, but some people still argue like it shouldn't be there in the first place. And so now Brave has announced this new browser that they're calling Brave Origin, and it strips all of that stuff out. I looked at the original press release, and they had everything in a bullet point, but oh, here we go. Here it is in this article. So it strips out rewards, Brave ads, the built-in crypto wallet, Leo AI, their news feature, their VPN, the Tor integration, and it turns off all the analytics by default. So, yeah, it's a minimalist stripped-down version of Brave. The catch here is that it costs $60, and that's a one-time fee. So, I mean, there's pros and cons, right? Like, it's a one-time fee, and it's actually free on Linux. So if you're a Linux user, you can just go download this right now, no biggie. actually for the record I think it might be in beta which I'd also explained why they haven't made a blog post about it but you know when it comes to Linux whenever you're ready if you want it you can go get it for free the $60 fee does come with 10 activations meaning you can use it on up to 10 devices we'll get into that in just a minute actually I mean I guess we could get into that now because I think that's kind of the meat of the story there but why don't I I'll start by throwing it over to you, Kerry. Do you have any particular thoughts on this story first? We can go together, but I think it's weird, right? I mean, basically they're saying here's all this really cool features we've been releasing. They've been touting these features as they release them, certainly. You know, these are things why you might want to use their product, and now they're saying, or for $60 we could take a lot away. So, it kind of gives a really mixed message about what they're doing, right? I mean, if these things are bloatware that people don't like enough that paying for them makes them go away, why are they there in the first place? 
I don't know. Brave is, we were talking before the show, Brave is basically my second browser. I use Firefox, as I think a lot of my listeners know. And Brave is certainly the easy button option. If I think somebody doesn't, you know, want to do anything to get privacy, I'll just, easy button is Brave. I mean, it's a great browser. I like a lot of things about it, but, you know, the attention token thing and the Leo stuff, everyone's shoving AI into everything. I would like this. The other thing, I think it was in the article, and you could tell me, but it was $60 lifetime, right? So even as a method for making money for Brave, I mean, we all hate subscriptions, but I mean, if this is going to be an ongoing thing, I can't imagine a $60 lifetime is really going to cover it. I mean, those are just about my initial thoughts yeah for sure um yeah it's a one-time 60 dollar fee we've already got quite a few people in the chat actually um yeah somebody said it's not out of beta yet as far as we know uh lucas is kind of has my thoughts which is why would you pay for it when you can just turn it all off to be fair um if you get the paid version you can download so there's there's two ways to go about right and let me recap this real quick for those who don't know um you can pay for it and you can download it fresh and all that stuff is gone. Like it is not there at all. It's not even like an option you can turn on or off. It's just completely gone. Alternately, you can, uh, upgrade quote unquote, your existing browser. And then basically it turns all that stuff off and then you can turn it back on, which I will say personally, if I was going to pay for this, I would do that. Cause there are a few things like, um, I think like speed reader gets removed. Um, we were, like you said, we were talking about this before we went live, but I do, uh, I do use Leo. a little bit, mostly for like research. It's, it's a real good time saver for research. You know, I can type it in. 
Yeah, there was this story about like AT&T had a data breach and here's the details. And it's like, oh, you're talking about this 2019 blah, blah, blah, blah, blah. And it spits out all the links. And I always double check it for the record. I'm sometimes, but so, I mean, I like the idea of being able to turn things back on, but yeah, I mean, it's, this has been a really polarizing story and I don't know if I have a, I don't know if I really have a strong one way or the other because I do see both arguments like you said like um or like some of the people here are saying is like you you have to like pay developers somehow you know but oh yeah you you also made a really good point about um uh like why why would you pay for something that people didn't want in the first place like that's that's kind of silly I don't know it's it's certainly a mixed marketing message right I mean obviously as again as these features came out, I know they were touting these things. Oh, we got this really cool thing. Wait till you get this in the next version of Brave. And now to suddenly say or you could take all that away if you pay us money just seems really, I mean, just as a pure marketing thing, seems like a really bizarre message. I mean, yes, all this stuff costs money. We should absolutely be supporting these folks. You know, I try to donate where I can. A lot of people don't. I don't know if that's a sustainable model for a lot of these companies. I wish it were. I get that part of it. Just, the market aspect of this is what I guess confuses me the most. And it also is really interesting. All right, so let me ask if you see if you know. So if you pay the $60 to get the second version of this where all these things are disabled, if you re-enabled everything, would it be right back where you started? Or is there still some difference? No, as far as I know, it would basically be like as if you just downloaded the free version fresh. Huh. Strange. So, yeah, I don't know. 
I mean, my other concern is, you know, this this Charles said here, the whole thing about like you have to be able to pay developers. I don't want to shoot myself in the foot or anything. The sixty dollars one time isn't really sustainable, in my opinion. Right. I feel the need to point that out. But also, like, I don't know, it's I do want to I do want to point out. I actually kind of sympathize with Brave a little bit here because a lot of people I know I just mentioned it a minute ago. But like you're paying to get rid of features you don't want. Yes. But that means they have to make a completely separate version of the browser every time. They have to make a completely separate version that has all this stuff taken out, and then they have to, like, put it out there to the public. It's a completely different upload. That is actually true. And from a software development standpoint, that's actually incurred cost because that basically doubles the amount of testing you need to do against that browser. You'd have to test the features that are removed, but you've still got to run it through everything else that doesn't work and make sure you didn't break anything by removing those features. So it actually does incur them some overhead to support two different versions of their browser. So, yeah. Yeah, actually, I'm glad Jonah reminded me here. I wanted to go ahead and run a little poll and see who would be willing to pay for this. Yes, no, or maybe. For those of you who don't know how the polls work, you leave one, two, or three in the comments. But, yeah, I'm curious. I keep waffling because, on the one hand, one thing I hear people defending it is this is really good if you've got friends or family who are maybe not a little bit more tech savvy. I mean, Brave has really good built-in out-of-the-box privacy protection features. I don't think that's really arguable, regardless of how you feel about them. 
And I think it would be really cool to have, you know, to get your friends and family on Brave and to be able to give them this, like, minimalist version where you can just be like, you know, install this origin. Like, I bought it, but I'll activate it for you and install it, and it's good. And there's no chance they're going to accidentally wander onto the Leo page or the crypto page or any of that kind of crazy stuff. That's an interesting point, actually. And I want to support these guys, too, so I may just pay for this just to support them. But as a gift for people, like you're saying, that don't want to take the time or it's too tedious, because we all know this, you know, the tyranny of the default is Steve Gibson likes to call it, right? Whatever comes out of the box is what almost everyone's going to use. And if you have to start tweaking that to get to the point where you want to, people often won't do it. Certainly a lot of the, you know, again, like my mom is often my avatar. If she's not going to do it, then most of my audience is not going to do it either. So, yeah, if you can pay to give somebody else a version of this that is already ready to go, that might be actually more interesting as a gift thing. Yeah, for sure. And, I mean, I forget what I was listening to lately. I think it was about ad blockers, but that was a point that came up is like – I mean, even – I've had times where my ad blockers stop things from working or my wife's – she also uses Brave. even. Yeah. No, Jonah, I don't think polls are broken. I think I forgot to hit resume on that one. But yeah, I don't know. It's it's it's it's interesting. It's a tall order. I think it's really cool. I think I don't know if he was being tongue in cheek, but I did see somebody asked the CEO of Brave why it's free on Linux. And he's like, try to push people towards Linux. So I don't know if he was joking around or not, but that was pretty cool. So that's weird, too. 
I mean, did they did They say why – I mean, is this just a matter of we want – this is another way for you to support us basically going this way or – because I'll give it away for free. Anyway, I don't know. No, I think that's – I don't know. I mean, that's – I'm not much of a business person, but I feel like that's the only explanation that makes sense to me is like we wanted to try and support the Linux community. I think it's also, I know, I think you mentioned this a little bit, but I think it's kind of like trying to find that middle ground of, you know, like people complain about the bloat. And it's like, okay, here's a bloat-free version, which, of course, now they're going to complain that it's paid. But yeah, right there. We want Linux to win. So, but. Yeah, you'd think it'd be the other way around, right? Like the basic one would be free and then all the stuff with all these features we spent all this time putting into there. That would be the for pay version. Yeah, that's what's getting me. not to be cynical but one thing i've noticed is um the average person doesn't care like i love my wife i mentioned she uses brave she still has the sponsored backgrounds turned on um which i don't know how she does i just hate ads personally i'm like oh i do too with a passion yeah so i don't understand like every time i have to use her computer for something and i pull up brave or i see her pull up brave and i'm like looking over her shoulder for whatever reason and it's just like I see the little sponsored thing. I'm like, how would you not turn those off? But it doesn't seem to bother her. So I don't know. Like you said, the tyranny of the defaults, if there's good defaults there. So I guess that could be another argument going back to my whole like not playing tech support for the parents is, you know, you get this, you install it on their computer and guess what? They have good defaults right there. Like all the analytics are turned off. 
I do imagine that people that watch ads, the same experience I have is when I look at anybody like on Chrome that doesn't have block or something installed. And there's ads and stuff all over the place. And I can, all I can guess is that they've already looked, their brains tuned that out. Like they've, they're so used to it. They're so numb to it that they don't see it. Whereas you and I who don't see ads all the time, it's just, it's glaring to us because they're trying to get their attention. They've already ruled them out. And for us who are not used to it, you know, it's like, anyway, we haven't built up the resistance to it like they have. I've stopped saying it because I feel like I'm a party pooper every time. But on that note, every time I see certain like TikTok videos or something, I'm like, why were they filming this moment? And that's to me, that's a good way to tell if it's not. But real quick, I did want to call out Jonah said he's going to keep using Zen browser on the topic of competitors. I know we're going to get ahead of it because a lot of people have asked about this is the the Helium browser has been a really popular subject lately. It's popped up on the forums a few times. I know there's some videos have been made about it. So Jonah asked me earlier this week if I could test it out and kind of take a look at it. And actually, I guess you guys can't see the whole window here, but I'm actually using Helium browser today. And it's, you know, I will go on record and say I was I was really a hater when Jonah was like, hey, can you test this out? And I was like, why? But, you know, I got to say it's been pretty pleasant. 
Like some people have been promoting it as a um let's see if i can pull up their website here real quick um it's coming up because you know we're talking about things like zen or like helium like why pay for this when you can just do this or you can just manually deep load it um i've definitely found little things here and there like every once in a while my my uh well on this computer i have a solo key but um every once in a while my solo key won't work with it quite right for some reason but um i mean i gotta admit it was it was a ironically it was a little bit longer of an install i feel like than most browsers because, you know, most browsers, like, they just want to get out of your way and get going real quick. But this one had, like, a whole page of, like, what settings do you want to enable, what search engine do you want to use. So it felt like it took a little bit longer to get started. Not by much longer, just a few seconds, but it definitely felt like it was a little more involved. But, I mean, once I got up and running, it's been treating me pretty well so far. I'm always a fan of anything that comes included with UBlock Origin. I don't I just realized I didn't pull the page up I'm sorry the whole time I'm talking about it but yeah I don't know I mean I just I know people are going to ask us about it so this is kind of an unofficial review I don't know if there's enough there for us to do an entire review of it specifically but I thought it was okay I thought it was pretty cool you could check it out if you want I don't think I'm going to switch from Brave to be totally honest like this has been an okay experiment but I think after this I'm going back to Brave but But yeah, I mean, doesn't seem to be anything wrong with it in my expertise, at least. It's actually amazing how many browsers we have. And even how many different privacy-oriented browsers we have. I mean, it's a good problem to have, I guess. Yeah, for sure. 
I mean, we've got, and I mean, for the record, I think they've all got, most of them, you have to do some various tweaking to really get the most out of it. But we've got Brave, we've got Firefox, we've got Mullvad, we've got LibreWolf, we've got even things like Vivaldi. I mean, when we're comparing them to mainstream, like Chrome, for example, even Vivaldi comes with like a built-in ad blocker and all that kind of stuff. So have you used Zen browser at all? I haven't used it, but I know Jonah speaks very highly of it. And I think Jordan's used it too. So I know Zen's a really popular one, but so like you said, it's a good problem to have for sure. Yeah. All right. I don't think I have anything else to add to that story. Did you have anything you wanted to? Oh, here we go. We got a question for you. Dave wants to know what browser you use. I think you just said it a minute ago. I use Firefox, and I've been using Firefox for a long time. And sadly, I saw the numbers on Firefox. It's down to like single-digit percent usage. It's really, really sad. I mean, I guess maybe some of that is the fact that we've got so many browsers to choose from. But I don't know. I've been a longtime Firefox user. One of the reasons I like Firefox, though, and I like to support Firefox, is I really want something besides Chromium. I'm honestly surprised that Google – I know that Google was the browser or was the search engine on Firefox for a long time, I mean, that was kind of how they indirectly supported. But there were times in history with Apple, for example, where Microsoft gave a bunch of money to Apple because they didn't want Apple to die because they needed a competitor. Otherwise, they'd be, you know, they'd be a monopoly. And so for that reason alone, you know, maybe Google should kick in some money to the Mozilla Foundation. Anyway, I like to support it because I want something besides Chromium. And so for me, it's Firefox and uBlock Origin. That's my go-to. 
Yeah, I am, I'm not gonna lie, I kind of want to go back to Firefox for the same reason you said, like just to support the, uh, the wide range of browser choices, but I'll admit I use Leo quite, like, most of the time. Okay, most of the time I'm either going to, like, the things that I would log in with a YubiKey, like my Nextcloud instance, my Mastodon instance, or I'm doing research for a video, at which point, like I said, I kind of come to rely on Leo pretty heavily for that, um, just because it speeds up the research process so dramatically. I don't know. But I'm trying to use Tor a lot more as well. And I know there's that ask mode in Brave. I think I need to play around with that a little bit more. Well, of course, Tor is based on Firefox too. So what happens to Tor if Firefox goes away? I don't know. Yeah, that's true. That is very, very true. Normally we save questions until the end, but the chat is really popping tonight, so I don't want to lose questions. Somebody said, do you use Arkenfox with Firefox? Do you have an opinion on the Arkenfox project? I've looked at it. I've basically gotten Firefox to the point where I've tweaked it. And so I don't know. I've not gone through it. I've looked at some of the things that Arkenfox has done. I've kind of looked through their bullet list of modifications. Some of them are a little further than I would that I go. I've got other things going on, too. I use NextDNS and some other things, too. So some of them kind of overlap, perhaps. I'm not, you know, I'm not super, super hardcore. Plus, my audience is not. So I also kind of try to do what I recommend so that I'm more familiar with it. So, you know, so there's some of that going on there, too. Yeah. And I mean, my personal opinion is like I feel like the Mullvad browser has closed the gap so much. I actually thought I heard that Arkenfox was going to stop developing because the Mullvad browser was so good. I mean, I don't mind. I use it sometimes, too. Yeah. 
I was going to say, I don't like it again. Like we were saying earlier, it's great that there's so many choices out there. So I'm not like mad about it if they want to keep developing. That's that's cool for them. But, yeah, I have – literally, I have four browsers on my computer. I have Brave, Firefox, Tor, and Mullvad. I've got all those plus Safari. Well, okay. Okay, yeah, so we want to talk about the Mac, which I only use this when I'm traveling, to be honest. Otherwise, I'm either on Linux or Windows. But the keys just – the keys. I don't know. I might – I feel like I should buy Origin now just in case it does turn into, like, a subscription or, like, prices go up later. Like, block in the price now. Hedge your bets. Those keys are pretty straightforward, right? Don't they just work like keyboards? Like, how do they fail? I'm sorry, we're getting off topic, but you're talking about the Mac? No. Well, you said some of these keys don't work with some of the browsers or something, that some of your hardware. Oh no, I don't, oh yeah, yeah, on Helium. I don't know, just the other day I went to log into, um, what was I trying to log into? It might have been, it might have been Mastodon. I don't know. I went to log into something and I hit my, my solo key and the key was fine, but like, it gave me some kind of error about, like, could not parse something or other, and I, like, I made a note of him in my head, but then by that point I was like, whatever, I'm going to bed. But it's, dude, it's been a long, I went to New York this week. I went to upstate New York, so I had to travel and everything, and yeah, that's, that was fun. Um, yeah, but, uh, yeah, I think before we move on, I do want to point out this new Keith person here, I think, is actually a member of the Brave team, so thank you so much for stopping by and answering questions like that. We really appreciate it. But with that, I think I will turn it over to you to talk about this new law from Maryland. Yeah, yeah, okay. 
So Maryland has passed the first in the U.S. law for banning surveillance pricing. They called it the Protection from Predatory Pricing Act. Actually, I think New York actually has a law, but it's only about transparency. New York, I believe, has a law that says if you do it, you have to tell people you're doing it. But this sounds going to outright ban. It was Wes Moore is going to sign it. Apparently surveillance pricing, if you don't know, is this notion of they collect all this information about you, all these data brokers, all these things that we've been talking about on shows like this in mind, where all this data, personal data has been collected about you often without your knowledge, supposedly with your consent, but we all know how that goes. And then when the time comes to show you a price based on all that information, if they think you're desperate, they might charge you more. If they think you're rich, they might charge you more, or if they haven't seen you in a while and want to get you back, they might charge you less. There's all sorts of things baked into these algorithms. But the point being is that people get different prices. And there's been all sorts of studies and people have, and they've asked questions to people, do you like this idea? And everyone says, no, like nobody likes this idea. And yet there are still other things like loyalty programs or whatever, you know, your Kroger card. But the thing with those is everyone gets the same deal. Like if you've got the card, then you get the price. So anyway, this is a situation where potentially you, like you particular person, might get a different price than someone next to you. And so I guess food retailers, as in like grocery stores, are a big place where this happened. Obviously, a lot of this would be online so that, you know, two people not sitting next to each other and noticing that the prices are different. 
Though Walmart and some other stores are going to those electronic tags now, and some people are envisioning this like I walk up to a tag and then the price changes for me. I don't think that's going to be happening anytime soon. But anyway, so Maryland has come up with this law saying that this is bad, and we're going to treat it as an unfair and deceptive trade practice, which is great. We need more things like this. I think this is a good idea. I've got some questions about how this is really going to work out, and the devil's always in the details like, you know, how are they going to enforce this? How do you catch this, for example? How do you prove that this is happening? And then how do you then, even if I get a different price, how do I prove that it was because I'm different than somebody else that I got this price? That it was some algorithm behind the scenes and not just, well, we just changed the prices five minutes ago. Also, what is not clear, I looked at, I tried to look at the law before we came on. It doesn't appear to have a private right of action built into it. Now, sometimes in different states, there are other laws that would come into play that might give you this. So it doesn't have to be directly in the law. But a private right of action basically says if I figure out and can show, I'm pretty sure I can show, that I was discriminated for some reason, and I was given a way worse price than somebody else. Like, let's say through surveillance, they figure out that I just had a death in my family and I went to go shop for a flight at Delta.com and Delta.com gets this information through the back door. Ooh, Kerry's hard up right now. You really need a flight. Let's charge you more. Now, maybe it's a bad example because I know some airlines actually have bereavement fares and whatnot that are usually cheaper for last minute flights. But anyway, let's just say that that's what happened. I could show and prove that that happened.
And I, if I had a private right of action, could personally sue. Whereas if you don't have a private right of action, which is what I think is going on here, you actually have to get the state attorney general to sue on your behalf. So probably have to have a lot of people complain about it or there has to be a really egregious case because they've got other things they're doing too, right? So without a private right of action, some of these things sound good on paper, but in reality don't have a lot of teeth to them. Also, it remains to be seen if someone gets brought up on this, what the remedy is going to be. Are they going to charge them a lot of money or is it like a lot of things with Meta and all those companies? It's going to be the cost of doing business, right? Like, oh, it's a fine. It's a small fine. We'll pay that. Whenever you can make that happen, we'll pay that because we're still going to make money. So I don't know about that. I will also say that I just did an interview with Justin Brookman from Consumer Reports and Eric Gardner from More Perfect Union. They did a really interesting study about this, actually, where they got a whole bunch of people into a room together at the same time on the same phone on the same IP and the same websites and said, okay, everybody find this item and buy it right now. And they found that there were differing prices for a lot of these things, and they kept track of this and looked into it. So if you're interested, you should definitely check that out. But there are things that we kind of do this for already today, too, that kind of muddies the waters. Like if you think about it, like airline tickets, like no one gets the same damn price for an airline ticket. It depends on when you buy. It depends on not just what fare you want, but like what things are going on right now. And it could be fuel prices. But airline tickets are weird this way. There's surge pricing for Uber. Does that fall into this category? 
You know, I don't know. So those are just some of my initial thoughts on this after I read this article. I think it's good that we're calling it out. I think I don't think a lot of people understand this. I think that surveillance pricing is one of these issues that is finally going to make a lot of people sit up and notice. All this data gathering is a real problem, and this is why we care. So many other things are just kind of nebulous and like, yeah, I don't care. I get targeted ads. Fine. Why should I want to look at an ad that I don't want to see? Show me those ads that are targeted. That's good. I like that. This is where this is going to hit home. I think this is actually an issue that's going to get traction. What do you think? No, I totally agree, and it's funny on that note. I am so backlogged on podcasts. Today I finally listened to your Freely episode with McNerol, and you mentioned that. Like, okay, coming up we're going to be talking about consumer reports and how they put everybody in a room. So while you were talking, I'm like, was that his podcast or was that somebody else? Where did I hear that? Yeah, no, it's another podcast I listened to. They talked about this and that was his take. He's like, no, I think like, I mean, he didn't come right out and say, like, I think this would be awesome. But he's just such an optimistic person. He's just like, I wouldn't mind if they use my data to, like, give me a discount or something. I'm like, yeah, but the difference is they're going to give you a 10 percent discount and somebody else a 20 percent discount. Or like they're going to charge you a little bit more and then give you a discount. So it's the same price, which Amazon already does that anyways. Yes, that's actually a point that came up in the thing. Often what they do is they change. It's all psychological games, right? So they show you a list price that wasn't the real MSRP or whatever. 
And they show you $7 for you but $5 for me, and then they sell it for $3. One of us thinks they're getting a $4 discount. One of us thinks they're getting a $2 discount. You're both paying the same price. So it works in other ways, too, this whole surveillance thing. Yeah, for sure. But, no, I agree with you. Like, I feel like this is where this is unfortunately one of those moments where, like, privacy, a lot of the time the hypotheticals have to become real before people start to notice it. Like, we've already seen with cars now, you know, that that stuff is used to influence your insurance rate, which I think I told this story on a previous episode of, like, I just moved to a new area. And I decided I would take the hit and get, like, the little tracker thing you plug into your car. It's not on my phone. It's on the car. Well, because it was like it would cut my insurance rate in half. But it kept dinging me. The OBD2 dongle? Yeah, but it kept dinging me, and when I asked them, I'm like, I need to return this thing, because my insurance is going to be more than if I hadn't bought the damn thing, and, you know, they were like, it was so funny, because they were like, okay, well, I mean, some of it is like, your driving, which I explained, I'm like, yeah, I'm in an area with really aggressive drivers, like, there's nothing I can do about that, and then also, some of it was like, you take a lot of short, inconsistent trips, and I'm like, because I work from home and I just run to the store when I need to. Like, I don't commute to an office every day. What do you want from me? But yeah, it, you know, anyway, sorry, that was a... you know, we're at the point now where, like, our car data is being used to determine insurance rates, and now, like, this stuff could be used to determine individual pricing. And this is different. Um, I know I've said this before, but for anybody who doesn't know, this is different from surge pricing or dynamic pricing, right? Because that affects everybody. You
know, if you... the example I use is if you're at a concert and the concert's over and you call an Uber, it's going to be more expensive because it's a concert, it's crowded, everybody's trying to get home. But it's going to be more expensive for everybody. The surveillance part comes in where it's more expensive for you because your phone's at 10 and they know that you can't afford to wait for traffic to die down. So... And you say that, but that was a thing. Uber was one of the things: if you gave it permissions, the Uber app was looking at the charge on your phone, and if your charge was low on your phone, they figured you were desperate and they would give you a different price. Also, as Cory Doctorow is very common to point out, the drivers themselves are subject to kind of surveillance pricing as well. Like what they are offered for a ride before they accept it varies depending on factors on their end, too. And it's just this whole algorithmic game that is all, you know, it's very untransparent to the people it affects, but the companies are using it to make a lot of money. There was when I was talking to these guys, one of the things I thought was interesting was the whole the whole point of this is they don't leave money on the table. Right. So all these companies want to charge you as much as possible and still get you to buy. You personally. Like, how much can I charge Kerry and get him to buy without charging him too much so he walks away? It's the same thing with Nate. That could be a different price. And so, and it's called a customer surplus. Whatever they left on the table of Kerry, if I charge Kerry seven bucks for something, turns out Kerry would have paid ten. And so that's three bucks I didn't make. That's the way they look at that. And that's what they're trying to solve with this surveillance pricing. Yeah. For sure. For the record, real quick on the Uber one. I don't know if they were ever like convicted of that.
But yeah, I do remember that was like somebody alleges that was that was the thing. But yeah, it's a Vonnegut here says Wendy's had plans to introduce surge pricing that they pulled back because of backlash. I vaguely remember that. What was the surge price? OK, sure. Yeah, I don't I don't know. That's weird. Everybody's trying to get in on it, which I know, like for the record, I understand. Like, welcome to capitalism. Everybody's trying to make as much money as possible. But like, it's still just crazy. Like, it's nothing sacred, man. Well, there's still some basic fairness that needs to be in there. And this is something I bring up all the time when people talk about capitalism. Unfettered capitalism is still not good. I mean, the way I usually put it is that any game worth playing has rules. And any game with enough consequences needs a referee to enforce those rules. You need fairness or it's capitalism has to be fair at its basic level or it's it's predatory. Yeah, for sure. Um, yeah, I don't think I have much to add to that one, um, personally. So I guess, uh, let's move on to our next section. Um, in a little bit here we're going to talk about Meta, and, uh, Meta is basically keylogging their employees, um, to train AI. But before we talk about that, which should be fun because I love making fun of Meta, um, first we're going to give some quick updates. Um, we're going to talk a little bit about what's been going on at Privacy Guides. So for anybody who is not subscribed to our newsletter or our YouTube channel or any of our socials or anything, you really should be because we have a new interview out with Carissa Véliz and she talked about AI and actually just this thing we were just talking about now about how AI and predictive algorithms are making things less fair and not more fair and really taking away a lot of opportunity from people. Amazing video.
I don't have it on me in the coffee table, but I pre-ordered her book and it got to me like the day before it came out. So that was super cool. I got to read a little bit of it on the plane. It is so far, it is amazing as always. She's an amazing author. In other news, Jonah put up a video about the Parents Decide Act that we covered a little bit last week. We covered that last week before the text of the bill was out. So we were kind of going off the PR statement that the representative put out. But Jonah actually read the text of the bill and kind of has some – So did I. It's actually pretty short. Oh, okay. I didn't have time to read it. But yeah, Jonah had some hot takes. He kind of disagreed with everybody. And, you know, I mean, it shows there's so many comments on that video, which that's great. I mean, you know, we're having discussion, which I think is awesome. But you don't have to agree with him, obviously. But I think if you want to hear a different perspective on it, I would say definitely go check that out. And like I said, you may not agree with him, but it's another opinion. Well, for what it's worth, I agree with him. And I don't like the age-gating stuff, and I don't like the ID verification stuff. That is not what this bill is. So that's the thing. It's not that long. It's like almost a one-pager. So it is worth listening. I watched Jonah's video, and watch that before you make your decision, because I have knee-jerk reaction to whenever I see these kind of bills because so many of them are bad. 
This is one you need to take a look at, because, it's... none of this is good, but I think this has an interesting approach, so I think it's worth at least considering. Yeah, for the record, I don't really know how I feel about it, because I think Jonah really did make a lot of good points, but I think a lot of it is also, like, at least what I heard from it was, like, assuming this doesn't get abused, and I'm very cynical of government, so I don't know. But I also, full honesty, I think Jonah's a lot smarter than me, so even if I don't fully believe him, I'm still going to listen. Oh, yeah. I mean, there's still problems with it. I mean, it's definitely not perfect. And there's always the slippery slope argument against a lot of that starts out being good and then ends up going wrong. And so as soon as you enable it once, it might start being good and then go to crap. That is most definitely possible. But it's worth debating by looking at this bill. Yeah, for sure. And that's a really good point. Like we can make the slippery slope argument about anything doesn't always mean it's going to happen. So that's true. And we do have another video is already in the editing phase. And all I will say is that it is a tutorial that some people have been asking for for a while. I'm really excited about it. Like I just I've told you all I do like the initial cuts. Like I'll record something. I'll do like a rough cut to get rid of all the pauses and the starting over. And even that initial cut, I was like, damn, I don't I'm not normally one of those. Like, I'm so good at this kind of people. But even I was sitting there was like, I think this is going to turn out really good. So I'm excited to share that with y'all. And then we wrote a bunch of articles this week. It was a really busy week. Apple has fixed the issue that was causing Signal notifications to be stored on phones. Madison Square Garden, I think it was Wired, did like a real deep dive into their facial recognition software.
I got to walk by MSG this week, so I'm pretty sure I'm on there. Fingerprint.com discovered a vulnerability that can link your Tor browsing together. Definitely go check those out because, unfortunately, we're not covering any of those stories on the podcast this week, but they're good, important stories that are worth knowing about. And on that note, I'm going to turn it over to Kerry, and you can tell us a little bit about what's coming up over on Firewalls Don't Stop Dragons. Right. Well, you beat me to all the interviews. So my interview with Carissa Véliz is going to come out Monday, and I have had a chance to read the book. It is amazing. Privacy Is Power, which you've got behind you on the wall there, is still my go-to. Like if I recommend one book to anybody about privacy, it's that one. If you have not read it, you need to read it and buy it for your friends and family because it's just that good. She's a philosophy professor, and she approaches this from a very human angle and a very interesting and provocative angle and says a lot of things. I've been doing this stuff for a while when I read that book, and there were still points of view in that book that are like, wow, I really liked it, that I really took home. Anyway, so that's really good. Carissa is amazing, and I got a chance to talk to her as well about her new book. So she and I have an interview coming out Monday. I also talked with Cindy Cohn. You've already talked with her. And so I did talk to her as well. Another amazing woman, another great book. She's got out, Privacy's Defender. That's well worth a read. So both of those interviews are coming out for me the next two. And then this is something I've been wanting to talk about for a while. We talk about surveillance all the time and mass surveillance all the time. But I wanted specifically to talk about employee surveillance, which is a great, going to be a great segue when we get to the Meta article.
And so I found a couple of people just talked to me about the technology behind it, like the MDM profiles and things, and what really happens when you use your own device at work and what you should expect for privacy when you're using company resources or on company property, which, spoiler alert, is nothing. You have no privacy. So we talk a lot about that. So those are kind of the interviews I've got coming up. And also, maybe I can save this for the end when we wrap up. But I've got some big news to talk about with the book and the podcast. I'll save that for the end when we wrap up. All right. I'm excited. And I'll definitely be listening to those interviews. Yeah, Carissa writes in plain English, but, like, so articulate. I love it. Absolutely. Yeah, so all this is made possible by all our supporters. For Privacy Guides, you can sign up for a membership or donate at privacyguides.org. You can pick up some swag at shop.privacyguides.org, like this awesome water bottle that I take everywhere when I travel. For Firewalls Don't Stop Dragons, you can head over to firewallsdontstopdragons.com or, I will fully admit, your little FDSD.me. I use that like crazy. So type that in. If you're like me and that's a lot to type and you make a lot of typos, FDSD.me. Oh, I make so many typos. And I'm a writer for a living. Can you tell? But yeah, that'll take you to his website. You can get a copy of his book and learn more about the podcast. But for now, I'm going to leave it with Kerry and we're going to talk about Mozilla and Anthropic's Mythos that you guys may have heard so much about. Yeah, yeah, yeah. So I guess you guys have been talking a lot about this show. So I want to start by giving a little bit of background because I think that's going to be important. Honestly, the takeaway from the – we have a couple articles. The takeaway from the articles is pretty short. But I do want to talk about what Mythos is and just general generative AI in coding.
So I'm a retired and recovering software engineer. I did it for – I mean, I've been writing code for 40 years. I've been doing it professionally for 30. And I'm here to tell you, this stuff is for real. There's a lot of problems with AI. I say this whenever I do it in my show. I've got these disclaimers. Like, yes, there are a lot of environmental problems with AI. We didn't have to do it that way, but we did. There's a lot of copyright problems and content things with AI. We didn't have to do it that way, but we did. But all that aside, just strictly from a coding perspective, Gen AI, LLMs, large language models, chatbots, you know, your Claudes, your Geminis, your ChatGPTs. Turns out code is just ideal for working in these situations. LLM's training on code is almost perfect. There's always bugs in code. I would have said that for my entire career. We maybe get to the point where that's not true anymore. But before we get there, we're going to be finding a lot of bugs, and that's kind of what we're going to be talking about today. So Mythos is the latest version of Claude, which is from Anthropic. And so they did this big song and dance release recently where they said, we've got this new version of Claude. It is so amazingly powerful. It is so unbelievably powerful in coding and finding bugs and exploiting vulnerabilities in software. It is so good. We can't give it to you yet. So they created this thing called Project Glasswing, and Project Glasswing is this, I don't know, pseudo charity thing where they said, okay, we're going to let the quote unquote good guys have it first. And so I think there's like 40 different companies that they're giving it access to before they release it to the public. They're running it on a lot of open source projects, especially a lot of the big ones, which is great. We're going to find out in this next article when I finally get to it that Mozilla has used it to good effect.
But I'm here to tell you that these tools are the real deal. And there's a lot of hype behind this. A lot of people are saying, oh, they're going to IPO this year. They're just trying to, you know, get a lot of interest. They are getting a lot of interest. They're making such a big deal out of this. It's all hyperbolic. It's just, you know, it can't be this good. It can't be this dangerous. As a software engineer, in my opinion, and actually it's not just my opinion. There's actually a lot of cybersecurity researchers who share this opinion. And I can, if you're interested, I can maybe try to give you some links. But this is the real deal. They are finding a lot of bugs. One of the things that they point to, and then I'll get to the story, and I'll have more to say, but I'll finally get to the story, is somebody's keeping track of the mean time to exploit, how long it takes before a patch is released, like somebody's fixed a bug, and then the bad guys find people who have not updated their software yet and then exploit it in the wild. Like eight years ago, it was like two years. It took two years on average. I don't know what the standard deviation on that is. But anyway, the point is, over the last few years, it's come down very, very fast. It's to the point where, so far, I think this year, the mean time to exploit between publishing a patch and somebody exploiting that patch in the wild for somebody who has not fixed their software yet is 10 hours. That's nuts. That's basically instantaneous. I just need to chime in real quick. I remember when I was on Surveillance Report, it was like three days. So it's going down constantly. That's insane. It's basically immediate. So that is what these tools are doing. And so that is why Anthropic basically said, okay, we can't just release this to everybody yet. We're going to let the good guys have it first and try to fix all their stuff. And so that leads to this article.
And that is that Mozilla used this tool and in the latest version, well, okay, so it's a little fuzzy. They said they found 271 bugs in Firefox. I don't think they're all fixed in here and I don't think they're all critical bugs. They fixed a lot of them in Firefox 150, which just came out. So it does exactly what they said they wanted to do. They wanted to give it to, you know, in this case, Mozilla, say, find all your bugs before the bad guys do, fix them now, and then release. And at some point soon, I don't think they've said when, they will eventually release this. But now this brings me to another point, is I want to say that even if this particular version of Claude is not as good as they say it is, the next one will be. But if it's not them, it's going to be ChatGPTs. They've got a cyber version out now that they think is about as good. And by the way, OpenAI released their ChatGPT Cyber and said, we're also going to, they took a lot of pot shots at Anthropic without saying them by name in their press release. But basically, they're doing the same thing. They're not releasing it broadly yet either. But even if these guys don't do it, someone's going to do it, and it's going to be out there. It's going to happen. So all I want to say, well, some of the things I want to say about this to you guys, the audience, and anybody you know that has a business or works for a company that might, well, that's everybody.
This is real, and we need to be taking advantage of it now. Steve Gibson on Security Now likened this to the Y2K thing. It's like, this is coming, it's going to happen, we need to fix our software. And it turns out back then it ended up being a nothing burger, because we had enough notice and we worked ahead enough that when it actually happened, it was... nothing really happened, because all the software had been fixed and we were all good when the clock rolled over on January 1st of 2000. I don't think this is going to be like that at all. There's a lot of existing software out there that's not being updated on devices that are no longer supported. People are not going to be on top of this stuff. And so for all of that software that is already out there and vulnerable, even if all these companies do get privileged access to this tool ahead of time and fix these things ahead of time and release their updates to this, those updates are not going to be put on everywhere right away. So for, I think, companies, and there's this white paper that, gosh, I wish I could remember the name of it. Maybe while you're talking or whatever, I'll look it up and say. But these guys basically said, you need to prepare now. They're talking to you like the CEOs and the CISOs of companies, the chief information security officers, and saying, this is real. This is coming. You guys need to prepare. Like, hire people. Get ready for a big wave of bugs to be found either before you release because you're using this tool, you're privileged enough to get access to this at a time, or the bad guys are going to find them for you after the fact. You're going to need to be ready to fix these things quickly. And for just regular everyday people, the kind of advice I'm giving is the advice that we've always been giving, but it's more urgent. You know, get your old unsupported devices off the Internet. Make sure that you're not have, you know, not holes in your firewall.
You can use tools like Shields Up and Shodan to find those kind of things. If you've got software that needs to be updated, get it updated. You know, get your data offline as much as you can, you know, because if you've got old accounts or old data sitting out there, reduce that as much as you can now while, you know, until because these things are going to get exploited. I've been talking a lot. I'm sure you've got some things to say. So let me take a breath. Nate, tell me what you think about all this stuff I just put out there. No, you're good. Yeah, I mean, honestly, I agree with you. Like I, you said it really well. Like AI has so many problems. And I'm not an AI maxi. You know, earlier I said that I do use Leo quite a bit. But I'm fully aware of, you know, the copyright issues, the privacy issues. I try to use it sparingly. I try to use it specifically for, like, hey, find this article or something. I generally don't use it for creative stuff. But it is – I've heard – I feel like we covered this on an older episode. There was one of the top Linux maintainers was talking to The Register, and he said that, you know, historically companies, open source projects have had issues with AI bug reports because there's just too many of them and they can't keep up with them. But now he's in and this was like a month ago. So now he's talking about two months ago or so. But at the time of the interview, he's like, yeah. And then like a month ago, all of a sudden it was like a switch flipped and something changed. And now like a lot of these bug reports are really good and they're actually really helpful. And we're we're finding a lot of things and fixing them. And so I think, um, AI, like one of the valid use cases, and again, like we should have done it differently. I'm not going to argue that, but now that it's here, one thing it's actually really good for is technical stuff. And like, I use it all the time to help me troubleshoot server.
Like you can ask Jonah, he used to be my go-to person. Even before I started working at Privacy Guides, he was like my go-to person where I'm like, Hey, I'm having a tech issue. Can I pick your brain? And now I think ever since I've started using AI for that, I think I've only had to hit him up like once or twice. Like, and I've had one other issue that the AI was giving me bad information, but I thankfully I was imagine that you read the logs and I might tell you what's wrong. But, you know, it's like it's really good. Like, 99 percent of the time it maybe not 99, but for coding stuff specifically, it's really good. And I think it's very I'm with you. Like, even if it does turn out that it's hype and it probably is some hype. Like, I mean, it's a company. Yeah, they're trying to make money. They're trying to get more investors. Like there's always a little bit of BS marketing, but even still, like I'm willing to bet there's quite a bit of good substance under there. And so it's good. I guess what I'm getting at is it's good to see it being used for something useful for once instead of like, oh, let's make fake news and let's make a. Oh, my God. I've been raging the last couple of days because I just uploaded a short video for The New Oil. I just uploaded one to like TikTok and stuff. And every time I go to TikTok, I do it on the computer and I'm not signed in. So I get like the generic homepage and I swear to God, it's at least 50 percent AI slop. Like, obviously AI slop. And I'm just like, why are people using this website? But, you know, it's so much, like, this is such a better use case for that instead of, you know, I don't know. Yeah. It's crazy. All right, so a few other points that I'll bring up is that coding in particular, again, I'm a software engineer. I've done this for a living for a long time. And one of the things that I think makes LLMs supremely good at doing code is code. Software code has a very strict syntax, in a very strict format.
And it's either right or it's wrong. It'll either run or it won't. Now, you can write code different ways to do the same thing. But if you want code to work, it's got to follow rules. And they're pretty limited, unlike the English language, which has all sorts of ambiguities. Every language does, right? Coding language is very strict. And so not only can you, because it's so strict and the syntax is so fixed, it makes it, I think, perfect for something like an LLM to study lots of existing code that's already out there and then be able to write new code from that. You can also have it write tests and prove that it works, which it can also do automatically. So this Anthropic, these Anthropic tools, and some of this is from tools that are even before Mythos. But for Mythos, what they told them was literally this is the instructions to Mythos. Here's some code. Read the code. Find me a vulnerability. And they walked away. That's it. And it found them. It's that good. And it's not some of these bugs. If you're into cybersecurity, you'll know that today a lot of our software has gotten better. It's gotten more secure. We've put in all sorts of safeguards on software to prevent, you know, it's a cat and mouse game. You know, the cyber hackers figure out, you know, oh, code is vulnerable in these ways. And so we've actually re-architected entire operating systems to not let that be a vulnerability anymore. Whole classes of vulnerabilities have gone away. So oftentimes today when you're finding a vulnerability in software and you find an exploit that allows you to take over a system, for example, what it really is under the covers, it's usually three, four, five, six chained exploits. It's not any one bug that gets them in. It's a set of bugs. This bug gets me this far. This bug gets me this far. This bug lets me raise my permissions. This bug lets me access this other software.
And by the time you're done, all of these things together in order will get you this vulnerability. This tool, in this case, found an exploit chain that I think that was six links long. It is that good. I'm here to tell you this is the real deal, and we should be worried. The next 12 months is going to be bumpy. So, I mean, I don't want to – I am not hyperbolic. If you follow me at all, you know this is – I am not a chicken little sky is falling kind of guy. And I think there's also a lot of upside too. Like I think this Project Glasswing for all the hype and everything, I think it's still a good idea that we're doing it. Once we build these tools into our software development process, we are going to be shipping much, much cleaner code with a lot fewer security vulnerabilities. That day when it comes will be good. Until then, we have a lot of software that exists already out there that is not going to get patched, at least not quickly. And it's going to be vulnerable to these things. So it's I'm not a prepper. No, I'm not. You know, but I'm telling you, and I usually avoid hyperbole. This is a case where I think the hype. I think both things are true. I think there is a lot of hype. I also think these things really are that good. And we need to – I'm glad they're giving it access. We're actually going to talk about the next story. They screwed that up too. But I'm glad they're giving them access ahead of time. I think that's a good call. Yeah, I think you kind of summed up what I was – there's a lot of hype, but I think there's also a lot of substance too. So, well, I guess real quick before we jump into that next story, I'll give the audience a chance to disagree. We'll try these polls out again. Do you think AI will change cybersecurity, will be useful? So let us know in the comments, one, two, or three. But in the meantime, I'll let you keep rolling and tell us more about this. What's the latest development in the Mythos saga? 
Well, okay, so this is one of the downsides to doing what they did. And so the one thing I think that they got wrong with this whole Project Glasswing thing where they came out, again, Anthropic came out and said, we have this tool that is so amazing and so good called Mythos that we can't just give it out to everybody yet. We're going to let the good guys, the blue teams, have access to this first. And that was great. But if I was in retrospect, I wouldn't have told anybody that I was doing that. I just would have done it and then announced it when you could release it. You don't have to tell everybody you're going to do this. And they went so far, by the way, just to show you how the hype works in this and the marketing works, somebody figured this out. But what they did was in the press release is they basically said, we found we've already found all these bugs. We can't tell you what they are yet because we don't want the bad guys to exploit them yet because the people that the software that has the bugs hasn't fixed them yet. They haven't released the patches. So we're not going to tell you. But we want we so badly want to prove to you that we know that these are real bugs. That what we did was is we wrote the report with all the details that explains and proves that we know what we're talking about. And this was a real bug. And then we took that report and we hashed it. Now, if you don't know what a hash is, it's a cryptographic function that basically takes any amount of input data and distills it down into a fixed length number. Essentially, it's a big number to the point where if you took an entire book and hashed it, all the text from a book and hash it, you get a number. If you change a period in that book and hash it again, you would get a totally different hash. It's like a fingerprint for the book. So basically what they did, because they wanted to be able to prove so badly that when this thing came out, like, see, we told you we knew this was here. 
They took their bug reports and hashed them and released the hashes so that when those bug reports eventually do come out, you can hash them, get the same value and say, oh, yeah, they really did have that. They knew about that weeks ago. So anyway, what happened here is, of course, because they came out and said, this thing is super valuable. Everyone's going to want this, but you can't have it yet. Somebody figured out how to get it. And the weak spot is always people. So this article in TechCrunch, the summary basically is some group of people, I think they had like a Discord group where they evaluate AI stuff. They figured out by looking at the pattern of various Claude releases, they kind of guessed where the service was going to live on the web, got it, and then somehow through a third party, because there's always a third party, your partners are always what kills you, they partnered with people. Well, some partner had a vulnerability or something. I don't know if it was social engineering or what. It's a little bit vague. But somehow they've compromised a third party and got access to the Mythos tool ahead of time. Now, we can only hope that they're not using it for evil. I don't know. But whenever you come out and say that these things are so amazing, you're just painting a target on your back. They should have just waited. I think that's all I got to say about that. Nate, what do you think? Got any comments on that? Sorry, I was having some slight technical difficulties. Sorry, didn't mean, all right. Yeah, no, I thought that was funny, too, that, yeah, it does seem kind of inevitable. I feel like when I read this headline, I was kind of like 50-50 on the one hand. I was like, whoa, that's crazy. And on the other hand, I'm like, yeah, I guess that was kind of inevitable. But I don't know. My only real thought, to be honest, is that I'm surprised we haven't seen any further developments yet, because this was, let me see, this was on the 21st.
So that was like, what, Monday or Tuesday? And I don't know. I mean, it's a good thing. It's a good thing, I guess. And, you know, the week is young. It's like we could still see stuff come out of this. But it's like, okay, they say that they've got access now, but what are they doing with it? And so I guess I'm curious because, yeah, we really don't know much, or at least publicly they haven't said much about who's behind this. So, yeah, this this this smacks to me of somebody like almost like a hacker interest group that just wanted to see if they could. And they and they poked around and figured out they could. They did it. A lot of, you know, a lot of hackers is just for the lulz, as we say. You know, it's just to say we could do it, maybe get a little street cred. But if they can do it, what that really means is someone else could do it, too. And if I were North Korea or Russia or China or Iran or any one of the other state sponsored actors, I'd be trying this too. And if they could, if these guys could be in, the chances are pretty good someone else can too. Again, I know we talk about security through obscurity and that's not a great thing, but it's also not a bad thing. Anthropic should have just sat on this. They shouldn't have gone for all the marketing hype with the, we're sitting on something we can't tell you about. It's like, I've got a secret, but I can't tell you, right? I mean, we all know as human beings that never works out. That's funny. That's a really good comparison. Yeah, that's, yeah. I mean, that reminds me of the 80s and 90s hackers, like what it was all about just because you could. There was no real incentive behind it. Yeah. Yeah, I certainly hope that's it. I certainly hope we're not about to see a string of like all these companies were hacked in a way where clearly they must have been abusing Mythos because there's nowhere else they could have done it or something. But, yeah, interesting stuff. I think that's all I got.
I feel like we've covered that pretty well. Yeah. Jonah's, I think, trying to give you a real quick plug again. If you guys are enjoying Carrie, which somebody said that in the Signal Trap, by the way. They said they're really enjoying you on the show. So Firewalls Don't Stop Dragons, FDSD.me, definitely check them out. And we'll talk about that a little bit more in just a moment. But first, we're going to get into a fun story about Meta. We all love to jump on Meta. Oh, yes. Meta's one of my favorite companies to pick on. So Meta has started key logging their employees, allegedly to train AI data. I'll be honest, the story is pretty straightforward, but there's still some good takeaways here. So let's start with the facts of the story. Meta is installing new tracking software on employers' computers that will measure mouse movements, clicks, and keystrokes for training its artificial intelligence models. This is called the Model Capability Initiative, and it will run on work-related apps and websites and will also take occasional screenshots of the employees' screens. And they say that the goal is they're trying to improve areas where agentic AI struggles. Well, they said the company's AI models. I'm assuming this is an across-the-board thing, or maybe their AI really just sucks that much compared to everybody else. I don't know. I haven't used any AI agents. I wouldn't know. I don't trust them enough. I don't mind AI telling me click. It's a control freak thing. I don't mind AI telling me, like, hey, click on this article because that's got the news you're looking for. I do mind when it's like, let me go buy your plane tickets. Like, no, don't. But anyways, they say that they're specifically looking to improve things like like when you have to choose from a drop down menu or you use keyboard shortcuts. Apparently, that's something where AI still struggles. They also said that. Where did it go here? Oh, yeah, here it is.
They said that the MCI would not be used for performance assessments or any other purpose besides model training, and the safeguards were in place to protect, quote-unquote, sensitive content without elaborating on which types of data would be excluded. So, I mean, me, again, I hate Meta. I love to take shots at them. So my first question is it's not going to be used for performance stuff for now. And, like, how are they going to – if it's taking screenshots, like, okay, first of all, and I think this is probably where we're going to start getting into the analysis portion, but like you shouldn't be doing anything personal on a work computer. But hypothetically, let's say someone's opened like an email or something like something that they need to do real quick. I mean, we've all had those moments, right, where it's like, I need to do this thing. It'll take five minutes. I'm at work. Let me step outside and make this phone call or whatever. So what happens when they open their email and that's the moment that it decides to take a screenshot? There is not a world in which you can convince me that Meta is going to throw that away. Like, yep, I'm sure they'll say they will. I don't believe it for a second. Yeah. Lucas here says they want them to train their replacement. Maybe. Maybe. You're not wrong. Yeah. So, okay. So one of the things I got from the article was that it seemed like what they were really trying to do is, again, toward this agentic AI you're talking about. They want to understand how humans interact with this stuff so they can better implement their agentic AI, which will take over and do these things for you. So that's one of the reasons, supposedly, why they're doing this. And so let me just take a quick segue to say you're absolutely right. In my opinion, you're absolutely right. Do not use anything agentic at this point. I think it's really cool. I love sci-fi.
I can't wait for the day when this stuff is trustworthy, and I can tell my computer to do this stuff. It can do great stuff. Like my doctor, of all people, was telling me, oh, yeah, so I started. I installed Claude Cowork and just told it to clean up my Mac for me. And it went and found all these files and got rid of stuff for me and tweaked all my settings, and it's so much better now. I'm like, oh, my God. Like, I can't trust these things yet to do those things on my behalf. Someday, maybe, I'd love that, but no, we are not there. We are already seeing places. I bet you that story was so close to ending with, like, and then it deleted all my kids' photos. Right, right. Yeah, and so we're building some of the things we need to do, and we're already starting to do them. There's this thing called MCP, which I think is model control protocol. We're starting to build in frameworks into our operating systems that allow these things. So they're already building in hooks, basically software hooks into our applications and our operating systems for agentic AI. So it'll be easier for these guys to basically script and automate things on your computer. And that's good in the sense that if it's coming from the operating system vendor, Apple, Google, Microsoft, hopefully they're going to build in some guardrails. And hopefully they're going to set up types of permissions that you could give. It's going to be like apps all over again where you have to go through and say, yes, you can have access to my microphone. No, you can't look at this folder that has my taxes in it. You're going to have to go through that. But right now it's the total Wild West. Was it Clawdbot or Molt? What was it originally called? OpenClaw? It's OpenClaw now. I think originally it was Clawdbot, and then it became like Moltbot, and now it's OpenClaw. I can't remember exactly either. And so when I read that, first I was like, that is – again, I'm an engineer. I love to automate things.
Like, that's totally cool, but I would never do that. I would never trust this thing. So I was like, okay, how do I do this? So I'm actually building my own server to do this on because, first of all, I've got to sandbox this. And so I've got to keep this totally separate. I would never run these things directly on my machine because then they run as me. They could do anything I can do. And in most cases, that means you're admin, so they could do anything. No way am I going to do that on any computer I care about. So I bought a dedicated computer for this, and I'm running local models only. I'm using Ollama, if anybody's familiar with that. So it's all local. There's nothing cloud-based on there. And I want to try to get this thing to do those kind of things. But it's going to be more like an assistant. Like, it's going to have their own personality. Like, I've already got this box set up. It's, okay, this is going to sound horrible. I totally understand that AI is not real. Do not worry about me. But I called it Sam. And I called it Sam because that's the name of the AI in Her, which is a movie, if you've not seen, you need to watch it. It's very relevant now. That's been on my list for, like, a year. Oh, yeah. Go watch it. In fact, I need to watch it again. It's a weird love story with AI. I'm not spoiling too much. But it's really talking. It speaks a lot to what we're doing now with all this agentic AI stuff. So I called it Sam. Anyway, Sam's going to have a memory. Sam's going to have AI. But it's all going to be local. And Sam is different from me. Sam is not me. Sam is not sharing my accounts. This is the kind of thing where Sam's got her own Proton account. Sam's got her own Signal account. Sam's got her own phone number. And we will communicate via Signal. She will only ever respond to me, and she will do automated stuff, but she's going to do it as her, not me.
And with whatever sharing kind of permissions I'm able to set up in like a Proton or wherever, we're going to share stuff. Right. So that that's that's how I'm attacking this. But eventually we will get to the point, I think, where these things will be trustworthy. We are not there yet. Yeah, for sure. I don't know. For me, I think it's just a control freak thing. I don't think you like I don't know. I've never been in a job where I've had an assistant. I've never, you know, I've always been my mom raised me to be self-reliant and not have to rely on anyone to take care of me. So for me, I think I'm just too much of a control freak to like. And also, like, I honestly, I do ask myself a lot. I'm like, is there anything where I can offload this to AI and I'll be, you know, like I'm being stubborn. I'm being a Luddite, even though I know that phrase gets used wrong. But, you know, I ask myself that a lot and I just I never seem to run into anything. It's like I've tried having and I know this isn't agentic AI, but I've tried having like AI write blog posts before. And I won't lie. It's really good. Like, I'm not going to lie. I did this with with my interview or my review of Cindy Cohen's book just for fun. I'm like, OK, here's a link to my blog post, like my entire old blog that I've been writing since like 2018 on Write.as. I'm like, here's a link to that for tone. I want a review of this book.
Here were my thoughts about it. And it was really good, I'm not gonna lie. But at the same time, I looked at it, I'm like, but I just, I'm not comfortable publishing that. Like, I didn't write that. And there were definitely like a couple sentences that I was like, okay, actually, I really like the way it put that, and so I'm going to use that specific sentence. But there were like two sentences out of the whole thing. I just, I don't know. I'm the same way. I think it's, I think it's a pick and choose kind of thing. So I think if it's like, I'm the same way. I would love, this is something I'm working on as well. It's called RAG, and I forget what RAG stands for. It's an acronym. But basically you feed it a whole bunch of stuff. And I basically want to give it here's here's my book. Here's my all my blog posts. Here's the transcripts from my podcast. But I want to know things like, have I talked about this before? When was the last time I talked about it? Who did I talk about? Did I have a guest where they talked about this? What were the points that we brought up then? Go back and look at my podcast. Did I ever say something like, you know what, if this if this changes, I'll get back to you. And I don't want to forget that. So go back and help me find to do lists from things where I said, oh, that's good. I told my audience I'd get back to you on this. And I want to make sure I do that. But, yeah, I've done the same thing. I don't think I would ever let it write an article for me, but I have had it. It's like, okay, give me some bullet points. Give me some ideas. Here's what I'm looking for, and I've done some brainstorming with it. I did for fun, kind of like you. I'm too OCD about it. I would never let them. I've got to write in my own voice. It's me, and I like my tone and the way I do things, and I wouldn't trust something else to mimic me. But I did say, okay, give it a shot. Take this and just write this article as if you were me. It wasn't me. It wasn't good enough.
It probably will be someday, but it's not there yet. I probably still wouldn't do it. I'm with you. When it comes to things like that, content creation, things that I'm creating, it's got to be for me. But there are so many things that I got on me. Here's another one for you that I'm looking at doing, and I've already kind of started putting some groundwork. I hate most news aggregators. I have an RSS feed where I can actually just, you know, I can get the raw articles into a nice, you know, set of folders or whatever. But what I really want is I want to write my own news aggregator that goes and finds these things for me and then highlights the ones based on my criteria that are interesting. And then maybe even notifies me like, hey, this is hot. This is happening right now. You might want to go check this out. I want to and I want it to be tailored to me. And I don't want ads and I don't want tracking and I don't want data mining. But in summarizing, give me give me three bullets and that could be a slightly executive summary version. And then if I want to go on, I'll read the whole thing. I would love to have something like that because most all, okay, every news thing I've used lately just sucks. It's full of ads. It's full of autoplay videos, and I just can't stand it. I'm going to build my own. And so let me make another point. That's where we are. Another thing, I'll make another prediction for you, and Carissa Véliz would not like it because she – and that is that we are in the age now of custom apps. We're already there. I'm already doing it, and the rest of us are going to be doing it very soon. This is going to put some software people out of business, certainly a lot of these subscription-based ones, where you're going to say, I just read this article recently, and I think I might talk about this on my next podcast, where this guy, no, I actually did my last podcast. He wrote his own word processor because he was so sick of all the other ones.
He needs a certain set of features. I don't need 100 features. I need five. And then I need, of the five that Microsoft Word has that I really do use, I need two more that it doesn't have. Like he likes Pomodoro timers. He's into that getting things done system, which I've heard of, never used. He built that into his own word processor. He just had he just vibe coded the whole thing. And so now he has a custom word processor that lets him it has folders where you can bring in source material like here's a PDF. I want to reference. Here's a link I want to reference. And now I write an article about this. Help synthesize that for me. He wrote a custom word process. This is what we're all going to be doing soon. We're just going to be writing our own apps. I've heard other me. I've heard other people make those predictions, too. So, yeah, I don't know. And I mean, I guess as far as vibe coding goes, I know for the simple stuff, it's probably fine. Like, make me a note-taking app that does this and looks like this. I think right now, the complexity is where it's going to go wrong, right? Like, somebody's going to be like, oh, but I wanted to do 500 things, and then it's like the next thing you know, your social security number is on the front page of Google. But, you know, yeah. I will say, not to, like, keep getting on the topic, but I will say the Cindy Cohen, the article that I had it write, the AI write, was actually pretty good. And I'll be honest, if I published it, I think most people probably would have not noticed maybe. But it still just it just doesn't feel right. Like it's no. Yeah. Like you said, it's not me. So real quick. I OK. I was just going to say I'd feel bad if we didn't touch on this. The whole like the bossware aspect of this Meta story is, you know, just to kind of remind. I don't know about other countries, but here in America, like I don't think I mean, it does specifically say that this probably would not fly in Europe.
The Reuters article here did say that. But I know in America, they can't make you download anything on a personal device. I think on company computers, they technically can, which is also why, again, we made a point of if you can, try not to do anything on company computers. I know everybody's in a different situation. Some people are in a situation where that's the only computer they have, and that's really unfortunate. But if you can, try to keep your stuff compartmentalized for sure. We get into all that stuff in this interview coming up. I think it's going to be late May. So it's going to be, I think, three interviews out, which is six weeks, because I alternate between news stories and interviews for my show. But we talk about that. We get into those details a lot about what they can and can't do and what they are doing. And the fact of the matter is it's their equipment. So if you're using their equipment, you should assume that they know everything you're doing on there. And they can legally. You don't have the right expectation of privacy on a company device. So from that perspective, I don't think, just because it's right doesn't mean it's not creepy or legal, let me say, it's not right, just because it's legal doesn't mean it's not creepy. And that's what Facebook is doing here. It's going to be super creepy. And, you know, Microsoft Recall was another thing like that, where Microsoft had this built-in AI agent that's going to keep track, take pictures of your screen every few, every few seconds, I think is what they were doing. Yeah, I think it was like every three seconds or something. Yeah, read all your texts so that you could ask it later. Hey, what was that website I was looking at before? Hey, what was that email I started and then deleted? I want to do that again. But that also means that they were going to mine that stuff. And their security, of course, when they first released it was horrible. But anyway, yeah.
These devices, you should assume, even if it's your own device, if it's a mobile device, we call it BYOD, bring your own device. Because it used to be issued a company phone back in the day, and that's a lot less common now. You bring your own phone, because nobody wants to carry two phones. And so they put an MDM profile on your device, which allows them to do certain things. Usually it's pretty sandboxed is my understanding, actually. And again, we talk about this in the interview. But that is actually pretty clean. And, like, they don't cross the streams. Like, they get access to Outlook or whatever the company wants you to install. It might force you to have a pin or a pin of a certain strength on your device. Things like that, security, things like that, because they want to protect their IP. And by that, I mean intellectual property. But yeah, when it comes to the corporate laptop or the corporate desktop, if you've got one of those, you should just completely assume that even off hours, if you take it at home, they can, they're probably not doing it maliciously right now. Like, there's not somebody sitting in a security room somewhere just like flipping through channels and look at what employees are doing. But it's being recorded, so they could go back at any point and look at logs and look at those kind of things and, you know, find some reason to fire you. Yeah, I used to, at my last job where they, they gave us a company laptop. It was on the guest network, so it was behind a VPN. It was isolated from everything else. And I would come home. I would log my hours. I'd send my daily report, and I'd turn it off and put it in my backpack and put it away. And I really tried to get in the habit of doing that before I even left the job site just because that way it's like – I don't know. It just felt like it saved up so much more time when I got home. I get home, and I just go straight into shower, eat, whatever, but yeah.
Yeah, setting boundaries, and that was a good way to do it probably. Yeah. Yep. Alrighty. So I think we're at the point in the show where we will start taking listener questions. So if anybody can bring it on. All right. Yeah. If anybody has any questions, I know the chat's been pretty busy. But if you have any more you've been holding on to, go ahead and start leaving them in the comments or in the forum thread. We're going to check that in a minute. But first, on the topic of the forum, we're going to check in on, well, the community forum. So there's always a lot of activity. This week has been really busy, a lot of chatter. I mean, we post a lot of articles and videos, so a lot of chatter this week. But this week I wanted to highlight specifically a couple of very closely related forum messages. So one of them is somebody said, how much privacy can I really have when I'm being ratted out by my friends? And interesting choice of words there. But basically they mentioned that they have a friend that they play sports with. And that friend recently said they chose their team lineup using ChatGPT. So basically they told ChatGPT all their friends like playing styles, strengths, and weaknesses. And they said, although the information was probably subjective and not highly sensitive, I'm still uncomfortable with it. And kind of just went on to talk about, you know, how do we interact with people who may be a little bit less privacy focused than us and may not necessarily see the issues with that kind of stuff. And similarly, there was somebody else who asked about messaging apps. They said they made a friend who uses Line, which is a really popular messenger in Asia. I think it is technically end-to-end encrypted, but don't quote me on that. It's definitely proprietary either way, so basically like the Asian version of WhatsApp. And, you know, they said, why don't we use Signal? But the person declined. They said, I don't know why they declined to use Signal. 
Apparently, they said Asian mainstream media sometimes intimidates people away from secure messaging apps because it associates them with criminal activities, which is really unfortunate. But, um, they were kind of asking in that specific scenario, like, what are my options here? Like, I could sign up for Line using this, I could use it this way. But the, um, again, the overarching theme here that I really want to discuss, because I know you and me, Carrie, both kind of come from a background, like me at The New Oil and, and you at, um, at Firewalls Don't Stop Dragons, we come from a background of like kind of trying to meet people where they are and trying to like nudge them towards better security, but also accepting that unfortunately a lot of people are just going to do the basics, and sometimes we'll just be lucky if they even do the basics. But so, yeah, what are I know this is a very nebulous way to word this question, but I mean, what are your thoughts on that? Finding that balance between like accepting that you can't always force people to be as into privacy as you are, but also like still wanting to preserve your privacy and respect that. No, I think it's a really good point. And it's something I think a lot of people lose sight of. And it takes two to tango. And so you've got to trust the other people in your group. And that is another actually a great feature of Signal where you can set your messages to be disappearing, which is nice, right? So at least you don't even have to count on the person at the other end to make sure they're wiping the device every so often if you can set that, which is another great use for Signal. In this case, this person, you know, was using this other tool, which I don't know if it has such a feature. But even so, you've got to, I mean, as far as if you're threat modeling what's going on, you've got to just take into account that everybody that you're talking to, end-to-end encryption only goes to the ends.
And so any of those ends could be compromised. Right. And, you know, like we're what was it? We're good on OPSEC. Right. When when when we're clean on OPSEC, I think it was. But yeah, we're clean on OPSEC. So clean. Yeah. Right. So, you know, it's something you got to take into account. And as far as how do you this is a perennial problem with this with security and privacy tools in general is that you, you've got to, and I struggle with this. I mean, you want to communicate to your friends. I'm on several group chats that are just the ones that drive me the most nuts are Android slash iPhone group chats where you're getting green bubble messages everywhere. And some people have older iPhones, so they're like duplicating messages. And when someone puts a highlight on a message, instead of highlighting it, there's a text message saying so-and-so has said, ha-ha. You know, so you know, technically, you're already screwed. Plus, it's SMS. So, you know, there's no security. And I would love to say, hey, guys, let's all go to Signal and do this there. And I just don't. I just shut up and roll with it. So there's only so much you could do. I've convinced certain sets of my friends to use Signal for when it matters, and I keep trying to get more. But this is why it needs to be the default everywhere. So there is no choice. You don't have to worry about it. Everyone's just – we should all just have it by default. It's not a criminal thing. It should not be should not raise eyebrows when someone is using end-to-end encryption. It just should be the default. Yeah, for sure. And thankfully, like now RCS is starting to come with encryption. But I know that's still in the early days. I don't even think it's out of beta on iOS yet. But but even then, you know, RCS comes with metadata concerns. But it's certainly a step up from, like you said, SMS, which is I always tell people like SMS is basically a postcard at this point. Yeah.
But yeah, it is really frustrating because, like, my brother, I'm very close with my brother, but he's pretty much all in on Discord. Like you might maybe call me on like a cell phone if there's an emergency, but he's not going to switch to Signal or anything. But it does suck. But yeah, I think kind of one thing you said toward the beginning, if I heard you correctly, you kind of mentioned threat modeling. And I think that's a really important thing that, you know, I'm a firm believer that like privacy should not negatively impact you. And, um, it's definitely great to try and, like, encourage people to use these messengers and try to nudge people towards that and offer to help them out. You know, like, it's such a fine line between, like, being pushy and being helpful, of like, hey, what if I install it for you? Like, would that make you more likely to use it? Because I've run into those kind of people. Like I've mentioned, um, on previous episodes, I have my stepdad on Signal, and we have like a family group chat. We're probably the only people he uses Signal with, but like, I put it on his phone and he uses it no problem. And I guarantee you it probably would have been crazy to talk him, um, I think he's almost in his 70s, uh, he might be in his 70s now, um, and he's just, he's one of those, you know, obviously there's a lot of, like, tech-savvy older people, but he's not one of them. And, um, I'm sure trying to walk him through it over the phone or something would have been a nightmare, but we just got together one time and I was like, hey, if I put this on your phone, will you use it? He's like, yeah, absolutely. And, um, so it's super awesome having all of us in there now. But yeah, it's, um. But where I was going with the threat modeling is just remembering that it's – how important is it? It's finding that tradeoff of like this person is important to me.
I'm willing to have this SMS conversation, but also recognizing that maybe there's some things I'll wait to say until we're in person or some things – I don't know. So it's a tough mind for sure. So when it comes to things like family, like one thing I did for my family is I just went ahead and sucked it up and paid for Proton Family for everybody. And that – so once I'm paying for it, it was easier to talk them into doing it. A little bit of guilt. I'm paying all this money. Because that was my first thought. If I did that for my family, I'd have to guilt them into it. Guys, I spent like $600 on this. Come on. Right. So I wasn't above doing that for my family. So yeah, I totally agree though. Helping other people do it can be a big way to go. Back to threat modeling, I wish we could come up with a less scary term for that. Threat modeling sounds really technical, it sounds really scary, and that immediately turns people off. I wish we could come up with a better marketing term for evaluating your situation. Right. Yeah, that's why, um, I did give a talk recently, and I basically had to, like, recap all the basics, and I started with threat modeling. And I always tell people, I'm like, it's just a fancy way of saying what are you protecting, who are you protecting it from. Like, it sounds scary. I think we use it because it makes us feel like spies, and that's fun, but it definitely sounds intimidating. But, uh, yeah. Um, The Privacy Dad said, I put Graphene on my partner's phone and I don't even think she realized. Um, honestly, yeah, I kind of want to ask my wife that because them. She also has a Pixel, but she's at the point where she's settled in. She's got all her apps on there and everything. And I've asked her before, I'm like, hey, can I flash your phone? Like put something on there? And she's like, yeah. But I mean, at first she was like, yeah, sure. And then when I told her, I'm like, you're gonna have to reinstall everything.
She's like, oh God, that sounds awful. So I think next time we buy phones, I'm going to be like, okay, before you sign in, can I flash this phone? And then it's all. I think browsers are a thing that really fit in that category too, because, I mean, surfing the web, there are some nice features here and there. Most people probably don't use them. If you replace somebody's browser, I think the chances are pretty low they're even going to notice, because they basically function the same way. I have seen multiple stories on Reddit of more tech-savvy people who are like, oh, I went to my mom's house and found out she was still using, like, my Windows Explorer or Microsoft, whatever it's called. And Internet Explorer. Yeah, and so it's like I replaced it with Chrome, but I changed the logo so it still says Internet Explorer, and she hasn't even noticed that it's been like six months. Oh, that's funny. I mean, you know, some people for sure could definitely do that. But I feel like Chrome is different enough that I think most of the people in my life would notice. Like, wait, something's different. But, yeah. So, all righty. I think on that note, we'll dive into questions. And we'll start with the questions on the forum, specifically if we have any paying members who left questions. I don't think anybody did, but I'll take a look. And if you want to become a paying member, you can go to privacyguides.org. And there's a little red heart icon in the top right corner of the page. So I told you all this Brave story was extremely controversial.
And I'm not kidding, because if you go look at the forum post for this episode, it's mostly people discussing amongst themselves. So the first question came from Nostromo, who said, I'm sure you'll talk about it, but please be sure to make a case both for and against. I hope we did that, because I personally feel very split on it. So I apologize if I came off as very, like, either way, because, I don't know, I see both sides of the argument personally. But yeah, me too. Again, to me there's a difference between the marketing aspect and the financial aspect of this. I think the marketing was kind of weird, but that doesn't mean you still can't do it. And if you want to support them, that is a way to do it. And if it gets you a better version of the browser or automatically turns off all those things that drive you nuts, sure, I guess. I could see it either way. So we did have C's listed a couple of questions here. Let's see. I'd be interested to hear your thoughts on the following topics and stories if you have time. I know some of these stories, so we can go through them pretty quick. Did you hear about the Bitwarden CLI was compromised with a supply chain attack? Yeah, I did. Do you have any thoughts on that one? Not on that one specifically, but supply chain attacks are a serious, serious problem that needs to be fixed. We need to lock, that is, we found another soft spot in our processes. And as a software engineer, I can tell you that that is, for example, one of the things that's often done in software is that you say, here's a list of software libraries I depend on, because software today is not. No one writes their own software top to bottom anymore. That's not, we're all using, it's a Frankenstein. You're taking a piece of this, a piece of that, because someone's already done it. So why reinvent the wheel? And so you bring in all these various parts and libraries. Some are open source, some are not.
And if you don't specify, by default, what usually happens is like, okay, here are the 10 things I depend on. They'll get you the latest version every time. When you do a new version of your software, go and fetch the latest version because it figures you want that. That's where the supply chain attacks bite. So one of the things we could be doing and should be doing for all these things is what we call pinning, where you say, okay, here's the 10 things I depend on, and I want these specific versions unless I tell you otherwise. So at least if you get to the point where you can trust the versions that are there, you're not going to get bit because one of those got taken over by somebody, and the next version has got built-in malware because you're not going to go get that version automatically. There are things like that. There's processes that we need to, the new best practices that we need to adopt, but that is a definite soft spot today with software engineering. So I don't hold it against the Bitwarden CLI folks. It's probably one of those kind of things that bit them. Supply chain stuff is a serious problem. Yeah, and I do want to say for the record, for those who aren't familiar with this story, because it is pretty new. It just happened like the other day, I think. So this was a, like Kerry said, supply chain attack. So it wasn't Bitwarden itself. It was one of the libraries they used. The library itself was actually only compromised for about two hours, not even. I think it was like an hour and a half, 5:57 p.m. to 7:30 p.m. on April 22nd. Bitwarden confirmed the incident. They said that the breach affected its npm distribution channel and only those who downloaded the malicious version. So hopefully nobody downloaded it in the hour and a half window. They said there's no evidence at this time that any end-user vault data was accessed or at risk, but they've already fixed it up. So, yeah, I mean, I'm with you.
You talk about the supply chain, what do you call it, the bill of materials? Or manifest. It has different names, but yeah. You mentioned that a few times on the podcast, and that's definitely, I think, I was really hopeful for a minute there. We were seeing a whole bunch of supply chains. Oh, SBOM, software bill of materials. Yes, I have talked about that several times. Keep going. Yeah, and I remember thinking, I'm like, we might finally start making some progress on this, but I haven't really heard anything, so I don't know. That is something that, as a software engineer, I would say we should all have, and it sounds maybe easier than it is, but basically what that is is an ingredients list for your software and you publish that with the software. So you can say, these are all the things that my software depends on. Now, some companies are going to say, well, that's a proprietary secret, even if I'm using a public library of some sort, OpenSSL, let's say. Even if I'm using that, I don't want to tell people I'm using that because maybe, again, security through obscurity, maybe it's going to expose me to people who are going to find an exploit in the version I'm using and then try to exploit me. Okay. But the flip side of that is it also tells people, if we had software bill of materials, if every piece of software you downloaded came with a machine-readable list of ingredients that went into that software, then your operating system could keep track of all that and find, like, oh, OpenSSL version this, which you have in this app and this app and this app right now, has been compromised, which means those apps are then compromised. You should stop using them or update those apps right away. It would give us that transparency and that visibility to allow us to react to those things. So I think, yeah, you could look at it. It's just kind of like open source software.
A lot of people say, well, if I show you, if I open kimono, this whole thing, you're going to know how to exploit me. Okay, but the upshot, when you look at net-net, it's better for everybody if people have had a chance to review that stuff. And now we've got tools that will do it, like Mythos, that will find bugs in it, hopefully, so you can fix them, as opposed to just hoping that nobody finds these bugs. So, yeah, that was software bill of materials, or SBOM, which I think is a fantastic idea. But, yeah, it has not really, unfortunately, has not caught on. Yeah, yeah, it's, uh. Oh, I was gonna say, um, if you haven't, uh, last week's episode, I think we talked about this because Cal.com went closed source. Yeah, no, I heard that. Yes, I did listen to that. Yeah, I was gonna say, this Discourse, which is our forum software that we use, um, their maker kind of issued a very, very aggressive rebuttal where they pointed out, kind of like you're saying. And like, yeah, okay, security through obscurity might slow them down a little bit, but probably not that much. Well, they also got another life thing. Go ahead. I was going to say, like, you mentioned earlier that, like, security through obscurity isn't necessarily bad. And I agree with you on that because to me it's like it should be part of a defense in depth. Like if you're only relying on security through obscurity, that's probably bad. But, you know, if you're layering it with other things like password logging, password logins, right? That's a really good example. If your credentials, if you're not using the same password and you're not using the same username on every single website, that's a little bit of security through obscurity. But then you layer it with like two factors. So probably not the best example. Yeah. So, yeah, you definitely don't rely on security through obscurity. But it's also another layer that doesn't hurt you either. I mean, you know, but where I take exception to that is with open source software.
I think it does help to have other eyes on software and now other tools that can look at that software. And I know you've mentioned this fact. I think you mentioned it maybe last week where you said that just because it's open source doesn't mean it's going to be more secure. But it gives you the opportunity for other people to look at it and perhaps find bugs and get them fixed, which is a good thing. Yeah, that's my take, at least. But so this person did have a couple other things they wanted us to look at. Did you hear about how Firefox is actually going to start adding built-in ad blocking? No, I hadn't heard that one yet. Oh man, I'll have to go find you an actual article, because this one, they just linked the Mozilla Bugzilla, like their little in-house hub kind of thing. I've seen at least one article write-up about it, but I'm not sure how good it is. But yeah, they're basically going to, they're going to be using Brave's ad block implementation, which I believe is written in Rust. And again, I was traveling this week, so I didn't really read it that closely, but I think it is... Let me see if I can go find it here. Yeah, they're going to be using Brave's Adblock Rust engine, and it's basically going to be like a little bit of a built-in ad blocker, which I think is really cool. How good is Brave's built-in ad blockers? Because it's my secondary browser, so I don't surf everywhere with it. Is the built-in Brave stuff pretty good for blocking ads? I mean, I think it's pretty good. Is it comparable to uBlock Origin? I was going to say, I think it's honestly just like a copy of uBlock Origin. Like, I think they make some changes to it, but I think it's largely based on uBlock Origin. Or at least it uses a lot of the same list that uBlock Origin does. So I don't know why they didn't just go with that personally. But, yeah, it looks like this is a pretty – Jonah says here that Brave's is a little bit lighter weight. So, okay, let's see.
Oh, this is a pretty short article. Mozilla's bundling. Pretty excited to see them finally. It landed in 149. It's an experiment. It's disabled by default, no UI, no filter lists, but looks like Waterfox rolls it on, and then he talks about how to enable it in your about:config. So I might, if I remember, I will try to add that to the show notes, which means I might do it tomorrow while I'm making clips of these. But yeah, no, I mean, I'm really excited about that because I think personally that's been – I have a lot of little nitpicky complaints with Firefox, and then I have a few that I think are kind of bigger. And this is – I think this is kind of somewhere in the middle is – okay, so actually let me preface this. So when I make shorts over at The New Oil, like I'll make shorts about like ad blocking, right? And I'll tell people – I'm like, download Brave. And people get mad at me because they're mad at the company behind Brave. They're mad at the guy at the top of Brave, which is fair. That's fine. And they're like, well, you should use Firefox. And it's like, OK, but I'm making a TikTok video. And what are people more likely to do? Download Brave versus download Firefox and then install uBlock Origin and then make these dozen changes to bring it up to Brave's level. Like Brave is just so set and forget and we have to make it easy for people. And so I really appreciate that Firefox is like doing that and getting up to that level where it's like, you know, now it's becoming easier to recommend that people just like go download Brave or go download Firefox. They're both equally good. And I'm excited to see them getting up to that level personally. Okay. But here's – so I'll be flipping it back at you.
So one of the reasons that I didn't go to Brave, and sometimes the reason I don't tell people to use Brave, is I recall back in the day, and this may have changed, having to, like, disable their BAT token thing, having to disable their AI now, which, by the way, Firefox, their new CEO, is like, we're all in on AI. I'm like, no. Anyway, so for me, it was like, okay, yeah, Brave out of the box was private, but then I'd also have to tell people to disable this, disable this, turn this off. So to me, it was kind of a wash. And I mean, don't get me wrong, like if you go to, like, Privacy Guides, for example, if you go to our website, we do have like a recommendation, like, you should still tweak these things. But I kind of think for some reason most people just don't care. Like, again, when I look at my wife's computer, she's got the BAT stuff turned on, she's got the sponsored images turned on. Like, I think, and for the record, I'm not saying this in praise of them, because I'm with you, I kind of wish that stuff wasn't there, or at least I wish it was off by default, because I'm pretty sure the crypto people are smart enough to go looking through the settings and know how to turn things on. Which, by the way, Jonah just said that's the point of the new Brave Origin. Yeah, true. Good point. And actually, on that note, Cass here said maybe Firefox should sell a $60 alternative. They have good defaults. You know what? I'd pay for that. I'm not even going to lie. I would pay for that. And it would be a sustainable business model, unlike just buying random extensions nobody's ever heard of. And then killing the ones that people actually liked. You mentioned Pocket before we started recording. That was like the one time Mozilla killed something and everybody on my Mastodon timeline was like, dude, what the heck? Yeah. Anyways. But no, I think it's, for better or worse, I think Brave has designed those features in a way where they're not really intrusive to the average person.
So I don't know. At least I've never heard anybody complain about it. But I agree. It would be nice if they turned it off. But I think it's still just an easier sell to tell people, like, go use Brave. That's one step versus go use Firefox, but also you need to make some changes. I will give Brave some credit in trying to find a different way to monetize the Internet, because it seems like, you know, micropayments was going to save us at one point. Like, OK, we're going to micropayments. And then there was this push for a little while of let us mine Bitcoin while you're on our page. And it's all running in the browser. It's all contained. But, you know, hey, while you're on our site, there's this little thing running in the background that's trying to mine Bitcoin. I thought those were at least interesting because ads, ad-based Internet is what's causing all of these problems in the first place. We've got to find some other way to monetize the Internet. That's kind of free-ish. Right. That people don't have to necessarily. I don't know. So I give them credit for trying to come up with some way to do that. I just don't like what they chose. No, and I agree with you. And I like, I find myself doing that, too. Like, lately I've really been thinking a lot about, um, like, just, I'll be honest, I just think a lot about, like, diet and finances and stuff. And I'm like, man, why am I willing to buy, you know, especially with inflation and everything, like, a soda is like three dollars now and it's gone in like an hour, but I'm not willing to pay like five bucks a month for some kind of membership or something. And it's just, it's so weird. Like, marketing's got us all messed up, man. And I don't know what the solution is, because then on the other hand, there's, you know, there's certain things where I'll admit, like, there's certain YouTube channels I watch where I'm like, I like this channel, but quite frankly, I don't get enough value to pay for it.
If it went paid tomorrow, I would just stop watching. But then, you know, there's other things that it's like, yeah, but I do get a lot of value out of this. Like, why am I not paying for it? It's I don't know. It's it's weird. It's weird what's happened to us. But yeah, sustainability is an issue for everybody, I think. The last one we had here is they were asking if we had any thoughts on the way that Signal handles edited messages. So I don't know if you've noticed, but basically when you edit a message on Signal, I guess people can see the changes that you made. Oh, I actually had not noticed that. I don't know if I've noticed that before or not. I personally think that's perfect. In fact, I've argued for that on social media, especially the damn sites that don't let you edit your messages. Oh, my God, that drives me nuts. Let me edit it, and fine, keep the original. I'm actually okay with that. so that people can see if you've altered something. I think that, you know, especially on social media, perhaps, you know, you could say maybe for public figures, but whatever, everybody, fine. I think that solves the problem with the editing thing. Edit it and just let people see your past edits. And I think that preserves the, what's the something trail, the audit trail or the log trail. I'm okay with that. I don't know. Do you have an opinion? Do you do not think that's cool to be able to go back and see? Because when I edit something, usually it's a typo or I want to expand on something or realize that something I said was ambiguous. So I want to add a little notes like this. Here's the context that is missing from this. And so you can understand what I'm saying. That's that's usually why I would edit a message on Signal. 
Do you have a problem, you think, with showing that it's? No, I mean, me personally, no, because I'm kind of in the same boat as you were. Like, I feel that I try to reread my, especially longer messages, because like I said, I am pro at typos or like or just forgetting a whole word. Like usually it's a small word like the or something like that. But, yeah, so a lot of the time I'll send a message. And then if it's a long one, I'm like rereading it and I'm constantly like, oh, go edit. I missed that word. Oh, go edit. I typoed that. Oh, shit, go edit again. And I like I try to group them because otherwise I feel like I'm just going to keep pinging the person every time I edit it, which is annoying. But I don't know. I think somebody pointed out, like, I hate to do whataboutism, but somebody pointed out that, like, I feel like the bigger concern here is, because basically they were saying, like, what if basically you said something you didn't want the other person to see? Like maybe you sent the wrong message to somebody, or you, um, like maybe you're having an argument, you said something hurtful. Which, could you just delete that though? I mean, delete is delete. Well, so for the record, that's my bigger concern, is because I've, um, I struggle with depression. I'm pretty open about that. And every once in a while when I'm depressed, I'll say something to somebody, like, not anything hurtful, but like, I struggle to reach out. Um, I'm trying to figure out how to word this, but then sometimes I'll doubt myself. Like I'll send somebody a message and then my brain is just like, man, just like, don't, don't bother them with your crap. And so I'll delete it. And I've actually had times where people were like, like, hold on. I saw you deleted that. I saw the message preview. Like, let's talk about this. And I'm just like, Oh my God, dude. And you know, like that one's kind of relative. And that one's a good one, right?
Like people are trying to like help me out and be there, but like, that's the bigger concern to me. And I know this is, again, And this is kind of like whataboutism. But, like, most people have notifications turned on and the previews are turned on. So what happens when you delete the message? The preview doesn't go away. It's still there. So, I don't know. To me, that would be the bigger concern is, like, they're still probably going to see that preview even if you delete it. Because otherwise, yeah, I'm with you. Like, that would be the easy workaround is just delete it and redraft it completely. So, yeah, I don't know if this is – I guess that's what I'm trying to say is I don't know if this is the bigger concern. I think the bigger concern would be the message previews that most people likely have enabled. But I thought it was interesting that we talked a little bit about the signal thing where they figured out how to. I mean, this was, as far as I'm concerned, a bug in iOS, which, by the way, they just fixed where they got into the signal messages to somebody because the notifications, there's a whole database for the notifications. And if you have those set to show on your lock screen or certain certain situations, they will get put in this database, even if you delete the app, which is the big thing. So I think what Apple finally fixes, if you delete the app, it goes to this database and also deletes the history of notifications. But, you know, I don't know. I guess delete should be delete. I think that's to me, that would be the solution. So delete is delete. So if I delete, it deletes it from all this memory that should not show up anywhere. If they happen to see it, I can't stop them. But if they hadn't seen it yet, I delete it. I think it should just be gone from their phone. I think that's the delete angle. And hopefully that cover most cases. But I think otherwise edits, sure, I'm fine rotating the edit history, I think. 
And I wish that, like I said, I wish that that's how they would solve edits on social media as well, because I hate the fact that I will do this all the time. I'll put a notice on Twitter. I don't want to get any hate mail. I don't like – but I've got to be there because that's where a lot of people are. So anyway, otherwise I don't like Twitter. We have a Twitter too. Yeah. It's the curse of being a public figure, I guess. So I post on Twitter, and you can't change it. So I have to delete it. By the time I'm copying and pasting to the third thing, I've done Mastodon and Blue Sky, and I'm like, oh, crap, there's a typo. And I go back and fix Mastodon. I can't fix Blue Sky. I can't fix Twitter. And I've got to delete and re-add. And, of course, by then, someone's already liked it. Anyway, it drives me nuts. How long has Twitter been around now? And I swear to God, back when I used to use Twitter, back in, like, 2012, people were asking for that. And is there a reason why they don't have it? I don't get it. Like, what's the reasoning? 
I honestly don't know. I couldn't tell you. I don't know. I'm kind of technical. Well, I know, okay, so I know on Reddit, um, when you make a post, you can edit it within the first, I think, like five minutes, because Reddit has a huge problem, or at least had, I don't know if they still do, but they used to have a huge problem with, like, people would go in and they would make a comment and it would get, like, a lot of upvotes or whatever, it would get visibility, and then they would go in and, like, edit the comment and make it say something completely different, like sometimes something borderline offensive or crazy, or like they would, like, make it seem like the person responding to them was saying something crazy. And, um, I don't think Reddit lets you see the post history, but there is a little star, and that means it's been edited after that little five minutes. So they give you, like, a little window where, like, if you're like me and you're like, oops, I forgot a word, like, you can go edit it and the star is not there. But I do think if you edit it, it should wipe all likes. I mean, it should start over, because, for that exact problem, because, yeah, I don't want to put something like, I love puppies, and everyone says, yeah, thumbs up, and it's like, I also love Hitler. And yeah, exactly. Right. You know, yeah, that's the kind of thing people were doing, I think. Yeah, I mean, Anonymous here has a good point. Like, they should make it, if you disable edit history for yourself, you can't see others' edit history. Which, I mean, Signal already does that for, like, read receipts, um, stories. Like, I do have stories enabled, but, um, I don't have view history, so I can't see who sees my stories and they can't see when I, like, there, it's, you know, it goes both ways. So, I mean, that seems like a good compromise, but I don't know. Yeah. Interesting, interesting stuff. Interesting, fun things to talk about. Totally agree. I think that was actually all our questions.
It looks like all the other posts were people discussing the Brave thing. And man, this was such a very contentious topic. People have, which, I mean, I'm not saying that's a bad thing. Did they cover anything that we didn't cover? Are there any angles to this? I don't think so. They're just kind of explaining. I think, let's see here, they're talking about what counts as a license. Like if you install, if you reinstall your operating system, is that, does that count as one of the 10 activations? How do you get activations back? So if I go through 10 devices, when I buy that 11th device, how can I get my 10 activations back? So, yeah, I don't know. Can I throw out one more story? I've got one more story. I love stories. This goes back to the AI coding stuff. If you can't tell, I'm kind of fixated on this lately. So do you remember, did you ever watch Halt and Catch Fire? No, but I've heard of it, or I've heard the phrase at least. The first season satirized a thing that actually happened, and that was back in the day in the, I guess in the 80s, when IBM had a proprietary BIOS for their PCs. And of course, and they wouldn't, you know, you have to license or sell it or whatever. Somebody figured out, hey, I'm going to take a group of engineers and I'm going to say, go dig through this BIOS and figure out what it does. Like, I want you to look deep into it. If you can find the code, find the code. But but give me a spec. Tell me what this BIOS does and describe it. And then, OK, give that to me. And then what they did is they hired a whole separate set of engineers and said, here's your spec. Make this. So what they called that's called a clean room. And basically what they did to get around the copyright and the licensing was they reverse engineered it. 
And they had one group reverse and one group actually pick it all apart as a black box and come up with all the specs for it and hand that to another group of engineers who'd never seen the code, never worked with it to create a complete copy that works just like it. And so that's how they got around this thing. They reverse engineered. Somebody has come up with and they said this was supposed to be satire, but it works. They've come up with an AI tool that will take a code. You give it any code. I think it mostly works on open source code. But you could, by the way, you could decompile binaries from regular code and still get the code. So even if it's not open source, you can still kind of get to it. He created a tool that takes one set of AI agents and picks apart the software, learns it, writes a spec, figures out what it does and comes up with a spec for what that tool does, and then takes the spec to a different set of AI agents. So this is all automated. This is a single click. Takes another thing. I think I know where you're going with this. Writes the software based on that. And one of the reasons this guy did it is we didn't like the LGPL license that came with the original code, which means I had to back contribute or whatever. I want to rewrite this with an MIT license, which is much more permissive. So they basically had two sets of AI agents rewrite it so they could basically say we didn't look at the code when we did this. That's just blowing my mind. I think I saw the headlines about that one, but I haven't read the story. Yeah, that's funny. They're making copyright-free AI or whatever because of that. That's so funny. People – I love the ingenuity of that. I love it. I never get tired of it. All right. I think we're going to call it here for this week, though. Thank you, everybody who joined us. All the updates from this episode will be shared on the blog every week.
So if you are a regular listener, sign up for the newsletter or subscribe with your favorite RSS reader if you want to stay tuned. I'm still letting people know. If you didn't know, we send the newsletter out as soon as the show starts at 5, well, 5 Eastern time. And if you are subscribed, you'll get that. And that'll be kind of your reminder that, hey, the show is starting. For people who prefer audio, we have a podcast available on all podcast platforms and again on RSS. And this video will be synced to PeerTube. We want to thank Kerry again for coming on and being a guest this week. And I'm going to let him tell you guys a little bit more about his show and his book. Yeah, just a couple more things. So this is going to be a big year for me. It already has kind of been a big year. So this is the ninth year I've been doing my podcast. I'm on episode, I don't know, what am I on, 477. I've done a podcast every week for 477 times. The book is actually about a year or two older than that, and both of those things are going to be doing a big year. So as you can tell by the numbering, I'm going to be hitting 500 in September, episode 500. That's going to be a really big deal. And so in years past, so the funny story, in years past, I tried to get, you know, when I was in my tens of episodes, I kept reaching out to Bruce Schneier, who's a cryptographer and well-known security guy. And I kept reaching out to Bruce, and he was nice enough to respond, but he always said he was busy. I'm like, I want you to get on my show. I want you to do an interview. And finally, I was like, okay, the 100th episode was coming up. And I said, Bruce, look, I'm going to ask you one more time. I promise I will stop bugging you, but this is the 100th episode. I'd really like to make it special. I'd like to have you do my guest on the 100th episode. And he's like, you know what? I'll do it. So I got Bruce Schneier for the 100th. I was super proud of that.
And then I think at the end of that episode, I had, I jokingly said, well, I'll see you at the 200th. Like, all right, I'll see you then. I'm like, okay. So I got him for the 200. I got him for the 300. So he's been my pod centennial guy. So naturally I'm going to be talking to Bruce to come back, but I, I really want to try to get some big names. I'm going to do, I'm going to do multiple big episodes. So anyway, we'll see if I can pull that off, but I'm going to try to do big things to separate and not just for the podcast. I want to do some fun things for that. So be on the lookout for that. Also, I just am about, I'm this close to, I've got the contract in my hand. I haven't signed it yet for the sixth edition of my book. So I wrote my book 10 years ago, and I've done multiple editions because my book has got a bunch of screenshots. And so they get stale. Like two years later, I need to unfortunately do the whole book, and it's getting big. And the screenshots are like 40% of the content. So anyway, I'm due for a sixth edition. And I think what I'm going to do this time around is a little bit different. I'll make it smaller. I'll make it cheaper. Yeah, there you go. Sucker is 600 pages. No lie. It is. It's big. It's honestly, it's gotten too big. So what I'm going to do is I'm going to split out the really volatile parts and make that a free downloadable PDF so that I can update whenever I want as needed and not have to redo the book every time. So I'm going to try to write a sixth edition of this book and I'm about to sign the contract to do that. So it should be out hopefully by this fall. It's going to be thinner. It's going to be cheaper. And all the PDF, all the down-level PDF for all the really volatile stuff. So anyway, the book could hopefully stand on its own for a while after that. So I'm also hoping to do that around September. So all this stuff is going to kind of hopefully come together in September. Awesome. Can't wait. All righty. 
As for Privacy Guides, we are an impartial nonprofit organization that is focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, then you can make a donation on our website, privacyguides.org donate. You could also click the red heart icon in the top right corner of the website. I think it's visible on like any page. You can contribute using standard fiat currency via debit or credit card, or you can donate anonymously using Monero or with your favorite cryptocurrency. Becoming a paid member unlocks exclusive perks like early access to videos, priority during the live stream Q&A. You'll also get a cool badge on your profile in the forum where Kerry is a regular participant. I see your name pop up quite a lot. And you'll get the warm fuzzy feeling of supporting independent media. So thank you all for watching and we'll be back next week. Thank you.