A brand new exploit impacting iPhones.
The FBI has resumed buying location data
and Google's update to installing third
party apps.
All this and more coming up on This
Week in Privacy number forty five.
So stay tuned.
I don't.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we're working on
within the Privacy Guides community and
this week's top stories in the data
privacy and cybersecurity space.
I am Nate,
and with me this week is Jordan.
Jordan, it's been a while.
How are you?
I'm good.
Just excited to be here and cover the
latest news.
Yeah, it's good to have you back.
Privacy Guides, for those who don't know,
is a nonprofit which researches and shares
privacy-related information and
facilitates a community on our forum and
Matrix where people can ask questions and
get advice about staying private online
and preserving their digital rights.
With that,
we will launch into the biggest news in
the privacy and security space from the
past week.
And Jordan is going to tell us all
about hundreds of millions of iPhones that
can be hacked with a new tool found
in the wild.
Yes, that's right.
So basically there's a story here from
Wired.
A powerful iPhone hacking technique known
as Dark Sword, one word,
has been discovered in use by Russian
hackers.
It can take over devices running iOS that
simply visit infected websites.
So, uh, reading into this story here: iPhone
hacking techniques have sometimes been
described almost like rare and elusive
animals. Hackers have used them so
stealthily and carefully against such a
small number of hand-picked targets,
they're only rarely seen in the wild. Now
a recent spate of espionage and cyber
criminal campaigns have deployed those
same phone takeover tools
embedded in infected websites to
indiscriminately hack phones by the
thousands.
You might have to take over here, Nate,
because the article is paywalled for me.
Oh no, that's unfortunate.
Okay.
Um, yeah.
So, uh,
basically this article came or this
disclosure, I should say,
came from Google as well as iVerify
and another firm called Lookout.
They revealed this on Wednesday and they
said that this isn't really a, well,
I guess it kind of is.
Um, this isn't an exploit.
How do I word this?
This is an exploit on iPhones,
but also not,
because they're actually infecting
websites.
And then the websites are the ones who
are delivering this, again,
not even payload.
Further down on the article,
it says that this is actually one of
those
those malwares that can be defeated with a
reboot, when your device becomes infected,
it's able to grab as much data as
it possibly can.
And because it's not persistent,
it's actually pretty hard to...
for these cybersecurity companies to trace
evidence of it.
It's not like the typical Pegasus or those
kind of more advanced malwares that we see
where there's things that they can look
for.
I think it's actually right here.
It uses fileless malware.
Hold on.
Okay, yeah.
Rather than install spyware that persists
on users' phones,
Dark Sword uses stealthier techniques that
are more often seen in fileless malware
that typically target Windows devices.
They hijack the legitimate process on an
iPhone's operating system to steal data.
And then this is a quote from one
of iVerify's people.
It says,
instead of a spyware payload to brute
force your way through the file system,
which leaves tons of artifacts of
exploitation that are pretty easy to
detect,
this just uses system processes the way
they're meant to be used,
and it leaves far fewer traces.
Um, so yeah,
the upside there is that it does not
persist after reboot.
Uh,
but instead it steals data from the phone
within the first few minutes after it's
hacked,
which is called a smash and grab approach,
or at least that's what this guy calls
it.
So it's very, um,
it does the damage very quickly,
I should say.
And, uh, yeah, so I guess the,
The pro and con here,
and just in case anyone's wondering,
because earlier this week or late last
week,
we also saw there was a malware called
Karuna, which appears to be an iPhone,
not state-sponsored.
How do I explain it?
So for those who don't know,
a lot of the time we see...
We see companies,
big companies that will spend millions of
dollars to either find zero days or they
will go to places like DEF CON and
Black Hat and they will they will pay
big money if people there say, you know,
they do a presentation.
They're like, hey,
I found this this exploit.
And it's interesting,
and it's never been seen before.
They'll go up to those people and be
like, hey, next time, give us a call,
and we'll pay you to kind of keep
it quiet.
I believe it's Nicole Perlroth has a great
book called This is the Way They Tell
Me the World Ends that's all about the
zero-day market and everything.
So if you want to know more,
definitely check that out.
there was an employee of one of those
firms who was accused of selling access to
these tools to Russia.
Uh, I believe he was convicted recently.
And then around the same time we saw
this other malware or this other exploit
called Karuna,
which was making the rounds.
This does not appear to be Karuna,
but they do have evidence to believe that
this came from one of those zero day
resellers firms.
Um,
Which, you know what, yeah,
I'll go ahead and touch on that now.
So they talk about – and I know
I've said this in the past.
Like when Pegasus first came to light and
everything, a lot of people were like, oh,
no, how do I know I'm infected?
And we used to say like you're probably
not because this is not something they're
going to burn on any random person.
They're going to use this on like lawyers
and activists and political figures,
journalists, dissidents.
Um, the thing is, this Dark Sword one,
iVerify's Cole argues that the fact
that it was used so brazenly with no
real attempt to prevent its discovery
suggests that hacking techniques are now
attainable on the black market.
Uh,
attainable enough that hackers are willing
to use them indiscriminately,
even if the result is their exposure.
He says, if one gets burned,
I'll just go buy another one.
Uh,
they know that there's more where this
came from.
So, um,
I still think the risk of falling to
some of these malware is pretty low,
but it does seem to be increasing,
which...
unfortunately is something we see
historically.
I mean, we see this all across technology,
right?
Like when computers, computers alone,
when computers first came out,
it was like really expensive and only rich
people had them.
And now you can buy a Chromebook for
a couple hundred bucks,
which I understand is still relatively
expensive for some people.
But the point is the price came down
and now it's something that's much more
attainable to the average person.
So that does appear to be what's happening
with malware here.
Now,
the last thing I want to touch on
that was in the story,
that many of you may have noticed.
This only works on iOS,
which is because Apple changed their
naming scheme with the latest iOS.
So this current iOS is iOS because it
is it would be iOS if they hadn't
renamed it.
So this is the previous major version of
iOS.
However,
Apple confirms that about a quarter of all
their devices are still running iOS.
That could be for any number of reasons.
Liquid Glass was really, really unpopular,
so a lot of people did not like
iOS.
A lot of people choose not to update
because they don't want the AI features,
which I think might actually be in iOS
I could be wrong there, but yeah.
Apple, as another explanation,
for some reason,
Apple is really bad at automatic updates.
We were talking about this in a group
chat the other day, actually.
It's like every time I go to the
app store on my iPhone,
it's got like a bunch of apps that
haven't updated,
even though the update came out like three
or four days ago.
And you have to update those.
There was a...
Actually, if you're an Apple user,
there was a background security update
that just came out earlier this week that
most people,
it did not automatically install.
So go check for that.
It's just, yeah, Apple's,
so that could be part of it.
And just for context, there are,
I checked, according to one source,
there's one point five billion iOS devices
out there right now in active use.
So a quarter of those is still like
three hundred million,
which is like the entire population of the
U.S.
So even though this is an older iOS
device,
it still affects hundreds of millions of
people potentially.
And if this has fallen into the hands
of the average...
What's the word I'm looking for?
The average cyber criminal, then...
What I was saying earlier about they're
only going to use this on dissidents and
journalists,
and unfortunately that does not seem to be
the case.
So it is really important to keep your
stuff updated.
It is...
Yeah, I don't know.
I think that's all I got to say
is it is really important to keep your
stuff updated.
And I see some people in the comments,
personal pet peeve,
I see some people in the comments
sometimes that are like, well,
I'm still on Android twelve because I
don't want the AI stuff.
And it's like,
I respect that you don't want the AI
stuff and I'm not telling you you should
just embrace it.
But at that point,
maybe you should be looking into like
alternative ROMs or moving to a more
trusted OS because, yeah,
sometimes these security updates really
are important.
Um, I think that's kind of the, the
bare bones of the story, and that's all
I got. Did you have anything to add
that I missed?
Um, I think it is
important that we talk about specifically
like what this attack actually looked like.
So if you don't know, this is like
sort of, I guess, uh, iVerify was
saying this is like a watering hole attack.
So basically that means it's an attack
strategy where basically an attacker will
find websites that users commonly visit
and then use those websites to distribute
malware.
So in this case, it was
The attack was against users running iOS,
eighteen point four to eighteen point six
point two.
So just to be clear,
the if you're fully up to date on
iOS eighteen, you should be on, I think,
iOS eighteen point seven point something.
So this didn't affect like even if you're
running iOS eighteen,
it may not affect you.
So just be aware of that.
And the attack itself was basically
as far as iVerify is stating here, it
was a, you know, an attack from Russia,
and it was specifically, um, used on
government websites, so Ukrainian
government websites. Um, so that was any
website ending with gov.ua. So basically
they were able to, um,
compromise Ukrainian government's servers
and basically put this malware out there
onto these devices.
And especially because it was a government
website, it was very, you know,
no one from another country is going to
be visiting that website.
So it's a pretty effective way to infect
a lot of people's devices.
And I think, you know,
staying up to date is important as well.
But I think, you know,
I think a lot of people probably wouldn't
have been affected by this if they were
running lockdown mode,
because it does sound like this is
probably that would probably block the, uh,
the exploit chain, because in a lot of
cases this, this exploit itself was written
in JavaScript, and the exploit, according to
iVerify, it was, uh, it used six
vulnerabilities across two exploit chains.
So, um, I think, you know,
Staying up to date is important,
but also minimizing your attack surface.
So in this case,
not using all these third party, um,
you know, JavaScript libraries,
locking that down with lockdown mode,
that's gonna definitely protect you in
that case.
Same thing with Android, right?
You can, I know on GrapheneOS, they,
they use like MTE on the browser and
a bunch of other protections.
So I think reducing the attack surface and
just in time is also commonly exploited
JavaScript.
Um,
So I think disabling a lot of those
things can help, but obviously, you know,
updating your device is important,
but I think, you know, it's usually the,
uh,
these things that like are there for like
web convenience and are actually there to
protect you.
Like the.
they use for rendering WebGL stuff,
that that can be exploited.
I think it's important to be aware of
that and not to just trust every single
website just because it's a government
website, right?
Um,
so I think there was another thing that
they also said, um,
basically because they didn't obfuscate
the JavaScript, um,
it basically was sitting on the website
and a bunch of other groups were stealing
the code to use as well.
So, uh, apparently according to iVerify,
um,
a Chinese criminal group was also using
this, um, Dark Sword and Karuna exploit,
um,
So yeah,
just be on the lookout because people are
definitely using this.
So make sure you're updated.
Make sure you're using lockdown mode if
you're thinking you might be a target of
this.
But it does seem like this is like
a very large
like they're trying to target a lot of
people with this.
It's not like a specifically, um,
it's not specifically targeted towards a
single individual.
Um,
so I'm sure that there's people in the
military,
in the Ukrainian military who probably
visit those websites who unfortunately
have been, um, compromised.
So it's,
it's a wide,
they're casting a wide net to, to,
to get access to people's, um, devices.
But I think, uh, I think the,
the estimate that they've given on here
was on the, on the,
on the high side.
I think I saw a couple of other
websites saying it was closer to two
hundred million devices affected.
So I don't know.
I think it's, yeah,
just be on the lookout for that.
I don't really have too much more to
add.
Do you have anything else you want to
add here, Nate?
No.
Yeah,
that like three hundred million number was
just an estimate I came up with by
doing the math of like one point five
billion devices or whatever.
So it may not be exact.
That may be on the high side.
But yeah,
it's thank you for mentioning lockdown
mode because I definitely forgot to
mention that.
They did say that lockdown mode would have
defended against this.
So Apple did.
Like you said,
they did push out an update to devices
that are not able to update to iOS
twenty six.
So if you're sitting here and you're just
like, I can't update, dude,
we'll make sure you get that update at
least because that would be helpful.
But yeah, also lockdown mode is helpful.
Yeah, like you said,
that's an important piece of context is
whoever got a hold of this,
which I think was Russia, like you said,
they kind of left it out in the
open.
So originally they were using it
specifically on like Ukrainian news sites,
Ukrainian government sites,
like they were clearly targeting
Ukrainians.
But now that they just left it out
there unsecured and anybody can go grab it
and there's like comments in the code
about what each module does and how to
use it.
So it's kind of like,
They made it so easy now,
and now it's out there in the wild,
and who knows where it'll pop up.
So yeah, that's unfortunate for sure.
Definitely.
I guess we can move on to the
next story here,
if you want to take that.
Sure.
So this next story is about the U.S.
government buying location data.
And I know this probably...
This is and isn't a surprise.
So back in twenty twenty three,
the government put a pause on buying
location data.
I cannot remember if that was something
that they were ordered to do by the
White House or if they just stopped doing
it for one reason or another.
But they stopped doing it.
And now I think confirm is a strong
word here.
Here in the title, I believe, is that,
yeah, director confirms he didn't confirm.
So the question was.
Basically, Ron Wyden,
who I think not a controversial take.
We like him for privacy at least.
I'll be honest.
I don't know any of his other policies,
but he does really good work for privacy,
and he's really on the ball for that.
He asked the FBI – or he asked
Kash Patel if the FBI would commit to
not buying Americans' location data,
and Kash Patel said that the agency,
quote,
uses all tools available to do our
mission.
So he didn't directly say it,
but he I mean, you know,
come on when he refuses to admit it
for sure.
So this.
This is a. Outside of the privacy space,
because I think in the privacy space,
we all universally recognize that this is
an awful thing that needs to stop.
But even even in mainstream circles,
this is a very controversial thing that
the U.S.
government does law enforcement because.
Law enforcement is supposed to get a
warrant whenever they want to search your
data.
And by going to these third-party vendors,
they don't have to get a warrant.
But the article notes that, interestingly,
this is –
Well, okay, maybe this isn't a one-to-one,
but the FBI claims it does not need
a warrant to use this information for
federal investigations,
though the theory has not yet been tested
in court.
So the way that I read that is
like maybe this whole –
going to third party brokers,
if that went to court and a judge
said, no, you can't do that,
then maybe that would become illegal,
but it has not yet been to court.
Or maybe it is just totally legal.
I know,
I believe Wyden has in the past tried
to introduce a bill.
It was called like the fourth amendment is
not for sale act or something,
which would have outlawed this
specifically,
but of course it did not pass.
And now I know the,
I think Section seven oh two,
if I remember correctly, which is,
what allows the NSA to like bulk collect
data, um,
that I believe is up for renewal and,
um,
hopefully will not get renewed.
But then it says here at the end
that Wyden and several other lawmakers
have introduced a bipartisan act called
the Government Surveillance Reform Act,
which among other things would require a
court authorized warrant before federal
agencies can buy Americans information
from data brokers,
which personal opinion does not seem
unreasonable.
Like I don't think anybody's telling them
not to do their job.
I think we're just telling you to go
through the proper channels where there's
oversight and there's accountability.
But I don't know.
They seem to disagree for some reason.
The last thing I want to mention here
– this has become a little bit of
a personal crusade of mine.
It says here for audio listeners,
it says that U.S.
Customs and Border Patrol control – Border
Protection, excuse me.
U.S.
Customs and Border Protection purchased a
bunch of data sourced from real-time
bidding or RTB services according to a
document obtained by 404 Media.
So –
For those who do not know about this,
there's a lot of really good resources out
there.
EFF has an article.
I mentioned before that Byron Tau has a
book called Means of Control that dives in
deep into this.
But the way that ads on the internet
work is you go to a website that
has ads.
Let's say Reuters because as much as I
like Reuters,
their website is littered with ads.
Most news websites are.
So you go to a news website and
–
When there's that ad space,
they basically open it up for bidding,
just like any given auction.
They're like, who wants this ad space?
Who's willing to pay the most for it?
And in order for those advertisers to
decide how much they want to pay,
they get your data.
They get a copy of your data so
that they can decide, oh,
this person is worth this much to me.
And then they submit their bid and whoever
wins, you see that ad.
The thing is they don't have to bid
to get your data,
which in theory makes sense, right?
Because if they get your data and they're
like, oh, nevermind, I don't want to bid,
but they still have that copy of your
data.
And so this is a proven thing.
There are companies out there who will
enter the advertising ecosystem just to
get a copy of your data and then
turn around and sell it to people like
the FBI.
So where I'm going with this is if
you are not using an ad blocker,
That is, in my opinion,
one of the currently most overlooked ways
to protect your privacy.
And obviously there's a million other
ways, right?
You need to switch to a secure messenger.
You need to switch to a...
private email.
Ideally,
we should get off Windows and switch to
Linux and stuff.
And I know I have a Mac in
front of me.
It's specifically for streaming and
editing, for the record.
This is not my daily computer.
But we should make all those steps.
But to me,
the lowest hanging fruit to start with is
installing an ad blocker because that
real-time bidding is happening everywhere,
all the time, constantly.
And like I said,
they don't even need to bid.
They can just sit there and collect your
data and then resell it to
whoever they want.
Um, so yeah, that is that story.
That is my takeaway from that story.
Um, Jordan, did you have any,
any additional thoughts on that one?
I mean,
I guess like this is kind of surprising,
but I guess not like with,
with the prevalence of data brokers and
stuff like that, it's not that surprising.
Like they said in the, Oh,
they said in the article, um,
there was like, you know,
the FBI is going to use all tools
at their disposal to do their job.
So, um, it's kind of, you know,
it makes sense that they would do that,
but I guess it needs to be like
Senator Ron Wyden was saying, like,
it's not really consistent with the
constitution.
Like it's a little bit,
they kind of bypassing a lot of the
protections that people had with,
you know,
places having to require a warrant
instead.
Um,
It is, yeah,
I don't really have too much to add
here, really.
This is sort of a very American story,
so I can't really comment too much about
it.
Yeah, that's fair.
Yeah, I mean,
it's a pretty straightforward story,
really.
I don't have too much to add other
than what I already said.
But just before we continue,
I just did see a couple of comments
we should probably quickly mention here.
So there was someone who said,
how do you find out what security updates
have been loaded if you can't update to
iOS twenty six?
So I wouldn't update to iOS twenty six.
If you're on iOS eighteen,
just make sure you're on the latest
version of iOS eighteen.
Um,
I would also check the background security
improvements tab as well.
Um, that will also have like,
there was a,
there was a background security
improvement that was released.
I don't know if that's for iOS,
you have to look at that.
Um,
but I would make sure you're on the
latest version of iOS.
You don't have to update to iOS.
Um,
I think the latest versions fix a lot
of these issues.
So.
Yeah,
I wouldn't be too worried as long as
you're on the latest version.
Someone also said,
what is the timeline for the disclosure of
these sorts of things?
Is the idea it's better to announce it
to help make people update?
I think they've already released.
Usually, they notify the company,
in this case, Apple.
Apple releases a fix,
the fix gets released,
and then they disclose it to the public.
And then that's basically where we're at
right now.
You need to update.
to make sure you're not,
there's no background improvements option
to check.
Uh, maybe that's an iOS twenty-six thing.
I don't think so though.
Um, I believe it's in...
I don't have an iOS eighteen device to
check exactly where it is.
Um, but there is,
there should be a setting there.
Um, but yeah, we're in the,
we're in the point right now where we
need to be updating.
That's why iVerify came out with like this
whole, um, press release, I guess,
about the Dark Sword attacks and...
Karuna stuff.
Um, so yeah, it's kind of, uh,
unfortunate, but I think people should be,
that's why we're trying to share it as
like the main story here,
because if you're running an older version
of iOS,
I kind of do wonder as well,
if this would affect older devices,
for instance,
like I was and I was because I
know there's some devices that are limited
to like iOS or .
So it'd be interesting to see if they're
also affected,
but
Yeah,
I think this is one of those things
where you need to be using, I think,
I think lockdown mode doesn't really
introduce that many problems now.
Like a lot of websites have already fixed
out.
Um, oh, it's only iOS,
that has background improvements.
Okay.
I thought it was a,
I think they called it something else.
They call it like rapid security responses
or something.
Um, so maybe, I don't know, that is
a good point, I guess. Um, looks like
Nate is back here. Hello.
Hopefully I'm back.
Um, this is the first really warm day
we've had of the year, and I think
my camera was overheating, so, um, if it
goes out again, I apologize, y'all, but I
think I found a solution for now that
can get us through the episode.
Awesome.
Then, uh, why don't you take us into
the next section of the show here?
Yeah, so, um, in a little bit we're
going to talk about Google's updates to
their third-party app installation
procedures, but first we're going to give
some updates about what we've been working
on at Privacy Guides this week. So we'll
start by talking about the videos. Our
private messaging video is now available
to the public, so if you are not
a paying member, you can
access that now. Paying members do get
early access to these things, but, uh, that
is up. Our next video will be about
encrypted email, um, which, that is fully
recorded and the first round of editing is
done, so that is off to Jordan to
work their magic, and they, uh, they do
all the graphics, the zoom, and they
basically just make it look a thousand
times more awesome, which we are super
grateful for.
And we, a lot of you guys,
if you tuned in last week,
you saw that Jonah and I were at
an event for South by Southwest,
an unofficial event.
And we had the awesome opportunity to
record some of those talks.
And those should be out hopefully in the
next coming days.
They should be trickling out.
There's only a few of them,
but they were really insightful and really
good.
And we wanted to share those with you
guys.
So expect those in the near future.
Awesome, yeah.
I think there's also, yeah,
Nate's kind of been piling on the videos
for me to work on.
So I've got quite a big backlog now,
which is great.
So definitely be on the lookout.
I think we're trying to have something
come out next week
For our members,
hopefully that encrypted email video.
That's the plan at least. So definitely
look out for that.
And there was also a couple of extra
things we should have mentioned. We had
Privacy Guides news articles coming out. So
Freya is working on that every week and
we have a couple of new articles that
came out this week. One was about Instagram
ending end-to-end encryption on their DMs,
which is kind of a
very surprising, I guess, but also like
Facebook being Facebook, I guess. Um, they
just end up making their product worse. Uh,
I don't know. Instagram has notified its
users that it will no longer support
end-to-end encryption after May eighth. So
if you use Instagram, I feel like not
many people in our community are using
Instagram, but it's good to know, uh, good
to put the info out there, but
And there was also another one about,
we were debating on talking about this
one,
but Pokemon Go players' data was used to
train visual positioning AI.
So there was a parent or spin-off company
from Niantic which basically runs Pokemon
Go and they used images from Pokemon Go
to train its visual positioning system.
So that is kind of scary too.
Freya did a great write-up on that so
definitely check that out as well.
And there was also another thing,
it's kind of another thing where we're
keeping on the lookout,
which is like the homomorphic encryption.
Intel made an advance in that area.
I think it's a lot to do with
these, you know,
the ability to do server-side processing
end-to-end encrypted.
So the server processes the data,
but it doesn't,
isn't available for the server to access,
which is kind of a problem we have
with like AI at the moment.
because it's kind of hard to run that
on your device as well.
Like, you know,
you need a lot of RAM,
you need a lot of CPU processing power.
Mobile devices can't really do that.
So yeah,
this is basically a trusted execution
environment,
which segregates the CPU using encryption.
Definitely read into it.
Freya did a great write up of that
as well,
explaining the whole system there.
So if you're interested in that,
check that out too.
But yeah,
if you want to stay up to date
with that stuff,
you can go to privacyguides.org forward
slash news if you want to check out
that.
Nate's also doing every week,
he does a Data Breach Roundup,
which is
really useful if you want to make sure
you stay on top of things and you
aren't missing if you're in a breach.
A lot of tools that detect if your
credentials are in a data breach are
usually pretty slow to determine that
because they have to add the data set
to scan it.
So if you're wanting to keep on top
of data breach stuff,
definitely check that out.
Nate does a great job on that.
It's very comprehensive.
Let's see how many here.
One, two, three, four, five, six, seven,
eight.
Yes.
So eight ones this week.
I basically write about any data breaches
that come through my RSS feed that affect
individuals.
If it's like company had their source code
stolen, I don't usually cover that stuff.
But yeah, so it varies week to week.
Sometimes there's like three,
sometimes there's like twelve.
So kind of a medium, a midweek,
which is,
I guess less data breaches is better.
Let's normalize less data breaches.
But yeah,
that's kind of what we've been working on
this week.
I guess we can head into the next
article here.
Nick kind of mentioned it before.
Basically Google is making changes to,
if you haven't heard already,
there was this whole project with Keep
Android Open.
And basically Google was trying to
combat malware by basically restricting
application installation on your device,
but it was usually apps outside the Google
Play Store, so it would stop you from
installing that. And there's been a huge
amount of backlash to this as well. Like
we've, uh, we signed the open letter to
Google, um, with Keep Android Open, and if
you notice that on our socials, um, you
can share that with your friends and
family, get people talking about this,
because I think it's important that
you know,
people are pushing against this because
it's basically Google using their power as
a monopoly here.
Like they do have control over the Google
Android ecosystem.
It allows them to make these sort of
wide reaching changes with really no one
to stop them.
Well, I guess we are,
we are trying to stop them,
but
Clearly,
we do have some power because this week
there was a change.
Actually, it was, I believe,
today or yesterday.
There was a change.
Google detailed a new twenty four hour
process to we're not going to mention
sideload here.
We're going to we're going to say install
unverified Android apps.
because that's what it is.
You're not sideloading, you're installing.
So Google is planning big changes for
Android in twenty twenty six aimed at
combating malware across the entire device
ecosystem.
Starting in September,
Google will begin restricting application
installation with its developer
verification program.
But not everyone is on board.
Android ecosystem president Sameer Samat
tells us that the company has been
listening to feedback.
And the result is the newly unveiled
advanced flow,
which will allow power users to skip app
verification.
So I think one thing to mention,
like right off the bat here,
people will probably have, uh,
they're probably thinking like, oh,
does this affect my GrapheneOS device?
Oh no,
I'm not going to be able to install
apps without going through the
sideloading, uh,
installation process that warns me I'm
installing something.
No,
this is affecting Google Android devices.
Um, so just to put that preface here,
um,
So basically, uh,
as Nate's showing on the screen,
there's now this new advanced flow for
power users to install apps from
unverified developers.
So basically Google wants developers to
register centrally with them,
which often requires payment
identification.
Not many people who create these,
you know,
independent free and open source apps want
to verify through Google.
It's the whole point, right?
Um,
Yeah.
So there's a twenty five dollar fee.
These independent developers, you know,
I think a lot of independent developers
aren't really up to paying the twenty five
dollar fee.
Like I've seen people who were kind of
like, oh,
I don't want to pay Apple's one hundred
dollar a year thing to publish on the
App Store.
Same thing in this point,
like twenty five dollars.
for someone in India might be a
significant amount of money or in Turkey
or, you know,
a country where the currency is worth a
lot less.
So I think that also puts another barrier
on people where, you know,
they would be able to release apps without
having to worry about that.
But it does seem like Google has folded
a little bit here.
Basically,
The whole flow is that it makes sure
no one is telling you to turn off,
to allow you to install from unverified
sources.
Basically it'll say, yes,
someone is guiding me.
No one is instructing me.
And then it starts a security delay of
twenty four hours.
And once that delay has been passed,
then it allows you to select which option
you want to do,
which is turn on temporarily,
which will allow installing unregistered
apps for seven days or turn on
indefinitely,
which will allow unregistered apps to be
installed indefinitely.
And it does give you a confirmation tick
mark.
You can select install anyway.
I think this is.
really just, uh, we can kind of read,
uh, Keep Android Open did actually put a
response to this, so let's just have a
look at what they said. Um, but I
think you can take that, um, Nate, if
you want.
Sure. Uh, give me one second.
I'm pulling that up right now. I had
that tab open and then I closed it.
Okay. Um, so Keep Android Open, yeah, they
did. They said this is not a solution.
Um, and they kind of highlighted some of
the
issues in this is the actual workflow.
I think this is actually copy and pasted
from that article we were just showing you
guys.
But they say you have to enable developer
mode,
which there I think this is to kind
of illustrate to people why this is a
little ridiculous.
And to me,
this also was like the first thing that
I was like, oh, but why?
For those of you who've never enabled
developer mode,
you have to go into your settings.
You have to go to about phone and
then you have to find software build
number and you tap that seven times.
Which, I mean,
obviously it's tapping a screen.
It's not that hard.
But just the fact that you...
Because once you enable developer mode,
then you unlock a whole new menu of
settings.
And it's just kind of like,
but why do we have to go in
there to enable this?
That is very onerous.
And then they point out that they call
these scare screens,
confirming that you are not being coerced.
You know,
there's another scare screen warning.
And then, of course,
the twenty-four hour waiting period,
which...
As Jordan noted,
Google's argument for the twenty four hour
waiting period is that.
So I'm not trying to defend Google here,
so follow me on this one.
From what I understand.
Sideloading malicious apps is a much
bigger problem in other parts of the world
outside America and Europe.
Like I think they said it's going to
roll out in.
like Brazil.
Yeah, here it is.
Brazil, Singapore, Indonesia,
and Thailand.
And that's because those are the areas
where these types of scams are extremely
common.
And the way those scams will work is
they'll call you with some kind of
pretense about like, oh,
your bank account's under attack or
whatever.
We need you to update to the latest
app,
but it's not in the app store yet.
So we're going to have you sideload it
and they walk you through the process.
So the idea is that if there's a
most scams, um, as you guys probably know,
most scams rely on urgency.
They want you to just do it now
so that your brain doesn't have time to
kick in and go, wait a minute.
Like, I don't know if, uh, well,
some of the older members of the crowd
might remember.
And I'm counting myself when I say that
back in like,
there was a scam going around that was
like, Oh, I was on vacation in like,
you know, um,
was it like somewhere in Southeast Asia,
not India,
but like
Not Thailand.
I can't remember where it was.
But anyways,
I was on vacation in this part of
the world and I lost my passport and
I got arrested and I need you to
wire me like two thousand dollars to buy
a new passport.
And I remember I got that one from
my mom and I just laughed and deleted
it because I'm like,
we don't have the money to be traveling
like that.
Like, I know this is a scam.
There's no way.
Um, and so,
but a lot of the time,
like when you get those,
the idea is like, Oh,
I need it quick.
Or they're going to, you know, my,
my hearing is tomorrow.
Like the embassy is going to be closed
this weekend.
Like they want you to not think and
to just do it because once you start
to think you're going to be like,
wait a minute,
why didn't they tell me they were going
to Thailand?
That seems like really big news.
They would tell me.
Um, and again,
there's like a million other variations,
but the point is that's,
that's the point of the
force that, that period of time where it
stops and slows down. But, um, yeah, that,
that is still really onerous, because now,
like, let's say I get a brand new
phone, right, and I'm trying to set up
this phone, and, you know, being in privacy,
I do a lot of sideload, excuse me,
installing. I do a lot of app installing
from non, uh, outside the Play Store, and
so now when I get that phone, I
have to enable this and then wait a
whole day before I can actually start
setting up my phone, which is
Really not cool, especially if,
I don't know,
your phone blows up or something.
Wouldn't know anything about that.
But anyways, yeah, all that to say, like,
I agree with them.
I think this is really...
On the one hand,
I feel a little bit of sympathy for
Google.
Just a little bit.
Because they do want to... You know,
they pointed out here in the actual
article, they said that...
Where was it?
Yeah, in a lot of countries,
there's chatter about if this isn't safer,
then there may need to be regulatory
action to lock down more of this stuff.
And I don't think that it's well
understood.
This is a real security concern in a
number of countries.
And that came from Google's spokesperson,
which, yeah, I mean,
obviously he's trying to push his
narrative, but I think he's right.
I think this is a real security concern
that Google's trying to solve.
However,
I also don't have a lot of sympathy
for Google because I feel like every
month, at least once a month,
usually more than once a month,
I read an article from Bleeping Computer
or Ars Technica that's like, oh,
Google just removed an app from the Play
Store that was malicious and it had like
a million downloads or a couple million
downloads.
And it's like,
I never read those stories from Apple.
And again, Apple's got problems.
I'm not trying to put them up on
a pedestal.
But
My point being is like,
and they do happen with Apple,
for the record.
I've seen them.
But those happen a couple times a year,
tops.
Whereas with Google, again,
it's like almost every month,
sometimes even more than that.
So I find it kind of hypocritical that
Google's like, oh,
we need to fix this problem.
But you're not necessarily guiding people
towards a safer alternative.
You haven't really made the Play Store
safer, in my opinion.
So it kind of weakens their argument.
But yeah, yeah.
I don't know.
I think if we want to give Google
the benefit of the doubt,
which I know a lot of people don't,
I think they are trying to strike...
I think now because there's pushback,
they are trying to strike a balance.
But I definitely understand that this does
feel very heavy handed.
I'm not looking forward to the idea of
like I'm getting a new phone and now
I have to wait twenty four hours,
which I mean,
I guess I use custom operating systems
that, you know,
the classic like that won't affect me.
But, you know,
my wife still uses stock Android and she's
not ready to make the jump to custom
operating systems yet.
But she does use, like, Neo Store and
some of those alternative systems,
um, sideloading, excuse me, uh, those
third-party app installation features. And
so it, again, it sucks that it's like
she's gonna get a new phone and it's
like, hey, first thing you do, go in
and turn this on, because we gotta wait
a whole freaking day for it to get
out of the waiting period. So yeah, I
don't, I don't think this was the best
solution they could have come up with, and
I, I think they, um,
I don't know.
I don't know what is the best solution,
but yeah,
I think this is really heavy handed and
I would like to see something even less
obnoxious than this personally.
My big thing is the developer settings,
but I know there's other issues as well.
Yeah, I agree.
I think this is...
Obviously, it's not ideal,
but I think it's important to remember
here a thing that the Keep Android Open
team was saying here is this entire like
the thing that we showed before that Nate
had on the screen,
it was the entire flow is delivered
through Google Play services.
So it's not actually part of
the Android operating system.
So the thing with Google Play services is
that it kind of just automatically updates
and applies changes to operating system
without your consent.
This is useful for Google because they
need to roll out fixes or introduce new
features.
But when it starts being about whether you
can actually install apps from third party
sources,
I don't think we want Google to be
the
the arbiter. Um, I think, you know, uh,
they state here the advanced flow has
still not appeared in Android beta, dev
preview, or canary releases. So basically
this entire flow that they're displaying
is
basically just a blog post and some UI
mockups.
So I think we should wait until we
see how exactly this works until we
actually get our hands on it.
I don't think anyone should be accepting
this.
And I think there could be a better
way to do this.
I don't know what that solution would be,
but I think, you know,
as soon as you start placing
restrictions on third-party developers,
I think it's getting to the point of
like, it's slightly anti-competitive.
I mean,
a lot of these apps aren't trying to
make money,
but
I think everyone should get a fair chance
of being installed on someone's device.
People should be allowed to choose what
they want on their device.
They shouldn't have to go through a
twenty-four hour waiting period to install
something on their device.
We should be able to choose what we
want on our device.
So, I don't know,
I think just from a freedom perspective,
Everyone should be in favor of people
being allowed to install software on the
device that they've paid for.
Like Google is basically just becoming the
arbiter of app installs on your device.
It's like a very, I don't know,
like people definitely wouldn't have
accepted this like ten years ago,
but I feel like we've gotten to a
point now where like everything is so
locked down.
like restrictions on apps are becoming
worse and worse.
So people are more likely to accept this
slight compromise that Google's made here.
But I think it's still not time
personally.
I mean,
I know Nate said like he was he
felt like it was a decent middle ground.
I think it's okay,
but I think we can definitely push Google
for something a bit better.
And hopefully we'll actually see an
implementation of this before it actually
gets released.
Because I think right now we've only got
like a hundred and sixty three days until
it's locked down.
So we need to see a working prototype.
We need to see at least something from
Google to know that this is not
kind of just a sham to make everyone
stop talking about this and be like,
Google has announced that they're going to
fix it.
You don't need to worry about it anymore,
everybody.
And then, you know,
Google rolls out the original
implementation.
But yeah,
someone says Play Store sucks and
Yeah,
I think Nate just said there was so
much malware on the Play Store.
I don't think it's particularly useful
that they're saying... Obviously,
there's a larger percentage of malware
used through these unverified apps, right?
But I don't think the Play Store is
also very safe because I've got
grandparents,
I've got older people in my life, and...
They absolutely will install a torch app
that requires your GPS location and your
camera and your
messaging history and your contacts and,
you know, they weren't,
they weren't bad at that.
And that's clearly like a data harvesting
app, but Google play has no problem, uh,
allowing that app to be, uh,
installed on people's devices.
You know,
there's apps that like spam your phone
with notifications and like ads that's
perfectly fine to exist.
Um, I think, yeah, every,
every store is going to have, uh,
Every store is gonna have malware and
issues.
I think even really curated ones are gonna
have apps that have vulnerabilities as
well.
And I'm sure something might sneak through
eventually.
It's not like there's definitely not a
zero percent chance
And I think, yeah,
most people would prefer,
most people probably don't even know that
there's another way to install apps.
Like most people would just assume that
Google Play is like where you get your
apps from.
Like it's kind of a problem that Google's
created because they want to be the number
one place to get apps, right?
So yeah, anyway, sorry,
I feel like I've been rambling a little
bit,
but hopefully that helped add some points
to discuss here.
I mean, I ramble plenty,
so it's totally fair.
Yeah.
And I mean,
just to kind of back up what you
were saying, like, yeah,
there's never going to be a perfectly
vulnerability free store.
I mean, like I said,
it happens to iOS every now and then.
It's just it happens a lot less on
iOS.
And I feel like to Google's defense to
what you were saying is they will remove
apps as far as I know once they
get found.
But it's the fact that they got there
on the first place.
Like,
why does this happen so much less on
iPhone?
And I have to assume it's a vetting
thing because, you know, I mean, sure,
there's a higher barrier to entry to put
your apps on an iPhone in the first
place.
But at the same time, it's like,
They still try to submit malicious apps
there too.
Like there was a study a few years
ago about how Apple has stopped like a
quarter of a million malicious apps from
ending up in the app store.
To be fair, maybe Google's got like,
we've stopped one million.
Like I don't know what their stats are.
But my point being is like,
clearly Google could put more effort into
this.
And I just feel like it's really
disingenuous to be like,
we want to keep people safe.
So we're going to push them into our
store, which is only marginally safer,
arguably.
And it's also like a...
um, what do you call that?
Like a survivor bias or a confirmation
bias where it's like, okay, sure.
We hear about all the maliciously
third-party unverified apps that get
installed, but at the same time,
what about the, you know, I,
at least fifty percent,
probably more than that,
of the apps on my phone are third-party
unverified apps.
They're, you know, Nextcloud, they're, um,
Trying to think what else I have on
there.
I don't know.
My brain's drawn a blank, but they're,
they're all things that, like, Signal,
you know, they're,
they're all things that I can obtain from
outside the play store.
So I prefer to do that because I
don't want the Google analytics there.
And it's like, those are never malicious.
So those never get reported, but you know,
it's yeah, I don't know, but it's crazy.
And just to be clear,
I didn't necessarily say I like this
solution.
It's just not as crappy as what it
was.
but yeah, it's still not great.
And one thing I think you mentioned
earlier,
but I kind of forgot to touch on
as well is this whole,
Google is not really giving satisfying
answers to a lot of this stuff.
Like,
so you mentioned the twenty five dollar
fee and how twenty five dollars is like
a lot more to somebody in like India,
for example.
And he did say that like, oh,
we're going to account for that.
We're going to kind of balance it out.
But it's like this.
Who was it?
The Samat person.
I forget what the role is,
but they didn't really answer any
questions like they did.
at least this Ars Technica,
they mentioned like,
I don't know if they actually asked Google
directly,
but they did mention things like one of
the concerns is that Google is now
building this list of app developers if
the developers choose to get verified,
which already presents a host of privacy
and security concerns.
Like here in America,
we had that whole like a, like that,
what was that?
ICE spotter, ICEBlock or something.
We had that app where you could report
sightings of people
Immigration agents.
And in some countries,
that is super illegal.
Even just peacefully putting some kind of
protest app, super illegal.
And so if that person chooses to verify,
now Google has their information.
They have their payment.
They have their government ID.
They know exactly who they are.
And so Google...
Um, like actually right here,
Google swears is not interested in the
content of the apps and it won't be
checking proactively when registers
developer, uh, when developers register,
excuse me, I can't talk tonight.
Um,
this is only about identity verification
so that basically if they become a,
if the developer distributes malware,
they're unlikely to remain verified and
they can get booted from the program.
Um,
but then like, you know, when he's a,
when this Samat person, he's like, Oh,
but this, uh, you know,
we're not keeping a list of developers.
Well then how are you going to verify
if somebody is a repeat offender?
Like your,
your answers don't make sense here.
And yeah.
Um, I also just need to,
to be snarky and point out,
he says that, uh,
Not everything is malware.
It depends on the context.
So like a rootkit is malware,
but a rootkit you download intentionally
because you want to root access to your
phone is not malware.
Likewise,
an alternative YouTube client that
bypasses Google's ads and feature limits
isn't causing the kind of harm that would
lead to issues with verification.
Anybody who uses things like NewPipe or
FreeTube knows that those things break
about once a month because Google does
something on their end to block it.
And then they have to update and do
the cat and mouse.
So yeah,
that was just kind of funny to hear
them cite that.
I don't think that came from Google,
for the record.
I think Ars wrote that.
But it's still kind of funny to hear
them cite that as an example.
And it's like, yeah,
but Google still treats that stuff in a
very hostile manner.
Yeah.
Yeah.
I think the other thing that you kind
of mentioned it a little bit,
like with the ice block thing,
but I think there's plenty of countries
that we've already seen this happen with
where like, you know,
having a centralized app store kind of
allows governments to basically get apps
removed or to like have apps not be
allowed to install on devices.
Like I'm pretty sure the,
the way that works, like in China,
a lot of apps don't want to comply
with a lot of the like legislation that
they have.
Like, Oh, you've got to,
share a certain amount of data or you
have to meet these like economic
requirements or whatever.
Um,
and so they're actually just removed from
the play store or for like censorship
reasons.
Like there's stuff that's being shared on
those platforms that they don't want, um,
people to access basically.
Um, so having the centralized,
like we already saw this with like iOS
devices,
basically turns your phone into a brick.
Like you can't install the software that
you want on it.
Right.
Um,
But yeah,
I think it's like it's like with Linux,
right?
You can kind of install software from a
trusted repository and you can also add
additional repositories.
I think it should work similar on Android.
Like you should have the option to have
install stuff from additional places.
Maybe there's more of a warning about it,
but I don't think having to go through
developer settings and all this stuff is
particularly great.
I think it definitely also puts up a
bit of a barrier,
especially when you're like,
showing all these warnings like,
this is very un-recommended.
What you're about to do could compromise
your device.
It's not gonna sit well with someone who
doesn't understand the technical reasons
why they're showing that.
Yes,
a lot of cases it's it could be
useful for someone to see that warning.
But if it's like someone and they're like,
oh,
I want to be able to watch YouTube
with without the ads,
I'm going to download NewPipe.
And it's like this app could compromise
your device.
This is a highly this is a highly
suspicious action you're about to take.
Are you sure you want to do this?
People are going to be like, oh,
this is just malware.
I'm just installing malware.
It's not malware.
So
I don't know,
not really happy with this situation.
I think we're going to keep pushing Google
here to make a better decision.
I just think they should go back on
all of this and just go back to
what it was before.
Like you have to enable it, right?
But
it should still be an option for people.
Um,
I don't know if there's a better way.
Maybe they have a way of scanning like
the device to see if the permissions are
suspicious or I don't know.
I can't really think of a better way
that doesn't involve Google just like
doing more invasive stuff on your device.
But
I mean,
I think it should go back to how,
like how it is on Linux.
Like you can install additional
repositories,
you can install the applications you want
on your device.
And that is an increased risk of using
a third party platform to install packages
or like using a third party repository.
But that should be up to the user
to determine if they want to take that
risk, not Google,
who's like making that decision for you.
But yeah,
that's pretty much all my thoughts on this
one.
Do you want to take the next story
here, Nate?
Yeah, sure.
So this will probably be a pretty quick
one.
I just thought it was really interesting
because I am a nerd who really likes
thought experiments.
And the headline from this one,
this comes from Slashdot.
It says, should Banksy remain anonymous?
And the original article comes from
Reuters.
And Reuters did this really deep dive
um, really deep dive.
Uh, I'll be honest.
I didn't read it all cause it's so
long, but I skimmed it.
And, uh, they tried to identify Banksy,
which for anyone who doesn't know Banksy
is a very, very famous, um,
graffiti artist, I guess you would say.
Uh, well, I mean,
I would say artist in general,
he's done a lot of like legit artwork
as well,
but he's also well known for doing
graffiti work, um, all around the world,
actually, not just he's from the UK,
I believe, but, uh,
Well, we're assuming he's from the UK.
I believe that's where he's most active.
But Reuters did this deep,
deep dive to try and figure out who
Banksy was because there's been a lot of
I mean, of course,
there's been a lot of speculation over the
years.
And there's also just been a lot of
there's been a couple of like,
we're pretty sure it's this guy.
It might be this guy.
But they set out to like for sure
figure out who he is.
And spoiler alert, I think they did.
And I kind of don't like that personally.
I think it took some of the magic
out of it.
But I liked this headline of should Banksy
remain anonymous?
And I thought that was something
interesting to think about because there's
a few different angles here.
One of them is a legal liability.
This dude is technically a graffiti
artist, although...
I don't think it's here in the Slashdot
summary,
but in the actual Reuters article,
they mentioned how he does kind of seem
to get a pass because he is so
well-known.
And to be fair,
his art probably brings a lot of tourists
and stuff.
So even though he's technically doing
illegal things,
other graffiti artists have noticed.
It's like, if I did that,
I would absolutely go to jail.
But the police don't even seem interested
in figuring out who he is anymore.
They're just like, yeah, whatever.
He made some art.
Let's clean it up and move on.
But...
They also talked about his lawyer when
Reuters reached out to them and said like,
hey, we want a statement for this piece.
He urged us not to publish this report,
saying doing so would violate the artist's
privacy, interfere with his art,
and put him in danger.
And they pointed out again that what he's
doing is technically illegal and the
police could come after him and it could
stifle free speech.
So yeah,
it was just – it was really interesting
to –
Um, I mean, I, I have a feeling
our, our whole audience is going to say,
like, yes, he should remain anonymous. Or
maybe not. Maybe you're one of those, like,
hardline lawful good people that's like,
yeah, it doesn't matter if he's not doing
any real damage. I mean, he's costing some
people some paint on their building, but
other than that, he's not doing any real
damage. Let him do his thing. But it
was just really interesting to see this, um,
this, again, huge, deep investigation on the
front page of Reuters that, uh, kind of
challenged, like,
I don't know.
It was just really interesting.
I don't think I have much more to
add than that, to be totally honest.
But to...
To kind of like, where is that line?
I think that's kind of where my mind
went.
It's like, where is that line of like,
again, yes, he's doing something illegal.
He should not be allowed to do that,
but also like free speech and free
expression.
And it's not just the UK.
He protests things all over the world.
Like he's drawn on the walls in Palestine,
separating Israel from Palestine.
Most recently he was in Ukraine,
which is what sparked this investigation.
So it's not all like him saying,
living in a repressive regime,
criticizing his government.
Well, I don't know.
Some of the stuff I've seen come out
of the UK lately has me really worried.
Maybe he is living in a repressive regime,
but it's not all that.
It's also him going to other places around
the world just to make all kinds of
statements,
all kinds of political statements,
I guess.
But, you know,
just kind of the hippie stuff, you know,
like,
why can't we all just get along kind
of political statements?
But it's yeah.
Like I said,
I really don't have too much to add
to that one.
It's just it's just an interesting story
that
I thought was a good discussion about,
I guess about public interest, right?
Because we think about that a lot too,
about famous people and how much privacy
versus transparency do they deserve
depending on their roles.
And I don't know.
I like thought experiments.
I think that's what prompted me to want
to talk about this one.
I don't know if you have any thoughts
on this.
I think when it comes to art,
I think
this is, you know,
there's plenty of artists that do this
sort of stuff, like not just Banksy.
Um, and you know, obviously people,
the government is not going to be super
happy if you're like defacing a public
building or like there's a, there's,
I think defacing is,
is certainly up in the air, right?
Like I think in a lot of cases,
uh,
it's very much like, you know,
trying to make a message,
trying to make a pub,
make a message publicly,
people publicly aware of an issue,
for instance, like, uh,
I don't know if it's,
we've had a lot of like street art
just like pop, pop up in Sydney,
Australia, like, and it was never,
you know,
it was never publicly sanctioned.
It's just a lot of it's to do
with like
you know, street art, um, criticizing the
government, criticizing, like, social justice
issues. Um, I think, you know, it's not
really hurting anybody. So I think, you know,
maybe I'm, it's, it's, it's showing an art,
artist's vision. I think in a lot of
cases when there's, like, graffiti, uh,
it actually brings people, like Nate said,
it's like a tourism thing,
especially when it's like a famous artist.
There's plenty of places where there's
like graffiti in places.
Um,
and people come there just cause they want
to take pictures.
Um,
it doesn't have to be any famous artists.
Right.
Um, but I think, you know,
it's part of the community.
It's part of like,
it's just,
it's kind of an expression of people in
that who live in that place.
Um, so I dunno, I think it's,
I don't think Banksy's identity should be
like revealed obviously.
Cause I think, you know,
people should be able to choose whether
they,
share that information or not.
Um, I think it just applies.
It doesn't really,
I think someone could definitely make the
argument that because he was technically
committing crimes or like not crimes,
I guess maybe like a,
I don't know what you would classify
graffiti as like vandalism, I guess maybe,
but yeah, some kind of misdemeanor,
I think.
Yeah.
So I think, you know,
It's up to the community to determine
whether it's acceptable or not, I guess.
I think, you know, there's definitely a
difference between, like, a lot of people
just do, like, tagging stuff, or they, like,
put their name on something. That's not
really art, that's just, like, vandalism. But
I think if it's actually something that's
trying to display a message, I think it's
a little bit different. Um, like, social
commentary and stuff, I think, is definitely
more acceptable. But I think, you know,
legitimate, actual street art is definitely
on a different
different level,
but I think it's definitely,
I think one of these things where it's
down, it's down to someone's beliefs, um,
as a person,
like it's not really a very clear cut
thing.
I don't think, um,
whether it's a clear cut, obvious answer,
but I think in this community, it's like,
you know,
I think people should be for protecting
artists, privacy,
protecting anyone's privacy if they don't
want to have their identity revealed.
But,
yeah, I think, yeah, I don't really have
too much more to add. Do you have
any thoughts?
No. Yeah, um, I mean, yeah,
I was really disappointed to see that they
went ahead and published his name anyways,
or who they believe it is. Um,
And it's,
I'm with you on the one hand,
because like, to me, it's like,
I don't think his message is
controversial.
You know,
I could see the argument of like, well,
let's say I own a business and he
graffitis the side of that business with a
message that I don't agree with.
Like, okay, I hear that,
but he's not in my opinion.
I mean,
I don't see anything controversial about
any of the stuff he's posted.
I mean, for the record,
I don't follow him super closely.
So I don't know if somebody is going
to go dig up and be like, oh,
go look up this painting.
This was like super political and somebody
may not agree with that one.
on the wall in Palestine was, like, it
was like, it was forced, or not forced
perspective, but, you know, it was like, it
was a lifelike painting of, like, a hole
in the wall, and it was, like, this
beautiful beach on the other side. And, you
know, it's art, so it's open to
interpretation, but the way I took away
from that was, like,
this could be paradise if we could find
a solution here.
And he wasn't trying to say what the
solution is.
He was just trying to say like,
be human,
be kind to each other and figure out
a solution.
And it's like,
I don't think that's a particularly
controversial take personally, but yeah.
So, I mean, it's, it's, I don't know.
I think there's much worse crimes in the
world, but yeah, it was just,
I don't know.
He's, he's so, yeah.
I was disappointed to see the Reuters went
ahead and published it, but yeah.
It's interesting to think about because I
think about that a lot as a quote
unquote semi-public figure is like,
how much transparency do I owe people
versus how much privacy do I get to
have as an individual?
And it's, I don't know.
Yeah, life is full of nuance.
Definitely.
All right, so in a moment,
we're going to start taking viewer
questions.
So I know there have already been some
questions,
but if you guys are holding on to
any more,
definitely go ahead and start leaving
those in the chat or in the forum
thread.
But for now, speaking of the forums,
we're going to check in on our community
forum because there's always a lot of
activity.
This week has been no exception,
been a very busy week.
So here's a few of the most interesting
discussions happening.
And the first one we're going to talk
about is there's a community discussion
about Firefox's new features.
So for those who don't know, Firefox,
I believe it's one forty nine is coming
out here pretty soon.
And it's got a few pretty big changes.
Some of them are very
cosmetic, welcome cosmetic, for the record,
like I just found out.
I feel dumb.
But I just found out two or three
weeks ago that in Brave,
you can do split tabs.
So it's kind of like tiling a window,
which I just realized I should totally be
doing here, but I'm not.
The split tab thing, I mean.
It's kind of like tiling a window,
except it's the same window,
and it's just the tabs are side by
side.
which is probably a little bit of a
niche use case,
but it's really cool for me.
It's really nifty and I like it.
Firefox is going to be adding that,
but then there's also some more serious
things.
Like there's a sanitizer API, which...
I'm forgetting off the top of my head
exactly what that does.
I think that's supposed to help protect
against cross-scripting attacks,
but don't quote me.
It's definitely a security update.
And noticeably, this one is new.
Apparently,
they've announced the sanitizer API
before.
But Firefox is going to include a VPN.
I believe from what I've heard,
they did not really say for sure in
their blog post,
but it will be free for up to
fifty gigs a month.
And to start with,
it's going to roll out in France, Germany,
the UK and the US.
We'll see about the UK if they start
requiring ID for VPNs.
But that's a different discussion.
And yeah,
I think I've heard rumors that it's going
to be in-house.
I know last time they did this,
it was a white label of Mullvad.
And I actually stand corrected because
I've always said that like,
I don't see the point of the in-browser
VPN because I want more than just my
browser to be protected.
And from what I'm told,
that is not how this is going to
work.
It is actually going to like protect your
whole device.
It's just going to give you a lot
more granularity in the browser.
That's what I've heard.
But yeah,
Yeah, what do we think about this?
I think I'll go ahead and say that
I'm notoriously critical of Mozilla,
but I'm happy to see them putting good
features into Firefox.
I mean,
at least it's not an AI feature that
nobody asked for, right?
So yeah,
I think this is potentially a good step
forward.
I will be interested to see how that
VPN works potentially, but yeah.
Uh, I think you did, unfortunately,
unfortunately, Nate, to,
to ruin your parade of anti AI.
They unfortunately did include, uh,
there's an update in this, in this update,
they're including smart window,
which was previously called AI window,
which is basically.
Oh yeah.
That, okay.
I missed that.
I was just reading the summary here in
the thread.
Yeah.
So unfortunately that is coming in this
update.
I think they realized calling it AI window
was probably a bit too on the nose.
So they've changed the name to smart
window this time, I think.
We did talk about this a little bit
internally about this privacy,
this free inbuilt VPN.
I think the thing I was specifically
talking about was Mozilla VPN.
So this is a different thing.
This is, I guess, Firefox VPN.
which is different to Mozilla VPN.
Mozilla VPN,
one of the cool things about Mozilla VPN,
like Nate kind of talked about,
was it would cover your whole device and
then when you use Firefox,
it would integrate with the desktop client
and it would allow you to select different
locations for where your browser would
exit based on the website.
So, you know, obviously you wouldn't want to
like access your bank's website and also
be coming from like Turkey, because that
would like cause your bank to like, you
know, lock down. They're not gonna, they're
not gonna like that. Um, so that allowed
you to have different endpoints coming
out there. Um, I think that is also
very useful because, you know,
A lot of times VPNs are blocked.
Like on Reddit,
you'll frequently find it's blocked.
On YouTube, it'll ask you to sign in.
I think that's an interesting thing with
Mozilla VPN.
But I think like Nate said,
this is a separate thing.
This isn't the same thing.
It's kind of confusing.
They've got two products.
This is only for your browser.
As far as we're aware,
they haven't said that it's going to be
your entire device because they say this
is a proxy.
So as far as we are aware,
that is only going to be through the
browser itself, as far as we know.
So I would say that's what we should
think that this is first.
Um, I don't think this is, you know,
an amazing.
because I think we have such good free
privacy, like full VPNs you can use now.
Like you can use ProtonVPN free.
Like they have quite good speeds.
It's free.
I think Proton's doing a great job by
offering that for free to people.
I think people should use that if they
don't have another way to protect their
privacy.
But I think especially with the low cost
of VPNs at this point,
like Mullvad is five euros a month,
like that is a pretty cheap price for
a lot of people.
But I think, you know,
price is also it's a trying time.
You know, people are trying to save money.
So I think, you know,
fifty gigabytes of data is definitely
pretty, uh, pretty generous, I would say. It's
like, that's gonna take you quite a long
way, um, especially monthly. I feel like I
don't even use, I use like only a
couple of gigabytes a month on my phone.
So, I mean, if that's, I mean, I
mean, I know there's people that use like
hundreds of gigabytes on their phone every
month. I don't know how you do that
exactly, but, um,
I think fifty gigabytes is a lot. Maybe
I'm like, I think it might just be
because our internet is really slow here,
but it's kind of hard to download that
much stuff. But fifty gigabytes, and it's,
it's kind of frustrating, Firefox and
Mozilla in general do this all the time.
Like, they only release their products in
specific regions.
Like in this case, they're saying the US,
France, Germany, and the UK to start.
That's where they're releasing this free
Firefox VPN.
And it's the same thing with Mozilla
Monitor, which I think is defunct now,
and Mozilla VPN and Mozilla Relay.
It's like their email aliasing thing.
It was only available in certain
countries.
I was always kind of like interested in
trying it.
Never was available in Australia. So I
think they should probably look at, you
know, I don't really understand the reason
why they're only releasing this in certain
locations, but, um, I think especially in
locations where I feel like they don't
need the privacy as much. Like, what about
countries that are like, you know, under
siege by like authoritarian governments?
Maybe we should focus on those first to
get this technology to, but, um,
It's still an interesting thing.
I didn't really read any of the comments.
Was there anything you were thinking that
people mentioned that we haven't really
talked about yet?
I don't think so.
There was kind of a discussion right off
the bat about whether they meant, um,
like there was a confusion of, um,
When they said to start,
did they mean to start?
And that might change?
Or did they mean the countries might
change?
But I think everybody kind of agreed that
it's like, no, it's probably the country.
But yeah,
there was a lot of discussion about is
it
like what I was saying,
is this going to be an in-house thing
or is this going to be a,
like a white label of Mullvad was some
people here are saying this might be like
competition against Opera,
which I I'm with you.
Like personally, I don't,
I do think the proton last time I
tried one of them,
the proton free servers tend to be a
little bit slow,
but I also know since then they've kind
of added a few more.
So hopefully that's helped.
But that said, I do think,
I'm not opposed to them adding this as
like a compete with Opera thing,
especially if they can keep the cost low
for them.
And this isn't going to be one of
those things that,
you know, in a year, they're just like,
oh,
we killed this off because it's really
expensive.
But I don't know.
I mean,
I know there's the whole smart window
thing, which I don't know.
To me,
that reminds me of like Brave's Leo.
Like Brave has like a little pop out
mode where you can just talk to Leo
directly and have a conversation with it,
have a conversation in the sense of like,
I'm not asking it to paraphrase this page
or whatever.
But they also have like a little sidebar
where you can ask questions about the page
you're on.
And they say that this will be completely
optional.
So I don't know, to me,
that's just competing with Brave, which,
again, I don't know, it's just,
it's good to see them mostly focusing on
the browser again,
and not buying like ad companies or fake
review plugins or Yeah,
so
Yeah,
I think one interesting thing you said,
oh, this is like,
I feel like Brave also has like a
VPN built in Vivaldi.
Oh, they do.
I forgot about that.
So I think it's more of a,
I think they're going more to try and
challenge Vivaldi here and Opera.
But Brave also has, it's a paid thing,
but it's still technically built in,
I guess.
I guess they're just trying to be like
feature compliant.
competing against, you know, this stuff.
So yeah, I don't know. Uh, I think
it's also one other thing that, uh, Firefox
has actually rolled out in like the latest
release, they do have the AI block switch
now. So like if you've got that enabled,
you're not going to get any of this
AI stuff. So I wouldn't worry about that.
I would make sure you have that ticked
if you use Firefox, because you don't want
to get this in the next update. Um,
So yeah, I don't know, this is,
it's good to see Firefox actually doing
something this time.
Like I feel like we were sitting at
like no changes being made every year.
There was like absolutely barely any
changes to Firefox for like, I feel like,
I don't think it's going in the direction
I would like.
I don't think many people agree that it's
going in the direction they want.
And I guess with all this AI stuff,
I think it's pretty tricky to avoid at
this point.
Every company is basically rolling this
stuff out.
At least Firefox is making it easy to
opt out, but I just,
it kind of frustrates me that all the,
all the donation money and all this money
from Google to be the main search engine
is just being dumped into like AI and
like privacy preserving analytics.
Um, it's not really stuff that is gonna,
I don't think it's gonna bring people into
the browser,
but I think if they actually made some
big changes and listen to what community
people actually wanted from the browser,
I think they could.
you know,
there's plenty of projects that are doing
interesting things.
Like I think one of the most interesting
ones was Arc browser.
Like they were doing quite a lot of
interesting, you know,
different things that no other browser was
doing.
Like,
I think it'd be interesting to see Mozilla
just actually try something new,
like not just like copy what other people
are doing,
like actually try and make something, uh,
little bit revolutionary, a little bit
different, um, to actually give people a
reason to use it. Because right now it's
like Firefox just kind of is bad,
especially on some websites. Like, you're
just gonna be, have a worse experience. Like,
people don't test for Firefox now. Um, like
even this website we're using, StreamYard,
to do this right now, I can't use
Firefox
to do this.
So, you know, it's,
if you can't do basic stuff with your
browser,
I think that's going to push people away
from doing, from using it as well.
But yeah,
I think that's kind of my thoughts on
this.
Somewhat positive, I guess, but yeah.
Yeah, I agree.
I mean, for me,
it's unfortunate that Mozilla is
constantly playing catch-up to everyone
else.
Like, again, the split view.
Brave has that.
I don't know how long they've had it,
because I just discovered it,
but Brave has that.
And even their AI stuff, it's like...
Like, everyone else... The AI ship...
I mean, I feel comfortable saying this,
because this isn't like a, you know,
hustle podcast or whatever, but, like,
I feel like at this point,
if you're just now jumping on the AI
bandwagon, it's gone.
Like...
It's gone.
Why are you there?
And so it's, you know, it's like,
I don't understand why they're,
and they're doing it in such a poor
way too.
Like I remember being really disappointed
when I looked into their AI features,
not because I wanted to use them,
but just because I wanted to understand
them and they don't even do anything.
It's like, oh,
here's a tab where you can talk with
ChatGPT.
Your privacy policy,
like their privacy policy is literally
like go see OpenAI's privacy policy.
And it's like,
so what's the difference with this?
and just going to chatgpt.com.
What use is this?
And it's like, oh, well,
it's integrated in there.
I don't care about that.
If I cared about that,
I'd be using ChatGPT's browser.
I don't understand why it needs to...
to do that.
I don't know.
It's just,
it's weird to me that like they're
constantly playing catch up and yeah,
it would be nice to see them because
they have such a passionate,
active community.
I know they do.
And I'm sure people have plenty of ideas
about how they can improve it, but it's,
it's, it's, yeah,
it is nice to see them investing in
something that isn't AI for,
even if they have the little smart window
thing, but yeah,
The split view, the tab notes,
which I don't know how that's going to
help, but the sanitizer API, the VPN.
I agree with you.
It's not enough,
but it's nice to see them starting to
get back into it.
And hopefully,
I'm hoping the momentum will pick up for
sure.
Yeah, I think we had a question here.
We have, well, not a question.
I guess someone was just saying, uh,
without Manifest V2 extensions,
I find the internet to be pretty bad.
Um, I agree.
I think, you know, uBlock Origin,
I think is kind of a needed tool
at this point.
Uh,
uBlock Origin Lite is, it doesn't work
as well and it doesn't block a lot
of things that you need, right?
Like, you know,
you would hope that, uh, you know,
websites don't have a million pop-ups and
like cookie banners and paywalls and all
this sort of stuff.
But it's kind of the modern internet at
this point.
Um, you need to, you need to,
you need to use an ad blocker unless
you want to go completely, you know,
off the rails, I think.
So if,
if Mozilla is like the last bastion of
MV2 extensions, then, uh,
I think that is definitely a thing that
separates them from Chrome, but,
You know,
that's not going to be enough to keep
people there because plenty of people are
still using Chrome and they're still using
uBlock Origin Lite.
Um, it's good enough for them.
It's not perfect,
but it's definitely good enough.
Um, so.
people kept saying that we're going to
leave Chrome.
If, if Chrome doesn't, uh,
if Chrome doesn't use, um,
doesn't allow MV2,
I'm going to leave Chrome.
And then everyone just stayed on Chrome.
Like, like,
I think people might not realize that a
lot of people don't actually use
extensions.
They don't even know what they are.
They just use their web browser like
normally.
Um, so yeah, I dunno.
Um,
It's, yeah,
I don't think Firefox is in a very
good position at the moment,
unfortunately.
I do got to point out,
I disagree that most people don't use
extensions because I feel like every time
I look at somebody's Chrome browser,
they've got like ten extensions and it's
always like Grammarly.
And then like what's funny is it's always
like six different ad blockers.
It's always like Adblock Plus,
plus Ghostery, plus Privacy Badger.
It's more...
I almost get the impression that like
people don't understand extensions and
they don't understand which ones,
like what they do and how they work.
And they're just like, Oh, you know,
the more I throw on there,
the better it gets.
Right.
And it's like, no,
you need to be intentional with which ones
you use because you're giving them a lot
of permission, but yeah.
Yeah.
Which,
which just kind of goes back to what
you're saying though, is like,
people don't understand like Manifest
V2 versus V3 and they don't really
like, they don't understand like, okay,
now I've got Adblock Plus or whichever
one,
but it doesn't work as well as it
used to because Google has hindered it and
they don't understand why.
And which is still unfortunate, but yeah.
So, I mean, if we,
if we like take into account the amount
of people that use, uh, Chrome, right.
And we look at like, you know,
Adblock Plus or uBlock Origin.
Um,
there's not that many people using them.
If you, if you consider the actual,
like amount of people using Google Chrome.
Um, sure.
The percentage.
Yeah.
uBlock Origin Lite is like,
sixteen million.
That's pretty small,
like if you compare it to the amount
of people.
I mean,
it could be like a sample thing,
like I've personally seen people that use
Chrome and they didn't have any
extensions,
and I've also seen people with a bunch
of them,
so
It's kind of hard to determine what this
is through like anecdotal things.
But I think if we look at the
numbers, we can get some idea,
at least at least like these ad blocking
ones.
I mean,
we could look at like other extensions
that people are using and installing,
probably, you know,
some really weird stuff.
But it doesn't seem like it's super
common.
But that's just going off the numbers,
I guess.
It's not really... No,
to back up what you're saying,
one source says that Chrome has almost
four billion users,
three point nine eight billion users
worldwide based on an estimate.
So, yeah,
like sixteen million people is not much.
I don't know what the math is on
that one.
I'm not even going to try,
but it's not much.
Yeah, I mean,
it's probably not the greatest way to
determine it, right?
People,
it could be multiple installs by one
person.
It could be counted by like, you know,
you've installed uBlock Origin a couple of
times on a couple of your devices.
It could be even less than sixteen million
people, unfortunately.
It doesn't exactly paint a very good
picture because, yeah,
it sounds like most people don't care.
MV2 to MV3 gives people more
security protections, I guess.
But it does.
It's kind of an issue comes at a
cost, comes at a cost.
Yeah, exactly.
Um, okay.
So yeah,
we could move on to the next, uh,
forum thread here.
Um,
cause we have talked about Firefox and
Mozilla quite a bit.
I feel like it's an easy topic to
just kind of talk about for a long
time because there's just so many issues
for sure.
Um, but this next one was.
Someone started a thread.
It was actually a very recent thread,
only sixteen hours ago.
So favorite underrated hobby for staying
productive.
I'm looking for hobbies that aren't just
fun,
but also help clear your mind or improve
skills in subtle ways.
Anything offbeat that people swear by?
I feel like this is definitely an off
topic section of the forum.
I think this could be interesting to read
some of these things here.
I feel like Nate added this.
So I feel like you have something you
want to say about this.
Do you?
Yeah, I do.
I wanted to add this one because
I don't know about you guys.
Okay, so a quick tangent off topic.
When I used to work with Henry in
Surveillance Report,
he was very open about the fact that
he's like, I do privacy all day.
So when I'm not working,
I don't really listen to privacy podcasts
or read privacy books.
I need to detox from it.
And now that I am also doing privacy
full time, I...
I haven't gone quite to that extent,
but I get where he's coming.
I mean, I understood it before,
but now I'm living it.
And, um, so I,
I think it's just really important to,
I don't want to say touch grass.
Cause that's a very like disparaging term,
but it's, it's just really important.
I think for all of us to like
take a breather, especially privacy,
like it can be so depressing sometimes.
Cause unfortunately I feel like we do take
more, more losses than wins.
A lot of the time, you know,
we don't, um, we don't get to, uh,
I wouldn't say we don't get to.
We see a lot more bad news regularly
about Instagram rolling back and encrypted
DMs and Android trying to crack down on
third-party installations and this, that,
and the other.
And so it's very...
it can be a little depressing sometimes
because we only get the good news like
chat control was defeated.
We only get that stuff every so often.
So I really like this idea of what
are your hobbies just in general?
I like these people talking about things
they do.
One person here said they read,
which is pretty...
not really offbeat, but, you know, reading is,
is a really good thing. And they said
like they read a lot of fiction too.
Like, it's not all tech and privacy stuff.
They read a lot of non-fiction, fiction. Um,
one person did mention self-hosting, which
is a good way to learn more about
tech and privacy. Uh, to your comment, one
person did say, I didn't realize we had
an off-topic section of the forum where
we're allowed to talk about things
unrelated. Um, so yeah, definitely we do have
that. And then, um,
Somebody said they do chess.
One of my favorites, they said,
not sure it would qualify as offbeat,
but I enjoy dribbling watercolors on
potato slices,
letting them dry out and then taking
photos of them.
You blow up the images and they kind
of resemble an aged artsy fartsy painting.
One day I'll print and put these up
for sale.
And somebody replied, they're like,
I'm going to go on a limb and
say it qualifies as offbeat.
But, you know, it's a...
And for the record,
I thought that one was super cool.
I want to see those too.
Those sound awesome.
But yeah, it's just, I guess,
kind of a reminder for all of us
to find something enjoyable that helps you
unwind because this stuff can be a lot
sometimes for all of us.
I don't think you have to work in
it full time,
but it is really good to remember that
there's...
Privacy should be a means to an end,
in my opinion.
Privacy should be what enables you to take
control of your online life and your data
and build the life that you want.
And that includes going out and doing
other stuff sometimes.
So, yeah.
I don't know if I have any underrated
or productive...
Also that,
I just want to throw that out there.
Personally,
I'm a really big fan of like being
productive and self-improvement and stuff
like that.
So obviously not everything has to be,
like when I'm playing video games,
that's not always productive, right?
But it's fun and it relaxes you.
So, yeah.
Yeah, I think it's good to remember,
you know,
not everything you do
has to be productive. I think being
unproductive a little bit, you know, and
doing things that aren't actually, you're
not going anywhere, like you're just doing
something for the sake of it, it's like
kind of the point of being human, right?
Like, we're not here just to produce and,
and make things and, uh, and make money
and work. You know, I think people need
to also take time and be and do
things like, you know, nature, like gaming
and all these other hobbies that people
have put here. Um,
But I think, you know,
taking time to be unproductive can help
you be more productive.
I think taking a break,
taking rest is kind of important.
And, you know,
I guess I'll throw in a couple of
extra ones.
I do think exercise is pretty important.
It's pretty good for your health as well.
It's productive, I guess,
because you are becoming healthier.
I think people should...
if you're able, uh, exercise regularly,
you know, it's an important thing.
I think it doesn't really achieve any
particular goal.
It just is, you know,
it can be any sort of exercise is
important.
Um, yeah, I mean, I think it's,
there's plenty of different, uh,
things you can do.
I enjoy photography, like in my free time,
stuff like that.
I think art stuff is also important,
gets your brain going.
Um,
but I do think it is important to
not make everything in your life about
securing your privacy and like about this
one topic.
Cause that's, uh,
that's one way you're going to get burnt
out.
That's actually a section on the activism
section we recently launched.
Um, so definitely check that out.
Um, but I think, you know, it's,
Yeah, it's an interesting thread.
Maybe go over there and drop your favorite
thing you like doing.
I think it's nice to have these off
topic forum threads sometimes because I
feel like every thread is just like so
draining.
Like there's just every day,
there's just a new story of like,
the absolute worst thing happening.
Um,
and sometimes it's good to disconnect a
little bit.
Maybe that means not actually going on the
privacy guides forum for a day, you know,
taking a break.
Um, it's definitely helpful.
Um, and yeah,
I think it would be more productive if
you take more breaks.
Um, everyone needs days off.
Yeah.
A hundred percent.
Um, yeah, I mean,
I don't really have much more to add.
Do you have anything?
I don't think so.
I was going to say we could probably
move into viewer questions now,
which I think we've kind of been answering
them as we went in the live chat,
right?
Have we missed any that we haven't covered
yet?
Um,
I think there was just people kind of
sort of making comments here.
Not really any questions per se.
We did kind of talk about a lot
of stuff, uh,
that was already covered in a lot of
these points.
Like someone mentioned.
Ninety-nine percent of what these browser
AI things can be replicated in a browser.
Um,
and browsers are less permission heavy.
So like using an AI app is kind
of useless.
Yeah, I agree.
They need a light version of the iPhone.
Maybe.
Oh, no, no, no.
They're talking about a uBlock Origin
Lite.
There's the uBlock Origin Lite for
iPhone,
which I think actually we did add back
to the website.
I think we talk about it on our
iOS section, if I remember correctly.
I think you're right.
Yeah.
Um, and AdGuard,
I think those are the two recommendations
still, 'cause AdGuard does, uh,
it does still protect web apps and things.
So that is a good point.
Sorry.
I missed that.
I kind of misunderstood that comment.
Um, but yeah,
was there any comments from members on our
forum thread this week?
So, yeah, I, I think I passed it.
Um,
Yeah, we did have not too many.
I know one question we got was about...
I don't know if this person's watching
right now, but somebody asked us,
is it possible to provide a list of
news articles that the stream will go over
in advance?
Just to give you guys a little peek
behind the scene, the short answer is no.
Because what happens is,
and I think I may have said this
before, is throughout the week,
we kind of collect articles that we may
want to talk about.
And we try to keep it to four
to six articles on average.
And so...
we kind of wait until Friday, and that's
when we go over like, okay, what are
the main things we really, really want to
talk about, and what are the things that
we can, um, drop off to, you know,
uh, like the news feed or the news
section. Um, thankfully we do have the news
section where, even if we don't cover an
article here, we might still write about it
there. So, uh, and sometimes we do both,
but
Yeah.
Uh, a lot of the time,
like we're not, uh, we're,
we're still like Friday afternoon.
Um, US time we're,
we're still like putting this stuff
together.
So unfortunately that's not really doable
in advance.
And to also add to that as well,
sometimes we're like, you know,
it's Thursday morning and we're like still
trying to work out what the highlight
story is because sometimes there's just
not that much going on.
Like, you know,
we can't really release the newsletter if
we don't even know what the highlight
story is going to be.
Um, so we're sorry that that's,
that it's kind of frustrating, I guess.
Um, but you know, we've been like,
Nate's been doing a great job with like,
we published the newsletter as soon as the
live stream starts.
Like if you check your inbox,
like it'll be there.
Um, so I would, if you're worried,
if you want to know what we're talking
about on the live stream,
then that'll be the best place to see
that.
Um,
I did drop a link in the forum
thread there.
Um,
but if you do want to sign up,
it's just privacyguides.org forward slash
live stream, and if you press the donate
button in the bottom right and you select
free on that, so you don't have to
pay money to join the newsletter or
anything, you'll get the update
notifications for the live stream, and that
includes all the links and also like some
small summaries of the stories as well. So
if you want to follow along while we're
talking on the live stream, you can
get that to your inbox.
It also goes live onto the website
eventually, but let's see,
is it on there right now?
Yeah, it looks like it is.
It should be, yeah,
because when I publish it,
I choose publish and email,
so it should go to both the website
and the... So yeah,
if you prefer to use RSS for some
reason,
you can subscribe to that section and
that'll pop up in your RSS feed as
soon as we publish it.
Looks like we got a comment from
Cannabida.
Do you recommend any books that are not
explicitly about privacy,
but privacy adjacent?
That is a very good question.
I know the answer is yes,
but I'm struggling to remember what they
are because I know there's been a few
books that I've read and I'm like,
I kind of want to add this over
on The New Oil as a recommended book,
but it's not really privacy related per
se.
And now I'm trying to remember what they
were.
I feel like Enshittification, uh,
by Cory Doctorow is a good one.
Like that's,
I just bought that one the other day.
I'm waiting for it to ship.
Nice.
Yeah.
That's a, that's a definite,
that's like one that's it's not
technically about privacy.
It's just like, you know,
adjacent big tech being awful kind of
explaining that whole process.
Um, Hmm.
Ooh, Andy Greenberg,
who I think actually wrote one of the
articles we covered today,
or maybe one of the ones we were
considering.
But he's a writer for Wired,
and he's written quite a few.
Like, Sandworm is really good,
and that's about Russia's state hacking
group.
He's written Tracers in the Dark,
which is...
Um,
it's divided into four sections and the
last section is about finding people who
host CSAM websites on the dark web.
So just fair warning.
That was a tough read.
Um, the first three parts are great.
That last part was a little rough to
get through.
Um, yeah,
he's written a couple of books that I
wouldn't say are like directly privacy
related.
Cause again,
they're about like cyber crime and state
hackers,
but they're very interesting and they're,
they're adjacent for sure.
Yeah, I mean, this, I feel like you
have quite a few different options to pick.
Uh, maybe you might have to, I reckon
if you go to like Cory Doctorow's stuff,
he probably has like a bunch of books
that are semi-related to this whole thing,
right? I think
He's a good person to look at.
But I don't know.
Yeah, I can't really think of too many.
I know there's like quite a few books
about like sort of the AI stuff that's
going on now.
I saw those like one on my timeline
the other day, The AI Con.
That's also an interesting one.
I can't really think of too many other
non privacy related books.
I can think of a lot of privacy
related books,
but just not like somewhat outside that.
I haven't read it,
but on the topic of AI,
I've heard a lot of good things about
if anyone builds it, we all die,
which is about the quest to build AGI,
artificial general intelligence.
So I haven't read it,
but I've heard a lot of good things.
Yeah.
I can't really think of too much here,
too much more.
But yeah,
was there any other things you were
thinking on the forum thread here?
The last thing I wanted to mention that
you did,
we mentioned it in the site updates,
but somebody asked us to go over the
homomorphic encryption story from Fria and
just kind of explain it.
Please go over the story.
For more people to understand it simply
put,
I think it's important to know and follow.
So homomorphic encryption,
and this is grossly oversimplified,
but it's basically a way,
and it's a real thing.
It's not just theoretical.
It's a way to process data on a
remote server in a way where it's still
encrypted and the server can't see your
data.
So hypothetically, like right now,
let's use Google and Proton as an example,
right?
Google...
and I might have this wrong, but correct.
Well, this part, I know I'm right.
Google,
you put your stuff on their server,
you interact with it,
but Google can see it.
Proton,
a lot of it has to be decrypted
in your browser.
So it tends to be a little bit
slower because of that delay.
Homomorphic encryption would be a way
where it can still stay on the server
and you can work with it in real
time, but it would still be private.
And I think it's designed more for...
Oh, man,
I can't think off the top of my
head.
But I know it's not designed for things
like Proton, where it's like, oh,
you can take that little performance hit.
It's got very specific use cases.
But the big problem is,
and I don't know if this is an
exaggeration or not, but...
Freya wrote here that it's thousands of
times slower than processing the data
normally.
And I don't think that is an exaggeration.
So literally,
just to give a tiny bit more context,
Proton mentioned this when they talked
about Lumo.
And they were trying to figure out how
they wanted to make Lumo private.
And they mentioned that they had
entertained the idea of homomorphic
encryption,
except it would literally take about ten
minutes to get an answer back from your
prompt.
So like you type in your prompt,
you go make coffee.
Don't even just get a new cup,
just make a whole new pot of coffee.
And then you come back and hopefully your
prompt will be ready for you.
So it's not really feasible.
It's not practical for most applications,
but Intel released this new chip that
they're calling Hercules.
And across seven key operations,
Hercules was one thousand to five thousand
times as fast.
So it's still not quite there.
Freya does talk about some of the
challenges that are still facing
homomorphic encryption here.
But it is definitely really cool that
we've seen such a major jump on this
technology.
Because if they can get it up to
a more usable speed,
that really would be a game changer.
I don't want to compare it to nuclear
fission or cold fusion or whatever it is
because that's one of those things that
it's like, oh, at this point,
some people aren't even sure it's possible
because it's so far away.
But it is one of those holy grail
kind of things that it's like, man,
if we could do this,
it would solve a lot of
potential privacy problems.
Although I do feel compelled to point out
that at that point,
the challenge would be getting companies
to use it, as we're seeing Meta roll back
end-to-end encryption.
So there's already a lot of solutions that
people just don't feel like using,
but it would be nice to have this
in our toolkit too, because again,
there are specific use cases for it where
I think people would readily use it.
It's just not where we need it to
be right now.
So yeah.
I think, you know,
I've got to be the AI hater on
the podcast.
So I'm going to say, you know,
if you do read the link,
if you look at the link that Freya
linked with this chip that they're working
on, it does still mention, like,
when they use this homomorphic encryption,
it basically...
significantly increases the amount of
memory that's used.
And I don't know if you're aware of
the global RAM shortage,
the global computer component shortage.
I feel like we don't need to make
it any worse by doing this,
by doing this homomorphic encryption
thing.
I think, you know,
I would push, you know,
I don't recommend that you use these AI
tools.
I mean, if you have to though,
if you absolutely have to,
there's local options,
but I think one interesting thing that
this sort of homomorphic encryption thing
or
I guess it's like trusted computing,
I guess.
Is that sort of,
I feel like this is a similar thing.
Um, but yeah,
Freya mentions that in the article.
Okay.
Right.
Yeah.
So basically the,
there was a VPN service that was doing
this through Intel's SGX system to
protect,
basically it would be an additional layer
because when you trust a VPN service,
you basically have to trust that they're
not gonna log your traffic or they're
gonna, you know,
because there has to there has to be
processing that's done to actually
facilitate the connection between you and
the VPN server.
So that can't be encrypted.
But there was this VPN company that was
saying that's what they were doing.
They were using like an Intel SGX like
secure enclave system.
So like basically no one would be able
to get access to it.
It would be in like a trusted platform
thing.
It's also interesting because I feel like
Apple was also pushing this sort of thing.
They're like doing their private cloud
compute system.
Hello, Apple, where is it?
It's like,
this seems like a similar technology
thing.
Like it seems like a very similar thing,
except, you know, they're not using Intel,
they're using Apple Silicon instead,
which I think gives them an edge really,
because they're not relying on a third
party company like Intel.
Like, you know, if you,
they can do everything in house,
like firmware's in house,
the silicon's made in house.
I still think that they use fabricators
still, but they're like a,
what do you call that?
I don't know.
They don't fabricate the silicon
themselves.
They outsource it, I believe.
But yeah,
it kind of puts them in a better
position to do that.
But that still hasn't really appeared.
I don't know what's going on with the
private cloud compute thing.
I think it's an interesting topic to keep
an eye on.
But I think, you know,
like Freya was saying,
the constraints of this are too...
are too high. Like, it's, it doesn't, it
can't do enough. But maybe this could be
used as, you know, this technology could be
used in a specific application like a VPN
where it doesn't need as much processing
power. I'm not sure, but I think it's
definitely an area that, you know, privacy
advocates should keep an eye on because
this is technology that could be used
in a positive way, hopefully not for AI,
but if it's used for AI, I mean,
I hope it offers some sort of extra
privacy protection.
Um,
I think one concern a lot of people
have is their prompts being used for
training data.
If it wasn't in a secure SGX, like,
or I guess,
what are they calling this one?
They're calling it the,
the trusted execution environment.
Fully homomorphic encryption chip in a
trusted security environment or whatever
Nate said.
Yeah, like, yeah, I don't know.
That would be better than people just
giving their data straight to OpenAI.
But I feel like the interest of these
big companies is not in protecting
people's privacy.
They like to slurp up your data for
training.
Um,
So I'm not sure, this can maybe become
more popular on like a niche product like
Proton,
but I don't think OpenAI or Google
Gemini is gonna sacrifice their speed,
their processing power just for, you know,
protecting their people's private,
the user's privacy.
I don't think.
Yeah, I mean, not to be overly optimistic,
but I think the thing that makes me
excited about this kind of stuff is that
it's another step forward, right?
Like, yeah,
it's still not ready in this state.
It's still too slow, and there's...
What did they say at the end here?
Uh...
For FHE to take off,
there needs to be support at all levels.
And then there's a company that focuses
more on the software side of things.
There's another company that's looking to
move away from the limits of traditional
computers and utilize photonics,
computing with light to speed up FHE even
more.
So there's still a lot to be done
and different people trying to tackle it.
I think...
What I like about it is just the
fact that it is a step forward because
FHE, yeah, I mean, it's,
I think we both kind of said the
same thing that like,
there's no guarantee that companies will
use this.
And Freya did even specifically mention
like AI, you know,
maybe they said it could be the case
that in a few years,
it'll be the norm to make a fully
end-to-end encrypted query to Google or
ask ChatGPT for dinner ideas in a
fully end-to-end encrypted manner.
But even if we get to a point
where it's like, yeah,
the resource usage is minimal,
the speeds are minimal,
this is totally economically feasible,
will it still be economically feasible for
the company who collects all your data?
Which at that point, I think,
this is kind of a different discussion,
but I think some...
I think there has been a rise in
people caring about privacy.
You can tell in the marketing.
Everybody's always trying to like, oh,
we care about your privacy with this
product, even if they don't.
They say they do.
We give you the option to opt out.
We don't train on your prompts.
Companies say that stuff,
which to me tells me that there are
people who
are concerned about this stuff and maybe
don't know as much as they should.
Maybe don't understand what the company's
lying when they say that or how to
tell if the company's lying.
But the point is,
I think there will be some people who
like, you know,
for all the crap we give Apple,
I could totally see Apple if this became,
again, economically feasible,
Apple being like, yeah, let's do this.
And it's like,
Now that Apple's doing it,
Google's got to keep up or somebody's got
to keep up.
So they'll always try to find a way,
just to be clear,
they'll always try to find a way to
do the bare minimum.
So even if Apple or anybody,
if anybody were to roll this out,
there will be other companies who are
like, yeah,
we encrypt your stuff at rest and we
say that it's encrypted.
We already see that right now, right?
We see that with Apple.
like companies saying, oh,
we secure your stuff with military grade
encryption, which means nothing.
And it's just a marketing thing while
they're doing the bare minimum.
It's like, yeah,
you use passwords and TLS.
Nobody's impressed.
But I don't know.
My point being is it's definitely a
different set of obstacles to get over,
but it's still nice to see
that this is taking steps forward, um,
and even becoming an option in the first
place,
because that's really the first step,
right?
Is this has to be usable so that
people can use it.
And then hopefully from there it'll become
adopted.
But at that point we're speculating and my
crystal ball is currently in the shop.
So I cannot predict the future.
Yeah, but yeah,
that's pretty much all I had to comment
on that one.
I mean,
hopefully that is a useful discussion for
you to understand it a bit better.
I hope we explained it well enough and
at least cut through some of the hype
because it definitely is a little bit hyped,
I think.
But yeah.
Yeah, definitely.
It's a complicated topic.
So we like severely dumbed it down,
but hopefully that did help.
But I think that's everything we had for
this week.
So thank you guys for watching.
All the updates from This Week in Privacy
will be shared on the blog every week
that we just talked about.
So go ahead and sign up for the
newsletter or subscribe with your favorite
RSS reader if you want to stay tuned.
If you are an audio listener,
we have this podcast available on audio
platforms,
all podcasting platforms and RSS as well.
And the video itself will be synced to
PeerTube, so stay tuned for that.
Privacy Guides is an impartial nonprofit
organization that is focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
then you can make a donation on our
website, privacyguides.org.
To make a donation,
click the red heart icon located in the
top right corner of the page.
You can contribute using standard fiat
currency via debit or credit card,
or you can donate anonymously using Monero
or your favorite cryptocurrency.
Becoming a paid member unlocks exclusive
perks like early access to video content
and priority during the This Week in
Privacy livestream Q&A.
You'll also get a cool badge on your
profile in the Privacy Guides forum and
the warm,
fuzzy feeling of supporting independent
media.
Thank you all so much for watching,
and we will be back next week.
See you next week.