CalyxOS Is (Almost) Back But Is It Any Better?
E52

The CalyxOS comeback, the Canvas chaos,

and Google Chrome's sneaky AI downloads.

All of this and more is coming up

on episode of This Week in Privacy.

So stay tuned.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we're working on

within the Privacy Guides community and

this week's top stories in data privacy

and cybersecurity.

I'm Nate, and with me this week,

after several weeks of absence, is Jonah.

How are you doing, Jonah?

You know, I am doing great this week,

and I'm always doing great to be back

on the show here.

It's always fun.

How have you been doing, Nate?

Pretty good.

Pretty good.

As you know,

lots going on behind the scenes here.

Lots of videos coming up.

We'll talk about that later.

But yeah,

I've just been keeping really busy working

on everything we got coming up.

Absolutely.

Well, let's get into it then.

All righty.

Yeah.

So let me swap the tiles here.

Oops.

Our first story this week is about CalyxOS.

So full disclosure,

we do not recommend CalyxOS here at

Privacy Guides as one of our...

as one of our recommended, uh,

Android distros, but it is still popular.

Nonetheless,

they do have a heavy emphasis on, um,

open source, I would argue.

And, uh,

like that's kind of their whole thing is

a lot of the stock apps they swap

for, uh, open source apps.

And we'll,

we'll talk about that a little later.

But, um,

for those who may not be aware,

CalyxOS actually, uh,

went on hiatus in August of last year,

which is crazy to think about, that it's

been that long. Um, but, uh, they went

on hiatus. Uh, they assured everybody, they

were like, hey, there's no signs of

compromise or anything. But, um, they had two

major staff members leave. They had Nick

Merrill, the founder, and, uh, I don't know

how to pronounce his name, Chirayu Desai,

if I remember correctly. Um,

But he was like their,

their lead developer and both of them

parted ways from the outside.

It seems very amicable there.

There was no accusations as far as I'm

aware of from any of the team members

towards anyone else.

But either way,

Calyx decided they're like, Hey,

we're going to use this opportunity to

completely revamp our entire

infrastructure.

We're going to rotate signing keys.

I believe they went and bought a hardware

security module.

They really ramped up a lot of the

behind the scenes infrastructure,

but yeah,

that is unfortunately kind of the end of

the facts.

And I,

I'm going to go ahead and say,

I have a little bit of a soft

spot for Calyx.

I just want to admit where my bias

is because they were kind of my first

distro when I was getting into,

to flashing custom Android ROMs.

And I,

I tried them out first and I liked

it.

You know,

Graphene obviously is way more private and

secure, but it was, it was pretty cool.

It was very empowering to flash an Android

for the first time.

And yeah,

But, yeah, so that they,

they originally said it'd be about four to

six months,

which if I did my math right,

should be somewhere between December and

February.

And here we are in the beginning of

May, early May, early mid May.

And they said that this is their latest

progress report.

I believe it's number four.

And they finally have a test build with

Android.

Hey, Nate,

you're coming across a little robotically

to me.

So I wanted to ask people in the

chat if that's happening to anyone else on

the stream or not really quick.

So leave a comment how the quality is.

I might know what's causing that,

but I'd have to step over to the

other computer for just a second.

Let me see here.

Nope, that's not it.

Well, yeah, let us know.

It's just on my end.

Yeah.

Okay.

We'll wait and see.

Okay.

So, yeah.

So Calyx said that they would go ahead

and...

It should have been ready sometime,

like no later than February,

but here we are.

In this new note,

they basically say the Android 16 build

is ready.

So the version of Calyx that's based on

Android 16,

they say is ready for community testing.

So it's not in public yet.

This is in beta.

And, you know, I mean,

there's some interesting stuff here.

Like they say that it's based on

Android 16 QPR2,

which I think is the most recent one,

but don't quote me on that.

Um,

it does support Pixels four through nine.

So it does not, um,

I don't think the ten's out yet.

I'm sorry.

I don't keep up with a lot of

hardware very well.

Uh, supports the Fairphone four and five,

and it supports a handful of Motorolas.

That is one reason that Calyx has

historically been a little bit more

popular is just because, um,

they do support more devices than Graphene

and they do still support locking the

bootloader.

So most apps should work.

Okay.

Not as good as Graphene because with

Graphene,

you've got the Google Play services and

stuff, but, um, definitely, uh,

Yeah, it just, it supports more devices.

And yes,

Jordan informs me that the Pixel 10 is

out.

So doesn't quite support the Pixel 10 yet,

but all their current devices.

Supports the Pixel 10 currently,

but this is their device list from before

they shut down, if I remember correctly,

because I think they supported the nine,

didn't they?

I believe so,

and I'm going to guess that's probably

what their direction was.

It's like,

let's start with our current stable of

devices that we already support,

and then from there, we'll expand.

That's usually kind of how they do things.

So yeah,

they do go on to say here that

they've also updated some of their bundled

apps.

So they moved to F-Droid Basic instead of

regular F-Droid.

They still have Aurora Store.

They moved up to Breezy Weather.

They used to be on Geometric Weather,

but that one was deprecated quite some

time ago, actually.

They still include Signal.

They still include the Tor browser.

The Tor VPN is, I believe,

a new project from Tor that's designed to

replace Orbot.

So they're going to be including that.

CoMaps will be replacing Organic Maps.

And other than that,

I think most of these are things that

they've already supported before.

So...

And then they say there's some features

that have gone away,

things like the panic button for now.

They say it requires a lot of updates

to make it work.

They say they're shipping Chromium with

less features,

which you can read about below.

So, yeah,

it's definitely a very early update.

beta, I mean, really.

I know our staff member Jordan did attempt

to test it out,

but I believe couldn't get the flashing

process to work.

They kept running into an error.

But I have seen some people just generally

around the internet who have said that it

has worked pretty well for them.

But yeah, so I mean,

that's kind of it as far as the

facts of the story.

This is a I think this is kind

of a bigger story that we wanted to

cover, even though, again,

we don't really we don't formally endorse

CalyxOS as like a recommended distro,

but it is very,

very popular in the community.

And this has been an ongoing saga.

And I think this is like the first.

Big milestone in terms of like, oh,

they've actually got something to show for

now, you know what I mean?

So, yeah, really, yeah.

Really interesting stuff.

Do you have any thoughts you want to

start with, Jonah?

Because if not,

I got some questions I can throw your

way.

All right.

Yeah, a couple of things.

It was interesting,

I guess not really about the OS,

but some of the apps that they included.

Calyx VPN, rather,

being excluded from the list is

interesting because I think that's been

one of the big services that the Calyx

Institute has been providing for some

time.

I didn't even notice that.

And they include Verizon VPN,

which is kind of like... I mean,

they probably don't consider them

competitors because it's all non-profit

and they're all just doing it for fun.

But I mean,

they're pretty much operating the same

service so that they would include that

one and not the other.

It's interesting.

I don't know why the Calyx VPN

infrastructure and capacity is...

not where it was before,

or if they were having issues for some

time.

If anyone used Calyx VPN,

you could let us know what the experience

is.

But I just thought that was an interesting

thing to highlight.

I also can't remember if we talked about

Tor VPN in a previous episode or

somewhere.

I was just talking to somebody.

Not since I've been here.

Um, maybe not then. I don't know where

I was talking about it, but Tor

VPN is an interesting one too because it

uses, um, the new Tor implementation. So

instead of the one that was written in

C, the original Tor backend service, now

it's written, um, in Rust. It's called Arti,

and that was the main reason that it's

replacing Orbot. So

It's not just a rebrand.

There's some modernization going on.

So if you're an Orbot user or a

Tor VPN user,

I think that that is going to make,

I mean,

that's going to be a lot nicer for

sure,

and hopefully more reliable and hopefully

more secure.

So I guess that's not really about

CalyxOS either,

but a couple of cool things about the

apps that they're installing.

What are you thinking about this release?

Um, no, that's cool about the VPN.

Cause I didn't, I've, um,

I'm subscribed to the Tor blog's RSS.

So every once in a while I get

notifications about Arti's development,

but I don't really know much about it

other than like, it's a rebuild in Rust.

So when you said like, oh,

this is basically a front end for Arti.

I was like, oh, cool.

So that's where they're going with this.

Yeah.

It's finally making it into,

into Tor software.

I don't know when it'll be in like

Tor Browser or anything like that,

but at least we're slowly seeing progress

for sure.

Nice.

Yeah, I mean, overall, like I said,

I admit that I have a soft spot

for Calyx.

So I'm really disappointed that this has

been well past schedule.

And I'm really disappointed by a lack of

communication, especially.

I mean,

they've been relatively open in the sense

that they have been publishing blog posts

every...

every other month, maybe, um, they've,

you know,

they went out of their way when they

made the initial post and people started

speculating like, Oh,

is there some kind of compromise?

They were like, no, no, no,

there's no compromise,

but really that's been it.

There hasn't been any explanation for

like,

why are they so much further behind

schedule than they expected?

And like, I, um, I've had in,

in the past, um,

I've worked at other jobs where we have

clients that I have to interface with.

Right.

And I remember one of my, uh,

One of my bosses got really mad at

me one time because I told the client,

I'm like, hey,

we have to contact support from this

company.

And, you know,

it's kind of like slowing things down.

And my boss was like, no, no, no,

never tell them how the sausage is made.

And I really disagreed with him on that

because I'm like,

if I was the client and you just

keep telling me we're working on it,

we're working on it, we're working on it,

we're

That's going to shake my faith in you.

That's going to be, make me think like,

dude, why is this taking so long?

But when you tell me like,

here's exactly what we're doing.

Like we had to get in touch with

support.

Support has to research this.

They're shipping us a new firmware,

like blah, blah, blah, blah, blah,

whatever the case.

That's when I know like, oh,

you're working on it.

And also this is a really complex problem.

That like this is why I'm paying you

is to handle these problems.

So I say that to talk about this

is like I'm really disappointed that Calyx

has decided to take the first approach

where they're just like, oh,

we'll just we'll just issue you little

updates here and there.

But we're not going to address the

elephant in the room of why is this

taking so long and why are we behind

schedule?

So that that really does disappoint me

personally.

But I was curious if you could,

cause I know there's some technical

reasons.

If you could just kind of fill in

Jonah,

if you wouldn't mind filling in users on

why we don't really recommend Calyx.

Cause I know it gets,

and it gets passed around or not passed

around.

It gets touted and advertised a lot in

the privacy community as like an

alternative to Graphene.

And again, despite my bias,

I don't think that's really an accurate

representation.

So like what, what makes a,

I don't necessarily want to turn this into

talking crap about him,

but why don't we recommend...

Why isn't that a really fair comparison in

your opinion?

Yeah, for sure.

Before I get into that,

do you know if MicroG was on that

list?

Are they still using that?

I know they were using it before,

but I just didn't see it in this

post unless you...

Yeah, it's not in this list, but I

have to assume it's going to be there

because otherwise I don't know, okay, how

it's going to work. Maybe if Jordan's

listening and was able to test it out,

um, they can let me know in the

chat. But, um, yeah, there's, there's a couple

different reasons. I mean, I think the main

thing comes down to the, the changes that

CalyxOS is making,

uh, mainly come down to getting Google

software out of the main operating system.

So they replace Google Play services with

microG, for example, and they replace all

of the standard apps, um, with these open

source alternatives. Like, they don't have

the Play Store; they bundle F-Droid Basic

by default. Um, but beyond that, they don't

do a lot of modifications. They've never

been like super

technical with like how the operating

system works or additional features that

can protect your security or privacy,

whereas, um, on Graphene OS, for example, we

see additional hardening features,

additional like permissions that you can,

you can restrict apps with, um, additional

sandboxing with Google Play, and all of

that stuff you don't really see with

CalyxOS. I think another big criticism with,

I would say, microG in general is

that, well,

it replaces all of the client software on

your device and in theory makes it more

compatible with the open source ethos.

All of these microG services are

generally still connecting to Google

services at the end of the day.

Graphene OS certainly would also have this

problem in a lot of cases,

especially if you use Sandbox Google Play.

But if you don't do that,

Graphene OS by default,

removes, I believe,

all connections to Google services,

and they are really good about proxying

any services that are required with

Google, like connectivity checks,

for example.

They proxy through Graphene OS servers by

default,

so you're not hitting Google servers

directly,

and you can typically turn all of that

stuff off.

off completely if you choose to. So those

are some of the benefits in Graphene OS

that we just don't see, uh, added in

CalyxOS. CalyxOS is more of a

stock Android experience with some bundled

apps that are nicer than the alternatives,

but it's not really changing the Android

paradigm in, in any way. And I don't

know, in previous episodes and on other

shows I've talked a lot about how

Android is just not my favorite operating

system in general because it's very tied

to everything that Google is doing.

I think Chromium kind of has the same

issue,

but Android especially and Graphene OS

just goes a lot further in making that

less of the case.

I think it's unfortunate that even on

Graphene OS,

most people have to rely on Sandbox Google

Play to get a decent experience on

Android.

But what can you do?

At least with the Sandbox Google Play and

Graphene OS,

you can install all of those as

user-installed apps, basically.

Whereas even on CalyxOS,

if you use microG,

all of the microG apps have to

be installed as system apps, which...

will, I mean,

which is a greater security risk than apps

that have normal user install permissions.

I think the other main thing that we

would see with Graphene OS is just a

much stronger commitment to updates,

security updates,

but also just updates in general.

We saw, as you noted,

the Pixel 10 is not even supported with

CalyxOS yet.

I don't know, I don't know too much

else about the current like version of

Android that this is using. I know all

of this CalyxOS is still in beta; they're

just getting up and running. But

historically they have been a bit behind

normal Android releases and a bit behind

Graphene OS, whereas Graphene OS very often

releases updates

very, very close,

if not at the same time as major

Android updates.

And even now,

Graphene OS has a partnership with an OEM

that has access to these security updates

that aren't publicly released yet.

So they can issue those security releases

before they're open source.

Of course, if you don't want

proprietary code on your device,

you can you can disable those and wait

for them to be publicly released.

But that is a security option that I

don't think CalyxOS would even be able

to offer as far as I know,

because Google restricts some of those

security updates to certain approved

parties, which is a shame.

So, yeah, kind of a lot,

but that's typically all of the reasons.

CalyxOS didn't really make sense to me,

probably still doesn't,

but I guess we'll see how this is

going,

because it seems like they'll be taking

a... well,

at least a different approach than they

were before.

Yeah.

Yeah, I agree with all of that.

I agree that it's...

I think they do a couple small things

to try and make it a little more

privacy-respecting.

I think the advertising ID is removed by

default or something.

But it's really nothing compared to

Graphene.

It's definitely not even in the same

ballpark.

I think really the only selling point,

in my opinion, is that it would be...

I would argue it's an easier setup because

then with Graphene,

you need to go in and you need

to install the play services.

I mean, if you want to use those,

which like you said,

some people could definitely get away

without those, but for the average person,

you're going to need those for

notifications and stuff.

So with Graphene,

you additionally have to go in and install

that kind of stuff and get everything set

up.

But yeah, at the end of the day,

it's...

That is another downside of Graphene OS.

You are stuck with the official Play

services clients.

If you are the kind of person who...

prefers the microG approach,

at least you have that option with Calyx,

whereas despite them being sandboxed on

Graphene OS, which is great,

especially because you can restrict them

to certain profiles,

you're still running that proprietary

Google code directly on your device,

and some people just aren't going to like

that.

So that is something to consider for sure.

Yeah, I agree.

I think I had...

One other.

Yeah.

So in your opinion on that note,

do you think there's any like redeeming

qualities about this update?

Like me personally,

I'm glad to see them finally move to

Breezy Weather because again,

Geometric has been abandoned for God,

I think years at this point,

like a good couple of years.

So it's nice to see them finally move.

I like to see them get rid of

Scrambled Exif.

If like that is also abandoned where I

think,

or at very least like not updated very

often.

I wish they would just roll that into

the camera app like Graphene does,

but yeah,

Yeah, I don't know.

Do you think there's any redeeming

qualities about this or anything that you

think is a step forward maybe?

You know...

To be honest,

I'm not the biggest expert on Android

apps, so it's kind of hard to say.

Some of these apps certainly make sense to

pre-install.

I'm glad they're pre-installing Signal,

for example.

Some of them,

like the ones that you mentioned,

don't make a lot of sense.

I can't remember.

I saw DAVx5.

I think that's the newer.

I think I'm thinking of a different app

that was discontinued.

That's probably the newer one,

so never mind.

But yeah,

certainly having privacy respecting

defaults is good.

Like CoMaps, or Organic Maps they had

before.

It looks like they're switching to CoMaps

now.

I mean, it's greater visibility.

And I would say that this...

list of apps is probably useful to people.

I mean,

even if you end up using Graphene OS,

this would be a good list of apps

to maybe look at.

And maybe you want to use some of

these.

You can install F-Droid on Graphene OS too,

certainly.

And we have a lot of Android app

recommendations on our site as well.

But yeah,

any visibility to all of these third-party

apps that are providing good services is a

good thing, I would say.

Yeah, a user here says,

nice to have you, Jonah.

They said, Breezy Weather is goated.

And that's an example.

I agree.

I use Breezy Weather.

It's pretty rad.

I like it a lot.

Before we move on to the next story,

assuming there's nothing to add to that,

sawed this all here, said,

you love the PG polos.

So I just wanted to,

I would be remiss if I didn't take

a moment to point out that we do

have a merch store,

shop.privacyguides.org.

We have this awesome,

I know you probably can't read it from

there, but this coffee cup,

because I'm insane and I'm drinking coffee

at five PM,

has article twelve of the UN's Declaration

of Human Rights, which is about privacy.

I actually have some stickers here because

I was going to ask Jonah a question

about those later.

poster in the back,

all kinds of cool stuff.

So yeah,

and certainly not all of our merch is

like these polos with just the

Privacy Guides logo.

A lot of that is for the team

members who want stuff for this video.

But we also have a lot of merch

like with that poster design in the

background of Nate's video right there.

And a lot of other cool stuff.

So if you are interested in those privacy

designs, I would check it out.

And we hope to add more stuff there

soon.

Another thing before we start talking

about this canvas story,

I wanted to answer TG in nineteen ninety

seven's question really quickly here.

We always have around five to twenty

viewers.

A couple of reasons: we're very generously

supported by many of our members.

We also get a lot of views on

this show after the fact, especially

various podcast apps, we get

a lot of downloads there.

But it's mainly the support of our members

and people who want extra perks across our

site and our forum,

which certainly has an active membership.

The other reason for this discrepancy in

views is that we...

uh, stream on a lot of different platforms.

So like right now on StreamYard I can

see a hundred forty nine people are

watching, and on YouTube that's quite a bit

less. Um, so yeah, as somebody else just

pointed, we, we live stream on YouTube, we

live stream on X, we also live stream

on Twitter, and we live stream on

streamyard.com, which is the

which is the streaming service that we are

using to stream in the first place,

so it's kind of a native approach.

We share the StreamYard stuff on our forum,

so a lot of different options for people

to choose from, not just YouTube.

But yeah,

we would love to get more viewership.

So definitely subscribe if you like these

shows and share the show with a friend

or two if you think it's interesting.

Because we would love for more people to

hear about all of this stuff.

Of course, that's why we're doing it.

Not to dig into it too much,

but nice to have Jonah says why you

only see six people.

Because we're in the studio,

we can see the full list.

It says here that we've got over a

hundred and twenty people on Twitter.

What's that?

It just combines them all into one number.

That's what I was looking at.

But if we hover over it,

it gives us a breakdown.

So, yeah,

there's six people on StreamYard right

now, twenty two on YouTube.

We got one on Twitch.

I didn't even know Bluesky did live

streaming.

We can look into that,

but it's really about what StreamYard.

Yeah, Bluesky doesn't do live streaming.

If you want to share, um, whoever said

Bluesky, um, what you're referring to, I

know you can, um, post a link to

the live stream manually on Bluesky and

it will show up like around your profile

picture. Um, we have to do that basically

every time we stream manually, and we can't

even link to

YouTube streams, I think, or StreamYard. We

have to link to like Twitch or something,

so it's just annoying to do on, on

Bluesky. But maybe we'll use that feature

in the future. I don't know what Bluesky

features really have for live streams.

Yeah, we could look into it. Oh, here

we go, somebody said the, the new CalyxOS

builds run great on the Pixel 6,

6a and 6 Pro. So there we

go, we have some, uh, boots on the

ground from somebody who's tried it.

Awesome.

Good to know.

All right.

Well,

let's take a look at our next story

here.

This was reported by Bleeping Computer.

Headline is,

Canvas login portals hacked in mass

ShinyHunters extortion campaign.

The ShinyHunters extortion gang has

breached education technology giant

Instructure again,

this time exploiting a vulnerability to

deface Canvas login portals for hundreds

of colleges and universities.

The defacements,

which were visible for roughly thirty

minutes before being taken offline,

displayed a message from ShinyHunters

claiming responsibility for the earlier

Instructure breach and threatening to leak

stolen data if a ransom is not paid.

The message warns that Instructure and

schools have until May twelfth to contact

them to negotiate a ransom or students'

data will be leaked.

Moving down in this story here.

I'm not seeing it in here,

but I read in a different article that

this vulnerability was related to a

service that Instructure has with Canvas

that allows teachers from any school to

sign up and create courses,

even if your school doesn't have a

partnership with them.

So I know that they've disabled that

feature, basically.

But what the vulnerability is exactly,

or I think what data has been leaked,

as far as I know,

is not necessarily clear yet.

But the hackers in question have claimed

to have stolen two hundred eighty million

student and staff records tied to eight

thousand eight hundred nine schools,

universities and education platforms using

the Canvas learning management system,

according to this source.

article.

So it is quite a cyber attack and

it seems to be very widespread.

I know,

I think it says it in this article

too somewhere,

but I just know Canvas is one of

the,

if not the largest learning management

systems used by schools.

So this is pretty extensive for sure.

And I think what we're going to see

out of this is

I mean, especially if this data is leaked,

but also, I mean,

even if it's not leaked,

these people could just keep the data

anyways,

or it could be leaked in the future,

or they could just leak it anyways.

I think there's really no way to guarantee

for sure whether this data is going to

make it out there or not,

regardless of whether that ransom is paid.

So I think this I mean,

this will certainly be a big problem for

students, also staff,

and maybe not even immediately.

All of this data could be used in

the future for various attacks.

I can imagine phishing attacks and other

and other sorts of attacks against all of

these students and and teachers to be very

I think they'll be very prevalent if all

of this data gets out.

So yeah, that's pretty much the story.

It's not great.

As Jordan W. says,

shaking my head with the centralization of

everything on a single platform for

learning.

Yeah, I mean,

this is definitely the big problem with

decentralization.

It's certainly a double-edged sword,

and it's the kind of thing that we

see in the school systems.

With this,

with a lot of different tech services,

I know all of them have switched to

Google Workspace, for example,

and none of these centralized services are

immune.

Um, I know before the days of decentralized

services, schools would typically use

various platforms or open source platforms

like Moodle. Um, and there are downsides to

that as well, because then you're relying

on the school or the district's IT team

to secure all of that, which can have

varying levels of quality and knowledge

depending on what kind of people they can

hire. So

That's certainly a problem as well,

but certainly all of the centralization of

data into a single database is also a

huge concern.

So yeah, you kind of lose

Either way you go, really.

But obviously,

this sort of attack has a much larger

impact because this is going to affect

schools all around the US and maybe around

the world.

I don't know where Canvas is used.

I know it's huge in the US here,

but I would imagine they sell to other

countries as well.

Yeah, I agree.

And, uh, yeah, like you said, this, this,

um, this is a big story,

which is kind of why we're talking about

it.

Um,

so there's a lot of coverage out there.

So, uh,

there may be additional details in other

articles.

We tried our best to, um,

pick, Bleeping Computer is usually a

pretty good source and some of their

articles are actually like really super

technical.

So I like going to them.

They're,

they're one of the more reliable sources

in my opinion, but yeah.

Jordan says it's massive in Australia too.

I would, yeah,

I would imagine it's in a lot of

different countries.

I mean, that's a huge company.

Yeah.

This article didn't really specify where

they're,

which is unusual because usually they do

say like, Oh,

it's popular in like the US and

parts of Europe or something.

But yeah.

Um,

Yeah, I mean this is the question, right?

It's nice to have Jonah said,

what do you think should happen?

Make it illegal to pay ransoms?

Fine companies for bad security?

I mean I think – I fully admit

that I'm not an expert on this kind

of stuff in terms of like what should

we do.

But I do think that's a good start

is like I think we need mandatory

disclosure laws because I remember there

was a few years ago they raided –

God, which ransomware gang was it?

It was one of the big ones.

Interpol shut them down and raided their

servers, and we learned so much.

They had hit so many more companies than

we knew about because most of them just

paid the ransom and made it go away.

Made it go away.

We learned that they,

like you were saying,

they never delete the data.

That was something we learned is when we

pulled their servers, it's like, oh, look,

here's everybody,

including the people who paid the ransoms.

They never deleted the data like they

promised they would.

They just hold on to it.

So...

I don't think – and when they do

pay the ransom,

that just encourages them to keep doing

it, right?

If we make it not economical,

they're going to stop doing it.

At some point, eventually,

they'll stop doing it.

So it's really –

I think that's a good start.

And yeah, I do.

I mean, personal opinion.

I think the problem with bad security is

that it's really hard to define in a

legal sense.

Like,

I think there's certain things that like

2FA, right?

I mean, it's twenty twenty six, dude.

No offense to any newbies watching this.

I'm not trying to make you feel bad,

but it's twenty twenty six.

If you're not using 2FA,

you need to reconsider.

I'll just say it that way.

You know, and I mean, ideally, yes,

it would be nice if they had good

passwords,

but that's kind of an ongoing debate right

now is like what defines a good password.

There's a lot of nuance to that,

but it's, I mean,

that's like little things.

Like if you have something that was

patched or like if you have,

a vulnerability from six months ago that

the patch was already released and you

still haven't updated it and it's a

critical vulnerability,

I think we can all agree that's negligent.

Like when you get closer to like a

week lead time, like, I don't know,

it's just my point being like,

there's some nuance there,

but I think there is a certain baseline

we can establish.

And it's like, yeah,

you guys were just basically being

negligent at this point.

And unfortunately it's a,

I've said this before.

It's like a lot of these,

A lot of these smaller, or not smaller,

a lot of departments don't get the funding

they deserve because the bean counters

just look at them and all they see

is red.

So like cybersecurity, for example,

they're always like, oh,

we're always spending money on technicians

and software and this and that.

And it's just spending money and spending

money.

They never make us money.

We're just losing money on that.

And it's like, yeah,

because that's what's keeping you from

losing more money when something like this

happens.

So it's-

Yeah.

IT in general,

it's always seen as like a cost center

by businesses until you need them.

The problem with IT in general is that

I think the entire industry suffers from

its own success because when everything is

working properly, of course,

you never notice it at all.

Like it all just runs in the background.

Exactly.

Yeah, and then the last thing is,

like you said, a centralization issue,

which that one's harder, right?

Because that's kind of one of the

hallmarks of the free market is people

should be able to go to whatever company

has the features they need and makes the

best sales pitch and whoever they want to

go with.

So the centralization thing I feel like is

tricky, but I don't know.

Maybe there's some levers we can pull

there too to try to encourage a little

bit more competition.

I don't really know.

That one's definitely above my pay grade,

but it's all just kind of a big

know what the word I'm looking for is.

It's all just kind of a big soup

of, like, a bunch of problems. But even

fixing a few of them, I feel like,

would probably go a long way, in my

opinion. Yeah, Neville Matthew, uh, on YouTube

points out same thing with Epic, uh,

electronic health record systems. All

hospitals use them. Uh, that's a huge

problem as well. I mean, the centralization,

uh, that we're talking about, this is

happening among

pretty much all industries at this point.

So we're definitely putting all of our

data in single gigantic baskets.

And I really don't think that's a good

thing,

which is why I always suggest

decentralization as much as possible.

But

not all organizations are going to do that,

and I think the unfortunate reality is

that all of these organizations are going

to choose the cheapest option. Um, yeah, I

don't know if we pulled up this comment,

but nice step jonah said, uh, I'd rather

use Google Workspace, honestly. Google's

locked into their security, and their

Workspace privacy might not be terrible.

I mean, with Google Workspace,

especially with the schools,

you never know what they're doing with

this data.

But according to their privacy policies,

it's all above board for students.

But no company is perfect at security,

and it's very possible that Google could

have a breach someday.

I think there's problems with all

centralized services.

kind of inherently.

So I wouldn't just rule out the

possibility that Google will suffer some

sort of security issue in the future.

I think a much bigger issue with all

of these schools adopting Google Workspace

for Education is just that it really

normalizes

I mean, the entire Google suite,

a whole generation of students who are

then going to demand that in the workspace

and in their personal lives.

People are just using alternatives like

Microsoft Word or Apple Pages or whatever

software was typically used in schools.

And now they just...

are used to Google Drive and used to

Google Docs,

and then they will grow up and they'll

continue using that or they'll use it in

college or they'll say to their employers,

like,

you should switch to all these Google

services.

That's really the big Google play here.

And there used to be more companies in

the education space.

I mean, for a very long time,

Apple was huge in the education space,

and then they basically randomly gave up

on supporting education customers,

which is really dumb, in my opinion.

You could certainly argue Apple isn't much

better.

And I would love to see...

We talked maybe a couple episodes ago

about these governments who are adopting

Linux systems among...

their own agencies.

I would love to see something like that

in schools too,

where more of these education providers

adopt open source software like Linux.

But we're not really seeing that right

now.

And even when Apple was in the game,

there was

at least some competition here,

which is always a good thing.

You always want to see competition.

And right now,

Google kind of has a stranglehold on the

entire education industry,

which is not great.

Maybe Apple will make a comeback with the

MacBook Neo,

but their software game has a very long

way to go before they get back into

a serious IT world, unfortunately.

Yeah, I was going to say,

I agree with the idea of like...

Like I've complained about that.

Not my last job,

but the job before that.

We were a very small company,

like less than ten people total.

And we used Google.

We used Gmail.

We used Google Drive.

We used Google Sheets, Google everything.

And then I moved to the bigger company

that was like super, super corporate.

And all of a sudden everything was

Microsoft.

And I remember just being like, God,

I would give anything to go back to

Google because Microsoft's UI is just –

everything about Microsoft is terrible.

Full stop.

I don't care.

It's bad.

So,

but I really appreciate what you're saying

about like, yeah,

but then you train people into that way

of thinking and that's what they're going

to want.

And, um, but, uh, yeah.

And another thing you said is just real

quick.

I'm,

I've been saying for a long time and

I know I'm not the only one that

like,

it blows my mind that public money can

be spent on private things.

So like,

I usually say that in the context of

policing and surveillance systems,

but yeah,

like Microsoft licenses for public

offices.

And it's like, dude, just switch to Linux.

Like,

And that's a new contract there too,

right?

Like somebody has to write this software

for Linux so they can manage the lakes

or whatever.

Like, great, that's a new contract.

We just made new jobs.

So I don't know.

Yeah, it's crazy.

Yeah, the whole tech ecosystem in general,

once you get into like proprietary stuff

is not great because we've really

transitioned to like full subscription

services.

I used to work at a school district

and towards the end of that,

Google changed their education pricing.

I think it was around like when the

pandemic was happening and there was a

huge push for remote learning,

but they were basically like, okay,

all of these

features that all these schools want now

we're going to be charging something a

month and it was still a lot cheaper

than like Google workspace for businesses,

but it just goes to show that like,

all of this free stuff can't and really

never does last forever,

even for schools and nonprofits.

Google's whole plan is not just to lock

students into this Google ecosystem,

but also to lock schools and districts

into

having to do whatever Google says,

basically,

because now they're kind of stuck with all

of the software and all their Chromebooks

and Google can kind of charge whatever

they want if they want to.

And it's very unlikely that any of them

will switch at this point,

which is a shame.

Yeah, very good point.

I think that's all we have on that

story.

In a minute,

we're going to talk about Microsoft Edge

and passwords.

And boy, that's a wild one.

But first,

we're going to talk about what we've been

working on this week at Privacy Guides.

So like I mentioned at the beginning,

it's been...

You know,

we kind of go through ups and downs,

right?

Like we kind of go through periods where

we're releasing a bunch of stuff and then

we go through periods where it seems like

we're a little bit more quiet.

But that's because it's just we're always

working behind the scenes.

I mean, we're always working,

but sometimes there's just a lot happens

at once.

And I think the last few weeks have

been like that.

So, for example.

I'm going to share this little tab here.

We have just released today a new video

about how to run a Signal proxy.

And we talk about this in the video

for the record,

but there are alternatives to Signal,

but censorship is on the rise and Signal

is around the world for the record.

And Signal is an extremely popular

messenger.

So you could try to get your friends

and family to switch to something like

SimpleX or Briar,

or you could look into Signal proxies as

a way to help around with that.

So

Yeah, if you're a member,

that's already available on YouTube.

If you are a Privacy Guides member,

like you went to privacyguides.org slash

donate and you're a member, it's also,

I believe, available on PeerTube.

And we share that link directly in the

member section of the forum,

or I believe you also get it in

your inbox.

So yeah.

Those are options there.

And then that'll be coming out to the

public next week.

We usually release those about a week

early for members.

And then we have an awesome interview

coming soon.

Hopefully next week.

Depends how much editing we have to do.

But I don't want to say too much.

It's just really exciting.

It was a great interview.

I had a lot of fun.

And it will include a bonus section,

again, for paying members.

Yeah, excited to share that.

And actually on the topic of memberships,

I just I keep forgetting to tell you

guys that we're actually now posting the

show notes for the show in the members

only section.

So throughout the week,

you guys can see what stories we're

considering discussing and stuff like

that.

So definitely check that out if you're

interested.

And I'll turn it over to Jonah to

talk about what else we've been doing.

We definitely got a lot of requests for

that because people wanted to ask

questions about the stories we would talk

about on the show,

but I know this show time isn't ideal

for everyone.

It's pretty late in the year right now,

so I know a lot of people skip

it and watch it later.

So hopefully that helps out some people

with getting your questions answered

during the Q&A that we have at the

end of the show.

In other Privacy Guides news,

the biggest thing that we launched this

week is a new DPA directory.

This is a tool that we have in

our Activism section,

which you can find at privacyguides.org

slash activism,

or you can click the Activism tab at

the top of our website.

And the DPA directory is basically a tool

that will help you find the main consumer

privacy law in your area or region or

country that describes what privacy rights

you have as a consumer and the authority

that's mandated to enforce the law,

which is very important.

because you should know where to report

these privacy violations and what privacy

violations may even be occurring.

I think for a lot of countries,

there are more protections than you might

think.

Of course, in a lot of countries,

I would definitely say the protections

could go quite a bit further,

but anything helps.

And reporting privacy violations by...

companies that you interact with not only

has a benefit for you personally,

but it has a huge benefit for your

entire community because it causes these

companies to make changes that will

ultimately improve the privacy for anyone

who are using these products or services.

So definitely check it out.

Find your region on there.

We have at the top of the directory,

we have buttons where you can click by

continent, basically,

and then you can find

whatever country.

If your country isn't listed,

either we couldn't find anything.

We were able to do it for a

lot of countries,

but certainly not all of them.

We hope to continue updating this with

more information as we can and as we

get it.

If your country

isn't listed or if some of the information

you want to update or what have you,

definitely submit a PR or even open a

topic on the forum sharing what

information you want us to add or change

and we can get that updated.

Or just let us know what country you

want us to update and we can look

into it as well.

Whatever works for all of you,

we definitely want to keep this updated

and get as much information out as

possible,

so

you can share, uh, what information you

would find most helpful here, and hopefully

we can continue to build more legal

resources and other resources like this in

our Activism section going forward. So

we'll continue to keep you updated with

that. Um, thank you, Carey from, fireworks,

Firewalls Don't Stop Dragons, uh, for the

compliment. I totally agree, it is another

fantastic resource. Um, it's one of the

final resources that our

former staff member Em, uh, worked on with

us, and it, it came out really great,

so I hope people find it very valuable.

Um, that was the main update that came

out with our, uh, May release of all

the changes on our website. I believe all

of the other changes were pretty minor. Um,

we just

updated some information that was outdated

and changed some logos.

So not a lot of huge changes besides

that.

But, you know,

we're always changing the site,

making sure everything stays up to date.

So hopefully we'll see more changes in the

future.

I know we have twenty six pull requests

open right now.

So a lot of updates that we're hoping

to get made as soon as we can

review them.

This is episode fifty two of the show,

which means that we've been doing this

every week for a full year, which is

fantastic. It's, it's been a lot of work

to get this... Oh, great, Nate's celebrating, if

it works. I think it's busted now. I

have a whole bag of them. I'll find

another one. I had to buy these for

a video one time. It was like five

bucks, so now I don't know what to

do with them.

I had another one.

But yeah,

hiring Nate to get these done has been

a real game changer for this entire show

because we can really do this more

reliably.

And yeah,

we plan to continue doing this every week

for the foreseeable future.

News briefs are another big thing that we

do almost every day, pretty much.

Freya works very hard on those,

but we have other people on the team

publishing those as well.

I know Nate writes some of them on

occasion.

And this week we had updates on copy

fail, ChatGPT advanced account security,

Fedora releasing sealed bootable container

images, which is super cool.

Definitely look into that if you're using

Fedora, it's good for security.

RCS end-to-end encryption in iOS,

which I actually downloaded on my phone,

but I haven't been able to use it

too much yet.

So hopefully it improves a bit soon.

Disneyland, California,

facial recognition,

the FCC banning a data broker from selling

location data,

ProtonMail launching post-quantum

encryption,

which I believe we are going to talk

about later on in this stream,

if that's of interest to you,

certainly of interest to me,

Chrome for Android,

including approximate location,

which is a new web standard that'll

hopefully make sharing a location with

websites a bit more private,

and two more major Linux vulnerabilities

in the same class as

copy fail.

So a lot of news briefs,

we can't talk about all of the news

on this show specifically,

but we try and keep all of the

news briefs updated with the biggest stuff

that we can't discuss.

So if any of those things sound

interesting to you,

you can find that under the news tab

at privacyguides.org,

and we'll continue updating that and

updating our forum with all of the news

stories we can find.

All of the stuff that we do at

Privacy Guides here, again,

like I said earlier,

it's all supported by our generous members

and other one-time donors.

You can sign up for a membership or

donate at privacyguides.org slash donate.

Or if you want to support us by

picking up some swag at

shop.privacyguides.org,

that is great as well.

Privacy Guides here is a nonprofit

organization.

and we research and share privacy-related

information and we facilitate a community

on our forum and other platforms to share

advice, ask questions,

get updated on the news with other people

who are in this privacy activist space.

So it's a great place,

especially our forum,

to get advice about staying private online

and preserving your digital rights.

I think that's my spiel.

We can move on to talking about how

Chrome has been downloading some AI stuff

to your device without telling you.

Well, maybe not you specifically.

You're probably not using Google Chrome,

but Google Chrome users.

Yeah,

hopefully if you're watching the show,

you know that Chrome is basically spyware,

and that's not much of an exaggeration,

unfortunately.

Warn a friend about it.

What's that?

Be sure to warn a friend about it.

Yeah, no kidding.

Pass that on.

Friends don't let friends use Chrome,

but seriously.

So yeah,

the latest tomfoolery from Google Chrome

is that they have been quietly pushing a

four gigabyte AI model to your device

without asking.

Correct me if I'm wrong.

But I actually did some digging into this

and I was trying to put the four

gigabytes number into context.

And if I did my research right,

that is about, what is that?

About eight hundred to a thousand songs,

depending on how big the file is,

how long the songs are and stuff.

What is it?

It's like a similar amount of photos.

But the one that got me is that's

about four to six hours of high quality,

not like four K, I think,

but like high quality video footage.

Which is longer than the extended edition

of Return of the Kings.

And that just...

That was my favorite thing I learned from

researching this.

So anyways, yeah,

so Chrome has been pushing this AI model

onto your device.

It's Gemini Nano.

The article I don't think explicitly says

it's on desktop,

but it seems to imply that it's on

desktop because it says that right here it

says deleting the folder doesn't offer

lasting relief.

Chrome will simply redownload it.

On Windows, the folder is here.

It has also been confirmed on Apple

Silicon and Ubuntu machines.

So I think it's specifically on desktop.

The weird thing is,

from what I can tell,

this does not seem to be...

Because a lot of Apple and Google are

trying to do more,

especially on mobile phones,

they're trying to do a lot of AI

processing on device.

And I think for most of them,

that has more to do with performance than

privacy.

But of course,

never miss a good PR opportunity.

So they're like, oh,

it's also really private.

And it's like, meh.

So I think they try to do things

on device.

But from what I can tell,

if I remember this correctly...

Um, yeah, it says here,

the downloads carry a notable irony.

Chrome's most visible AI feature,

the AI mode integrated into the address

bar and Google search runs on Google

servers rather than the locally stored

weights.

The four gig folder is only used for

writing assistance and a handful of other

accessible or a handful of other features

accessible, several menus deep.

So it's not even like the,

the most commonly used things that they

would put on there.

It's just such a weird, weird choice.

Um,

I don't know.

Yeah.

So going back here, again,

if you uninstall it,

it just reinstalls itself.

I do appreciate this article.

Uninstalling Chrome entirely is the most

effective way to remove it.

However,

for those who wish to continue using it,

you can disable it by going into the

Chrome flags and finding an item called

Enables Optimization Guide on Device on

Android and selecting Disabled.

So apparently,

that basically just tells it that your

device can't handle it,

whether that's true or not.

So, yeah.

And then it looks like somebody is already

accusing Google of violating European

privacy regulations.

And I unironically wish them the best

because I want to see these companies sued

every single... You know,

we've mocked many,

many times how when these companies get

sued, it's always like, oh,

they got sued for four million dollars.

And it's like, bro...

who's, who's in charge of Google?

Sergey Brin.

Did he move on?

I don't know.

Whoever the guy in charge of Google,

it's like his shoes probably cost four

million dollars.

Like that's nothing.

They don't care.

But my hope is that if we keep

doing this,

maybe it'll be like death by a thousand

cuts.

Like if we just do them every single

time it happens,

maybe eventually it'll start to add up.

I don't know, man.

I'm trying to be an optimist.

I realize I'm probably delusional, but,

uh, yeah.

So I mean, I,

I think we kind of, to, uh,

hit our, our main points going into it,

but, um,

Well, let me start by saying,

I don't know.

I guess I'll really just jump to it

and say we don't recommend Chrome.

I mean,

in addition to just doing crap like this

all the time that's incredibly hostile to

users, that's incredibly unfair to users,

that's really, really sneaky,

I think it's so funny how they always

try to roll these things out that they're

like, oh, but this is good for users.

And it's like, well,

then why'd you hide it?

Why didn't you tell us how awesome this

new feature is?

But in addition to all this stuff,

you know, Chrome is like over the years,

it's really become a resource hog.

Like everyone I know says that it takes

up tons of space.

It eats up your RAM.

I don't know how true that stuff is.

Cause I haven't used Chrome in several

years, but that's what I hear.

So I think I'll have to bounce over

to the Privacy Guides website.

I know that Brave is a big one.

We recommend Firefox is, is pretty good,

but it does require some some tweaking to

really get the most out of it for

sure.

And browsers are one of those things that

I know everybody kind of has their

favorite browser, right?

Like some people prefer...

Yeah, I mean, here,

I'll put you on screen while I'm looking

this up.

But some people prefer their LibreWolf or

Mullvad, which Mullvad's a really good one.

Actually, here, I've got the page here.

I'll bounce this up real quick.

Mullvad's a really good one that we do

recommend.

I think for a lot of the power

users in the crowd, Mullvad will be fine.

But there are, like,

I remember when Mullvad came out,

I asked some of my friends and family,

like, hey,

can you test this out for me for

like a week?

Because I want to know if this is

a good browser I can recommend to the

average non-technical person.

one person couldn't download it because

their antivirus kept flagging it,

which I still need to talk to them

about why you shouldn't pay for third

party antivirus.

And then the other person was able to

download it just fine, but they were like,

Hey, um,

and they weren't mad at me for the

record,

but they just told me they're like, Hey,

FYI,

literally none of my streaming services

work like Netflix, Hulu, Disney,

like none of them work with Mullvad.

So it's a great option.

It's just, you know,

the average person may struggle, um,

to do some like day-to-day things.

Um,

Firefox, like I said, is pretty great.

There's just some settings you need to

change.

Add uBlock Origin.

Brave.

I think for people coming from Chrome,

Brave is probably going to be the best

replacement since it's based on Chrome.

So yeah.

And then people are obviously leaving

things here in the comments like Helium

and Zen.

Those are fine, I guess,

if you want to use those.

They're not our official recommendations,

but they're probably way better than

Chrome, I think.

So yeah, I think I've been talking plenty.

I'll turn it over to you for a

minute.

Any thoughts on this?

It was funny that you mentioned how many

songs there are because I think four

gigabytes was the amount of storage that

the original iPod had in in two thousand

one.

And that classic tagline,

a thousand songs in your pocket.

Now we're just kind of wasting that

storage space on random AI models that it

sounds like are going to be barely used

in Google Chrome since most of this is

still going through their servers.

So it just kind of goes to show

how much tech has changed in the last

twenty five years and how

not, not really for the better. I think

all of this software just becoming very

bloated for very little gain. Um, and I

think at the end of this article, um,

someone pointed out that pushing four

gigabytes of data to the millions or

billions of devices that have Google

Chrome installed on them, um, results in

like just a huge amount of data being

transferred over the internet, like all of

these software updates do. Um, which is, you

know, I mean, that's kind of normal. We

get software updates all the time, so it's

not that crazy, but

that's still a huge amount of data. There's,

there's always a cost to that sort of

thing, not just financially,

but in terms of CO2, environmentally. All

of this AI is just speeding up all

of those issues in many different ways.

So yeah, technology is just...

Crazy.

Yeah,

four gigabytes times the amount of Chrome

users.

Absolutely.

It's exactly like Kerry just said in the

chat as well.

When these stories pop up,

you just got to stop using Google Chrome.

And I think all of these browser solutions

are going to be better.

We obviously,

the general consensus among Privacy

Guides team members and also people

in the community on the forum is that

Brave and Firefox tend to be the best

choices for a lot of people.

But as other people have mentioned,

and like Nate just said,

there are other options that are coming up

and becoming very popular.

I've been using Zen Browser for some time

personally, and I like it a lot.

I know a lot of people are starting

to use Helium Browser lately,

which definitely has some good things

going for it.

I would also throw in Brave

Origin as a great Google Chrome

alternative in addition to Brave,

just because it has a bit less of

the bloatware like the VPN stuff that

Brave does or the cryptocurrency related

stuff.

That obviously costs money for some

people,

but what I would say to that is

if you don't want to pay the sixty

dollars,

You should be on Linux anyways,

where Brave Origin is free.

So you always have that option.

Linux is a great operating system to

switch to, and you can start using that.

A big benefit of Brave Origin versus these

other platforms is mainly

Just having the backing of a much larger

company behind it,

and Brave has been very timely with

security updates and other Chrome updates

for a very long time,

whereas a lot of these other alternatives

are somewhat hit or miss with those

updates.

And just like with GrapheneOS,

like we were talking about before,

staying up to date with those updates is

super important from a security

perspective.

I would typically probably recommend Brave

Origin to most people who are looking for

the cleanest Chromium experience these

days.

But yeah,

there are certainly a lot of options with

their own pros and cons.

And if you want to know any of

the specifics of that,

I would always recommend checking out our

forum or asking your questions there.

I mean, with a lot of these browsers,

I know there's already discussion threads

about them where you can find out the

pros and cons and why they're not

necessarily recommended on the site yet.

but can still be good in certain use

cases.

So the first generation iPod had a minimum

of five gigabytes.

And I don't know if this is going

to make you feel old,

but it made me feel old.

The connection was FireWire.

Yeah, that was an interesting time.

I will say,

for everything I just said about

technology going in a bad direction in

some ways,

I will say switching everything to USB-C

is one of the biggest improvements that

has ever been made, honestly.

Having one universal connector is just so

nice, so much nicer,

if anyone remembers how it was before.

Totally agree.

Yeah, I do want to point out,

I just want to drive home something you

said,

which is that I think there's something to

be said.

Privacy Guides kind of operates under the

idea, or under the philosophy,

I should say,

of recommending the best product.

I think,

kind of going back to our headline story,

I would argue that...

and maybe this is open for debate because

of what you mentioned about like microG

running at an elevated privilege level.

But I would argue that something like, um,

Calyx is going to be a little bit

better for your privacy,

assuming it's fully updated and

everything,

but it would be a little bit better

for your privacy than like stock Chrome or

stock Android.

Right.

Yeah.

But obviously we don't recommend that

because Graphene is even better and it's

really not that much harder.

So we recommend Graphene instead.

Um,

so where I'm going with that is I

think, uh,

a lot of the time I think, uh,

this is something I've harped on before,

is a lot of the time I think

we in the privacy community kind of

undersell how much we've learned and how

tech savvy we are.

I consider myself not very tech savvy

compared to a lot of other people that

are like developers and programmers and

hackers.

but even I like,

I know how to self-host Nextcloud.

I know how to self-host Jellyfin.

Like I know how to mess with the

settings on my router.

I flashed my router,

like all these kinds of things that the

average person I think doesn't really know

how to do it.

And so I think, um,

sometimes it can be really empowering to

take those baby steps.

And I think sometimes those baby steps are

going to be, um,

I think some of them are going to

be like,

even if you never go further than this,

it's still better.

And so I'm kind of talking to the

audience here where, you know,

some people get mad that you say things

like you in general,

that we say things like, you know,

like switch to Brave.

And some people are like, oh,

but Brave has all these problems,

which is fair.

But also like if somebody switches to

Brave and they're just like, oh,

this isn't so bad.

This is just like Chrome.

Well, I hear that Firefox is better.

What if I check that out?

What about the Mullvad Browser?

What about that might be the gate that

opens them up to check out the gateway,

the gateway drug that opens them up to

check out other browsers.

And maybe eventually they will end up at

something way better and way more secure.

But even if they never go further than

that,

like it's still better than using Chrome

in my opinion.

So yeah,

Um, yeah, I just, I guess I just

kind of want to defend that. Uh, not,

not that you were not doing that, but

just to the audience, I want to point

out that, like, I think these, these can

still be useful baby steps along the

journey to get people, because something

like Brave is going to be, again, I

think I said this already, it's going to

be like the most familiar for people who

are coming from Chrome. And then once they

realize, like, oh, that was really easy, that

was simple, maybe I'll check out Firefox,

maybe I'll check out these other ones. So,

you know, it could potentially become a

journey for some people. So...

Absolutely.

I think our general philosophy,

at least mine,

but I think the general philosophy among

the team is that our recommendations on

the site are geared towards being the best

option with the least amount of downsides

for literally pretty much any

use case or threat model as much as

we can.

Obviously,

there's still going to be upsides and

downsides to each of these.

But like compared to Calyx or even

LineageOS,

it's our opinion that GrapheneOS offers

the most benefits with the least amount of

downside to the most people.

If we're talking about CalyxOS or

LineageOS,

those both have some merits.

Certainly,

like Jordan just mentioned in the chat

here,

there's wider device support with both

CalyxOS, but especially LineageOS,

and that helps people get into this

de-Googled ecosystem,

which is always, I think,

great from a privacy perspective.

But at the same time,

the downsides of using CalyxOS or

LineageOS are potentially very high,

especially from a security perspective.

And people can really shoot themselves in

the foot, I think,

if they don't know what they're doing.

Whereas with something like Brave,

not my favorite browser,

but the downsides are pretty minimal and

it's very easy to recommend to most

people.

And I think...

I think it probably goes without saying,

we don't explicitly have it on our site

yet,

but we should probably just update it

because Brave Origin is the same.

But I think Brave Origin is even better

because it's just the exact same thing as

Brave, but less,

which is typically good from a security

perspective.

You want to keep things as minimal as

possible and also just from a user

experience perspective.

But if we talk about other browsers like

Helium or like Zen Browser or even

LibreWolf,

like there are a lot of upsides for

a lot of people,

but there are also a lot of downsides,

which make it very hard to recommend to

a general audience who might not look into

all of this stuff further than what we

put on the site.

I think that's a common thing,

misconception that people have with the

privacyguides.org resources is that people

think that if it's not listed there,

that means there's some problem with it.

But typically if something is omitted,

it's not like an anti-recommendation in a

lot of cases.

And

this is a reason why I think our

forum has become even more popular than

our main website at this point.

It's because we can have these more

in-depth discussions if people are

interested in that.

So that's kind of the case with everything

we don't recommend on the site.

There are in-depth forum discussions where

you can learn about these tools,

but also learn about the potential

downsides,

which I think people should at least know

before they use them.

So yeah,

I think that's kind of where we're at

with the recommendations in general.

Yeah, for sure.

That is one nice thing about the forum.

Cause there's so much information and so

much to consider that, you know,

for some people may not be relevant and

for others may be relevant.

Like I know, um, and we'll,

we'll get to the forum in a minute,

but I know on the forum,

there's been an ongoing discussion about

OnlyOffice and how OnlyOffice, like,

allegedly has some ties to Russia.

And like the licensing is kind of weird.

And, you know, some people are like,

maybe we shouldn't list OnlyOffice.

And me personally, I'm over here going,

I don't care.

Like none of that is part of my

threat model.

Um,

Not interested,

but I completely respect that there are

people who are like, no,

that's very alarming,

and I don't want to be using OnlyOffice

at my politically motivated nonprofit,

right?

So I think it's really cool that you

can go to the forum and get that

kind of in-depth because if you make a

website too wordy,

people aren't going to read it.

Ask me how I know.

Right.

So it's really cool that people have that

supplementary resource they can go to.

Not to shill the forum too much,

but I like that about it.

There's no way to shill the forum too

much.

I can shill it all day, any day.

And it'll never be enough.

You should check out the forum.

Fair enough.

Uh, nice to have Jonah just said in

the chat, is there no privacy-respecting

streaming option? Yeah, unfortunately, uh,

StreamYard is not super great, um, either. We

mainly offer it as a solution because, I

mean, it's a service that we're using, so

you're kind of getting it directly, but, and

it's also better than literally all the

other options. But streaming is a pretty

difficult system to, to get up and running

because you have to imagine, I mean,

even if we're self hosting it,

every single viewer is going to use like

a certain amount of bandwidth.

So you just have to multiply that by

every single user who's watching it

simultaneously.

The problem that we have is

more to do with, I mean,

we just can't have a great experience.

We've got a lot of chats this week

and we wouldn't be able to integrate chats

with StreamYard if we were hosting a

stream ourselves.

And yeah, like you just pointed out,

unlike YouTube,

there's really no filtering going on with

StreamYard.

So that's the main reason we offer this

StreamYard option for most people.

I would say like if people...

I mean,

I can see why you'd want to watch

it live,

but if you're not going to interact with

the chat or anything,

the most private option is probably just

downloading the podcast to your app

because then it's just a download and you

can watch it anytime without being tracked

after that.

So usually that ends up being the most

private solution,

but all of this chat being integrated into

one place is super nice and that's why

we are streaming on these platforms and

not

Not anything better, unfortunately.

It's just more challenging, I think,

than you would imagine.

Yeah, for sure.

And I also want to mention that the

nice thing about StreamYard is like we

were talking about at the beginning,

we can broadcast to multiple channels at

once.

So that's kind of, I think,

one of the main reasons we use it.

I'm sure there's probably other reasons

behind the scenes that I'm not aware of.

But that unfortunately also kind of limits

us to...

what they're able to support.

Cause I mean,

there might be some kind of like third

party script that can mirror to PeerTube,

for example.

But then like Jonah was saying,

we can't see the comments there.

And it's just, it's, you know,

it's like you were saying a minute ago,

or we were saying a minute ago about

switching to services and recommending

services.

It's like,

we kind of have to balance like what's

technically possible with what's going to

give us the most.

I don't want to say return,

but you know,

like we only have so much time and

technical energy that we can spend in

places and we need to make sure we're

maximizing it.

So.

Yeah, absolutely.

It will be on PeerTube.

It will be on whatchamacallit,

on podcasts like you were saying.

So we do our best to try and

offer people private alternatives,

but it can be rough.

I think there was something else I saw

that I wanted to mention.

Oh, yeah.

Somebody stopped by and just said,

thanks for everything you're doing.

So thank you.

Just wanted to shout that out.

Yeah, thanks for all your support.

I mean,

even like just from an algorithmic

perspective, one of the main goals,

both with this stream and with our YouTube

channel in general is to reach new

audiences who wouldn't be interested in

the in the type of content that we

would publish on privacycast.org,

for example.

So any sort of engagement on YouTube,

especially

is helpful for us,

even though we're asking you to use

Google, which is not great.

But in terms of reaching people who have

never seen any of this before,

it's super helpful.

And anything that we can do to improve

that and maybe help other people get this

information that they otherwise wouldn't

is super good.

Because it's exactly what Nate was saying

earlier,

not just about software being a good entry

point,

but

I'm hoping that a lot of the videos

that we're publishing is a good entry

point where people will then feel inspired

to check out the privacyguides.org site or

check out our forum when they otherwise

wouldn't have any awareness of it at all.

So that's a big goal for everything that

we're doing on YouTube and our videos in

general.

I think the last thing on that note,

what Carrie said about our conversation a

minute ago is I was pointing out that

for some people, when they start software,

it could be their entry point to move

on to other things.

If something's too complicated or onerous,

especially as a first foray into privacy,

it can derail people.

So yeah,

kind of similar to this whole streaming

thing.

If we tell people like, oh,

you can only find us on PeerTube,

and by the way,

there's like a hundred million instances

and just trying to be user-friendly to

everybody in that sense.

Lots to think about.

Anywho.

Yeah,

let's move on to our next story here.

This was reported by the Proton blog.

Looks like in their business section, but

they wrote about Microsoft Edge keeping

all saved passwords on your device

unencrypted.

So if you save passwords in Microsoft

Edge,

this article says there's a security risk

you should know about.

According to a new disclosure,

whenever you open Edge,

the browser immediately loads all saved

passwords into memory in readable form,

not just the password for the website

you're logging into.

That means credentials for every account

saved in Edge could be exposed if malware,

a compromised admin account,

or another attacker gains access to your

device or user session.

This is a really interesting story to me

because,

as I believe it's pointed out in this

article,

this isn't typical for Chromium-based

browsers in general.

If you look at Google Chrome,

they will only release the password in the

memory

when you're using autofill,

and then they delete it after.

And your passwords could be at risk if

you just leave Microsoft Edge open,

like it's showing on the screen there.

Which is probably happening most of the

time for people because you always use

your browser.

But I mean,

even if you open it for a second,

malware can potentially get all of that

information at any time,

which is not great.

Microsoft kind of defends this with a

similar excuse to what Signal has said in

the past about their desktop client,

which is basically...

If this is something that's going to

compromise your data,

you probably already have malware on your

device that can get access to all of

this data.

And that's certainly true.

I mean, you probably have,

in such a case,

you might have bigger problems to worry

about than just this alone.

There are a lot of ways that malware

can exfiltrate your data without your

knowledge.

Yeah,

you just don't want to have malware on

your computer, obviously.

But at the same time, and again,

when Signal Desktop had some issue with

information being available to other

programs on your device,

we also said this, like,

there are technologies that Edge could be

using that would improve the situation

beyond

beyond this.

And for them to do this means that

they've explicitly changed some aspect of

Chrome because, again,

stock Chromium doesn't have this behavior.

So it's just an Edge-specific problem if

you're using Edge in Windows, which is...

Not great.

I actually don't know if this article says

whether this occurs if you're using Edge

on another operating system like macOS

or...

I think there's a Linux version of Edge,

isn't there?

I don't remember.

Somebody tell me.

But there is.

Yeah,

but I don't know why you would be

using Edge on any of those platforms.

So it's probably not a huge issue,

even if this is the case in other

ones.

But, you know, on Windows especially...

Windows is still super popular and Edge,

Microsoft really tries to force it to be

your default as much as possible.

So I mean,

I would imagine this would affect a lot

of users.

But at the same time,

only only making this available to like

local users or local software like

malware.

It's not the worst thing in the world.

It just seems completely unnecessary.

So I don't

Yeah,

that's what I would have to say about

the Edge stuff.

Did you have any other takeaways from this

article, Nate?

Um, I think just the, uh, um, yeah,

I mean, it's, it's, unfortunately it's,

uh, it is unique to Edge,

which kind of weakens the argument of like

move away from that stuff.

Cause I don't know a lot of people

that do use Edge, but, um,

I think my big thing is it reminded

me of, you know,

and of course Proton's going to take this

opportunity to show their products and

they say use a password manager, but I,

I kind of agree with them on this

one.

Um,

I think there's a lot of reasons to

use a third party password manager.

Um, one of them is, um,

they're browser agnostic, right?

We were just talking a minute ago about

maybe somebody starts off using Brave and

then eventually uses other browsers.

If they have a third-party password

manager,

that makes it a lot easier for them

to switch browsers because that's one less

thing they have to worry about switching.

There are also, I believe,

correct me if I'm wrong,

but I know there is malware that is

capable of stealing data that's stored in

the browser, like passwords, history,

credit card numbers.

And I think that it does not work

anywhere near as well, if at all,

on third-party password managers because

of the way that they're segmented away.

But I think a lot of other browsers

are also segmenting it away in a similar

manner.

I mean, obviously,

in most browsers except Google,

It's optional in Firefox,

I believe you can do this,

but you typically don't need a master

password to unlock your passwords or

anything,

so there are certainly ways to get into

that locally.

As this article points out,

on the disk they're using standard

encryption,

but what's happening is all of the

passwords are always being loaded into

readable memory or RAM as soon as you

launch the browser,

so

Since the browser is open most of the

time,

the fact that it's encrypted on the disk

is probably not super relevant.

But yeah, another... Oh, can't talk today.

Another thing I wanted to point out that

I just remembered was, I mean, Microsoft,

this has happened before.

There was a similar issue with Microsoft

Recall, where they...

just let anybody access all of that recall

data, all of your screenshots.

Any malware on your device could access

all of that without any protections in

place.

And that just seems to be Microsoft's MO

when it comes to developing software these

days.

They don't seem to take into account any

sort of local attacks, unfortunately.

Carrie just pointed out,

even though Signal originally said that

plain text messages while the app was

running wasn't a problem,

Didn't they eventually fix that?

And yes, they did.

And this is a case where I wouldn't

be surprised if Microsoft fixes it as

well, just because, again,

this is non-standard behavior.

I have no idea why...

Microsoft would choose to do this.

I don't know what feature that they

thought this would enable.

I don't know how they I have no

idea how they use this or why it

would be necessary for them to change it.

But now that it's getting attention,

they might do it.

Of course, on the other hand,

Microsoft isn't a company super well known

for security.

So unlike Signal,

so I also wouldn't be surprised if they

don't fix it.

I guess we'll just see what what happens

there.

Microsoft, not well known for security.

That's blasphemy.

Yeah.

Yeah.

Signal kind of dragged their feet with

fixing that.

They like kicked and screamed about it,

but they did eventually.

So, yeah.

Um, yeah, I mean, I guess that's, that's

all I got. That was my big takeaway,

is to use a password manager, and that

kind of eliminates the problem. And also we

don't recommend Edge anyways. So, um, but

yeah, definitely, uh, hopefully they will fix

it, because I know I mentioned before, at

my last job, um, I used Edge on

the work computers, because first of all,

they issued us those computers, and we were

so deep in the Microsoft system that

everything just integrated better with

Edge. And like, if I used any other

browser,

it added so much more friction, which, I

didn't have a desk job anyway, so it's

like the less time I spent on my

computer, the better. If I was spending a

lot of time on my computer, something was

wrong, because we were like searching for

manuals or trying to get a hold of

somebody or like tech support or like. So

yeah, I just used Edge because, again, work

computer, I didn't have anything personal

on there. That's their problem if it gets

breached. But, um, it was, you know,

What I mean by that is it's their

problem because they're the ones deciding

that we want to use all this insecure

crap.

But anyways, so yeah,

I mean it's very popular in corporate

environments,

and they should probably fix that.

I think,

I guess that's kind of all we got

now on those stories.

So we're gonna start taking viewer

questions here in just a moment.

So the chat's been really active,

which has been super, super awesome.

But if for some reason you've been holding

onto questions and you haven't dropped

them in the chat,

go ahead and do so.

But for now,

we're going to check in on the community

forum.

And I mentioned that there's a pretty

active week.

I mean, it's always really active.

But there were a lot of good discussions

this week.

Ironically,

we're actually going to talk about Proton

again for a minute here because Proton now

supports post-quantum encryption.

And I think it was last week that

Jordan and I talked about this a little

bit because somebody asked about it in the

chat,

but I thought this could be a good

opportunity to talk about post-quantum

encryption specifically and what it is and

all this kind of stuff.

So definitely correct me if I'm wrong

here, but I think...

without turning this into a deeply,

deeply technical video that hurts my

brain.

Basically,

quantum computers are like the next

generation of computers.

You guys probably know this stuff,

but just in case.

And basically,

they're exponentially more powerful than

current computers,

aka classical computers.

And it matters.

I mean,

it's a good thing in a lot of

ways because they're way more powerful.

They're way faster.

They can do a lot more computational work.

But it also has a lot of implications

for cybersecurity and concerns about being

able to crack certain forms of encryption,

even without a zero day or a

vulnerability.

Like they're just so powerful that they

can do.

Cause here's where I'm starting to get a

little out of my element.

Cause modern cryptography basically relies

on the idea that like,

The numbers and mathematical equations

we're using to create this encryption are

so astronomically high that no computer

could realistically do these kind of

computations at scale without knowing the

password and the key.

And quantum computers kind of laugh at

that and say, hold my beer.

So yeah,

we're seeing a lot of companies both in

and out of privacy are really kind of

starting to roll out post-quantum

encryption.

Signal is one in privacy.

Tuta's one.

Proton's one now.

And outside of privacy, we've seen Apple.

I mean, arguable privacy on that one.

We've seen Apple.

We've seen Cloudflare.

I'm sure there's a lot of others that

I'm forgetting.

I think Google is messing with it a

little bit too.

So yeah, I think,

was that a pretty good summary so far?

Yeah, I believe so.

I mean, the quantum computers,

I guess it is sort of the next

generation of computing.

Not in the sense that it's going to

replace any of our current computers right

now, though,

because quantum computers are never going

to be

good at certain things.

It's very niche.

But certainly breaking encryption,

some encryption schemes,

is one of the things that they can

do.

Not currently because they're extremely

not powerful, but maybe in the next ten,

fifteen years,

it's a very real possibility.

And post-quantum encryption today is

Super important, in my opinion,

because there are definitely a lot of

scenarios where all of this data could be

stored and decrypted later by any number

of parties.

I would imagine governments are

probably...

uh, working on collecting as much internet

traffic as they possibly can, um, without

really knowing what to do with that

traffic yet. But we know, like, for many

years now, the NSA, for example, has built

that huge data center in Utah, basically

just to store a huge amount of data.

Um, so for some people and for some

threat models, I think this is a real

concern when quantum computers would get

into the hands of

normal attackers.

It's hard to say if that'll happen,

if ever,

but certainly within the realms of

governments and probably within the realms

of huge companies that you might be

concerned about to get quantum computers

in ten, fifteen, twenty years or whatever.

We do have a full video on post-quantum

encryption on our YouTube channel that I

would definitely recommend checking out

because

There's a bit more nuance to all of

this, but I think it's a good explainer.

Yeah,

I was just logging into Proton right now

to see if I had access to this.

And this is a big problem that I

have with Proton that annoys me a lot,

that even though

I have a visionary subscription that they

say will get you access to all the

features when they come out.

They never give me access to features

first.

It's always like randomly after a lot of

other people get them.

So the blog post does say they're rolling

out gradually.

You probably won't see it in your account

yet, but maybe some of you will.

Unfortunately, I don't see it yet.

But what can you do?

I can complain about Proton all the time,

and they probably won't change this or

improve it for me.

But maybe they will.

If anyone from Proton is listening,

you should do things better for visionary

subscribers.

I know it's a very niche problem.

This is like first world problems to have,

because most people are not going to be

on a visionary subscription.

But yeah,

if you do have access to this,

let me know how it goes.

I believe it's optional.

You have to upgrade to it,

but that does make a bit of sense

because, I mean,

Proton can't do it for you because they

can't decrypt your data in order to

re-encrypt it.

I would imagine at some point,

maybe Proton could...

do it automatically when you sign in,

but they're obviously not doing that now.

And it's probably a good thing that

they're not doing it now because it would

be very hard to do that automatically in

a way that perfectly protects your data,

I would imagine.

So yeah, it's an optional feature.

Definitely upgrade to it when the feature

becomes available to you because I think

it's important to get going now.

And again, in our video about it,

we explain more of the reasons why it's

important to get started with it sooner

rather than later.

Yeah, there's the video.

Yeah, sorry,

I just found it and pulled it up.

Yeah, so for any audio listeners,

it says The Threat That Makes Encryption

Useless.

That's the title of the video from October

of twenty twenty five.

So definitely check that out.

And yeah, I

real quick on the topic of Proton and

not having that switch.

I think they paused it because I think

a lot of users were reporting issues that

it was like breaking Proton Drive or

something like that.

So I think that's why you don't have

it.

I think they paused it while they're

trying to figure that issue out.

Interesting.

Okay.

But yeah,

one thing I wanted to address here is

Jordan said it feels a little bit like

AI hype.

Yes and no, because I agree with you.

I've heard a lot of experts talk on

this topic on like various podcasts and

stuff.

And I've heard a lot of them say

that like,

it's probably not coming anytime soon.

Like there's always certain technologies

that are like in the next five years,

right?

Like the running joke is cold fusion.

Um, for decades,

scientists have been like, no, no, no.

Like,

like we're right on the edge of cracking

it.

Like in five years,

we're all going to be using cold fusion.

And they've been saying that since like

the eighties,

probably even earlier than that.

So it's kind of become like a running

gag.

Like, Oh yeah,

it's always like five years away.

And, uh,

a lot of people are saying that about

like, uh, AGI, uh,

artificial general intelligence,

which is like the actual,

the stuff you see in sci-fi movies.

And it's like, you know,

of course Altman and,

and everybody's out here trying to hype up

their stock prices.

Like, yeah, man,

we were just going to roll out next

year.

It's like, uh, yeah,

that and cold fusion too.

Sure thing, buddy.

Um,

this one I've heard people be a little

bit less pessimistic.

In the sense that they're like, well,

it's probably not five years away,

maybe ten years away.

I mean, it's probably possible.

It's just like they're definitely

overhyping how close it is.

But I think you may have said this

is like I do still think it's a

good thing that we're getting ahead of it

because you mentioned the harvest now

decrypt later where like.

The NSA,

which a quick little piece of trivia for

anybody who looks at my online presences,

it's a selfie of me outside of a

building.

That is the NSA's data center in Utah.

I've done that twice now.

I am absolutely on a list.

There's not a doubt in my mind.

So yeah,

I think the whole point of the NSA's

data center is just to collect as much

information as possible so they have it

later when they...

quote unquote want slash need it.

So, um, yeah,

I think it's really cool that they are

getting ahead of this, but I'm with you.

I think I'll probably turn this on

whenever they roll the feature back out.

And, um,

whenever I stopped seeing people say that

it borked their Proton Drive,

not that I use Proton Drive a whole

lot, but still it's, uh,

it's good stuff to have.

I think personally, um,

I think somebody else said something too.

Yeah, I'll look at this question from, uh,

terracotta pie on YouTube, um, and I'll

actually, um, share a thread that I saw

on, on X about this from

Matthew Green,

if I can get this pulled up.

I'll sum it up so you don't have

to read the whole thing.

Matthew Green, if you don't know,

he teaches cryptography at Johns Hopkins,

and he's a big expert in the cryptography

space.

And basically what he says about the whole

quantum computing thing and why it's

probably not a huge issue now is that

There isn't really a lot of reason to

invest in quantum computing for

businesses.

Unlike normal computers back in the day,

traditional computers had very clear

business impact.

This is going to improve businesses in so

many ways as soon as they were developed.

No matter how slow they were, there were

huge practical applications for regular

computers to get those developed and make

them even better as fast as possible that

don't really exist for quantum computers

right now.

There's not a,

there's just not a lot of reason that

businesses would need them in the first

place.

So that slows down investments into it and

that slows down development overall.

Um, the other point that he made,

and I think this ties more into, um,

Well, I guess, yeah,

I guess your question,

whether there's a concern about whether

these could already be in use,

I think it's fairly unlikely.

Just because these companies really don't

have access to super powerful quantum

computers and

If they did, I mean,

there would probably be big announcements.

The other point that Matthew Green points

out in this thread, though,

is that we don't really know exactly what

the government's capabilities are.

There's different trains of thought on

this.

Some people would think that the

government and their technical

capabilities has really fallen behind the

academic and tech community,

and that big tech is really pushing all

of these improvements.

And the

what's available to big tech now might

just be the best in the world.

But some people think the government could

be like,

thirty years or fifty years ahead of

what's publicly known right now,

and they could have access to all of

these quantum computer resources and could

be using them to break encryption at the

moment.

So it depends on what you think about

the government,

but we likely wouldn't know because

As he points out,

if the government has access to this

capability,

they would try and keep this as secret

as they possibly can.

Um,

which has always been the case when

governments have new encryption schemes or

whatever,

you can think about like the Enigma

machine back in, what, World War Two.

Um, the, the British, once they,

once they cracked it,

they went to extraordinary lengths to hide

the fact that they could now break this

encryption scheme that,

that the Germans were using because.

having that power and keeping it to

yourself and not sharing it is super

important.

And if they had quantum computing

resources,

that would be like a huge massive

advantage to every government and they

would be definitely trying to keep that as

secret as they possibly can.

So this whole thread was basically in

response to a lot of

crypto people and Bitcoin people are like,

well,

we're going to know when quantum computers

are powerful because somebody will use it

to hack Bitcoin, basically.

And the point of this thread is that

it's not really the case that that would

happen.

I mean, in the grand scheme of things,

there's a lot of money in Bitcoin,

but it's not like to the government or

to somebody else who would want these

quantum computing resources.

The whole Bitcoin

market, uh, value is probably a drop in

the bucket for them, and they would be

much more incentivized to not, not do

something like that and to keep it secret

instead. So yeah, that's basically the whole

thing. I would say we don't know for

sure, um, but I, I would say it's

fairly universally accepted that's

probably going to be a problem, you know,

within the next

I mean, even conservatively,

probably thirty to fifty years,

because there is progress being made on

all of that.

Neville Matthew on YouTube asked,

I'm assuming there's a considerable amount

of compute power to crack these

encryptions by quantum computers.

I don't, okay,

I don't understand what you mean exactly.

I assume you're asking

whether a considerable amount of compute

power is required.

And the answer is yes,

you need like a massive amount,

like quantum computers are nowhere even

close to being near to what you would

need to have any sort of practical

application and to, to,

crack encryption. So we're, we're very long

ways off, um, in the quantum computing power.

As far as we know, like I just

said, doesn't exist yet. Um, so I think

that answers it either way. Right now there

is not a considerable amount of quantum

computing power, um,

at least among these tech companies and

the academics who are publishing this

stuff.

And yes, you would need far,

far more than what we have now to

do anything practical with it.

But, you know,

progress is always being made.

My only thought is what you said about

governments aren't interested in the

market cap of Bitcoin.

Asterisk does not apply to North Korea.

Yeah, that's certainly true.

I don't think North Korea is on the

bleeding edge of quantum computing,

but you never know what's going on over

there.

Yeah, no kidding.

I never miss a good chance to take

a pot shot at that guy.

We did have one other forum thread here

that was interesting.

It's about IVPN has revamped.

I'm actually going to share their blog

post here.

Not the forum thread,

but the blog post from IVPN.

Let me swap it around here a little

bit.

IVPN has revamped their plans.

So for those of you who don't know,

I want to say about two years ago,

I want to say it was the end

of twenty twenty four.

IVPN purchased Safing,

which is the company that makes Portmaster

and SPN, which is a pretty awesome.

I think Kerry Parker once described it as

a reverse firewall.

It's kind of like a like on Mac.

We have things like Lulu and Little

Snitch.

And Portmaster is probably the best

Windows version of that.

I know there's also things like Simple

Wall, for example.

But Portmaster was really slick.

It's really good.

It comes with good defaults out of the

box.

I think I mentioned in previous episodes

that whenever my wife gets a new computer,

she asks me to set it up and

do all the privacy stuff.

And that's one of the things I do

is put Portmaster on there.

Admittedly,

it does not work very well with other

VPNs.

It's designed to be used either by itself

or with SPN,

which is their version of a VPN.

It's not really a VPN per se.

It's like a multi-hop VPN.

It's interesting.

They do some interesting stuff with SPN.

I like it a lot.

Um, yeah, so IVPN acquired Safing and, uh,

they basically said that they were going

to roll Portmaster into IVPN and there

was going to be not a required

functionality.

Like you could still use them separately

if you want to,

but there was going to be

interoperability.

And, uh,

they also announced that they were working

on some other stuff like, uh,

an email aliasing feature and a DNS

feature.

And that all appears to be coming to

fruition now.

So there are three plans for IVPN.

There's Standard, Plus and Pro,

which are sixty,

eighty and one hundred dollars a year,

respectively.

And basically the changes are the standard

VPN is now including multi hop and a

five device limit,

which I kind of wish they did.

Oops, wrong way.

Still getting used to Macs.

I kind of wish they would have a.

Oh, OK, here we go.

So for the standard plan,

it was two devices and did not include

multi-hop.

The plus plan will also include the new

email aliasing,

and DNS that I mentioned.

And the pro plan will offer a ten

device limit and access to all additional

services, including Portmaster Pro,

which for the moment is only available on

Windows and Linux, unfortunately.

And they said that there are no price

changes on existing pro and standard

plans.

Pro is now the pro suite.

So, yeah,

I think if I'm reading this correctly,

basically prices haven't changed.

You're just getting more bang for your

buck regardless of which plan you're on

because.

Again, like even the lowest plan.

Now you've got more devices.

Now you've got multi hop,

which is super cool.

Multi hop is, I would argue,

not necessary in every situation,

because there is a considerable hit to

speed.

But there are times when it absolutely

makes sense.

Yeah,

it says pro went from seven to ten,

and you have access to all these different

Portmaster Pro, MailX and ModDNS.

So yeah,

Yeah, I like IVPN.

I think they're really cool.

I know I cannot find it to save

my life.

I should probably try again because it's

been a while.

But I swear back when I was on

surveillance report,

there was a period of time,

like a six month window, I think,

where we were covering VPN

vulnerabilities.

And I swear to God,

every single one of them was like, oh,

it affects this VPN, this VPN, like Nord,

Surfshark, Proton,

but does not affect IVPN.

And they were like, I swear to God,

there were like four or five of those

in a row where they would find

vulnerabilities.

And there was something about the way IVPN

was running their architecture that it

didn't impact them.

And I always thought that was...

I always thought that really spoke to

their security.

So they are one of the VPNs we

recommend.

We also recommend Mullvad.

We also recommend Proton.

They're all really great choices.

They all have pros and cons.

IVPN has a few cool features that I

really like, but yeah,

I think that's kind of these new exciting

changes.

Jonah,

did you have any thoughts about IVPN's new

direction?

I was just taking a look at the

forum thread here.

I don't want to like,

volunteer him to answer a ton of questions

necessarily, but I will say Victor from

IVPN is on our forum and it's pretty

active at least in IVPN related threads um

and i saw he was answering some questions

about the changes in this forum thread so

if you want to check that out if

you have any questions he might have

already uh shared some stuff i totally

agree that um

The device limit changes are very welcome.

Two is very limiting for sure,

especially as Jordan just said in the

chat.

To me,

it never made a lot of sense because

I think a lot of services were offering

more than that for quite some time.

Also, there are workarounds for it.

Like on your home devices,

you could use IVPN on your router to

kind of connect as many devices as you

want.

But then you can only do that at

home.

You can't do it for a lot of

remote devices.

Obviously,

you have to distinguish your pricing plans

somehow.

But yeah,

I think it still makes sense for them

to increase it at least a little bit.

Otherwise, yeah,

it seems to be a good value.

As far as I know,

they had they had all three plans before,

right?

There's not a new one.

I don't remember what the difference was

between them, though.

I'm gonna go dig it up on the

web archive.

Yeah,

cuz I'll just I'll just go back like

a week or something.

Because I don't remember how you got

access to MailX and ModDNS before.

No, no, no.

Those are new.

I think those didn't exist before,

but that's being added to the plan.

They existed before today, though,

I thought like MailX was announced a

while ago, I believe.

It was, it was announced a while ago,

but I think it was in like closed

beta because I remember they actually,

I feel bad about this.

Um,

they actually sent me an invite to test

it out and I got it.

Like I made an account,

I got into it and then I like,

I was like, okay,

now I need to find something I can

sign up with.

And I just kind of forgot to go

back.

Oops.

Oh no.

It looks like a week ago.

It looks like there were only two plans.

That's what I was.

Okay.

So what were the two plans?

So there was IVPN Standard that says

all protocols,

two devices and anti-tracker,

and that was.

A year.

And then there's pro that's all protocols,

seven devices,

anti-tracker and multi-hop and that's the

a hundred dollars a year.

So it looks like,

so they added the plus plan.

Yeah.

And, and then ups the device limit.

Okay.

Okay,

that's what I thought happened because I

did not remember three before.

But the changes are welcome.

I definitely think if IVPN is going to

add more services like MailX and ModDNS,

it is great that they added an

intermediate plus plan instead of...

just increasing the price of the standard

plan.

You always want to see a bit more

delineation,

especially with features that probably not

everyone needs.

Some people are going to IVPN just because

they only want a VPN and nothing else.

And it's nice that you can still get

the standard plan that they had before

with the increased device limit for the

same price.

And it's also nice that you can get

these additional features

In the meantime, as an intermediate plan,

I haven't used Portmaster in quite some

time,

so I'm not sure whether I would say

it's worth the extra money,

but maybe it is.

A lot of people on our forum seem

to use Portmaster and like it, so...

Definitely worth checking out, at least.

I should check it out again,

although I see they still don't support

macOS,

which is what I told them I kind

of wanted from the beginning when Safing

launched Portmaster.

And it seems like that has never changed.

So I couldn't use it on all of

my devices, then only my Linux devices,

which is kind of unfortunate for me.

But I guess if you use Linux,

you wouldn't have that problem.

Uh, and they also,

I was just going to say on their

old pricing plans,

they advertised like the two and three

year plans with an additional discount.

It looks like they,

they do still have those.

They just don't show it on the pricing

plan anymore.

So if I try to buy a plan,

you can see those additional tiers.

Um,

and that seems like a good option if

you want even more of a discount, um,

than, than they already provide.

Nate, you're muted.

Okay.

Yeah,

I'm gonna have to test out MailX for

sure.

Because I think I'm,

I'm always I'm very happy with SimpleLogin

and Addy.

But I think it's one.

It's kind of like email, right?

Like Tuta and Proton and Mailbox are all

good.

But it would be nice to have a

little bit more competition.

Instead of encrypted messenger number five

hundred and fifty seven million.

Um, and I, I feel that way about,

uh, uh, like aliasing services too.

It would be nice to have a little

bit more.

Cause I mean,

there are things like Firefox relay,

for example,

but they're very limited in what they can

do compared to something like SimpleLogin

or Addy.

So, um,

I'm really curious to check that out,

but I was just going to say, yeah,

I, um, up until last year, cause, uh,

when, when we moved,

we really scaled down a lot of our,

our stuff to kind of save money.

And, uh,

Um, I used to have SPN and it,

it's definitely come a long way.

When I first started using it,

it had a lot of like, um, disconnects,

I guess you could say,

like there were a lot of times that

things wouldn't load and I would have to

like on like disconnect and connect again

to get it to like reestablish the

connection.

Um, they really fixed that stability.

I, I liked it.

I never really noticed any issues with it

other than again, everyone,

it would still do that every once in

a while,

but nowhere near as bad as it used

to.

I think the, um,

The big issue that I have with it

is, again,

the fact that it does not work well

with third party VPNs,

which I don't know if that's maybe

something about the architecture and the

way that it's worked,

the way that it works.

Because like, like, again,

I put it on my wife's computer because

she doesn't usually use a VPN.

She doesn't really care for them.

But on my computer,

it's either basically you have to use SPN.

you have to use the router level VPN,

which I don't like to do because there's

certain things that I trust and I want

to send outside the tunnel,

like Tor or Signal,

or I just can't use Portmaster.

And unfortunately,

that's where I'm at right now.

So, yeah.

I don't know.

I like it though.

It's got a really clean UI.

The SPN is a nice benefit.

I was just looking at the Portmaster

pricing because there's another point I

want to make after this.

But I will say,

Portmaster Pro is a bit more than I

thought it was.

It's already eight euros a month to pay

for independently.

So IVPN's pricing,

if you want Portmaster Pro...

which includes access to SPN,

which is like, I mean,

it's a VPN service that Safing offers.

Safing being owned by IVPN now, obviously,

with some additional benefits beyond a

VPN.

So if that is something you want access

to,

and then you also want any of these

other IVPN features,

the plan change actually seems like a

great deal because I don't think any of

them, I mean,

none of the plans came with

Portmaster before for sure so it is

kind of a step towards something like

proton unlimited for example that gives

you access to all of these things um

but on the other hand what I dislike

about some of these services is that uh

ModDNS, MailX, you can't pay for separately

which I think is kind of unfortunate

because like even with SimpleLogin right

now if you don't want

a Proton subscription or you use Proton

but you don't need all the additional

features of Unlimited and you just want

SimpleLogin,

you can still buy those products

independently.

And typically, if you use all of them,

bundling ends up being a lot cheaper,

but I would love to see some tier

of MailX that you could use independently

of all the IVPN stuff,

especially because you don't get it on the

IVPN

base plan so that does make it fairly

expensive for people as opposed to SimpleLogin,

which is thirty six dollars a year

um just for access to SimpleLogin but

that probably continues to make more sense

than paying eighty dollars to IVPN if

that's the only service you need um so

it'd be nice if that was independent but

Beyond that,

the bundles do seem like a good value

for people who are using it.

And especially, I mean,

if you're using IVPN standard already and

you're using something like SimpleLogin

for thirty six dollars,

you basically get a new aliasing service

for only a twenty dollar difference for a

year plan instead of the thirty six.

So, yeah, bundling it could make sense.

I see a lot of different opinions about

bundling stuff in general,

like on the forum.

I don't know if my camera just

disconnected.

That's weird.

Yeah.

Did your camera overheat?

We still hear you though.

I don't know.

I'll figure this out.

You can go back to talking more stuff.

Yeah, no,

I was gonna say I know what you

mean.

Like bundling is it I mean,

you really hit the nail on the head.

Like on the one hand,

it's it's cool to have a whole bundle

like Proton Unlimited or like this IVPN

Plus or Pro suite.

And it's really cool.

But only if you're actually going to use

all those things.

If you're just like, No,

I just want MailX for whatever reason,

or I want ModDNS for whatever reason,

it,

it probably doesn't make sense to pay at

dollars a year.

Um, but yeah, it's, uh,

it would be nice to see them offer

that more modular thing.

I think my concern is, um, uh,

I,

my only reservation is I worry about

companies trying to do everything at once.

Like one thing I really admire about

Mullvad is they're basically, I mean,

they do have Mullvad Browser,

but for the most part,

they only do a VPN and that's all

they do.

And they don't really seem interested in

doing anything else.

And that's great.

I mean,

they do have like some public DNS servers

you can use, but it's not like this,

you know, this...

ModDNS standalone DNS service with block

list combinations and configurable rules.

Like Mullvad is just like,

here's our DNS.

You can use it if you want,

or you can not, we don't care,

but there it is.

And I,

I really respect that kind of like

specialization.

Whereas you look at things like proton

that rightfully so get a lot of, um,

a lot of criticism for the fact that

it's like, yeah, that's cool.

You have five hundred tools,

but like they don't work for crap on

Linux.

Ninety percent of the time, you know,

the the feature parity across operating

systems is just trash.

Like, you know,

there's there's features that people have

been asking for since I got into privacy

ten years ago that you still haven't

rolled out.

And so I just I worry.

I hope that they they aren't going to

bite off more than they can chew is

what I'm getting at.

So it is really cool to see them

add more and especially like

as much as I love IVPN, I

gotta be honest,

like I think between Mullvad and Proton,

I have kind of been struggling to figure

out like what their,

their niche is and what their selling point.

Like, again,

I think they have really good security and

I don't think they're bad.

Like,

I don't think we shouldn't list them or

anything.

And there's,

there's a couple of neat features they

have.

Like they have this feature on,

I think it's Android only where you can

set up a trusted network.

So like, let's say your home network,

you have a VPN on the router, right?

You can tell your,

your IVPN app that like, Hey,

when you connect to this wifi turn off,

Because there's no point in having two

VPNs.

I mean, I know some people want that,

but for the average person, it's like,

I don't need that kind of speed slowdown.

But then when you disconnect from that

network, turn back on.

And so it automatically,

like you never have to manage your VPN.

And I think that's a really,

really cool feature.

But, um,

But yeah,

other than like little things like that,

I'm like, yeah, what are they really?

Because like Mullvad's thing is like

hardcore privacy,

hardcore anonymity and Proton's obviously

got the suite and they promised they work

with streaming services and stuff like

that.

So I guess what I'm getting at is

it is nice to kind of see them

starting to like carve out a niche again

and start to have like these competitive

features again.

And I think that's really cool.

And yeah, I saw that comment too.

Damn, almost two hours stream.

Yeah, this is normal, man.

Where you been?

No,

what was crazy was the other week we

went for like three and a half or

four hours.

That was wild.

We got a lot of stuff to talk

about every week.

Exactly.

Got a lot to say, man.

And then, yeah,

somebody else said ProtonDrive for Linux.

Yeah.

Yeah, exactly.

I wish.

Is ProtonDrive supported by Rclone yet?

I feel like I saw something about that.

Oh, I don't know.

That's above my skill level.

Oh, yeah, it is.

Yeah.

So technically,

there is a way to use it.

But yeah,

Proton Drive sadly doesn't have an

official API,

so they kind of just did the best

they can.

But Proton can kind of change it any

time.

I vaguely remember that now.

Which is interesting.

Their website says that they believe it

works.

I don't know what has...

Maybe something has changed.

Like I said,

Proton can kind of change all of that

at any time, so...

Not a great solution.

I would definitely rather Proton Drive

just release a Linux client,

but Linux support doesn't seem to be a

huge priority for Proton in general across

any other stuff.

I think that's one of the many problems

I have with Proton.

But what can you do?

I agree.

Just about IVPN really quick.

I was trying to look through their site

and find out more about these plans.

And if anyone from IVPN watches this,

I literally signed up and then tried to

change my plan one time and it says

too many requests.

Try again later.

So I don't know what's going on with

your site,

but the rate limiting might need a bit

of work.

rate limiting plans.

I've never heard of that.

That's interesting.

Yeah, I don't know what's going on there.

But yeah, overall, I think it's cool.

Definitely some concerns.

But yeah.

I think that's all I got for forums.

You ready to move on to the Q&A?

Yeah,

we'll have to look through the chat here,

see if we miss anything.

I saw on the forum thread,

we basically just got one question in

advance this week.

Expert-FortyEightSeventy asked,

if we could add XMR chat as an

option for stream donations?

And the answer is yes,

I would love to do that,

but I keep forgetting to do that.

But also,

I'm not sure if we can show Super

Chats on the screen with an XMR chat

in the way that you've seen it on

other streams.

Just because we're not using OBS,

unfortunately,

so I don't think we can show those

banners in StreamYard here.

But we could definitely do it, and...

I don't know, manually type it.

We currently type the banners like the one

you see on the screen right now.

So yeah,

if I remember to set that up,

we can definitely test it out.

Hold on.

So it, uh,

I don't know if it will relay chats,

but if you go to their front page,

it says how to use XMR chat.

It does have instructions for StreamYard.

It looks like it has to go through

Twitch though.

Interesting.

Oh,

cause it'll cause it'll send the message

in the Twitch chat and then we could

do it like all the other comments we've

been doing.

So I guess, I guess we could potentially.

Yeah.

I mean,

we'd have to look into that more.

I don't know if that's exactly what they

mean, but yeah,

that could potentially be an option.

Yeah.

All right,

let's see if I got any other questions

here.

Cool.

Yeah,

that's all we had in the forum this

week.

And I think we've been trying to answer

questions as we go,

so hopefully there's not too many.

So I'm looking through some of the names

here on some of the other creators on

XMR chat.

Not a FBI honeypot.

That's a good one.

Thanks for letting us know.

Cool.

Let's see here.

I could get lost in that.

I do that sometimes.

I just scroll through pages and pages of

usernames and stuff.

I like seeing what other people come up

with.

It's very fun.

I feel like I have heard of an

FBI honeypot.

I think they subscribe to our channel.

I think I've seen a lot of comments

from them on our videos, actually.

So that's interesting that you put that

out.

Oh, then hi if you're watching.

I like your username.

It was funny.

Here,

we just got a question from Cannabidder.

Any thoughts on Session shutting down?

Um, I mean,

I have thoughts on that one.

I'm, I'm really sad about it.

I've, uh,

I think he was actually one of the

first people I interviewed, um,

back when Surveillance Report used to do

more interviews on the channel.

And, um, I don't know.

I, uh,

Maybe he was first.

I can't remember if he was first or

John Todd was first, but I don't know.

He's always been a really accessible and a

really cool guy, and I'm disappointed.

I'm disappointed for a lot of reasons.

I'm disappointed because I think even

though Session was never an official

recommendation from Privacy Guides,

or at least hasn't been for a long

time,

But I think it still served a useful

space for people who didn't want a phone

number,

for people who wanted the

decentralization.

And you have to remember,

this was before SimpleX.

So now SimpleX kind of fills that niche.

from a security standpoint,

a little bit better.

But, you know,

I think that at the time they served

a really valuable niche.

I'm also just really disappointed because

I know they like just moved their entire

community to Switzerland as a response to

some like pressure from Australian law

enforcement.

And I don't know,

I like and they just announced they were

trying to roll out a perfect forward

secrecy,

which I think would have

I mean,

I don't want to speak for anybody here,

like speculate too much,

but I think could have potentially put

them back on privacy guides.

Like we talked about that as a headline

story.

That was actually one of the first

podcasts I did with you guys.

So I don't know.

I think it,

I know every day that goes by,

it's less and less likely,

but I really hope something good will come

out of it because I do think they're

really showing a lot of potential.

And I do think they potentially serve a

useful niche.

And I don't know.

I hope they don't shut down,

but I know it's getting increasingly

likely as the days go on.

Those are my thoughts.

yeah i think to me it seems definitely

pretty unlikely that they would reach

their goal funding unfortunately it just

goes to show i think how expensive running

a proper messaging service is um you know

people always say something like Signal

for example is massively overfunded and

like what could they possibly be using all

of this money for but um

in most cases, like, I mean,

this kind of thing barely breaks even at

best in the best case scenarios, usually.

A couple problems with it is just how

expensive it is to run reliable stuff,

but also having, like,

Mozilla also has this problem where they

say, you know,

you have to pay a lot of money

to get, like,

really good developers behind this stuff

because

the opportunity cost to work at a place

that pays you much less is just so

high because very good software developers

can command huge salaries like one hundred

fifty two hundred thousand or more and you

have to you basically have to pay that

to be competitive even if you don't have

enough money I think yeah you have the

FAQ up I don't know

I don't know what my camera is doing.

This computer is not my favorite so far.

It continues to have problems.

Anyways, yeah, looking at that FAQ,

like I said,

I don't think it's likely that they will

get it, unfortunately.

And they even say,

compared to their competitors,

they operate extremely efficiently,

but I mean...

That's just more proof that it's just

really hard to do something like this.

And I think that a lot of their

excuses or a lot of their reasoning for

why these are problems are more more

believable than than Mozilla's.

I know Mozilla used that justification to

like pay their CEO like

millions of dollars wastefully because

they also were running mozilla into the

ground with insane decisions so it

definitely wasn't worth it in that case

but um yeah in this case like the

people who were developing session um just

need more money than they were taking in

and there's not too much you can do

about that i think it was hard um

because i think a lot of people

I didn't like Session as much when they

switched away from the Signal protocol.

I think that made it more difficult for

people to trust them,

especially because Session was relatively

new and rolling your own protocol is

usually not a great idea,

especially if you can't trust them

necessarily to do it properly because you

don't know what their experience is.

So I think that was an issue with

Session.

And then the lack of certain security

features, like perfect forward secrecy,

I think was a challenge for people as

well.

Kerry said he's bummed because it's

fundamentally different than Signal.

I agree.

Session was a weird app because it is

decentralized,

but it's not as decentralized as something

like SimpleX,

which is a decentralization model that

makes...

a lot more sense to me in my

head if I think about like how it

should work.

Session's was strange and I don't know if

it still is.

I haven't looked into Session in the last

year or so,

but I know for a very long time

and this may still be the case,

you needed to be in their cryptocurrency

ecosystem and you needed to have like a

significant holding of of their token in

order to run a node at all.

So it wasn't decentralized in

The same way that SimpleX or the same

way that the Tor network are,

where it can be totally volunteer-run,

there would be really no way for someone

like me, for example,

to contribute to the network in any

meaningful way,

which I think hinders the decentralization

aspect a bit.

I've always said and I would continue to

say the obvious replacement for Session

for most people is probably SimpleX,

but I know that gets in hot water

lately because they've taken on VC

funding,

which is not a great trend that we've

seen SimpleX and Bitwarden and other open

source companies begin to go in lately.

So a lot of problems with all of

these apps,

a lot of upsides and downsides.

Sick Scorpio just asked,

speaking of Mozilla,

are we interested in covering Thundermail

Pro?

I believe at least some of our team

members did get access to the beta and

we are hoping to do something on it.

Absolutely.

Seems like an interesting service,

but don't know too much about it yet.

Yeah,

I think that conversation just came up

today.

So it's a conversation we need to have.

I would love to.

It's not me, by the way.

But yeah,

I would love to cover it for sure

and see if, I don't know,

maybe that person can answer my questions

sufficiently to the point where,

or maybe they want to host the video.

I don't know.

But we'll have that conversation for sure.

I'd be down to do it.

Carrie just said that's the staking unit.

And yeah, I'm looking at the website now.

There is still a staking requirement.

You need twenty five thousand of whatever

this sesh coin is.

I don't know how much that is worth,

but I think it's not.

I think it's somewhat significant,

unfortunately.

They have a thousand nodes,

which is a pretty substantial network,

actually.

I'm not sure who runs those,

but the whole cryptocurrency aspect of it

still doesn't make a lot of sense to

me.

Yeah,

a lot of people really criticized that.

People had a lot of criticisms.

Some of them, I think,

were more valid than others.

I think you mentioned their whole,

the reason it costs so much to stake

is because they were trying to avoid

what's called a Sybil attack,

which is where, for listeners,

it's basically like,

that's an argument people make about Tor,

right?

It's like, well,

what if the US government just rents a

bunch of VPSs and runs like a million

Tor nodes,

and now they own so much of the

network that they can easily correlate

traffic?

Right.

And so that's what session was trying to

avoid is every time somebody spun up a

node,

the price increased so that it would

become financially unfeasible for a

government to do that.

And I think you could argue that like

they, that was the wrong approach.

I think that's totally fine,

but I think their logic made sense.

So yeah, I mean,

then there's other things that people

would criticize that I'm like,

that's just a dumb thing to care about.

So I don't know.

The obvious counterpoint I think is that

If you're worried about somebody with the

resources of the government running a ton

of nodes on the Tor network,

that has a significant cost.

And they can also just spend that on

session tokens.

So I think it actually makes it...

in my opinion,

probably more likely that very well-funded

adversaries could perform a Sybil attack

on the session network.

Whereas with Tor,

there's always going to be like,

that's very possible.

And we've seen very large families of Tor

nodes operated before,

but also we know that

a ton of volunteers are running this,

and there are always going to be a

lot of people who are just contributing to

it for the sake of doing so,

whereas that isn't really possible here.

I'm really curious how much a session

token actually is or where you can buy

it.

Right now, it looks like it's worth zero.

They've probably pulled the plug on it in

light of their impending shutdown,

but it looks like...

In the last year,

it looks like it peaked at about twenty

five cents or twenty one cents.

So it was never a particularly expensive

token.

So, yeah, I guess I mean,

even at like.

Their lowest point before the

announcement, um.

was around four cents.

But if you need twenty five thousand,

you're still talking about a thousand

dollar minimum investment.

That would be hard for people.

I think most independent server operators

to justify unless you really liked

session.

Yeah, that's true.

And for most of the time,

if I'm looking at this graph,

it was a lot more than four cents.

So it would have been it peaked at

like twenty one cents,

which is

I don't know, how much would that be?

That'd be like over five thousand dollars

that you would have to just stake forever.

And it obviously wouldn't have turned out

to be good financially either because now

it seems like you're just gonna lose that.

Nate, you're muted again.

God dang it, I just said very unfortunate.

So yeah, uh, Cannabidder just asked

how big is the Privacy Guides team, uh,

staff wise. Um, uh, it's it's me and

Nate and Jordan right now so it's three

um

The whole team varies.

What are we at, eleven people?

But you can always go to the forum.

I'll just show this really quick.

If you go to the forum and on

the on the left hand sidebar,

if you hit the more menu,

there's a team members option and then you

can see how many people are listed on

there.

So.

Depending on how you count it,

some people are more active than others is

the only reason I say that.

But certainly a good number of people

volunteering.

Cool.

I think that's probably it for questions

as far as I see for now.

Anything else, anyone?

Last call.

Last call.

Oh yeah.

Look at that.

If you go to the website and you

click on team members under the about

section, it lists everybody.

Yes, there are ways to find out.

But currently in terms of staff,

just us three.

And honestly, mainly video stuff.

We do pay for other things,

like on a contract basis.

So like,

Freya gets paid on a per article basis

for the news stuff.

If other people contribute news briefs,

they would get paid as well.

And we do one off projects.

So we're working on some stuff with

individual contributors,

if we think it's a valuable use of

our resources,

but we can only really do so much.

Just in case anyone's wondering,

I don't get paid per article.

So you'll see when I put out like

a whole bunch of articles,

it's not because I'm trying to make more

money.

It's because I'm just like, Oh, cool.

I have, I have some thoughts on this.

Cause I know I kind of go up

and down.

Like sometimes I don't post anything.

And other times I put out like three

or four articles a week.

And usually it's,

it depends on the workload.

So I try not to, um,

I try to be very mindful of not

to give you guys a little peek behind

the scene.

Jordan does most of the editing.

So if I'm just constantly writing and

filming,

I will overwhelm Jordan really fast.

So sometimes I hit a point where I'm

like, okay,

I think Jordan has a couple of videos

to edit.

I'm going to,

I'm going to write some articles.

Terracotta Pie asked,

is there a big need currently to have

more people to run Tor nodes to strengthen

the anonymity of the Tor network?

And the answer is always yes, there is.

And that's the biggest benefit of running

additional Tor nodes.

I believe,

I just wanted to pull up on their

website to see if they still have this

graph easy to find.

In terms of like

bandwidth.

The Tor network typically has well more

than enough collective bandwidth than

they're actually using,

but additional nodes will still speed it

up by spreading out that load a bit,

and the biggest reason is definitely to

increase anonymity.

To prevent those Sybil attacks we were

talking about, the more operators,

the better in pretty much all cases.

If you can't...

There's a huge need for exit nodes more

than anything, but those have...

considerable risks involved.

So I can't really recommend most people do

that because your ISP can see any of

your traffic and they'll be seeing a lot

of random Tor traffic that probably some

of it is not going to be desirable

for your ISP to see.

So it could cause a problem, certainly.

But other types of Tor nodes are helpful,

or I think a big help is running

more bridges,

especially if you want to do this from

a residential IP.

Unless you're in a country where Tor is

completely illegal,

then you probably shouldn't be running a

bridge, obviously.

But in most countries,

you can definitely run a relay that's a

non-exit relay with no issues at all.

And if you run a bridge,

that's very helpful,

not just for anonymity,

but for strengthening the anti-censorship

properties of the Tor network.

Because if you run a bridge,

your IP address is not published in the

Tor directory,

It's harder for countries that are

adversarial to Tor to block,

and that allows a lot more people to

access the Tor network than would

otherwise be able to.

And there are various ways that that

traffic is obfuscated as well,

which makes it more difficult to determine

whether you're running a Tor relay in the

first place.

I think general purpose relays are usually

more helpful, but if you can't do that,

running a bridge or running a Snowflake

bridge is probably the easiest way to do

it.

But there are other types of bridges as

well.

You can run a dedicated Snowflake bridge

on a server or your computer,

but you can also do it as easily

as installing an extension in your web

browser without having to install any

server related stuff.

And then it just runs whenever your web

browser is open.

If you don't want to do literally any

server stuff at all,

you can download the Snowflake extension

and still contribute to the Tor network

that way.

So there's a lot of ways to contribute.

And I think the Tor network would always

appreciate more people doing that.

I just wanted to offer my experience

because I ran a Tor node a while

ago.

It's been a minute since I've done it.

Number one, yes, I'm with you.

I think it would be awesome if we

could get more US exit nodes strictly

because

It's not so much of an issue nowadays,

but I know for a long time,

Tor was practically unusable to me because

every website I went to would default to

usually German because my exit node was in

Germany,

and I could never get an exit node

in an English-speaking country,

and it was so frustrating.

I realize, as I say,

that I haven't had that issue in a

while, so maybe they fixed that, but...

Yeah, exit nodes, there are certain ISPs.

I don't think the Tor project keeps a

list anymore,

but there are certain like VPS providers

who are friendly to exit nodes.

You can reach out to them and ask.

And I would say that to your ISP

too, because I was very surprised.

For a while,

my wife and I had Google Fiber and

I reached out to them and I was

like, hey,

I want to run a Tor node,

like not an exit node.

I just want to run like a middle

relay.

And to my surprise, they were like, yeah,

go for it.

And I was like, really, Google,

are you sure?

And like,

but I ran an exit node or not

an exit node.

I ran a middle node out of my

apartment for,

God,

probably close to a year and never had

any issues at all.

But check with your ISP because some of

them do not allow that,

even if it's a middle node.

I think by default, your middle node,

once you've been online for a while and

they consider you trustworthy,

you will be upgraded to a guard node,

which is basically like an entry node.

I think there's a way to opt out

of that if you don't want to do

it.

But I think by default,

those are the ones that tend to be

less risky because everything's encrypted.

So as long as your ISP is cool

with it, that's fine.

But yeah, exit nodes,

what I've been told is it's kind of

a double-edged sword because on the one

hand,

if it's coming out of a data center,

like if you host a VPS,

then there's a lot of websites that'll

probably block it just by default.

But on the other hand,

like Jonah was saying,

it can potentially be risky to run it

out of your own home.

I have a friend in law enforcement.

He's told me it's usually not an issue

that I'm not a lawyer for the record.

Let me finish.

He's told me that in his experience,

it's not usually an issue.

What will happen is the cops will like

get a flag that, you know,

from the ISP.

They'll go to investigate and the person's

like, oh, I run an exit node.

Here's my server sitting in the corner.

I can show you.

I'll pull whatever logs I have,

but I probably don't have anything.

And the cops just roll their eyes and

go, well, that's frustrating.

Um, but again, we're not lawyers. We don't

know what will happen. So yeah, I would

talk to a real lawyer. I would try

to get some expert opinion on that before

gambling. That's why I've never done it

myself. So, um, yeah.

I will say real quick,

one last thought on that.

What I tried to do in my last

town that nobody ever got back to me,

this was also right when lockdown started,

which is probably why nobody got back to

me.

I should probably try again in this new

town.

Try if you can to get in touch

with schools or libraries,

public institutions,

because in a perfect world,

that would be the best place to run

it.

If you can get your local university and

be like, hey,

this is a really great project for your

students because it will teach them how to

be sysadmins.

It'll give them hands-on experience with

Linux and

All that kind of stuff.

It'll help strengthen the system.

And they could run an exit node out

of the university's IT department.

And they have the legal team.

They're equipped to deal with it.

Public libraries, I think.

It's hard to get a hold of somebody

because these are really busy,

usually underpaid people.

But I forget where I got that piece

of advice from.

But if you can get a hold of

somebody at a public institution like

that, that would probably be the best.

Because then...

It's less likely to be blocked compared to

a data center,

but it's also less liability on you.

But yeah, it's tricky.

There's no easy solutions for an exit

node.

No.

Talking with law enforcement or the feds,

another thing that I've heard is that

traffic from Tor,

for one reason or another,

is not super big on their radar anymore.

They're seeing a lot more traffic through.

I talked about this a long time ago.

I don't know.

It was probably like...

half a year ago on one of these

episodes,

but they're seeing a lot more suspicious

traffic coming out of residential proxies.

So it's probably far more dangerous than

running a

than running a Tor node to just buy

some random Android box on Amazon and

install that on your network.

That's how most of that stuff happens,

and they end up knocking down some

grandma's door because they bought some

cheap Android box on Amazon that's

relaying some random traffic through

there.

There's a lot of

If you search up pretty much any of

these residential proxy companies,

there's a few of them,

and they all claim that their IPs are

above board,

but pretty much every single company that

is offering access to residential IPs or

ways to get around VPN blocks are all

getting those IPs and connections through

very unethical means,

whether that's

dedicated Android boxes or malware browser

extensions that get installed on people's

computers or what have you.

And that tends to be a bigger concern

nowadays.

So just something to think about.

I think we did talk about that a

few months ago.

I forget what the context was,

but I remember you talking about that.

I guess maybe last question.

Do you have any experience with I2P?

You know, I just wanted to look.

We used to list it on our site,

and then we removed it.

I don't remember if we added it back,

so I wanted to look at Privacy Guides

and see if it's still on there.

While he's checking that, I personally,

I think I tried to tinker around with

it one time, and...

I found it very difficult to understand

and use.

And it's also like,

it's the same problem with like Tor,

right?

Is a lot of people download the Tor

browser and their first thing is like,

okay, now what?

Like, you know,

there's no Google for Onion sites, right?

So a lot of people have a hard

time finding Onion services.

So it was kind of the same thing

for me.

It's like, okay,

now that I've downloaded it, now what?

I guess the only difference is,

And maybe this is a point in I2P's

favor.

I didn't really know if I even set

it up right.

Because, you know, with the Tor browser,

you download it, you open it,

it says you're connected and you start

surfing.

And even if you never go to an

Onion site,

you know that you're using the Tor

network.

With I2P,

I never really had that indicator.

So I was like,

I don't even know if I'm using it

or not.

And I think maybe it was user error

for the record,

because this was way back in my early

days when I was first starting my privacy

journey.

Yeah.

I was screwing up a lot of things

cause I was kind of just throwing

everything at the wall and seeing what

would stick for me.

Um, but yeah, I,

I personally found it at the time to

be a little bit user unfriendly and I

don't know.

I've just, I've always,

I've never really bought into the, um,

the claims that Tor is like super

compromised and can't be trusted.

So like, is I2P better?

Maybe, I don't know.

That's above my head.

I'm not really qualified to say,

but personally I don't have any issue with

Tor that stops me from using it.

So that's my experience.

Yeah, I think what holds I2P

back, um, significantly is the lack of a

user, like a general purpose accessible

option. Um, Tor is very useful for

non-technical people. People, I mean, a lot

of people probably imagine that, like, Tor

isn't used that much except, like, in the

privacy community, but that, that is not

true. Like, in a lot of countries where

there is extensive censorship, Tor sees

a lot of use by a wide variety

of people, whether that's I mean,

not even necessarily through the Tor

browser on your computer a lot of the

time,

like the people who are more concerned

about privacy and anonymity are,

but like

using it on your phone or using Tor

VPN on your phone or whatever.

Those are very valuable tools to

journalists and to activists and other

just people in these censored countries.

And that really increases the...

usability of Tor a lot,

which first of all means that there's more

hidden services on Tor in the first place,

but also Tor has the option to have

exit nodes,

whereas I2P doesn't have that built in by

default.

It's possible to run an I2P service

that acts as an exit node,

and some companies will do that,

but it's very rare for that to happen.

There's only a handful of public exit

nodes on I2P that I know of,

and so using it

for that purpose,

for just browsing the web,

is pretty limited.

And I think that's a big reason that

I2P isn't very commonly used.

We do have it on our site again.

I do remember the discussion about this,

and then I can talk a bit about

my experience.

But we...

When we looked into this,

there are some benefits just from a

technical perspective compared to Tor.

I2P does a lot of interesting stuff that

theoretically does improve the privacy,

security,

anonymity

beyond what Tor is doing.

So for accessing I2P sites,

it's certainly better than accessing clear

net sites like through an exit node,

but it's probably better than accessing

Tor hidden services as well,

but not to a super significant degree.

And since the use case just isn't there

as much, it's...

I don't know,

not a lot of benefits to using it

over Tor, I would agree.

I tried setting up some stuff with it

like a year ago now,

but we just never really saw any

significant traffic, and it is,

like Dave was saying,

a lot harder to use.

When you set it up manually in a

browser, like with a SOCKS5 proxy,

you lose out on a lot of the

benefits that the Tor project provides in

Tor browser as well,

because Tor is not only

network,

but it's also a huge anti-fingerprinting

project.

All of the modifications that they're

making to Firefox improve your anonymity a

lot,

and you're not really getting that on I2P.

I suppose you could probably use Mullvad

Browser with a proxy,

but I don't know how many people do

that on I2P at the moment, and...

You kind of need a crowd of people

to blend in with, like Tor Browser has.

So unless a lot of people are doing

that on I2P,

Mullvad Browser is not going to be a

huge advantage.

But I'm curious about that now.

I should test out Mullvad Browser on I2P

sometime.

But yeah,

hopefully some of that made sense.

It's an interesting project,

but it's just not a lot of use

cases for it that I can think of.

I think looking at the website here,

Privacy Guides, unlike Tor,

all I2P traffic is internal,

which means regular internet websites are

not directly accessible.

So that's probably what held me back,

because I connected to it.

And I'm like, OK, cool.

Now what?

I have nowhere to go.

I don't know any of these websites.

So yeah, I don't know.

I agree with you.

If it's only accessible for other stuff,

I feel like that dramatically reduces.

Because I try to use Tor where I

can.

Um,

and that's the nice thing about Tor is,

you know, I can still go to,

to the Proton, um, most news websites,

some are hit or miss, um,

depending on the exit node that I'm on.

But like,

I can still mostly use the internet in

a normal fashion compared to this,

where it's like,

imagine if you could only go to hidden

services and it's just like, oh, cool.

That's not really going to be useful for

my day-to-day browsing personally.

Another thing I will say about I2P,

though, is that, well,

we just talked about a lot of reasons

that it's not super helpful for web

browsing traffic.

A huge advantage that I2P does have over

Tor is that you can really send any

sort of traffic over it,

and so it's far more flexible in that

regard.

You will see it used for file sharing,

for example,

whereas running BitTorrent on Tor

is highly recommended against and also

isn't as usable, whereas on I2P,

the network can support that type of

operation much better.

So if you have to share documents or

other files through means like that,

I2P could certainly have benefits that

Tor doesn't have there.

Yeah,

I2P is definitely something you could

use if you know the other people using

it and you want to connect to each

other through that and you want to build

your own network that goes through this

anonymizing thing.

But just for accessing public services,

there aren't a lot of public things on

there that would make it useful.

So I just want to give them that.

There are some benefits to it over Tor

for sure.

All right.

Is that it for the week?

I think that pretty much just about wraps

it up, doesn't it?

I think so.

Nice and chatty in the comments this week.

I love it.

I love it.

It really motivates us when you guys are

interactive.

And we're trying to be more interactive

with you guys as well throughout the

episode.

So thank you so much for everybody who

left a comment.

Yeah, absolutely.

All the updates from This Week in Privacy

will be shared on the blog every week.

So if you are not signed up for

the newsletter, you can do that.

Again,

I would like to remind people we send

out the newsletter when we start

streaming.

So it also acts as a good reminder.

You can also use your favorite RSS reader

if you want.

For people who prefer audio,

we offer a podcast available on all

podcast platforms and again on RSS.

And I mentioned earlier,

this video will be synced to PeerTube.

Privacy Guides is an impartial nonprofit

organization that is focused on building a

strong privacy advocacy community and

delivering the best digital privacy and

consumer technology rights advice on the

internet.

If you want to support our mission,

then you can make a donation on our

website, privacyguides.org slash donate.

You could also click the red heart icon

located in the top right corner of any

page on the website.

You can contribute using standard fiat

currency via debit or credit card,

or you can donate anonymously using Monero

or your favorite cryptocurrency.

Becoming a paid member unlocks exclusive

perks like early access to video content

and priority during the This Week in

Privacy livestream Q&A.

You'll also get a cool badge on your

profile in the Privacy Guides forum and

occasionally some early access content or

special content with our next video coming

up and the warm,

fuzzy feeling of supporting independent

media.

So thank you all so much for watching

and we will see you next week.