Maze Brothers
What is happening, everybody?
Hope everyone's doing well out there.
I can't even think about it. I've been up, oh man. Straight to it, no ring around it. You coming for me? We'll see about it. There is a lot to catch up on, and this is my first episode of February. I'm trying to maintain that two episodes per month and slowly increase, and so far I have not done that well this month at all. So today's recording is Thursday, February 26th, 2026, barely, almost two full months into the new year, and it is not disappointing, that's for sure. So I've got a lot to cover. My initial plan, what I had kind of spec'd out for this episode, was really focused on the OPSEC fail with the Epstein debacle, with the Epstein files, but I actually wrote quite a long piece that I'm going to get to in this episode, hopefully, on top of all the other craziness going on.
And, you know, I've just had a lot going on the last couple of weeks, and I also got really sick. So it's just been, you know, life stuff. And so I really wanted to be able to take the time and sit down and record the episode specifically on the OPSEC failure with the Epstein stuff. So I'm going to get to that. And I'm also going to try to get to some of these other important things. If you're in the United States, one specifically is Senate Bill 26051. It's the age attestation on computing devices. And I'm sure you've probably heard about that. It's already starting to roll out and hit the news. So I'm going to cover that. I'm going to cover some other things, between GrapheneOS updates I've been testing in the alpha channel with Google Messages and RCS. I'll be talking about iOS 26.3 updates, and then also what's coming right now in the iOS 26.4 beta. There have been some popular password managers that fell short of a zero-knowledge audit by ETH Zurich that I want to touch on. I think it's important to at least highlight, as well as watching out for friends that might be sharing your information, specifically your phone number, with ChatGPT. If I can get to it, some information around BitLocker and the FBI, but that might be old news. I don't really need to cover that. All of the links will be in the show notes. You should be able to click a hyperlink, hopefully, in the show notes, but if not, you can always go to the website and go to the forum, and the show notes are there. So yeah, I've got a lot to cover, and hopefully it's not too crazy.
So we're going to touch a little bit on the OPSEC failure, why decentralized systems are a threat to power networks. We're going to talk a little bit about age verification and what that looks like, what it looks like today, and what it looks like potentially over the course of several months, or this year, in the coming years. So it should be kind of jam-packed with a lot of hopefully viable information that will give you some sort of direction on what pathways you're looking at taking. So yeah, that's the show, episode 52, OPSEC Fail: Epstein Files, on why decentralized systems are a total threat to all networks. So yes, stick around. We're going to kind of get into the weeds on all of that. This show is fully and totally supported by myself and you all, the producers of the show. To those who know who I'm stealing from, in the morning to you, and thank you for your courage, because this model has been working out quite well for this podcast, for this project, and I plan to keep it that way, which means we don't take any sponsorships. There's no advertising. I'm not peddling anything. If I talk about something or if I recommend something, it's because it's coming from experience, not because there's any monetary benefit for me to do so. So because of that, I'm going to take just a minute to thank the people who contribute to the podcast and the whole project of what Closed Network is, and those are either through Patreon or Lightning, aka Bitcoin, donations. So I want to take a moment and thank those individuals. So starting at the top here: Michael Bates, Privacy Badass Tears, Michael Bates, David, Inferno Potato, which I just love saying, for whatever reason it just cracks me up, as well as TK and V-Zero. And then coming in, privacy supporters Mr. Milk Mustache and Hutch. Top Lightning boosters: Bond, SN at X, Firefly Go, Wartime, Unknown Anonymous, and Triple B. Thank you, thank you for all of that support, and if I missed anyone, let me know.
I have received several emails over the last couple of weeks which I will get back to you on. Some of them I've already replied to, some of them I still need to, and I was out of town the last few days, so I'm catching back up again. I've been out of town a handful of times, for a week here and there for work, and so I'm just, you know, catching back up, and I will get back to you. I don't want you to think that I don't care, because I do. Most of those are link requests to our super secret Signal chat. So we do have a Signal chat. It's pretty small. We still also have a SimpleX chat group, which is, you know, fairly active actually. As I pull my phone out and log into it, there's probably messages. There are. There are 15 messages in there I haven't read yet, as well as our Matrix channels. Those are our most popular places. Currently, we have about 430-some-odd people in our main channel and two or three hundred people in our off-topic channel. I can't even keep up. I've got Matrix up on my laptop, which is currently locked here, so I normally do look at that in real time. But if you want to engage and connect with other people that are kind of just trying to do the same thing, minimize the attack surfaces, increase their operational security, aka OPSEC, evaluate what their threat models are for themselves, for their family members and friends, and figure out how they can protect them from things. I actually anecdotally just have a story that my mom was telling me: a friend of hers who was getting duped and scammed, buying gift cards, that kind of thing. There's so much spam and scam and malware. I actually had another buddy of mine text me last week: a family member of his who is a CPA had gotten malware and it locked the files. And there's like tax information, personal information. I mean, just, you know, you can never be too careful with what you click on. And sometimes it's just taking an extra moment to look at that email, verify who the sender is, checking the domain and trying to authenticate as much as you can that that person is the person they say they are. And also checking those attachments and making sure that you're not, you know, creating an opportunity for someone to exploit something on your system, especially if you have financial records or it's a work machine. And, you know, the best tool you have to use against these things is your brain and your intuition and your gut feeling. So I kind of act on the kind of mindset that everything's a scam, that almost just everything in my inbox is potentially something that, you know, either gets my attention to something that I don't really care about or to click on something or respond or something. So I find myself not even entirely using the unsubscribe links from mailing lists, because obviously there are some known ones that are pretty reputable, whether it's sent to you through Mailchimp or Constant Contact or some of these other things. But a lot of times it's not, and it kind of looks a little sus. You know, my ticket is just some weird page and you're supposed to enter your email address. It should automatically be able to unsubscribe you from those links. So I use the move-to-spam feature quite a lot and just kind of, you know, forget about it.
So yeah, and that's kind of interesting, because that kind of leads into one of the big topics of this episode, which is the operational security fail, and I'll get to that here in just a few minutes. But I do want to say, if you want to join the chat rooms, if you want to communicate with other people, the easiest way right now, we're still using Matrix, and we're using the matrix.org server, so we're not self-hosting that right now. Just set up an account. You can download a popular Matrix client. Element is kind of a popular one. It's not necessarily the one I'm saying you should use forever, but it's a great way to dip your toe in, and it's kind of like using Discord but without the corporate big tech invasion into it. Matrix is a protocol, and you can host your own server, and it's kind of a big alternative to tools like Discord. So that's what we use for our primary form of communication, and we do have a couple of sub-chats that are, like I said earlier, in SimpleX as well as Signal. So feel free to hit me up or chime into the group conversations, introduce yourself, and yeah, you can engage. I also have been trying to spend more time on Mastodon and less time on X. I'm trying to eventually just kind of get away from X, but it is a channel or a platform where there are a lot of conversations happening to kind of get people to realize that there are alternate ways of doing things without just relying on, you know, big tech companies to solve a lot of their problems. Because those conversations happen there and they're not necessarily happening in places like, you know, Mastodon or whatever, I kind of feel like once people wake up, then they migrate to other, you know, other tools or protocols. So yeah, if you're on any of those platforms, Mastodon, Nostr, Matrix, hit me up. Feel free to always shoot me an email, simon.closednetwork.io. And that's, yeah, that covers that. So I'm going to get right
into it. I think this story is probably the newer one and most important. This has just been within the last 48 hours that Apple, and apparently Google as well, but Apple is launching new tools to comply with the growing number of age verification laws, both in the U.S. and internationally. So as part of those changes, Apple's going to block downloads of apps rated 18-plus, starting in Brazil, Australia, Singapore, while also rolling out other features to comply with laws in specific states inside the United States. So starting out in Utah, Louisiana, and this is probably just going to be a setting that just gets turned on as more states or countries want age verification. And I know a lot of people are saying, well, you know, age verification for 18-plus, right? Because they put the words kids and 18-plus in the same paragraph. And it looks like, well, this is common sense, right? But it's so much deeper than that. Because number one, this is overstepping in parenting. I've mentioned this several times before: there are so many parental controls baked and built right into these operating systems, specifically talking about Android and iOS, as well as, you know, other games and other things too, Steam and, you know, all these different things. I mean, it used to be going to GameStop. If you're under the age of, I think it was 17, you know, you'd have to have your parent buy you the game. And so it's kind of like removing the whole parental component from this, and it's like forcing tech companies to do it. But now they also then get to determine at what point, and this can change, what is deemed necessary or what is deemed an adult app. Now you say adult app, you probably think adult content or dating apps or things of that nature, but this could easily become targeted towards communication applications like Signal or Telegram or any other kind of communication tool. It could be anything that's deemed violent, like a video game, like a mobile video game or something, where it's going to require an age verification. Now Apple says that they're going to use some tools to determine the age of the accounts and whether or not the accounts are tied to a credit card, to basically count as the age verification,
which is better than having to do a selfie with your ID or scan your ID and have that uploaded into God knows where, and for how long, and who has access to it. We saw this big Discord breach that happened four or five months ago, right after they rolled out age verification. They had 70,000, and it wasn't directly from Discord, it was through the third party that was doing the age verification for Discord. But again, how quickly that turned into a bad situation for a lot of people who had uploaded their IDs and took selfies, and all this personal information is now just exposed and will undoubtedly end up in clearnet forums and darknet forums and things of that nature. So this might be a little bit better than having each individual app or app developer put the burden on them, rather, you know, because, at least in my opinion, Apple and Google probably have much better security protocols and also already do verify people by credit card transactions, for microtransactions, for buying apps and subscription services and things of that nature. So maybe it's a little better, but this is all still leading towards a very dystopian pathway, which is: you buy hardware and you can't use that hardware the way that you want to use it. You have to use it the way they tell you to use it, and you have to dox yourself, even if you didn't even intend necessarily to use anything adult related. It's just that in order to get apps you have to create an account, you have to give them your phone number, you have to give them a lot of, you know, very unique information that's like a primary key associated to you and your identity, which then allows a better point of accuracy for tracking your movement, your transactions, who you connect with, who your contacts are, and all these different things. So this is just that slow drip that we've seen, you know, really since COVID, with, you know, vaccine verifications and all these different things. And now it's just rolling into, kind of like, well, let's just do it for everything. And this started in the UK pretty heavily, and it's been spreading out very quickly around the world. And now in the United States, I think, when I was looking last month, there were almost 25 states that either had laws now passed or proposed bills that will likely pass, all to do with protecting children: age-verify everyone. And this is, you know, even further in other countries, which are more extreme when it comes to the banning or use of virtual private networks, VPNs, things of that nature. Now it's actually getting into the OS and into the apps, literally everything. So there's an article
I'll post in the show notes to a TechCrunch article. It says, in addition, Apple will block users in Australia, Brazil and Singapore from downloading apps rated 18-plus starting today. And that was, this article was February 24th, so two days ago from the recording of this episode. Until they confirm they are adults, it says. In this case the App Store will perform the age confirmation automatically, but Apple notes that developers may still have separate compliance requirements they need to meet. Also, developers whose games contain loot boxes, a gambling-like mechanism that lets players spend money for a random chance at in-game rewards, which lawmakers believe should not be available to kids, and, you know, we'll see, will have their apps' age ratings updated to reflect 18-plus. So even if it's a video game that has these types of microtransactions, or the ability to pay for an opportunity to get some sort of reward, that is considered gambling, so now that falls right into the 18-plus audience block. Brazil specifically, it's saying that, you know, it's definitely going to do that, and that will likely trickle out to other places around the globe. And in the U.S., new users in Utah and Louisiana will soon have their age categories shared with developers' apps through the Declared Age Range API as well. So the company said it has expanded its, you know, other tools around the age ratings and permissions to meet the compliance obligations. So it sounds like they're maybe trying, what's this, you know, this Declared Age Range API is a way maybe for developers to use the API to check with Apple, to find out if the person has already been age verified, to maybe then not require the developer of the application to have their own age verification. So we'll see. This probably is also because parents who have control over their kids' phones, set up through like Screen Share or Screen Time or whatever it's called, they'll probably be able to use that API check. If the parent, you know, types in their passcode, it probably will unlock it to say yes, this is okay, or yes, this is authorized. But oh man, this is just a big slippery slope, and I'm not really looking forward to how all this plays out, because to me it's almost like we're probably only a couple of years away from any new mainstream device that you buy having to basically dox yourself to the device from the moment you set it up, just to use the device, because of all of these gatekept, centralized ways of getting applications to the device. I mean, almost every device has now been kind of pushing end users into using their centralized app stores, right? If you buy a Mac or you buy a Windows computer, I know we don't even talk about Linux, that's a totally different thing, but I mean, if you just go to the store and you buy a laptop,
From the moment you turn it on and start setting it up, they're really pushing you to create this online identity and online account.
And then that will be tied to that machine, be tied to the user, and it basically can record everything from the inception or the setup of that device until it's no longer in use, everything it's done.
And I just feel like that's like a really big privacy attack because it's basically snooping on you from the very beginning.
Like in your thoughts, your journal, I mean, they're shoehorning Copilot into the Notepad app, into everything.
The AI stuff is basically just big on-device scanning.
So it's like, can you not just journal and not have it completely scanned?
Or do your finances and do your budgeting and all that?
I mean, can you not just use a personal computer for it to be personal?
And it doesn't seem like...
That's really the end game here.
The personal computer will become the rented computer.
It's just basically you're buying the device, the hardware,
to basically then pay the subscription fees
and have your life essentially housed for you
by these companies that get to change their terms of service,
change their privacy policies at whim,
whenever they want to do that.
So these are the types of things we've been talking about for a very long time.
And I've been really kind of for myself and my pathway,
my journey, I call it, is pushing for self-hosting as much as I can.
My data, my photos, my contacts, my calendar, my media,
everything is in my domain.
It doesn't live on someone else's server
because the cloud is just someone else's server.
That's all it is, right?
It's another server someone else owns somewhere that they're root on, or they're the administrator on, and you just get a user bucket, you know, and everything you do is basically looked at, scanned, cataloged, and can be held hostage for payment if you stop paying those subscription fees. Whether it's Google or Apple or Microsoft, it doesn't matter, they're all in the game, because they have to. They have to basically comply with these laws that are being pushed. Some of these tech companies have been pushing back, especially Apple. I mean, I'm not a huge fan of big tech, but Apple at least has been trying to put up some resistance to this age verification, and it seems like they do want to try to maintain their reputation for what they consider to be private for their users. And obviously, if you listen to this podcast, or you're part of this community of privacy- and security-focused individuals, you know that that's mostly marketing. It generally is all marketing. But I don't want to take away from some of the things that they've actually done that do actually benefit their end users. I have said many times online, publicly on X and things like that, yeah, GrapheneOS is my mobile device OS of choice, Linux is my desktop operating system of choice. I know Linux is not an operating system, it's a kernel, but you know what I'm saying: a Linux distribution is my choice for a computer, right, my laptops and my desktops. But Apple is probably, ironically, the best worst option. If you had to just go with either vanilla Android or vanilla iOS, or a Mac computer versus a Windows computer, I would definitely go Apple at this point if those were my options. Like, if you're not a super tech-savvy person, that would probably be a better, safer route. Try to do as much as you can offline, not use iCloud services, not use iCloud storage, enable Advanced Data Protection on your mobile devices, which would theoretically, you know, create some end-to-end encryption for all of your files, basically everything that you would use minus your contacts, your calendar and your email, so your photos and things of that nature. But, you know, it's all kind of going down a crapshoot, right? I've made a reference to, like, you know, a dumpster fire rolling down shit mountain is essentially what this is kind of turning into. It's just some of us are going a little slower or faster depending upon which ecosystem you're in. And so, yeah, I'm also going to touch on, so I kind of want to talk about some nuance, because I know a lot of people have reached out to me who are in similar situations as me, where, well, you know, I have to use these things for work and they're all kind of on one device and I can't really just have multiple devices. And I get it, and I've been trying to balance that out myself, right, because I have my own company and I have direct clients. I also do white-label work for another agency, and I need to kind of be malleable, so I need to be able to work with a lot of different
file types and collaborate within different ecosystems, especially for media, video editing, all that fun stuff. And I've compartmentalized most of my stuff, excuse me, by machine. Like, this machine over here is a work device, I don't do anything personal on it, and this machine over here is my personal machine and I don't do anything business related on it. So I kind of keep those things separate. When I say a device, like, I actually have multiple devices for those silos, and I know that's not practical for everyone, so I also understand, right? So even with my main device, which is currently a Pixel 9 Pro XL running GrapheneOS with different user profiles, I do have that set up so that I can communicate with group chats, because most of these people are in the creative space, they all use iPhones, and so RCS messaging is a big thing for me to work, because otherwise group messages don't always work, and it's getting better. So for those that are in that kind of silo, I want to say I have been running the latest GrapheneOS alpha release and I'm running the latest Google Messages app, and RCS has been working very well. This is because there was a change from Google RCS, like all RCS messages going through Google servers, and now that it's been out and standardized for quite a while, the telcos are actually running their own RCS servers. So, for example, and this is why things have been broken for a long time: before I moved over to the alpha release, I was running the stable version of GrapheneOS and I was running a particular build of Google Messages from like November of 2023 or 2024, I think, possibly almost a year and a half old at a date, because that was the only one that would work and stay connected to RCS. But now, that line is with T-Mobile and T-Mobile has its own RCS server, so in the GrapheneOS alpha release, or at least as of this past week I've been testing it, it's working great. So you can go into Google sandbox settings and enable the, I think it's called ICC connection, and that allows it to talk to T-Mobile's RCS, and everything's been working really, really well. Also, if you are an iOS user, I would highly recommend upgrading your firmware. Just go into your Settings, General, and Software Update and look for the latest software update, which would be iOS 26.3. I would definitely update that immediately, because there are like 39 vulnerabilities that get patched in that. Some of them, like a very serious one, is CVE-2026-2700, where an attacker could execute arbitrary code.
Apple was aware of it, that it's been reported, and apparently it's been patched in iOS 26.3.
Now, this would be a targeted attack, but it's still like a zero-click, zero-day vulnerability
that's been discovered and patched along with like tons of other security fixes.
So I'll have a link to a Forbes article about that iOS 26.3, those issues, along with the link
to the support page for Apple regarding that CVE I mentioned. And also in iOS 26.4 beta,
they're supposed to be, and I haven't installed the iOS 26.4 beta on my iPhone,
but I read the show notes and I saw, or not the show notes, I read the release notes and it looks
like those were linked from a MacRumors article that I will link, which is enabling end-to-end
encryption with RCS chats. Because until recently, I mean, until, unless you're on Android-to-Android RCS,
iPhone to Google Messages RCS was not end-to-end encrypted, the way I understand it. You did get the Rich Communication Services, meaning bigger images and video and all that fun stuff, so you got that, but it wasn't end-to-end encrypted. So allegedly this is supposed to fix that. I think RCS is a much better protocol, obviously, than SMS or MMS, because it does get us closer to those people who use those protocols a lot, those ways of communicating, to get to a point where those conversations can be end-to-end encrypted, and that's what's being tested in the iOS 26.4 beta. So anyways, yeah, that was a lot, that was a lot to get out, but those are things that I think are really important to understand, because, I mean, I wish I could live in a world where I just had a normal job sometimes and I could just have one device and have it exactly set up the way I want, with no third-party apps, or no, you know, just use progressive web apps only. But I have a lot going
on. I have a lot of communication with a lot of different parties. I've got banking stuff I've
got to do. There's just, you know, apparel things. And so I use different devices as tools to get the
job done. But I am slowly trying to move even my business tech, right, into a more privacy
respecting kind of network stack or not network stack, but a technology stack, if you will, like
Linux and Graphene OS and all as much open source as I can. And, you know, I don't know when I'm going
to get there. I'm pushing for it. I'm working with stuff all the time. But there are just some things
in the world that require us to play the game in order to participate in it. But there's a lot of
things that we can do to kind of reclaim or opt out. And that's going to be different for
everybody, right? I mean, it depends on where you are in the world. It depends on what kind of government, you know, you live under and, you know, what kind of
what your companies require of you. So, you know, there's a lot of conversations and there's kind
of like this extreme privacy mindset for a lot of things like set up everything in an LLC or in a
trust and register your car and all this stuff. And that is honestly an end game goal for me for
a lot of those things. But you can't do that overnight, especially if you don't have the
means to just do all this crazy stuff. And I don't, the whole point of like doing this was
kind of like starting out at a humble beginning and just recognizing like where your weaknesses
are and start working on those over time. You're not going to get there overnight. You're not going
to get there in a month. You probably won't get there in a year. It's, this is some, you know,
unless you're really, really motivated, but you know, it's, it's challenging and I don't want to
discount that because not all of us have the same kinds of lives. So that's why it's,
I talk about this. If I look at my podcast stats, they're largely iOS people, I know. You know, so I am speaking to a large majority of people listening to this podcast. I get some really cool statistical information back from Yellow Ball. Thank you, Josh, aka Side of Burritos, for, you know, building that tool, because it's helpful and it's very privacy respecting. But, you know, when devices pull the feeds or the podcast episodes, it has a user agent, right? Anytime you're on the web, anytime you do anything online, it sends what's called a user agent, which tells you like the device, the browser, if it was an app, what kind of app was it, you know, that kind of stuff. So I'm able to look at these analytics, and I'm always like, well, let me, I'll look at episode 51 right now, and we can actually, they can actually kind of tell you, because, you know, sometimes I will get comments like, why do you only, why do you talk about that kind of stuff? Well, episode 51, almost 40% of you all that listen to this podcast, 40% are on iOS. I mean, that's a huge number. Yes, you know, second, first is Android. Android is number one, right? Then it's iOS, then it's other and unknown and that kind of stuff. But, I mean, you know, if you're listening to this, good chance you're one of those iOS people. So I really want to impress upon, hey, keep your stuff updated. And these are the changes that are coming out that kind of impact, like, you know, oh, and just so you know, mobile apps make up like 74% of people who listen. Well, that makes sense. Most people use podcast apps to subscribe to their favorite podcast. And then the rest is like listening through the web or something like that. So anyway, that's why I talk about iOS so much, because there are a lot of you out there.
That's totally cool. I'm glad you're here. I'm glad you're listening and soaking up this
hopefully useful knowledge. Don't forget to update your phones. So, in the topic of
falling short, there is some interesting news that came out about password managers. And these
were opt-in to a security audit from a company called ETH Zurich. And I'm actually looking at
a blog post on the Bitwarden website because Bitwarden is a password manager that I use for
work stuff and shared vaults and things. Of course, I have private passwords I keep offline in KeePass
and some version of KeePass XD or other flavors of applications. So, this is an article that was
actually published 10 days ago on the Bitwarden website about the security through transparency
kind of thing that they have. And there was malicious server scenarios that were found within this
audit by this ETH Zurich company. They proactively tested Bitwarden core cryptography operations
against the hypothetical event, right, of some sort of compromised server. Well, you know,
this is important. These are good things to test. Our password managers and our vaults are probably
the most important thing to us to keep secure. And so how we store, you know, and how much we're
trusting if you're using a cloud-based like Bitwarden, LastPass, Dashlane, 1Password,
or these different service providers, it's important to understand where those vulnerabilities
lie. And I actually found a really good recap of this by Nate over at Privacy Guides on their
Privacy Shorts YouTube channel. So I'd like to just play this for a few minutes because he does a
really good breakdown on what these claims are, the password managers that were tested, and where
they failed. And I, you know, I agree with him that Bitwarden seems to be the most proactive,
the first out there that is honest about talking about these scenarios and what it means. But yeah,
just give this a quick listen. Three popular password managers fall short of quote unquote
zero knowledge claims. So this came from researchers at ETH Zurich. They did audits
with permission of Bitwarden, LastPass, and Dashlane. In controlled tests, the team was able
to recover passwords and tamper with vault data, challenging longstanding zero knowledge encryption
claims made by vendors. And then the findings were published in a technical paper and disclosed to
vendors under a coordinated 90-day process. Unfortunately, Bitwarden did the worst. They
had 12 attacks against Bitwarden, seven against LastPass, and six against Dashlane. Bitwarden and
Dashlane have fixed most of these. LastPass is working on fixing them. So Bitwarden, I personally
found their blog post to be the best because they did actually give a full explanation of
all 12 vulnerabilities. I believe that they said all of them were medium or low impact.
Products like Bitwarden, Signal, Proton. In theory, the way these products are designed is that
it doesn't matter if the server
is malicious because everything happens on device. Everything is really secure. And the server being
malicious is more kind of like a bummer than an actual problem. And that was not the case here.
Bitwarden did fix nine of them and three of them, I guess the term is they accepted it. They
basically said like, we hear you, we acknowledge it and here's why we're not fixing it. The reasons
they gave made sense in my opinion, like one of them was, uh, they basically said like, we need
this functionality for shared vaults to work, which I hear. But at the same time, all three of them
that they didn't fix, they also said like, we'd be open to looking into this in the future. Why not
just fix it now? Dashlane was a lot less open on their blog post. They said that they did fix some
stuff, but they didn't really give that same detailed breakdown that Bitwarden did. And
LastPass, like I said, they, I think they fixed one of the issues. I think they've got a couple others
that they've got the fixes ready for, but they haven't rolled out yet. And then they've got a
few more that are still in progress. I think this is really disappointing because the idea
of an attack like this is we want to make sure your vaults are protected no matter what. Like
that is the whole point of a password manager is that you can trust this. It's very frustrating
when that is not the case and that does not turn out to be true. I know already there's probably
some of our more hardcore veteran listeners or viewers, they're thinking like, oh, well,
this is why I use KeePass. This is why I use offline password managers, which is great. If
you have the kind of organizational skill to do that, that's fantastic. And I'm totally in favor
of it. But for a lot of people, offline password managers are too much work. And the problem with
security is security requires you to trade convenience, but everybody has a different
threshold of convenience. And once something becomes too inconvenient, they're going to stop
doing it because it's just too much work and it's not worth it. The nice thing about cloud-based
password managers is it's just easy. You know, Bitwarden syncs across every device. It looks
really clean. And the last thing I want to throw in there real quick is 1Password was not audited,
but they went ahead and released a blog post and basically said like, this wouldn't impact
us because they have that, like, a two-password system where you sign up and you, it's not quite
your recovery key, but it kind of is.
I don't know. Either way, the way that they have their setup, they said that this would not have
affected them. And Proton Pass, I don't think has released a blog post, surprisingly, and they were
not part of this audit. So I don't know how they fare. LastPass was sort of downplaying some of the
severity risks of these vulnerabilities that were found by ETH Zurich. They said our own assessment
of these risks may not fully align with the severity ratings assigned by the ETH Zurich team.
The interesting thing to think about here is I don't think we should be trusting LastPass,
especially because in 2022, they basically had a breach which impacted 1.6 million of their users
because they didn't adequately secure their infrastructure. And it also showed that a lot
of the fields in LastPass weren't actually encrypted and were stored in plain text. Zero knowledge
needs to cover every single data field.
It needs to cover metadata.
It needs to cover everything.
Zero knowledge, zero access, all these buzzwords that a lot of companies like to throw around.
They're becoming the military-grade encryption thing that we always kind of make fun of
because it doesn't really mean anything unless the implementation is actually correct.
But I think we should try and center this back on some of the recommendations that we
have on the site.
So we do recommend Proton Pass.
They've been audited.
They've passed rigorous checks from our community members and our staff members to be recommended
on Privacy Guides.
And we also recommend Bitwarden because they're open source, they're transparent, they offer
a high level of security.
And there's a couple of other ones that we do recommend, such as 1Password.
There's also Psono.
And of course, when we move on to the local password managers, there's KeePassXC.
And there's also KeePassDX, which is available on Android.
And we also recommend KeePassium, which is available on iOS.
and macOS. So, I just thought that was a really good brief breakdown, with the right edits, that
kind of just covered what it was. And so if you saw headlines... and this video, this coverage is
eight hours old from the time that you're listening to this, so a very, very recent breakdown.
And yeah, I just thought it was good. So, you know, there's no perfect system. You just have to
do the best that you can, but the more that you kind of use different layers, like email aliases,
or definitely a password manager, number one, and, you know, shielding purchase transaction
information, if you live in a country where you can use Cloaked or MySudo, or excuse me,
Privacy.com, or benefit from... a lot of credit card companies now are allowing users to
generate one-time use credit cards for one-time purchases, things of that nature. The more you
can do that, where you assume or expect that at some point in time your data is going to be
compromised, and if that information was one-time use, or in the case of a password manager you
create a unique password for every login you have, well, assuming that service that you signed
up for has a breach, that password was only ever good on that website. And if you are layering
in email aliases, and a lot of stock operating systems, like I know Apple does for sure, I think
Google does as well, can even create one-time use emails for, like, if you sign up for, you
know, you want to, I don't know, use some cool app to make AI art or whatever, it can create those.
but if you do it yourself, like using SimpleLogin or something like that, you can kind of
control those logins. It makes it even that much more useless to the people who hacked the data
or anyone accessing the data breach to like try to use that email address on anything because you
only ever used it with one service and that password was only good there. So like you can't
be compromised everywhere else. Whereas if you use the same email address for every account you sign
up for, that's kind of like a known identity piece of information. So then it's like, okay,
now they maybe try to do a password reset or they can try different ways. But if it's the more you
can separate those things, the better. So on the topic of guarding your information,
I want to talk about this article on PC Magazine. This came out a couple of weeks ago. It's talking
about watch out, your friends might be sharing your number with ChatGPT. It says, ChatGPT is
getting more social with new features that will allow you to sync your contacts to see if your
friends are using the chatbot or any other OpenAI product. Oh my gosh, kill me now. Like, please
tell me that people are not doing this. And this just goes, this is just more enshittification.
It's just in a much more
accelerated rate of some of these services where it's like, oh, this is free and you can use it
and you can, it solves all these problems in your life. And then all of a sudden it starts
encroaching and adding more stuff in. And before you know it, it's just spying on you like
everything else is. And it says in the article, details are light. The company has not shared
images of what this experience will look like or what it will unlock for users. However,
it has changed its privacy policy to say that the contact syncing will help users, air quotes,
find friends. And it's completely optional. It says, however, even if you don't opt in,
anyone with your number who syncs their contacts is giving OpenAI your digits, your phone number.
It says OpenAI may process your phone number.
If someone you know has your number saved in their device's address book and chooses to upload their contacts, says the company, with a link to the privacy policy.
So if you're the person who syncs your contacts and OpenAI finds an account with a matching number, it suggests you to connect with that person.
Social media sites have been doing this for decades.
If you choose to follow them, that person may receive notifications with an option to follow back.
Please, for the love of God, tell me that they're not going to create a social media platform out of OpenAI.
And I wouldn't be surprised.
OpenAI seems to be not doing so great financially.
They're looking for ways to drive value for their investors because they're definitely not hitting revenue numbers that justify their spend commitments over the next several years and return to their investors.
There's just no way.
So they're looking at doing advertising that's been rumored.
Claude actually poked fun at them during the Super Bowl with one of their ads, specifically
towards OpenAI regarding advertising. So it looks like advertising may be coming very soon. As
that unfolds, I'll keep track. I actually have a couple different accounts submitted to actually
be part of their beta program, so I'm kind of curious to see if that actually takes off or not.
And then now this social stuff is just even more disgusting, right? It's just like, not, yeah,
straight up not having a good time, bro. So anyways, it's just something again to be aware of.
This is another example of why you might have a plan, you might have like a voice over IP
number that you use. And I've mentioned this ad nauseam over several episodes about, you know,
signing up for rewards or, you know, your grocery store and this and that: use fake numbers, use
fake data, or use a pseudo number that you control that's not tied to your real
number and your real contact information, whether your email address, phone number, that kind of
stuff, because all these things get correlated through data brokers. And so it's important to
also have conversations with your people, your friends, your family, and kind of educate them
on like, hey, by the way, if you ever sign up for these services, it's really bad if you upload all
your contacts, because you're giving them all the connections to you, including mine, meaning yours,
right, having this conversation with them. And I don't want these shadow profiles being created on
me, because your phone number is a primary key, right? I mean, typically, for most of us, your phone
number is a number that only you have. So it's only you, it's pretty much guaranteed to be you.
And if people are giving those secrets out, it can kind of start encroaching on your operational
security plan. So be careful who you give your number to, and make sure that you have these
conversations with the people that have your contact info, because I wouldn't want my number
being uploaded into OpenAI. For the love of God, just, just no. So especially when there's
articles like this one, and I'm going to link to it, and I actually wrote up a quick too long
didn't read, a TL;DR, which is labeled as "The Watchers: How OpenAI, the U.S. government and
Persona built an identity surveillance machine that flies, or files, reports on you to the feds."
So this is actually Discord's KYC provider, Persona, is a very naked, very poorly secured
federal intelligence outfit and also a siphon for OpenAI data for them and their partners like
Worldcoin. Yes, Worldcoin.
The most interesting part is that it legit cross-checks a Discord ID check.
This is this Persona company.
That it cross-checks a Discord ID check
actually involves checking your face,
IP address, device signature, etc.
against Chainalysis dossiers
for any partial matches to devices,
people, accounts, names involved
with tracked cryptocurrency addresses.
Deep, man.
Like Palantir Deep type stuff.
So if Chainalysis gets a device signature
and then you verify your Discord on the same device
yielding the same signature,
both FinCEN, Chainalysis, OpenAI,
and basically anyone else knows
your cryptocurrency transactions,
your device signature,
aka knows who your real identity is.
That's how some of this stuff is working.
Okay?
Like...
they're corroborating, they're collaborating this data, I guess, you know,
through all these different back ends, these companies, and this is all tied back to
Persona, who's doing the Discord KYC. So if you have digital cryptocurrency wallets on
the same device and you're using the same device to also KYC yourself, they're pulling all these
different data points together to then also tie it back to transactions through Chainalysis
dossiers for any matches. Why? I mean, you're not a target of investigation, likely, but
this is happening in the background without you being a target. Like, no warrant, no nothing, just
straight up, let's just snoop everything we can and let's see if there's any cryptocurrency
transactions that we can tie back to this ID, all because you KYC'd yourself on freaking Discord. So
if that isn't like a wake-up call enough to, like, how deep these things are going and what's going
on in the background. And I have a link to that article. That was the quick synopsis breakdown of
it. And I was just kind of like, what is going on? So anyway, I will have links to all of that
in the show notes. Feel free to check it out. I have a couple links to some other articles that
are a little dated now, the BitLocker and FBI stuff, which BitLocker is Microsoft's
data encryption for your hard drive if you have a Windows computer. Well, they hold your keys.
Unless you specifically go through a different pathway of setting it up to store them locally,
on like a USB key or something, they house your keys. And yeah, those are being shared with the
FBI. And then there's been some Google patches for zero-day exploits within Google Chrome attacks
this year. So I'll have a link to that BleepingComputer article as well. So I kind of want to
get into this quick, into this age verification component. And then I'm also then going to
cover a little bit about this bill
that's been proposed in Colorado, which is kind of a key thing because if it passes, it's just
kind of like, it's very dystopian and it's very like cringe on the enforcement and penalties
for the violations. And then we're going to cover, um, the Epstein OPSEC failure. So
going back into this, the age signals are basically the new gatekeepers. So there's a new
bill moving through Colorado, SB 26-051. And on the surface, it sounds simple, right? So it's
essentially what the normal rhetoric of protect kids online is. Well, this is going to require
operating systems, and it's not exactly defined in the bill, like how this is going to be done,
but it's going to require operating systems to collect a user's birthday at account setup
and generate an age signal, is what they call it, and then send that signal to apps, which they
say will limit data sharing, and they will allegedly fine violators for this, but we'll see.
And so the bill shifts age verification away from the individual apps and it places it more at
the operating system level. So that means the gatekeeper isn't just the app developers anymore,
it's Apple, it's Google, it's Windows, you know, whoever controls the operating system. So
instead of every app asking your age, your device now becomes the source of the truth, kind of
like, you know, a centralized age oracle or something. So that's almost even worse in some ways,
because at least if you had your OS set up the way you wanted to, and if you wanted to opt in to
age verify yourself to use one app, that'd be one thing, I guess. That'd be up to you to decide.
But now it's just happening from the get-go. If this bill passes, this is how it would look:
you're basically KYC and age verifying yourself from the very moment you're setting up the
computer, like I was talking about earlier. So, you know, it's this consolidated power back to
the operating systems. On the other hand, because it consolidates it there, the operating system
now mediates identity attributes across, like, every application that you install. So one API
call and your age bracket becomes available across all those apps. So maybe that's better, but
I think it's kind of worse. I think it's all bad. And it's supposed to not give, like, your
exact age but, like, a bracket, and I guess that's part of what the age signal is, and that
should be legally binding knowledge for the developer to then authorize you to use the app.
That's the way this
bill reads. So, you know, and once something becomes an API, it's, it's basically becomes
infrastructure. And once it becomes infrastructure, it becomes expandable. So that's, that's where I
look at things where it's like, oh, we're just going to do this one thing, this one time, this
little thing. And now it becomes commonplace. It is the infrastructure. And then the infrastructure
eventually expands into wherever else it can go. So that's what they're saying today, it's used for
age. But what is it going to be used for tomorrow? Is it going to be used to define social credit
scores? Is it going to be used to define, you know, insurance rates? If you like to stay up
late and watch speeding videos, or if you stay up late watching content, your health insurance goes
up, because they know you're not getting more than six or seven hours of sleep at night, you know,
I mean, there's so many things that this leads to. We're seeing this with automobiles.
Automobiles, starting, I think, 2027, I've seen something about this, where they're going to be
instituting all this technology to basically track everything you do and how much you speed.
And could they intervene in the vehicle? Could it detect whether or not you're inebriated and
disable the vehicle? And all these things. And of course they're going to use AI and all this
other stuff to do it. It's not going to be a real human being. There will be errors, there will
be, you know, failures within the tech. It doesn't matter, they're just pushing all this stuff.
And in the bill they say that, you know, minimum information is necessary and it doesn't share
with third parties. It says there are civil penalties for that.
But the deeper question isn't, like, what it says, but what the architecture creates, what this
infrastructure creates, this precedent. Because when identity moves lower in the stack, into the
operating system itself, you're no longer just talking about app compliance, you're talking
about programmable identity. And we're in a world now where every device-level, you know,
control is already tightening. You know, that's what they're going to go after. They're going
to go after this programmable identity, because it will be unequivocally defined, it will be
unequivocally you that's using that device, that operating system. Anyways, it's worth paying
attention to. It's worth paying attention to these legislation bills, even if you're living
somewhere and you're like, well, why do I care about some Senate bill in Colorado, I don't even
live in the U.S., or I don't live in Colorado. Well, you know, when Westernized civilizations
see that these laws work in one country or one state within a country, it becomes a lot easier,
because it's like, well, look, see, they did it, we should do that too. There's this adoption.
So the purpose of the bill requires the operating system providers, such as the mobile device
platform, to implement the age attestation, to attest to the age, right, this attestation
system that signals a user's age bracket to the apps in order to enhance protection for minors,
right? It's all about the kids. So I have a breakdown in, like, different sections. I'm going to
skip over the operating system providers. Well, actually, you know, I'll just kind of run through
a couple of the bullet points. So the operating system providers must provide an accessible
interface at account setup requiring the account holder to enter the user's birthday and age,
also generate this age signal, provide developer access to the age signal through a real-time
API, share allegedly only the minimum amount of information necessary to comply, and then also
not share the age signal with third parties except as required by the bill, right? We believe
all that, sure. I mean, after how many times have we seen, even just recently, big tech
companies settling multi-million dollar lawsuits for violating their own terms of service, you
think they're just going to abide by all this stuff? Hell no, they're going to scoop all of that
information. And then application developers must request the age signal when the app is
downloaded and launched. So just think: downloading the app from the app store on your phone and
opening it, now it's going to do this API call to check your age; treat the age signal as
knowledge of the user's age range across the platforms and access points; and if they have
clear and convincing evidence that the user's age differs from the signal, they must rely on
the updated information. So we don't exactly know what that looks like yet, how that would be
prompted. So this could be, like, a kid trying to circumvent the system, maybe, or maybe there's
a mismatch, or maybe you gave false information and it didn't match the new information you
gave. So what are the enforcement and penalties if violated? Up to two thousand five hundred
dollars per minor per negligent violation, up to seventy-five hundred dollars per minor per
intentional violation, and enforced through civil action by the Colorado Attorney
General, which that's a wide berth. That's a wide berth for what kind of civil action can come
after that. I don't know. Things are just looking pretty grim, looking pretty grim.
And I know a lot of people are like, oh, well, just, you know, it's fine. Just run the Graphene
OS on a pixel. Yeah, I agree. But we have other battles on other fronts that are affecting that
as well with like Google forcing KYC, which is know your customer. They're forcing app developers
to pay a fee and provide their ID and all sorts of other stuff to create an app that can be installed
on Android, even if they have zero intention of submitting it to the Google Play Store.
So this would be happening with the Google Play Protect API, I'm assuming. So let's say right
now, right, and I'm talking about stock Android, but this can impact all Android users
eventually. This impacts F-Droid, this impacts, you know, people who install via Obtainium
directly from GitHub, because if you're installing... a lot of these app developers may not just
develop apps anymore. Number one, they don't want to comply with that, and number two, it kind
of, like, really makes it difficult for anyone not running a de-Googled ROM to install what's
referred to as sideloading applications, because the system is going to block the installation
because the developer hasn't passed all these checks. So it really is gatekeeping on all fronts,
you know, how you can use your device, what applications you can install, and all these
different things. So, you know, I'm not really sure, and I'm not trying to sound too, like,
dystopian and grim, but I mean, this is just the reality of our world
right now, that all these things are happening. And because there's so few options, I mean,
there are options, you know, you could go to a dumb phone and all these other things, but I
mean, there's so few, you know, competitors in the space. It's really run by a duopoly, which is
Google and Apple, at least in the sense of the mobile devices. You know, yeah, you can run a
Linux phone and stuff like that and kind of do your own thing, but for the masses, the masses,
they're all going to be kind of, you know, screwed if all of these things come to fruition. So,
yeah, I want to transition into the OPSEC, the Epstein OPSEC failure, because unless you've been
sleeping under a rock, there's been a lot going on with all of the global elites, leaders, being
named in the Epstein files, which there have been, I don't know how many millions in totality
have been released. I know the first batch was three million. I know there was supposed to be
more. Several of it, a lot of it was redacted. Some of it was actually unredacted by people who
just basically were like, oh, there's just a black line, we can actually, you know, copy and
paste this and actually read this stuff. There's things like jmail.world where you could just
go and read Epstein's emails as if you're reading his Gmail, which is quite entertaining. You
could go directly to the Department of Justice and actually read the files there. There's a lot
of different ways to kind of get into this. But what I find kind of fascinating about all of
this was the operational security around the data, around the communications, because a lot of
those communications were, I mean, most all of it, a lot of it, was email, and not just email
but Gmail, and not Google Workspace, like free Gmail accounts, which baffles me, right? If I was
criminal minded and I was gonna be
communicating about criminal activity, I wouldn't do that on Gmail. And we're talking fairly recent
here. In the last 10 years, there's been encryption. There's been applications you could
use to communicate that provided in encryption. Why is all of this on Gmail? I have no idea,
including attachments and videos and files and photos and PDFs and all this other stuff.
So when people, I'm going to kind of go into this segment here. So when people talk about
Epstein, they usually focus on the names, the flights, or the unanswered questions.
But what gets talked about for less is more like the alarming part of the story, which is the total
failure of the operational security at nearly every level. So this wasn't a failure of one system.
It was a cascade failure. So you had predictable travel patterns, shared aircraft logs, centralized
communications, poorly segmented access controls, and an astonishing reliance on the idea that
secrecy alone was enough. There was no real compartmentalization, no meaningful deniability,
no resilience. Once scrutiny began looking into this, there were no security layers,
there was no security protocol. And so the most uncomfortable lesson, this wasn't a high-tech
espionage thing. This wasn't some crazy hack. It was basically all done through sophisticated
tradecraft. It was convenience, arrogance, and institutional blind spots stacked up
over time on top of each other. So the takeaway isn't like, how do they hide for so long? It's
how fragile the system really was once sunlight hit it. So for anyone interested in privacy,
power, or network systems, the Epstein case isn't just a scandal. It's like a textbook example of
exactly what happens when operational security is treated as basically optional, right? So this
kind of led me into, well, this is why
decentralized systems are a threat to power networks. So one reason the Epstein network
ultimately collapsed is that it depended on centralization, centralized travel,
centralized communication, centralized silence, centralized protection. But decentralized systems
like break that model entirely. So when information is distributed, there's no single ledger to erase,
no one server to seize, and no gatekeeper who can quietly, air quote, like, lose a record.
So decentralization replaces trust in the institution with verification across many independent like
nodes, we'll call them. So that's dangerous to, you know, entrenched power structures,
not because it's chaotic, but because it's resilient.
You can pressure one journalist, you can pressure one platform, one court, or one company, but you can't easily pressure thousands of loosely connected observers who don't need permission to share, verify, or remember.
So decentralized networks don't rely on secrecy, they rely on redundancy, and redundancy is the enemy of plausible deniability.
So this is why we see such aggressive resistance to encrypted messaging, peer-to-peer communication, and self-hosted infrastructure.
These tools don't just protect privacy, they flatten power.
So the Epstein case isn't just about abuse or corruption, because obviously that's a big component,
but it's a warning about what happens when centralized systems are trusted to police themselves.
And why systems that distribute memory, verification, and communication are fundamentally harder to capture.
You know, sunlight didn't end the network, distribution did. So that kind of, like, goes into,
like, decentralization, encryption, and the threat to centralized power, because that's kind of
what this highlighted for me, and why this push for everything to be verified to the user. They
don't want any more, you know, and I don't mean that with "they," I'm talking about the power
structure that's trying to keep control over the masses. But notice, in a lot of these bills,
especially even like the UK, if you go there are exclusions to these laws. They exclude themselves
from them. Most of these politicians usually exclude themselves from the surveillance apparatus
expansions. And that decentralization, encryption, you know, is a big threat to that power, because
centralized power structures depend on
choke points. Servers, platforms, custodians, administrators control the choke points and you
control the narrative, the records, and eventually accountability. Peer-to-peer mesh and federated
systems remove those choke points by design. And I know that some designs are better than others,
right? But in a peer-to-peer model, there's no permanent hub. So data moves directly between
participants, often ephemerally, leaving minimal centralized logs. Mesh networks go further. Each
node can route traffic, store fragments, and operate independently if the rest of the network
is disrupted. Federation distributes trust across multiple operators instead of concentrating it in
a single authority. And these architectures are resilient not because they're hidden, but because
they're redundant. And there's no master switch,
no single database to subpoena, no universal audit trail that can be selectively edited,
right? This is where encryption becomes the real pressure point. And encryption prevents
intermediaries from seeing content, but decentralized systems remove intermediaries
altogether. So when you combine the two, it doesn't just protect messages, you eliminate the role
of gatekeepers. And that's why modern attacks on encryption almost always arrive wrapped in
safety, moderation, or lawful access language. The stated goal is visibility. The operational goal
is re-centralization. Because once communication is forced back through a few approved platforms,
surveillance scales again. Logging becomes trivial, memory becomes fragile, and power
reconsolidates. So self-hosted infrastructure and local-first communication quietly short-circuit this model.
They reduce data exhaust, minimize third-party exposure,
and keep operational control at the edge,
where it's hardest to coerce and hardest to erase.
Decentralized systems don't make wrongdoing impossible.
They make systematic cover-ups impractical,
and that's why they're treated as a threat.
So a lot of the things that we talk about on this podcast exactly are this, right?
The threat model breakdown.
Who attacks decentralization and why?
So to understand why decentralized systems are under pressure,
you have to look at the threat model,
not in terms of hackers but institutions.
So the first attackers are governments and regulators.
Their concern isn't individual messages.
It's loss of visibility at scale.
Centralized platforms allow monitoring, metadata collection, and compliance enforcement. Decentralized systems
break that by removing aggregation points. So the second attackers are large platforms
and service providers. Centralization is their business model. Data collection, behavioral
profiling, moderation, all depend on users passing through centralized infrastructure.
Systems that operate peer-to-peer or federated threaten that control and the revenue attached
to it. So the third pressure point comes from intelligence and law enforcement agencies. So
their tools are optimized for subpoenas, warrants, and lawful intercepts, wink, wink, all of which
assume custodianship. So when no one owns, quote, air quotes, owns the network, those tools stop
scaling. And this is why attacks rarely target the technology directly. Instead, they target the edges:
key escrow proposals, client-side scanning, mandatory identity, weakened encryption defaults, or liability placed on
intermediaries. And that's what we're seeing with this bill, right? The fines, the punishments,
the liability placed on intermediaries. That is another, you know, component that fails, or it's
harder to enforce. So the goal isn't security at all, it's just restoring leverage. That's what this
is all about, the way that I see it, right? And decentralized systems reduce leverage, and that's
why they're framed as dangerous, irresponsible, or ungovernable. So some other bridges to this, right,
and I've talked about this, um, two episodes ago: mesh communications in disasters and shutdowns,
right?
Meshtastic, MeshCore, Reticulum. These are kind of even like another step above. Now,
not as much bandwidth, not as easy to set up as, say, like traditional devices. I mean, not hard,
but some properties that make decentralized systems uncomfortable for power structures are
exactly what makes them reliable during failure. And this is kind of like why I've been really
interested in Meshtastic and Reticulum. Disasters, outages, or shutdowns, you know, centralized
infrastructure collapses first, like cell towers fail, data centers go dark, authorization systems
time out, communication become, you know, permissioned or impossible. We've seen the
repercussions of centralized technology through Azure, Microsoft Azure Cloud or Amazon Web Services
when they have big issues. I mean, like big parts, big service providers, even telcos can go down because of that. So mesh communication
flips that model, right? Each device becomes infrastructure. Messages move locally. Routing
adapts. The network survives even when the upstream access disappears. This isn't theoretical. We've
seen it during hurricanes, wildfires, protests, blackouts, and network throttling. When centralized
systems fail, people fall back to whatever still works. Local, peer-to-peer, and offline capable
communication. It's why Jack Dorsey's BitChat app has gotten, you know, kind of a lot of attention
lately. Even though there's other apps like Kutch and Briar and things of that nature that have existed
for several years, it's new and flashy, but it does the same thing. It works without internet
connection. So what's interesting is how often these systems are labeled like emergency tools,
when in reality, they're just resilient systems doing what centralized ones can't. So the lesson's
pretty simple.
Resilience looks like decentralization under stress.
And systems built for everyday convenience tend to fail precisely when reliability matters the most.
So what would be like an OPSEC checklist for individuals?
So operational security checklist, right?
It isn't about hiding.
I want to iterate.
A lot of what I talk about isn't about hiding.
I myself, that's not my goal.
I'm a pretty public person.
I don't, you know, I'm not trying to, you know, hide or flee from anything.
And it's about reducing unnecessary exposure is what it is.
So first, data minimization.
If a service doesn't need your real name, number, or address, don't give it.
Every extra field is just future leverage.
Second, compartmentalization.
Separate your identities by function.
Work, personal life, financial activity, private communication should not collapse into a single account or device.
And I know that's easier said than done, but you can compartmentalize through software as well. But, you know, this is
just kind of more of like a personal exercise in thinking things through before you set
things up. So the third is reduce metadata exhaust. Location services, contact syncing, always-on
cloud backups create detailed, you know, behavioral maps. So even when content is encrypted, you know,
there's still a lot of metadata that basically still tells a story. Then fourth is assume central
points will fail. Ask a simple question: if this platform disappears tomorrow, do I lose access to
my contacts, messages, or files? And if the answer is yes, you found a single point of failure.
This could be Dropbox, it could be Google Drive, it could be anything.
If you lost access to it for whatever reason,
is there important information there that's now just inaccessible
and how disruptive is that to your life?
So if the answer is yes to those questions, have a backup plan.
Have a different plan to at least keep a backup or be the backup.
Fifth is control your endpoints.
Strong encryption doesn't mean anything if the device itself leaks data.
Updates, device locks, and minimal app permissions matter more than people think.
What the hell is this app doing in the background?
When I update it, does it toggle something back on again that I toggled off?
Do I have to go check it every single time?
Apple is notorious for this.
A lot of companies are notorious for this.
Microsoft is a big one.
You do all these things to debloat and turn stuff off.
Gut Copilot, gut Recall, whatever. You run an update and it's just all back on again, right?
So it's undoing what you're doing. The app permissions that you set are now just blown out.
Sixth, plan for offline communication. So think about power outages, disasters, network shutdowns.
Those are normal events, right? Not edge cases. But resilient communication doesn't start during
the emergency. You need to think about this and have it become common practice, and use it. Find a way
to use it. If you get some Meshtastic nodes, once every week or two try to have some mesh
conversations with your family members or your friends. Use it. Don't let it just die.
I didn't even charge it in a month. It's sitting in a drawer somewhere. Incorporate it in a way
that now, if something happens or there's an emergency, you're not trying to figure it out
and get it all set up. You know what you're doing, being familiar with your tools,
understanding how they work. And finally, normalize privacy. Normalize it. OpSec works
better when it's boring. The goal isn't secrecy. It's autonomy, right? For some of you, it might
be secrecy. But I think by and large, especially 40% of you iOS users, it's autonomy. It's having
sovereignty. It's having ownership over your identity and your information, your data, your
whereabouts, your travel, everything that touches you, any data points that touch you. So good
operational security doesn't make you invisible. It makes you predictable only to yourself, right?
So that's the objective. At least that's my objective. So with that, I just want to cover
the last component of that, which is systems, power, and resilience. So when people look back,
at high-profile failures, they usually ask, well, who knew what and when? But the more important
question is almost always how the system was designed to fail. Because that's what I noticed
the most out of this, was what a major fail, dude. All your base are belong to me, you know, kind of
a situation. And how did this happen? How did they allow this to happen? It's such a big exposure.
So the Epstein case wasn't just a moral collapse, I mean, it was an operational one as well. A network
built on centralization, convenience, silence, held together by the assumption that accountability
could be managed from the top, like the top people, decision makers. The centralized systems, like,
challenge that assumption. Peer-to-peer networks, federated models, local-first communication don't
depend on permission or trust in a single authority. They distribute memory,
they remove choke points, they make, you know, erasure and quiet coordination much harder.
That's why encryption is under constant pressure, not because it's unsafe, but because it breaks
surveillance at scale. And when encryption is paired with decentralization, it doesn't just
protect messages, it removes intermediaries entirely. So we see, you know, these patterns
in the disasters and the shutdowns and centralized systems that fail first. The resilient systems
survive by design. Communication continues not because it's approved, but because it's local,
redundant, and adaptive. We've seen this in like hurricanes and different things. It's the ones
that know how to operate ham radios and have Meshtastic or these other forms of communication
that are not dependent on these centralized services that actually can kind of keep things moving
forward again. So operational security isn't about paranoia or hiding from
the world. It's about understanding where power concentrates and choosing architectures that
don't collapse when the power fails or turns inward. So the lesson isn't that systems should
be secret. The lesson is that systems should be resilient to abuse. And because in the end,
power doesn't fear chaos. It fears distribution. And that is kind of my takeaway
from the Epstein files and this and looking at it from a different vantage point,
different lens to see things going like, how amazing is it that this information wasn't
compromised or released earlier or exposed somehow? Well, because they relied on this centralized power
authority. And ultimately, I see that's what governments are also trying to do themselves.
They want to be the gatekeeper of information.
They want to be the gatekeeper of information for this analysis, bringing to power and
flow and communication. And so when you use and you fight for VPNs and end-to-end encryption and
self-hosting services, it goes against that very power structure, that power gain, that reach for
ultimate control. Because these laws that they're passing, I see, could be used and probably will be
used at some point by those who self-host Mastodon servers. Is that considered a social platform,
a social network? Or does it fall under, oh, no, it's just a federated server, man. I'm just
talking to my friends. I talk to people and I have my account on here. It's not a social network.
It's just a social federation, bro. But I mean, they're going to come after it. They will likely
try to come after those things. And so by having a plan for being able to communicate and
have sovereignty, it's thinking about operational security in this way that is what's most important to
me, being able to also coordinate and build community. Because that's so
important. I mean, that really is. We are social beings, and oftentimes, you know, we don't
really find people in the real world, so we meet them online. We find friends online and the people
that are like-minded, and in order to have that freedom to connect, we really are reliant on systems
that can exist beyond targeted attacks, because they're not centralized. So yeah, that was
what I was working on for the last couple weeks, this breakdown, and putting it in a way that
would make sense without being super technical about it. Because honestly, it wasn't that technical,
the Epstein stuff, from what I understand. I mean, it's pretty primitive technology they were using for the
recordings. He's using Gmail, for crying out loud. There wasn't any, like, sophisticated, organized
organization, like having encrypted hard drives and encrypted communications and disappearing
messages. I mean, it was all pretty much just there and historical. There was no, like, retention
policy, I guess, for deleting old conversations. I guess he thought, I will just save everything
forever because I might need to use it, um, as collateral, as leverage, you know, to get somebody
to bend to my will, because I have all... He was the data keeper, and I think that's one of the
biggest problems. And like, you have some of the smartest, well, I don't know how freaking smart
they are, actually probably not smart, but just what we would assume to be smart people
who fell for that, fell into those traps, like people who open the emails and buy the gift cards
and click on
the links, right? Like we have to be vigilant. We have to be smart about the things that we do
because it is a war. There is definitely a war online from a lot of different fronts. And no
one's going to wake up every morning thinking about how to secure your life, how to live your
best life. Everyone's thinking about that for themselves. So you are the person that needs to
be vigilant and have conversations with your family, have conversation with your friends.
Protect your information. It's all you got. It really is all you got. So thanks for listening
to me babble for the last 90 minutes. I really appreciate everything from everyone. I've always,
always just really enjoyed the conversations we have in our chats and everything. Like we just have
some of the coolest people. And one of the, I think probably the coolest communities, especially
within this space, that is really kind to people who are just trying to learn. And, hey, I'm gonna buy
a new router, what are your thoughts on this? Or I'm gonna maybe finally switch, you know, to Proton Mail,
or get a VPN, or what's the best way to do it, or how do I get Monero? I mean, all these different things.
And having people that don't tell you to go RTFM or STFU and all this other stuff, it's just like,
it's a breath of fresh air, because no one can know everything about everything. I mean, it's just
impossible, and all these things kind of become more and more specialized. They do get easier, I will say.
The path I've been on, and like where I'm at now with my Proxmox setup, and now Proxmox Backup Server,
and my NAS and all my self-hosted services, and, you know, making them accessible to the outside for my
family members, and all these different things, it's like, wow, it's cool. It puts a lot of responsibility
on me, but it's worth it. It's worth that trade-off, um, because it's so much more gratifying
to know, like, hey, this is ours. We run this. Which also means we have to maintain it. We have to know
what we're doing. And that may not be you, and that's okay. If you're listening to me right now and you
made it this far, you're like, I can't set up servers and stuff. Well, you probably know someone in your
family who can, one of your friends who can. And maybe it's time to start learning some new tricks,
right? I mean, who says you can't learn new shit? Just do stuff. Try it. Break things. And once
you're comfortable, you start moving things over one at a time. Set up an AdGuard Home server.
Get a Raspberry Pi. Bust out that old laptop that you know is 10 years old
and put Linux on there, you know. Install, um, you know, Raspberry Pi OS, install CasaOS,
install Umbrel, just pick something. Try it out. Install it. Mess around with it. Set up an AdGuard
server. Set it up as your DNS server and your gateway so all your devices on your entire network
are now using an encrypted DNS server to do all your DNS lookups, and now you're blocking trackers
and ads at the network level.
I mean, I'm just tossing stuff out there.
It's a great way to get started.
And then you're like, cool, maybe I'll set up a Nextcloud server.
Maybe I'll set up an image server for my photos.
You know, you kind of start, then you start becoming a nerd.
And before you know it, you're writing articles and you're contributing to GitHub projects.
I hope so, man.
We need this.
We need people to be engaged and start doing things.
And yeah, it's kind of maybe my long-term plan.
I'm thinking actually maybe that's kind of the stuff I might do professionally, you know, a few years down the road.
I kind of really enjoy it.
And, you know, I've done consulting before in my life, and I could do it again.
And I think it could be a cool way to make a living is to, you know, consult with those that can't do but need.
And so, if you can be that person for someone in your life, be that person. Do that thing. Set up that
server. It could be just a Synology now. I mean, you know, yeah, we're all about open source, and, you know,
I want to run TrueNAS and open, but you know what, running something that's even just commercially
available to you, that would, uh, get you out of big tech's, you know, data centers and into your own
data center, is good. I'm not, uh, gonna be the pretentious person, like, well, unless you
use... everything has to be 100% open source. I mean, that is the ideal route for sure, but don't let
that limit you. Don't let it be a limiting factor because you're too overwhelmed
to learn OPNsense. It's okay. It's okay that you can't master all these things, because there's a
lot of us that know what we're doing, and we still can't figure shit out sometimes. We still break
things. I broke a VLAN the other day just configuring a WireGuard server, or WireGuard connection,
incorrectly. Broke half my network for like a day. Just couldn't figure out what the hell's going on.
We make mistakes, we learn,
okay, make a note, keep good notes, right? And then move on to the next thing. So anyways,
I hope this finds you well. I hope you feel empowered and motivated to, if nothing else,
just to start being awake, being aware of what's going on around you. There's no right or wrong
way. There's just a way that works for you. And anywhere you just start and making small changes,
small changes. All right, finally, I'm going to get on this password manager. I won't reuse the
same eight passwords. All right, let me start there. Let me get a, let me get a decent VPN.
You know, let me get some, let me get a Mullvad VPN or IVPN or maybe Proton VPN, you know, and just
start, you know, looking at, you know, doing your research, at least using a VPN because your ISP
is snooping on you and likely selling that data. So anyways, I feel like I'm rambling at this point.
I hope you found some value and entertainment in this episode, episode 52, closing out. And, um,
I will try to get one more episode out in the next few days to try to meet
my two episodes per month.
I'm going to try real hard, but if I don't, I'll make up for it next work.
Uh, next month. I promise. I'm just, I, you can probably hear me.
I'm still congested. I'm still fighting stuff. And, uh, but I really,
I really wanted to get this out and I really wanted to connect with everyone.
And, uh, thank you for all the support. Catch you guys on the flip side.
I never quit. Cause I know that every loss may lead to another win.
I'm going up. I bet when I land, they're going to tell me it's luck again.
See that I'm winning. It's harder to watch. I'm setting the stage.
You should give me my prize. You ain't got a soul. You lacking the spirit.
You talk out your neck. I'm going to show you I'm with it.
I've been really happy you to sit and watch me win again and win again and win again.
I know it's probably getting on me and win a synonym.
So if I ever win again, there's no, I did the minimum. I didn't have to sell my soul.
Oh, yeah. Please don't play no games with me.