You Should IGNORE Most Security Advice (w/ Henry from Techlore)

00:00

- This is Henry from Techlore.

00:01

My name's Josh with All Things Secured.

00:03

Henry, thank you so much for joining us, man.

00:04

Where like, you wanna do just a

00:06

brief introduction to yourself?

00:08

- Yeah, so I'm Henry from Techlore

00:10

and I've been working in digital rights, privacy

00:13

and security now for almost 10 years,

00:14

which is kind of crazy to say.

00:16

And I have a YouTube channel similar to Josh's,

00:18

which talks about very similar concepts.

00:21

And so yeah, we also have a forum.

00:24

We do some direct coaching with certain clients

00:27

and we have a couple open source projects

00:29

and we have some VPN resources and stuff on our site.

00:31

So just dabble in a lot of different things.

00:33

Oh, and you, you definitely seem to like the podcast I do

00:37

with Nate, which is Surveillance Report,

00:38

which is our weekly news.

00:39

That's what I've heard you talk about the most. I think so.

00:42

- Well I, I think it's something about the podcast medium

00:46

that really like helps you connect with somebody.

00:49

Like even, even the YouTube medium.

00:52

Sometimes I feel like when I'm watching on TV it's, it's

00:55

that person's over there, I'm over here.

00:57

But with podcasts you're like, you're like in my head.

01:00

So yeah, I,

01:01

I think you guys do a great job with the Surveillance Report.

01:03

I've been a huge fan of Techlore for a long time,

01:06

so if you have not seen or

01:08

or you know, yeah, been on that channel,

01:12

you can find everything with Henry here at Techlore

01:15

for the YouTube channel.

01:17

He talked about that forum, which is fantastic.

01:19

It discuss Techlore tech

01:20

and of course he's got his websites both personal

01:23

and the Techlore side.

01:24

So if you wanna go check those out.

01:26

I also wanna make sure that everybody knows

01:29

that this podcast

01:30

or this podcast, I feel like I'm gonna podcast now

01:32

that this live stream is, is being sponsored by ybio,

01:36

which you guys have heard me talk about this a lot.

01:40

For those of you who are coming from the Techlore side,

01:42

I have no doubt that Henry,

01:43

or that you guys are familiar with 2FA keys.

01:46

I actually went out and visited the Ybio offices in Sweden

01:49

last year and really got to enjoy meeting their,

01:52

their founders, their current president

01:54

and just a lot of the team they've got, I I, I've loved

01:58

what I've seen and but not more than that.

02:00

I've used a UCO key for many years

02:03

and I think that they are probably,

02:05

aside from a password manager, one of the best things

02:09

that anybody can do for their, for their security,

02:11

for at least their online accounts.

02:13

So if you don't have a key, you can go

02:15

and there's actually gonna be a link.

02:16

I think it's all things secure.

02:18

Do, oh I think I have it over here.

02:20

Lemme just pull this up right now just so

02:21

that we've got that.

02:22

There's the, you can get a $5 off any of their keys,

02:26

all things secure.com/ub five off and,

02:29

and you'll be able to get one of those keys if you don't

02:31

have one or if you need to go grab a backup.

02:35

Alright. So with that out of the way Henry, I,

02:40

one of the things what, like we've been, this is a long,

02:44

long time coming in the collab that we've, you know,

02:46

that we're doing here.

02:48

And I like when I was sitting down trying to figure out,

02:51

hey, what would be the best thing for us to talk about?

02:54

I think the thing that came coming that kept coming up

02:56

to my mind is like this phrase you

02:59

and I both have used, I've heard you use it

03:01

so many different times

03:02

and I've used it as well, which is this phrase, it's just,

03:05

it depends, like you

03:06

and I get questions all the time from people

03:09

and they're asking some kind of security question

03:12

and the answer unfortunately is not just this black

03:15

and white, here's what you should do,

03:16

here's what you shouldn't do.

03:17

It ends up being like this.

03:19

It depends, which can be both frustrating and

03:22

and helpful in different ways.

03:23

I'm, I'm curious for you personally,

03:25

before we jump into like all these other things, like

03:28

for you personally, how do you view what you do

03:32

for your personal security and privacy and like the lens

03:35

and the rubric

03:36

through which you make those kind of decisions?

03:40

- Yeah, first it depends. Always kind of sucks to hear.

03:43

'cause I know that people just want a simple answer

03:46

and there really is nothing in the world

03:48

that I feel like has very many simple answers.

03:51

And so when people ask me something, should I use A VPN?

03:54

It's like, well if they came to me

03:55

and said should I buy a hammer?

03:57

I'd go, well, it kind of depends. Why do you need a hammer?

04:01

What are you gonna use it for?

04:02

What's the purpose of purchasing it?

04:04

And then we can go from there.

04:05

And it's the same thing I think with

04:06

what we recommend and do.

04:09

I think that there's very few things I can just outright

04:11

suggest to everybody

04:12

because there's always going to be somebody

04:14

who doesn't align with that advice.

04:18

And it's also, I'm sure you deal with this as well,

04:21

we make content

04:22

and we talk about things for thousands if not hundreds

04:25

of thousands of people.

04:27

So when we produce something

04:29

and give advice, we can't just give advice

04:32

and say everybody needs to do this

04:34

because you can't guarantee that hundreds of thousands

04:36

of people will be on that same page.

04:38

So it has to be nuanced, there has to be some, it depends.

04:41

And on my end I definitely look at it through

04:44

what are the things that I'm concerned about.

04:46

So any time I ask what device should I buy,

04:49

what services should I use, what software should I decide

04:52

to implement into my daily workflow?

04:54

It normally comes from a place of, okay,

04:56

well why am I getting this in the first place?

04:58

What's the purpose of it?

04:59

Does that purpose agree with the things

05:01

that I'm concerned about in my life?

05:03

And then from there I go, well

05:05

what are my options within this little bubble

05:08

of things that I'm trying to do?

05:09

So for example, a big concern of mine is making sure

05:13

that my passwords are a kept up to date.

05:15

They're also secure passwords

05:17

and also they're things

05:18

that aren't gonna be reused easily across websites.

05:21

So what are my options here?

05:22

I can use my built in password manager on my operating

05:25

system, I can use a third party password manager,

05:27

but now that introduces a second party I have to trust.

05:31

If it's a smaller organization, then I have

05:33

to rely on their security infrastructure

05:35

and maybe lack of proper security team.

05:38

If it's a larger one, they have more funding behind it,

05:40

but maybe they're putting too much money into marketing,

05:42

so maybe it makes more sense

05:44

to actually roll my own password database.

05:46

And that's actually what I opted to do.

05:47

So I use key password, my password manager,

05:49

but it really just depends on what I'm going for.

05:52

And then now you start implementing

05:54

that password manager into your workflow

05:56

and it goes, okay, well do I need a

05:58

password manager on every device?

05:59

Does it need the cloud sync?

06:00

What features will I utilize in my password manager?

06:03

Which clients, 'cause KeyPass has different clients on

06:06

every operating system.

06:07

Which client will I go with? Is it being frequently updated?

06:11

Does it integrate with the features I need?

06:12

So it's a very nuanced thing

06:14

and that's just a password manager.

06:16

There's dozens if not hundreds of different security

06:18

and privacy tools out there.

06:20

So Yeah.

06:21

Does that help just at least break down how difficult it is

06:24

to like do that for thousands

06:26

of people somehow in an eight minute video?

06:29

- I know, I know. And and yeah, so true.

06:33

Like I think the, the, the thing

06:34

for me is it's like there are best practices, right?

06:37

That, that it feels like everybody should be doing.

06:40

And then there are, you know, kind

06:42

of these like gray area things,

06:43

but even within the best practices,

06:45

like you're saying like I think one

06:46

of the best practices is hey, you need

06:48

to be using a password manager.

06:51

But within that, like there's just, okay, well do you host

06:54

that vault in the cloud?

06:55

Do you have to self-host, you know, does it sync?

06:58

Like do you store all

07:00

of your passwords in that password manager?

07:02

Do you salt your passwords

07:04

or what I call a double-blind password?

07:05

Like there's, there's all these within even the,

07:08

the easy answer where it's like the easy answer, yeah,

07:11

sure you should use a password manager,

07:13

but within that, now we've got this, this branch

07:15

of 20 different options that that, that run the gamut of

07:20

hey, you know, just a person that needs to have a better,

07:23

you know, stronger password, right?

07:26

And so for them using Google Chrome to store their passwords

07:29

and create password managers, maybe that's, that that's,

07:32

that's as good as they're gonna get for them and,

07:35

and their, you know, what their tech

07:37

savviness is all the way to the other end where, hey,

07:41

I'm hosting my own password manager, it's on my servers,

07:43

it doesn't sync in the cloud.

07:44

Like all of that type of stuff.

07:46

So I completely agree with you.

07:48

I think it, it makes it very difficult,

07:50

especially when we're dealing with attention spans,

07:54

which you know, on YouTube are, are very limited where I,

07:58

I do have eight minutes or less.

08:00

I mean I could do, I've got some videos that are longer,

08:02

but I can only really dive

08:04

so deep in those, you know what I mean?

08:06

- Right, right. Yeah, no, I agree.

08:08

It's definitely difficult.

08:09

And I think also what's tough, you don't always,

08:14

it's probably not always good

08:15

to constantly be nuanced though,

08:17

because in the context of friends

08:19

or family, they don't want me

08:20

to go on a one hour spiel about password managers.

08:22

They just want, they, they just want an answer.

08:25

What do I use? And I think sometimes that lack

08:28

of nuance is important

08:29

and that's something that like for people

08:31

who are already involved in this space,

08:33

probably tuning into this livestream

08:34

who are already involved in this community, they want

08:37

that nuance because they want to understand things better.

08:40

But I I, I don't think that the average person needs to

08:43

give a damn about this, honestly.

08:45

Like they shouldn't have to, like, they should just have

08:47

to worry about living their lives

08:48

and not deal with security, not deal with privacy.

08:50

And that should just be a default.

08:52

So that is the ideal world,

08:54

but that's not quite the one we live in.

08:58

- Yeah, I think that's a really good point.

09:00

Like I, I do, I I have started to answer with nuance

09:04

before with some friends and, and,

09:06

and they're like, they

09:07

stopped me and they're like, whoa, whoa, whoa.

09:09

Like what do you use? It's like, well I use this.

09:12

Okay, that's all I needed to know.

09:14

Like that's good enough for me.

09:16

If you use it then that's good enough for me.

09:18

But I'm sure that you have to deal with this too, Henry,

09:20

I get, I have to deal with comments in the videos of people

09:24

that are maybe frustrated that I didn't go into the nuance

09:28

where it's like, oh yeah, you use one password,

09:31

but you know, anything that uploads to the, to the cloud is,

09:35

is a terrible security idea.

09:37

It's like, well maybe for you I

09:39

I I'm not gonna, I'm okay with it.

09:43

- Right. And also I feel like the comment sections is always

09:46

hard because I feel like there are things

09:48

that make sense when you read them at first glance something

09:50

like the password manager, it's like, well yeah,

09:52

you don't want, in theory your password's accessible on

09:56

someone's cloud that can be broken into,

09:58

but that's not how it works, right?

09:59

Because the encryption iss done on the client side.

10:01

So actually it's still local in a way

10:03

because one password can't see what your passwords are.

10:06

So yes, there is a little bit of a handoff of trust,

10:09

but if you can trust the code that's running on your device

10:12

and you're trusting that everything's encrypted locally

10:14

before it touches the cloud,

10:16

then really it's just in transit.

10:18

Everything's fine in transit,

10:19

it's just on your devices where it's unencrypted.

10:22

Yeah. And so when you explain that to people then,

10:25

and for the record, I don't use a cloud-based password

10:27

manager, but I still don't think they're a bad option

10:30

for people because I think it's unrealistic

10:31

to expect the average person to have

10:33

to somehow manually sync their password manager every week

10:36

when they add or remove a password to change a password.

10:39

It's just, it conflicts.

10:40

'cause if we're gonna suggest people consistently like check

10:43

their password to make sure they're not breached

10:44

and when they are breached change them,

10:46

now you're also asking them

10:47

to manually change it on eight devices instead of

10:49

that being automatic, which is now making it harder for them

10:52

to have better practices. So

10:54

- Yeah. Yeah.

10:56

- I don't know if you probably deal with all

10:57

of these things as well in your life.

10:59

- Oh, 100%.

11:00

And I wish it was just password managers,

11:02

but it's like, it goes from password managers to 2FA keys

11:06

to, you know, you,

11:07

you name like even goodness don't even get me started on VPN

11:10

stuff where it's like they're, people are very,

11:13

very opinionated, especially if they're within the security

11:17

and privacy space.

11:19

And you know, I, I live overseas, for those of you

11:22

who don't know, I'm out in Asia, I've been out here

11:23

for many years with, in a couple different countries

11:26

and like my approach to some of that,

11:30

it actually changes depending on what, what country I'm in.

11:34

I think that's one of the things

11:35

that I was gonna ask you Henry and

11:37

and kind of really bring up myself is, you know, I I,

11:40

when I think of a personal threat model, a lot

11:43

of it is one very unique to you and,

11:46

and you know, your situation, it's built over time.

11:50

Like I know some people just wanna like know right now this

11:53

is what do I need to do right now?

11:55

It's like man, this is something

11:56

that's gonna take time for you.

11:58

It's taken time for me to build

11:59

and it's something that's constantly evolving, right?

12:02

Something that I used, you know,

12:03

before, I'm not gonna use maybe five years from now.

12:06

And perhaps it's something like skiff

12:08

because it goes out of business or perhaps it's

12:10

because there's, you know, another option

12:12

or something else that has come up

12:13

that I would much rather use.

12:16

And for me sometimes it has to do with, you know, location.

12:19

You know, when I was in China

12:21

that's different than if I'm in a southeast Asian country.

12:25

Henry, I was curious if you wanted to kind

12:27

of share any thoughts on when you are coaching somebody,

12:31

let's say if you're coaching somebody on this stuff

12:33

or you know, creating a video on it.

12:36

Like what are the questions that you are asking in order

12:39

to figure out what kind of threat model

12:43

and what what solutions would be best for that person?

12:49

- Yeah, well it's, it's tough

12:51

because not many of our videos

12:55

are really targeted towards like

12:57

answering the question for people.

12:58

And that's where we probably could be doing better I would

13:01

say is that a lot of our videos are just like,

13:04

well here's what it is.

13:05

Here's the information you need, period.

13:09

There is no, this is why you should be doing X, y,

13:11

Z tied to our videos.

13:13

'cause that's where it starts getting difficult to do.

13:15

And that's really where it's really hard to get into

13:17

that without, again, making mistakes

13:19

and saying things that don't apply to everybody.

13:22

And so it's easier to just give people the information

13:24

and give them the tools necessary

13:26

to make their own decisions on what to do.

13:28

And that's kind of how we do a lot of things.

13:30

But I would say there are a couple videos here

13:32

and there where it is very just, here's what you need

13:35

to know, here's what we suggest you do.

13:37

And normally in that context

13:41

it really is just really thinking through the kind of person

13:44

what their threat might be

13:45

and trying to make assumptions on behalf of them.

13:48

But normally there's always a giant asterisk

13:49

of if you have a specific country that you live in,

13:53

you need a specific feature,

13:54

then definitely just explore other options,

13:58

get advice from other people.

13:59

Don't just rely on us.

14:00

And I think that's also an important thing

14:02

to hear from somebody is don't just rely on us

14:04

because we might not have all the answers

14:06

for you, nor do we claim to.

14:08

And so make sure you take what we say,

14:10

hopefully it's helpful, make your own decision,

14:13

hear from someone else, see what they say maybe

14:15

or connect better with them.

14:17

And I think that's the best way to do it. Yeah.

14:20

But I don't know if you have a different

14:21

approach to it as well. No,

14:23

- I 100% I think, I think what you said,

14:26

I i I totally agree with.

14:27

I think, you know, I get Henry probably similar to you,

14:30

I get emails all the time from people that are like, Hey,

14:33

I'm in this particular situation, what should I do?

14:36

And you know, if, and,

14:38

and this is unfortunately an email

14:39

that I get more often than I'd like,

14:40

but you know, I get somebody, hey,

14:42

I'm in an abusive relationship

14:43

or I'm in a relationship where I feel like this person is

14:46

stalking me in some way.

14:48

The way that that they're going have

14:51

to set themselves up is different than somebody who's just

14:54

like, Hey, can I, can I have a little better security?

14:57

Or you know, hey, I just wanna be

14:59

a little more removed from big tech and Google

15:02

and all that stuff, which is different than, you know,

15:04

somebody who's an expatriate living in another

15:06

country like we were talking about.

15:07

And, and, and definitely even different than those

15:09

who are in positions of power or influence

15:12

because what you're trying

15:14

to protect is als is different sometimes.

15:17

And then, you know, so for like the abusive relationship,

15:21

you know, you, you might be trying to protect

15:23

even the GPS on your phone

15:25

or something of that sort, you know, which is, you know,

15:28

I'm not as, not quite as concerned about that

15:31

where I am right here.

15:32

And so like those, the situation really,

15:36

really does have a, a huge influence on the kind of solution

15:39

that, that you provide to any person that's reaching out

15:43

or asking for advice.

15:45

- Right. Totally agreed.

15:46

And so before I wanna respond to that, but

15:49

before I, I forgot to mention one thing previously you were

15:52

talking about how it constantly evolves

15:54

and I think that's one of my misconceptions

15:56

and maybe some people might disagree,

15:58

but I don't really see a finite line

16:01

because I think a lot of people think

16:03

that there's this definitive end mark of, oh,

16:06

I finally figured out, I figured out what to use.

16:10

I I have the perfect password manager, perfect browser,

16:12

perfect everything and it's all I'm gonna use for the next

16:15

50 years that I'm alive.

16:17

And that's just not normally how it works.

16:19

Even if you did in theory find the perfect thing for you,

16:22

which you probably won't and you will never find that,

16:25

but if you did things, change services, go outta business,

16:28

new services pop up, technology evolves.

16:31

And so it really is impossible in my eyes to kind

16:35

of have that perfect thing.

16:36

What you can do is do your best, see what's new,

16:40

make updates, change, just get better over time

16:43

as more tools become accessible,

16:45

as more information becomes accessible.

16:47

And as we learn more things as a community as well.

16:50

And it reminds me of health.

16:51

I I constantly make this analogy to health.

16:53

You're not going to just sit down one day

16:56

and go, this is the perfect diet for me.

16:57

This is the perfect exercise plan for me.

17:00

This is the perfect amount of times I need

17:01

to go see my doctor and check my,

17:03

my my vitals and everything.

17:04

And if I do this, I will live

17:05

to be the longest possible time.

17:07

No, it's an evolving thing.

17:09

You try a certain diet, see what you like, see

17:11

what you don't like, you make modifications,

17:12

you make improvements, you go, maybe I went too far,

17:15

I was starting to obsess

17:16

and it started becoming a mental thing for me

17:18

and I need to disconnect a little bit from that.

17:20

It's a constant push pull game and then that's just diet.

17:23

And then we head into exercise plans

17:24

and you might prioritize upper body, lower body aerobic.

17:27

You realize that you were neglecting your

17:28

strength in your back.

17:30

I'm a runner and I just realized a few weeks ago

17:32

that my upper back is just weak as hell.

17:34

I had someone helping me at the gym

17:36

and they were watching me do pull-ups

17:38

and they go, wow, you don't even engage your back at all

17:40

and you're just lifting yourself up with your arms.

17:42

And I go, I had no idea.

17:44

So yeah,

17:46

but what was the most recent thing you said though?

17:49

'cause I wanted to respond to that too.

17:51

The last thing you said.

17:53

- Oh, abusive partners and, and

17:56

- Yes.

17:57

So on this note,

17:59

I think a very common example of this is signal.

18:01

So signal, just to give people kind of the idea of

18:05

how a feature can both be beneficial and non-beneficial.

18:08

One of the reasons that I do believe

18:10

Signal uses phone numbers,

18:12

which people really complain about is a anti-spam.

18:14

And I think that's the number one reason,

18:16

but also it makes it easy to add people, right?

18:18

Signal is meant to be a one-to-one messenger that you use

18:21

with somebody else, you know, who you just met at the bar.

18:24

And when you do that, you don't want to have

18:26

to do this crazy nonsense to add them like Matrix

18:29

and Matrix has a lot of cool things going for it.

18:31

But to have to explain to someone, okay, you have

18:34

to choose a matrix client,

18:35

you gotta choose a Matrix home server, you gotta register

18:37

and my home server is probably

18:38

gonna be different than yours.

18:39

And then here's what you need to know about

18:40

how to use it properly.

18:42

People just wanna message you

18:43

and it needs to be taken care of by default.

18:45

And that's not to say both tools can't exist

18:47

and they don't have their place,

18:49

but that is something

18:50

that indirectly benefits everybody's security

18:53

because it's simple and it's easy to use on the other hand,

18:56

until recently, so now that Signal has dropped usernames,

18:59

you can actually hide discoverability

19:01

by a phone number now, which solves this issue.

19:03

Yeah. But as of two months ago,

19:06

it was really bad if you used Signal

19:08

because if you join Signal

19:10

and your abuser,

19:11

this is something I've talked about in the past,

19:13

your abuser has signal,

19:14

they'll be notified that you join Signal.

19:16

So that phone number requirement now works against you in

19:18

this very specific situation

19:20

and that is not a good thing for that one situation,

19:23

but in almost every other situation it's

19:25

not a terrible thing.

19:26

And so that's just one example of how a feature,

19:28

just one feature within an app can actually be detrimental

19:32

to your security that is now again,

19:34

resolved Signal has released usernames,

19:36

they also gave you the feature

19:37

to disable discoverability with your phone number.

19:40

So you can just turn that off in your signal settings.

19:42

Don't have to worry about that anymore.

19:43

But that's just one example

19:46

and we can probably find countless of these examples in tons

19:48

of different workflows where a feature's generally good,

19:51

but it's actually awful in another,

19:52

in another situation too. Yeah.

19:55

- So, well, and I, I tend to think too,

19:57

and this is something that I preach to those of my friends

20:00

that aren't necessarily like deep into the security

20:02

and privacy community, it's just like the, the best security

20:06

or privacy measure is the one that you're actually going

20:08

to use and do.

20:10

Right? You can, I can set you up with all this stuff,

20:14

but if you're not actually going to use it,

20:16

then what's, what's the point?

20:18

I mean, I'm, I'm still in the current,

20:20

I'm currently testing, it's been a while for me,

20:22

but it's taken a while like a graphene os phone

20:27

and it's, it's been fun.

20:28

I've enjoyed it, but I'm like, I'm still on that journey.

20:32

Like I can't, I still haven't been able to make

20:34

that switch away from my iOS app.

20:37

And part of that is because all of my family, you know, I,

20:41

I live overseas and so, you know,

20:42

my family's back in the United States

20:45

and I want,

20:49

I'm sorry I'm getting all these different comments from

20:51

people who are saying sound levels are off.

20:53

If that's the case, please let me know in the

20:55

comments, I apologize.

20:56

But anyway, like I, like I want to, that iOS,

21:01

iMessage going back

21:02

and forth has been really like, it's gonna be hard to give

21:05

that up and to try to get my mom to get on signal.

21:08

It's not that bad,

21:10

but like she's already, she's using iMessage

21:13

and it's like that's, it's really gonna be hard not

21:15

to that a point not do that.

21:16

Yeah, yeah, exactly.

21:18

- And you're also now burdening other people.

21:22

That's something that I'm also trying to navigate too is if,

21:26

if I have to increase my security

21:28

but it burdens the people around me

21:30

and it to net loss to everybody around me, is

21:32

that something I should be implementing in my life?

21:35

And so that's something that's tough as well

21:36

to always think about too is like how your privacy

21:39

and security journey is impacting the people around you.

21:41

And if it's too much of an inconvenience for them,

21:43

then it's probably not a net gain.

21:45

But on the topic of what you're saying too,

21:47

with friction points in the, let's say,

21:52

I think it's good though for people who are here

21:54

who are tuned into this podcast

21:56

or this live stream, sorry, that's all rights good for them

22:00

to, I think find what's too extreme.

22:03

Yeah. And just acknowledge that, try Linux,

22:07

try everything, have fun with it.

22:09

Try a custom ro see what it's like, see

22:11

what the limitations are and you'll learn something from it.

22:14

Definitely. You're going to learn something about installing

22:16

it, you're gonna learn how it works.

22:17

You're gonna learn why it doesn't work for you

22:19

or it might work for you,

22:20

but I'm sure you're learning now, well here's,

22:22

here are the five reasons why this,

22:23

this operating system doesn't work for me.

22:25

And now you, you kind of realize now,

22:27

well now I realize I have this dependency on a messenger.

22:30

Is that a good thing? Is that a bad thing?

22:32

And now you start asking these questions

22:33

and from there maybe it's less of I'm moving

22:37

to a different operating system

22:38

but it's less, it's more of I need to move

22:40

to a different messenger so that I am less tied

22:43

to this ecosystem.

22:44

And I'm not saying you necessarily should do that because,

22:47

but I'm saying in general, like that's

22:49

where my mind goes when I'm dealing

22:50

with issues like this as well.

22:51

And data portability is also just a big topic. Yeah.

22:56

In conjunction with this, I think.

22:58

- Yeah, makes sense.

23:00

Okay, so I wanna shift just a little bit, which first

23:03

of all, by the way, thank you to those

23:04

who left comments about my audio.

23:06

I had the wrong microphone actually set up.

23:08

So hopefully this sounds a lot better when,

23:13

you know there there's different ways to look at your,

23:16

you know, your your threat model And,

23:18

and for us as content creators or you know, influencers,

23:22

however you wanna look at it, I'm, I have

23:24

to look at it both from, you know, me personally, like

23:26

what I do and then I have to have like a separate model

23:31

for how I evaluate new software

23:34

that comes across my table.

23:36

Right? And I'm sure you're like this as well.

23:39

There's constantly something like, heck, I I could,

23:42

I could fill pages of things

23:44

that are people like, Hey, have you tried this?

23:46

Have you done this? Have you tried this software?

23:47

And I can't do all of it,

23:49

but I do have to like I do have to select some

23:52

and those have to go through somewhat of a, you know,

23:56

some kind of rubric to say, you know, do I,

23:59

will I trust this company?

24:01

Do is what they're doing, you know, valuable.

24:04

And, and so I'm, I wanted to know very selfishly from,

24:08

you know, my point of view from, for you like what,

24:11

what are the, the kind of the criteria

24:13

that you have when something new comes across your table

24:16

and you're having to evaluate whether

24:18

or not this is a useful tool

24:21

or a good company to be working with?

24:25

- Yeah, well I'll start with what's more public facing.

24:28

'cause we actually do publish criteria for our resources.

24:30

So if you go to ler tech slash resources on the very top,

24:34

it's gonna, it's gonna go through like I think it's 10

24:37

different things and our criteria that we look for.

24:39

And it's things like how long they've been around.

24:43

It's gonna be things like are they open source?

24:45

Do they do consistent security updates? Is it a public team?

24:50

Different questions like this.

24:51

And these are more objective measurements where I think,

24:54

you know, it might be more subjective is

24:56

just, it's just experience.

24:57

And I'm sure you're already getting a knack for it yourself.

25:00

If not, you probably have already

25:01

had a knack for it for years.

25:02

I don't know what I'm talking about.

25:05

But like when you get emails from all these companies,

25:08

you start looking into them

25:09

and you go, okay, now I know that people

25:11

who send emails like this that clearly are there just

25:14

to be marketing spam

25:15

and are just trying to get people to sell out

25:17

for this ridiculous 32nd sponsor segment

25:19

that has nothing to do with anything.

25:21

Yeah. Then it's like instant red flag, don't even need

25:25

to respond that it's full of crap.

25:28

And so you definitely just get a knack for it,

25:29

which I'm sure you, again, like you've probably

25:31

experienced this as well.

25:33

But on my end it really is also just

25:36

presentation and branding.

25:38

And I think marketing is for me just a clear giveaway as to

25:40

what a, a company's priorities are

25:43

because there's good marketing and there's bad marketing

25:46

and I feel like just

25:48

because a company has bad marketing doesn't mean a services

25:51

are necessarily bad, but it's an instant red flag.

25:53

Especially if they're not an established player.

25:55

If an established player is doing shady marketing practices,

25:59

then maybe sometimes they can get away with it.

26:01

But if you're a brand new to the scene

26:03

and you're just focused all in on marketing,

26:05

then you're already are starting off on the wrong foot.

26:07

And I think one of the most common places I see this is

26:11

as an example Signal.

26:14

Signal to say that Signal isn't like

26:19

one of the, I know I've been talking about Signal a lot,

26:21

but it's just an easy example

26:22

because they really rock it, right?

26:24

Signal's encryption is so good

26:25

that every other company at this point who's using

26:27

end-to-end encryption is pretty much trying to do it.

26:30

Signal does, if not, they're utilizing signal's encryption,

26:32

Facebook Messenger uses signals encryption, Google

26:34

and RCS is using signals encryption.

26:37

It really is kind of the gold standard right now.

26:39

And for somebody to come forward

26:41

and say what signals doing isn't good enough,

26:43

what I'm doing is better has a certain connotation to it

26:48

of interesting.

26:49

Like you better be doing a damn good job

26:51

and justifying why it's that good.

26:53

And it's quite the claim to make for me.

26:55

And so it's also knowing the context of claims

26:58

and really appreciating the tools we have.

27:00

I feel like if you understand the tools we currently have

27:03

access to and just how good they are,

27:05

like if someone comes along

27:07

and says they're significantly better than one

27:09

of those tools, it's almost kind of a red flag.

27:11

Like if someone comes forward and says, I have something

27:13

that's 10 times more anonymous than the Tor browser,

27:16

you better be going, well how the hell are you doing that?

27:19

Because like some of the smartest people in the world are

27:21

working on the tour browser.

27:23

So if that's not you, who are you?

27:26

So I know that's kind of a bit, bit of a tangent.

27:30

I don't know if something there can help people see,

27:32

but I would say there's the objective criteria which have

27:34

already listed out and it's things like

27:36

how long they've existed,

27:37

are they open source, that kind of stuff.

27:38

And then there's more of just my personal views

27:41

and my subjective stances on things like that,

27:43

which I'm sure you have both of them as well.

27:45

Yeah,

27:46

- Yeah.

27:47

That, that one about how long you've been in on the,

27:50

in the market and serving customers is, is a hard one

27:53

because it, it puts new companies at a huge disadvantage.

27:58

And yet, you know, the community has been burned time

28:01

and again by companies that just can't maintain the funding.

28:05

Like it's this chicken and egg thing.

28:07

They need the customers in order to, you know, justify the,

28:11

the spend and the burn and all that stuff in order to grow.

28:14

But, but it's hard.

28:15

And I think, you know, even just, I, I was rooting

28:19

for Skiff a lot.

28:20

I really was. And,

28:22

and I hadn't done, I, by fortunately,

28:25

like this was not planned or anything

28:26

'cause I was actually gonna be doing a video on them

28:29

'cause it, it had been like two years

28:31

and I was like, all right, they, they seemed to be,

28:33

you know, making some traction.

28:34

I know a lot of people who like using them,

28:36

I'd been using it for a little while

28:38

and then boom, out of the blue, they just,

28:41

they got bought up by Notion.

28:43

And now, I mean, not just bought up

28:45

but like shut down completely, right?

28:47

So now if you are a skiff user,

28:48

you've gotta be moving off the platform

28:51

and that just makes it really hard.

28:52

Like it's, it's hard enough to get people to move over

28:55

to something different than what they've been using.

28:58

And so I wanna make sure as somebody who has

29:02

even just a small amount of influence, you know, over

29:05

with an audience, like the people

29:06

who are watching right now, like I wanna make sure that

29:08

what I'm talking about is gonna be

29:11

around for at least a little while.

29:13

And I think that that is, it's,

29:14

it's hard but it's important.

29:18

- Right. I think, and I don't mind name calling

29:21

because they're public videos

29:23

and I'm just referencing public videos.

29:24

But yeah, I did talk about the skiff thing as well

29:27

and how like skiff was something I was,

29:31

I don't know if you saw this,

29:32

but in our forum community, I think,

29:36

I wanna say it was at least six to eight months ago, um-huh?

29:41

Andrew who's the CEO of CFF as part of our forum community.

29:44

And these are public posts

29:46

and they were asking to be listed on our website

29:48

and I pretty much just said, Hey, like you guys,

29:49

I just need to wait longer.

29:51

And I think it's almost a direct quote

29:53

of I don't wanna like recommend my friends

29:55

and family to a service

29:56

and then they get mad at me when it

29:57

shuts down in six months.

30:00

And sure enough they shut down. Wow.

30:02

It's not like I called it. Yeah.

30:03

It's just like that's part of the criteria

30:05

and the criteria did what they're supposed to,

30:06

which is like make things a little bit safer.

30:09

But on the other hand, I think it's

30:11

how you cover things, right?

30:13

Because if,

30:14

and this is actually one of my criticisms

30:16

of some stuff I see like online, I don't like things

30:20

to be over marketed right away

30:23

by not even the companies themselves, but other people.

30:25

I see this a lot, which is like,

30:27

there's this brand new browser,

30:28

it's amazing, it's incredible.

30:30

Here's 10 awesome things about the browser. Go download it.

30:33

Or you're silly, see you later. Yeah.

30:36

And there's no talk about, okay, well how, who's the team

30:38

behind this browser?

30:39

Why, why are they better than other browsers?

30:42

Is it actually that good?

30:43

Let's like get objective about this.

30:45

Why is this protection in the browser better than a

30:47

different browser for who is it better?

30:50

And also let's talk about the long-term

30:52

sustainability of the project.

30:54

Why are you gonna move to this browser if it's going

30:56

to just shut down anyway in six months?

30:59

Is it reputable?

31:00

Are the people who are running this,

31:01

they're pushing code to your device?

31:03

Do you trust them to push code to your device?

31:05

So I wish that there were,

31:07

I think you can cover these new services

31:09

and it's something that I don't do

31:10

'cause I don't have the time for it, but I wish I did.

31:13

But as long as you cover new services critically

31:16

and honestly,

31:17

and you tell people, Hey, yeah, this is super cool.

31:20

It seems awesome, but here are my reservations.

31:23

I think it's fine. And we actually did that

31:25

with something called, I, I saw a question here in the live

31:27

chat about eims.

31:29

We covered a service called Silent Link a while ago. Yes.

31:32

I think it's been a couple years.

31:34

And we covered them when I just learned about,

31:36

they must have been so much smaller.

31:37

I don't know if, I don't know what they're doing,

31:39

I haven't kept up with them.

31:40

But in the video I straight up say like,

31:44

guys, this works.

31:45

I tested it for myself,

31:46

but I don't necessarily recommend it to people

31:48

because I don't know who the team is.

31:50

I still have so many questions about this. So proceed.

31:53

Proceed with caution. Yeah.

31:55

So I think you can cover new services,

31:57

but it has to have a lot of disclaimers.

32:00

- Yeah. Yeah. Well I mean, to that point

32:01

- I'm not recommending them even now

32:03

'cause I haven't looked into it since then.

32:05

Just for the record. Yeah.

32:06

- Well, and I, I'm gonna, I'm gonna be vulnerable here

32:09

and hopefully, you know, people will be understanding,

32:12

like I went to use Silent link as well just

32:15

'cause I wanted to try this anonymous SIM option.

32:18

And this is the question I think that Henry was,

32:20

was referencing and,

32:22

and I eventually was able to use it, but the pro,

32:26

but they only accept crypto payment.

32:31

And for the life of me,

32:34

I consider myself somewhat tech savvy.

32:36

I had such a hard time doing it, you know,

32:41

I, I I hold crypto,

32:42

but I don't necessarily, like, it was, it was hard for me

32:45

to, to pay out for some reason.

32:47

Like it literally took me hours to try to figure it out and,

32:50

and it was like, I'm, there's no way I'm gonna tell my mom

32:55

for sure, but even some of my friends that wouldn't be able

32:58

to go through a process like that.

33:01

So that being an example, both of like what you said,

33:04

being careful about how you recommend something,

33:06

but even, even if I were to recommend that,

33:09

who I would recommend that to

33:11

- Great point.

33:12

Yeah. Different demographics, different use cases.

33:14

And again, I think this is where people just miss the mark

33:17

because back to signal, signal might be perfect

33:20

for your friends, but it might not be perfect

33:21

for in an anonymity oriented messenger.

33:24

And that's where something like Briar might be better.

33:25

Where there is no like core unique identifier

33:29

in a way it's peer to peer.

33:30

There's no central server,

33:32

there's no one you even have to trust.

33:34

And so it really is different use cases

33:36

and there's very few tools.

33:39

There's so few moments where I say just don't use this.

33:43

And the only one I can think of off the top

33:45

of my head is like, LastPass just

33:48

because there's no reason there's better free options than

33:52

LastPass that have better usability,

33:53

better every, I just Sure.

33:54

It's, it's one of those things that I can't even sit down

33:56

and figure out who should use it Yeah.

33:59

Relative to the competition.

34:00

But I, I can't even do that

34:02

for anything else off the top of my head.

34:05

Like operating systems, browsers,

34:08

messengers in general.

34:10

I just feel like there's a use case

34:11

for almost everything out there.

34:13

And I'm sure you see this with VPNs, you were talking about

34:15

how different countries, maybe a v PN that was terrible

34:18

to recommend for pricing security might have bypassed

34:21

something in China, for example.

34:24

I know, I see that a lot.

34:26

Yeah, you probably know a lot

34:27

more about that than I do though.

34:29

- I mean, you're, you're right.

34:30

Like I would get so many people that would,

34:32

that would criticize my, my recommendations for A VPN

34:36

and a lot like I started because I was in China

34:40

and how I was recommended VPNs.

34:41

And the reality is, is like the,

34:44

the game in China is very cat and mouse.

34:45

So unless a company is willing to play that game,

34:48

if they've got enough of a customer base in that country

34:51

to play that game of cat

34:52

and mouse, okay, this, you know, IP address

34:55

or this server has been blocked in some way,

34:58

so let's change it.

34:59

Let's, let's adapt for our customer base it like, I don't,

35:03

I don't care if you're open source, I'm just trying

35:05

to access my email for goodness sakes.

35:07

I'm just trying to like message my parents.

35:09

I like, it's, it,

35:11

there were different criteria that I had for that.

35:14

All right. Oh, go ahead.

35:16

- No, I'm just agreeing. - Yeah, let's,

35:20

we're gonna shift gears here.

35:21

So those of you who are in the comments section right now,

35:24

I want you, I, we've already got some great questions

35:27

that I've starred that I'm gonna bring up for both Henry

35:29

and I as we finish out the last 20

35:31

minutes of this live stream.

35:32

But before we do that, I did wanna say,

35:35

and you know, this is, I, it's paying the bills,

35:38

but quite honestly I am really, really happy with Yubico.

35:41

We were talking about, you know, companies that we trust

35:44

and different things that, that we,

35:46

that are basically markers

35:48

for why I would recommend something.

35:49

And I have to be very,

35:51

very careful about which companies I allow

35:54

to sponsor the All Things Secured channel.

35:57

And I'm, right now it's just, you know, Proton, Yubico

36:01

and a couple others.

36:02

And so right now, Yubico if you don't have a 2FA key,

36:04

like this is, I'll show you different types of,

36:07

they've got USB-C, they've got the lightning cable,

36:10

which may not be useful here in a, in a year or two.

36:14

This is one that I keep in my, in my computer, on my,

36:18

you know, in my office all the time that keeps plugged in.

36:21

Like these keys are the best way to make sure

36:25

that you're not just like the, I I always say that,

36:27

you know, when it comes to two-factor authentication,

36:30

having two-factor authentication is better than not.

36:32

But the tier is SMS text would be my least favorite followed

36:37

by the authenticator app.

36:38

But the, the top of the line there is using a physical key

36:42

that somebody would have to steal off of me in order

36:45

to be able to log into my accounts.

36:47

So if you wanted to get your own key, you can get $5 off,

36:50

you can get two of them get $10 off,

36:52

and that includes their Security Key series.

36:54

So that's their lower, not lower end.

36:56

That sounds really bad because it's their entry level.

36:58

It does what you need to do.

37:00

It just doesn't have certain FIDO2 security features.

37:03

But if you wanna go ahead and grab that, this is, I, they,

37:06

they haven't given me a code, they've just given me a link.

37:08

And so you can go to allthingssecured.com/yubikey5off,

37:11

and you can get $5 off.

37:12

It's automatically applied even if you, I think if you go to

37:16

that link, it automatically puts in a five C key.

37:19

But you can take that out, you can put in different keys

37:21

and you'll still get that $5 off once you update that.

37:24

So let's go ahead and jump in