Episode 58 - The Price Of Being Watched

Episode Details

Show Notes - https://forum.closednetwork.io/t/episode-58-the-price-of-being-watched/198

Website / Donations / Support - https://closednetwork.io/support/

BTC Lightning Donations - closednetwork@getalby.com / simon@primal.net


Thank You Patreons & Direct Supporters! -

https://www.patreon.com/closednetwork

https://xmrchat.com/closednetwork

Direct Support - https://closednetwork.io

Subscribe Without Patreon - https://closednetwork.io/#/portal/signup

  1. Michael Bates - Privacy Bad Ass
  2. David - Privacy Bad Ass
  3. TK - Privacy Bad Ass
  4. Trying - Privacy Bad Ass
  5. VO - Privacy Bad Ass
  6. MrMilkMustache - Privacy Supporter
  7. Hutch - Privacy Advocate
  8. Inferno_Potato - Privacy Supporter
  9. Dolores Y - Privacy Supporter

Direct Support - Craig D

Thank You Producers! You Produce This Show!

TOP LIGHTNING BOOSTERS !!!! THANK YOU !!!

  1. @bon - thousands and thousands and thousands of sats!!
  2. @fireflygow - 5,000 sats!!
  3. frigolay - 34,540 sats.. HOLY SHITE
  4. wardemoff - 5,000 sats
  5. Silas Thornbrook

Thank You To Our Moderators:

Unintelligentseven - Follow on NOSTR primal.net/p/npub15rp9gyw346fmcxgdlgp2y9a2xua9ujdk9nzumflshkwjsc7wepwqnh354d

MaddestMax - Follow on NOSTR primal.net/p/npub133yzwsqfgvsuxd4clvkgupshzhjn52v837dlud6gjk4tu2c7grqq3sxavt

Join Our Community

Closed Network Forum - https://forum.closednetwork.io

Join Our Matrix Channels!

Main - https://matrix.to/#/#closedntwrk:matrix.org

Off Topic - https://matrix.to/#/#closednetworkofftopic:matrix.org

SimpleX Group Chat - https://smp9.simplex.im/g#SRBJK7JhuMWa1jgxfmnOfHz7Bl5KjnKUFL5zy-Jn-j0

Join Our Mastodon server!

https://closednetwork.social

Follow Simon On The Socials

Mastodon - https://closednetwork.social/@simon

NOSTR - Public Address - npub186l3994gark0fhknh9zp27q38wv3uy042appcpx93cack5q2n03qte2lu2 - primal.net/simon

Twitter / X - @ClosedNtwrk

Instagram - https://www.instagram.com/closednetworkpodcast/

YouTube - https://www.youtube.com/@closednetwork

Email - simon@closednetwork.io


Special Thanks to - EloquentWinter for creating - A Linux guide on MAC address randomization

https://forum.closednetwork.io/t/a-linux-guide-on-mac-address-randomization/189



TOPICS

Encourage curiosity - This week ties together a single thread: someone else holds your data, and therefore holds the power. From algorithmic pricing to supply-chain malware to government scanning to cloud-AI assistants — and the hopeful counter-move, taking your data back. The episode theme is curiosity: in every story, one extra question would have changed the outcome.


Segment 1 — Surveillance Pricing

Inspired by More Perfect Union, "We Found the Radical Solution to Surveillance Pricing"

Surveillance pricing (a.k.a. personalized / surveillance-based pricing) = charging you an individual price based on sensitive data about you — purchase history, browsing, geolocation, social activity, even biometric and financial signals. The economic endgame is "perfect price discrimination": charging each person their exact maximum.

  1. DoorDash holds a patent describing promotions based on a user's stress level.
  2. Delta Air Lines (with AI firm Fetcherr) has talked about expanding generative-AI pricing to ~20% of domestic fares, with ambitions to go further. Senators (Gallego, Blumenthal, Warner) and House members demanded answers.
  3. A Groundwork Collaborative / Consumer Reports / More Perfect Union study found different shoppers charged different prices for identical Instacart items. Former FTC chair Lina Khan has voiced concern.
  4. The "radical" fix is a law: New York's proposed One Fair Price Act would ban surveillance pricing outright — one posted price for everyone.

Defensive moves (partial): private/container browsing, blocking cookies, disabling ad personalization, a VPN, and comparing the price you see logged out against the price you see logged in. Caveat: a VPN changes only your apparent location, and nothing in that list hides an account you are signed into, which is the strongest identifier a retailer holds. Honest caveat: this is a structural problem; regulation, not browser tricks, is the real fix.
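
One way to run that logged-out vs. logged-in comparison, added here as an example and not code from the episode or from More Perfect Union: a small POSIX shell script that fetches the same product page with no cookies, with your browser's cookie jar, and with a mobile user agent, then reports the spread of prices seen. The price-extraction patterns, the user-agent strings, the COOKIE_JAR variable and the sample HTML used to exercise it are assumptions of this example, not anything the episode describes.

```shell
#!/bin/sh
# Added example, not from the episode or from More Perfect Union: fetch one
# product page under several client contexts and compare the price each context
# is shown. Assumptions (mine, not the page's): the page carries its price as
# schema.org JSON-LD ("price": "12.34") or <meta itemprop="price" content="12.34">,
# and $COOKIE_JAR is a Netscape-format cookie file exported from your logged-in
# browser (the format curl -b reads).
#
# Usage: price_survey.sh https://shop.example/item/123

DESKTOP_UA='Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0'
MOBILE_UA='Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148'

# Print the first price found in HTML on stdin; print nothing if there is none.
extract_price() {
    grep -oE '"price" *: *"?[0-9]+(\.[0-9]+)?|itemprop="price" content="[0-9]+(\.[0-9]+)?' \
        | head -n 1 \
        | grep -oE '[0-9]+(\.[0-9]+)?$'
}

# Fetch $2 as one of three client contexts:
#   fresh   - no cookies, desktop UA: the logged-out baseline
#   cookies - same UA, replaying your logged-in browser's cookie jar
#   mobile  - no cookies, mobile UA: a different device profile
fetch_html() {
    case $1 in
        fresh)   curl -sS -A "$DESKTOP_UA" "$2" ;;
        cookies) curl -sS -A "$DESKTOP_UA" -b "${COOKIE_JAR:-cookies.txt}" "$2" ;;
        mobile)  curl -sS -A "$MOBILE_UA" "$2" ;;
        *)       echo "unknown context: $1" >&2; return 2 ;;
    esac
}

fetch_price() {
    fetch_html "$1" "$2" | extract_price
}

# Print "min max" of the prices given as arguments.
price_spread() {
    printf '%s\n' "$@" | LC_ALL=C sort -n \
        | awk 'NR == 1 { min = $1 } { max = $1 } END { print min, max }'
}

# Survey one URL across all contexts; a non-zero spread is worth investigating.
survey() {
    url=$1
    for ctx in fresh cookies mobile; do
        p=$(fetch_price "$ctx" "$url") || p=
        printf '%-8s %s\n' "$ctx" "${p:-n/a}"
        if [ -n "$p" ]; then set -- "$@" "$p"; fi
    done
    shift                       # drop the URL; what remains are the prices seen
    if [ $# -gt 0 ]; then echo "spread: $(price_spread "$@")"; fi
}

if [ $# -gt 0 ]; then
    survey "$1"
else
    echo "usage: $0 URL" >&2
fi
```

Run it once on your normal connection and once over a VPN to add the location dimension. Identical numbers do not prove you are not being profiled (retailers also fingerprint the browser itself); a spread between the fresh and cookies rows is the signal the episode is talking about.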

Curious question: Is this price the market — or is it me being read?

Segment 2 — "Arch malware btw": the AUR supply-chain attack

Inspired by Michael Tunnell and Switched to Linux — developing story, June 2026.

The Arch User Repository (AUR) hosts community-maintained, unvetted package build scripts (PKGBUILDs): anyone can publish, and nothing is reviewed before it goes live. In a ~24-hour window, a coordinated attack poisoned a large number of packages; reports cite 1,500+ touched, with community trackers confirming ~400–500 malicious package names and rising.

How: Attackers adopted orphaned packages (abandoned by their maintainers; anyone can claim them) and edited the build files to add a pre/post-install hook (the functions in a package's .install script) that pulls a malicious npm package, atomic-lockfile (Sonatype tracked one strand as the "Atomic Arch" campaign).

Payload: a Linux infostealer plus an optional eBPF rootkit that is only deployed when the payload runs as root (loading the kind of eBPF programs a rootkit needs requires root-level capabilities). It targets developer secrets: browser credentials/cookies, SSH keys, GitHub credentials, Vault/npm tokens, Docker/Podman, VPN configs, shell history, Slack/Teams/Discord/Telegram, crypto wallets. The eBPF component runs in kernel context, where it can hide its processes, files and network connections from ordinary userland tools (ps, ls, ss).

If you were hit and the rootkit deployed: treat every secret that lived on the machine as stolen, rotate all of it from a clean machine, and reinstall from known-good media. A normal uninstall is not enough.

Status: Maintainers are removing malicious commits and banning accounts. The official repos of Arch-based distros (CachyOS, Garuda) and the Chaotic-AUR prebuilt binary repo were not infected; only users who installed or upgraded a compromised AUR package during the window are affected. A community checker script and an affected-package list were published within hours.

Action checklist (Arch users):

  1. pacman -Qm → list your foreign packages (installed but in no sync database: AUR builds and anything you built by hand).
  2. Compare that list against the community affected-package list, or run the checker script (CachyOS advisory). Also open the PKGBUILD and .install files your AUR helper cached for anything you installed during the window.
  3. If matched → rotate credentials from a clean machine, then clean-reinstall.
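
The checklist above as a runnable script, added here as an example; it is not the community checker script and not from the CachyOS advisory. It intersects pacman -Qm with an affected-list file and greps the build files your AUR helper cached (PKGBUILD and .install) for the indicator the episode names (an install hook pulling atomic-lockfile) plus generic download-and-run shapes. The affected-list format (one name per line), the PACMAN_QM_OUTPUT override, the cache paths in the usage line and the demo package names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the community checker script and not from the CachyOS
# advisory: cross-check pacman's foreign-package list against a file of affected
# package names (assumed format: one name per line), then grep the build files
# your AUR helper kept for the indicator the episode describes (an install hook
# pulling the npm package atomic-lockfile) and for generic download-and-run
# shapes. Cache paths below are typical yay/paru locations, given as examples.
#
# Usage: aur_check.sh AFFECTED_LIST [BUILD_DIR ...]
#   e.g. aur_check.sh affected.txt ~/.cache/yay ~/.cache/paru/clone

# Names of foreign packages (pacman -Qm: installed but in no sync database, i.e.
# AUR and hand-built packages). PACMAN_QM_OUTPUT, an assumption of this example,
# replaces the live query so the logic can be exercised where pacman is absent.
foreign_packages() {
    if [ -n "${PACMAN_QM_OUTPUT:-}" ]; then
        printf '%s\n' "$PACMAN_QM_OUTPUT"
    else
        pacman -Qm
    fi | awk 'NF { print $1 }'
}

# Names on stdin that also appear, as a whole line, in the affected list $1.
match_affected() {
    grep -Fxf "$1" -
}

# atomic-lockfile and the npm pull come from the episode; the curl/wget
# pipe-to-shell shapes are generic indicators added here. Node packages on the
# AUR legitimately run npm, so every hit is something to read, not a verdict.
INDICATORS='atomic-lockfile|npm +(install|i|exec) |npx +|(curl|wget) [^|]*\| *(ba|z)?sh( |$)'

# file:line:text for every indicator hit in PKGBUILD and *.install files
# under the given directories; exits non-zero when there are none.
scan_build_files() {
    find "$@" -type f \( -name PKGBUILD -o -name '*.install' \) \
        -exec grep -nE "$INDICATORS" /dev/null {} +
}

run_check() {
    affected=$1; shift
    echo "== installed foreign packages on the affected list =="
    hits=$(foreign_packages | match_affected "$affected") || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "MATCH: treat secrets on this machine as stolen; rotate them from a clean machine, then reinstall from scratch."
    else
        echo "(none)"
    fi
    if [ $# -gt 0 ]; then
        echo "== indicator hits in cached build files =="
        scan_build_files "$@" || echo "(none)"
    fi
}

if [ $# -gt 0 ]; then
    run_check "$@"
else
    echo "usage: $0 AFFECTED_LIST [BUILD_DIR ...]" >&2
fi
```

A clean result from this script only means the package names and cached build files you still have show nothing; if the helper already pruned its cache, or the rootkit deployed and is hiding files, it cannot tell you that. Use it to decide quickly whether you are in the "rotate and reinstall" group, not to declare a machine clean.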

Curious habit: Before installing, ask who maintains this, when did it last legitimately update, and did ownership recently change? On the AUR, read the PKGBUILD — the malicious line was visible to anyone who looked.

Segment 3 — UK Device Scanning: 90 Days to Comply

Inspired by "Signal's Warning: The UK's Phone Scanning Plan Just Got Real"

The UK government signaled that phone makers (Apple, Google) will get ~90 days to start scanning photos on young people's devices for nude images. Running alongside: Online Safety Act powers for Ofcom aimed at encrypted messaging (key report expected ~April). The mechanism: client-side scanning — every message/image checked on your device, before encryption.

Why it matters: Client-side scanning doesn't break encryption directly — it inspects content before the lock clicks shut. The "end-to-end encrypted" label survives, but the privacy guarantee (nobody is looking) is gone.

Signal's position: scanning won't protect children and builds surveillance infrastructure that "endangers us all."

  1. Security: once scanning exists on every device, the match-database can be expanded — swap it and you're scanning for slogans, documents, faces. Signal would withdraw from the UK rather than build a backdoor. Mullvad raised parallel alarms.
  2. Misdiagnosis: real child safety = better-funded education, social services, AI-platform guardrails — not default scanning. Rallying phrase: "Surveillance is not safety."

Bigger picture: This is a template (cf. the EU's "Chat Control"). Sympathetic justification + a mechanism that, once built, can point anywhere.

Curious question: Not "is the goal good?" (it usually is), but "what else can this machine do once built, and who decides what it points at next?"

Segment 4 — iOS 27 at WWDC: the Privacy Fine Print

Apple WWDC 2026 keynote coverage.

Genuine wins: New Siri AI (next-gen Apple Intelligence) uses a tiered architecture — simple requests on-device, moderate ones via Private Cloud Compute (inspectable, hardened). Plus stronger family safety: child-account setup, parental controls, redesigned Screen Time, new Safari safeguards.

The fine print (two concerns):

  1. Total context access. Siri AI indexes across your messages, emails, photos, and apps — a unified, queryable view of your whole digital life. Conversation history syncs via iCloud ("with privacy protections"), but strength depends on whether you've enabled Advanced Data Protection (Apple's E2EE for iCloud — not on by default).
  2. New Google dependency. Apple made its Gemini partnership official: the heaviest reasoning routes to Google Cloud. Apple says queries are anonymized and tokenized so that neither Apple nor Google can link them to you (Federighi: "privacy in AI is non-negotiable"). Critics counter that PCC and anonymization are "only as private as the weakest link": if Google retains any path to usage data for training or debugging, the guarantee weakens.

Takeaway: Apple's defaults are still among the best of the mainstream — but don't let "privacy" in a keynote switch off your curiosity. On update: review Siri AI indexing settings, turn on Advanced Data Protection, and understand where your hardest queries travel.

Curious question: A magical assistant that knows everything about you is, by definition, a system granted everything about you. Did you make that trade on purpose?

Segment 5 — Self-Hosting 101: What to Migrate First

Original recurring segment — Part 1 (scope). Part 2 next week: hands-on photos build.

Self-hosting = run the services yourself, on hardware you own, instead of renting space on a company's servers. It's the deliberate counter-move to every other story this week. Honest caveat: you become your own IT department (backups, updates, downtime). Don't eat the elephant at once — scope first.

The five candidates (ranked by impact-to-effort):

  1. Photos — highest emotional and surveillance value (faces, locations, timestamps). Self-host with Immich (Google-Photos-like: app, auto camera-roll backup, face/object search). Difficulty: moderate; biggest single win.
  2. Calendar — a forward-looking map of your life. CalDAV via Radicale or Nextcloud; syncs to your existing calendar app. Easy–moderate; great first project.
  3. Contacts — your social graph (everyone else's data too). CardDAV on the same Radicale/Nextcloud server — bundle it with calendar. Easy.
  4. File backups — documents and digital paperwork. Often Nextcloud.