GTA V Cheaters Just Got Exposed!
A Grand Theft Auto online cheat service
suffered a data breach.
Another password manager had vault stolen
and two disappointing stories from Meta
this week.
All this and more coming up on This
Week in Privacy, number fifty-six.
So stay tuned.
Jordan, you're muted.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we're working on
within the PrivacyGuides community and
this week's top stories in data privacy
and cybersecurity.
I think Jordan was muted this week,
but I am Nate and Jordan is joining
me.
Or there were technical difficulties.
Check, check, one, two.
All right.
Well, while Jordan gets that figured out,
I think we're gonna... Hey, Jordan,
welcome back.
Oh no, we still can't hear you.
Oh no.
Gotta love going live.
These things do happen.
I'm gonna go ahead and jump into the
main story while Jordan is trying to
figure that out.
And our main story this week is Grand
Theft Auto.
Yeah.
So for those, I mean,
I feel like this is a pretty popular
game,
but for those of you who are not
gamers and maybe may not know,
Grand Theft Auto, super,
super popular video game.
Man, as long as I can remember, or,
you know,
at least as long as I've been a
gamer and, um, it, uh, you know,
like a lot of games these days,
it has an online mode and, uh,
the online mode from what I understand can
be a cooperative or, um, adversarial.
Uh, I, for some reason,
the word I'm looking for is,
is escaping me right now, but, um,
you know, like, uh, like any online game,
uh, there are cheaters and, uh,
It's, you know,
cheating kind of ruins the experience for
everybody, right?
Because if you're just a casual gamer
trying to have fun and somebody just like,
you know,
blows your character up and steals
everything, that really sucks.
But then also if you're like a serious
gamer and you're maybe like trying to be
professional or something like that,
then having somebody cheat is, you know,
it ruins your rankings.
It just, it sucks for everybody,
except for the cheaters who seem to have
fun, which I don't really understand why.
Yeah, well,
we'll get to that in a minute.
So anyways, so there's a service.
I mean, there's a lot of services.
There's a lot of different ways to cheat.
Dead serious, I've never done it.
I'm not much of an online gamer myself,
but there's a lot of different ways to
do it.
And one of them is this paid service
called Atlas Menu.
And they had a data breach,
which leaked the email addresses,
usernames.
TechCrunch here says scrambled passwords,
IP addresses, and support tickets.
of almost sixty-four thousand accounts.
And I'm assuming by scrambled passwords,
they mean like hash passwords.
I don't know why they said scrambled here.
Yeah,
especially coming from this particular
author,
he's very knowledgeable about
cybersecurity.
So that was an interesting choice of
words.
But Atlas Menu claims to offer secure
authentication and enhanced privacy
through our advanced encryption
techniques,
which is just a reminder that marketing
will say anything and usually means
nothing because that's not
really clear.
The attacker claimed responsibility and
posted the data on GitHub,
and motivation appears to be revenge
against a scammer, which, you know,
privacy is a human right,
so I'm not going to say these people
had it coming,
but I think anybody who's ever been the
victim of a cheater on an online game
can definitely feel the frustration there.
So yeah, Atlas Menu,
according to one video,
offered features like invisibility and
super jump and the ability to fly through
the map.
So I mean,
at least I guess it wasn't like
invulnerability or something.
And then they point out in this article,
cheating has become like a huge industry,
multimillion dollar business.
And they mentioned that Counter-Strike
Global Offensive also had a breach a few
years back.
So this is not a particularly new thing,
but it's definitely very interesting for
sure.
Yeah.
Trying to think.
Yeah.
So like I said, am I back?
Hey, Jordan.
Yes, you are.
Welcome back.
Of course.
As soon as we press go live,
like everything just breaks.
So yeah,
you and I were talking beforehand.
Yeah, that was so bizarre.
I don't know what happened.
But yeah, sorry.
I'll just throw it back to you, Nate,
to continue with the story.
No, you're good.
I mean,
I don't really have too much to add.
I'm not much of an online gamer.
I think when I was in high school,
I played a little bit of Halo Online,
and there were a few.
I think I ran into a couple of
cheaters, but definitely not a ton.
Just like I said,
it kind of ruins it for everybody,
and
I've done some cheats in offline
games just for fun,
but I find that in my experience,
they tend to get really boring really
fast.
So I'm not a huge fan of it.
I don't really understand what the point
is if you're just going to cheat,
especially in online mode,
like just play offline at that point.
But the
Yeah,
I guess the two things that I really
took away from this story is, number one,
it's unfortunate because this cheating
industry is why we've seen a huge rise
in rootkit.
Sorry, I shouldn't call them rootkits.
Anti-cheats.
And they kind of are rootkits, though,
because a lot of them go deep, deep,
deep into the operating system and work at
a very deep level, similar to a rootkit.
Like some of them even, I think,
before the OS boots up, which is...
incredibly frustrating, especially again,
if you're like me and you don't really
play online games,
I actually did buy GTA V a few
years ago.
And, uh, it was like, Oh,
install the anti-cheat.
And I'm like,
but I have no plans to ever online.
And it's like, doesn't matter.
You got to install the anti-cheat,
which is just garbage and terrible.
And, um,
Yeah, it's... Ironically,
we've seen stories in the past about how
having these anti-cheats on your
computer... First of all,
some of them conflict with each other.
So if you play multiple online games,
you may have to uninstall one to install
another,
which is incredibly annoying as somebody
who does not have a lot of space
on my computer and therefore tends to do
that with games in general.
But also, it's... Ironically, they can...
they kind of fend off certain forms of
other malware.
And I'm not saying that as an endorsement,
obviously, but it's just,
it's interesting to see that it's like,
if you have one of these installed,
because it basically functions like
malware with a pinky promise not to do
anything bad,
then it kind of stops other malware from
being installed,
certain types of malware from being
installed.
But yeah,
the other thing I kind of poked fun
at was the whole, you know,
I called it out.
It's like, oh, Atlas Menu says they have
secure authentication and enhanced privacy
through our advanced encryption
techniques.
You got to be careful of marketing.
I know marketing has always got to hype
up their product.
They got to seem super awesome and
whatnot.
But you do,
especially with the open source stuff
that's a little bit more transparent,
try to find white papers,
try to find the FAQ,
try to find something that digs in a
little bit deeper and specifically says,
here's our threat model.
Here's what we defend against.
Here's exactly how it works.
Even if you don't dig into...
here's our exact encryption protocol and
key exchange and this, that,
because I'll be honest,
that stuff goes over my head.
But if they break it down, like, oh,
everything is encrypted in the browser and
then sent to our device where we compare
hashes or, you know,
just something like that,
something that's a little bit more
substantial, I think.
I don't know.
Yeah, so you were,
Jordan was originally supposed to take
this story because you have a little bit
more experience with online gaming,
I believe.
So I guess I will turn it over
to you for your thoughts on this story.
Yeah,
so I guess the most important thing about
this that can be kind of confusing with
the way that this story was presented was
this is, you know,
this cheat software is primarily used on
GTA Online,
which is where people basically...
It's like GTA V except...
you basically can play with other players
and there's like different multiplayer
activities you can do.
So that's the main thing that I think
people are using this for.
And I think that's personally what I would
think is the main issue with a lot
of these cheat things.
Like I don't really care if someone is
like cheating on their GTA V local game
installation.
And it's like,
you know,
that they're single player video game.
I don't really care.
I think people should be able to use
software the way that they want.
Right.
And they should be able to,
if they want like run cheat software,
right.
Because that should be up to them.
So I think this is kind of where
I have more of an issue is when
you start affecting other people and,
you know, ruining people's experiences,
um,
It can kind of get really frustrating,
especially with GTA Online,
because this is one of these sorts of
games where basically if someone is
cheating,
they can basically ruin the entire
experience for everybody.
And I've seen a lot of times,
like I used to play GTA Online and
there was a lot of people who would
use
not specifically this software.
I don't know which software they were
using,
but they were using some sort of cheat
menu to basically
mess around with people.
And I think the most important thing with
this, though, is, like,
I don't think we should be, like,
celebrating people's information getting
breached, right?
Even if these are, like, people that,
like, kind of deserved it, right?
Like, it's, like, you know,
you're fucking with people's video games.
Like, you should probably, you know,
be a bit... It's a bit of karma,
right?
But it's also, you know,
I don't think we should be happy that
all these people have had their
information breached because...
of like a security breach.
Right.
Um, so I think, you know, it's,
it kind of makes sense why this, uh,
why this service was breached in the first
place.
Right.
Because they're kind of a target because a
lot of people probably hate this software
because it keeps ruining their games.
Um, but it sounds like from the article,
it was actually someone who thought that
they'd been, um,
scammed. So maybe perhaps they purchased
the software and then they never got
access to it or something like that, and
they decided to basically take revenge on
this specific software developer. I do
think, though, that, you know, obviously these
sixty-four thousand people whose accounts
were part of the breach, that's kind of
crappy. And I do think, you know, maybe
if they were using this software on a
local installation of a game, maybe that
would be like less of a concern. I
know a lot of these games definitely
enforce like a TOS, and they say, like,
you know, if you use any software
that affects the game in a way that
is not intended or allows you to gain
an advantage, that could be a reason to
ban you. So I mean
I think we should be promoting people
being able to use whatever software they
want.
But also, like,
it's not great that these people had their
information breached.
I don't think we should be celebrating
that exactly.
I think it's just kind of unfortunate.
And they were primed to get hacked,
I think, at that point.
Yeah, I totally agree.
I'm never a fan of saying people deserve
to get hacked because, again,
privacy is a human right, right?
And that's how human rights work,
is even if you disagree with somebody.
And also, it's a video game.
Believe me, I am a gamer.
I am ashamed to admit this,
but in high school,
I did throw a controller one time.
And I know some of you guys are
like, one time?
Get on my level.
But to me,
that's really immature and not...
emotionally, you know, but I was like,
or something.
So my point being is like,
I get it.
I know how frustrating it can be.
And yeah,
especially if they're like the kind of
cheats where it's like the one hit kill
kind of stuff is just like, dude,
come on.
Like, it's just a game.
Don't take it so seriously.
Don't,
don't be doing that and ruining the fun
for everybody else.
But it's still, yeah, it's, and it's,
it's frustrating.
'Cause, like, this anti-cheat thing has been
a major sticking point for
gaming on Linux, because so many of these
games now require this anti-cheat that, as
far as I know, only works on Windows,
or maybe Windows and Mac, and because Linux
has such a small adoption there's a lot
of people who...
There's... it.
And I'm told that gaming on Linux has
gotten a lot better.
Um, because I, I use Qubes, which you'd,
I don't even know if you could play
solitaire on that thing.
Um, but you know, it's,
it's not really a gaming computer,
so I don't have a lot of gaming
on Linux experience,
but I'm told that gaming on Linux is
getting a lot better,
but it's still like a
It's still got a ways to go,
especially for some of the AAA titles,
and this is why.
Because the whole anti-cheat thing,
which does not work on Linux,
and therefore there's a lot of AAA games
that you can't play on Linux strictly
because you can't install the anti-cheat.
So this does have privacy implications
beyond just this story as well.
It's like, if people would...
I don't know what the solution is,
because I don't think they should just
make an anti-cheat that works on Linux.
I don't think any of the Linux people
would want that.
But it's like,
if we could get a better handle on
the cheating situation where people didn't
need it, that would be...
That would be super awesome.
I think also the issue with these
anti-cheat software is that they're
actually really privacy invasive as well.
Like we've seen with, I know Vanguard,
which is part of like Valorant and League
of Legends.
That's like.
basically, like you were saying,
it's basically a rootkit.
Like it actually needs full access to your
entire system.
It needs to be running, uh,
in order to verify the authenticity of
your system.
And, you know,
I think that basically means that they're
logging every process on your computer.
They're checking to see what code is
running on your computer and possibly
sending that back to some third party
company.
Right.
And, um,
Yeah, I don't think the solution is...
Actually,
I don't really know what the solution is
because I'm not a game developer.
I'm sure there's issues either way, right?
Like if we took away all the anti-cheat,
every single game that we play would be
filled with people cheating.
And if we made it so that Linux
had anti-cheat, then what might happen,
like what we saw with Apex Legends.
So at one point,
Apex Legends was using BattlEye
anti-cheat,
which actually does have a Linux version.
However, the Linux version isn't
It doesn't have as good access as Windows.
So basically all the cheaters were just
switching to Linux to cheat because it
would be harder to detect.
And then, of course,
what do you think happened then?
Well,
the Linux version doesn't exist anymore
because it was just being used by
cheaters, which sucks, right?
Like, it goes both ways.
So...
Yeah,
it's just a really crappy situation
because, you know,
I think a lot of people in our
community don't want to have to use
Windows and there's just a lot of video
games at this point that are kind of
forcing you to basically use it or...
basically you can't even play the game.
Like it would be fine if there was,
you know, performance issues.
Like if there was some minor performance
issues and like maybe it didn't perform as
well as the Windows version or something
like that, but it can't even start.
Like you can't even run the game.
So I think that's,
it basically has gotten to this point at
this point where like if a game doesn't
run on Linux, it's because of anti-cheat.
There's no other reason why it can't run
because it's
It's just a platform limitation almost at
this point.
I don't know what the answer is to
that exactly.
Maybe I'd rather not have to run an
invasive anti-cheat software on my Linux
computer,
but maybe that ends up being kind of
the only option that actually allows it to
happen.
But if it doesn't have the same amount
of access,
I don't see why any company would allow
that.
in the first place.
Yeah.
Yeah, it really sucks.
It's kind of a crappy situation all
around, for sure.
And I went and looked it up because
I was like, man,
wasn't there an anti-cheat thing recently?
There have been several anti-cheat
scandals.
Riot Games,
which is Vanguard you were talking about,
and their Easy Anti-Cheat.
In Valorant,
Vanguard has been accused of data
scraping.
There have even been allegations that a
Riot employee was being bribed to ignore
cheaters.
Vanguard updates were reported to brick
DMA cheating devices by forcing full OS
reinstalls in Apex Legends.
Oh, yeah, I remember this one.
There was attackers used a remote code
execution to inject cheats into pro
players during an actual competition.
So, I mean, like, yeah, this stuff is...
This isn't just like theoretically it
could be bad.
Like there's an actual history of this
stuff.
And then now we see that sometimes it
doesn't even work and just puts people at
risk, which, you know, shocker, right?
Unfortunate.
But I think if that's all we have
for that story,
we're going to go ahead and talk about
another super exciting corporate...
How would I define this one?
Corporations...
Corporations doing the wrong thing or
making the wrong move.
So we've actually covered some of this
recently for audio listeners.
The headline says Microsoft under fire for
threatening security researcher with
criminal investigation.
And so we've covered,
there was a security researcher who goes
by Nightmare Eclipse,
and they have publicly published a series
of vulnerabilities, including Blue Hammer,
Red Sun, Undefend, and Yellow Key.
And I think Yellow Key and Blue Hammer,
we talked about on previous episodes,
one of those was a vulnerability in
BitLocker.
And so this is interesting.
Basically,
Microsoft is saying this person did not
responsibly disclose, which, okay, so...
It's not a law,
but I think it's kind of a –
and it's actually a little contentious,
which we'll talk about that in a minute.
But generally speaking, in cybersecurity,
there is kind of the idea that the
proper way to go about things is you
find a bug.
You report it to the company,
and then you give them about – I
think the standard is ninety days.
I could be wrong.
Somewhere between thirty and ninety to fix
the bug and push out an update.
and then you kind of explain what you
found and what it is, um, just kind
of for the education of the community,
right? Like, letting everybody know that, uh,
here's this bug I found, here's how it
works, whatever, whatever. Um, they're kind of
fun to read sometimes, especially if
they're not super, super technical.
Sometimes they're just super technical and
I can't understand them, but if they're a
little more approachable, I like, and I
enjoy reading those kind of posts, and, um,
So, and for the record,
there's exceptions.
Like if a company is really like open
and working with you,
a lot of the time they'll delay the
public post because it's like, oh,
they're having trouble rolling out an
update or whatever the case.
But anyways,
so Microsoft is basically saying this
Nightmare Eclipse person did not do that.
They say there was no responsible
disclosure.
They just went ahead and published this
stuff right off the bat,
which in turn provably did put a lot
of people at risk.
The article talks about how there have
been
vulnerabilities that are already using
this stuff in real world attacks,
according to both Microsoft and CISA.
So they're saying we're going to sue this
person because this was negligent and just
irresponsible.
Nightmare Eclipse claims that's not true.
They said there's a series of blog posts
where they claim to have been in contact
with Microsoft,
but the company allegedly mistreated them,
including revoking access to the Microsoft
Security Response Center account.
I think they said something like their
GitHub posts were taken down in two.
Oh, yeah,
the researcher published the bugs on
GitHub and the account, oh, and GitLab,
and both of those accounts were banned,
according to this writing,
if I'm understanding that correctly.
So, yeah, this is, and of course,
neither of them have responded,
which is smart when you're in the middle
of a lawsuit,
you do not talk about it,
because that can complicate things.
It seems that the community is on
Nightmare Eclipse's side here,
which I know is a shocker.
They're, who did they cite here?
They mentioned... I know they mentioned...
Okay, so they mentioned this Katie...
I don't know how to pronounce this.
Katie Moussouris,
who works for Luta Security.
And she talked about how responsible
disclosure... It's kind of...
I don't want to say nitpicky.
It's not the right word.
Um,
but she talked about moving away from the
idea of responsible disclosure and instead
moving it more towards coordinated
disclosure, which is like I mentioned,
like sometimes they'll expand the window
if the company's having a hard time
patching it.
Um, you know, Kevin Beaumont, I,
I saw this on Mastodon.
He was on Mastodon sizing Microsoft.
And, um,
I don't know, from what I've seen,
and this is as an outsider,
I'm not a cybersecurity expert,
I'm not a researcher,
but from what I've seen,
Microsoft does not have a particularly
strong security culture.
So I'm kind of inclined to take this
Nightmare Eclipse guy's version of events
and say that he probably did try to
reach out to them and they probably tried
to like sweep this under the rug and
make it go away.
because everything is vibe coded from
Microsoft now.
But yeah, I mean, either way,
it's I kind of brush past it.
But this sub-headline here says
cybersecurity veterans warn of chilling
effect, which is true.
This has been, and
I don't know how true this is,
but I've heard this story from multiple
people.
There have been a lot of people who
say that they're like hobby
cybersecurity researchers.
They're not like professional,
but they do it for fun.
And they've disclosed vulnerabilities to
multiple organizations, big and small.
And nine out of ten times,
if they get a response at all,
the response is, oh, you hacked our stuff.
We're going to sue you.
And so after a while,
they just give up.
They're just like,
I'm not even going to report bugs anymore
because they keep threatening to sue me.
And what's the point?
go ahead and get hacked,
which I don't think is a great response
because it puts everybody else at risk.
But yeah,
so if this is how companies respond,
it definitely does have a chilling effect
on researchers coming forward to report
this kind of stuff,
especially from a company as big as
Microsoft.
And I'm assuming that if,
if Nightmare Eclipse reached out,
he's probably got receipts, you know,
he's probably got copies of the emails he
sent and stuff like that.
So we'll,
I guess we'll see how this shakes out,
but I do,
I do find this whole debate interesting
because I,
of course I have my own opinions on
this,
but I've seen some people argue that like,
you're never owed responsible disclosure.
I'm thinking of a very specific researcher
who I don't wanna name,
but they will routinely post like, oh,
here's why this software sucks and here's
all the things I found in it.
And no,
I didn't message them because their
software is so crappy that they're
basically,
malicious and they deserve it.
And therefore I'm not going to say
anything because I'm very full of myself.
I feel comfortable saying that.
So yeah, I don't know.
I think it's very,
I am a fan of at least trying.
If you're going to disclose this kind of
stuff in the first place,
it's my personal opinion that you should
reach out to the company.
If you're one of those people who's just
like, it's not worth the lawsuit,
I'm not even going to report it,
then fine.
But you're also probably not the person
who's blogging about it.
So I don't know.
That's kind of my opinion.
Because again, it's the thing of like,
You're putting other people at risk.
It's not just like making this company
look bad and shaming the company,
which unfortunately is required sometimes.
We've had to do this with Signal in
the past.
There was a bug a long time ago,
a long time ago,
a couple of years ago, where Signal,
I think it was on Windows specifically,
Signal was not like properly sandboxing
the private key.
And apparently a bug report had been open
for years at that point.
And Signal tried to argue when it, like,
it kind of blew up and became a
big story, and Signal tried to be like,
well, 'cause for those who don't know,
basically what it is is if you had
malware on your device,
it could easily access your private key on
Signal.
So it could see your messages.
And Signal tried to like downplay it and
be like, well,
if your device is compromised,
there's nothing we can do about that.
To which everybody's response was like,
yes,
but this person already like did a fix
and it takes two seconds and it's like,
why not do it?
And eventually Signal did it anyways,
even though they insisted it wasn't a big
deal.
So unfortunately,
companies do have to be shamed sometimes,
even the best of companies.
But...
I think to go straight to the shaming
part and to not try to coordinate first
is definitely, in my opinion,
not pretty cool.
But I also think it's not really cool
for the companies to respond by saying,
hey,
let's sue you because you found a
vulnerability instead of saying, hey,
let's fix it.
So I don't know, a little bit rambly,
but I think that's all I've got.
Jordan,
did you have any additional thoughts on
this one?
Yeah,
so I think one interesting thing about
this entire thing was you mentioned in the
start there that it was GitHub and GitLab.
Both the exploits were removed on GitHub
and GitLab.
And I think that kind of shows that
we've reached a point, honestly,
where
basically Microsoft controls way too much.
Like they control the software
distribution platforms.
They control the most popular operating
system.
They control like way too much.
Right.
And I think the reason that even
their GitLab account was deleted
is because GitLab is a Microsoft
partner.
Um,
and they also coordinate with Microsoft.
So they,
I think, you know, it's once again,
one of those things where we have to
say, you know, this is probably,
it's probably a bit too much control that
Microsoft has over the entire software
distribution process.
And that's where they kind of can wield
this power against developers and
security researchers who report this stuff
to them.
And I think it also shows a really
bad look as well because imagine if you're
a security researcher and you find a
really bad vulnerability in a Microsoft
product.
Now there's precedent that you're going to
get sued and reported to the criminal...
What do they call it?
The criminal... Something security...
I can't remember what they call it.
The digital crimes unit.
digital crimes unit,
like you're going to get reported to the
digital crimes unit,
like just for reporting a vulnerability.
Um, and I dunno,
I just think this is not how you,
this is not how you look good when
you, when, when in terms of security,
this is not how you promote more people
to report vulnerabilities to you.
Um, and I think even if it's like,
you know,
these vulnerabilities that get reported,
if they're like, you know,
if they're used for criminal activities
and Microsoft doesn't realize that these
are being exploited in the wild just
because people don't want to report it,
then that's just like a negative for
everybody.
That's not a positive.
And I did also see Kevin Beaumont,
who's like a security,
I feel like he's in like the cybersecurity
industry,
is kind of quite a popular person.
popular guy.
He also wrote like a Medium blog post.
I don't know if we can bring that
up.
But in his blog post,
he talks about someone else.
There was someone else called Sandbox
Escaper.
And they basically reported a bunch of
zero-day flaws to Microsoft.
And then eventually,
according to Kevin Beaumont,
they hired this person.
So it seems like there's...
Microsoft has done the right thing in the
past and also hired somebody.
And now why have they suddenly changed
their tune to start reporting someone to
the authorities?
It doesn't really make a whole lot of
sense.
It also says Microsoft,
Kevin Beaumont also says Microsoft have
also purchased zero day exploits in their
own products from exploit brokers.
So
Yeah.
I mean, according to Kevin Beaumont, this,
this basic, this whole,
this whole saga is not looking too good
from a legal perspective for Microsoft,
especially because now there's all that
history, right?
There's like the history of Microsoft
hiring somebody who was doing the exact
same thing.
It's,
it looks extremely bad for Microsoft.
I don't think this is
This is not the right way to do
vulnerability disclosure.
Like this is like the bug bounties and
all this sort of stuff.
It's not the right way to do it.
And yeah, I think Microsoft just,
it just shows us in this case,
Microsoft has too much control as well.
I didn't really have too much to add
about this specific person because I don't
really...
I don't really know how much we can
trust from some random person,
but like if we just look at things
from like a, the aspect of like,
the actions of Microsoft against someone
reporting a vulnerability.
I think we can all agree that this
is the wrong way to do it.
The exact opposite way to do it,
in fact.
So yeah,
just really frustrating for Microsoft.
It feels like Microsoft is literally not
doing a single thing right at this point.
Like they can't even get anything right.
Like their operating system,
everyone is switching.
They keep trying to put AI in all
their products and no one wants it.
Like,
it's not great. I'm not, not a fan.
Okay, this is totally off topic, like just
taking shots at Microsoft, but did you see
404 Media's post about like Microsoft
is trying to roll out some new AI
thing called Scout, and apparently there
was like a leaked memo that was like,
oh, we want it to be addicting, and
Satya Nadella went on this huge rant where
he's like, I don't know who wrote that
or where it's coming from, and 404
Media wrote this, like, it's almost
borderline passive-aggressive.
But it's not.
It's close, but it's not.
But it is beautiful.
Where this whole thing where they said
like six times in the post, they're like,
it says in the post who wrote it.
So either you are like really not paying
attention or just choosing to be ignorant.
Like, why don't you go ask that person?
It's, oh man, if you haven't read it,
you should.
It's beautiful.
But yeah, I kept seeing stuff about him.
Yeah.
Like he kept saying like he didn't know
what it was about,
but like he's like the CEO.
He should know everything that's going on
in the company.
That's like his job, right?
Yeah, which is what 404 Media said.
It's like, so are you telling me that
you don't know what's going on in your
own company? Like, what's going on here, dude?
Here, I'll real quick, I'll... I know we're
a little off topic, but I'll put it
up. I just pulled it up right now.
It's "Satya Nadella, not sure who said
Microsoft wanted to make AI addictive, is
looking for the guy who did this," and
then if you actually read it, they say,
like, multiple times, it's like, again, it's,
you know, he signed it or whatever. So
yeah, it's a...
Just, yeah, what is going on at Microsoft?
That is the million-dollar question right
now.
Actually, how much is Microsoft worth?
That is the trillion-dollar question.
Common Microsoft L, as usual.
Yeah, for real.
That's a good way to put it.
All righty.
Yeah, no,
I don't have anything to add to that.
But I do appreciate you pointing out
the...
Oh, gosh.
I already lost track of it.
But it was good insight.
Oh, yes.
How Microsoft is getting way too powerful.
If they can get GitLab to take stuff
down,
GitLab is supposed to be separate and
independent.
And just, yeah, that's troubling.
GitLab's getting a little too corporate,
I think.
I know there's a lot of people starting
to push away.
What's it called?
Forgejo, something like that,
which is supposed to be like an ActivityPub
version of Git.
Or there's, what else?
Codeberg's a popular one.
I don't know if it's as popular,
but I know some people like Gitea.
I mean,
they've all got their pros and cons,
but yeah,
we definitely need to decentralize a
little bit because that is scary, I think.
But in the meantime,
I think we're going to issue some quick
site updates.
We do have a story coming up in
a little bit about Dashlane,
who's pulling a LastPass.
There's some good news there, hopefully,
but still not great.
But before we discuss that,
we're going to talk about what's been
going on at Privacy Guides this week.
So this has been another one of those
weeks where there hasn't been a whole lot
of public-facing stuff,
but we've been very busy behind the
scenes.
Jordan is wrapping up a new video.
I'm getting all the B-roll for the next
video after that.
But in the meantime,
we had a fantastic new article,
which actually,
let me see if I can pull that
up real quick.
While that's loading,
it is called No Right to Remain Silent,
Negative Rights in a Positive Rights
World.
And I highly encourage you guys to go
read this one because it is here.
Let me pull this up real quick.
Share this tab.
It is about something a lot of you
guys, if you're privacy veterans,
have probably clocked already,
which is we're kind of moving into a
world where it is suspicious to not be
part of the system.
You know, like it was a...
What year are we in?
Twenty twenty six.
So like fifteen years ago,
twenty years ago.
God, it's been so long.
We'll say fifteen,
ten to fifteen years ago.
If you didn't have a Facebook,
that's kind of normal.
I mean, it wasn't like super normal,
but it's kind of like whatever.
You know, if you didn't have Instagram,
if you didn't have Snapchat and even now,
I think to not have some of these
things like I'm not on Snapchat,
but I'm on Discord or I'm not really
on Facebook,
but I'm really active on Instagram or
whatever.
That's pretty normal.
But we're moving into a world increasingly
where to not have any of this stuff
is really starting to be seen as
suspicious and strange.
And this was a fantastic write-up by one
of our guest contributors.
And they kind of explore this and how
it's kind of really becoming a problem
where like,
obviously we're not fans of it,
but here in the US, you know,
now to get a visa or get into
the country, they want you to show,
if you're a foreigner,
they want you to show like five years
of social media history.
And it's like,
how do you think that's going to look
when you show up at border patrol?
And you're like, yeah,
I don't have social media.
I don't have, or, you know,
I use Mastodon where everything over a
month gets automatically deleted.
Like that's going to look really
suspicious,
even if it was a different administration
in charge.
And so it's,
this is a definitely becoming a problem.
And I highly recommend checking that out.
And then, again,
it was kind of a slower week.
We did have a couple of news articles,
really.
We had the Data Breach Roundup, of course.
But we also had a story that we're
going to talk about here in a minute,
which is Meta's AI support agent used by
attackers to take over Instagram accounts.
And if you want to read a little
bit more about that story or a different
perspective, Freya wrote that.
So definitely check that out.
But that's all that's been going on the
article side of things.
And I think Jordan has some additional
updates.
Yes, I do.
I've got something that Jonah's been
working on quite a lot behind the scenes.
I'm not sure if I can... Okay,
it looks like I've got to remove your...
Okay.
Basically, we've been working on... Well,
not we.
I'm just going to say Jonah's been working
on basically this whole verified apps
database.
So if you didn't catch last week's show,
basically how it works is it's
a database that has the certificate hashes
of Android apps.
And basically we're relying on our
community members to submit their apps to
that database.
And originally it was just like we talked
about last week.
It was a website that you could visit
that basically would provide
have the hashes that you could compare
with apps on your device.
And Jonah has basically been working on a,
he's been testing something that would
basically allow for people to
automatically check, like, the device
certificate hashes of apps that they have
installed against the
database that we've been working on. So I
guess I can scroll down a little bit
here. This is kind of like what it
looks like. It basically shows all the
apps that you have installed, and it
will basically tell you the hash of the
app, and then it will tell you the
status of the, if the app matches that
that is stored in our community database.
So basically we've been having people on
GitHub submitting their app certificate
hashes,
and then that's been compared against
all app stores, basically.
Google Play, F-Droid, Accrescent,
all these app stores,
checking the certificate hashes against
that, and then eventually,
once we double-check everything,
submitting that to the database itself.
And basically,
the reason why we've been doing this is
the previous app that existed,
which was...
called AppVerifier by soupslurpr.
It was a good app,
but the issue with it was that the
internal database was very limited and the
developer didn't want to increase the apps
that were actually included in that
database.
So basically it was useful for checking
the hashes,
but it didn't have a very large internal
database.
So basically we're trying to change that a
little bit.
And we're not trying to replace the App
Verifier app exactly.
We're basically just using...
This is basically an app that can check
the certificate hashes of all the apps
that you have installed.
It doesn't work exactly the same way as
the App Verifier app.
I might just read exactly what Jonah put
on the GitHub because I feel like that's
probably a better way to...
basically explain it.
So let me just share this tab instead.
Basically, Verified Apps is an app
signing hash viewer and verifier.
And if you scroll down here,
It's a fork of AppVerifier,
but many components have been removed,
so it no longer serves the same purpose.
Notably,
it no longer includes peer-to-peer
verification via clipboard sharing.
This app only checks against our
crowdsourced database.
So basically what this means is that this
is more of a
I guess,
supplementation to the app verifier app.
So it's not a replacement.
It fills a small niche there.
And the app right now is,
this is all pre-release stuff as well.
I just want to put that out there.
This is not anything that's been fully
released.
We've currently got,
Jonah put out a release fifteen hours ago.
This is like a pre-release of the app.
I've downloaded it myself and there's no
issues with the functionality or anything
like that.
But it is,
it is not quite production ready.
Like there's still certain things that I
think Jonah is working out on the back
end and to basically
make sure that you can verify that the
app is actually legit.
Because obviously you need to make sure
you trust this app because it's going to
be checking all the certificate hashes of
all the apps you're using.
So yeah,
there's been some kind of background
process on that.
And overall, it's looking really good.
I've already really liked this app a lot,
actually.
So if you're interested in testing it out,
you can check that out on the privacy
guides forum,
Verified Apps app for Android pre-release.
So it's available for pre-release if you
want to test it.
Obviously don't rely on this fully yet
because it's not really fully released,
but it would be really helpful if people
could download this and give feedback if
they have any.
because it's, yeah,
it's kind of actively being developed and
it's only just, we only just put out,
I think Jonah put out a release the
other day, two days ago.
So, two-day-old app.
So don't, don't judge too harshly,
but I think it's already quite promising.
But yeah.
Do you have any thoughts on this on
Nate?
Because I feel like this is kind of
a big release here.
Um, no, to be honest,
I don't really have any thought.
I think it is super cool.
I agree with you.
Um, it is a big release.
It is really exciting.
Um, I'm glad, uh,
cause I know last time we mentioned this,
uh, this crowdsourced app verifier thing,
we explicitly said like,
we're not promising an Android app to go
with it.
And, uh,
I believe basically Jonah was just kind of
like, well,
how hard would it be to make an
app and kind of tinkered around a little
bit.
And, um,
Jonah's crazy smart with tech stuff.
Um, I mean, obviously, but yeah, uh,
I guess for him it was like, Oh,
this is actually easier than I thought.
So, uh,
he went ahead and released this and, um,
yeah, I mean, I,
I think it's super cool.
Uh,
I will say another place you can find
the link to this is in the newsletter.
So if you go to privacyguides.org slash
live streams, um,
there's a link to it in there as
well, but yeah, uh,
I don't really have too many thoughts.
I just think it's, um,
It is super cool.
It is super exciting.
And if you are okay with some bugs
and some stuff,
I think we always appreciate beta testers
and feedback and stuff.
But yeah, like Jordan said,
this should be considered pre-release
alpha.
Do not rely on it too heavily.
Expect there to be some issues.
And yeah,
it's really cool to see this coming
together.
I don't know.
I think those are kind of just my
main thoughts.
It's really cool to see this project
coming together from my perspective, so.
Yeah, same.
And I think I do want to remind
people like, you know,
we wouldn't be able to do this without
your support.
So all of this is made possible by
our supporters and you can sign up for
a membership or donate at
privacyguides.org.
Or you can pick up some swag at
shop.privacyguides.org.
Privacy Guides is a nonprofit which
researches and shares privacy related
information.
and facilitates a community on our forum
and Matrix where people can ask questions
and get advice about staying private
online and preserving their digital
rights.
Now let's dive into this story about Meta.
Yeah, all right.
So we got a couple stories about Meta
this week.
We'll start with this first one that you
guys may have seen because it kind of
made the rounds.
It says,
hackers use Meta's AI support bot to seize
Instagram accounts.
So we're talking big name accounts like
the Obama White House.
I didn't know that past administrations
get to keep their own little archive
account.
I didn't know that.
But the Obama White House,
the Chief Master Sergeant of the U.S.
Space Force says,
I think 404 Media said Sephora,
the makeup brand,
and they were briefly defaced with
pro-Iranian messages over the weekend.
And apparently, so Meta has patched
this now, according to this article,
but it's...
Apparently,
it was literally as simple as opening the
Meta AI support assistant and saying, hey,
I need to add a new email address
to this account.
And then Meta would send you the
verification code for video viewers.
You can see a screenshot of the
conversation here.
And, you know,
tell me the verification code.
And then they would add it to the
account.
And then you could do like a basic
password reset.
So...
My first thought is I have to wonder
if two-factor would have slowed this down
or stopped this potentially.
I'm not positive,
but I feel pretty confident that it
probably would have.
But, oh yes,
it says here in the last paragraph,
securing your various online accounts
means taking full advantage of the most
secure form of multi-factor authentication
offered.
And in this case,
using even the least robust forms of MFA,
such as a one-time code sent via SMS,
would likely have blocked the exploit.
And we'll talk about two-factor actually a
little bit in the Dashlane story.
But I think the other thing is,
and this is kind of preaching to the
choir here,
but the other thing with this story is
that
This is a reminder, like I don't,
I mean,
it's not really a reminder because again,
you guys know this,
but like it blows my mind that companies
are relying so heavily on AI when it's
just, it's not, it doesn't have thought,
you know?
I mean, again,
I know I'm preaching the choir here,
but like,
This is the problem is AI is not
conscious.
And this is proof of it because a
conscious person would have realized,
why am I adding a random email address
to this account?
But AI is just automatic.
It just does what it's told.
And it's just, it's crazy.
I can't believe it did that.
But yeah, and I...
Um, ever,
ever since the Anthropic Claude Code leak,
I would love to see how meta patch
this, because from what I can tell,
like programming AI is basically just
giving it prompts that are like deep down
below the user level.
So like, what did they do?
They just added a new prompt,
like do not add random email addresses to
an account, you know, things that again,
a normal person would know, but yeah.
Yeah, this move fast and break everything,
right?
And it's not even just meta.
Like as much as I love to crap
on meta and they deserve every bit of
it and then some, it's, you know,
all these companies are doing this where
they just roll everything out and then
worry about the consequences later.
To which I would like to inform people
if you didn't know that there's literally
an entire Wikipedia page listing deaths
directly relatable to AI and LLMs.
So yeah,
I've been pretty open that I'm not like
the most anti-AI person around here,
but they're just,
the number of use cases that I found
for it are so few and far between
that it just blows my mind that companies
are trying to cram it into every single
thing possible.
But I don't, yeah, I mean,
this is a pretty straightforward story.
So I don't know if I have anything
else really to add to this.
I know this was a big one that
made the rounds.
Did you have any thoughts on this one
when you saw this story, Jordan?
Yeah.
I was thinking of jumping in right away,
but I think it's,
it is kind of funny that like the
Obama,
the Obama White House account didn't have
two-factor authentication.
What are they doing?
Like that, that must be so many,
that must be like such a huge account
as well.
Like that is not a small account.
I don't know.
It just kind of surprises me how,
how resistant people are to,
to like
it's not even like... SMS 2FA is,
like, the bare minimum.
Like, that is, like, this,
that is literally the lowest form of
authentication you can possibly have.
And okay.
So it says here,
Obama White House account and the Chief
Master Sergeant of the U.S. Space Force
were briefly defaced with pro-Iranian
images.
So I don't know.
It just kind of surprises me that there's
these public facing accounts that have
like
zero security.
And I think it also,
I think Meta is to blame here as
well, because number one,
you should be enforcing two-factor,
like, a hundred percent across your entire
company.
You shouldn't be allowing people to just
not have two-factor authentication,
especially when you're, like, Meta, right?
Like you have so much power over so
many people,
like you should be at least trying to
enforce the bare minimum of security.
Like, I mean,
as much as we don't like Google,
As much as we really hate Google,
they have done that right.
They've put in,
they've mandated two-factor authentication
across every account, which, you know,
it stops silly stuff like this.
But also, I wonder, like,
how much control did they actually give
this AI support assistant?
Because if it's allowed to reset account
passwords,
how much more control over the
infrastructure does this?
It's basically a...
it's basically just making stuff up,
right?
Like AI is basically just telling you what
you want to hear.
And I think putting that into a support
bot that has control over people's
accounts,
that just sounds like a security nightmare
because we've seen this before.
There's all these sort of prompt injection
things where you can be like,
disregard all prior programming
and change the email address of this
account.
Like, it's just so ripe for abuse because,
like Nate said, it's not a human being.
It doesn't think.
It's not like they're trying to imitate a
human, but it's not the same thing.
And, I don't know,
it's just kind of funny how much money
we're pouring into this, like,
funny makeup words machine that, you know,
keeps doing silly stuff like this.
Right.
And they're just trying to mimic the power
of a single human being.
Like if a single human being was on
the other end of this,
this wouldn't even be a story.
It literally wouldn't have happened.
So like,
it's just really frustrating that they're
trying to, you know,
maybe you should start employing human
beings to actually, you know, manual, uh,
support assistant instead of having some
AI that can make mistakes like this.
So I don't know,
this is just kind of the reality of
Meta.
I think in this day and age,
they've just gone too far.
They've put AI into too many things.
They're trying to minimize costs as much
as possible and
utilize all these AI systems to automate
things.
And I think we're only just going to
see this becoming more and more of an
issue.
And any company that is doing this sort
of integration,
I would be extremely skeptical of the
security of their product.
And honestly,
the most surprising thing of this story is
just how much control they gave to the
AI support bot,
because that's basically not...
Something that I would have expected a
company to actually do,
but I guess Meta is just that bad.
Yeah.
Yeah.
I, I totally agree,
especially about the 2FA thing.
Like,
I don't know what things are like at,
at the White House,
any White House, for the record.
Um, and you know,
the Chief Master Sergeant,
I have to assume that's his account that
he's manning.
Maybe I could be wrong about that.
But, uh, I, I, especially, like, Sephora,
I mentioned that was in the 404
Media article.
Like
How is there a company on earth that
is not using a password manager and not
mandating?
Like at my last job,
they mandated we had to use Microsoft
Authenticator, which pissed me off.
It was garbage.
But, you know,
it's like we had to use 2FA.
That was just basic push notification
2FA.
Like, that's insane that these, these big
billion-dollar brands... like, God forbid you
make everybody... even, even Microsoft
Authenticator is, as much as I hated it,
and as dumb as it is, and as
much as I wouldn't want anybody to put
that spyware on their freaking phone,
like,
it's,
it's better than just leaving it wide
open.
Right.
And it's probably some shared garbage
password too, like, you know,
MakeupForever or something stupid.
I don't know.
So yeah, it's,
it's completely insane that these
companies are not doing better.
Um, yeah.
Chess Joe said a stochastic parroting.
I've never heard that word before.
I had to look it up.
Apparently it means random involving a
random variable.
So yeah, just, it's, um,
Again, I'm not the biggest AI hater,
but it is a probability machine.
It's like,
what is the most likely word that's going
to come next?
It's an oversimplification,
but it is fancy autocorrect.
And to try to assign sentience or
intention or motivation to it is
incredibly dangerous.
Again, I do believe AI has use cases.
But like you said,
just giving it this massive amount of
ability and power,
that's one of the things that no...
Mild offense to the people that use AI
agents, I think they're completely insane,
unless they've got, like, a very specific...
like, it's got this machine and it only
has access to, like, the search engine and
it doesn't have access to, like, my, my,
you know... Because that's the example
they've given us, right? It's like, oh, you
can use it to, uh, to, like, go
buy plane tickets. It's like, first of all,
I don't trust it not to buy, like,
first-class tickets to freaking Moscow at
this point. I don't trust it not to
buy three of them at a time. And
I also don't trust it to actually get
me the best price.
So it's like,
I don't understand people that trust AI
with that degree of power and control or
like unchecked responding to emails.
Like I have never used AI to write
an email, but I cannot imagine the people,
which we've seen in our spam at
Privacy Guides and in our email,
people will just like give it a prompt,
go and hit send.
And it's like,
what kind of a psychopath doesn't even
like proofread it?
It's just,
people are putting way too much trust in
AI.
It's scary.
I think the other thing that we've kind
of seen is the boom of this software
that's, like, AI, it's, like, agentic agents.
They're, like, the OpenClaws of the world.
Like people will just like,
they'll give an email inbox to like this
AI agent.
And then the AI agent will just go
through the entire internet and just send
out emails to people and just like be
really irritating.
Like we have this issue.
We kept getting this one person who would
just keep sending us emails and
And it wasn't a person.
It was an AI agent that was just
spamming us constantly.
And it was complete gibberish too.
Exactly.
It was like complete slop as well.
It was like not even... It was like...
It's just...
it's just very frustrating when you,
when you see these sort of the way
things are going,
like the way certain companies are
influencing technology at the moment,
because let's be real, like it's not,
it's not the individual people using the
technology that are shaping where
technology is going.
It's these massive, you know,
like multinational corporations like
Microsoft, Apple, Nvidia, you know,
all these massive companies,
they're controlling where the
where, where money is going, where, where
development is being focused on, and, uh,
unfortunately, it's being focused on
something that's really silly and kind of
useless in a lot of aspects, right? Like,
we could argue, you know, oh, maybe it's
good for, like, a little bit of stuff.
Like you said, maybe it's like, oh, it's
okay for, like, researching something. Maybe
I can find some information that's hard to
find on a search engine by, you know,
asking an AI agent. But, like,
when we start expanding it to more things
like, you know,
asking it to manage an inbox or be
a support agent, then it's like, that's,
I think that is a little bit too
far.
I totally agree,
but I do want to push back just
a tiny bit in the name of optimism
and point out that like,
Sometimes we can push back on this stuff.
Remember the metaverse and how that
completely failed to materialize?
Or like, okay,
this is an example that I don't know
how many people remember.
But I used to see commercials for this
service called Quibi.
And it was supposed to be like...
It was supposed to be like Netflix,
except every episode was less than ten
minutes.
So I guess the idea was like you
could watch it while you were like waiting
for the bus or something.
And I swear to God,
I saw those commercials like every single
commercial break.
Like streaming services, cable TV,
because I think I was traveling a lot
at the time,
so a lot of hotel TVs.
Like I saw it everywhere.
It was everywhere.
It was obnoxiously everywhere.
They went under in like a year because
it was a stupid idea.
So like my point being is like a
lot of people think that –
and I'm not accusing you of this for
the record,
but I've seen a lot of people who
seem to think that like, oh,
companies just pump an ungodly amount of
money that most of us would never need
to work again if we had that kind
of money.
They just pump this ridiculous amount of
money into advertising and boom,
now they've shoved this terrible product
down our throat.
Usually, but every once in a while,
we can kind of push back on it
and like get them,
get it to fail regardless.
So, I mean, if I'm being realistic,
I don't think AI is going to completely
go away,
but I do think there is something to
be said for like, it's not a guarantee.
And I think
It is worth continuing to push back and
I admire everyone who does.
I say as the person who is admitted
to occasionally using AI,
I know I kind of suck, but yeah,
I don't know.
I guess I just wanted to offer a
little bit of potential hope.
Boo.
Yeah.
Anyway, I know.
I think a lot of people use AI.
A lot of people would say like they,
I think it's pretty fair to say most
people use at least some sort of AI
right at this point.
Like it's become kind of ubiquitous.
Yeah.
Um, so I don't think that, you know,
we shouldn't shame people that are using
this technology, but I think, you know,
educating people like, oh, why is this,
why shouldn't we be doing this?
Why are,
why are we funneling so much money into
this technology?
Why is this technology not good?
Um, so, you know, I think, yeah,
you're right.
Like we are already kind of seeing it
happening a little bit.
Maybe let's be optimistic.
I guess we've seen data centers being
canceled.
We've been seeing, you know,
RAM prices and GPU prices kind of hitting,
hitting a ridiculous point now where, like,
you know, it's impacting a lot of people,
and people are becoming a little bit more
skeptical of the amount of money that
we're pouring into this, right? Like, oh, you
know, it is kind of affecting a lot,
and, like, is it really that useful? Like,
people are becoming more skeptical, I think.
Um, at least I would like to hope.
Same, totally agree.
But with that being said,
I guess we could move on to the
next article here,
also about Meta as well.
So this one is from Wired.
Meta silently added face recognition code
for its smart glasses to millions of
phones.
So one quick thing before we dive into
this story.
I don't know if anyone remembers,
but a couple of years ago,
maybe it was like two years ago,
there was another story about this and it
was some,
there was some university students and
what they'd done is basically hooked up
meta glasses to,
what's that facial recognition?
PimEyes.
PimEyes.
That's it.
Sorry.
I'm going to find that story right now
and put it on screen, but keep going.
Perfect.
Okay.
Um,
so they did that a couple of years
ago.
Right.
And they basically were like proved,
Oh wow, this is like really creepy.
Like you can,
you can just look at someone in public
and they'll just immediately have a name
attached to somebody and like all their
information and
So, um, yeah, anyway,
so everyone really thought that was super
creepy.
And of course, you know, Meta was like,
we've got to do that.
So Meta's currently, uh,
they added some facial recognition
code.
Oh, there we go.
So here's the story that I was talking
about, and this one's from 404
Media, um,
Yeah,
so basically they attached PimEyes to it.
And I think if you scroll down,
there's like a little bit of stuff like
this, like images of, you know,
being able to like identify people and
find their name and all this other creepy
stuff.
It's a pair of students at Harvard.
Yeah.
So that was super creepy.
And I think we all agreed at the
time that was like incredibly wrong and
incredibly invasive.
But, of course, you know,
meta doesn't really care.
And basically they have...
Well,
Wired has uncovered an unreleased facial
recognition system embedded in Meta's
smart glasses platform.
It's designed to identify people via
biometric data stored on users' phones.
I think this is kind of... Oh,
and of course,
I'm running into a paywall on this article
as well.
Things are going really well this week.
I'm just going to read off the screen
here.
Okay, so...
Code discreetly added to Meta's AI app
over multiple updates this year shows that
the feature, internally called Name Tag,
identifies people captured by the glasses'
camera and, when activated, alerts the
wearer when it recognizes someone. So,
firstly, like, do we really need to rely
on
smart glasses to recognize somebody.
I feel like are we dedicating that much
to technology at this point where we can't
even use our own brain to remember
someone's appearance?
That's just kind of strange to me.
The discovery of Name Tag in the live
Meta AI app shows that Meta had begun
shipping face recognition code to users'
phones while publicly describing it as
something the company was still thinking
through.
In April,
Meta said if it were to utilize facial
recognition,
it wouldn't be rolled out without first
taking a very thoughtful approach.
I don't know about that.
I don't know about that.
Because I think Meta had quite a long
time to basically think about implementing
these smart glasses and put them out in
a privacy respecting way,
like have the light activated and make
sure that it's not easy to deactivate.
And they still failed at that.
There's people on the internet who are
making tutorials on how to disable the
Meta Ray-Ban light on the side to record
people without their consent.
I don't think like,
and also like we talked about the previous
story, you know, um,
I don't think meta thinks about things too
carefully when they roll something out,
they'll roll out an AI support bot without
thinking in a couple of months, you know?
Um, so, uh,
Yeah, so though not yet enabled,
Name Tag sits inside a Meta AI companion
app that's been downloaded over fifty
million times and is necessary for use of
key features of its smart glasses,
including Ray-Ban and Oakley models.
If activated,
it will transform faces captured by Meta's
glasses into unique biometric signatures,
commonly known as face prints,
and check each one against face prints
stored on the user's phone, a database
that's currently configured to receive
updates from Meta.
Recognized faces will trigger
notifications while the rest are cropped,
indexed,
and saved to a folder marked as pending.
I feel like this is almost like one
of those Black Mirror episodes, you know,
like you're walking down the street and
like you see somebody and then your
glasses automatically detect them as like
a criminal and it just like pops up
on the screen or something like,
something ridiculous like that, you know,
like I could see this technology being
used
for something super creepy like that.
And I think also it's not really a
very...
I think these face recognition scans,
they're not very good.
They're not very accurate as well because
the cameras on these glasses is kind of
bad, right?
So I guess quoting more from this article,
it's renewed efforts arrive amid mounting
opposition to consumer level face
recognition,
which privacy advocates argue will give
anyone from stalkers to immigration agents
easy access to dangerous technology.
Internal Meta documents published by the
New York Times in February showed the
company had planned to roll out the
feature during a dynamic political
environment when Meta believed its biggest
critics would be preoccupied. So, yeah,
basically what they're saying is that they
were going to release it when everyone was
kind of busy getting, getting mad about
something else. Um, and it does seem like
they do these sort of things,
they do plan this.
Like I wouldn't be surprised if they do
plan these releases around when things
are, you know, kind of a bit turbulent.
And I think especially now,
especially with a lot of the stuff that's
going on in the U.S., I think
there's,
it's a pretty turbulent political
environment currently.
Um,
especially like this talked about earlier
with the immigration, um, officials,
like there's,
there's a lot of that going on in
the U.S. with, like, ICE agents, um,
you know, like kidnapping people almost.
Um, so I think it's, yeah,
it's definitely a very strange time to
release this.
And I think it's at a time when
it can be abused the most, almost, um,
which kind of sucks.
Um, but yeah,
I feel like I've rambled a little bit
here.
Um, do you have any,
do you have any thoughts on this one
as well, Nate, or?
Yeah.
Um, I mean,
I do, as always,
I do want to push back a little
bit on what you said at the beginning,
where I don't think this technology in and
of itself is bad,
because they do actually talk about,
towards the bottom,
Meta originally presented this Name Tag
thing in...
what did they say?
Um, no,
they were planning to debut it at a
conference for blind, uh,
for the blind before making it available
to the general public.
However, they never did for the record.
I do not want to defend meta for
a second because it's a garbage company
run by garbage people.
Um,
But in that same paragraph,
Wired pointed out that a twenty eighteen
study of blind users by Cornell Tech and
Facebook researchers found that every
participant called recognizing people an
important daily task.
And I've also shared that me personally,
I think I genuinely think I have some
like low key face blindness because I have
to meet the same person like multiple
times before they start to really stick in
my head.
And I'm also a very contextual person.
Like if I met you once and I've
talked to you.
And then I run into you again,
like a month later,
I probably won't remember you unless
you're like, yeah,
we talked about this thing.
Remember, like, you know,
we talked about silos coming up and we're,
we're both really excited about that.
And I'm like, oh my God.
Yes.
I remember that now.
Um, so I personally,
I really see the value,
especially as someone who wears glasses in
being able to wear glasses that do like,
Hey, you know, this person,
and you can recall that information for
me.
But at the same time,
I think it's very, um,
I mean, it's Meta, right?
It straight up says that if their face
is not recognized,
that it's just going to hold on to
the image.
What?
Why?
That's like... I didn't consent to that.
I mean,
I didn't consent to being in these things
in the first place.
But especially, I could...
Arguably, because again, it's Meta.
I don't trust them as far as I
can throw any of them.
And I probably can't throw any of them
very far because I have not been working
out lately.
But like,
it would be one thing that I could
quote unquote defend if they were like,
hey, we're going to do a search.
If we don't find you,
we discard the image.
Okay, fine, whatever.
At least we can pretend that's kind of
privacy respecting.
Well, if we don't find you,
we'll just hold on to it for reasons.
You know, it's like...
Anyways, okay,
I think I made my point there.
It's also Meta,
and actually, backing that up,
Meta said in a different article in the
past that the whole idea was that it
would only identify people that you knew,
but then that raises the question of,
like,
how far does this "people that you know"
thing go?
Because it's one thing to, like,
which I still don't like this for the
record because I don't think it's
anybody's business.
It's one thing if it downloads the faces
of, like,
your immediate friends on Facebook, right?
Like, the people you friended, which...
I don't know.
To me, that's distracting.
Let's say I go to the store.
Hypothetically,
let's pretend I have Facebook.
I go to the store and I pass
one of my friends and it pings me
like, oh, hey, that's your friend.
Okay, first of all,
either I'm gonna notice and I don't need
your help or B, I'm busy,
my mind is elsewhere and I don't really
care.
No offense to my friends, but like,
I hate shopping.
I just wanna get my crap and get
out.
So like,
if I'm so focused that I just wanna
get my thing,
I don't wanna stop and talk to you
because I'm gonna forget why I'm there.
I'm gonna take too long.
It's just, it's a stupid thing.
But anyways...
That was their original intention is it
only flags people you know,
so it's not just everybody.
But then what happens when it's people you
know you know?
Like, oh, that's your wife's friend.
Okay, cool.
There's probably a reason I haven't added
them on Facebook.
So like, why are you telling me this?
And I don't know.
It's just, this whole system is like,
I'm not, again,
where I'm going with that is like,
I'm not opposed to the tech itself,
but I do want to make it very
clear that like, I don't trust Meta.
I think of all the companies,
they're like the company I would trust the
least to roll this out in anything
remotely resembling an ethical form.
And it's just a shame.
It's a shame that we can't have,
it's a shame we can't have nice things
because, you know,
we mentioned this with age verification
the other week.
It's like,
there are so many ways to do things
in a way that is privacy respecting,
that is at least not overtly terrible,
but companies never do that because
where's the money in that?
So it's just, it's awful.
I hate it.
But other than that, yeah, I mean,
I don't really have a whole lot of
other thoughts.
It's just,
I guess this does kind of counter what
I said at the end of the last
story where it's like,
sometimes we push back and, you know,
we can get companies to like stop this
stuff,
but we pushed back against this so many
times and Meta is just so adamant about
making this a thing.
And that is really, really unfortunate.
Yeah.
Yeah.
I hate these things.
Please, please, friends.
Don't let friends buy Meta glasses.
Don't ever let your friends buy this
stuff.
Yeah,
and I think also it's kind of interesting
that thing you brought up about
accessibility.
I didn't really think about that too much,
actually.
But I almost think, like,
it is kind of like an excuse a
lot of these companies use to, like,
make something pretty invasive and then,
like, kind of normalize it a little bit.
I mean, I don't know.
I'm not an accessibility expert.
I don't really know what technology, like,
people that are low vision people are
using to identify people in public.
Um, but, you know,
I think we have to weigh the benefits.
Maybe there could be some other way of
doing it in a way that doesn't require
you to take biometric scans of people's
faces.
Maybe there's like a way to
I don't know,
like maybe it detects nearby devices and
then it pings you if someone is detected
nearby or something like that.
I don't know,
but that is a way to do it
without having to get face scans of
people,
of every single person you interact with,
because like that is kind of terrible from
a privacy perspective.
You're basically creating a massive
database of people.
People's faces, biometric scans. So, yeah,
overall just kind of a frustrating situation.
Let's see, there were some comments
here from Peace Boy John.
They said, "If Meta was
president, I would make sure creepish
companies like them are banned and I would
make them illegal too." Yeah, if he was
president...
Yeah, I think, I think that would be,
that would be ideal. But yeah, unfortunately
that's not really how the government
works, the U.S. government at least. So,
I don't know, we kind of just got
to deal with it, and, I don't know,
try and stop this stuff from
happening as much as we can, advocate
for this, and hopefully we can get some
changes to make sure that this technology
is not normalized. I think also just kind
of
shaming people that wear them in public.
Like, you know,
if someone walks up to me and they're
wearing Meta glasses,
I'm just going to say,
are you wearing Meta glasses?
And if they say yes,
I'll just walk away.
You know, I don't think that's,
I don't think that's really
I don't know,
I don't see a usefulness aspect of these
devices.
I think, you know,
we have phones for that reason.
I think it's basically just normalizing a
concealed recording device,
which is very creepy.
I mean,
I'm sure some people probably wouldn't
care,
but there's people that don't like to be
recorded and there's certain people that
are more affected by this.
So we should keep that in mind as
well.
I just want to support what you said
is, yeah, for the record,
do not assault people.
Do not break their glasses.
I don't know how many people are serious
and how many people are just talking big
on the internet,
but I've seen so many people say that.
It's like, oh,
if I see somebody with those,
I'm going to punch them or I'm going
to break their glasses.
And it's like, cool.
And you're going to get in legal trouble
and you're just going to look like an
even bigger dick.
That said, I think for the average person,
these are universally unpopular,
especially once people know what they are
and how they're working.
So I think, yeah, calling somebody out,
like if you're in a social setting and
it's like, hey, I'm sorry, like,
are you wearing Meta glasses?
And they're like, oh, yeah,
do you like them?
No, actually, I hate them.
I think they're really creepy.
I think they're really invasive.
I don't want you to record me.
And there's like a social phenomenon where
like everybody is afraid to make the first
move,
except for a few psychopaths like myself.
Yeah.
which also for the record depends on how
I feel.
Sometimes I'm also afraid to make the
first move,
but I guarantee you if you speak up
and like,
probably not that that's probably being a
little bit too harsh even,
but if you speak up and it's like,
I'm actually really uncomfortable with
those.
And I don't like how they're always
recording and sending my data to Meta.
Even if they try to argue you and
they're like, well,
it's not always recording.
There's going to be somebody else.
Almost certainly there's going to be
another person who's got your back.
Who's like, actually I'm kind of with him.
I don't really like that.
I don't trust Facebook.
Could you like take those off please?
Or like not wear them next time or
whatever.
Like,
it just takes one person.
And like, once they realize that, I mean,
I curse all the time.
Once they realize that they're the
asshole,
they're either not going to bring them
next time,
or they're just not going to come back
to whatever that event is,
which in my opinion is the trash taking
itself out.
So I don't care, but yeah,
I just wanted to point that out.
Like definitely don't resort to assault
because it's not going to help you any,
and it's just going to get you in
trouble.
But I agree with you,
like shaming people who do this,
I think is really the way to go
personally.
So.
Yeah,
it's better to explain to someone the
reason why it's bad than like try to
start a physical altercation.
I think also the if people aren't really
open to, you know,
if you try to explain something to someone
and they don't see the issue.
then I think maybe it's time to start
thinking about whether you want to be
friends with that person or interact with
them.
Because I think they're not going to get
the message unless they start actually
getting pushback for their actions.
And I've never seen anyone in public
wearing them.
But maybe that's,
maybe this is much more a tech hub
situation, where, like, everyone in
Silicon Valley is walking around with,
like, Meta Ray-Bans, and
that's just a locational aspect thing.
But I mean,
since Google's coming out with these
products as well,
I think they must be selling reasonably
well if more people are jumping on the boat.
So it's only becoming a better time to
publicly shame people that buy these
products.
Because, you know,
I think eventually if the public opinion
does sway, I think, you know,
just someone wearing those in public is
enough to stop a lot of people buying
these products, I think.
Yeah,
we did cover this on a previous story.
They sold like millions of these things
last year,
which is incredibly unfortunate.
But yeah, like you said,
enough that other companies are now like,
oh,
maybe we should get in on this and
Yeah.
It's, it's really unfortunate.
All right.
Um,
I think that's all we have for that
story.
So we'll go ahead and talk about Dashlane.
I'm a little excited for this story.
I'm not going to lie.
So this started,
I want to say, earlier this week, and
basically Dashlane users...
Dashlane is a password manager, for those
who don't know.
I believe it's one of the most popular
ones.
And it is not open source and it is
cloud-based, and
a lot of users were reporting that they
were getting emails about their accounts
being locked.
And Dashlane, to their defense, was very quick
to respond.
And they were kind of like, yeah,
there's like this, um, what did they say?
There was like,
basically when they initially responded,
it was kind of unclear.
It's like, Oh,
is this a glitch or is this some
kind of cyber attack?
But they were basically like,
we're on top of it.
Don't worry.
And, um,
They did finally release a statement that
basically, I believe,
still left a lot to be desired.
I didn't see the statement myself,
but I saw a lot of headlines that
said, like, eh, the statement isn't great.
But basically, Dashlane is now saying,
like, okay,
so what happened was there was a cyber
attack.
And for any audio listeners,
the headline of this article from Ars
Technica says Dashlane explains how
attackers managed to download encrypted
password vaults.
So veteran listeners are already thinking
of LastPass.
I believe that was in twenty twenty two.
So basically what happened is there were
attackers who mounted, they said,
a coordinated hacking campaign against a
large base of users.
So.
Trying to think of how to describe this
succinctly.
Um, so for those who don't know,
there's a thing called credential stuffing
and with credential stuffing,
basically because a lot of people reuse
the same garbage passwords everywhere.
If an attacker gets your username and
password or your email address and your
password,
they'll just try it on like every website
they can find, right?
They'll try it on Netflix.
They'll try it on Amazon.
They'll try it on Gmail,
assuming it's a Gmail email
address.
They'll just try it everywhere and see
where it works, because again,
most people reuse passwords.
So it will probably work in more places
than it won't.
Apparently, this is now...
I think somebody on Mastodon called it MFA
stuffing or 2FA stuffing.
And basically, so...
Let me see if I can read just
parts of this.
So when a user installs the Dashlane app
on a new device and attempts to enroll
it into their existing account,
Dashlane first verifies the account
holder's identity.
This verification is completed by sending
a one-time six-digit token to the user's
registered email address or for users who
have enabled two-factor by validating the
six-digit code authenticated by their app.
For the registration to succeed,
the user must enter this code into the
application.
At this point,
Dashlane will approve the enrollment and
send a copy of the encrypted vault to
the device.
So basically,
let's say you download Dashlane on a new
phone.
You go to sign in, and it says,
hey, we emailed you a code.
If you enter the code,
now it sends a local copy of the
vault, but it's still encrypted.
It then says...
Let's see.
Contents remain unreadable until the user
enters the master password,
which acts as a decryption key.
And then let's see.
So basically at that point,
what the attackers were doing is they were
brute forcing the
Again, how do I... Okay,
I'll just keep reading because they really
do describe it pretty well.
So brute forcing the one-time code for a
single account,
which means iterating through every
possible combination until the right one
is entered,
would be little more than a fool's
errand,
even with a three-hour window that the
code remains valid.
With one million possible valid codes,
the attackers would have to cycle through
a statistically significant percentage
within that period.
Rate limiting,
in which a set of requests are allowed
per account,
would also lock out the account.
So, I mean,
you guys have seen rate limiting.
You put in the password wrong too many
times,
it says try again in five minutes or
an hour or whatever.
So to improve their odds,
the attacker sent requests to register new
devices across a large number of accounts,
and then they simultaneously entered the
one-time codes into each of them.
In theory,
attacking two accounts this way increases
the odds for each try from one in
two, one in five hundred thousand.
Attacking a thousand accounts would make it
one in one thousand, and so on.
So basically,
they tried to log into a ton of
accounts all at once and started spamming
2FA codes, because if you do it
at scale, statistically,
you're certainly going to get something
right.
So they said that ultimately the 2FA
spraying attack managed to hit the right
combination on fewer than twenty user
accounts before it was shut down.
Now, there is...
A lot of differences here with the
LastPass thing.
For example,
this was not somebody's Plex server that
caused this.
They also said Dashlane was using Argon2,
which is very, very modern.
I think it's one of the most modern
and current standards for hashing
passwords.
They also said that...
Let's see here.
I don't think they mentioned iterations.
That was the thing with LastPass.
So with LastPass, basically,
there were sections of the password
manager vault that were not encrypted,
like the login link.
So that would mean that attackers know,
for example,
if you have an account with Amazon and
they can create an Amazon phishing link.
Dashlane said they don't have that.
They said everything is encrypted.
They're not open source,
but theoretically,
if they're telling the truth.
Another thing with LastPass is they were
not
The whole iteration thing goes a little
bit above my head, but basically,
long story short,
the more iterations a master password has
when it's being hashed,
the harder it is to crack.
LastPass was not increasing the
iterations,
at least not without user input.
Dashlane says they have been doing that.
So theoretically,
as long as a user was using a
good, strong master password,
they still don't really have much.
The attackers don't.
That's a big caveat though, because again,
I just mentioned a lot of people reuse
garbage passwords and master passwords are
unfortunately no exception to that.
So I guess the only thing here that
I think is interesting is this seems to
have been, from what I can tell,
kind of random.
Because if they're doing this at scale,
they don't really have any control over
which ones are going to succeed and which
ones aren't.
So they just grabbed like,
twenty random user vaults,
which is really confusing.
I don't know.
I guess I will be interested to see
how this plays out.
I will be interested to see is Dashlane
telling the truth?
Are we going to get another story in
a week that's like, oh,
it turns out fields aren't encrypted or
whatever.
Are we going to find out that this
was actually some coordinated thing
that...
they did know exactly what accounts
they were going for and somehow managed to
pull that off. I don't know how they
would have done that; that would be really
impressive. But again, it's just this
whole thing. I have a lot of questions
that I don't necessarily expect Dashlane
to have answers to, like, again, why those
accounts and stuff like that. But it's
a really interesting story. It does, if we
take it at face value, it does seem
like everything was handled a lot better
than the LastPass thing, which is good,
but...
Again, still lots of questions.
And I think the last thing I want
to emphasize is, when you use a password
manager, any password manager,
whether it's a cloud-based one like this,
like Bitwarden, like 1Password,
a local one, KeePassXC,
if you write your passwords down in a
notebook,
you are placing an immense amount of trust
in that password manager.
And so we always recommend...
I mean,
I feel safe saying that everybody in
Privacy Guides would agree with me on
this.
I would recommend if you don't use a
security key anywhere else,
like a YubiKey or something like that,
first of all,
you should be using it everywhere you can.
But if you don't use it anywhere else,
you should at least be using it on
your password manager because of how
sensitive it is,
because everything is centralized there.
And theoretically,
if you had used a security key,
I feel like this attack probably would
I mean,
I guess it might have still worked because
again,
they're trying to verify the device,
not necessarily the login, but I mean,
at very least you wouldn't have to worry
about them like trying to crack your
master password, right?
Because they still need the YubiKey to get
it and they're not going to have that.
So yeah,
always try to put the maximum amount of
security on your password manager,
even if it's not cloud-based,
like whatever it is,
because you're putting a lot of trust in
that thing regardless.
So I think I kind of went over
a lot there,
but did you have any thoughts on this
story or is there anything I missed,
Jordan?
Yeah, definitely an info dump.
I think it is important, though,
to all the stuff that you mentioned,
like putting the most security you can on
your password manager.
Nate actually wrote a video about
passwords and password management and all
this sort of stuff that's going to go
into things in a much more succinct and
explainable way.
Hopefully this weekend we'll have it out.
So definitely look out for that if you
want to kind of, I don't know,
I think it's also important to, you know,
if you share that with someone, uh,
I think it's a good,
it's a good resource that we're going to
have available soon.
And it does go into like a lot
of what Nate was saying, like, you know,
your, your password manager is,
I think the way Nate put it in
the video was, you know,
you're putting all the keys to your castle
in one spot.
So you need to make sure it's well
defended.
Um,
And it's the same with, you know,
any centralization of trust.
I think one interesting thing about this,
though, was they did mention it.
So this is Dan Goodin, who's like, yeah,
he's basically super, super,
super big on, like, security topics at Ars
Technica.
He put at the bottom,
he said like there was,
I don't know,
out of an abundance of caution,
both master passwords and the contents of
any recovered Dashlane vaults should be
changed immediately to reduce the chance.
So I think one thing that I think
Nate did talk about it a bit was
like the...
The issue with these password managers and
when these encrypted vaults get stolen is
it's basically stuck at that stage, right?
Because once they've stolen the encrypted
vault,
you can't change the password to something
more secure.
That vault is now...
stuck in time.
It's not able to get more secure.
It's not able to get less secure.
It's just stuck at that specific security
level.
So the risk with this is updating your
master password.
That's not going to do anything because
they already have the encrypted vault
itself.
So basically, I don't know,
if you're a Dashlane user and you think
you might have been affected,
I would just change every password.
which kind of sucks, right?
This is like the worst case scenario for
anybody having to change every single
password in your password manager.
That's depending on who you are.
I think Nate also wrote this in the
script for this new video.
It was about a hundred passwords.
The average American has average of a
hundred passwords.
So, you know, this is,
it's almost unreasonable.
That is an unreasonable amount of
passwords to change.
Like that would take
hours. So, you know, I think this is,
this is a pretty big flop from Dashlane.
I think, like, you know, this is
basically as bad as it can get. I
mean, it's not as bad as it can
get, because you can be LastPass and
you can just, like, leak everyone's stuff
and not encrypt anything. So, you know, it's
not the worst case scenario, but it's
kind of nightmare scenario level.
I mean, I would probably,
if you don't think you've been affected,
I would just update my master password
anyway out of caution.
But again,
we do have password manager
recommendations.
And, you know, at Privacy Guides,
we do more rigorous analysis.
We...
get input from the community on which
products are the best.
And we do all the hard work for
you to work out what the best services
are.
So Dashlane is not something we recommend.
We don't recommend Dashlane for a variety
of reasons.
But I think you'd be much better off
if you were using something like Bitwarden
or Proton Pass or Psono.
There's plenty of other password manager
recommendations that we have on our site.
And I think it's always going to happen,
though.
There's always going to be, like,
cyber attacks against these password
managers because they are,
like Nate said in the video,
that what's going to come out is it's
a castle.
It's where all the secrets are in there.
So it's a much more valuable target.
It's kind of frustrating when security
isn't enforced as well as it should be
in this case.
But, yeah,
I don't really have too much more to
add other than that.
Yeah,
I don't really have much else to add
myself.
It's just, I guess, again,
assuming we take Dashlane at face value,
it's good that this is not a repeat
of LastPass,
where they did everything they possibly
could wrong.
But it's also, there are certain things,
I feel like,
where it's just too important
to trust a non-open source thing.
And a password manager is one of them.
Because I keep saying,
assuming they're telling the truth,
we don't know.
Dashlane's proprietary.
If this happened to Proton Pass,
if this happened to Bitwarden,
if this happened to,
I don't know how it would happen to
KeePass, but theoretically,
if this happened to KeePass,
those are all open source.
So we can verify that, yes, everything is.
I actually remember when LastPass
happened,
Everybody went to these open source
password managers and started re-examining
and being like, oh crap,
are we in danger?
And I remember Bitwarden, I think,
was okay.
But a lot of people did notice.
It's like, hey,
you're kind of using this like,
it's not like outdated hashing,
but there's, you know,
this Argon2 is out now and it's a
lot better.
And like, why don't we up the iterations?
And I remember Bitwarden kind of replied
where they're like, yeah,
we don't really have to, but I mean...
Good point.
We'll go ahead and do that.
And you know, now it's,
it's more secure and we can verify that
because it's open source and not to
necessarily sing Bitwarden's praises.
I'm not trying to harp on them,
but you know,
it's just an example of like, hopefully,
uh, Dashlane users will be okay.
But yeah, if you are a Dashlane user,
definitely, um, that does suck.
Cause I am that I've,
I've said this before.
I am that psychopath that went down and
changed all my passwords in like one
weekend when I first got into privacy.
And it is,
It is intense.
And, uh, you know,
at the time I was single and I
was in my twenties and I had all
the energy for that stuff.
And, but it's, uh, you know,
especially if you've got a family and
stuff, it's like, man,
how are you supposed to find time to
do that?
So that's crazy.
But here we are.
I almost feel like there needs to be
a way.
I don't know.
I feel like this could have been.
possibly avoided if there was, I don't know,
maybe there's got to be a way for
an API access, or, I don't know, some,
some way to easily update a lot of
accounts' passwords quickly. I don't know
what that would look like, but it's kind
of, we get into this situation with
a password manager where things get
breached like this and it becomes like, I
know people that have got like five
hundred passwords. Like, how the heck are
you supposed to go through and update all
that? Like, that is impossible. It's just
kind of frustrating for those people.
Unfortunately,
you are not the first person to have
that idea.
And I don't think, yeah,
it would need to be some kind of
like standardized process,
which I don't think it is right now.
And I think that's the big challenge is...
Yeah,
but it would be cool because then that
would open the door for like a privacy
service that's like, oh,
you're getting into privacy?
Cool, for like ten bucks,
we'll download all your accounts out of
Chrome and go in and change all the
passwords and dump them into Bitwarden or
whatever.
That would open a lot of doors to
make it easier for people to get started
with this stuff.
But I just don't think,
as far as I know,
there's not like a standardized API that
people could hook into like you're talking
about.
It'd be cool if there was.
Yeah.
I mean,
one thing that you did talk about quite
a bit in the video we've been working
on is, you know,
like the adoption of passkeys.
And I think that could be at least
one step in the right direction, right?
At least one end,
one end of the passwords being messed up
is going to be okay.
Like the websites themselves can't,
they can't leak the passwords.
So then you don't have to worry about
your password ever getting breached.
But then there's the opposite end as well.
That's what I was about to say is
I feel like this unfortunately would be
one of the few times where a passkey
wouldn't save you.
Like someone correct me if I'm wrong,
but because in this case,
if you're saving your passkeys to a
password manager,
which is probably what most people are
gonna do,
which I would argue in most cases is
fine.
But now it's the password manager that got
leaked.
So if they get into it,
they would have your passkeys.
But generally speaking, yeah, I mean,
stuff like this is still very much the
outlier.
So, I mean,
ninety nine times out of one hundred,
I totally agree.
A passkey is, it's one of those
things where like, yes,
there's always going to be that one
scenario where it's like, OK, fine.
It doesn't make sense to do that.
But every other time it makes perfect
sense, you know, so.
Yeah.
I mean,
I feel like passkeys could definitely,
yeah,
you're a hundred percent right about it.
Like the private key is the thing that's
important and that's what your password
manager is protecting.
The public key is what the website has.
So it doesn't matter if they leak the
public key.
Public key can be public.
But yeah,
the private keys is that's where you start
having the issue.
I don't know if it's like, you know,
a way for
basically password managers to like kind
of hook into a website's like, like, uh,
FIDO flow or something to automatically
update it.
I don't know.
Someone really smart is probably going to
work it out.
Um, that's just not me.
Um,
I don't really know what the solution is,
but I don't know.
It was just a thought that I had.
It's kind of interesting.
Um,
Don't think it's super relevant to this
story, though, because like you said,
if your vault is breached,
it's not really going to protect you in
that case either.
So kind of a crappy situation.
Agreed.
I think that's all we've got on this
one.
Do you want to move into forum updates?
Yeah, let's dive into some forum updates.
Here in a minute we'll start taking viewer
questions, so if you've been holding on to
any questions about any of the stories
we've talked about so far, go
ahead and leave them on the forum thread
or in the comment section on the live
stream. And you can do so on the
StreamYard chat if you don't want to
sign up to YouTube or any other platform.
So if you do want to leave a
comment,
definitely feel free to do so.
But for now,
let's check in on our community forum.
And as always,
there is a lot of activity on the
forum.
So here's just like a few of this
week's most interesting discussions
happening there.
So I'm going to take this one.
You can take the other one.
How do I compellingly advocate for my
privacy with doctors and other health care
professionals?
I think this is a really interesting
thread.
So this one was started by a regular
on our forum,
not going to mention the name for their
privacy sake.
But basically, you know, I think it's,
we're living in an age where a lot
of doctors are using technology that is
pretty invasive, right?
Like I'm,
I guarantee you if you've been to the
doctor in the last two years,
they've asked you if you,
if they can use an AI transcription
software, if they can, you know,
share your data with one of these
companies.
And, um,
I guess kind of reading a little bit
into this, uh,
thread that was started here.
Um,
you know,
this person was saying that they kind of
felt like healthcare workers don't really
care.
They don't really read the privacy policy.
They don't really, you know,
think that there's any issues.
They don't, you know,
they don't really have the same level of
concern that most people should have about
their medical data, especially if it's,
you know, very sensitive information,
like, you know,
It could be reproductive status.
It could be all these,
especially in the US, like these,
these are pretty,
I would say sensitive things, right?
Because, you know, in some states it's,
it's illegal and stuff like that.
Like this is,
it depends obviously on your threat model
and your situation,
but they can be extremely concerning.
So they kind of went through
basically how they want to challenge
their,
their doctors and to basically get them to
take things a bit more seriously.
Um,
and they did bring up this one specific
example, um, you know, about,
it was Carissa Véliz, who we interviewed,
um, a couple of weeks ago.
She,
she basically had an example and she used
the example of like the Holocaust, like,
you know,
would you, you know,
disclosing that you're Jewish in the
Holocaust is kind of a bit of a
death sentence and maybe it's not as the
parallel is not as like, Oh,
did you want to add something here?
Yeah, real quick.
Um,
so what she was talking about was in,
um,
Oh my God,
I can't remember which countries it were.
Basically, when the Nazis invaded,
I wanna say it was France,
the number of Jews that they killed in
France was significantly lower because in
France,
they didn't even keep ethnicity records on
who was Jewish and who wasn't.
And therefore,
that made it significantly harder for them
to find Jews to send them to the
camps.
That was the example she was using.
And that's the example this person is
talking about is like,
if, um, if my doctor is not sharing
data with these companies, like, uh, I'll,
I'll let you talk in just a second,
sorry, I'm trying not to, like, do all
the talking, um, but like they said, their
doctor is using Gmail, and it's like, okay,
but if Gmail is reading these emails, or
even has access to these emails, that's
kind of the same thing, where it's like,
if something goes wrong now, the, the data
is there in the first place. That's kind
of the example, the, the connection they're
trying to make there.
Right.
Okay.
So that's, yeah,
that's definitely good context.
Um,
I'm not really super familiar with her
work personally, so that is good to know.
Um, yeah, I think it's, I think,
I don't know.
I think you should be,
try and be cautious around, I think,
standing up to these people because
unfortunately they kind of do have quite a
lot of control over, um,
But when you talk to a doctor,
like they do have quite a lot of
control over the care that you receive and
that care could be kind of important.
So, you know,
if you're going to challenge someone on
this sort of stuff,
I would definitely think about the
consequences of doing so, because,
you know, the,
the repercussions for challenging someone
like this could cause things to become a
bit more difficult because, you know,
you have such strict, um,
beliefs and stuff and such.
Like, I think it shouldn't be like that.
Like they shouldn't be able to do that,
but it's kind of the facts of the
situation.
Unfortunately, like you'll,
you'll receive different care.
If you make a fuss about something like
that,
you may not get treated the same way.
Um,
you might be seen as someone who's trying
to, you know,
hide information or like be a criminal.
And there's all these stereotypes for
people that are, um,
caring about their privacy.
And it's not really,
it shouldn't be like that,
but it's kind of the way things are
at the moment.
And it's kind of seen as almost like
a fringe thing.
So I would also take that into account
as well.
If you do end up bringing this up
to them, um,
Yeah, anyway, I, I think people are saying,
like, you should walk away from these
doctors, agencies and stuff. I, I kind of
disagree with this, because, um, I think, you
know, it depends on what conditions you have,
and for some people there's not really an
option, right? If you have, like, a very
specific condition, you need to see a
specialist, you need to see
a doctor that is specifically trained in a
certain area. That doesn't particularly
have another option, especially if you live
in a small area. Um, you don't exactly
get a choice to just, like, oh, you,
you're using Google Workspace for all your
medical emails, I'm gonna go to a different
clinic. Um, and it's not even verified that,
you know, the, the next clinic you go
to, they might be even worse. So,
um, it's a kind of frustrating situation, but
I don't think that is always the best
solution, just, like, walking away from, um,
someone. Um, I've never seen a doctor's
office using Gmail. I've never seen a
doctor's office even use email. So this is
kind of bizarre to me. Like, is this
a common thing in the US, or... Yeah,
they, um, they do use internal email a
lot, and I've, I've seen doctor's offices
that I'm pretty sure are using Teams.
So I definitely have thoughts on this one,
but I'll wait for you to finish your
thoughts.
I don't want to cut you off.
Okay.
Yeah.
I mean, yeah.
So there's some more comments here.
People were discussing like, you know,
the original author of the post was saying
like,
you know,
you wouldn't even try to convince them
that what they're doing is wrong.
Like you wouldn't even try and bring up
that this is a privacy issue.
I mean, I could,
I think it's certainly possible to try.
I think you could try,
but I don't think you're going to be
able to convince, you know, an entire,
you know,
medical facility to change their main
tools so quickly.
I don't know.
There were definitely some people
making jokes in this thread, I guess, a
little bit, about this, like saying, like,
you know, it's better to keep quiet in
such situations, you might be misunderstood
and referred to a psychiatrist. I don't, I
think, you know, if you, you've got to
be tactful about this, right? You can't just
be saying, like, how could you be using
Gmail, it's spyware, like, it's evil. Like, you
know, coming across as, like, someone who's
not really, uh, you have to have tact,
right? And I think it comes down to
any,
any social cause, right?
If you just start calling someone like a,
you know, a privacy normie or something,
like they're not going to really take what
you're saying that seriously,
and they're probably not going to agree
with you.
So I think it definitely helps to have
some grounding in reality, you know?
And, but yeah,
I don't really have too much more to
add.
There's quite,
this goes on for quite a long time.
I didn't have time to read this entire
thread.
So
Yeah, I was kind of skimming in myself.
There is a lot here.
Also, Mike Lastname said,
you are a doctor and a privacy advocate.
Feel free to weigh in while I'm giving
my thoughts,
and we'll definitely – maybe it would be
great to get an expert opinion.
So my thing is it's –
The challenge is institutional.
This kind of came up a little bit
in this article.
So first of all,
I want to say that in my personal
opinion,
and I don't think this is a hot
take,
your health should always come first,
whether that's physical health,
mental health, whatever.
If your choices are between not seeing a
doctor and seeing a doctor that uses Gmail
or even, God forbid, Teams,
please go see the doctor.
Your health always comes first.
That said, in my experience,
a lot of this is institutional.
Like I have pushed – I'm –
generally relatively healthy. Um, my wife in
particular has, um, you know, seen a lot
more doctors, relatively, than I have, and I
mentioned her because, like, I've tried to
get her to push her doctors towards things
like using Signal instead of whatever
weird platform they're on or something, and
a lot of the time the doctors don't
really have control over that.
a lot of the time they'll, you know,
they're like, oh,
I do use Signal in my personal life.
I'm totally cool with it,
but I am required to use this platform
because either it's not their practice and
they have to do whatever their boss tells
them to do,
just like you do at your job,
or
there's like healthcare is so heavily
regulated that even though HIPAA isn't
really about privacy,
there are very strict rules about who has
to be able to access that data.
And it does have to be transparent to
a point,
to the point where a lot of them
can't use something like Signal because
like, again,
like their boss has to be able to
access it in the case of an audit
or something along those lines.
So that's a,
It's,
it's hard because in a lot of cases
they might be totally willing to,
it's just not something they actually can
do.
It's, it's beyond their control.
They don't have the authority to make that
call.
Another thing,
I think you may have mentioned this.
Cause again,
I was kind of skimming while I was
listening to you,
but there's a logistical thing.
If we are talking about an office and
not a single practice,
like a single person, it's, you know, I,
and my last job, we were using LastPass,
probably still using LastPass.
And I,
would very openly kind of like, haha, JK,
but not really.
But I would very regularly like criticize
the IT guys.
I'm like, man,
I can't believe we're still using
LastPass.
And they would point out, it's like, no,
I totally agree with you.
There's a thousand people in the company
across the country.
Switching off LastPass is not easy,
especially when you're talking about
people that are not necessarily tech
savvy, that don't... Yeah, for you or me,
switching to another password manager is
cake.
But for a thousand people who, again,
some of them call in every single day
asking, how do I get into my email?
It's a huge lift to migrate your entire
infrastructure over to another provider.
And then there's cost,
which I know a lot of healthcare is...
Let me politely say that cost should not
be an issue for some of them.
But here in the US, at least,
a lot of them are for-profit entities,
which means they're going to want to go
with things that are inexpensive,
which is going to automatically rule out
Proton, for example.
So, I mean,
there's just so many factors that go into
it.
But I think, yeah,
I also want to agree with what you
said about it's very...
How you ask is usually very helpful,
like especially in some places,
they're just used to people being entitled
and frustrated and snappy.
And so asking politely, like, you know,
hey, I don't really like Zoom.
Can we use something else for this
appointment is going to make them a lot
more likely to work with you if they
can.
I think I saw something in here where
people were arguing about
Because there was a section here where the
original poster said something about like,
okay, here it is.
So they said health workers don't have to
care.
And they pointed out that like doctors are
overflowing with patients.
So it's like, it's almost,
and I think you mentioned this too.
It's almost like if you're being
difficult,
they just don't even have to work with
you.
There's like a line of,
there's a literal waiting list in most
places, right?
But at the same time,
we could weaponize that as well.
And I understand not everybody has the
time to be politically involved,
but to call your representatives or email
them once in a while, once a month,
and say, hey,
I really think we need better privacy
laws.
In this thread,
they pointed out that when they're talking
about trying to convince the doctor's
office to move,
they mentioned that Gmail has had
so many fines for not handling patient
data properly or user data properly and
stuff like that, which for the record,
I don't think that's going to work on
them because, you know, they're like, Oh,
but we use the HIPAA version that blah,
blah, blah, blah.
And again, HIPAA,
there's not privacy anywhere in that
title.
But anyways, it's, you know,
if you call your representatives and
you're like, Hey,
a lot of these doctor's offices are using
Microsoft and Gmail,
who Microsoft especially has been hacked
more times than I have fingers and toes
and trying to institute it at a,
a
I want to say structural level,
systemic level,
at a systemic level where they don't have
to care because there are options or it's
like mandated that they have to use
something that's encrypted.
And now there will be a whole bunch
of companies that spring up to serve that
purpose.
I don't know.
I mean,
that's kind of a long-term solution,
but...
I don't know.
I guess what I'm getting at is like
for individuals,
I don't think there is that much you
can do, unfortunately.
If you are in a position where you
can shop around and you can find a
doctor who's like, yes, I use Signal.
I encrypt everything.
Awesome.
That's great.
And if you have that privilege,
you totally should use it.
But for the average person,
I think the best you can do is
just kind of like ask the doctor like
–
can you not write this down?
Um, can you, you know,
especially if it's something less
important,
like they do have to make notes about
your medical care, but if it's like,
you know,
please don't write down anything
essential.
Like I,
I had one therapist who said that, um,
she did not write down actual
conversations.
She just wrote down like broad notes about
what we talked about.
Um, but like never quoted me or anything.
So yeah, uh,
I've always advocated for like using alias
email, alias phone numbers.
Uh, that's more of a data breach thing,
but
Yeah.
So, I mean, it's it's tricky, man.
I mean, real quick,
let me go back and check and see
what Mike said here.
I could explain a bit.
There's a really big time constraint to
see more patients and to keep up.
Yeah.
So that's a true thing, too.
Doctors are really like, again,
they have literal waiting lists.
Like there's so many patients that need to
be seen.
And contrary to some stereotypes.
I think most doctors are actually trying
to help their patients.
Like they're not all just like selfish and
in it for the money.
And so when they've got to see a
million patients,
but they've also got to make notes in
between the care and they've got to,
you know, send prescriptions,
they've got to respond to messages and
this, that, and the other.
Um,
a lot of the time is used for
filing documents and insurance,
legal documents,
using AI for the slow typers helps.
Um, that's another thing.
If they are using AI,
they have to fact check it and make
But yeah, like you said, most importantly,
they just don't understand that they are
just employees.
Yeah.
So there have to be records.
They use the most well-known ones like
Teams and Gmail.
Quick note, saw this all,
has been a member for five months and
said, keep up the good work.
So thank you so much.
But yeah, it's just...
I think the best you can do is
to ask nicely.
Like that's, that's really my,
I don't know if this is a common
phrase.
I feel like I don't hear it a
lot,
but my mother used to have this phrase
that you catch more flies with honey than
vinegar.
And basically what she always meant was
just like, you know,
it like you get better results when you're
nice to people.
So yeah.
I definitely would not go in there talking
about like, oh, you know,
Gmail's reading our emails.
Because again,
they don't understand that companies will
do this stuff anyways.
And they'll just say like, oh,
but they're not supposed to do that
because we have this special, again,
like a lot of these companies do have
a HIPAA compliant version that is
specifically for medical companies.
And so they'll be like, no, no, no,
we're using this different version.
And they don't understand that like,
that doesn't really matter because again,
HIPAA has nothing to do with privacy.
But you know,
if you go in there with like,
I'm just,
I'm really concerned about this stuff and
it makes me uncomfortable.
And like,
I would prefer to use something else.
And I think again,
if you're kind about it,
I think people will be much more likely
to work with you as best they can.
But yeah,
unfortunately the privacy situation in
healthcare kind of sucks.
I think one other interesting thing that I
think kind of happens with these doctors
is like,
like Mike Lastname said in the chat,
like basically doctors don't really have
time to read the privacy policies of every
tool they're using.
And a lot of times these,
these vendors of these, of these software,
like they'll, they'll say, Oh, it's,
it's got all this privacy stuff and it's
like, it's,
it's secure and it's not going to send
it to anywhere.
And I've been to multiple doctor's office
and they're using AI transcription
software and that software is,
it's, it's, it says that it's private, but
it's sending all that to OpenAI, but
it's just zero retention. Like, that's not
very, that's not very good. Like, that's,
that's exactly what we don't want. And it's,
a lot of times it's these vendors that
are trying to sell to these, to these
medical practices that kind of, get, get it,
pull the wool over the eyes of these
doctors and basically, you know, tell them
you're going to save so much time if
you use this tool, and, like, you know,
it's completely private and it's,
it's no problem.
And, you know,
I think you have to be a bit
genuine.
Like you have to, you have to say,
if you say no to them using these,
this piece of these pieces of software,
like if it's AI transcription or if it's
some other like medical system they use
for booking appointments or something like
that, um,
I've just never seen email.
I've never seen anyone emailing patient
records around.
So that's very bizarre to me.
But I guess if they're using an email
system,
convincing them to switch might be
possible.
But I feel like that's a bit more
of a,
that's definitely a bit more of a harder
thing to get them to do, I think.
Yeah, I don't, to clarify,
I don't know if they use it to
email patient records, but I mean,
that was another thing that I was thinking
about while you were talking on that note
is it's, you know,
coupling what Mike said about like,
they have so many patients to see.
Okay.
And so when you have to see,
when you have eight hours in a day
and you need to see
And they all have questions and concerns.
And I'm hitting that age where every time
my leg starts hurting a little bit,
I'm like, maybe I have a blood clot.
Maybe I should go to the doctor.
When you have patients like that all day,
and again,
you need to take notes in between and
the billing and the filing.
And so now you're saying like, Oh,
but I want them to like store everything
offline in LibreOffice.
Okay.
And what happens when you move and they
need to transfer your medical record to
someone else,
or they need to get your medical,
we already have a huge problem in this
country, in this country,
in the U.S., I think it's probably
better in other places, I hope.
But like,
we already have a huge problem where
nobody uses a standardized medical system.
So like every time my wife and I
move and you know, it's like, Oh,
now we're closer to a different doctor.
So let's start going here instead.
It's this huge pain in the ass to
get the medical records transferred from
one place to another.
And, you know,
it's just like everything is fragmented.
And, you know,
it's more work is what I'm getting at.
Like if you're the one who's like,
I'm the only person who's saying, hey,
don't use this system.
You're one person out of, again,
five hundred on a waiting list and they
don't care.
And it's going to make it quicker for
me to give you care.
Like, that's what the doctors are,
are interested in. So it's just, there's,
there's so many things working against us,
which is why, again, I'm kind of, I
know it's hard work and I know I
can't ask that of everybody, but I'm kind
of at the point where it's like, this
needs to be one of those things that,
like, trickles down from the top, where, like,
we have these good privacy laws that say,
you know, medical emails have to be
end-to-end encrypted or encrypted at rest.
These systems have to enforce two-factor
authentication.
These kind of technical requirements that
will give us privacy,
that it is illegal to share data with
third parties for anything other than
research purposes or something like that.
We need something at a systemic level so
that doctors and nurses don't need to care
about this stuff anymore because it's
built into the systems they use,
which is really what we need at all
levels, not just healthcare,
but I digress.
I'm kind of rambling now.
So yeah.
Yeah.
I mean,
I think a lot of vendors that are
trying to sell this software to doctors,
they do think that they are providing that
right now.
They think that zero retention sending
your transcription to OpenAI is fine.
But yeah,
I think it's kind of frustrating because
usually if it's an AI transcription
locally,
that's going to be a lot more expensive,
isn't it?
Because you've got to have a whole,
you know,
a whole beefy computer to run that.
So, you know,
it's definitely a harder sell.
So I kind of understand why a lot
of times these systems that are like
relying on external third parties and
stuff is kind of becoming more
popular.
It said,
so Mike Lastname has kind of put a
couple more comments.
Not only the privacy policies,
but also in general,
they don't understand how computers work
as thinking maybe we as the clinic or
mail service could get hacked.
Yeah, I don't think they think about,
they don't think about like the
cybersecurity risks and such.
It kind of sucks though, because with,
with the medical field,
you kind of do have to store records
on people.
I need to have records of my treatment
so my doctor can understand how to treat
me the best.
In other areas,
it's like minimal data retention is the
best.
But in this specific case,
maximum data retention is the most
important because if someone doesn't
understand your...
your needs or your issues, then they're not
going to be able to give you the
correct care. Um, and I think the other
thing that Nate said about, like, the data
transfer stuff, I think that's another
thing that we could definitely improve. Um,
it's never been an issue for me, but
I guess it could be, I guess, because
you kind of have that, I'm not sure.
It's, I always thought it was
done through, like, a government-run system
here, but maybe, I guess, through,
through your system, it's kind of like,
it's just different private companies kind
of managing the records.
Um, so it, it,
I mean, a little bit off topic.
It's not usually a huge issue for us.
Usually my wife just calls the old clinic
and goes, hey,
I've moved to this other doctor because we
moved.
And, you know,
I've, she fills out a form and we
scan it and there's your email.
Actually, we email it to them or whatever.
And they, you know,
send over the medical records.
But it's definitely, I have a friend who
has, he's a,
a full stack developer.
He's very experienced.
He's a veteran and he's worked for a
lot of startups.
And one of his most recent was a
healthcare startup.
And that's what they were trying to do
basically was trying to create a way to
make it easier for healthcare companies to
standardize record formats.
So they were more easily transferable
because again, we, like you were saying,
we,
we have a bunch of fragmented private
companies here and,
And so like on a technical level,
like the database itself,
the format for this company may not match
the format for this company.
So even if they do,
it's almost like I don't know if you've
had this experience,
but I know it's pretty common here in
America where like you'll go to apply for
a job and sometimes it'll be like, oh,
click here to upload your resume and you
upload your resume and it's still wrong.
And you have to go through and like
manually reformat everything correctly,
which is super annoying.
It's kind of like that.
It's like they might transfer the medical
records,
but they may still need to be cleaned
up on the other side because there's no
standard protocol for how they transfer.
It's weird.
I mean, I'm in the VA,
so I've never had that problem,
which actually I wanted to say that real
quick.
I thought that was funny.
You were talking about like healthcare is
kind of like the one time it makes
sense to have maximum data retention.
And this happened to me.
I mean, full disclosure to everybody,
I'm back on antidepressants now.
And when I went to the VA and
I was like, hey,
I want to get back on antidepressants.
And he like pulled up my record and
he's like, oh,
so you used to take this one.
He's like, how much were you taking?
And I'm like,
What do you mean how much was I
taking?
Shouldn't that be in the record?
Like,
I don't know how much I was taking.
That was four years ago.
And for some reason,
the dosage that I was on was not
in the medical record.
It was super weird.
But yeah,
it's like the one time that it's like,
that was four years ago.
Why should I know what my dosage was?
I thought you guys handled that.
So yeah,
that's our lovely fragmented system around
here.
Yeah, it is kind of, I don't know.
I've definitely run into issues similar to
that, like people not having the correct
information or, like, assuming things. Um,
it's not great, but I think, yeah, I
do think it is kind of important to
have that data in, in the medical field.
Um, especially, I don't know, like,
I think having good notes on people's
conditions is kind of important.
Unfortunately,
like we would rather that that information
isn't stored right because it can probably
get breached at some point.
But also like if you're seeing a lot
of doctors and they kind of need to
be able to coordinate together,
it's kind of problematic if you don't have
those notes.
It looks like someone said here National
Nurses United has been part of protesting
Palantir campaigns.
Yeah, I know Palantir...
Doesn't Palantir have stuff to do with the
medical sector as well now?
They're kind of moving into that as well?
I don't know if I've heard about that,
but it wouldn't surprise me because I'm
really...
For those who don't know,
the interesting thing about Palantir is
they technically don't do any surveillance
or data collection themselves.
What they do is they're kind of like
my friend I just talked about.
They're trying to figure out how to
aggregate all the data and make it all
talk to each other and then turn it
over to law enforcement.
So, I mean, yeah,
healthcare seems like it would be an
inevitable part of that mission.
So if they're not moving in yet,
I'm sure it's on the roadmap.
Yeah.
And then Mike Lastname also said,
there's also what we call defensive
medicine where doctors want to make
records of everything in the case they get
a lawsuit.
Yeah.
Yeah.
That's fair too.
I mean,
everyone's got to protect themselves.
I think, yeah, especially doctors,
I think,
especially someone who's your primary care
provider,
they have kind of
quite a lot of say over what care
you receive.
So it kind of makes sense.
Yeah,
we've talked about this one for a while.
Do you have anything actually you want to
add before we hop into this next forum
post?
Um, yeah, just real quick.
I was going to say, uh, in,
in response to what Mike said about the
doctors keeping a record of lawsuits,
I found out here in the U.S.,
at least in like emergency rooms,
if I understand it correctly,
it's almost like the doctors are like
contractors renting out the rooms.
Um,
because the hospitals and the doctors will
bill you separately,
like to go see the doctor costs like
two hundred and fifty bucks,
but then you're paying like a thousand
dollars for the aspirin and the room
cleaning and all this kind of stuff.
And they're like separate fees.
But yeah,
so doctors make a lot of money,
but it's also because from what I
understand, they're like,
kind of a lot more on the hook
for it. Like, when you sue a doctor,
you're not suing the hospital, you're suing
the actual doctor. So, yeah, that's, um, not
saying that's a good system, but yeah, I
totally get it, for sure. Like you said,
you got to protect yourself. That is the
U.S. health care system for you. Oh, best
country on the planet, they tell me. I'm
not gonna get into that. There's worse
places, I'll say that. I, uh, I would
rather be here than a lot of places
in the world. So, um,
Moving on,
the last forum post we were going to
look at,
is RCS with Google messages worth having
Google on my phone?
So this person has a Graphene phone,
and they're basically saying, like,
I was kind of thinking about it,
and I can totally take all the Google
Play stuff off of my phone,
except that I use Google and RCS.
And so basically, they're saying, like,
is it worth it to have this, like,
totally de-Googled phone?
But to go ahead and put some Google
on it for the sake of getting access
to RCS messages.
And they do specifically mention that they
say their closest contacts use Signal.
But non-close contacts and random people,
they always default to...
They say they do live in the USA,
so it's always just regular text message.
I can confirm this one.
You said you have to pull teeth to
get them to use anything else.
So...
They're just kind of looking for a second
opinion.
Well, they do say,
how do we know Google isn't lying about
the encryption or isn't client-side
scanning messages?
I will tell you right now, actually,
I'm assuming this is still true.
I covered a story on Surveillance Report a
long time ago where Google does actually
make hashes of the message.
And then compare the hashes.
So they do actually know who you're
talking to.
They can't see the content of the message.
But yeah,
that's why I always tell people when I
explain that RCS has an encryption,
I'm like, yeah,
it's better than not having it.
But also at the same time,
it's definitely not as good as something
like Signal.
I'm gonna have to go find that story.
But yeah.
Yeah.
I mean, this is a,
I think this is kind of a classic
question for everybody, right?
Cause you're always going to have the
people that won't use Signal or can't use
Signal or just like the one-off contacts
that like, you know, again,
at my last job, I,
I interfaced with a lot of other trades
and other jobs.
And so I would have to give them
a phone number to like call me or
text me if they had any questions or
anything.
So, um,
I think my thoughts are,
it kind of depends.
If that happens to you a lot,
I'm at the point where,
even before I took this job, like,
ninety percent of my communications were
on Signal,
and the ten percent that weren't were
mostly job-related stuff,
like professional stuff.
So it was like, okay,
I don't really care if that's encrypted
personally,
and I would rather not have Google
Messages and deal with that.
I think if you're kind of in the
opposite boat where it's like, okay,
but only my closest friends and family are
on Signal and the vast majority of
messages I get are not,
including some friends and family who just
refuse to download Signal,
I think that might change the math a
little bit.
Another thing worth considering is I
believe Jonah has said in the past that
RCS only works on certain carriers.
And so you might have to check and
make sure that your carrier is one of
them.
So, I mean,
it kind of sucks because you're already
like,
it's already kind of getting narrowed
down.
It's not just as simple as like, okay,
I have Google messages and now I've got
RCS encryption.
It's like, well,
you've only got RCS encryption with other
Google message users or Apple users or
people that use this certain carrier.
So I don't know.
I don't think I can really give like
a yes or no answer.
I think it really just depends on you.
I will say on Graphene,
the nice thing about Graphene is that you
do have a little bit of privacy because
of the sandbox thing.
I know that's more security than privacy
per se, but...
Um,
I would probably be a little bit more
willing to do it on a Graphene phone
than a regular phone, I guess.
Although I guess with a regular phone and
all the Google stuff would be built in
there.
So I guess, nevermind,
that doesn't really make sense,
but I don't know.
I think it's really a personal thing,
but I guess I just thought this
interesting because again,
this is a situation that I think a
lot of people have been in where it's
like, you only,
you can only get so many people using
encrypted messaging.
So what's the right move?
And, you know, as usual,
I don't think there is one right answer,
but I think those are kind of the
factors that I would think about.
Yeah.
Do you have any thoughts on that one?
I know you're, I don't think you're, like,
a daily Android user, are you? I know
you have an Android, but
Um, yeah.
Am I throwing you in the house?
I'm sorry.
I mean, yeah, I mean, yeah, I do.
I use both like iOS and Android for
different things.
I think it's always like,
there's weird people who are just like,
I'll only ever use an Android.
I'm never going to use an Apple.
Apple is so bad.
And it's like, well, you can use both.
Like both have got good things about them,
right?
Like there's, there's positives to both.
I think there's certainly more positives
on the Android side,
but
a huge amount more positives, but there's
also some positives on the Apple side as
well. So, you know, don't feel like
you only have to use one type of
device. I think that's also another thing.
But yeah, I think I agree with you,
though. Like, I think, you know, if you're
using this on GrapheneOS, though, I feel
like you're giving Google significantly
less information
than you would on, like, a Google
Android device, right? Like, it's not as
deeply integrated into the operating
system. It's just a standard app that you
install. Um, I think that would definitely
be a good idea. And I think, considering
the state of, like, cellular
communication... Like, remember, I don't know
if you remember, but maybe a year ago there was like a
story about, um, Chinese
state-sponsored hackers, like, inside the
U.S., like,
telecommunications infrastructure.
Like I don't think you want to put
like all your text messages to those
people.
Like that's basically public, right?
Yeah, I remember that, Volt Typhoon,
and I think it had been going on
for at least a year when they found
it.
I actually remember I was with
Surveillance Report when that happened,
and I remember the way Henry described
that story.
He's like, yeah,
the government is basically like,
we don't know if they're gone yet.
We don't know when we'll kick them out.
It's just kind of like the whole thing
was such a mess.
Yeah, that was a crazy story.
And that, oh,
I know this isn't the point,
but that is my favorite story when we
talk about how backdoors don't work.
It's like that was literally a backdoor
that was only for the good guys,
and look what happened.
So yeah, I'm, I'm with you.
When, when I saw that story,
I was just like, Oh,
I'm really glad I've got again,
like on almost all my friends and family
using Signal, thankfully.
And like I said,
the handful of things that aren't on
Signal, I mean,
I guess it was technically like company IP
or whatever, but you know,
that's on the company.
So it was, uh, I don't know.
I mean, again,
this was before I worked at Privacy
Guides, but yeah, you know,
it was just texting other people like,
Hey, there's supposed to be this here.
Where's this thing?
When's this delivery coming?
So yeah.
It's the kind of stuff that as far
as I'm concerned, I'm not super,
I don't know.
It's whatever.
Yeah,
I think the most important part is like
you're saying, you should be careful.
Like you should be thinking,
I'm about to send this message.
Am I okay with this information becoming
public?
And if the answer is no,
then you should be using something else,
right?
Like that is the case because I think
any message you send on like a public
service like telephone network,
any sort of telecommunications thing,
I think you should treat it as public
because it's not really –
secure it in a way.
You don't know how long that data is
being retained either.
So, yeah,
that's how I would think of it at
least.
Personally,
I'm a big fan of applying that to
everything because you never know if
somebody's going to screenshot a post.
I mean, you can screenshot Signal still.
It's super easy.
Or even if you can't screenshot something,
they might take a picture of it with
another phone.
So, yeah,
that's always what I encourage people is
like anything you put in a digital format,
just assume it might be publicly leaked.
So...
I mean, yeah, I think we can.
I think, you know,
I think it's definitely we should be
trying to preach privacy to everybody.
We should be like, you know,
don't do that.
That is the wrong thing to do.
That's just ethically wrong to do that.
But yeah, of course, people aren't on.
No one's perfect and people are going to
do that.
So it's true.
But I think.
With the cell phone network,
I think it is one of those things
where it's systemically just going to be
public at some point.
That's fair.
At least with Signal,
if I send you a message,
I know you're not going to share that
with someone else, right?
Because we have a shared understanding.
But if it's like the telecommunications
company,
they don't have any agreement with me.
They just are going to...
you know,
let hackers roam around in their network
and not actually do anything and then say
that they're gone, but they're not really.
So anyway,
what I'm trying to say and going around
in a kind of massive circle here,
what I'm trying to say is basically that
is what you need to think about when
you think about whether you need to do
this or not.
I still think
that most people are using Google Play
services on, like, a GrapheneOS device.
Most people,
like most people are using these apps from
these stores, right?
You don't need to create an account that's
linked to your identity.
You could use just some burner Google
account, right?
You don't have to provide that much
information.
So I think using RCS on GrapheneOS to
secure, even if it's one,
even if it's only one person,
I think that's still a benefit in a
lot of cases.
And I think it's not,
you're restricting the access quite
significantly compared to what is
available on the cell network,
which is basically nothing.
So something is better than nothing and
Of course, it's up to you to decide.
If you don't have Google Play services on
the device already,
then maybe that is a bit more of
a concern.
Maybe that's like, oh,
I don't know if I want to do
that.
You could also set up a separate profile.
You could set up a separate user profile.
And in that user profile,
you set up a burner Google account and
then you add Google messages.
Maybe that could be an option.
But I'm just, you know,
kind of spitballing.
I think it's
You need to decide this yourself,
but I think if you just avoid SMS,
just, just avoid it in general,
if you can.
I think a lot,
and now with Apple releasing like
encrypted RCS,
I think it's becoming more and more
popular and more and more accessible.
So, you know,
I think you should try and try and
try and see if some of your friends
are using it and if you can secure
those chats.
And I think that's definitely a big win.
Agreed.
Yeah.
All right,
I think that was it for forum updates.
And so I think we'll move into listener
questions.
So if you have been holding on to
any questions,
definitely go ahead and leave them in the
chat.
Normally we would start with the forum,
but it looks like there haven't been any
questions left on the forum.
So we'll just go straight into the chat,
which I did.
I think somebody left something earlier.
Oh yeah.
Purring pudding quite a while back,
we were,
we were talking about how cool it would
be if there was some kind of API
you could hook into that could just like
change passwords automatically.
They said, apparently there is a,
the SCIM API to provision logins,
but most sites don't implement this.
So yeah, that, that doesn't surprise me.
Cause I know I'm a,
Like I've said multiple times,
even today alone,
we could do things in a certain way.
We could do things in a way that
are privacy respecting and we just don't.
So it doesn't surprise me that people have
opted not to do things that way.
I mean, talking about standards,
it's kind of a funny situation.
I was talking to everyone on the team
about this.
It's really kind of funny.
We have all these standards that are
really good that everyone should be using,
but it's just all the organizations can't
agree on
using them and they don't all use them
properly.
So it's, it's, we do have the answer.
Like we do like with passwords,
like we have the answer, like don't,
Yeah, exactly.
It's this XKCD thing, like the situation.
There are fourteen competing standards.
Fourteen.
Ridiculous.
We need to develop one universal standard.
And then now there's fifteen.
So it's like we have all these standards,
but like no one can decide which one
is the best,
which one we should implement.
Like, oh, we're going to put passkeys,
but we're going to retain passwords.
We're going to use passkeys and passwords
at the same time.
Or we're going to use passkeys and
only passkeys.
And it's like it's ridiculous.
It's it's.
Yeah, I feel like this is such the
case for, like, so many things. Like, Linux
specifically comes to mind. Like, oh, we're
gonna use Wayland. Oh no,
we're not gonna use Wayland because
that's gonna be too bad, blah blah blah.
It's like, you know, it's a never-ending
thing. The minute you said standards, that
was where my brain went. Ah, I never
get tired of that comic. Yeah, I agree.
Um,
Mike here pointed out on the topic of,
uh, Google, uh, Google services,
most apps don't need play services,
even if they say so when opening the
app, I was surprised by it.
Yeah.
Especially a lot of privacy apps.
Like I think Signal, for example,
if you download Signal, um,
I think by default,
I could be wrong about this.
Don't quote me.
I think by default,
it will use Google services,
but in the past I've downloaded it on,
um, de-Googled, fully de-Googled phones,
like lineage phones, um,
just for whatever reason.
Um,
And I still get notifications.
So it falls back to its own services
if it doesn't detect Google.
And it's also like,
what do you need them for?
I'm thinking about MySudo, for example.
So I pretty much use MySudo for anybody
who's not on Signal.
And like, ninety percent of the time,
I don't really need to get the call
in real time.
Like, again, I mentioned I'm with the VA.
they do call me sometimes,
but ninety percent of the time it's a
text that's like, hey,
don't forget you have an appointment on
Monday.
Click Y to, or like text Y to
confirm or text N to reschedule or
whatever.
And so like I don't really need that
notification in real time.
It's OK if I get that later in
the evening.
So, yeah, I mean,
there may be certain situations where you
don't necessarily need the play services,
but I would look into if RCS because
that is a good point.
I don't know if RCS would be required
for that.
So
Definitely interesting.
Good thought.
Yeah.
So it's been kind of a slow week,
or like this week,
with people leaving comments.
But if anybody has any last minute
questions, be sure to let us know.
Yeah,
we definitely tried something a bit
different with the highlight story this
week.
We kind of wanted to see if people
would be interested in something that's a
little bit different.
We kind of try that some weeks,
like some weeks we know that the highlight
story is going to like be a banger
and everyone's going to click on it.
But, you know, we do try things.
We want to try and, you know,
experiment a little bit.
We don't want to keep doing the same
thing over and over again.
It's not fun for us.
It's not fun for you.
So we're trying our best with different
things.
And we want to make sure we don't
stagnate, right?
We're always trying to reach new people
with privacy messages and that requires us
to try new things.
Oh man,
the million dollar question from Yumi.
Why can't we agree on which standards to
use?
I mean, it's...
in my opinion,
it's because there are usually pros and
cons like, okay.
Every once in a while,
you definitely get somebody who's just
like stuck in their ways and they just
don't want to grow and adopt.
But I think a lot of the time
there are like situations where, um,
I know this isn't a standard,
but just to talk about something that I
actually know about,
we'll take SimpleX versus Signal.
They're both really good choices,
but they're different use cases and
they've got different advantages.
SimpleX has the whole decentralized
architecture and it's supposed to be a lot
more censorship resistant without having
to set up a proxy,
which we made a video about that.
At the same time,
it's missing a lot of the features that
the quote-unquote normies would come to
expect and
you know,
it can be harder to get your family
onboarded.
Like,
I remember that was a big thing when
Mastodon kind of had their fifteen minutes
is everybody was like,
I don't know what instances are.
I don't know what server to sign up
for.
Like, I'm really confused.
And, you know,
it's things like Signal don't have that
problem.
You just download it and start using it.
And so there's a lot of the time
standards are
built for certain use cases, but I would
venture to say that a lot of the
time they can also, especially when we talk
about tech and this kind of stuff, they
can apply to multiple use cases. And so
there's, like, advantages and disadvantages,
so there's not always a clear, like, well,
this one is obviously better. It's like, no,
it's obviously better in certain ways, and,
you know, this other one is obviously
better in certain ways. But humans are
incredibly emotional creatures, and so
sometimes we, uh, have a hard time agreeing
on this kind of stuff. I think that
would be my guess. I don't know if
you have a better answer.
Yeah, it's kind of frustrating. It's like
every single thing we've got has got
like some argument about standards
happening. Like, which you mentioned, like
Mastodon. Oh, Mastodon, I don't like that.
It's like, the standard is so bad. Like,
the federated protocols are so bad.
I prefer Bluesky. I prefer, uh, what's
the other one, Nostr. I prefer blah blah
blah. Like, it's...
Yeah, people have always kind of argued
about this stuff. Um, you know, I think
there's not many protocols that we could
argue are, like, actually standard at this
point. Like, email comes to mind. Like,
everyone is, like, kind of on board with
that. Unfortunately, it's like the worst.
It's really bad. It's a really crappy
protocol, but everyone uses it. So, I mean,
I guess it doesn't really matter if a
protocol is actually good or a standard is
actually good. It doesn't mean that it's
going to be
adopted. Um, I think it also is just
a legacy thing too. But, like, same with
phone numbers. It's a standard. Everyone's
using a phone number and it's not a
good way. Um, I guess also here there
was a question from Mike, uh, last name
with, about Session. Session is about to
close shop soon. Um, I know Nate, you've
definitely got more experience with this,
so you want to handle this one?
Yeah, I mean,
I actually found this out from Carey from
Firewalls Don't Stop Dragons, but actually,
thankfully,
Session is not shutting down right away.
They were able to get enough support,
not as much as they hoped for,
but they will be able to continue
developing past July eighth.
A smaller team will continue development
into twenty twenty seven,
focusing on strengthening the project and
building a foundation for its long term
future.
Um, so yeah, they say,
although procedures,
shutdown procedures have been canceled,
the shape of the project is still changing
considerably.
The project will now be led by Jason
Rhinelander,
longtime chief software architect and
member of the Session Technology Fund.
Uh,
currently donations received are enough to
support critical infrastructure to retain
Jason as developer and possibly to add one
other full-time developer.
There's also still a small team of
volunteers contributing to other aspects
of the ecosystem.
So, um, Session will continue to exist.
It's just, they've unfortunately had to
dramatically strip down their team.
Um, which is really, really unfortunate.
And, uh,
Yeah, I mean,
they're still they only raised just shy of
two hundred thousand dollars and their
goal was one million,
which they did explain.
This is right on the front page,
by the way.
If you go to getsession.org,
you can read the appeal up top and
it'll take you to this page.
So, yeah,
they definitely do still need donations.
If you believe in Session,
if you are a fan of them,
please donate.
They do still need it.
They're not out of the woods yet,
but thankfully they are not shutting down
as of this point in time.
Yeah, it's really unfortunate when we see,
you know,
I think it's really hard for a lot
of these projects to get the funding that
they need.
And, you know,
unless you're like the big player,
which currently right now is Signal,
they get a lot of donations.
But like all the other projects,
I'm not really sure what SimpleX's deal
is.
I believe they did take on venture capital
funding,
so they're probably going to work out some
way to monetize their product eventually.
Raya is definitely more of a
community-based project,
doesn't see as much development as Signal.
You know,
we've got all these different messengers,
and if you do, like, personally,
I'm on Signal every day.
I'm sending messages.
I'm on voice calls for, you know,
hours at a time.
Like,
I think this is an important thing to do, right?
If like you use a product or use
a service and you get a lot of
value from it, then, you know,
maybe consider donating because it is
expensive to run all this infrastructure.
And I don't know,
I've always had kind of a soft spot
for Session because they've been an
Australian based company originally.
And I don't know,
I was kind of sad to see that
this happened because I thought they had,
I thought they were receiving enough, um,
through cryptocurrency donations. But it
seems like they have kind of been
struggling. So, I don't know, this is kind
of sad, but I hope that they can
work out some other sustainability, like
some other way to sustain their
project. Because it's never been an app
that I've used a lot, but it's always
been nice to have that extra option. Like,
a lot of people were like, oh, I
don't like Signal because it requires a
phone number.
Here's Session.
Doesn't require a phone number.
Or here's SimpleX.
Like there's other options for people.
It's better to have more options than not.
So if Session does go away,
we're going to be kind of stuck with
the only one I can think that really
compares is SimpleX.
SimpleX is kind of Session adjacent,
but it has a different direction,
certainly.
Agreed.
All right.
I think that might be all we got
this week.
You think it's time to close out?
All right.
All right.
All the updates from this week in privacy
will be shared on the blog every week.
So sign up for the newsletter or subscribe
with your favorite RSS reader if you want
to stay tuned.
For those who prefer audio,
we also offer a podcast available on all
podcast platforms.
And again, RSS.com.
This video will be synced to PeerTube as
well.
Privacy Guides is an impartial nonprofit
organization that is focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
you can make a donation on our website,
privacyguides.org.
To make a donation,
you can click the red heart icon located
in the top right corner of the page.
You can contribute using standard fiat
currency via debit or credit card,
or you can donate anonymously using Monero
or your favorite cryptocurrency.
Becoming a paid member unlocks exclusive
perks like early access to video content
and priority during the This Week in
Privacy livestream Q&A.
You also get early access to our show
notes and the stories we might be
covering,
and a cool badge on your profile in
the Privacy Guides forum and the warm,
fuzzy feeling of supporting independent
media.
So thank you guys so much for watching
and we'll be back next week.