Claude Code Leaked It's Own Source Code

Hi, folks,

we got a lot to talk about.

Claude's source code was leaked.

LinkedIn scrapes your browser extensions.

There's a horribly insecure messenger app

going around and more.

All this and more coming up this week

in on this week in privacy number forty

seven.

So stay tuned.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we're working on

in the PrivacyGuides community and this

week's top stories in data privacy and

cybersecurity.

I am Nate,

and joining me again this week is Jonah.

How was your week, Jonah?

You know, my week has been pretty good,

thanks for asking.

Besides misspeaking during the intro

there.

Can't complain.

A lot of these things happen, right?

Yes, yes.

All righty.

Yeah.

I guess with that,

we'll jump right into our headline story

this week.

And you guys have probably heard about

this one.

So there's an AI called Claude,

Claude Code specifically,

because there's a few different kinds of

Claude.

I'm not a heavy AI user myself,

so I've heard that Claude is one of

the better ones in terms of the results

it puts out are mostly accurate.

It puts out mostly good code.

That's just what I've heard.

You could do a lot worse than that

one,

but we're not going to talk about that.

We're here to talk about the fact that

Claude code had its source code leaked

thanks to some human error.

To clarify,

this is the source code for the app

itself, the Cloud Code CLI,

not like the models or anything like that.

But it still gives us a little bit

of insight into what's going on under the

hood.

And...

I guess I'll go over it a little

bit, but I'm also mostly going to,

I mean, we're a privacy podcast, right?

So we're going to focus mostly on the

privacy and security stuff.

But just to kind of give you a

little bit of a recap.

So this happened because when they

published the newest version of the NPM

package, there was a source map file,

which I'll be honest,

that's technical stuff that goes over my

head.

But basically it allowed clever people who

noticed it

to access the source code.

Like we said,

it was almost two thousand TypeScript

files and more than five hundred and

twelve thousand lines of code.

I saw somebody else round up to five

hundred and thirteen thousand.

So, yeah.

I mean,

it's one of those once the cat's out

of the bag things, right?

Or once the horse has left the barn.

Because everybody quickly went and

downloaded this,

and there's other repos are springing up,

which we'll talk about that in a second.

Anthropic tried to get some of them taken

down with a DMCA takedown,

a copyright thing, basically.

unrelated we're not going to talk about it

but you know there was a whole uh

like github interpreted that dmca

according to the the official story github

interpreted that dmca a little harshly and

took down even things that were not

supposed to be taken down but yeah it's

it's been a whole thing um

So I've also seen some pretty polarizing

takes here because I think it was this

article.

Yeah,

this article said that its sophistication

is, quote, both inspiring and humbling,

according to some people who looked at the

code.

I saw some people on Mastodon look at

the code and say that it was pretty

sloppy and kind of shocking that it was

so bad.

But I mean, to be fair,

Mastodon tends to be a pretty anti-AI

crowd.

So I don't know who's telling the truth

there, but.

Yeah.

So, and then real quick,

before I jump into an analysis part,

we have like a follow-up to this story

that's related that says,

Clawed code leak used to push InfoStealer

malware on GitHub.

And this one comes from Bleeping Computer.

Basically, once the leak was out there,

a lot of people started...

putting up their own GitHub repos where

they would advertise that this was cloud

code with all the paywalled stuff removed,

basically.

So free premium cloud code.

And they would game the SEO to make

sure that it would show up in the

front.

If y'all are watching the video,

you can see here,

this one outlined in red is like the

third result from the top on Google.

And this is one of the malicious ones

that the article focused on.

And yeah, turns out, shocker,

it includes an InfoStealer malware.

I'm going to go out on a limb.

The article didn't say this,

but I'm going to go out on a

limb and say that it did work once

you fired it up.

Because usually that's how it is, right?

It works,

so you don't think anything's wrong.

But when you install it,

it's actually got that InfoStealer in

there.

And they said that there were multiple

repos like this.

So...

yeah so um cyber security takeaways from

this the we're covering this as a headline

story partially because this is a really

big story going around right but there's

there's a couple reminders here um one of

them is as far as the uh the

repo thing goes you know we we always

talk about making sure you get things from

an official source and um not not to

go too far out of my way to

pick on google here not like they don't

deserve it but uh you know we've been

covering a lot this whole google side

loading story and you know google

is trying to act like, oh,

this is all for security, right?

It's dangerous to get apps from a

third-party store,

even though the Play Store has plenty of

malware on its own.

But even so,

the point being is get things from a

trusted source.

Signal, for example, does have an APK,

but it's kind of hard to find.

But it is okay to get it from

the Play Store because that's a trusted

source.

Um,

there's also other places that you could

get the APK directly.

There's third party app stores like F

droid,

which I know have some concerns about

them.

But the point being is like,

this is when I go to download something,

typically what I do is I go straight

to the developer's website and I go, okay,

what are their official channels?

And then they'll say, you know, it's,

it's on the play store.

It's on F droid.

It's on GitHub directly.

And then I'll look at the list and

decide which one I want to use.

It's not so much the channel it's making

sure it's, it's official.

Um,

So maybe don't try to get free Claude

doing that.

And then, yeah,

just the other takeaway I had was the

whole source code leak thing.

Anthropic was really quick to own up that

it was a human error.

They said here, what was it?

Yeah,

this was a release packaging issue caused

by human error, not a security breach.

Yeah,

not like AI doesn't do this kind of

stuff all the time.

But, you know,

it's just remembering that there is...

remembering the human element in

everything.

You know,

if you listen to any social engineering

people,

they're always quick to point out that

humans tend to be the weakest link in

any system.

You know,

I could spend a lot of time trying

to,

if I'm trying to get into a building,

right?

I could spend a lot of time trying

to hack the door code or the card

readers or whatever,

Or I could come up with a really

convincing story for why I need to be

there,

usually involving a high-vis vest and a

clipboard, in my opinion.

But yeah,

so I think those are kind of the

more technical things that I took away.

Jonah,

was there anything specific about this

story that jumped out to you from your

expertise?

yeah there were a couple things that i

noticed and i was trying to find a

tweet that i saw from somebody else but

i couldn't pull it up here um but

i'll talk about some stuff going back to

what you said about mastodon i do think

it's interesting um

like the supposed quality or sloppiness of

the code,

because I believe Anthropic has said for a

while that all of their code base is

now AI-generated by all of their

developers.

That does, I think,

at least bring into question whether you

can DMCA or copyright any of this code

at all.

Maybe you can't because it's all

AI-generated,

which AI companies have been pretty firm

about saying, you know, this is not...

like a copyright concern at all.

So it's kind of a taste of their

own medicine there that all of this is

out, I think.

The main thing that I think we see

in this source code,

because like you said,

the models aren't leaked,

but there is a lot of information about

the

system prompts that Claude uses for a lot

of different tasks,

which definitely gives a lot of insight

into how Claude works and how like,

it like to to their competitors,

I think it gives a lot of insight,

like how you could make a similar product

and also

to people who are trying to do prompt

injections to bypass some of the

restrictions in placing cloud code,

you can more easily see how they're

implemented and get around them.

So I don't know how people are going

to end up using that,

but I think that there is a lot

of opportunity for people to do something

with it.

All of the AI stuff, I mean,

we've talked about it on the show before,

not...

the most interesting to me from a security

or privacy standpoint,

because like cloud code and all of these

AI models,

they're going to run fully in the cloud.

So they get all of this information.

I think it is sort of dangerous to

be using and relying on,

especially for sensitive information.

And that hasn't changed from any of this.

But yeah, it's interesting stuff.

The tweet that I was trying to pull

up talked about how Claude and how

Anthropic is using their AI to contribute

security patches to a lot of different

open source projects.

And they've been doing that out in the

open.

Certainly,

I've seen a lot of security

vulnerabilities submitted to

GitHub from Anthropic.

I think one of the latest Mastodon

security vulnerabilities in patches was

submitted by Anthropic.

So I believe I've seen contributions to

that and to Firefox and a lot of

other open source projects from them.

Unfortunately,

I just cannot find this source,

but maybe I'll be able to pull it

up later.

But I saw some information about internal

tools that Anthropic is using where the

system prompt is like,

create these security vulnerability

patches without giving any indication that

AI or cloud code is used at all.

So it's very specifically told not to

attribute anything to cloud or Anthropic.

It's told...

you know,

not to include comments that might

indicate it's AI, et cetera.

So I think that that's really interesting

that they are,

I don't know what cases they're using

those tools in.

I would have to find out more information

about that,

but I think it's interesting that they are

doing that.

Yeah,

it looks like you pulled up on the

screen some of the instructions that I

saw.

Yeah,

I found it on another article from Ars

Technica.

Yeah,

I don't know where the original thing is.

But yeah,

basically they were saying there's an

undercover mode.

So as you can see there...

they're basically telling Claude that

they're operating undercover in a public

open source repository.

So they can't contain any Anthropic

related information.

I can imagine that's probably used because

a lot of open source projects are very

anti-AI contributions and anti-AI pull

requests and just automatically close

anything that's AI generated.

So this is probably a way for them

to

um try and get around those restrictions

whether that's a good idea for them to

be doing or not i guess that's a

debate but um it seems to be what

they what they are doing and that's kind

of confirmed with this so i thought that

that was um fascinating yeah i agree i

i feel very torn on that because on

the one hand um

there's probably an angle I'm missing

here.

On the one hand,

I understand the idea of like,

let's just assume they're doing that

altruistically, right?

Like we want to make these open source

projects better.

We want to make them more secure.

You know,

like I don't think at Privacy Guides,

for example, correct me if I'm wrong,

we don't typically go out and solicit

people to like, hey,

come check out our website and make sure

all this information is accurate.

But we totally welcome it if somebody does

come up and they're like, hey,

I found an inaccuracy and they report it.

And I feel like that's kind of what

they're doing is, you know,

on the one hand,

it's like it's still creating a more

secure project, right?

Assuming that the bug report is good.

I know that's historically been a problem

is a lot of AI slot bug reports

that aren't really valid and they're not

really bugs or whatever the case.

And semi-related,

but I did see an article earlier this

week.

that said that actually there's been a

noticeable increase in quality on AI bug

reports.

So maybe they're starting to make some

progress on that.

But either way, point being,

I understand the idea of the end result

is the same and either way it makes

the project more secure.

But it also feels very disrespectful of

like, if I don't want AI reporting it,

why would you go out of your way

to hide that?

And I don't know,

it's a really weird thing and I don't

know how to feel about it.

But I did see that too.

That's really strange.

yeah i would be really interested to see

data on like all of the security related

pull requests or vulnerability reports

that anthropic specifically has reported

because i feel like there's two different

types of ai contributions to to these

projects i think a lot of them are

kind of slop contributions because a lot

of

a lot of people in the open source

space or some students, for example,

they want to pad their GitHub profiles

because it looks more attractive to

developers.

I see that quite a bit where if

you can get like a PR merge into

a major project,

it just kind of

looks good for you.

And so I think a lot of people

are just spreading a wide net and just

submitting a ton of AI slot pull requests

and hoping that some of them get accepted,

which is very annoying for open source

maintainers.

But on the other hand,

if Anthropic themselves,

if they have a legitimate interest in

improving open source tools,

which they probably do because a lot of

these big companies do use these open

source tools themselves for a lot of

different reasons,

I can imagine that

like somebody being like an engineer at

Anthropic being paid to use AI and submit

these pull requests might be doing a

better job in not just completely

submitting slop but like using AI to find

these vulnerabilities and write this code

but checking it themselves before

submitting it and writing like explainers

because they're getting paid to do this

unlike the people who are just you know

rapid fire submitting

vulnerability reports and PRs, right?

I don't know if that's true or not,

but I would imagine Anthropic would

probably argue that that's true and would

probably use that as the reason that

they're doing this.

And like I said,

I have definitely seen AI companies report

security vulnerabilities that were patched

to open source projects,

and some of them were major

vulnerabilities.

So there is some merit to the idea

that AI can find these vulnerabilities

more easily than, I mean,

I don't know if it's more easily than

people who are auditing the code,

but it certainly is happening.

So yeah, I mean,

if all of the reports that Anthropic

themselves are submitting are accurate and

worthwhile to fix,

I don't know if that's necessarily a

problem.

But of course, people are

all along the spectrum of AI and AI

contributions and AI code specifically.

So yeah,

I think that's going to be quite a

debate in the open source community for a

while,

and I don't know how people are going

to handle that.

Yeah, I don't know either.

It seems like one of the better uses

of AI, in my opinion,

as opposed to writing songs or putting out

blog posts.

It's still just, yeah.

Like you said, what, what would be the,

I wonder what the success ratio is,

especially from Claude.

And is there a human review?

It doesn't sound like it from that,

that snippet that I shared,

but that's personally,

that's where I fall.

Like,

I don't mind and I'm not a developer,

so maybe I just don't understand how,

how bad the problem is, but like,

I would imagine,

I don't mind if AI helps you find

the vulnerability,

as long as a human looks it over.

um but yeah i'm sure there's a lot

of people that are not doing that

unfortunately so yeah i mean we've we've

definitely talked about this in the

privacy guys community and when we're

talking about all these different tools

that we recommend um people really want to

see audits but they're extremely expensive

and um if ai is not being used

to like write new code but it's being

used as like a second pair of eyes

to take a look at all of this

code that could be a good thing um

You know,

it is not going to be perfectly accurate,

but if we're being honest,

all of these security audits that projects

are paying for are not completely accurate

or totally thorough either.

And they're certainly going to be cheaper

to run AI than have a whole team

of people auditing this code.

So while I would imagine it's probably

going to...

be worse quality and probably have more

false positives if you're using AI.

I do think that doing it and revealing

some of these vulnerabilities is probably

better for a lot of open source code

bases than not doing any sort of audits

at all and just hoping that the maintainer

catches all of these bugs.

So I can definitely see a use case

here.

It's a tricky situation.

Yeah, for sure.

I know it's not really AI per se,

but I know, and you probably do too.

I get the emails from GitHub every once

in a while.

That's like, Hey,

there's a thing that you use NPM or

whatever,

and there's like a vulnerability go ahead

and upgrade.

So yeah, I, I would be, uh,

I don't know.

I mean, mine's,

mine's just a static website,

so I can't imagine the damage would be

too terrible,

but still it's nice to get that proactive

without having to go out and get a

whole code audit thing.

So useful stuff.

But I don't have anything to add to

that story unless you did.

Did you want to tell us about this

next story out of California?

Yeah.

So this one was reported by the Los

Angeles Times.

Their headline is California bill would

require parent bloggers to delete content

of minors on social media.

Yeah.

So they have a quote here from somebody

directly impacted.

It says,

as the daughter of a social media

influencer,

Kami Barrett says she navigates life

within a digital footprint she wished

never existed.

Everything my mom posted is still on

social media, she said.

Photos I wish never saw the light of

day, private details about my health,

even when I started my first menstrual

cycle.

She was saying this at a Wednesday news

conference to advocate for Senate Bill,

which would require social media platforms

to offer a process for adults to request

the removal of content that features

themselves as minors and was created by a

family member who received compensation

for sharing material online.

So yeah, this is an interesting story,

and I guess it specifically relates to all

of these family influencers that we see,

which has definitely become more of a

problem lately.

Especially, I would imagine,

in California.

So it's interesting,

but probably makes sense that this is only

going to apply to...

kind of public influencers,

ones who are receiving money or

sponsorships in exchange for all of this

stuff.

But it is only going to be available

for adults.

So there isn't really a process that

prevents any of this stuff from being

posted in the first place or anything like

that.

It's only a retroactive thing that

adults can do about their childhood if

they were a part of like a family

influencer situation um does i i would say

i don't know if that makes a lot

of sense from my perspective because i

think as we always say um

anything that you post on the internet is

sort of permanent all of this stuff is

going to be archived and it could be

potentially years before you're able to

take any of this stuff down so uh

children who are like uncomfortable with

all of this going on um at the

moment i don't think have a lot of

protections um and i don't know um how

that should be handled to be honest i

know that that's been a debate that's been

going on for quite a while how children

should be

um like compensated for that is that

considered child labor um there's all

sorts of laws especially in the

entertainment industry and in hollywood

and on the internet um that that come

into play here so

I don't know if this is going to

really impact a lot of the people that

we see in the privacy guides community who

are trying to clean up their digital

footprint,

because I think a lot of people are

more concerned about smaller scale

situations than some of these commercial

ventures that this bill is going to

attack.

But I do think it's a good idea

for more privacy protections and some sort

of

process to get that data removed if you

are an adult and you don't want that

information out there.

So it seems to be a good thing.

I'm not sure how effective it'll be or

if it goes far enough,

but I think any protections and processes

to protect your privacy are good at the

end of the day.

Was there anything you wanted to note in

this article, Nate?

No, I agree with you.

It's funny.

I think most people would agree I'm a

lot more

lenient with some privacy stuff than a lot

of other privacy people are.

But like kids are kind of one of

the few things where I'm actually kind of

like,

like in a perfect world,

I think it should be illegal to post

pictures of your kids online at all.

Um, or at very least publicly, like,

you know,

if you're going to post pictures of your

kids,

it has to be in like a closed

group chat or like a,

a friends only Facebook post again in a

perfect world, there wouldn't be Facebook,

but that's beside the point.

Um, so like, yeah, this, I,

and I agree with you.

It's really sad.

Cause like, even in this article, um,

one of the,

one of the people they talked to said

that, um,

I think it was that first girl, Barrett.

Yeah, Kami Barrett.

Further down,

she says that she recalled being a target

for predators and online bullying,

said her mother was aware of the problems

it created,

but continued to share her daughter's life

on social media.

So, like, cool, thanks.

Now that I'm twenty, twenty-five, thirty,

I can ask you to take it down,

but that doesn't help me when I'm ten,

fifteen, sixteen, seventeen.

You know, like you said,

the damage is already done in so many

ways, and...

I mean, I guess, yeah, I don't know.

It's just, it's crazy.

And it's one thing I thought was

interesting is it says the legislation

requires that social media platforms offer

a process for adults to request the

removal of content.

And then basically from there,

they pass it on to the parent and

the parent has ten days to take it

down.

After ten days,

they get a three thousand dollar a day

fine.

So I don't know.

It's just it's really I'm with you.

I feel like it doesn't go far enough

and it doesn't.

it's not proactive enough,

but at the same time, I mean,

I guess it's better than nothing.

And I think that's, I don't know.

It's.

It frustrates me.

I wish it would do more,

but it's a story for sure.

A couple of things to note about this

story.

This bill hasn't passed yet.

It's just a proposal.

But this the person in question in this

article was talking about their support

for it.

The other thing I would note is similar

laws do exist in a couple of other

states, including here in Minnesota.

There are some laws that

here restrict um more highly how children

can participate in like commercial content

in the first place um so I think

if you're under thirteen you can't

actively uh participate in any of this

content creation at all you can maybe be

featured in it but you can't be um

Like an active part in it,

so I think that in Minnesota,

at least a lot of those toy unboxing

channels where people have their children

unbox a bunch of toys and that kind

of thing that's not allowed.

teenagers here in Minnesota are allowed to

participate,

but there are laws in both of these

situations around how that revenue is

split between everyone involved,

so there are some protections I think for

people participating in these commercial

ventures.

But from a privacy perspective,

I think they probably don't go far enough

in any case.

But it is interesting to see how this

is being handled.

It is a very, I think,

new issue with the internet and everything

that none of the existing laws were really

equipped to handle around child labor and

stuff like that.

So it's good that this is at least

getting attention,

and we'll see how this plays out.

Yeah,

it does say in California they have a

law that was signed two years ago that

content creators that feature minors and

at least thirty percent of the material

have to place some of their earnings into

a trust that children can access when they

turn eighteen.

So, yeah, like you said,

there's there's some it's an issue that's

starting to get attention for sure.

But.

Also, just on a personal note,

they interviewed Alison Stoner,

who they said was a former child actor

who appeared in films like Step Up and

Cheaper by the Dozen.

They were also Isabella in Phineas and

Ferb, and no mention of that.

And I feel so offended because I love

that show.

I just had to call that out.

Interesting.

I had to.

So in a little bit,

we are going to talk about LinkedIn's

browser scanning.

So that should be fun.

But first,

we're going to go ahead and jump into

site updates and talk a little bit about

what's been going on at Privacy Guides

this week.

Just this afternoon,

we dropped a new video.

It is currently members only.

So we usually leave those members only for

about a week.

This one is about encrypted email.

This is another one of those like really

beginner friendly videos that if you're a

bit of a privacy veteran,

you probably know this stuff,

but hopefully it's something that you can

share with your friends and family.

It talks about why mainstream providers

like Gmail and Yahoo aren't quite good

enough and how encrypted email works and

some of the different ones we recommend,

pros and cons of each.

So yeah,

if you are not a member yet and

you want to check that out,

you can join on YouTube or you can

go to privacyguides.org slash donate and

that will take you to a link where

you can sign up for a membership.

But that's what we did this week in

the video department.

And I will turn it over to Jonah.

Very cool.

Yeah, another thing we did recently,

Nate and I recorded this a few weeks

ago, but it's finally live.

We did a panel discussion on the Firewalls

Don't Stop Dragons podcast.

So episode four seventy four of that

podcast is now out.

It's called Privacy Guides Panel.

Nate and I are on it and we

talked about a ton of interesting stuff.

So I would definitely recommend checking

that episode out if you want to listen

to those discussions.

You can look at the table of contents

here.

It looks like Nate's showing that on the

screen,

but you can find the Firewalls Don't Stop

Dragons website for more information.

And if any of those topics sound

interesting to you,

Definitely check it out because it was a

ton of fun for us to record.

I think we talked about a lot of

cool, interesting, informative stuff.

So hopefully somebody finds it useful or

at least finds it entertaining.

In other news,

we again published a bunch of news briefs

that we're not covering here on this show,

but you can find our articles at

privacyguides.org slash news about them.

We have stories on Mac OS,

improving security in the terminal app.

a grandmother who was wrongfully arrested

because of facial recognition, iOS,

twenty six point five beta,

including end to end encryption for RCS

messages, Walmart,

digital price labels and more.

So definitely check that out.

Again,

it's privacyguides.org slash news if you

want to read those stories and let us

know if you have any questions about them

on the forum or anything else,

because there's always a lot of

discussions about these stories.

over there as well everything that we do

at privacyguides is made possible by our

supporters you can sign up for a

membership or donate at privacyguides.org

donate or you can support us by picking

up some swag like this water bottle for

example at shop.privacyguides.org

Privacy Guides is a nonprofit which

researches and shares privacy-related

information,

and we facilitate a community on our forum

in Matrix where people can ask questions

and get advice about staying private

online and preserving their digital

rights.

Now let's move on to our next story.

This is about NextCloud and OnlyOffice.

That is right.

So, um, full disclosure,

I am a next cloud user and a

little bit of a next cloud fan boy.

So, um, I'm bummed to hear this story,

but only office has suspended their

partnership with next cloud for forking

its project without permission.

And this comes on the heels of another

announcement.

So earlier this week, uh,

next cloud IONOS and several other

European tech companies

came together and announced this new open

source project called Euro Office,

which they describe as, quote,

a sovereign replacement for Microsoft with

intuitive interface and strong

compatibility backed by European open

source community.

Only Office has basically claimed that

this is a fork of their code.

And they say that this violates license

agreements because they offer only office

is source available or open source.

And they use the AGPL version three.

So specifically towards the end here,

if you're watching on screen,

you can see this, but towards the end,

it says we require compliance with

applicable licensing conditions,

including,

but not limited to the preservation of

only office branding logo and all required

attribution elements as defined in our

licensing terms, which is,

If this is a brand new project,

it would, of course,

have none of those things.

So for those who do not use Nextcloud,

you may or may not know that Nextcloud,

one of the things that it comes with

by default is an online document editor or

Office editor.

And there's a couple different ways to

make this work.

You can use Collabora online,

or you can use only Office.

And this has been...

I think they said for eight years,

only Office has partnered with NextCloud,

and now they are terminating that.

They do say...

I think they said that no, yeah,

no existing partners or clients will be

affected.

So basically if you've already got it

installed, you're good to go.

I don't know what that means for updates

and stuff, but yeah,

I guess we'll find out.

They also, interestingly, um,

just to throw it out there,

only office said that in the past,

and I'm quoting the article here,

next cloud has behaved in a manner not

expected from a partner,

including trying to poach its employees

and influencing customers against the

company,

but directly forking the project and

repacking it was the straw that broke the

camel's back.

Um,

Yeah, then kind of a statement here.

They said partnership is built on trust

and trust requires shared principles where

those principles are no longer upheld.

Continuing operation is no longer

sustainable.

For this reason,

we made the decision to suspend our

partnership cooperation.

And then just kind of, I guess,

a little bit more background towards the

end.

Lever Office has criticized OnlyOffice for

being, quote unquote, fake open source.

They say, for one reason,

OnlyOffice defaults to Microsoft Office

formats like DocX, XLSX, and PPTX,

which is Word, Excel, and PowerPoint,

rather than open standards like Open

Document Format or ODF.

And there's also, apparently,

Nextcloud says they didn't just

collaborate directly with OnlyOffice.

Let me rephrase that.

When asked why they didn't just

collaborate with OnlyOffice,

they said that there were a number of

reasons,

including that OnlyOffice is a Russian

company that tends to obscure its origins.

Developers often leave code comments in

Russian and many users are hesitant to use

software potentially linked to the Russian

government.

They also claim the only office

discourages contributions,

ignores pull requests and lacks

transparency since commit messages

frequently reference internal issue

trackers only.

So yeah,

I don't know that I have a lot

of thoughts on this one.

Jonah, did you have any,

like what do you know about this AGPL

V three, for example?

Yeah, so what's in question here is, well,

only office says that they've added

provisions to AGPL requiring certain

attribution in forks of the project.

So we could,

if I could share my screen here,

let's see.

Huh.

So they're talking about in their license

two things.

You have to retain the original product

logo when you distribute the program.

And they do not grant any rights under

trademark law for the use of any only

office trademarks.

And the Euro Office Project Initiative

basically removed these provisions saying

that

Basically, if I can find it here,

section seven of the AGPL says that you...

Which line is this?

Says that you can remove any additional

restrictions or any of these terms from

that license on your own.

And this is kind of the basis of

Euro Office's claim that they can kind of

change this license.

And they say that they don't have to

use their logo to...

Give attribution to OnlyOffice.

The AGPL is still going to require that

they provide some attribution somehow,

but according to the Euro Office project,

they don't have to use the OnlyOffice

trademark.

I think this is kind of interesting

because usually open source projects like

OnlyOffice in this position,

fight tooth and nail for forks to not

use their branding at all.

So the fact that they want them to

use their logo is kind of strange because

we've seen like Mozilla, for example,

when there's any Firefox forks,

they want to make sure that there's no

Firefox branding whatsoever associated

with that because they don't want it

associated with their

project um and related to this there's

actually another case um around it a few

years ago this started and then there was

a i think the latest update on this

was in um but a company called neo

four j um started a lawsuit against uh

another company purethink and

about a very similar issue.

Basically Neo-FourJ added a lot of clauses

to their AGPL license,

and Neo-FourJ said that because the AGPL

says that you can remove certain passages

or restrictions that were added onto the

AGPL, that they were able to do that.

And Peerthink actually lost this case.

This twenty twenty five article is

basically announcing an appeal that's

taking place.

I don't know if that's actually gone to

court yet,

but they

So yeah,

this article says that the AGPL allows

added-on terms like the Commons clause

that Neo-FourJ was using to be stripped

from the license.

And Neo-FourJ said that because they added

it,

you have to comply with all of the

terms of the license.

And the court basically agreed that any

terms in the license have to be followed

regardless of what the AGPL says.

And then the Free Software Foundation and

other organizations in the open source

space

said that that's not the case and that

they did intend this tenant or this

provision in the AGPL to work and for

these restrictions to be removed because

they believe that you can't really have

restrictions on free and open source

software,

which is kind of the point of the

AGPL.

So

It's a strange case.

It's definitely in a gray area.

And it really depends on how much

OnlyOffice wants to fight this.

But I think you could certainly argue in

the Neo-FourJ case and probably in this

OnlyOffice case that any of these

restrictions that are being added onto the

AGPL that have very...

specific restrictions on how the software

can be used probably make the software not

open source um so at the end of

the day you shouldn't be calling it an

agpo licensed project if you really want

these terms to be followed i think that

they would have to call it something else

and it

wouldn't be, I mean,

it would be at odds with the open

source in the same way that a lot

of these source available licenses that we

see are.

It's definitely a hot debate in the

community in general.

We've seen a lot of talk about like

the FUDO license, for example.

not being open source and they went with

a different name because of that.

But there's certainly other licenses that

projects are trying to use and they still

continue to claim to be open source when

in reality they're source available.

So I think that if only Office really

wants to follow through on having these

restrictions in place,

I think that would be very at odds

with their claims that they are an open

source

project um which would be a bit concerning

because the entire idea of open source is

that these forks should be able to exist

and like you should be able to completely

fork and create um this euro office that

nextcloud is making um without any

restrictions or preservation of OnlyOffice

branding.

That doesn't make a lot of sense for

a fork to be doing.

And so OnlyOffice is in a bit of

a strange situation here.

It's always the business

pace against open source software in

general.

They don't want people taking their work.

And OnlyOffice clearly believes that

because they say that they've spent years

building a fully functional production

ready Office document editor.

But at the same time,

they marketed that as an open source

project.

And that is what people kind of expect

from that.

I would also note,

Nextcloud kind of has a history of

forking open source projects um in not a

very collaborative way i mean their next

cloud itself was forked from own cloud of

course and that division was um

I don't think super well received by

OwnCloud themselves.

So it's kind of a situation that they're

used to.

But I think a lot of people side

with Nextcloud in that case.

And I think that a lot of people

are going to side with Nextcloud here as

well.

So it might just kind of be what

it is.

yeah and like kind of going back to

what you were saying about um you

mentioned that like a lot of companies

they they put work into it and then

they don't want people stealing that work

it's one of those things where like in

that case and i say this kind of

spitefully but like then just don't be

open source because i mean obviously in a

perfect world i would prefer everything

was or at very least be like you

said like be transparent about being

source available because um

in a perfect world,

I would love for everything to be at

very least source available,

because that's how we're able to verify

that the code is doing what it's doing.

And it helps build that trust at very

least, I think, um,

especially things that deal with security,

like password managers should at very

least have their cryptographic bits be

source available, um, bare minimum,

but cause security is something where like

everyone benefits.

Right.

But

To me,

it's just such a crappy thing because

that's the risk you take.

And I've talked to a lot of projects

that are not open source and I've asked

them that.

I'm like,

why don't you guys have any open source

clients or anything?

And that's usually the number one reason

they give is they're like,

we're worried that people are going to

take our stuff and steal it.

We have no real way to control that.

And then there's...

to counter their argument.

There are plenty of companies who seem to

be doing just fine despite that.

But yeah, so it's, I don't know.

It's just me.

I say this with a little bit of

bitterness in my voice towards only

office.

It's like, then just don't be open source.

Like it feels almost, um,

it's going to be a really niche reference.

And I don't think this is as much

of an issue anymore,

but back in like the early two thousands,

um, there was a real,

I don't know if you'd call it an

issue or not.

I guess it depends on how you feel

about it, but a lot of bands would,

um,

would market themselves as Christian bands

because the Christian market would be a

lot easier to break into.

And then once they hit a certain level

of success,

they would quote unquote go mainstream.

And some of them would even like

vehemently deny, like, no,

we were never a Christian band.

And it's like, well,

we have interviews with you where you said

that you were, so whatever, dude.

But to me,

it just feels the same way.

It's like,

you don't actually believe this stuff.

It's just some kind of marketing gimmick.

And in this case, the open source,

I just feel like that, I mean,

I guess in the Christian thing too,

just feels kind of crappy.

It's like, you know,

don't say that you believe in this stuff

just to get ahead in the competition,

like commit to it or don't.

So I don't know.

That just, that really frustrates me.

Quick thanks to at Sod This All for

gifting a Privacy Guys membership.

Thank you for your support.

Oh, nice.

I just saw that.

Yeah.

I had comments closed down so I could

see the screen a little better.

But yeah, thank you.

That's super cool.

All right.

I think that'll take us into a LinkedIn

story that Jonah actually alerted me to

this story right before we started

recording.

This one's like hot off the presses.

Yeah,

I think this was reported just yesterday

or today, if I remember correctly.

I definitely saw it only yesterday,

but maybe it's been talked about a bit

for a while.

But there's this report that LinkedIn is

illegally or allegedly illegally searching

your computer.

They are scanning installed browser

extensions without user permission.

So this is reported by Apple Insider.

And something is wrong with my computer.

There we go.

They say researchers have determined that

Microsoft's LinkedIn is scanning browser

plugins and other information without

permission and building user profiles

using data that the company did not get

permission to take.

A European advocacy group claims LinkedIn

is probing browser extensions through its

website code.

Fairlinked EV published a BrowserGate

report alleging LinkedIn detects installed

browser extensions by probing for known

identifiers through JavaScript.

The group says the technique reveals

personally identifiable information.

And so this is a threat that we've

talked about before,

I think in a previous episode of this

show,

but definitely on the forum where the

browser extensions that you install can

definitely add to your browser fingerprint

and can specifically identify you based on

what extensions you have installed.

And that's been a known threat for quite

a while,

but I think this is one of the

first and maybe the largest examples of a

real world situation where this is

happening.

And so if we look at this Fairlinked

BrowserGate website,

they point out a lot of different problems

with these tools,

namely that

Microsoft is designated as a gatekeeper

under the Digital Markets Act in the EU.

So Microsoft Windows and Microsoft

LinkedIn are both regulated products under

the DMA, and they need to allow,

as a result, free, effective,

high-quality, continuous,

real-time access to all data,

including personal data that's generated

through the use of these products,

which LinkedIn is not doing because

they're doing this

in the background.

They also point out that this search of

all of your browser extensions can reveal

a lot of different personal information,

and they give some examples of extensions

that could potentially reveal that.

It could reveal your political opinions,

for example,

because there are extensions like

anti-woke, anti-Zionist tag,

no more Musk that you can install.

I don't know what those extensions do,

but obviously having them installed

definitely shares a bit about what you

believe.

It could share some...

Could reveal your religious beliefs

because there are extensions like Porta AI

which blur haram content or Dean Shield

which blocks haram sites.

It could reveal potential disabilities or

neurodivergence through extensions you

have installed like Simplify which aids

neurodivergent users in browsing the

internet.

Certainly,

LinkedIn could be getting your employment

information.

There's a lot of obvious ways to do

that,

but there are job search extensions that

people use on LinkedIn where that could

reveal information to LinkedIn or your

current employer.

And then it just reveals a lot of

potential trade secrets because LinkedIn

is this network where so many

professionals are located and they share a

ton of information about where they work

and Microsoft would have access to all of

that data and they would also have access

to all of the extensions that these people

have installed,

some of which would be mandated by their

companies.

So like whether you use

The examples that they give are Apollo,

Zoom, Info.

You could imagine other browser extensions

of professional tools that would be

installed by these companies.

I don't know what tools companies use,

to be honest.

I know in the education space,

we would use tools like GoGuardian,

for example.

And so...

In that example,

they could find out what we're using.

But a similar case would apply to all

of these organizations and their employees

who use LinkedIn.

They say,

Fairlink says in their BrowserGate site

that LinkedIn has not disclosed this

practice in its privacy policy.

There's no mention of extension scanning

in any public-facing document that

LinkedIn has published.

And so on this BrowserGate website,

which you can find at browsergate.eu,

they list six thousand two hundred twenty

two extensions that a hidden JavaScript

program on LinkedIn will scan your browser

for.

I believe this only applies to Chrome

browsers,

but that's probably most people visiting

LinkedIn, I would imagine.

and you can't opt in or opt out

of that and there's again no mention of

any of this happening in any of their

privacy policies um which is definitely

very concerning um so

It's kind of a mass breach of your

personal data.

They say that this is deceiving

e-regulators, which is probably true.

And so I think it's just interesting to

note for sure that this definitely leads a

lot of credence to the idea that your

browser fingerprints are going to identify

you and reveal a lot of information about

you and what you do,

especially when it's being done by a

company like

LinkedIn that has probably a lot of

information about you if you use it.

It has your real name.

Some people ID verify on LinkedIn.

They have your whole resume and being able

to tie all of this digital data to

those profiles.

creates a very unique and very

comprehensive profile of you when you use

the service.

So I think it is very concerning for

sure.

And it shows that the threats that we

talk about when it comes to your privacy

are in fact a real issue.

And these companies are trying to get all

of this data wherever they can.

Yeah, for the record,

I tried to show the browsergate.eu

website.

For some reason,

it's not loading on the device.

It worked fine earlier,

but I guarantee it's DNS.

It's always a DNS issue.

But yeah, it's my first thought.

OK, so my first thought,

because I was recently educated,

for general browser fingerprinting,

like the day-to-day,

Some browsers like Firefox, for example,

they do actually try to obfuscate what

extensions you have installed.

And I guess just to back up a

little further, I know that for, again,

for general fingerprinting,

it's not always a guarantee that having

more extensions will make you more

fingerprintable because it generally

depends on what does the extension do and

whether or not it modifies the page.

But obviously this one is going out of

its way to scan your extensions, right?

So that's a little bit of a different

story.

which I would argue that general

fingerprinting probably does that too.

But going back to what I was saying

about Firefox,

I know Firefox basically tries to,

and I'm probably going to get the fine

details wrong on this, so I apologize,

but they basically try to like randomize

the ID that your extensions have to make

it a little bit harder for you to

be fingerprinted.

Do you think that would,

do you think that would stop something

like this or slow it down?

Or is it just going to be able

to get past that anyways?

um it could potentially but i mean yeah

it depends on you know i'm not sure

how these programs work randomizing it

could work if you can't find the files

in the first place um and that probably

is a strong protection against it um but

If those extensions modify the page

itself, which a lot of extensions do,

then that probably is still going to be

detectable.

And so that's only going to protect your

privacy against certain extensions you

have installed that make public resources

available, but don't modify the page,

which I don't think would be a ton

of extensions,

especially like password managers.

I can imagine where...

like if they edit the page itself to

add like a pop up or like a

drop down menu to logins,

that's going to be impacted.

So if you disabled all of that autofill

stuff, and you kept the extension,

and only like manually copied from it on

certain pages, you know,

it could potentially protect you in that

situation.

But I don't think most people are doing

that.

So I don't know how extensive that

protection would really be.

Which even then,

my thought process is that kind of defeats

one of the advantages of a password

manager, which is if it doesn't autofill,

that could be an indicator that you're on

a phishing page.

So if it never autofills,

then you never have that moment of like,

wait, am I on the right page?

Yeah.

Yeah.

And then I guess my other thought, too,

is just not really a question,

but just a thought.

You pointed out that this was tested on

Chromium browsers,

which is probably what most people are

going to use anyways.

I, at my last job,

they gave us work computers that came with

Microsoft.

And I mean,

ninety nine percent of what I did was

logging into the company stuff anyway.

So I just use Edge because that's what

it came with.

And at one point,

I think at one point I did get

Brave installed on it and then I was

never able to do it again.

But I think I did try Firefox because

I was like, well, you know,

it'll it's not Edge, right?

It'll be a way bigger improvement in

privacy.

But I got really annoyed because

everything in a corporate environment is

optimized to work

with Edge.

And so it was just so much extra

friction to use Firefox.

So where I'm going with this is, yeah,

like most corporate environments are

probably going to be using either Chrome

or Edge because everybody's familiar with

Chrome.

And where I was going with that is

at my job, they said like, yeah,

if you go to our little app store,

you can download Chrome or whatever.

We don't care.

Use whatever browser you want.

So most people are probably going to be

using Chrome or Edge.

Maybe some will be using Safari,

which I think the article did say that

Yeah,

Safari users are less likely to be

affected by the specific mechanism based

on how extension detection typically works

across browsers.

Apple's browser model limits

fingerprinting surfaces.

But it kind of goes back to...

It's unfortunate because not everything...

Where am I?

How am I trying to word this?

It's important to try to compartmentalize

your professional life and your personal

life, right?

Like never...

Never do personal stuff on a work

computer.

For some reason, people do anyways,

and I don't know why.

But even then,

LinkedIn is something that...

You wouldn't get in trouble for doing that

on a work computer, I would imagine,

but it's also something you would do at

home, right?

LinkedIn is supposed to be something that

follows you from job to job to job.

It's not necessarily specific to that job.

So it is something that I could see

people checking on a home device,

which is so frustrating because it's like

you're trying to...

I don't know.

It's like,

it's one of those things where like,

you're not really necessarily doing

anything wrong and you're still getting

punished.

And that's, that's super frustrating,

but yeah, I guess I,

I just wanted to point that out.

It's, it's, yeah, I don't know for sure.

I mean, a ton of people, I think,

um,

Their work laptop is their only computer

in a lot of cases besides their phone.

I think a lot of I know people

in that situation.

And yeah,

definitely do not recommend doing that.

You should get your own personal laptop

and use that instead.

But I know a lot of people do

that anyways.

Another thing that I wanted to share,

not in the notes,

but kind of related to this is browser

extensions aren't the only ways that

websites can potentially fingerprint you

or like software you have installed on

your computer.

Sometimes the software itself on your

computer can work against you.

And so kind of recently,

I think this has been going on for

a while,

but it's been picked up by some news

sources.

Basically, Adobe Creative Cloud,

of course it's Adobe,

is changing the host file on your

computer,

which allows websites to detect whether

you have Adobe Creative Cloud installed.

So this is posted to Reddit.

Basically,

Adobe is adding this line to your host

file.

And then when you visit the Adobe website,

it tries loading an image from that exact

domain.

And if the image loads because of this

line that they've added that points that

domain to a specific IP,

then they know that you have Creative

Cloud installed.

And that could, of course,

be checked by any number of different

websites to detect whether you have Adobe

Creative Cloud installed.

And so even if you don't have any

browser extensions,

there are other ways that software

on your device itself can um increase your

browser fingerprinting profile um

regardless of what you do with the browser

so that is something to definitely keep an

eye out for because the only thing that

would really protect you against this is

either not letting creative cloud do this

which i don't know if there's a mechanism

to do that but it might be

uh worth looking into or using a browser

like tor browser which is going to bypass

all of your local network stuff

specifically but that's um challenging to

do and not a lot of people are

doing that for day-to-day use um and so

software that does something like this um

is a problem i don't know of any

other software that's going to do this

besides adobe but um

Of course, again,

of course it's Adobe doing that, but yeah,

that is another attack vector unrelated to

extensions that websites could be using

that you'd also have to look out for.

That's insane though.

Editing the host file.

I don't even like screwing with that.

That's some deep level stuff.

Oh my God.

Wow.

These companies are out of control, man.

Yeah.

My brain hurts.

Just related to that, it's always DNS,

right?

DNS can be used against you.

DNS is used for evil.

Anyways,

I think that's all I have to say.

Do you want to talk about our next

story here?

Yeah.

My brain is still hurting from the host

file thing, so we'll just move on.

So this next story,

it helps if I share the actual screen.

Here we go.

So this next story comes from Four of

War Media.

It says,

a secure chat app's encryption is so bad,

It's quote unquote meaningless.

I mean, okay,

we'll go through it a little bit.

So the app is called Teleguard and I've

heard of it a little bit.

It actually rang a bell when I read

this.

I really, I'm not going to lie.

I really wanted a moment where I went

and checked the DMs on the forum because

we get a lot of projects and privacy

guides that message us directly.

And they're like, hey,

you should recommend our product.

And we always tell them like,

go post on the forum.

This is a community project.

Let the community vet it.

Um, so I,

I went and checked and I thought like

maybe I,

I knew their name cause they messaged us,

but, um, nothing like that, I guess.

So I don't know where I've heard it

from, but, um,

it has been mentioned on the forum once

or twice,

but never really like heavily recommended

or anything.

Just, I don't know.

But either way.

Yeah.

So this is an app that markets itself

as a secure end to end encrypted messaging

platform.

It's been downloaded at least a million

times.

Um, but apparently this researcher, uh,

found, it says there's no storage,

highly encrypted, highly encrypted, um,

kind of like military grade encryption,

right?

Anyways, um, Swiss made,

and there's an anonymous researcher in

March who contacted four Oh four.

They said that the private encryption keys

are sent to the company server upon

account registration.

And, um,

Jonah can correct me if I'm wrong about

any of this, cause I'm,

I'm speaking a little bit outside my

element here, but I think I'm,

I'm right about this.

Um, there are services like proton,

for example, that, um,

I don't know if I'd say the private

key gets sent to the server,

but they do have a way where like

you can log in from any device and

your email is decrypted.

Right.

But they also store that in such a

way where they don't really get the key

itself.

Um, I, again,

I could have the details wrong here,

but my point being like,

I think there is a way to store

private keys,

but they weren't doing it this way.

They weren't doing it in a way where

it's like,

we don't have access to your private key.

Like, no, they just had your private keys.

Um,

So yeah, they also...

I think it's further down.

They go through every single issue they

found,

which is basically like your private key

was derived from your user ID.

So anybody who had your user ID could

plug it into this API and decrypt your

messages, which is anybody you message.

Or a lot of people will post their...

Well, Signal, for example,

but a lot of people will post their

username publicly because they're like,

hey, anybody who wants to contact me,

go ahead.

They said further down that metadata was

stored in plain text.

So basically every single mistake you

could possibly imagine a company doing or

a messenger doing,

it seems like they were doing.

And oh, man, hold on.

I do have to find...

Yeah.

So the CEO, after publication,

the CEO contacted four Oh four via

LinkedIn,

hopefully from a company computer in a

direct message and said, quote, this,

the information is incorrect.

Exclamation point.

The person who gave you the technical

information that has completely misled

you.

That person is not competent.

Exclamation point.

Uh,

the CEO did not provide any evidence for

this or point to any specifics.

Um, very.

Yeah.

I don't know.

I always like when people do that kind

of stuff.

Very professional.

Um,

So is my making fun of them,

but whatever.

So yeah, I personally,

I wanted to share this story because I

feel like in the privacy community in

general,

I see a lot of people who I

think...

we get excited about new projects.

I think there's two kinds of privacy

people.

I think there's the people who get excited

about new projects and the people who are

suspicious of anything new.

But I see a lot of people who

get excited about new projects and they're

constantly like, oh,

there's this new messenger I just heard

about.

I'm excited to try it.

What does everybody think?

And first of all,

I think that's really awesome when you go

to other members of the community.

What do people think?

And because I have seen one of the

messages that I mentioned when I was

trying to figure out where I've heard of

this app before.

I went to the privacy guides forum and

one person was asking like, hey,

what does everybody think of this?

And a lot of people were like, oh,

it's proprietary.

Like this seems weird.

This seems weird.

There's a lot of red flags here.

I don't think anybody did like an actual

technical analysis like this person did.

But, you know,

it's good to get that kind of feedback

from other people.

Like I'm very open about the fact that

I don't really know a lot of code.

I did take a...

There's a little app that kind of gamifies

learning code, kind of like Duolingo does.

And allegedly it taught me Python,

but I wouldn't trust me to code anything

in Python if I were you.

I can now look at Python and recognize

it as Python, basically.

So that said, like,

I think it's really good to,

in my case, you know, like, hey,

I don't know enough about code to

understand this.

Can anybody else weigh in on this?

That's a really good thing.

But I think it's just this...

be a little bit cautious, right?

There's a fine line because on the one

hand, if we never trust anything new,

we would never have any mass adoption of

all these great tools like Proton, Intuda,

Signal, SimpleX.

All these really good tools would never

get out of the small phase because nobody

would ever trust them.

But at the same time,

we have seen so many apps that shut

down, sold.

Every once in a while,

it does turn out to be a honeypot.

And so there's a very fine line between

these things.

And-

Yeah, I would also ask,

especially with chat messengers,

one of my personal beefs is I feel

like there's

an obnoxious amount of messengers.

And one of the questions I always ask

with any new product, not just messengers,

but any new product is what are you

solving?

Like people send me links all the time

and they're like, this looks really cool.

And I'm like, okay, what is it doing?

What is it solving?

What problem is this solving that,

you know, whether it's a search engine,

an email provider, whatever,

like what is it doing that this existing

tool doesn't already do?

And I'd say about half the time people

are like, oh, I don't know.

I just,

I saw it and thought it was cool.

it's gotta be solving a problem for me

personally, but yeah.

So, um, I don't know.

Did you have any thoughts on this?

I know,

I think this one may have gone below

your radar a little bit,

but did you have any thoughts about it?

Yeah.

Um, yeah,

I think that's all a good takeaway.

Um,

thankfully the only thing I would say is

in the case of teleguards specifically,

um,

thankfully we've known about some of the

issues with it for a while.

I know that they note at the end

of this article, um,

TeleGuard handed over information to the

FBI in around,

according to the Washington Post.

That article was shared on our forum and

in all of the posts where TeleGuard is

brought up or in the thread about

TeleGuard itself.

People have known for a while that they

can provide information like the push

notification tokens and other information

and hopefully are avoiding that.

But yeah,

it's definitely a good thing to keep in

mind because there is a balance,

like you said.

We do need to have more products in

this space,

but knowing whether they work well is...

kind of tricky.

And it's always good to keep an eye

on this stuff because they certainly do

not always work the way that they

market themselves for sure.

I wasn't aware until I just read this

article that it was made by Swiss cows.

I've heard a lot of, well,

not a lot,

but I've heard their search engine brought

up a few times.

I know that they also have a file

storage service,

which is as far as I know,

just based on next cloud and uses like

the next cloud end to end encryption,

which isn't the best.

So they kind of just seem to be

one of the,

one of those companies where um they're

just putting stuff out there probably with

open source tools without really um adding

too much or changing it i don't know

if telegard is its own homebrew product i

would imagine it is because i don't know

of any like open source stuff that would

be um

that would have this poor encryption,

at least the people who are like forking

element, for example,

are getting a reasonably decent encryption

implementation,

whereas I don't know what's going on with

teleguard.

But yeah,

I think I think in this specific case,

people already know not to use it.

And otherwise,

with with stuff not like this,

it's it's everything you said for sure.

Yeah, I looked into Swiss cows briefly,

I think the only thing it has going

for it is it says,

like the search engine.

It says that it will censor adult content,

which I think could be useful if you

have really young kids,

just as like one of those layers of

defense, you know,

maybe set that as the default search

engine on the family computer and

But then we get into the whole topic

of like,

at what point is it appropriate to kind

of transition your kids off that?

But I don't know.

I remember when I looked into it,

that was kind of the only advantage I

saw was like, okay,

I could see this if I had young

kids and I just wanted it as one

more layer of defense of like,

I don't want them to accidentally find

their way onto something bad.

But yeah, of course,

for for immediate does note that Teleguard

has a reputation of being linked to cam

models and child abusers at the end of

this article.

So how much I would trust their approach

to child safety,

it probably would not be that far.

But yeah, in general,

it's probably a good idea for companies to

be a bit more thoughtful about all of

that stuff.

Yeah, that's fair.

I, I don't know.

I trust four Oh four,

but I'm not going to lie.

When I read that part,

my brain kind of went to like,

I wonder how much Teleguard does get used

for that stuff.

I don't know.

Yeah,

maybe if you turn a blind eye to

it.

I don't know how much they market it,

but I know that Kik had this reputation.

Maybe it still does, I don't know.

It does with me, that's for sure.

Yeah,

I've definitely heard this about various

messaging apps to the point where it seems

to be...

If you have that reputation and it

remains,

it seems to be kind of intentional,

and if it's on the radar...

Of these officers saying that they're

notorious for it,

that is a bit of a red flag.

Of course, with law enforcement,

it can always go either way because a

lot of law enforcement officers will say

Drive Fina OS, for example,

is notorious for being used by criminals

when in reality it's just a security tool.

But seeing as how this chat app doesn't

seem to provide adequate security,

I don't think it's the same sort of

situation.

Yeah.

Which not to get off topic,

but I know I've said in the past,

like,

cause there was that story about a year

or two ago about, um, apparently in Spain,

just having a pixel phone automatically

makes you suspicious,

like maybe not legally, but in practice,

it makes you suspicious because the only

people in Spain that have pixels are drug

dealers using graphene.

Um, and so it's the,

my argument when we covered that story

back then was like,

this is why we need to normalize tools,

uh, privacy tools,

because

if the only people using Signal are,

not that they're doing anything wrong,

of course,

but like dissidents and drug dealers,

then like it becomes like, oh,

you're on Signal,

you have something to hide, which,

you know,

in some countries being a dissident is

illegal.

So my point is I'm not trying to

morally group them into the same thing,

but my point,

it becomes something suspicious.

Whereas like if my stepdad is using

Signal, probably does not know what it is.

I had to download it and put it

on his phone and set it up for

him and get him in the family chat.

He didn't even know it could do video

or voice calls.

I tried to call him on it one

time and he didn't pick up.

So I called him on the regular phone

and he's like,

did you just try to call me on

signal?

I'm like, yeah, it does voice calls.

He's like, oh, I didn't know that.

So,

but my point being like when everybody's

using it,

then it takes away from that stigma

because they can't point to it and be

like, oh,

only bad people are using signal.

Really?

Really?

My seventy year old stepdad,

you think is running drugs from the

border?

Come on.

So anyways, yeah,

I just I know that's a little off

topic,

but I always feel the need to say

that.

So I think that'll take us into forum

updates if I remember correctly.

Yeah, well, in a minute, everyone,

we're going to start taking viewer

questions.

Of course,

you can always leave them in the chat

anytime.

But if you've been holding on to any

questions about any of these stories that

we've talked about so far, go ahead,

start leaving them now here in the chat

or in the forum thread for this live

stream.

Otherwise, yeah,

let's check it on the community forum.

There's always a lot of activity on the

forum every week,

so you should always check it out.

But here's a couple discussions that we

had

wanted to highlight from this week.

The first one is here about Russia's

internet blocks.

Let me get this pulled up.

This was just a discussion on a New

York Times piece which talked about

Russian internet restrictions and how

Russians are evading them.

So it's a bit of a cat and

mouse game there.

So the person who posted this said,

as some background, since early March,

Moscow and St.

Petersburg have experienced widespread

mobile internet blackouts,

not just blocked apps,

but full mobile data shutdowns.

Telegram is reportedly being blocked

entirely starting in April.

The government regulators now have the

authority to disconnect Russia from the

global internet entirely.

And some regions of Russia are on

lockdown.

whitelist mode meaning everything on the

internet is blocked except state-approved

services like yandex and government

portals um so yeah this version was

interested in whether or not there's a way

around this government censorship um which

could expand to europe and north america

The whitelisting situation,

that is pretty tricky because that's going

to block even the ability to use Tor

bridges, for example.

I know that Tor bridges are probably the

best way to get around censorship,

but if you're in a full whitelist

situation, that may not work.

At the end of the day,

if your internet service provider isn't

going to allow you to make any sort

of connections,

There isn't much you can do about that

besides find an entirely alternative

network.

So people in this thread note that Russian

citizens have started using Meshtastic to

communicate,

which is a decentralized network that

doesn't use the internet at all.

It uses LoRa radios,

which are small devices that you can

connect to your phone to communicate,

but they have very limited range,

although you can set up a mesh with

them.

There's probably other solutions,

but I think, yeah,

there's probably not too much you could do

from a technical perspective here that I

can think of.

Was there anything in this form that you

wanted to highlight specifically?

No,

it was really just kind of the Russian

internet blocks in general.

I know when those, well,

when the war in Ukraine first started,

I know Russia started cracking down on

VPNs.

And at the time I was with Surveillance

Report and Henry really made a good point

about how this is one of the drawbacks

of a centralized app store.

And at the time we were talking about

Apple,

but now it seems like we're starting to

talk about Android too.

Um, because, you know,

with Android and sideloading, uh,

which I know people don't like that term,

but you know,

Android and installing third-party

installs, whatever you want to call it.

It's, um,

it's kind of hard for Android to be

like, well,

we blocked VPN installs because they can't

block VPN installs and Tor installs.

Whereas Apple, you know, when,

when Russia came to Apple and was like,

Hey,

remove proton VPN and Nord VPN and all

these VPNs, they had no choice,

but to be like, all right, we'll do.

Cause you know that everything's so

centralized and locked down, but.

Yeah, with a total internet blackout,

the thing that comes to mind is years

ago, again, back on surveillance report.

So I interviewed John Todd,

who was the president of Quad Nine,

I think.

He's from Quad Nine.

I think he was the president at the

time.

I'm not sure if he's still there.

But it was interesting because we talked

about,

or it briefly came up about censorship

resistance.

And something he said that always stuck

with me is he's not a fan of,

DNS over HTTPS specifically for stuff like

this because if if the government starts

doing mass blocking at a DNS level and

you use something like DOH it makes your

traffic just blend in and eventually it

kind of like

I'm not trying to use language that is

sympathetic to a government for the

record,

but it kind of backs them into a

corner where they just decide to shut off

the internet entirely because they can't

figure out what traffic is going around

the censorship.

And I guess he was really ahead of

his time with that prediction because

that's basically what we're looking at

right now.

So yes,

it's a really tricky thing because how

would you, you know, and especially,

I don't know,

I feel like completely disconnecting from

the global internet is a completely

different beast that I don't even know how

we would handle that.

And I guess at that point it's,

I mean,

it's what are you trying to do?

If you're just trying to talk to people

locally, then yeah.

Things like Meshtastic, I think,

I really want to get into that,

but it looks like it would require a

little bit of skill just to kind of

first time dive in, you know,

to figure out the hardware and figure out

the install and the apps and the,

it feels like a bit of a commitment,

but if there's maybe a way to make

those things a little bit more

user-friendly or...

I don't know.

Yeah,

it's a good question because there's

different things you would need in that

situation, right?

I would need to be able to communicate

with my family here in the country,

hypothetically.

But then I would also need to be

able to communicate with the wider

internet and get information,

which here in the US, unfortunately,

we are kind of the wider internet.

But in another country,

that wouldn't be the case.

Or I mean, Proton even.

I wouldn't be able to check my ProtonMail,

so...

Yeah.

I don't know.

It's crazy.

And even Meshtastic,

that puts people in a dangerous situation.

And there's always the possibility that

Russia could, I mean,

both ban the use of it,

but also ban the import of Meshtastic

hardware.

I doubt any of it is being made

domestically in Russia.

And if anything is or could be,

the Russian government could stop that.

Yeah.

and also just using it,

or any sort of radio service,

you can be trivially tracked.

It does have a short range,

so it depends where you are,

but if people go around from the

government and try to track people down

who are using Matchtastic in the future,

they would pretty much be able to find

out who's

using it um so there so there are

concerns there i mean we even talked about

in a previous episode um i think it

was in belarus if i remember correctly um

ham radio enthusiasts were being accused

of like um being espionage agents

basically um for

for using their own like radio waves to

communicate rather than like these

government sanctioned things.

So it does like any of this amateur

radio stuff does put you in a dangerous

position in a country like this.

And especially if it becomes too

widespread,

it's very easy to imagine that Russia

would take a similar position to the

Internet in general and just blanket ban

it because they don't really need it.

The other reason this can't really be

solved from like a technical perspective

is

Um, like,

I don't think it's something that another

country like the United States or someone

else could kind of reach in and try

to solve for Russian citizens.

Like immediately what might come to mind

is something like Starlink, for example,

providing direct access to the internet,

bypassing, you know,

anything going on in Russia.

But Starlink,

like when that technology is in place,

we see it used for, um,

a lot of different things that the United

States and companies like SpaceX

definitely do not want to promote or

support.

We saw in the war with Ukraine,

for example,

Russian frontline troops were using

Starlink extensively to communicate on the

battlefield.

That's actually the reason SpaceX

does not operate in that region at all

and hasn't for many years.

And bringing it back for Russian citizens

to get around something like this would

just enable that usage of it again,

which they definitely don't want to do.

So it puts Russians in not a great

situation and really the only solution.

like we say for a lot of these

very widespread privacy issues,

whether it's age verification in Western

countries or mass censorship in other

countries, like in this case,

it's more of a social issue that you

have to resolve within your own country.

And hopefully people can fight back

against this there.

Because, I mean,

this should not be unacceptable.

I mean, this should not be acceptable,

if you know what I mean.

So, yeah.

Yeah,

it's definitely something tricky that I

don't know if we're qualified to solve.

But I guess if there's any takeaways on

this one,

it would just be kind of a...

I'm pretty open about having a mild

interest in disaster prep.

And sometimes that gets categorized as

wrongly it gets characterized as like you

know worrying about the end of the world

um which i don't care about that but

you know just little things like floods uh

hurricanes tornadoes earthquakes and

unfortunately we are in an incredibly

digital world so you have to think about

outages and cyber attacks and so um i

guess yeah if nothing else this is just

kind of a thought experiment of

if you're listening and you're in a

situation where you don't have to worry

about this yet,

just think about it a little bit.

Like don't lose any sleep over it,

but you know, what,

what would I do in that situation?

And just kind of give that some thought,

I guess.

The other forum post we were going to

look at, this one,

there's probably not too much to say on

this one, but there's a new video,

a YouTuber, this got shared on our forum,

that said, if you ran this debloater,

reinstall your system immediately.

And this is specifically,

so for the Windows users out there,

you know that there's a lot of scripts

that promise to do all kinds of different

things to your system.

Um,

there's a lot of ones that are popular

in the privacy community that promise to

remove a lot of telemetry and stuff.

There's also some that claim to optimize

the graphics and the performance and this,

that, and the other,

there's even entire windows ISOs that, um,

I want to say it was called Atlas

OS.

And if I've got that wrong,

I apologize to those guys.

But there was one that advertised itself

as like a gaming distro.

And it's basically like you install

Windows from scratch using this customized

ISO and it comes pre-optimized for gaming.

But the downside is it turns off Windows

Defender.

which I don't know why you would do

that.

So yeah, I'll be honest,

I didn't watch this specific video,

but basically it was not trustworthy.

I think it may have even come with

actual malware,

but don't quote me on that.

And so this whole thread is basically

talking about these deep loaders and

stuff.

And I think the official position of

Privacy Guides is that we don't recommend

them because they are...

They're tricky.

I know there's some that are open source

or source available, I should say.

And if you know code and you're

comfortable doing it, then sure,

you could look through it and make sure

that you verify what it's doing.

But it's definitely very...

A lot of these deep loaders,

you're giving them a lot of power over

your Windows system.

And...

If you're going to use one,

you have to be like come off of

a mountain and found a religion positive

that this thing is trustworthy because it

would not take much for it to do

something malicious,

whether that's planning malware,

crypto mining, stealing data, whatever.

So, yeah.

Absolutely.

I think I just wanted to take a

moment to mention that.

And it's worth noting this tool in

question is open source as well.

As far as I know,

it doesn't come with malware,

but it basically acts...

the way that malware would.

There's a pinned comment on this video

saying there's a few inaccurate

statements, but overall,

the conclusion of the video is that this

is all implemented poorly.

I do think this is a classic case

of like,

somebody putting something out there

without really fully understanding what it

does.

I don't want to say whether it is

or not,

but I think we're just going to see

this happening more often as more people

try to AI code tools to solve all

of their problems without really

understanding what they are.

Whether or not that's the case in this

situation,

it's definitely something to look out for

when you're running any sort of scripts

that you don't fully understand.

I think that is absolutely the most

important takeaway here,

that you cannot run any of these deep

loading scripts unless you know exactly

what they do and you see how they're

doing it,

because at which point you could probably

do it yourself, by the way.

But yeah, all of these scripts like this,

they affect the system so substantially.

And Windows is already such a not secure

and not private platform in the first

place that it doesn't really make a lot

of sense to me to try and improve

it, especially to this degree,

unfortunately.

There isn't really a ton...

that you can do at the end of

the day to improve your privacy on Windows

because the operating system itself is

going to be constantly fighting against

you.

So that's unfortunate.

It's cool to see more videos from this

YouTuber.

I first...

heard about this person who made this

video calling the other YouTuber who made

the script out because they made a video