Claude Code Leaked It's Own Source Code
Hi, folks,
we got a lot to talk about.
Claude's source code was leaked.
LinkedIn scrapes your browser extensions.
There's a horribly insecure messenger app
going around and more.
All this and more coming up this week
in on this week in privacy number forty
seven.
So stay tuned.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we're working on
in the PrivacyGuides community and this
week's top stories in data privacy and
cybersecurity.
I am Nate,
and joining me again this week is Jonah.
How was your week, Jonah?
You know, my week has been pretty good,
thanks for asking.
Besides misspeaking during the intro
there.
Can't complain.
A lot of these things happen, right?
Yes, yes.
All righty.
Yeah.
I guess with that,
we'll jump right into our headline story
this week.
And you guys have probably heard about
this one.
So there's an AI called Claude,
Claude Code specifically,
because there's a few different kinds of
Claude.
I'm not a heavy AI user myself,
so I've heard that Claude is one of
the better ones in terms of the results
it puts out are mostly accurate.
It puts out mostly good code.
That's just what I've heard.
You could do a lot worse than that
one,
but we're not going to talk about that.
We're here to talk about the fact that
Claude code had its source code leaked
thanks to some human error.
To clarify,
this is the source code for the app
itself, the Cloud Code CLI,
not like the models or anything like that.
But it still gives us a little bit
of insight into what's going on under the
hood.
And...
I guess I'll go over it a little
bit, but I'm also mostly going to,
I mean, we're a privacy podcast, right?
So we're going to focus mostly on the
privacy and security stuff.
But just to kind of give you a
little bit of a recap.
So this happened because when they
published the newest version of the NPM
package, there was a source map file,
which I'll be honest,
that's technical stuff that goes over my
head.
But basically it allowed clever people who
noticed it
to access the source code.
Like we said,
it was almost two thousand TypeScript
files and more than five hundred and
twelve thousand lines of code.
I saw somebody else round up to five
hundred and thirteen thousand.
So, yeah.
I mean,
it's one of those once the cat's out
of the bag things, right?
Or once the horse has left the barn.
Because everybody quickly went and
downloaded this,
and there's other repos are springing up,
which we'll talk about that in a second.
Anthropic tried to get some of them taken
down with a DMCA takedown,
a copyright thing, basically.
unrelated we're not going to talk about it
but you know there was a whole uh
like github interpreted that dmca
according to the the official story github
interpreted that dmca a little harshly and
took down even things that were not
supposed to be taken down but yeah it's
it's been a whole thing um
So I've also seen some pretty polarizing
takes here because I think it was this
article.
Yeah,
this article said that its sophistication
is, quote, both inspiring and humbling,
according to some people who looked at the
code.
I saw some people on Mastodon look at
the code and say that it was pretty
sloppy and kind of shocking that it was
so bad.
But I mean, to be fair,
Mastodon tends to be a pretty anti-AI
crowd.
So I don't know who's telling the truth
there, but.
Yeah.
So, and then real quick,
before I jump into an analysis part,
we have like a follow-up to this story
that's related that says,
Clawed code leak used to push InfoStealer
malware on GitHub.
And this one comes from Bleeping Computer.
Basically, once the leak was out there,
a lot of people started...
putting up their own GitHub repos where
they would advertise that this was cloud
code with all the paywalled stuff removed,
basically.
So free premium cloud code.
And they would game the SEO to make
sure that it would show up in the
front.
If y'all are watching the video,
you can see here,
this one outlined in red is like the
third result from the top on Google.
And this is one of the malicious ones
that the article focused on.
And yeah, turns out, shocker,
it includes an InfoStealer malware.
I'm going to go out on a limb.
The article didn't say this,
but I'm going to go out on a
limb and say that it did work once
you fired it up.
Because usually that's how it is, right?
It works,
so you don't think anything's wrong.
But when you install it,
it's actually got that InfoStealer in
there.
And they said that there were multiple
repos like this.
So...
yeah so um cyber security takeaways from
this the we're covering this as a headline
story partially because this is a really
big story going around right but there's
there's a couple reminders here um one of
them is as far as the uh the
repo thing goes you know we we always
talk about making sure you get things from
an official source and um not not to
go too far out of my way to
pick on google here not like they don't
deserve it but uh you know we've been
covering a lot this whole google side
loading story and you know google
is trying to act like, oh,
this is all for security, right?
It's dangerous to get apps from a
third-party store,
even though the Play Store has plenty of
malware on its own.
But even so,
the point being is get things from a
trusted source.
Signal, for example, does have an APK,
but it's kind of hard to find.
But it is okay to get it from
the Play Store because that's a trusted
source.
Um,
there's also other places that you could
get the APK directly.
There's third party app stores like F
droid,
which I know have some concerns about
them.
But the point being is like,
this is when I go to download something,
typically what I do is I go straight
to the developer's website and I go, okay,
what are their official channels?
And then they'll say, you know, it's,
it's on the play store.
It's on F droid.
It's on GitHub directly.
And then I'll look at the list and
decide which one I want to use.
It's not so much the channel it's making
sure it's, it's official.
Um,
So maybe don't try to get free Claude
doing that.
And then, yeah,
just the other takeaway I had was the
whole source code leak thing.
Anthropic was really quick to own up that
it was a human error.
They said here, what was it?
Yeah,
this was a release packaging issue caused
by human error, not a security breach.
Yeah,
not like AI doesn't do this kind of
stuff all the time.
But, you know,
it's just remembering that there is...
remembering the human element in
everything.
You know,
if you listen to any social engineering
people,
they're always quick to point out that
humans tend to be the weakest link in
any system.
You know,
I could spend a lot of time trying
to,
if I'm trying to get into a building,
right?
I could spend a lot of time trying
to hack the door code or the card
readers or whatever,
Or I could come up with a really
convincing story for why I need to be
there,
usually involving a high-vis vest and a
clipboard, in my opinion.
But yeah,
so I think those are kind of the
more technical things that I took away.
Jonah,
was there anything specific about this
story that jumped out to you from your
expertise?
yeah there were a couple things that i
noticed and i was trying to find a
tweet that i saw from somebody else but
i couldn't pull it up here um but
i'll talk about some stuff going back to
what you said about mastodon i do think
it's interesting um
like the supposed quality or sloppiness of
the code,
because I believe Anthropic has said for a
while that all of their code base is
now AI-generated by all of their
developers.
That does, I think,
at least bring into question whether you
can DMCA or copyright any of this code
at all.
Maybe you can't because it's all
AI-generated,
which AI companies have been pretty firm
about saying, you know, this is not...
like a copyright concern at all.
So it's kind of a taste of their
own medicine there that all of this is
out, I think.
The main thing that I think we see
in this source code,
because like you said,
the models aren't leaked,
but there is a lot of information about
the
system prompts that Claude uses for a lot
of different tasks,
which definitely gives a lot of insight
into how Claude works and how like,
it like to to their competitors,
I think it gives a lot of insight,
like how you could make a similar product
and also
to people who are trying to do prompt
injections to bypass some of the
restrictions in placing cloud code,
you can more easily see how they're
implemented and get around them.
So I don't know how people are going
to end up using that,
but I think that there is a lot
of opportunity for people to do something
with it.
All of the AI stuff, I mean,
we've talked about it on the show before,
not...
the most interesting to me from a security
or privacy standpoint,
because like cloud code and all of these
AI models,
they're going to run fully in the cloud.
So they get all of this information.
I think it is sort of dangerous to
be using and relying on,
especially for sensitive information.
And that hasn't changed from any of this.
But yeah, it's interesting stuff.
The tweet that I was trying to pull
up talked about how Claude and how
Anthropic is using their AI to contribute
security patches to a lot of different
open source projects.
And they've been doing that out in the
open.
Certainly,
I've seen a lot of security
vulnerabilities submitted to
GitHub from Anthropic.
I think one of the latest Mastodon
security vulnerabilities in patches was
submitted by Anthropic.
So I believe I've seen contributions to
that and to Firefox and a lot of
other open source projects from them.
Unfortunately,
I just cannot find this source,
but maybe I'll be able to pull it
up later.
But I saw some information about internal
tools that Anthropic is using where the
system prompt is like,
create these security vulnerability
patches without giving any indication that
AI or cloud code is used at all.
So it's very specifically told not to
attribute anything to cloud or Anthropic.
It's told...
you know,
not to include comments that might
indicate it's AI, et cetera.
So I think that that's really interesting
that they are,
I don't know what cases they're using
those tools in.
I would have to find out more information
about that,
but I think it's interesting that they are
doing that.
Yeah,
it looks like you pulled up on the
screen some of the instructions that I
saw.
Yeah,
I found it on another article from Ars
Technica.
Yeah,
I don't know where the original thing is.
But yeah,
basically they were saying there's an
undercover mode.
So as you can see there...
they're basically telling Claude that
they're operating undercover in a public
open source repository.
So they can't contain any Anthropic
related information.
I can imagine that's probably used because
a lot of open source projects are very
anti-AI contributions and anti-AI pull
requests and just automatically close
anything that's AI generated.
So this is probably a way for them
to
um try and get around those restrictions
whether that's a good idea for them to
be doing or not i guess that's a
debate but um it seems to be what
they what they are doing and that's kind
of confirmed with this so i thought that
that was um fascinating yeah i agree i
i feel very torn on that because on
the one hand um
there's probably an angle I'm missing
here.
On the one hand,
I understand the idea of like,
let's just assume they're doing that
altruistically, right?
Like we want to make these open source
projects better.
We want to make them more secure.
You know,
like I don't think at Privacy Guides,
for example, correct me if I'm wrong,
we don't typically go out and solicit
people to like, hey,
come check out our website and make sure
all this information is accurate.
But we totally welcome it if somebody does
come up and they're like, hey,
I found an inaccuracy and they report it.
And I feel like that's kind of what
they're doing is, you know,
on the one hand,
it's like it's still creating a more
secure project, right?
Assuming that the bug report is good.
I know that's historically been a problem
is a lot of AI slot bug reports
that aren't really valid and they're not
really bugs or whatever the case.
And semi-related,
but I did see an article earlier this
week.
that said that actually there's been a
noticeable increase in quality on AI bug
reports.
So maybe they're starting to make some
progress on that.
But either way, point being,
I understand the idea of the end result
is the same and either way it makes
the project more secure.
But it also feels very disrespectful of
like, if I don't want AI reporting it,
why would you go out of your way
to hide that?
And I don't know,
it's a really weird thing and I don't
know how to feel about it.
But I did see that too.
That's really strange.
yeah i would be really interested to see
data on like all of the security related
pull requests or vulnerability reports
that anthropic specifically has reported
because i feel like there's two different
types of ai contributions to to these
projects i think a lot of them are
kind of slop contributions because a lot
of
a lot of people in the open source
space or some students, for example,
they want to pad their GitHub profiles
because it looks more attractive to
developers.
I see that quite a bit where if
you can get like a PR merge into
a major project,
it just kind of
looks good for you.
And so I think a lot of people
are just spreading a wide net and just
submitting a ton of AI slot pull requests
and hoping that some of them get accepted,
which is very annoying for open source
maintainers.
But on the other hand,
if Anthropic themselves,
if they have a legitimate interest in
improving open source tools,
which they probably do because a lot of
these big companies do use these open
source tools themselves for a lot of
different reasons,
I can imagine that
like somebody being like an engineer at
Anthropic being paid to use AI and submit
these pull requests might be doing a
better job in not just completely
submitting slop but like using AI to find
these vulnerabilities and write this code
but checking it themselves before
submitting it and writing like explainers
because they're getting paid to do this
unlike the people who are just you know
rapid fire submitting
vulnerability reports and PRs, right?
I don't know if that's true or not,
but I would imagine Anthropic would
probably argue that that's true and would
probably use that as the reason that
they're doing this.
And like I said,
I have definitely seen AI companies report
security vulnerabilities that were patched
to open source projects,
and some of them were major
vulnerabilities.
So there is some merit to the idea
that AI can find these vulnerabilities
more easily than, I mean,
I don't know if it's more easily than
people who are auditing the code,
but it certainly is happening.
So yeah, I mean,
if all of the reports that Anthropic
themselves are submitting are accurate and
worthwhile to fix,
I don't know if that's necessarily a
problem.
But of course, people are
all along the spectrum of AI and AI
contributions and AI code specifically.
So yeah,
I think that's going to be quite a
debate in the open source community for a
while,
and I don't know how people are going
to handle that.
Yeah, I don't know either.
It seems like one of the better uses
of AI, in my opinion,
as opposed to writing songs or putting out
blog posts.
It's still just, yeah.
Like you said, what, what would be the,
I wonder what the success ratio is,
especially from Claude.
And is there a human review?
It doesn't sound like it from that,
that snippet that I shared,
but that's personally,
that's where I fall.
Like,
I don't mind and I'm not a developer,
so maybe I just don't understand how,
how bad the problem is, but like,
I would imagine,
I don't mind if AI helps you find
the vulnerability,
as long as a human looks it over.
um but yeah i'm sure there's a lot
of people that are not doing that
unfortunately so yeah i mean we've we've
definitely talked about this in the
privacy guys community and when we're
talking about all these different tools
that we recommend um people really want to
see audits but they're extremely expensive
and um if ai is not being used
to like write new code but it's being
used as like a second pair of eyes
to take a look at all of this
code that could be a good thing um
You know,
it is not going to be perfectly accurate,
but if we're being honest,
all of these security audits that projects
are paying for are not completely accurate
or totally thorough either.
And they're certainly going to be cheaper
to run AI than have a whole team
of people auditing this code.
So while I would imagine it's probably
going to...
be worse quality and probably have more
false positives if you're using AI.
I do think that doing it and revealing
some of these vulnerabilities is probably
better for a lot of open source code
bases than not doing any sort of audits
at all and just hoping that the maintainer
catches all of these bugs.
So I can definitely see a use case
here.
It's a tricky situation.
Yeah, for sure.
I know it's not really AI per se,
but I know, and you probably do too.
I get the emails from GitHub every once
in a while.
That's like, Hey,
there's a thing that you use NPM or
whatever,
and there's like a vulnerability go ahead
and upgrade.
So yeah, I, I would be, uh,
I don't know.
I mean, mine's,
mine's just a static website,
so I can't imagine the damage would be
too terrible,
but still it's nice to get that proactive
without having to go out and get a
whole code audit thing.
So useful stuff.
But I don't have anything to add to
that story unless you did.
Did you want to tell us about this
next story out of California?
Yeah.
So this one was reported by the Los
Angeles Times.
Their headline is California bill would
require parent bloggers to delete content
of minors on social media.
Yeah.
So they have a quote here from somebody
directly impacted.
It says,
as the daughter of a social media
influencer,
Kami Barrett says she navigates life
within a digital footprint she wished
never existed.
Everything my mom posted is still on
social media, she said.
Photos I wish never saw the light of
day, private details about my health,
even when I started my first menstrual
cycle.
She was saying this at a Wednesday news
conference to advocate for Senate Bill,
which would require social media platforms
to offer a process for adults to request
the removal of content that features
themselves as minors and was created by a
family member who received compensation
for sharing material online.
So yeah, this is an interesting story,
and I guess it specifically relates to all
of these family influencers that we see,
which has definitely become more of a
problem lately.
Especially, I would imagine,
in California.
So it's interesting,
but probably makes sense that this is only
going to apply to...
kind of public influencers,
ones who are receiving money or
sponsorships in exchange for all of this
stuff.
But it is only going to be available
for adults.
So there isn't really a process that
prevents any of this stuff from being
posted in the first place or anything like
that.
It's only a retroactive thing that
adults can do about their childhood if
they were a part of like a family
influencer situation um does i i would say
i don't know if that makes a lot
of sense from my perspective because i
think as we always say um
anything that you post on the internet is
sort of permanent all of this stuff is
going to be archived and it could be
potentially years before you're able to
take any of this stuff down so uh
children who are like uncomfortable with
all of this going on um at the
moment i don't think have a lot of
protections um and i don't know um how
that should be handled to be honest i
know that that's been a debate that's been
going on for quite a while how children
should be
um like compensated for that is that
considered child labor um there's all
sorts of laws especially in the
entertainment industry and in hollywood
and on the internet um that that come
into play here so
I don't know if this is going to
really impact a lot of the people that
we see in the privacy guides community who
are trying to clean up their digital
footprint,
because I think a lot of people are
more concerned about smaller scale
situations than some of these commercial
ventures that this bill is going to
attack.
But I do think it's a good idea
for more privacy protections and some sort
of
process to get that data removed if you
are an adult and you don't want that
information out there.
So it seems to be a good thing.
I'm not sure how effective it'll be or
if it goes far enough,
but I think any protections and processes
to protect your privacy are good at the
end of the day.
Was there anything you wanted to note in
this article, Nate?
No, I agree with you.
It's funny.
I think most people would agree I'm a
lot more
lenient with some privacy stuff than a lot
of other privacy people are.
But like kids are kind of one of
the few things where I'm actually kind of
like,
like in a perfect world,
I think it should be illegal to post
pictures of your kids online at all.
Um, or at very least publicly, like,
you know,
if you're going to post pictures of your
kids,
it has to be in like a closed
group chat or like a,
a friends only Facebook post again in a
perfect world, there wouldn't be Facebook,
but that's beside the point.
Um, so like, yeah, this, I,
and I agree with you.
It's really sad.
Cause like, even in this article, um,
one of the,
one of the people they talked to said
that, um,
I think it was that first girl, Barrett.
Yeah, Kami Barrett.
Further down,
she says that she recalled being a target
for predators and online bullying,
said her mother was aware of the problems
it created,
but continued to share her daughter's life
on social media.
So, like, cool, thanks.
Now that I'm twenty, twenty-five, thirty,
I can ask you to take it down,
but that doesn't help me when I'm ten,
fifteen, sixteen, seventeen.
You know, like you said,
the damage is already done in so many
ways, and...
I mean, I guess, yeah, I don't know.
It's just, it's crazy.
And it's one thing I thought was
interesting is it says the legislation
requires that social media platforms offer
a process for adults to request the
removal of content.
And then basically from there,
they pass it on to the parent and
the parent has ten days to take it
down.
After ten days,
they get a three thousand dollar a day
fine.
So I don't know.
It's just it's really I'm with you.
I feel like it doesn't go far enough
and it doesn't.
it's not proactive enough,
but at the same time, I mean,
I guess it's better than nothing.
And I think that's, I don't know.
It's.
It frustrates me.
I wish it would do more,
but it's a story for sure.
A couple of things to note about this
story.
This bill hasn't passed yet.
It's just a proposal.
But this the person in question in this
article was talking about their support
for it.
The other thing I would note is similar
laws do exist in a couple of other
states, including here in Minnesota.
There are some laws that
here restrict um more highly how children
can participate in like commercial content
in the first place um so I think
if you're under thirteen you can't
actively uh participate in any of this
content creation at all you can maybe be
featured in it but you can't be um
Like an active part in it,
so I think that in Minnesota,
at least a lot of those toy unboxing
channels where people have their children
unbox a bunch of toys and that kind
of thing that's not allowed.
teenagers here in Minnesota are allowed to
participate,
but there are laws in both of these
situations around how that revenue is
split between everyone involved,
so there are some protections I think for
people participating in these commercial
ventures.
But from a privacy perspective,
I think they probably don't go far enough
in any case.
But it is interesting to see how this
is being handled.
It is a very, I think,
new issue with the internet and everything
that none of the existing laws were really
equipped to handle around child labor and
stuff like that.
So it's good that this is at least
getting attention,
and we'll see how this plays out.
Yeah,
it does say in California they have a
law that was signed two years ago that
content creators that feature minors and
at least thirty percent of the material
have to place some of their earnings into
a trust that children can access when they
turn eighteen.
So, yeah, like you said,
there's there's some it's an issue that's
starting to get attention for sure.
But.
Also, just on a personal note,
they interviewed Alison Stoner,
who they said was a former child actor
who appeared in films like Step Up and
Cheaper by the Dozen.
They were also Isabella in Phineas and
Ferb, and no mention of that.
And I feel so offended because I love
that show.
I just had to call that out.
Interesting.
I had to.
So in a little bit,
we are going to talk about LinkedIn's
browser scanning.
So that should be fun.
But first,
we're going to go ahead and jump into
site updates and talk a little bit about
what's been going on at Privacy Guides
this week.
Just this afternoon,
we dropped a new video.
It is currently members only.
So we usually leave those members only for
about a week.
This one is about encrypted email.
This is another one of those like really
beginner friendly videos that if you're a
bit of a privacy veteran,
you probably know this stuff,
but hopefully it's something that you can
share with your friends and family.
It talks about why mainstream providers
like Gmail and Yahoo aren't quite good
enough and how encrypted email works and
some of the different ones we recommend,
pros and cons of each.
So yeah,
if you are not a member yet and
you want to check that out,
you can join on YouTube or you can
go to privacyguides.org slash donate and
that will take you to a link where
you can sign up for a membership.
But that's what we did this week in
the video department.
And I will turn it over to Jonah.
Very cool.
Yeah, another thing we did recently,
Nate and I recorded this a few weeks
ago, but it's finally live.
We did a panel discussion on the Firewalls
Don't Stop Dragons podcast.
So episode four seventy four of that
podcast is now out.
It's called Privacy Guides Panel.
Nate and I are on it and we
talked about a ton of interesting stuff.
So I would definitely recommend checking
that episode out if you want to listen
to those discussions.
You can look at the table of contents
here.
It looks like Nate's showing that on the
screen,
but you can find the Firewalls Don't Stop
Dragons website for more information.
And if any of those topics sound
interesting to you,
Definitely check it out because it was a
ton of fun for us to record.
I think we talked about a lot of
cool, interesting, informative stuff.
So hopefully somebody finds it useful or
at least finds it entertaining.
In other news,
we again published a bunch of news briefs
that we're not covering here on this show,
but you can find our articles at
privacyguides.org slash news about them.
We have stories on Mac OS,
improving security in the terminal app.
a grandmother who was wrongfully arrested
because of facial recognition, iOS,
twenty six point five beta,
including end to end encryption for RCS
messages, Walmart,
digital price labels and more.
So definitely check that out.
Again,
it's privacyguides.org slash news if you
want to read those stories and let us
know if you have any questions about them
on the forum or anything else,
because there's always a lot of
discussions about these stories.
over there as well everything that we do
at privacyguides is made possible by our
supporters you can sign up for a
membership or donate at privacyguides.org
donate or you can support us by picking
up some swag like this water bottle for
example at shop.privacyguides.org
Privacy Guides is a nonprofit which
researches and shares privacy-related
information,
and we facilitate a community on our forum
in Matrix where people can ask questions
and get advice about staying private
online and preserving their digital
rights.
Now let's move on to our next story.
This is about NextCloud and OnlyOffice.
That is right.
So, um, full disclosure,
I am a next cloud user and a
little bit of a next cloud fan boy.
So, um, I'm bummed to hear this story,
but only office has suspended their
partnership with next cloud for forking
its project without permission.
And this comes on the heels of another
announcement.
So earlier this week, uh,
next cloud IONOS and several other
European tech companies
came together and announced this new open
source project called Euro Office,
which they describe as, quote,
a sovereign replacement for Microsoft with
intuitive interface and strong
compatibility backed by European open
source community.
Only Office has basically claimed that
this is a fork of their code.
And they say that this violates license
agreements because they offer only office
is source available or open source.
And they use the AGPL version three.
So specifically towards the end here,
if you're watching on screen,
you can see this, but towards the end,
it says we require compliance with
applicable licensing conditions,
including,
but not limited to the preservation of
only office branding logo and all required
attribution elements as defined in our
licensing terms, which is,
If this is a brand new project,
it would, of course,
have none of those things.
So for those who do not use Nextcloud,
you may or may not know that Nextcloud,
one of the things that it comes with
by default is an online document editor or
Office editor.
And there's a couple different ways to
make this work.
You can use Collabora online,
or you can use only Office.
And this has been...
I think they said for eight years,
only Office has partnered with NextCloud,
and now they are terminating that.
They do say...
I think they said that no, yeah,
no existing partners or clients will be
affected.
So basically if you've already got it
installed, you're good to go.
I don't know what that means for updates
and stuff, but yeah,
I guess we'll find out.
They also, interestingly, um,
just to throw it out there,
only office said that in the past,
and I'm quoting the article here,
next cloud has behaved in a manner not
expected from a partner,
including trying to poach its employees
and influencing customers against the
company,
but directly forking the project and
repacking it was the straw that broke the
camel's back.
Um,
Yeah, then kind of a statement here.
They said partnership is built on trust
and trust requires shared principles where
those principles are no longer upheld.
Continuing operation is no longer
sustainable.
For this reason,
we made the decision to suspend our
partnership cooperation.
And then just kind of, I guess,
a little bit more background towards the
end.
Lever Office has criticized OnlyOffice for
being, quote unquote, fake open source.
They say, for one reason,
OnlyOffice defaults to Microsoft Office
formats like DocX, XLSX, and PPTX,
which is Word, Excel, and PowerPoint,
rather than open standards like Open
Document Format or ODF.
And there's also, apparently,
Nextcloud says they didn't just
collaborate directly with OnlyOffice.
Let me rephrase that.
When asked why they didn't just
collaborate with OnlyOffice,
they said that there were a number of
reasons,
including that OnlyOffice is a Russian
company that tends to obscure its origins.
Developers often leave code comments in
Russian and many users are hesitant to use
software potentially linked to the Russian
government.
They also claim the only office
discourages contributions,
ignores pull requests and lacks
transparency since commit messages
frequently reference internal issue
trackers only.
So yeah,
I don't know that I have a lot
of thoughts on this one.
Jonah, did you have any,
like what do you know about this AGPL
V three, for example?
Yeah, so what's in question here is, well,
only office says that they've added
provisions to AGPL requiring certain
attribution in forks of the project.
So we could,
if I could share my screen here,
let's see.
Huh.
So they're talking about in their license
two things.
You have to retain the original product
logo when you distribute the program.
And they do not grant any rights under
trademark law for the use of any only
office trademarks.
And the Euro Office Project Initiative
basically removed these provisions saying
that
Basically, if I can find it here,
section seven of the AGPL says that you...
Which line is this?
Says that you can remove any additional
restrictions or any of these terms from
that license on your own.
And this is kind of the basis of
Euro Office's claim that they can kind of
change this license.
And they say that they don't have to
use their logo to...
Give attribution to OnlyOffice.
The AGPL is still going to require that
they provide some attribution somehow,
but according to the Euro Office project,
they don't have to use the OnlyOffice
trademark.
I think this is kind of interesting
because usually open source projects like
OnlyOffice in this position,
fight tooth and nail for forks to not
use their branding at all.
So the fact that they want them to
use their logo is kind of strange because
we've seen like Mozilla, for example,
when there's any Firefox forks,
they want to make sure that there's no
Firefox branding whatsoever associated
with that because they don't want it
associated with their
project um and related to this there's
actually another case um around it a few
years ago this started and then there was
a i think the latest update on this
was in um but a company called neo
four j um started a lawsuit against uh
another company purethink and
about a very similar issue.
Basically Neo-FourJ added a lot of clauses
to their AGPL license,
and Neo-FourJ said that because the AGPL
says that you can remove certain passages
or restrictions that were added onto the
AGPL, that they were able to do that.
And Peerthink actually lost this case.
This twenty twenty five article is
basically announcing an appeal that's
taking place.
I don't know if that's actually gone to
court yet,
but they
So yeah,
this article says that the AGPL allows
added-on terms like the Commons clause
that Neo-FourJ was using to be stripped
from the license.
And Neo-FourJ said that because they added
it,
you have to comply with all of the
terms of the license.
And the court basically agreed that any
terms in the license have to be followed
regardless of what the AGPL says.
And then the Free Software Foundation and
other organizations in the open source
space
said that that's not the case and that
they did intend this tenant or this
provision in the AGPL to work and for
these restrictions to be removed because
they believe that you can't really have
restrictions on free and open source
software,
which is kind of the point of the
AGPL.
So
It's a strange case.
It's definitely in a gray area.
And it really depends on how much
OnlyOffice wants to fight this.
But I think you could certainly argue in
the Neo-FourJ case and probably in this
OnlyOffice case that any of these
restrictions that are being added onto the
AGPL that have very...
specific restrictions on how the software
can be used probably make the software not
open source um so at the end of
the day you shouldn't be calling it an
agpo licensed project if you really want
these terms to be followed i think that
they would have to call it something else
and it
wouldn't be, I mean,
it would be at odds with the open
source in the same way that a lot
of these source available licenses that we
see are.
It's definitely a hot debate in the
community in general.
We've seen a lot of talk about like
the FUDO license, for example.
not being open source and they went with
a different name because of that.
But there's certainly other licenses that
projects are trying to use and they still
continue to claim to be open source when
in reality they're source available.
So I think that if only Office really
wants to follow through on having these
restrictions in place,
I think that would be very at odds
with their claims that they are an open
source
project um which would be a bit concerning
because the entire idea of open source is
that these forks should be able to exist
and like you should be able to completely
fork and create um this euro office that
nextcloud is making um without any
restrictions or preservation of OnlyOffice
branding.
That doesn't make a lot of sense for
a fork to be doing.
And so OnlyOffice is in a bit of
a strange situation here.
It's always the business
pace against open source software in
general.
They don't want people taking their work.
And OnlyOffice clearly believes that
because they say that they've spent years
building a fully functional production
ready Office document editor.
But at the same time,
they marketed that as an open source
project.
And that is what people kind of expect
from that.
I would also note,
Nextcloud kind of has a history of
forking open source projects um in not a
very collaborative way i mean their next
cloud itself was forked from own cloud of
course and that division was um
I don't think super well received by
OwnCloud themselves.
So it's kind of a situation that they're
used to.
But I think a lot of people side
with Nextcloud in that case.
And I think that a lot of people
are going to side with Nextcloud here as
well.
So it might just kind of be what
it is.
yeah and like kind of going back to
what you were saying about um you
mentioned that like a lot of companies
they they put work into it and then
they don't want people stealing that work
it's one of those things where like in
that case and i say this kind of
spitefully but like then just don't be
open source because i mean obviously in a
perfect world i would prefer everything
was or at very least be like you
said like be transparent about being
source available because um
in a perfect world,
I would love for everything to be at
very least source available,
because that's how we're able to verify
that the code is doing what it's doing.
And it helps build that trust at very
least, I think, um,
especially things that deal with security,
like password managers should at very
least have their cryptographic bits be
source available, um, bare minimum,
but cause security is something where like
everyone benefits.
Right.
But
To me,
it's just such a crappy thing because
that's the risk you take.
And I've talked to a lot of projects
that are not open source and I've asked
them that.
I'm like,
why don't you guys have any open source
clients or anything?
And that's usually the number one reason
they give is they're like,
we're worried that people are going to
take our stuff and steal it.
We have no real way to control that.
And then there's...
to counter their argument.
There are plenty of companies who seem to
be doing just fine despite that.
But yeah, so it's, I don't know.
It's just me.
I say this with a little bit of
bitterness in my voice towards only
office.
It's like, then just don't be open source.
Like it feels almost, um,
it's going to be a really niche reference.
And I don't think this is as much
of an issue anymore,
but back in like the early two thousands,
um, there was a real,
I don't know if you'd call it an
issue or not.
I guess it depends on how you feel
about it, but a lot of bands would,
um,
would market themselves as Christian bands
because the Christian market would be a
lot easier to break into.
And then once they hit a certain level
of success,
they would quote unquote go mainstream.
And some of them would even like
vehemently deny, like, no,
we were never a Christian band.
And it's like, well,
we have interviews with you where you said
that you were, so whatever, dude.
But to me,
it just feels the same way.
It's like,
you don't actually believe this stuff.
It's just some kind of marketing gimmick.
And in this case, the open source,
I just feel like that, I mean,
I guess in the Christian thing too,
just feels kind of crappy.
It's like, you know,
don't say that you believe in this stuff
just to get ahead in the competition,
like commit to it or don't.
So I don't know.
That just, that really frustrates me.
Quick thanks to at Sod This All for
gifting a Privacy Guys membership.
Thank you for your support.
Oh, nice.
I just saw that.
Yeah.
I had comments closed down so I could
see the screen a little better.
But yeah, thank you.
That's super cool.
All right.
I think that'll take us into a LinkedIn
story that Jonah actually alerted me to
this story right before we started
recording.
This one's like hot off the presses.
Yeah,
I think this was reported just yesterday
or today, if I remember correctly.
I definitely saw it only yesterday,
but maybe it's been talked about a bit
for a while.
But there's this report that LinkedIn is
illegally or allegedly illegally searching
your computer.
They are scanning installed browser
extensions without user permission.
So this is reported by Apple Insider.
And something is wrong with my computer.
There we go.
They say researchers have determined that
Microsoft's LinkedIn is scanning browser
plugins and other information without
permission and building user profiles
using data that the company did not get
permission to take.
A European advocacy group claims LinkedIn
is probing browser extensions through its
website code.
Fairlinked EV published a BrowserGate
report alleging LinkedIn detects installed
browser extensions by probing for known
identifiers through JavaScript.
The group says the technique reveals
personally identifiable information.
And so this is a threat that we've
talked about before,
I think in a previous episode of this
show,
but definitely on the forum where the
browser extensions that you install can
definitely add to your browser fingerprint
and can specifically identify you based on
what extensions you have installed.
And that's been a known threat for quite
a while,
but I think this is one of the
first and maybe the largest examples of a
real world situation where this is
happening.
And so if we look at this Fairlinked
BrowserGate website,
they point out a lot of different problems
with these tools,
namely that
Microsoft is designated as a gatekeeper
under the Digital Markets Act in the EU.
So Microsoft Windows and Microsoft
LinkedIn are both regulated products under
the DMA, and they need to allow,
as a result, free, effective,
high-quality, continuous,
real-time access to all data,
including personal data that's generated
through the use of these products,
which LinkedIn is not doing because
they're doing this
in the background.
They also point out that this search of
all of your browser extensions can reveal
a lot of different personal information,
and they give some examples of extensions
that could potentially reveal that.
It could reveal your political opinions,
for example,
because there are extensions like
anti-woke, anti-Zionist tag,
no more Musk that you can install.
I don't know what those extensions do,
but obviously having them installed
definitely shares a bit about what you
believe.
It could share some...
Could reveal your religious beliefs
because there are extensions like Porta AI
which blur haram content or Dean Shield
which blocks haram sites.
It could reveal potential disabilities or
neurodivergence through extensions you
have installed like Simplify which aids
neurodivergent users in browsing the
internet.
Certainly,
LinkedIn could be getting your employment
information.
There's a lot of obvious ways to do
that,
but there are job search extensions that
people use on LinkedIn where that could
reveal information to LinkedIn or your
current employer.
And then it just reveals a lot of
potential trade secrets because LinkedIn
is this network where so many
professionals are located and they share a
ton of information about where they work
and Microsoft would have access to all of
that data and they would also have access
to all of the extensions that these people
have installed,
some of which would be mandated by their
companies.
So like whether you use
The examples that they give are Apollo,
Zoom, Info.
You could imagine other browser extensions
of professional tools that would be
installed by these companies.
I don't know what tools companies use,
to be honest.
I know in the education space,
we would use tools like GoGuardian,
for example.
And so...
In that example,
they could find out what we're using.
But a similar case would apply to all
of these organizations and their employees
who use LinkedIn.
They say,
Fairlink says in their BrowserGate site
that LinkedIn has not disclosed this
practice in its privacy policy.
There's no mention of extension scanning
in any public-facing document that
LinkedIn has published.
And so on this BrowserGate website,
which you can find at browsergate.eu,
they list six thousand two hundred twenty
two extensions that a hidden JavaScript
program on LinkedIn will scan your browser
for.
I believe this only applies to Chrome
browsers,
but that's probably most people visiting
LinkedIn, I would imagine.
and you can't opt in or opt out
of that and there's again no mention of
any of this happening in any of their
privacy policies um which is definitely
very concerning um so
It's kind of a mass breach of your
personal data.
They say that this is deceiving
e-regulators, which is probably true.
And so I think it's just interesting to
note for sure that this definitely leads a
lot of credence to the idea that your
browser fingerprints are going to identify
you and reveal a lot of information about
you and what you do,
especially when it's being done by a
company like
LinkedIn that has probably a lot of
information about you if you use it.
It has your real name.
Some people ID verify on LinkedIn.
They have your whole resume and being able
to tie all of this digital data to
those profiles.
creates a very unique and very
comprehensive profile of you when you use
the service.
So I think it is very concerning for
sure.
And it shows that the threats that we
talk about when it comes to your privacy
are in fact a real issue.
And these companies are trying to get all
of this data wherever they can.
Yeah, for the record,
I tried to show the browsergate.eu
website.
For some reason,
it's not loading on the device.
It worked fine earlier,
but I guarantee it's DNS.
It's always a DNS issue.
But yeah, it's my first thought.
OK, so my first thought,
because I was recently educated,
for general browser fingerprinting,
like the day-to-day,
Some browsers like Firefox, for example,
they do actually try to obfuscate what
extensions you have installed.
And I guess just to back up a
little further, I know that for, again,
for general fingerprinting,
it's not always a guarantee that having
more extensions will make you more
fingerprintable because it generally
depends on what does the extension do and
whether or not it modifies the page.
But obviously this one is going out of
its way to scan your extensions, right?
So that's a little bit of a different
story.
which I would argue that general
fingerprinting probably does that too.
But going back to what I was saying
about Firefox,
I know Firefox basically tries to,
and I'm probably going to get the fine
details wrong on this, so I apologize,
but they basically try to like randomize
the ID that your extensions have to make
it a little bit harder for you to
be fingerprinted.
Do you think that would,
do you think that would stop something
like this or slow it down?
Or is it just going to be able
to get past that anyways?
um it could potentially but i mean yeah
it depends on you know i'm not sure
how these programs work randomizing it
could work if you can't find the files
in the first place um and that probably
is a strong protection against it um but
If those extensions modify the page
itself, which a lot of extensions do,
then that probably is still going to be
detectable.
And so that's only going to protect your
privacy against certain extensions you
have installed that make public resources
available, but don't modify the page,
which I don't think would be a ton
of extensions,
especially like password managers.
I can imagine where...
like if they edit the page itself to
add like a pop up or like a
drop down menu to logins,
that's going to be impacted.
So if you disabled all of that autofill
stuff, and you kept the extension,
and only like manually copied from it on
certain pages, you know,
it could potentially protect you in that
situation.
But I don't think most people are doing
that.
So I don't know how extensive that
protection would really be.
Which even then,
my thought process is that kind of defeats
one of the advantages of a password
manager, which is if it doesn't autofill,
that could be an indicator that you're on
a phishing page.
So if it never autofills,
then you never have that moment of like,
wait, am I on the right page?
Yeah.
Yeah.
And then I guess my other thought, too,
is just not really a question,
but just a thought.
You pointed out that this was tested on
Chromium browsers,
which is probably what most people are
going to use anyways.
I, at my last job,
they gave us work computers that came with
Microsoft.
And I mean,
ninety nine percent of what I did was
logging into the company stuff anyway.
So I just use Edge because that's what
it came with.
And at one point,
I think at one point I did get
Brave installed on it and then I was
never able to do it again.
But I think I did try Firefox because
I was like, well, you know,
it'll it's not Edge, right?
It'll be a way bigger improvement in
privacy.
But I got really annoyed because
everything in a corporate environment is
optimized to work
with Edge.
And so it was just so much extra
friction to use Firefox.
So where I'm going with this is, yeah,
like most corporate environments are
probably going to be using either Chrome
or Edge because everybody's familiar with
Chrome.
And where I was going with that is
at my job, they said like, yeah,
if you go to our little app store,
you can download Chrome or whatever.
We don't care.
Use whatever browser you want.
So most people are probably going to be
using Chrome or Edge.
Maybe some will be using Safari,
which I think the article did say that
Yeah,
Safari users are less likely to be
affected by the specific mechanism based
on how extension detection typically works
across browsers.
Apple's browser model limits
fingerprinting surfaces.
But it kind of goes back to...
It's unfortunate because not everything...
Where am I?
How am I trying to word this?
It's important to try to compartmentalize
your professional life and your personal
life, right?
Like never...
Never do personal stuff on a work
computer.
For some reason, people do anyways,
and I don't know why.
But even then,
LinkedIn is something that...
You wouldn't get in trouble for doing that
on a work computer, I would imagine,
but it's also something you would do at
home, right?
LinkedIn is supposed to be something that
follows you from job to job to job.
It's not necessarily specific to that job.
So it is something that I could see
people checking on a home device,
which is so frustrating because it's like
you're trying to...
I don't know.
It's like,
it's one of those things where like,
you're not really necessarily doing
anything wrong and you're still getting
punished.
And that's, that's super frustrating,
but yeah, I guess I,
I just wanted to point that out.
It's, it's, yeah, I don't know for sure.
I mean, a ton of people, I think,
um,
Their work laptop is their only computer
in a lot of cases besides their phone.
I think a lot of I know people
in that situation.
And yeah,
definitely do not recommend doing that.
You should get your own personal laptop
and use that instead.
But I know a lot of people do
that anyways.
Another thing that I wanted to share,
not in the notes,
but kind of related to this is browser
extensions aren't the only ways that
websites can potentially fingerprint you
or like software you have installed on
your computer.
Sometimes the software itself on your
computer can work against you.
And so kind of recently,
I think this has been going on for
a while,
but it's been picked up by some news
sources.
Basically, Adobe Creative Cloud,
of course it's Adobe,
is changing the host file on your
computer,
which allows websites to detect whether
you have Adobe Creative Cloud installed.
So this is posted to Reddit.
Basically,
Adobe is adding this line to your host
file.
And then when you visit the Adobe website,
it tries loading an image from that exact
domain.
And if the image loads because of this
line that they've added that points that
domain to a specific IP,
then they know that you have Creative
Cloud installed.
And that could, of course,
be checked by any number of different
websites to detect whether you have Adobe
Creative Cloud installed.
And so even if you don't have any
browser extensions,
there are other ways that software
on your device itself can um increase your
browser fingerprinting profile um
regardless of what you do with the browser
so that is something to definitely keep an
eye out for because the only thing that
would really protect you against this is
either not letting creative cloud do this
which i don't know if there's a mechanism
to do that but it might be
uh worth looking into or using a browser
like tor browser which is going to bypass
all of your local network stuff
specifically but that's um challenging to
do and not a lot of people are
doing that for day-to-day use um and so
software that does something like this um
is a problem i don't know of any
other software that's going to do this
besides adobe but um
Of course, again,
of course it's Adobe doing that, but yeah,
that is another attack vector unrelated to
extensions that websites could be using
that you'd also have to look out for.
That's insane though.
Editing the host file.
I don't even like screwing with that.
That's some deep level stuff.
Oh my God.
Wow.
These companies are out of control, man.
Yeah.
My brain hurts.
Just related to that, it's always DNS,
right?
DNS can be used against you.
DNS is used for evil.
Anyways,
I think that's all I have to say.
Do you want to talk about our next
story here?
Yeah.
My brain is still hurting from the host
file thing, so we'll just move on.
So this next story,
it helps if I share the actual screen.
Here we go.
So this next story comes from Four of
War Media.
It says,
a secure chat app's encryption is so bad,
It's quote unquote meaningless.
I mean, okay,
we'll go through it a little bit.
So the app is called Teleguard and I've
heard of it a little bit.
It actually rang a bell when I read
this.
I really, I'm not going to lie.
I really wanted a moment where I went
and checked the DMs on the forum because
we get a lot of projects and privacy
guides that message us directly.
And they're like, hey,
you should recommend our product.
And we always tell them like,
go post on the forum.
This is a community project.
Let the community vet it.
Um, so I,
I went and checked and I thought like
maybe I,
I knew their name cause they messaged us,
but, um, nothing like that, I guess.
So I don't know where I've heard it
from, but, um,
it has been mentioned on the forum once
or twice,
but never really like heavily recommended
or anything.
Just, I don't know.
But either way.
Yeah.
So this is an app that markets itself
as a secure end to end encrypted messaging
platform.
It's been downloaded at least a million
times.
Um, but apparently this researcher, uh,
found, it says there's no storage,
highly encrypted, highly encrypted, um,
kind of like military grade encryption,
right?
Anyways, um, Swiss made,
and there's an anonymous researcher in
March who contacted four Oh four.
They said that the private encryption keys
are sent to the company server upon
account registration.
And, um,
Jonah can correct me if I'm wrong about
any of this, cause I'm,
I'm speaking a little bit outside my
element here, but I think I'm,
I'm right about this.
Um, there are services like proton,
for example, that, um,
I don't know if I'd say the private
key gets sent to the server,
but they do have a way where like
you can log in from any device and
your email is decrypted.
Right.
But they also store that in such a
way where they don't really get the key
itself.
Um, I, again,
I could have the details wrong here,
but my point being like,
I think there is a way to store
private keys,
but they weren't doing it this way.
They weren't doing it in a way where
it's like,
we don't have access to your private key.
Like, no, they just had your private keys.
Um,
So yeah, they also...
I think it's further down.
They go through every single issue they
found,
which is basically like your private key
was derived from your user ID.
So anybody who had your user ID could
plug it into this API and decrypt your
messages, which is anybody you message.
Or a lot of people will post their...
Well, Signal, for example,
but a lot of people will post their
username publicly because they're like,
hey, anybody who wants to contact me,
go ahead.
They said further down that metadata was
stored in plain text.
So basically every single mistake you
could possibly imagine a company doing or
a messenger doing,
it seems like they were doing.
And oh, man, hold on.
I do have to find...
Yeah.
So the CEO, after publication,
the CEO contacted four Oh four via
LinkedIn,
hopefully from a company computer in a
direct message and said, quote, this,
the information is incorrect.
Exclamation point.
The person who gave you the technical
information that has completely misled
you.
That person is not competent.
Exclamation point.
Uh,
the CEO did not provide any evidence for
this or point to any specifics.
Um, very.
Yeah.
I don't know.
I always like when people do that kind
of stuff.
Very professional.
Um,
So is my making fun of them,
but whatever.
So yeah, I personally,
I wanted to share this story because I
feel like in the privacy community in
general,
I see a lot of people who I
think...
we get excited about new projects.
I think there's two kinds of privacy
people.
I think there's the people who get excited
about new projects and the people who are
suspicious of anything new.
But I see a lot of people who
get excited about new projects and they're
constantly like, oh,
there's this new messenger I just heard
about.
I'm excited to try it.
What does everybody think?
And first of all,
I think that's really awesome when you go
to other members of the community.
What do people think?
And because I have seen one of the
messages that I mentioned when I was
trying to figure out where I've heard of
this app before.
I went to the privacy guides forum and
one person was asking like, hey,
what does everybody think of this?
And a lot of people were like, oh,
it's proprietary.
Like this seems weird.
This seems weird.
There's a lot of red flags here.
I don't think anybody did like an actual
technical analysis like this person did.
But, you know,
it's good to get that kind of feedback
from other people.
Like I'm very open about the fact that
I don't really know a lot of code.
I did take a...
There's a little app that kind of gamifies
learning code, kind of like Duolingo does.
And allegedly it taught me Python,
but I wouldn't trust me to code anything
in Python if I were you.
I can now look at Python and recognize
it as Python, basically.
So that said, like,
I think it's really good to,
in my case, you know, like, hey,
I don't know enough about code to
understand this.
Can anybody else weigh in on this?
That's a really good thing.
But I think it's just this...
be a little bit cautious, right?
There's a fine line because on the one
hand, if we never trust anything new,
we would never have any mass adoption of
all these great tools like Proton, Intuda,
Signal, SimpleX.
All these really good tools would never
get out of the small phase because nobody
would ever trust them.
But at the same time,
we have seen so many apps that shut
down, sold.
Every once in a while,
it does turn out to be a honeypot.
And so there's a very fine line between
these things.
And-
Yeah, I would also ask,
especially with chat messengers,
one of my personal beefs is I feel
like there's
an obnoxious amount of messengers.
And one of the questions I always ask
with any new product, not just messengers,
but any new product is what are you
solving?
Like people send me links all the time
and they're like, this looks really cool.
And I'm like, okay, what is it doing?
What is it solving?
What problem is this solving that,
you know, whether it's a search engine,
an email provider, whatever,
like what is it doing that this existing
tool doesn't already do?
And I'd say about half the time people
are like, oh, I don't know.
I just,
I saw it and thought it was cool.
it's gotta be solving a problem for me
personally, but yeah.
So, um, I don't know.
Did you have any thoughts on this?
I know,
I think this one may have gone below
your radar a little bit,
but did you have any thoughts about it?
Yeah.
Um, yeah,
I think that's all a good takeaway.
Um,
thankfully the only thing I would say is
in the case of teleguards specifically,
um,
thankfully we've known about some of the
issues with it for a while.
I know that they note at the end
of this article, um,
TeleGuard handed over information to the
FBI in around,
according to the Washington Post.
That article was shared on our forum and
in all of the posts where TeleGuard is
brought up or in the thread about
TeleGuard itself.
People have known for a while that they
can provide information like the push
notification tokens and other information
and hopefully are avoiding that.
But yeah,
it's definitely a good thing to keep in
mind because there is a balance,
like you said.
We do need to have more products in
this space,
but knowing whether they work well is...
kind of tricky.
And it's always good to keep an eye
on this stuff because they certainly do
not always work the way that they
market themselves for sure.
I wasn't aware until I just read this
article that it was made by Swiss cows.
I've heard a lot of, well,
not a lot,
but I've heard their search engine brought
up a few times.
I know that they also have a file
storage service,
which is as far as I know,
just based on next cloud and uses like
the next cloud end to end encryption,
which isn't the best.
So they kind of just seem to be
one of the,
one of those companies where um they're
just putting stuff out there probably with
open source tools without really um adding
too much or changing it i don't know
if telegard is its own homebrew product i
would imagine it is because i don't know
of any like open source stuff that would
be um
that would have this poor encryption,
at least the people who are like forking
element, for example,
are getting a reasonably decent encryption
implementation,
whereas I don't know what's going on with
teleguard.
But yeah,
I think I think in this specific case,
people already know not to use it.
And otherwise,
with with stuff not like this,
it's it's everything you said for sure.
Yeah, I looked into Swiss cows briefly,
I think the only thing it has going
for it is it says,
like the search engine.
It says that it will censor adult content,
which I think could be useful if you
have really young kids,
just as like one of those layers of
defense, you know,
maybe set that as the default search
engine on the family computer and
But then we get into the whole topic
of like,
at what point is it appropriate to kind
of transition your kids off that?
But I don't know.
I remember when I looked into it,
that was kind of the only advantage I
saw was like, okay,
I could see this if I had young
kids and I just wanted it as one
more layer of defense of like,
I don't want them to accidentally find
their way onto something bad.
But yeah, of course,
for for immediate does note that Teleguard
has a reputation of being linked to cam
models and child abusers at the end of
this article.
So how much I would trust their approach
to child safety,
it probably would not be that far.
But yeah, in general,
it's probably a good idea for companies to
be a bit more thoughtful about all of
that stuff.
Yeah, that's fair.
I, I don't know.
I trust four Oh four,
but I'm not going to lie.
When I read that part,
my brain kind of went to like,
I wonder how much Teleguard does get used
for that stuff.
I don't know.
Yeah,
maybe if you turn a blind eye to
it.
I don't know how much they market it,
but I know that Kik had this reputation.
Maybe it still does, I don't know.
It does with me, that's for sure.
Yeah,
I've definitely heard this about various
messaging apps to the point where it seems
to be...
If you have that reputation and it
remains,
it seems to be kind of intentional,
and if it's on the radar...
Of these officers saying that they're
notorious for it,
that is a bit of a red flag.
Of course, with law enforcement,
it can always go either way because a
lot of law enforcement officers will say
Drive Fina OS, for example,
is notorious for being used by criminals
when in reality it's just a security tool.
But seeing as how this chat app doesn't
seem to provide adequate security,
I don't think it's the same sort of
situation.
Yeah.
Which not to get off topic,
but I know I've said in the past,
like,
cause there was that story about a year
or two ago about, um, apparently in Spain,
just having a pixel phone automatically
makes you suspicious,
like maybe not legally, but in practice,
it makes you suspicious because the only
people in Spain that have pixels are drug
dealers using graphene.
Um, and so it's the,
my argument when we covered that story
back then was like,
this is why we need to normalize tools,
uh, privacy tools,
because
if the only people using Signal are,
not that they're doing anything wrong,
of course,
but like dissidents and drug dealers,
then like it becomes like, oh,
you're on Signal,
you have something to hide, which,
you know,
in some countries being a dissident is
illegal.
So my point is I'm not trying to
morally group them into the same thing,
but my point,
it becomes something suspicious.
Whereas like if my stepdad is using
Signal, probably does not know what it is.
I had to download it and put it
on his phone and set it up for
him and get him in the family chat.
He didn't even know it could do video
or voice calls.
I tried to call him on it one
time and he didn't pick up.
So I called him on the regular phone
and he's like,
did you just try to call me on
signal?
I'm like, yeah, it does voice calls.
He's like, oh, I didn't know that.
So,
but my point being like when everybody's
using it,
then it takes away from that stigma
because they can't point to it and be
like, oh,
only bad people are using signal.
Really?
Really?
My seventy year old stepdad,
you think is running drugs from the
border?
Come on.
So anyways, yeah,
I just I know that's a little off
topic,
but I always feel the need to say
that.
So I think that'll take us into forum
updates if I remember correctly.
Yeah, well, in a minute, everyone,
we're going to start taking viewer
questions.
Of course,
you can always leave them in the chat
anytime.
But if you've been holding on to any
questions about any of these stories that
we've talked about so far, go ahead,
start leaving them now here in the chat
or in the forum thread for this live
stream.
Otherwise, yeah,
let's check it on the community forum.
There's always a lot of activity on the
forum every week,
so you should always check it out.
But here's a couple discussions that we
had
wanted to highlight from this week.
The first one is here about Russia's
internet blocks.
Let me get this pulled up.
This was just a discussion on a New
York Times piece which talked about
Russian internet restrictions and how
Russians are evading them.
So it's a bit of a cat and
mouse game there.
So the person who posted this said,
as some background, since early March,
Moscow and St.
Petersburg have experienced widespread
mobile internet blackouts,
not just blocked apps,
but full mobile data shutdowns.
Telegram is reportedly being blocked
entirely starting in April.
The government regulators now have the
authority to disconnect Russia from the
global internet entirely.
And some regions of Russia are on
lockdown.
whitelist mode meaning everything on the
internet is blocked except state-approved
services like yandex and government
portals um so yeah this version was
interested in whether or not there's a way
around this government censorship um which
could expand to europe and north america
The whitelisting situation,
that is pretty tricky because that's going
to block even the ability to use Tor
bridges, for example.
I know that Tor bridges are probably the
best way to get around censorship,
but if you're in a full whitelist
situation, that may not work.
At the end of the day,
if your internet service provider isn't
going to allow you to make any sort
of connections,
There isn't much you can do about that
besides find an entirely alternative
network.
So people in this thread note that Russian
citizens have started using Meshtastic to
communicate,
which is a decentralized network that
doesn't use the internet at all.
It uses LoRa radios,
which are small devices that you can
connect to your phone to communicate,
but they have very limited range,
although you can set up a mesh with
them.
There's probably other solutions,
but I think, yeah,
there's probably not too much you could do
from a technical perspective here that I
can think of.
Was there anything in this form that you
wanted to highlight specifically?
No,
it was really just kind of the Russian
internet blocks in general.
I know when those, well,
when the war in Ukraine first started,
I know Russia started cracking down on
VPNs.
And at the time I was with Surveillance
Report and Henry really made a good point
about how this is one of the drawbacks
of a centralized app store.
And at the time we were talking about
Apple,
but now it seems like we're starting to
talk about Android too.
Um, because, you know,
with Android and sideloading, uh,
which I know people don't like that term,
but you know,
Android and installing third-party
installs, whatever you want to call it.
It's, um,
it's kind of hard for Android to be
like, well,
we blocked VPN installs because they can't
block VPN installs and Tor installs.
Whereas Apple, you know, when,
when Russia came to Apple and was like,
Hey,
remove proton VPN and Nord VPN and all
these VPNs, they had no choice,
but to be like, all right, we'll do.
Cause you know that everything's so
centralized and locked down, but.
Yeah, with a total internet blackout,
the thing that comes to mind is years
ago, again, back on surveillance report.
So I interviewed John Todd,
who was the president of Quad Nine,
I think.
He's from Quad Nine.
I think he was the president at the
time.
I'm not sure if he's still there.
But it was interesting because we talked
about,
or it briefly came up about censorship
resistance.
And something he said that always stuck
with me is he's not a fan of,
DNS over HTTPS specifically for stuff like
this because if if the government starts
doing mass blocking at a DNS level and
you use something like DOH it makes your
traffic just blend in and eventually it
kind of like
I'm not trying to use language that is
sympathetic to a government for the
record,
but it kind of backs them into a
corner where they just decide to shut off
the internet entirely because they can't
figure out what traffic is going around
the censorship.
And I guess he was really ahead of
his time with that prediction because
that's basically what we're looking at
right now.
So yes,
it's a really tricky thing because how
would you, you know, and especially,
I don't know,
I feel like completely disconnecting from
the global internet is a completely
different beast that I don't even know how
we would handle that.
And I guess at that point it's,
I mean,
it's what are you trying to do?
If you're just trying to talk to people
locally, then yeah.
Things like Meshtastic, I think,
I really want to get into that,
but it looks like it would require a
little bit of skill just to kind of
first time dive in, you know,
to figure out the hardware and figure out
the install and the apps and the,
it feels like a bit of a commitment,
but if there's maybe a way to make
those things a little bit more
user-friendly or...
I don't know.
Yeah,
it's a good question because there's
different things you would need in that
situation, right?
I would need to be able to communicate
with my family here in the country,
hypothetically.
But then I would also need to be
able to communicate with the wider
internet and get information,
which here in the US, unfortunately,
we are kind of the wider internet.
But in another country,
that wouldn't be the case.
Or I mean, Proton even.
I wouldn't be able to check my ProtonMail,
so...
Yeah.
I don't know.
It's crazy.
And even Meshtastic,
that puts people in a dangerous situation.
And there's always the possibility that
Russia could, I mean,
both ban the use of it,
but also ban the import of Meshtastic
hardware.
I doubt any of it is being made
domestically in Russia.
And if anything is or could be,
the Russian government could stop that.
Yeah.
and also just using it,
or any sort of radio service,
you can be trivially tracked.
It does have a short range,
so it depends where you are,
but if people go around from the
government and try to track people down
who are using Matchtastic in the future,
they would pretty much be able to find
out who's
using it um so there so there are
concerns there i mean we even talked about
in a previous episode um i think it
was in belarus if i remember correctly um
ham radio enthusiasts were being accused
of like um being espionage agents
basically um for
for using their own like radio waves to
communicate rather than like these
government sanctioned things.
So it does like any of this amateur
radio stuff does put you in a dangerous
position in a country like this.
And especially if it becomes too
widespread,
it's very easy to imagine that Russia
would take a similar position to the
Internet in general and just blanket ban
it because they don't really need it.
The other reason this can't really be
solved from like a technical perspective
is
Um, like,
I don't think it's something that another
country like the United States or someone
else could kind of reach in and try
to solve for Russian citizens.
Like immediately what might come to mind
is something like Starlink, for example,
providing direct access to the internet,
bypassing, you know,
anything going on in Russia.
But Starlink,
like when that technology is in place,
we see it used for, um,
a lot of different things that the United
States and companies like SpaceX
definitely do not want to promote or
support.
We saw in the war with Ukraine,
for example,
Russian frontline troops were using
Starlink extensively to communicate on the
battlefield.
That's actually the reason SpaceX
does not operate in that region at all
and hasn't for many years.
And bringing it back for Russian citizens
to get around something like this would
just enable that usage of it again,
which they definitely don't want to do.
So it puts Russians in not a great
situation and really the only solution.
like we say for a lot of these
very widespread privacy issues,
whether it's age verification in Western
countries or mass censorship in other
countries, like in this case,
it's more of a social issue that you
have to resolve within your own country.
And hopefully people can fight back
against this there.
Because, I mean,
this should not be unacceptable.
I mean, this should not be acceptable,
if you know what I mean.
So, yeah.
Yeah,
it's definitely something tricky that I
don't know if we're qualified to solve.
But I guess if there's any takeaways on
this one,
it would just be kind of a...
I'm pretty open about having a mild
interest in disaster prep.
And sometimes that gets categorized as
wrongly it gets characterized as like you
know worrying about the end of the world
um which i don't care about that but
you know just little things like floods uh
hurricanes tornadoes earthquakes and
unfortunately we are in an incredibly
digital world so you have to think about
outages and cyber attacks and so um i
guess yeah if nothing else this is just
kind of a thought experiment of
if you're listening and you're in a
situation where you don't have to worry
about this yet,
just think about it a little bit.
Like don't lose any sleep over it,
but you know, what,
what would I do in that situation?
And just kind of give that some thought,
I guess.
The other forum post we were going to
look at, this one,
there's probably not too much to say on
this one, but there's a new video,
a YouTuber, this got shared on our forum,
that said, if you ran this debloater,
reinstall your system immediately.
And this is specifically,
so for the Windows users out there,
you know that there's a lot of scripts
that promise to do all kinds of different
things to your system.
Um,
there's a lot of ones that are popular
in the privacy community that promise to
remove a lot of telemetry and stuff.
There's also some that claim to optimize
the graphics and the performance and this,
that, and the other,
there's even entire windows ISOs that, um,
I want to say it was called Atlas
OS.
And if I've got that wrong,
I apologize to those guys.
But there was one that advertised itself
as like a gaming distro.
And it's basically like you install
Windows from scratch using this customized
ISO and it comes pre-optimized for gaming.
But the downside is it turns off Windows
Defender.
which I don't know why you would do
that.
So yeah, I'll be honest,
I didn't watch this specific video,
but basically it was not trustworthy.
I think it may have even come with
actual malware,
but don't quote me on that.
And so this whole thread is basically
talking about these deep loaders and
stuff.
And I think the official position of
Privacy Guides is that we don't recommend
them because they are...
They're tricky.
I know there's some that are open source
or source available, I should say.
And if you know code and you're
comfortable doing it, then sure,
you could look through it and make sure
that you verify what it's doing.
But it's definitely very...
A lot of these deep loaders,
you're giving them a lot of power over
your Windows system.
And...
If you're going to use one,
you have to be like come off of
a mountain and found a religion positive
that this thing is trustworthy because it
would not take much for it to do
something malicious,
whether that's planning malware,
crypto mining, stealing data, whatever.
So, yeah.
Absolutely.
I think I just wanted to take a
moment to mention that.
And it's worth noting this tool in
question is open source as well.
As far as I know,
it doesn't come with malware,
but it basically acts...
the way that malware would.
There's a pinned comment on this video
saying there's a few inaccurate
statements, but overall,
the conclusion of the video is that this
is all implemented poorly.
I do think this is a classic case
of like,
somebody putting something out there
without really fully understanding what it
does.
I don't want to say whether it is
or not,
but I think we're just going to see
this happening more often as more people
try to AI code tools to solve all
of their problems without really
understanding what they are.
Whether or not that's the case in this
situation,
it's definitely something to look out for
when you're running any sort of scripts
that you don't fully understand.
I think that is absolutely the most
important takeaway here,
that you cannot run any of these deep
loading scripts unless you know exactly
what they do and you see how they're
doing it,
because at which point you could probably
do it yourself, by the way.
But yeah, all of these scripts like this,
they affect the system so substantially.
And Windows is already such a not secure
and not private platform in the first
place that it doesn't really make a lot
of sense to me to try and improve
it, especially to this degree,
unfortunately.
There isn't really a ton...
that you can do at the end of
the day to improve your privacy on Windows
because the operating system itself is
going to be constantly fighting against
you.
So that's unfortunate.
It's cool to see more videos from this
YouTuber.
I first...
heard about this person who made this
video calling the other YouTuber who made
the script out because they made a video
about Freely around the same time that I
published a video about Freely.
So they came up in my feed.
And I think we had some overlapping
complaints.
I haven't watched the rest of their
videos,
but I think anybody who is creating
content in the privacy space
That's always a good thing.
And so if they continue to be brought
up and they continue to post more useful
content like this,
I think that's fantastic.
Yeah, I think about that a lot.
There's...
I think there's still plenty of room in
the privacy space for more voices,
for sure.
Yeah, real quick,
looking through his description on his
video, you're right.
It doesn't look like it installs malware,
but it disables crucial security
components and makes your system severely
vulnerable to malware.
So it also makes your system much more
unstable and prone to corruption and
breaking.
I recommend that anyone who ran this tool
immediately reinstall a fresh copy of
Windows.
So yeah, they're dangerous things.
You've got to make sure they're trusted if
you're going to use them at all.
I also totally hear your argument of like,
it's already so like such a lost cause
that it may be safer for a lot
of people to just not even try and
just stick to like the,
the toggles and the settings and stuff.
So, yeah.
Yeah.
Well,
we've been going for about an hour and
a half here.
We'll probably give a last call for any
questions or comments that people want to
leave on the forum.
I don't think we had any on our
forum post today,
and I'm not sure if I've seen any
in the chat here.
I know there's a bit of a delay
on this live stream between when I'm
saying this and when you'll hear it,
so we'll give people a couple of minutes
if you want to add anything else.
Otherwise,
we'll probably begin to wrap things up.
So this is your final morning,
anyone who's watching and wants to chime
in on any of these stories.
It's always my favorite part of a live
stream is knowing that delays there.
So you say stuff like that, like, Hey,
we're going to open the floor.
And now I have to fill time for
a couple minutes and give people time to
hear it and write their questions.
Uh, it just feels so awkward, but, um,
Yeah,
apparently we don't have any questions in
the forum here.
Got one question from Hogan in the chat
here.
There's been a couple of supply chain
attacks recently.
The current best practice is to always
update your apps,
but this opens you up to those attacks.
Does it still make sense to keep apps
updated as recent as possible?
Definitely depends on the app.
I know you have definitely seen this more
prominently in apps that are built with
NPM, probably a lot of web-based apps.
But in general,
I do think it's probably the safer option
to keep your apps up to date versus
not updating them because
Typically,
all of these updates are going to... Well,
not all of them,
because some of them just add features.
But most updates that you see are going
to be patching known vulnerabilities or
vulnerabilities that you already see in
the wild.
And so the potential of a new update
having a zero-day vulnerability that
hasn't been discovered yet is probably a
lot lower than the potential of using code
that
almost certainly has known vulnerabilities
that can be exploited.
So yeah,
I would definitely recommend keeping apps
up to date.
And especially the lower level you go,
the more important it is.
Keeping your operating system up to date
is super important.
As we saw, I don't know if...
when we talked about this on the show,
but recently iOS had a bunch of updates
for zero-day vulnerabilities in Safari and
some other security vulnerabilities which
were not patched at all in the previous
version of iOS.
You had to be on iOS to receive
some of these security updates.
And so it's examples like that where even
a company like Apple,
which is relatively well known to provide
security patches to older versions of
their operating system,
they almost are never doing that super
consistently.
And in that case, they weren't.
And so it's always, I think,
a danger to not be fully up to
date.
It's interesting, kind of related to this,
I just installed an app on my phone
and during the setup process it said you
should disable automatic OS updates
because they don't validate how it works.
And I was like, that's terrible advice.
That was a medical device related app.
So I think they were saying that because
they have to validate how OS updates work,
but it's like that kind of puts all
of the users of this device in danger.
So that's...
yeah sometimes you will definitely see
software and advice that are at odds with
security advice but generally um yeah keep
your stuff up to date yeah i agree
i think um i hope that i would
be interested to see an actual study on
how many like supply chain attacks versus
how many um like known vulnerability or
zero days are being patched um i'd be
willing to bet that
the supply chain attacks are more rare
just by raw numbers.
And, you know, something,
something I struggle with a lot in all
areas of life is I forget what the
name of it is, but, um,
It's a logical fallacy because news is
news because it's out of the ordinary,
right?
Even the example I like to use is
traffic accidents.
Nobody ever goes on... Tonight at five,
man gets home from office safely without
incident.
Nobody talks about that.
And even traffic,
accidents are so common that we don't even
really talk about the accidents that much.
It's usually just like, hey,
traffic's bad because there's an accident.
It's more about the traffic.
But
News is news because it's unusual.
So when we see all these supply chain
attacks, it's because, I'm guessing,
they're still the exception instead of the
norm.
But that said, I hope...
kind of a dark way to look at
it, but I,
I hope we're seeing enough of them that,
um,
companies are starting to wake up and
realize the importance of securing their
supply chain, whatever that may look like.
Um,
and hopefully we will start to see those
go down because if they do become too
common,
it becomes a problem for the companies
too.
Cause think about it.
That's money.
They have to spend a, um, regain control,
kick out the person,
try to push out the good code to
fix the bad code.
Um, the reputational damage,
like all of that stuff.
So,
It affects them too.
I don't know if we're at that point
yet, but... Absolutely.
I mean,
to take it to the most extreme example,
right?
Like,
you never would ever see a news article
today about a new vulnerability in Windows
XP or something like that.
But everyone knows you can't be using
Windows XP on the open internet because
it's just so insanely vulnerable to all of
these attacks.
But, like...
We already know you shouldn't be using it.
So if a new attack is discovered,
that's not going to make the news.
And that's going to be the case for,
I think,
a lot of apps that you don't keep
up to date, which is why, in general,
I would still say the updates are super
important.
Yep.
All right.
I guess that's all we got this week.
Okay.
All right.
Well, I think, yeah, we can, I'll just,
I'm going to give the form thread one
more check unless you just did,
but it looks like there's nothing else.
Yeah,
I've got it open on another window here.
Cool.
Okay, well, thanks everyone for tuning in.
Like usual,
all of the updates from This Week in
Privacy,
we share them on the blog and in
our email newsletter every week,
so you can sign up for that newsletter
or subscribe with your favorite RSS reader
if you want to stay
tuned about new episodes,
and also all of the sources for this
episode.
That's where we post them all,
so if you want links to all the
articles we talked about, check that out.
For people who prefer audio,
we have a podcast available on all podcast
platforms in RSS,
so you can use your own podcast reader.
The recording for this video is also going
to be synced to PeerTube like usual,
so you can watch it outside of YouTube.
Here at Privacy Guides,
we are an impartial nonprofit organization
that is focused on building a strong
privacy advocacy community and delivering
the best digital privacy and consumer
technology rights advice on the internet.
If you want to support our mission,
you can make a donation on our website
at privacyguides.org.
To make a donation,
you can click the red heart icon located
in the top right corner of our website,
or go to privacyguides.org slash donate.
You can contribute using standard fiat
currency via debit or credit card,
or opt to donate anonymously using Monero
or with your favorite cryptocurrency.
Becoming a paid member of Privacy Guides
will unlock exclusive perks like early
access to video content,
early access to the show notes for this
show,
and priority during the This Week in
Privacy livestream Q&A.
You'll also get a cool badge on your
profile on the forum and the warm,
fuzzy feeling of supporting independent
media.
Thank you all again for watching,
and we will see you next week.
