Why Free and Open-Source Software (FOSS) Matters

Intro

Do you love money and freedom? Do you hate being spied on and having your data monetized, shared, breached, and held captive by creepy organizations? If so, Free and Open-Source Software (FOSS) is right for you!

Even if you’re paying, many closed-source applications and services are harvesting and sharing your personal data (searches, purchases, location, health and fitness, etc.) and potentially exposing you to critical security vulnerabilities. Many have come to accept that if you want to live in a modern society, you must use proprietary software and accept their abusive practices. This just isn’t the case. Not only are there a lot of great FOSS alternatives out there, many of them are actually better than their proprietary counterparts.

In addition, we see a disturbing trend of proprietary software weakening encryption, collecting more data, bundling adware, and moving to subscription payment models. Abandon this sinking ship while you still can. In this episode, we explain what the issues with closed-source software are and how FOSS can help.

We also discuss action items for transitioning to FOSS and using closed-source software in a controlled manner if you need to.

Podcast

1
00:00:00,000 –> 00:00:14,920
Hey everybody, welcome to the Bigger Insights Privacy and Security podcast, the best podcast

2
00:00:14,920 –> 00:00:17,080
in the history of podcasts.

3
00:00:17,080 –> 00:00:22,800
In this episode, we’re going to talk about free and open-source software and why it matters.

4
00:00:22,800 –> 00:00:27,080
Before we get too deep into the weeds, let’s go over some background items to make sure

5
00:00:27,080 –> 00:00:29,840
that we’re on the same page.

6
00:00:29,840 –> 00:00:36,760
So when we say “free” in the context of free and open-source software, or FOSS (we’ll probably

7
00:00:36,760 –> 00:00:38,680
be saying FOSS a lot),

8
00:00:38,680 –> 00:00:40,200
we mean freedom.

9
00:00:40,200 –> 00:00:44,400
Free as in freedom, not necessarily free as in free beer.

10
00:00:44,400 –> 00:00:51,000
Now, it is the case that open-source software oftentimes is free as in there’s no cost to

11
00:00:51,000 –> 00:00:54,440
you, but we’re really focused on freedom here.

12
00:00:54,440 –> 00:01:00,000
When we say open-source, we just mean that the source code for the software is publicly

13
00:01:00,000 –> 00:01:06,120
available, meaning that you can read through it if you want and you know how to read software.

14
00:01:06,120 –> 00:01:10,680
Obviously, not everybody’s going to do that, but it’s still helpful to know that there

15
00:01:10,680 –> 00:01:15,520
are people out there like security researchers, for example, who are going to review that

16
00:01:15,520 –> 00:01:21,920
code and potentially identify or recommend fixes to make it better.

17
00:01:21,920 –> 00:01:27,640
One thing to keep in mind with open-source software is it is relatively common that

18
00:01:27,640 –> 00:01:33,960
the source code for the client software is open-source, but not necessarily the server

19
00:01:33,960 –> 00:01:35,040
code.

20
00:01:35,040 –> 00:01:41,440
And sometimes software vendors do that to protect their servers because that code might

21
00:01:41,440 –> 00:01:45,960
contain things to help fight against spam and abuse and things like that.

22
00:01:45,960 –> 00:01:51,480
And if they make that code available, it makes it very easy for scammers and spammers and

23
00:01:51,480 –> 00:01:56,160
hackers to find ways to get around their anti-abuse measures.

24
00:01:56,160 –> 00:02:02,920
So that’s pretty common with things like VPN software where the client software that you

25
00:02:02,920 –> 00:02:07,480
actually run on your computer is open-source, but the code that they run on their servers

26
00:02:07,480 –> 00:02:09,280
might not be.

27
00:02:09,280 –> 00:02:14,680
And when it comes to software that relies on encryption, that’s nice to know because

28
00:02:14,680 –> 00:02:19,480
you can at least verify that regardless of what the server is doing or whether it’s

29
00:02:19,480 –> 00:02:24,960
compromised or not, you can still see that your data that’s going to the servers is

30
00:02:24,960 –> 00:02:27,160
properly encrypted.

31
00:02:27,160 –> 00:02:32,080
We’d also like to go over a few caveats to make sure that nobody jumps to any conclusions

32
00:02:32,080 –> 00:02:38,120
or misconstrues what we’re saying about open-source versus closed-source software.

33
00:02:38,120 –> 00:02:43,480
And the first is that open-source is not a guarantee of anything.

34
00:02:43,480 –> 00:02:45,320
It doesn’t guarantee that it’s secure.

35
00:02:45,320 –> 00:02:50,840
It doesn’t guarantee that it’s not spying on you or doesn’t contain telemetry.

36
00:02:50,840 –> 00:02:55,680
There’s no guarantee that anybody’s actually reviewing and auditing this code, especially

37
00:02:55,680 –> 00:03:00,800
for smaller niche and obscure projects.

38
00:03:00,800 –> 00:03:05,760
And on the flip side of that, closed-source doesn’t necessarily mean that software is

39
00:03:05,760 –> 00:03:06,760
bad.

40
00:03:06,760 –> 00:03:12,800
It doesn’t necessarily mean that we’re opposed to it, but there are pros and cons to both

41
00:03:12,800 –> 00:03:18,320
that you really need to consider before you use a piece of software.

42
00:03:18,320 –> 00:03:24,080
Now we’re going to discuss some of the issues with closed-source software that you should

43
00:03:24,080 –> 00:03:27,120
really be keeping in mind when you use it.

44
00:03:27,120 –> 00:03:33,360
The first is that keeping your software closed-source is a really convenient way to hide

45
00:03:33,360 –> 00:03:35,800
things from your users.

46
00:03:35,800 –> 00:03:42,680
Now I’m going to go over a few examples of that and just keep in mind I’m not necessarily

47
00:03:42,680 –> 00:03:48,120
implying that these companies are doing something intentionally malicious, but it certainly could

48
00:03:48,120 –> 00:03:50,760
be that way and it kind of looks that way.

49
00:03:50,760 –> 00:03:58,440
So very recently, TrashPass, I mean LastPass had a security incident and one of the things

50
00:03:58,440 –> 00:04:04,920
that we found out was that they were not encrypting all of the password vault contents, which

51
00:04:04,920 –> 00:04:05,920
is mind-blowing.

52
00:04:05,920 –> 00:04:09,360
I mean, why would you do that?

53
00:04:09,360 –> 00:04:13,040
Not to mention LastPass has been around for a long time.

54
00:04:13,040 –> 00:04:17,520
If anybody should know that they should be encrypting all the content that their users

55
00:04:17,520 –> 00:04:20,880
are putting in their password vaults, it should be LastPass.

56
00:04:20,880 –> 00:04:25,720
So one of the things that they were not encrypting was URLs.

57
00:04:25,720 –> 00:04:29,960
That might not sound like a big deal, but they could be using that information or selling

58
00:04:29,960 –> 00:04:35,000
that information to keep tabs on what their users are doing, what kind of accounts they

59
00:04:35,000 –> 00:04:38,960
have and things like that, you know, it’s pretty concerning.

60
00:04:38,960 –> 00:04:43,800
Through our own research, we see concerning things all the time.

61
00:04:43,800 –> 00:04:51,680
So we’ve tested and reviewed NordVPN and it’s a very popular VPN.

62
00:04:51,680 –> 00:04:57,360
It’s closed-source and I think there are good reasons why they keep it closed-source.

63
00:04:57,360 –> 00:05:01,960
Nord seems to have a very cozy relationship with Google.

64
00:05:01,960 –> 00:05:08,480
Their website has Google trackers in it and at least in their iOS client, when you open

65
00:05:08,480 –> 00:05:11,000
NordVPN, it makes connections to Google.

66
00:05:11,000 –> 00:05:16,480
Now, I don’t know about you, but I don’t want my devices connecting to Google, especially

67
00:05:16,480 –> 00:05:22,920
if I’m using a VPN. I mean, the P in VPN stands for private.

68
00:05:22,920 –> 00:05:26,200
There’s nothing private at all about Google.

69
00:05:26,200 –> 00:05:28,680
So A, why are they doing that?

70
00:05:28,680 –> 00:05:34,600
And B, we believe that this is one of the reasons why their clients are closed-source.

71
00:05:34,600 –> 00:05:39,560
Because if they were to show their code to the whole world, it would open up a whole

72
00:05:39,560 –> 00:05:45,000
host of questions like, why are you connecting my device to Google?

73
00:05:45,000 –> 00:05:49,840
Just the other day, I was testing a free and open-source application firewall called Safing

74
00:05:49,840 –> 00:05:53,280
Portmaster on Windows 10.

75
00:05:53,280 –> 00:05:58,600
And one of the things that I noticed was that Windows Explorer, at least in Windows 10,

76
00:05:58,600 –> 00:06:03,320
if not Windows 11 as well, connects your computer to Bing.com.

77
00:06:03,320 –> 00:06:05,440
Well, what is that about?

78
00:06:05,440 –> 00:06:08,040
What does that have to do with Windows Explorer?

79
00:06:08,040 –> 00:06:12,840
I don’t want my computer connecting to Bing.com unless I go to Bing.com.

80
00:06:12,840 –> 00:06:18,320
So again, this is something that software companies like to do when they can hide behind

81
00:06:18,320 –> 00:06:20,400
closed-source code.

82
00:06:20,400 –> 00:06:28,040
iOS and most versions of Android have persistent tracking and telemetry that you may or may

83
00:06:28,040 –> 00:06:31,200
not be able to turn off, you know, at least some of it.

84
00:06:31,200 –> 00:06:36,120
But we know for a fact that some of it you cannot turn off, and, you know, Apple and

85
00:06:36,120 –> 00:06:41,940
Google are being sued all the time over things like this, over things like having toggles

86
00:06:41,940 –> 00:06:47,960
turning off location tracking, for example, and then we find out that, in fact, they keep

87
00:06:47,960 –> 00:06:50,400
tracking your location.

88
00:06:50,400 –> 00:06:52,840
And here’s another one that you might get a kick out of.

89
00:06:52,840 –> 00:06:59,000
A lot of people use Google Chrome, which we definitely don’t recommend.

90
00:06:59,000 –> 00:07:04,560
The Chromium engine behind it is open-source, but basically Google takes Chromium and then

91
00:07:04,560 –> 00:07:08,640
they add a bunch of spyware to it, and that becomes Google Chrome.

92
00:07:08,640 –> 00:07:13,640
So one of the things that I actually found out by myself by going through my files and

93
00:07:13,640 –> 00:07:21,560
trying to understand what was in it, Chrome comes with a tool called, I believe it’s Chrome

94
00:07:21,560 –> 00:07:25,000
Cleanup Tool or something like that, at least on Windows.

95
00:07:25,000 –> 00:07:27,920
I don’t know about other operating systems.

96
00:07:27,920 –> 00:07:36,080
This tool scans the files on your PC and Google claims that they’re just looking for malware,

97
00:07:36,080 –> 00:07:38,680
which is extremely suspicious for a number of reasons.

98
00:07:38,680 –> 00:07:43,920
One of which is Windows comes with Windows Defender, which obviously scans your files

99
00:07:43,920 –> 00:07:45,760
looking for malware.

100
00:07:45,760 –> 00:07:51,360
And who’s asking Google to scan their Windows PC looking for malware?

101
00:07:51,360 –> 00:07:54,440
Now that might not sound that suspicious to you, but it is suspicious.

102
00:07:54,440 –> 00:07:58,680
I mean, just take a look at Google’s business model.

103
00:07:58,680 –> 00:08:04,200
Their business model is to try to collect and understand everything there is to know about

104
00:08:04,200 –> 00:08:05,200
you.

105
00:08:05,200 –> 00:08:09,880
And it’s sitting here on your computer scanning through all of your files.

106
00:08:09,880 –> 00:08:12,080
And of course, that’s closed-source.

107
00:08:12,080 –> 00:08:15,800
And they’ll say things like, Oh, we’re just looking for malware.

108
00:08:15,800 –> 00:08:20,160
You know, we can only see the files in your user space.

109
00:08:20,160 –> 00:08:21,800
We can’t see the system files.

110
00:08:21,800 –> 00:08:24,840
But who cares about the system files?

111
00:08:24,840 –> 00:08:30,200
You know, if Google is sitting there scanning your pictures, your videos, your documents,

112
00:08:30,200 –> 00:08:34,960
your downloads, your desktop, that’s the stuff that actually matters.

113
00:08:34,960 –> 00:08:38,200
That’s the kind of stuff you don’t want Google to see.

114
00:08:38,200 –> 00:08:40,520
And they could be abusing this for all kinds of things.

115
00:08:40,520 –> 00:08:44,640
They could be keeping track of what other apps you have installed, what kind of things

116
00:08:44,640 –> 00:08:48,040
you’re writing, what kind of content you have on your system.

117
00:08:48,040 –> 00:08:50,680
They could be using it for fingerprinting your system.

118
00:08:50,680 –> 00:08:52,880
There are all kinds of ways to abuse this.

119
00:08:52,880 –> 00:08:54,960
It is concerning.

120
00:08:54,960 –> 00:08:58,120
And this one deserves its own episode.

121
00:08:58,120 –> 00:09:05,080
But if you have an Intel or an AMD CPU, be aware that Intel CPUs have something called

122
00:09:05,080 –> 00:09:11,320
the Management Engine and AMD CPUs have something called the Platform Security Processor, which

123
00:09:11,320 –> 00:09:19,080
are little closed-source operating systems that run inside your CPU 24 hours a day as

124
00:09:19,080 –> 00:09:24,360
long as they have power. They can see all of your information before it’s encrypted.

125
00:09:24,360 –> 00:09:29,760
I think they have some remote administration and networking capabilities.

126
00:09:29,760 –> 00:09:31,680
And like I said, they’re closed-source.

127
00:09:31,680 –> 00:09:35,560
And these companies are very secretive about what these things do.

128
00:09:35,560 –> 00:09:40,720
Now these companies will swear up and down that they’re not doing anything suspicious,

129
00:09:40,720 –> 00:09:44,480
which if that is the case, why not show us?

130
00:09:44,480 –> 00:09:46,440
Why not show us the code?

131
00:09:46,440 –> 00:09:50,280
That’s the easiest way to convince us that they’re not doing anything suspicious.

132
00:09:50,280 –> 00:09:55,120
And if they have some good reason for not showing us the code, why not give us the ability

133
00:09:55,120 –> 00:10:01,200
to turn it off or buy a CPU that doesn’t have these built into it?

134
00:10:01,200 –> 00:10:07,040
And you can read about this if you want on Wikipedia on the Intel Management Engine page.

135
00:10:07,040 –> 00:10:12,920
But something very interesting happened once. Somebody noticed on Dell’s website that there

136
00:10:12,920 –> 00:10:19,160
was a CPU option that came with the Intel Management Engine disabled.

137
00:10:19,160 –> 00:10:25,400
And when asked about it, Dell’s response was basically, oh, that was an issue with our

138
00:10:25,400 –> 00:10:26,520
website.

139
00:10:26,520 –> 00:10:28,640
You weren’t supposed to see that.

140
00:10:28,640 –> 00:10:31,840
Those CPUs are basically for the military.

141
00:10:31,840 –> 00:10:35,160
Now I don’t know about you, but that sounds pretty suspicious.

142
00:10:35,160 –> 00:10:40,840
I mean, if all it’s doing is some security and administrative tasks or something, why

143
00:10:40,840 –> 00:10:46,720
would only the military or law enforcement or whomever be able to have it, but you, the

144
00:10:46,720 –> 00:10:50,720
consumer, cannot? You know, that’s obviously very suspicious.

145
00:10:50,720 –> 00:10:51,720
Okay.

146
00:10:51,720 –> 00:10:52,720
So this is interesting enough.

147
00:10:52,720 –> 00:10:57,360
I think I’m just going to go ahead and read it to you straight from Wikipedia.

148
00:10:57,360 –> 00:11:04,200
It says, in December, Dell began showing certain laptops on its website that offered the systems

149
00:11:04,200 –> 00:11:12,120
management option “Intel vPro - ME Inoperable, custom order” for an additional fee.

150
00:11:12,120 –> 00:11:18,120
Dell has not announced or publicly explained the methods used. In response to press requests,

151
00:11:18,120 –> 00:11:23,640
Dell stated that those systems had been offered for quite a while, but not for the general

152
00:11:23,640 –> 00:11:29,520
public and had found their way to the website only inadvertently.

153
00:11:29,520 –> 00:11:37,000
The laptops are available only by custom order and only to the military, government and intelligence

154
00:11:37,000 –> 00:11:38,000
agencies.

155
00:11:38,000 –> 00:11:43,840
They are specifically designed for covert operations such as providing a very robust

156
00:11:43,840 –> 00:11:53,080
case, and stealth operating mode kill switches that disable display LEDs, speaker, fan and

157
00:11:53,080 –> 00:11:55,440
any wireless technology.

158
00:11:55,440 –> 00:12:00,320
Now I don’t know about you, but why would you need to be in the military, government

159
00:12:00,320 –> 00:12:08,360
or intelligence agency to be able to disable your display LED lights, speaker, fan or wireless

160
00:12:08,360 –> 00:12:09,360
technology?

161
00:12:09,360 –> 00:12:15,400
Like, what is so special about that that you need to be in one of these organizations

162
00:12:15,400 –> 00:12:17,440
to get access to that?

163
00:12:17,440 –> 00:12:21,200
And I mean, you might think that only they would have a use case for something like that,

164
00:12:21,200 –> 00:12:22,720
but why would they need to hide it from you?

165
00:12:22,720 –> 00:12:23,720
That doesn’t make any sense.

166
00:12:23,720 –> 00:12:29,360
I mean, if you were an average user and you wanted to disable your LED lights or something

167
00:12:29,360 –> 00:12:34,440
and pay Dell a fee, why would they not even give you that option?

168
00:12:34,440 –> 00:12:38,480
Or is it that they’re not telling you the whole truth and we think that that’s more

169
00:12:38,480 –> 00:12:45,320
likely and you know, these are just the prizes you win when you play with closed-source software.

170
00:12:45,320 –> 00:12:52,000
This is a good segue into security because not only are there a lot of questions about

171
00:12:52,000 –> 00:12:58,840
what IME and PSP are actually doing, they have actually introduced very serious security

172
00:12:58,840 –> 00:13:03,080
vulnerabilities in people’s systems, which are bound to happen.

173
00:13:03,080 –> 00:13:08,640
Because again, IME and PSP are closed-source and because they’re closed-source, the security

174
00:13:08,640 –> 00:13:15,920
community can’t audit their code and look for vulnerabilities. Intel and AMD’s philosophy

175
00:13:15,920 –> 00:13:19,520
on this is called security through obscurity.

176
00:13:19,520 –> 00:13:25,120
And it’s the belief that you can make your code secure by hiding its implementation

177
00:13:25,120 –> 00:13:27,120
from the general public.

178
00:13:27,120 –> 00:13:34,000
This is a very flawed idea that’s been around for millennia, at least as far back as the

179
00:13:34,000 –> 00:13:35,000
Caesar cipher.

180
00:13:35,000 –> 00:13:41,480
And more recently, we’ve seen this idea fail with things like the Enigma machine in World

181
00:13:41,480 –> 00:13:44,120
War II, which we were able to crack.

182
00:13:44,120 –> 00:13:49,200
Some of the cell phone encryption mechanisms have also been cracked despite being closed-

183
00:13:49,200 –> 00:13:50,200
source.

184
00:13:50,200 –> 00:13:56,840
In the security community, there are a lot of debates going on, but one thing that all

185
00:13:56,840 –> 00:14:02,800
security experts will agree on is that security through obscurity is a terrible idea for a

186
00:14:02,800 –> 00:14:03,800
couple of reasons.

187
00:14:03,800 –> 00:14:09,120
I mean, one, you’re not allowing a lot of researchers to audit the code to look for

188
00:14:09,120 –> 00:14:15,800
vulnerabilities, but two, there are a lot of off the shelf open standards for security

189
00:14:15,800 –> 00:14:21,600
that anybody can use and that have had, you know, people spending years of their life

190
00:14:21,600 –> 00:14:24,640
trying to crack and haven’t been able to do it.

191
00:14:24,640 –> 00:14:30,320
Another trend that’s going on in the security world today in both the private and the public

192
00:14:30,320 –> 00:14:37,520
sector, you know, even the intelligence community would agree, is that the way to go forward

193
00:14:37,520 –> 00:14:41,080
if you want to be secure is trustless computing.

194
00:14:41,080 –> 00:14:45,960
You might have heard of this before and, you know, unfortunately, you can’t eliminate

195
00:14:45,960 –> 00:14:52,640
all forms of trust in your technology stack, but basically every layer of trust that you

196
00:14:52,640 –> 00:14:57,000
add introduces a new set of vulnerabilities.

197
00:14:57,000 –> 00:15:02,160
So let’s just say, for example, that you’re one of these people who store passwords in

198
00:15:02,160 –> 00:15:08,160
an Excel file or something like that and then back it up to Dropbox or Google Drive or something,

199
00:15:08,160 –> 00:15:09,160
which is a terrible thing to do.

200
00:15:09,160 –> 00:15:10,160
You shouldn’t do that.

201
00:15:10,160 –> 00:15:14,480
You should listen to our podcast on why you should use a password manager.

202
00:15:14,480 –> 00:15:19,160
But if you think about it, there’s a lot of trust involved in that chain.

203
00:15:19,160 –> 00:15:25,840
So basically you’re thinking, okay, I trust Windows to not be spying on what I’m doing.

204
00:15:25,840 –> 00:15:28,920
I trust them not to collect my keystrokes.

205
00:15:28,920 –> 00:15:34,320
I’m trusting them not to take screenshots or take a copy of my file.

206
00:15:34,320 –> 00:15:38,480
I trust Excel not to be doing those things either.

207
00:15:38,480 –> 00:15:44,120
And if it sounds like I’m just making things up, you should read through Microsoft’s documentation,

208
00:15:44,120 –> 00:15:50,400
their privacy policies, their terms of service, and read through the descriptions of some

209
00:15:50,400 –> 00:15:56,320
of the features in the Group Policy Editor, and they’ll tell you point blank that Windows

210
00:15:56,320 –> 00:16:01,440
may be capturing keystrokes, screenshots, mouse clicks, files, and other things for a number

211
00:16:01,440 –> 00:16:05,280
of reasons like diagnostics or debugging or something like that.

212
00:16:05,280 –> 00:16:06,880
So I’m not just making this up.

213
00:16:06,880 –> 00:16:10,440
But then you’re thinking, okay, I need to trust my computer.

214
00:16:10,440 –> 00:16:15,360
I need to trust the network that I’m on, that it’s not monitoring what I’m doing.

215
00:16:15,360 –> 00:16:21,800
Then I need to send that through my ISP and trust that they’re not doing anything malicious,

216
00:16:21,800 –> 00:16:26,120
which these days is a little bit more difficult for them to do because most web traffic is

217
00:16:26,120 –> 00:16:31,080
encrypted with TLS, but they are recording what people are doing.

218
00:16:31,080 –> 00:16:35,560
The FTC is currently investigating that; you can read their report on it.

219
00:16:35,560 –> 00:16:37,160
It’s pretty interesting.

220
00:16:37,160 –> 00:16:43,440
Then when your file gets to Google Drive or Dropbox, you need to trust that they are

221
00:16:43,440 –> 00:16:48,200
securing it properly and won’t expose it in a data breach.

222
00:16:48,200 –> 00:16:53,200
You’re trusting that their employees aren’t going to read through your documents, which

223
00:16:53,200 –> 00:16:58,080
sometimes they do, either manually or using automated means.

224
00:16:58,080 –> 00:17:03,880
Not only does that happen, but these companies sometimes will even admit to allowing contractors

225
00:17:03,880 –> 00:17:10,040
to access user data for tuning their algorithms or debugging or something like that.

226
00:17:10,040 –> 00:17:13,520
That’s also something that you need to trust them not to do.

227
00:17:13,520 –> 00:17:20,160
Google also had an incident with Google Drive where people noticed that when they were using

228
00:17:20,160 –> 00:17:27,080
the Takeout tool to download their data from Google Drive, that it was including files,

229
00:17:27,080 –> 00:17:31,680
at least photos, if not other files, from other people’s Google accounts.

230
00:17:31,680 –> 00:17:37,040
Then on top of that, you need to trust that they wouldn’t hand that over to law enforcement,

231
00:17:37,040 –> 00:17:40,880
which is definitely on the table.

232
00:17:40,880 –> 00:17:45,320
And you need to trust that if you delete that file, that they’ll actually delete it.

233
00:17:45,320 –> 00:17:48,080
That’s shaky as well.

234
00:17:48,080 –> 00:17:52,080
If you’re picking up what I’m putting down, you’ll notice that there’s an awful lot of

235
00:17:52,080 –> 00:17:55,160
trust in this transaction here.

236
00:17:55,160 –> 00:18:00,640
If any one of those turns out to be an issue, you might have a very big problem on your

237
00:18:00,640 –> 00:18:01,920
hands.

238
00:18:01,920 –> 00:18:06,480
That’s why the name of the game these days in the security world is trustless computing.

239
00:18:06,480 –> 00:18:12,240
With something like Proton Drive, for example, as opposed to Google Drive, the application

240
00:18:12,240 –> 00:18:14,040
is open-source.

241
00:18:14,040 –> 00:18:19,200
We can read what it’s doing and verify that it’s end-to-end encrypting our data so that

242
00:18:19,200 –> 00:18:25,720
when we send our data to Proton Drive, they’ll have it in an encrypted form that they can’t decrypt.

243
00:18:25,720 –> 00:18:31,960
Worst case scenario, they could delete it or something like that, but they can’t access

244
00:18:31,960 –> 00:18:36,480
and abuse it like a company like Google or Dropbox can.

245
00:18:36,480 –> 00:18:42,080
Another thing to keep in mind with developers of closed-source software, especially the kinds

246
00:18:42,080 –> 00:18:49,480
of software that are known to do suspicious things, is they always have this excuse that

247
00:18:49,480 –> 00:18:54,080
they can fall back on and just claim that if they get caught doing something that it

248
00:18:54,080 –> 00:18:56,360
was just a bug.

249
00:18:56,360 –> 00:19:01,600
Think about it, if you’re Google or Apple or something and people find out that you’ve

250
00:19:01,600 –> 00:19:06,720
been tracking their location, even though they’ve flipped the toggle that asked you

251
00:19:06,720 –> 00:19:10,600
not to track their location, you can just throw your hands up in the air and say, oh, that

252
00:19:10,600 –> 00:19:12,400
was just a bug.

253
00:19:12,400 –> 00:19:18,040
What I was alluding to earlier was the question of whether some of these providers are

254
00:19:18,040 –> 00:19:20,280
actually deleting your data.

255
00:19:20,280 –> 00:19:28,640
A few years ago, Dropbox had what they essentially chalked up to as a bug where some users started

256
00:19:28,640 –> 00:19:35,840
reporting that they were seeing files mysteriously reappear in their Dropbox account after having

257
00:19:35,840 –> 00:19:39,640
been deleted, in some cases, several years ago.

258
00:19:39,640 –> 00:19:46,520
Of course, Dropbox just blew it off and said it was a bug or something like that, but I

259
00:19:46,520 –> 00:19:51,600
don’t understand how their developers and their engineers could not catch something

260
00:19:51,600 –> 00:19:52,600
like that.

261
00:19:52,600 –> 00:19:59,600
I mean, if someone has been deleting files for years, how could you not catch that?

262
00:19:59,600 –> 00:20:05,240
Especially if somebody is on an account that only has like a one or five gigabyte limit and

263
00:20:05,240 –> 00:20:08,920
they’re consuming that and deleting files for years, you would think that there would be

264
00:20:08,920 –> 00:20:15,240
a huge discrepancy between what their servers are actually holding and what is reported

265
00:20:15,240 –> 00:20:17,080
on people’s accounts.

266
00:20:17,080 –> 00:20:22,320
But again, this is an excuse that these companies can throw out there when they get caught doing

267
00:20:22,320 –> 00:20:24,360
something that they probably shouldn’t be doing.

268
00:20:24,360 –> 00:20:30,240
And of course, most people and the mainstream media are just going to accept it because

269
00:20:30,240 –> 00:20:33,600
their whole system is based on trust.

270
00:20:33,600 –> 00:20:35,560
You can’t verify what they’re doing.

271
00:20:35,560 –> 00:20:39,440
You can’t verify whether they’re doing something they shouldn’t be doing or whether something

272
00:20:39,440 –> 00:20:40,800
is just a bug.

273
00:20:40,800 –> 00:20:43,240
All you have is their word.

274
00:20:43,240 –> 00:20:47,400
And as far as we’re concerned, a big tech company’s word is essentially meaningless.

275
00:20:47,400 –> 00:20:50,280
I mean, it means about as much as a politician’s word.

276
00:20:50,280 –> 00:20:54,160
Let’s look at some examples of recent history.

277
00:20:54,160 –> 00:21:00,280
Zoom lied about their web meetings being end-to-end encrypted for years.

278
00:21:00,280 –> 00:21:04,600
They lied about, they just straight up lied about it for years.

279
00:21:04,600 –> 00:21:07,840
Let’s take Fecesbook and WhatsApp, for example.

280
00:21:07,840 –> 00:21:14,600
So Fecesbook bought WhatsApp for a little over $19 billion.

281
00:21:14,600 –> 00:21:22,080
Now when somebody pays that kind of money for a free messaging app, which, let’s be honest,

282
00:21:22,080 –> 00:21:28,000
Facebook has the means and the engineers to develop a messaging app.

283
00:21:28,000 –> 00:21:29,200
They’re not buying the app.

284
00:21:29,200 –> 00:21:31,760
They’re buying you, the user.

285
00:21:31,760 –> 00:21:36,880
But when they did that, they really downplayed the risk that they would be sharing WhatsApp

286
00:21:36,880 –> 00:21:39,320
data with Fecesbook.

287
00:21:39,320 –> 00:21:43,320
Their users freaked out about it and understandably so.

288
00:21:43,320 –> 00:21:46,040
So they just kind of laid low about it.

289
00:21:46,040 –> 00:21:50,360
And eventually, I think it was like a couple years after they bought it, they updated their

290
00:21:50,360 –> 00:21:55,720
terms of service to allow them to start sending your WhatsApp data back to Fecesbook.

291
00:21:55,720 –> 00:21:59,640
But while we’re on the subject, let this be a cautionary tale.

292
00:21:59,640 –> 00:22:05,880
You should be very selective about who you give your information to because once companies

293
00:22:05,880 –> 00:22:11,800
like Facebook and Google and Oracle and Microsoft get to be the size they are, one of the things

294
00:22:11,800 –> 00:22:17,520
they’ll do is if they don’t feel like they can get the data they want from you, because

295
00:22:17,520 –> 00:22:21,760
you won’t give it to them, they’ll just go out and buy some company that does have

296
00:22:21,760 –> 00:22:23,280
that data.

297
00:22:23,280 –> 00:22:31,320
So in addition to Fecesbook buying WhatsApp, Google bought Fitbit so they could collect

298
00:22:31,320 –> 00:22:36,600
some of your health information, Amazon bought Roomba so they could collect information about

299
00:22:36,600 –> 00:22:38,680
what’s going on in your home.

300
00:22:38,680 –> 00:22:42,520
So just keep this in mind when you’re handing data over to someone because you need to be

301
00:22:42,520 –> 00:22:48,040
thinking about who might buy and get access to that information in the future.

302
00:22:48,040 –> 00:22:54,680
So for example, we use Signal and we use Proton Mail. If either one of them, which I think

303
00:22:54,680 –> 00:22:59,080
is extremely unlikely, but if either one of them was to come out with an announcement

304
00:22:59,080 –> 00:23:03,560
one day and say, oh, by the way, you know, we’re being bought by Google or something

305
00:23:03,560 –> 00:23:09,720
like that, you know, we would run away as fast as possible and go find another solution.

306
00:23:09,720 –> 00:23:16,920
Both Apple and Google have lied on multiple occasions about basically what some of the

307
00:23:16,920 –> 00:23:19,360
settings do in your phone.

308
00:23:19,360 –> 00:23:25,040
So if you say, you know, turn off analytics or disable location tracking or something

309
00:23:25,040 –> 00:23:28,360
like that, they were still tracking that information.

310
00:23:28,360 –> 00:23:33,400
I believe Apple is actually involved in a class action lawsuit for that, you know, at

311
00:23:33,400 –> 00:23:35,600
the time of this recording.

312
00:23:35,600 –> 00:23:40,360
But again, you know, these are the kinds of things that you get when you use closed-source

313
00:23:40,360 –> 00:23:41,360
software.

314
00:23:41,360 –> 00:23:46,800
They use the closed-source nature to hide these kinds of behaviors.

315
00:23:46,800 –> 00:23:52,280
If you’re going to use this kind of software, you also have to be aware that some of these

316
00:23:52,280 –> 00:23:58,920
companies just go way, way overboard trying to protect their intellectual property.

317
00:23:58,920 –> 00:24:06,120
If you want a perfect example of that, go to Wikipedia and search for Sony BMG copy protection

318
00:24:06,120 –> 00:24:08,080
rootkit scandal.

319
00:24:08,080 –> 00:24:13,480
I’ll go ahead and read some of this because it’s so bad that it’s almost funny.

320
00:24:13,480 –> 00:24:20,720
So this is from Wikipedia: a scandal erupted in 2005 regarding Sony BMG’s implementation

321
00:24:20,720 –> 00:24:26,160
of copy protection measures on about 22 million CDs.

322
00:24:26,160 –> 00:24:33,400
When inserted into a computer, the CDs installed one of two pieces of software that provided

323
00:24:33,400 –> 00:24:40,960
a form of digital rights management by modifying the operating system to interfere with CD

324
00:24:40,960 –> 00:24:41,960
copying.

325
00:24:41,960 –> 00:24:47,960
Neither program could be easily uninstalled and they created vulnerabilities that were

326
00:24:47,960 –> 00:24:50,800
exploited by unrelated malware.

327
00:24:50,800 –> 00:24:56,720
One of these programs would install and phone home with reports on the user’s private listening

328
00:24:56,720 –> 00:25:03,840
habits, even if users refused its end user license agreement, while the other was not

329
00:25:03,840 –> 00:25:06,720
mentioned in the EULA at all.

330
00:25:06,720 –> 00:25:12,840
Both programs contained code from several pieces of copylefted free software in an apparent

331
00:25:12,840 –> 00:25:19,480
infringement of copyright and configured the operating system to hide the software’s existence

332
00:25:19,480 –> 00:25:24,080
leading to both programs being classified as rootkits.

333
00:25:24,080 –> 00:25:29,560
Sony BMG initially denied that the rootkits were harmful, but then released an uninstaller

334
00:25:29,560 –> 00:25:36,280
for one of the programs that merely made the program’s files visible, while also installing

335
00:25:36,280 –> 00:25:41,440
additional software that could not be easily removed, collected an email address from the

336
00:25:41,440 –> 00:25:46,760
user and introduced further security vulnerabilities.

337
00:25:46,760 –> 00:25:53,760
Following public outcry, government investigations and class action lawsuits in 2005 and 2006,

338
00:25:53,760 –> 00:26:00,440
Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10%

339
00:26:00,440 –> 00:26:07,440
of the affected CDs, and the suspension of the CD copy protection efforts in early 2007.

340
00:26:07,440 –> 00:26:12,560
So just imagine for a second that you buy a CD with your money.

341
00:26:12,560 –> 00:26:18,640
You own it, you pop it into your computer, and it installs rootkits onto your operating

342
00:26:18,640 –> 00:26:25,480
system to interfere with your computer’s ability to write to a disk.

343
00:26:25,480 –> 00:26:32,280
Not only that, it was introducing security vulnerabilities and spying on you, and the

344
00:26:32,280 –> 00:26:37,200
most ironic part about this, they did this to try to protect their intellectual property

345
00:26:37,200 –> 00:26:41,400
at the same time they were infringing on other people’s copyrights.

346
00:26:41,400 –> 00:26:46,480
Now, I know this sounds like a little bit of a wild tangent, but the point of this is

347
00:26:46,480 –> 00:26:51,640
you have to understand the mentality of the people behind some of these companies like

348
00:26:51,640 –> 00:26:55,760
Sony and Google and Fecesbook and stuff like that.

349
00:26:55,760 –> 00:27:03,160
I mean, just listen to what the senior vice president Steve Heckler said on the issue.

350
00:27:03,160 –> 00:27:09,880
He said, the industry will take whatever steps it needs to protect itself and protect its

351
00:27:09,880 –> 00:27:11,720
revenue streams.

352
00:27:11,720 –> 00:27:17,640
It will not lose that revenue stream no matter what. Sony is going to take aggressive steps

353
00:27:17,640 –> 00:27:18,960
to stop this.

354
00:27:18,960 –> 00:27:23,800
We will develop technology that transcends the individual user.

355
00:27:23,800 –> 00:27:26,640
We will firewall Napster at source.

356
00:27:26,640 –> 00:27:29,320
We will block it at your cable company.

357
00:27:29,320 –> 00:27:31,360
We will block it at your phone company.

358
00:27:31,360 –> 00:27:33,840
We will block it at your ISP.

359
00:27:33,840 –> 00:27:37,080
We will firewall it at your PC.

360
00:27:37,080 –> 00:27:43,160
These strategies are being aggressively pursued because there’s simply too much at stake.

361
00:27:43,160 –> 00:27:44,960
And it didn’t stop here either.

362
00:27:44,960 –> 00:27:52,440
Sony, I don’t know if the litigation is still ongoing, but Sony sued Quad9, which is a

363
00:27:52,440 –> 00:28:00,120
DNS resolver, to try to force Quad9 to remove certain domains from its registry.

364
00:28:00,120 –> 00:28:05,560
And you know, it’s stuff like this, why we won’t buy anything from Sony.

365
00:28:05,560 –> 00:28:11,000
Along these lines, a lot of closed-source software comes with really strict terms and licensing

366
00:28:11,000 –> 00:28:12,000
agreements.

367
00:28:12,000 –> 00:28:16,280
You know, this is something that I encountered in the workplace once.

368
00:28:16,280 –> 00:28:20,200
We wanted Windows Server on a workstation.

369
00:28:20,200 –> 00:28:25,440
I can’t remember exactly why, something about building some of our software or something

370
00:28:25,440 –> 00:28:26,680
like that.

371
00:28:26,680 –> 00:28:31,760
But if you know anything about Windows Server, it’s not as simple as just giving Microsoft

372
00:28:31,760 –> 00:28:36,960
a credit card number and buying a license like it is with some other operating systems.

373
00:28:36,960 –> 00:28:43,520
Basically, they have these things called Client Access Licenses, and you have to license

374
00:28:43,520 –> 00:28:47,160
Windows Server according to how you use it.

375
00:28:47,160 –> 00:28:52,440
So our IT team was talking to me and he asked me questions like, well, how many CPUs

376
00:28:52,440 –> 00:28:54,240
does the system have?

377
00:28:54,240 –> 00:28:55,760
How many people are going to use it?

378
00:28:55,760 –> 00:29:01,240
How many people are going to remote into the system to access it?

379
00:29:01,240 –> 00:29:03,000
And I can’t even answer some of these questions.

380
00:29:03,000 –> 00:29:04,800
I’m like, well, first of all, I have no idea.

381
00:29:04,800 –> 00:29:09,640
I mean, if somebody remoted into the system, I might not even know who that is or why they’re

382
00:29:09,640 –> 00:29:11,400
remoting into it.

383
00:29:11,400 –> 00:29:13,440
And like, what is a user?

384
00:29:13,440 –> 00:29:18,040
Like what if, you know, our Jenkins system gets on there and compiles some code?

385
00:29:18,040 –> 00:29:19,680
Is that a user?

386
00:29:19,680 –> 00:29:23,360
You know, these are the kinds of headaches that you run into.

387
00:29:23,360 –> 00:29:27,480
Alternatively, you can use things like Linux and never have to worry about things like

388
00:29:27,480 –> 00:29:28,480
this.

389
00:29:28,480 –> 00:29:34,320
And you don’t really realize how big of a deal that is until you start using free software

390
00:29:34,320 –> 00:29:38,480
that you realize like how much easier it makes your life, especially if you’re trying to

391
00:29:38,480 –> 00:29:41,280
stay in compliance with the law.

392
00:29:41,280 –> 00:29:46,080
There have been a lot of issues and questions about that in the software development and

393
00:29:46,080 –> 00:29:50,200
IT space in general, particularly around virtual machines.

394
00:29:50,200 –> 00:29:55,840
Like what if I want to make a virtual machine and put Windows on it just to test an application

395
00:29:55,840 –> 00:29:56,840
real quick?

396
00:29:56,840 –> 00:29:57,840
Do I have to get a license?

397
00:29:57,840 –> 00:30:01,440
Like, you know, who wants to deal with that?

398
00:30:01,440 –> 00:30:06,440
And I bet a lot of people out there are thinking to themselves, well, you know, this is why

399
00:30:06,440 –> 00:30:10,440
I just torrent and use cracked software and things like that.

400
00:30:10,440 –> 00:30:16,800
But you know, that’s a terrible idea because, you know, not only is that illegal, but it’s

401
00:30:16,800 –> 00:30:22,240
relatively easy for somebody, you know, whoever’s providing you that cracked software to put

402
00:30:22,240 –> 00:30:23,840
malware in it.

403
00:30:23,840 –> 00:30:30,120
And you know, we do see examples of, you know, like Photoshop and games and stuff that are

404
00:30:30,120 –> 00:30:33,440
cracked containing malware.

405
00:30:33,440 –> 00:30:37,800
So now I’m going to drop some truth bombs on you to help drive this point home that in

406
00:30:37,800 –> 00:30:42,680
general, closed-source software has a lot of issues that you need to be aware of.

407
00:30:42,680 –> 00:30:47,840
And part of this is not just where we stand today, but where does it look like this is

408
00:30:47,840 –> 00:30:49,640
going in the future?

409
00:30:49,640 –> 00:30:54,920
So if you follow what Apple and some of these other companies are doing, they’re increasingly

410
00:30:54,920 –> 00:31:02,120
treating your devices and your data on your devices as not really being yours.

411
00:31:02,120 –> 00:31:09,600
They have this growing attitude that it’s not just their right to monitor what you’re

412
00:31:09,600 –> 00:31:16,320
doing, understand what you’re doing and scan your content for material that they or the

413
00:31:16,320 –> 00:31:22,960
government doesn’t approve of, but that it’s almost their obligation to, you know, protect

414
00:31:22,960 –> 00:31:30,000
the children, for example. You know, Apple is supposed to be like the champion of privacy.

415
00:31:30,000 –> 00:31:34,520
They’ve got things like billboards that say what happens on your iPhone stays on your

416
00:31:34,520 –> 00:31:38,960
iPhone, which is, you know, one of the biggest lies I’ve ever heard in my life.

417
00:31:38,960 –> 00:31:44,600
And they come out telling the world, Hey, we’re going to start scanning your content

418
00:31:44,600 –> 00:31:46,960
on your device.

419
00:31:46,960 –> 00:31:51,560
And if it matches certain criteria, we’re going to send it back to base.

420
00:31:51,560 –> 00:31:53,680
Our employees are going to look at it.

421
00:31:53,680 –> 00:31:58,560
And if it meets other criteria, we’re going to send that to law enforcement.

422
00:31:58,560 –> 00:32:03,400
Naturally, a lot of people freaked out about that and for good reason.

423
00:32:03,400 –> 00:32:08,120
They’ve since backed off on that or at least told us that they’ve backed off on that, which

424
00:32:08,120 –> 00:32:11,360
again, almost everything they do is closed-source.

425
00:32:11,360 –> 00:32:13,880
We just have to take their word on that.

426
00:32:13,880 –> 00:32:17,880
But you know, this is the way that these things always start.

427
00:32:17,880 –> 00:32:20,000
They throw out the idea.

428
00:32:20,000 –> 00:32:25,880
People freak out about it, like WhatsApp sending data to Fecesbook, and these companies

429
00:32:25,880 –> 00:32:30,200
just sit back and they wait for the outcry to die down.

430
00:32:30,200 –> 00:32:34,080
And then they bring it up again and again and again until they get their way.

431
00:32:34,080 –> 00:32:40,440
So we’re not necessarily of the opinion that Apple or anybody else is doing client-side

432
00:32:40,440 –> 00:32:43,400
scanning, although it is possible.

433
00:32:43,400 –> 00:32:49,400
But at the same time, we also believe that this debate is going to come up again.

434
00:32:49,400 –> 00:32:55,280
And it wouldn’t surprise us at all if, you know, in not too many years, this not only

435
00:32:55,280 –> 00:33:01,920
gets implemented, but becomes a standard practice between Apple and Google and Microsoft and,

436
00:33:01,920 –> 00:33:04,160
you know, the usual suspects.

437
00:33:04,160 –> 00:33:07,560
We should also be concerned about closed-source encryption.

438
00:33:07,560 –> 00:33:14,040
You know, Microsoft has their BitLocker, for example. It’s closed-source.

439
00:33:14,040 –> 00:33:16,040
You know, why would that be?

440
00:33:16,040 –> 00:33:18,800
I mean, think about that for a second.

441
00:33:18,800 –> 00:33:26,120
Give me one reason why BitLocker should be closed-source or tell me one risk that Microsoft

442
00:33:26,120 –> 00:33:33,320
faces by making it open-source, which it should be. Any critical security application should

443
00:33:33,320 –> 00:33:34,720
be open-source.

444
00:33:34,720 –> 00:33:37,840
Otherwise, we don’t know if we can trust it.

445
00:33:37,840 –> 00:33:39,760
We don’t know if there’s a backdoor in it.

446
00:33:39,760 –> 00:33:42,320
We don’t know if they’ve made a serious mistake.

447
00:33:42,320 –> 00:33:47,880
You’re taking a huge risk by using encryption that you can’t verify.

448
00:33:47,880 –> 00:33:51,920
And that might sound a little tinfoil hat to some people, but look at this through the

449
00:33:51,920 –> 00:33:53,520
proper context.

450
00:33:53,520 –> 00:33:59,920
Microsoft has been working very closely with the NSA and other such organizations for many

451
00:33:59,920 –> 00:34:01,480
years now.

452
00:34:01,480 –> 00:34:06,320
And those organizations and the governments behind those organizations have been very

453
00:34:06,320 –> 00:34:09,720
clear that they don’t like encryption.

454
00:34:09,720 –> 00:34:11,560
They don’t want you to have encryption.

455
00:34:11,560 –> 00:34:17,440
In fact, certain, you know, encryption over a certain number of bits was actually considered

456
00:34:17,440 –> 00:34:24,280
a weapon subject to arms control laws for years in the United States.

457
00:34:24,280 –> 00:34:28,800
And you know, the United States government, the UK government, Australians have been

458
00:34:28,800 –> 00:34:32,920
very vocal about, you know, engaging in a war on encryption.

459
00:34:32,920 –> 00:34:34,760
They don’t want you to have encryption.

460
00:34:34,760 –> 00:34:39,920
They don’t want you using end-to-end encrypted messaging. You know, in the UK, they spent,

461
00:34:39,920 –> 00:34:45,800
you know, a pretty decent amount of money developing commercials in a marketing campaign

462
00:34:45,800 –> 00:34:53,280
to try to convince UK citizens that you shouldn’t use encryption because it helps child predators

463
00:34:53,280 –> 00:34:55,960
hide from the law.

464
00:34:55,960 –> 00:35:02,000
And back to client-side scanning for just a second, I think a lot of people are failing

465
00:35:02,000 –> 00:35:07,480
to appreciate what’s going on and how this applies to encryption.

466
00:35:07,480 –> 00:35:14,760
So basically what Apple and other companies are proposing is trying to convince you that

467
00:35:14,760 –> 00:35:21,840
you can still have your encryption, but at the same time, allow them and law enforcement

468
00:35:21,840 –> 00:35:27,160
to analyze what you’re doing by basically looking at your files or your communications

469
00:35:27,160 –> 00:35:30,560
or whatever before it’s encrypted.

470
00:35:30,560 –> 00:35:35,360
They believe that this is some way that they can kind of have their cake and eat it too,

471
00:35:35,360 –> 00:35:40,840
because it’s, you know, just one of the accepted truths in the security community that there

472
00:35:40,840 –> 00:35:46,760
is no such thing as a backdoor only for the good guys. But, you know, Apple and these

473
00:35:46,760 –> 00:35:51,160
other companies disagree and they think that this is the answer.

474
00:35:51,160 –> 00:35:55,880
They’ll say, look guys, there’s nothing to worry about, you still have your encryption,

475
00:35:55,880 –> 00:36:00,680
but that’s kind of moot if they’re going to sit there and analyze your content before

476
00:36:00,680 –> 00:36:01,680
it’s encrypted.

477
00:36:01,680 –> 00:36:07,160
At that point, I mean, you’re basically reduced to encryption during transit, which is better

478
00:36:07,160 –> 00:36:08,160
than nothing.

479
00:36:08,160 –> 00:36:09,160
But now we’re going backwards.

480
00:36:09,160 –> 00:36:15,600
You know, we’ve had transport layer encryption for a long time, and recently we’ve discovered

481
00:36:15,600 –> 00:36:21,640
the value in end-to-end encryption and Apple and other players are trying to break it.

482
00:36:21,640 –> 00:36:26,480
Another disturbing trend that we see that users should be aware of is that Microsoft

483
00:36:26,480 –> 00:36:30,640
and now Apple are really getting big into advertising.

484
00:36:30,640 –> 00:36:33,760
I think Microsoft doesn’t surprise anybody.

485
00:36:33,760 –> 00:36:36,600
You know, this kind of started with Windows 10.

486
00:36:36,600 –> 00:36:40,840
When that came out, you know, a lot of people were very concerned about the telemetry and

487
00:36:40,840 –> 00:36:46,880
Cortana and inking and typing and logging your keystrokes and all kinds of crazy things

488
00:36:46,880 –> 00:36:47,880
that it does.

489
00:36:47,880 –> 00:36:54,200
But now it looks like Apple is, you know, really pushing to get into the advertising space.

490
00:36:54,200 –> 00:36:56,200
To help illustrate that point,

491
00:36:56,200 –> 00:37:01,200
a little while ago, we saw a story where I can’t remember where he found it.

492
00:37:01,200 –> 00:37:05,320
I think it was in like the developer program or something like that, but somebody noticed

493
00:37:05,320 –> 00:37:13,040
that Microsoft was working on a feature that would embed ads into Windows Explorer.

494
00:37:13,040 –> 00:37:16,240
Now, you might not think that that’s a big deal.

495
00:37:16,240 –> 00:37:22,120
And I guess on paper, it might not be, but the ads are not really the point.

496
00:37:22,120 –> 00:37:26,080
The issue with Internet ads is not the ads themselves.

497
00:37:26,080 –> 00:37:28,160
It’s the data collection that’s behind them.

498
00:37:28,160 –> 00:37:34,560
And I think it’s pretty safe to say that if or when Windows and Apple start including

499
00:37:34,560 –> 00:37:39,440
adware in their operating systems, that’s going to coincide with collecting more of

500
00:37:39,440 –> 00:37:41,360
your data.

501
00:37:41,360 –> 00:37:48,280
And this is consistent with what I was talking about earlier with Safing Portmaster showing

502
00:37:48,280 –> 00:37:54,560
that Windows Explorer was contacting Bing.com, which is, you know, Microsoft’s search engine

503
00:37:54,560 –> 00:37:58,000
and a big part of their ad network.

504
00:37:58,000 –> 00:38:02,160
But another thing that’s important about that is what these companies are doing is they’re

505
00:38:02,160 –> 00:38:09,760
starting to blur the lines between their devices and infrastructure, their services, and your

506
00:38:09,760 –> 00:38:11,720
local devices.

507
00:38:11,720 –> 00:38:16,580
Because once you blur that line, it makes it very easy for them to justify collecting

508
00:38:16,580 –> 00:38:17,960
your data.

509
00:38:17,960 –> 00:38:23,040
Because as soon as, you know, your computer starts sharing data with Bing.com, well, now

510
00:38:23,040 –> 00:38:26,880
you’re subject to Bing’s terms and conditions, and you don’t even know that this is going

511
00:38:26,880 –> 00:38:28,640
on in the background.

512
00:38:28,640 –> 00:38:34,760
You know, have you ever wondered why Apple tries so hard to push your data into iCloud?

513
00:38:34,760 –> 00:38:40,440
It’s because when your data goes to iCloud, now it’s under their jurisdiction.

514
00:38:40,440 –> 00:38:44,560
Now they can justify doing whatever they want to it.

515
00:38:44,560 –> 00:38:50,780
So the takeaway there is that you need to realize that Windows and macOS and probably

516
00:38:50,780 –> 00:38:57,120
other operating systems are turning into, you know, if you could imagine if Fecesbook

517
00:38:57,120 –> 00:39:00,800
made an operating system, that’s basically what they’re turning into.

518
00:39:00,800 –> 00:39:05,720
So if that concerns you, and it probably should, you might want to start thinking now about

519
00:39:05,720 –> 00:39:07,520
an exit strategy.

520
00:39:07,520 –> 00:39:13,000
Because the last thing you want is some sort of, you know, Snowden-level revelation that

521
00:39:13,000 –> 00:39:17,640
these companies have been doing, you know, extremely abusive or malicious things with

522
00:39:17,640 –> 00:39:22,760
your devices and your data for years. You know, at that point, it’s kind of too late.

523
00:39:22,760 –> 00:39:28,920
I mean, think about how much information and data these companies hold on the average person.

524
00:39:28,920 –> 00:39:34,840
Just as a kind of a comical example, the other day I was kind of bored and I was just searching

525
00:39:34,840 –> 00:39:39,840
about an old service that everyone used decades ago called Photobucket.

526
00:39:39,840 –> 00:39:41,320
You might have used it.

527
00:39:41,320 –> 00:39:46,400
So basically they host photos and it used to be free.

528
00:39:46,400 –> 00:39:51,320
So a lot of people were using Photobucket for many, many years.

529
00:39:51,320 –> 00:39:54,880
It was the place where they just backed up their photos.

530
00:39:54,880 –> 00:39:59,800
And one day people started logging on to Photobucket and they would see this pop-up come

531
00:39:59,800 –> 00:40:03,080
up that says, Hey, this is not free anymore.

532
00:40:03,080 –> 00:40:06,200
We’re not going to let you into your account until you pay us.

533
00:40:06,200 –> 00:40:10,960
I think it was $400 or 400 pounds or whatever it was.

534
00:40:10,960 –> 00:40:13,580
So now they’re holding your data hostage.

535
00:40:13,580 –> 00:40:15,680
You don’t want to run into a situation like that.

536
00:40:15,680 –> 00:40:20,920
You don’t want, you know, Windows or Apple or whoever to change their terms on you like

537
00:40:20,920 –> 00:40:26,920
that someday and put you in a real serious box where you can’t get out.

538
00:40:26,920 –> 00:40:32,720
That might sound a little farfetched, but another thing for you to consider: Microsoft

539
00:40:32,720 –> 00:40:40,680
is also toying with the idea of making Windows a cloud-based operating system.

540
00:40:40,680 –> 00:40:45,040
And I don’t think they would ever admit to this, but I think what they would like to

541
00:40:45,040 –> 00:40:49,520
see in the future is that there is no Windows on your machine.

542
00:40:49,520 –> 00:40:52,480
You have to log into Windows on their machines.

543
00:40:52,480 –> 00:40:54,760
I mean, think about that for a minute.

544
00:40:54,760 –> 00:41:00,800
For one, it would be very easy for them to force you to pay like a subscription model

545
00:41:00,800 –> 00:41:06,040
and they would justify that by saying, Well, look, you’re using our servers and stuff.

546
00:41:06,040 –> 00:41:07,040
That stuff’s not free.

547
00:41:07,040 –> 00:41:08,040
You got to pay for it.

548
00:41:08,040 –> 00:41:11,200
And for two, they could shut you down at any minute.

549
00:41:11,200 –> 00:41:16,320
Like, sorry, you can’t log into your own computer because now it’s on our computer.

550
00:41:16,320 –> 00:41:21,560
And three, then that would obviously give them access to read and write any file in

551
00:41:21,560 –> 00:41:23,060
your system.

552
00:41:23,060 –> 00:41:28,160
So again, just take a look at what these companies are doing and what they’re saying and try

553
00:41:28,160 –> 00:41:32,240
to extrapolate that out into the future and think to yourself, is that a future that I

554
00:41:32,240 –> 00:41:33,240
want to see?

555
00:41:33,240 –> 00:41:39,240
Or does it make sense for me to look into other options like free and open-source software?

556
00:41:39,240 –> 00:41:42,840
So let me share some stories with you, which will help make sense of some of these things

557
00:41:42,840 –> 00:41:44,960
that we’re talking about here.

558
00:41:44,960 –> 00:41:50,040
Recently, I saw this story where some guy bought a device on Amazon.

559
00:41:50,040 –> 00:41:54,880
I think it was some kind of media streaming device or something like that.

560
00:41:54,880 –> 00:42:03,360
Well, soon after that, he noticed on his Pi-hole system, which is a DNS sinkhole.

561
00:42:03,360 –> 00:42:09,360
Basically, you connect your devices to the Pi-hole on your network and it filters all

562
00:42:09,360 –> 00:42:10,360
of your DNS queries.

563
00:42:10,360 –> 00:42:14,240
And if it sees anything that looks suspicious or meets certain rules, it’ll just drop it

564
00:42:14,240 –> 00:42:16,760
and not let it go through to the internet.

565
00:42:16,760 –> 00:42:19,720
And we’ll talk about that in a separate episode.

566
00:42:19,720 –> 00:42:26,360
But what he noticed was that device came from Amazon pre-infected with malware and it was

567
00:42:26,360 –> 00:42:31,120
trying to connect to known malware domains and his Pi-hole caught it.

568
00:42:31,120 –> 00:42:34,240
So luckily he had that or he wouldn’t have noticed that.

569
00:42:34,240 –> 00:42:38,920
But again, that’s what happens when you’re using closed-source stuff.

570
00:42:38,920 –> 00:42:44,360
And from my personal experience, I’ll share a couple of reasons why I stopped using certain

571
00:42:44,360 –> 00:42:46,240
Google products.

572
00:42:46,240 –> 00:42:52,280
So I used to use Google Drive because many years ago, that was the thing to do.

573
00:42:52,280 –> 00:42:58,380
Over time, I slowly started picking up the pieces as to what Google and other companies

574
00:42:58,380 –> 00:43:00,840
were up to and just how creepy they are.

575
00:43:00,840 –> 00:43:09,480
So I stopped using Google products for anything remotely personal and basically

576
00:43:09,480 –> 00:43:14,520
I was just using it for taking notes on things like investments and things like that, and

577
00:43:14,520 –> 00:43:18,880
we’re also working on a financial podcast, by the way.

578
00:43:18,880 –> 00:43:21,840
So you should look for our Bigger Insights Finance podcast.

579
00:43:21,840 –> 00:43:26,800
But anyway, I was writing notes on uranium investing because I’m interested in that.

580
00:43:26,800 –> 00:43:29,600
I think it’s got good long-term potential.

581
00:43:29,600 –> 00:43:35,040
But I was writing in my Google Drive notes about uranium.

582
00:43:35,040 –> 00:43:39,000
And one of the things to keep in mind when you’re using Google products is they’re analyzing

583
00:43:39,000 –> 00:43:43,320
everything you type, everything you click on, using automation, of course. There aren’t,

584
00:43:43,320 –> 00:43:47,400
like, employees sitting there watching what you’re typing; it’s all automated.

585
00:43:47,400 –> 00:43:52,840
And I started to feel kind of weird about it like, Hey, am I going to be investigated

586
00:43:52,840 –> 00:43:55,520
or put on a list somewhere because I’m writing about uranium?

587
00:43:55,520 –> 00:44:00,080
I mean, obviously, you know, there’s different reasons someone might be writing about uranium

588
00:44:00,080 –> 00:44:02,840
and obviously some of those are not good.

589
00:44:02,840 –> 00:44:07,080
And you know, those are just the games you play when you use these kinds of services.

590
00:44:07,080 –> 00:44:13,480
So after that, I started using Microsoft Office a little bit more, you know, at least it’s

591
00:44:13,480 –> 00:44:19,520
local, but it presents, you know, some of the same kinds of risks.

592
00:44:19,520 –> 00:44:22,720
It’s closed-source, it’s connected to the internet.

593
00:44:22,720 –> 00:44:28,360
These products do contact Microsoft; who knows what kind of information they’re sharing,

594
00:44:28,360 –> 00:44:30,880
and who knows what they’re programmed to look for.

595
00:44:30,880 –> 00:44:35,800
I would bet a lot of money that if you type certain things into certain Microsoft Office

596
00:44:35,800 –> 00:44:41,320
products, that will get sent to Microsoft and potentially law enforcement.

597
00:44:41,320 –> 00:44:45,880
So you really need to think about what you’re doing, what you’re typing, what you’re saying,

598
00:44:45,880 –> 00:44:51,640
and how might that be misinterpreted or misconstrued, especially by automation.

599
00:44:51,640 –> 00:44:57,920
I mean, one of the most difficult things to do is to teach AI, for example, how to

600
00:44:57,920 –> 00:44:59,000
understand context.

601
00:44:59,000 –> 00:45:06,800
You know, it’s very easy to say, if anybody types anything containing the word uranium,

602
00:45:06,800 –> 00:45:09,400
let’s send it back to base and analyze it.

603
00:45:09,400 –> 00:45:15,360
But it’s very difficult to teach automation to understand the context of what people are

604
00:45:15,360 –> 00:45:21,480
saying, and, you know, say, ignore something like somebody’s writing about it, you know,

605
00:45:21,480 –> 00:45:23,520
researching investments.

606
00:45:23,520 –> 00:45:29,440
And another thing that we, you know, talk about in our Finance podcast is about taxes.

607
00:45:29,440 –> 00:45:34,560
And I remember one day, you know, years ago, many years ago when I used to use Google search,

608
00:45:34,560 –> 00:45:41,320
which is also problematic, I was searching for information on how people file fraudulent

609
00:45:41,320 –> 00:45:43,120
tax returns.

610
00:45:43,120 –> 00:45:48,080
Because when I was very young and I filed one of my first returns, I had a typo.

611
00:45:48,080 –> 00:45:54,440
So I typed a number that was like something, something, something 34, and it was supposed to be 43.

612
00:45:54,440 –> 00:45:57,200
And the IRS immediately rejected it.

613
00:45:57,200 –> 00:46:01,640
So I’ve been wondering for years, like, well, how is it possible that some random person

614
00:46:01,640 –> 00:46:04,560
can file fraudulent returns?

615
00:46:04,560 –> 00:46:08,720
If the IRS already knows all this information, how do they do it?

616
00:46:08,720 –> 00:46:11,200
So I was searching for it on Google.

617
00:46:11,200 –> 00:46:15,920
And then I was thinking to myself, you know, because I know that Google goes to great lengths

618
00:46:15,920 –> 00:46:22,400
to try to understand who everybody is who’s using their systems and match their queries

619
00:46:22,400 –> 00:46:24,120
to their identity.

620
00:46:24,120 –> 00:46:29,120
So if you’re using Google, you know, you run the risk of them retaining a permanent copy

621
00:46:29,120 –> 00:46:30,960
of everything that you’ve ever searched in it.

622
00:46:30,960 –> 00:46:37,680
And I was thinking, you know, this could very easily be misinterpreted as me expressing

623
00:46:37,680 –> 00:46:42,000
interest in filing fraudulent returns.

624
00:46:42,000 –> 00:46:48,240
And that might sound kind of farfetched to some of you, but just keep in mind that people

625
00:46:48,240 –> 00:46:55,400
are arrested over Google searches. Law enforcement do what they call keyword search warrants where

626
00:46:55,400 –> 00:47:00,120
they’ll basically ask Google and certain other companies for a list of everybody who has

627
00:47:00,120 –> 00:47:07,440
searched for certain things like uranium, for example, and Google search queries do end

628
00:47:07,440 –> 00:47:12,120
up in criminal and civil court cases.

629
00:47:12,120 –> 00:47:18,080
So a lot of you are probably too young to remember, but when Casey Anthony was being

630
00:47:18,080 –> 00:47:23,760
tried for murder, one of the pieces of evidence that they used against her were her Google

631
00:47:23,760 –> 00:47:26,000
search queries.

632
00:47:26,000 –> 00:47:32,160
And they said that she searched for things like neck breaking and how to make chloroform

633
00:47:32,160 –> 00:47:37,720
and so on, and you know, I don’t think anybody is shedding any tears for her.

634
00:47:37,720 –> 00:47:40,480
But the point is, this stuff is being monitored.

635
00:47:40,480 –> 00:47:44,480
So you need to keep that in mind when you’re using services like Google.

636
00:47:44,480 –> 00:47:48,880
So over time, I just started, you know, thinking more about these things and how these systems

637
00:47:48,880 –> 00:47:54,600
work and how easy it is to misunderstand what people are doing, why they’re doing it, what

638
00:47:54,600 –> 00:47:58,960
they’re saying, why they’re saying it, that eventually I came to the conclusion that it

639
00:47:58,960 –> 00:48:04,920
would just be best to just not use these things and use products and services that don’t record

640
00:48:04,920 –> 00:48:08,160
and analyze everything that you’re doing.

641
00:48:08,160 –> 00:48:12,880
So to help wrap up the issues with closed-source software, there’s a couple of things

642
00:48:12,880 –> 00:48:14,120
that we want to say.

643
00:48:14,120 –> 00:48:19,840
And one of those is the phrase, you might have heard it a lot is play stupid games, win

644
00:48:19,840 –> 00:48:20,840
stupid prizes.

645
00:48:20,840 –> 00:48:26,720
You know, one of the things that surprises me is when people use these kinds of products

646
00:48:26,720 –> 00:48:31,880
and services, and then they find out that these companies have been recording what they’re

647
00:48:31,880 –> 00:48:37,880
doing or reading through their emails or something like that, and they get all upset about it.

648
00:48:37,880 –> 00:48:44,240
And you know, the takeaway here is that if you’re going to use closed-source software,

649
00:48:44,240 –> 00:48:49,880
especially if it’s from companies like Microsoft and Apple and Fecesbook and Google and whatnot,

650
00:48:49,880 –> 00:48:52,840
these are the prizes that you win.

651
00:48:52,840 –> 00:48:58,200
Don’t be surprised when you find out that they’ve been abusing you. But more importantly,

652
00:48:58,200 –> 00:49:01,880
we want to emphasize that it doesn’t have to be this way.

653
00:49:01,880 –> 00:49:07,480
And one of the things that we observe is that a lot of people seem to have just given up.

654
00:49:07,480 –> 00:49:11,320
Some of these things we’re talking about is not exactly a secret anymore.

655
00:49:11,320 –> 00:49:17,400
And we’re concerned that a lot of people continue to use software and services that we would

656
00:49:17,400 –> 00:49:22,720
consider to be spyware, because they’ve just accepted that this is just the way that

657
00:49:22,720 –> 00:49:23,720
it is.

658
00:49:23,720 –> 00:49:29,000
If you want to use a computer or a phone or take notes or use email, you just have to

659
00:49:29,000 –> 00:49:30,600
accept the spying.

660
00:49:30,600 –> 00:49:33,280
And that’s just not the case.

661
00:49:33,280 –> 00:49:38,280
You know, for entertainment, I used to watch a lot of these videos on YouTube.

662
00:49:38,280 –> 00:49:45,280
There are entire channels dedicated to basically people exposing and talking to these internet

663
00:49:45,280 –> 00:49:46,280
scammers.

664
00:49:46,280 –> 00:49:51,720
Like there’s a lot of tech support scammers and IRS scammers and things like that.

665
00:49:51,720 –> 00:49:58,320
And in one of them, this guy actually got ahold of one of the victims on the phone.

666
00:49:58,320 –> 00:50:02,920
And he said, hey, those guys that you were just talking to about your computer or whatever,

667
00:50:02,920 –> 00:50:06,720
you know, they were telling her to go to Walmart or something and buy a bunch of iTunes gift

668
00:50:06,720 –> 00:50:08,600
cards or something stupid like that.

669
00:50:08,600 –> 00:50:11,600
And you know, unfortunately, a lot of people fall for those things.

670
00:50:11,600 –> 00:50:17,320
But this YouTuber called the victim and said, hey, those guys that you were talking to on

671
00:50:17,320 –> 00:50:21,040
the phone, those guys were scammers, you know, Microsoft is not going to call you and tell

672
00:50:21,040 –> 00:50:24,280
you that you’ve got a problem with your computer or whatever.

673
00:50:24,280 –> 00:50:27,960
And her response to that was, well, everybody’s trying to scam you.

674
00:50:27,960 –> 00:50:33,480
And it was such a sad thing to say because basically what she’s saying is, I don’t care

675
00:50:33,480 –> 00:50:39,320
to learn what’s going on and try to protect myself because this is just the way that the

676
00:50:39,320 –> 00:50:40,960
world works.

677
00:50:40,960 –> 00:50:45,720
So if you’re in that camp and it seems like a lot of people are, we’re going to try to

678
00:50:45,720 –> 00:50:49,440
convince you that that’s not just the way that things have to be.

679
00:50:49,440 –> 00:50:53,920
We’re going to talk about alternatives that you can use to get away from a lot of these

680
00:50:53,920 –> 00:50:55,840
kinds of problems.

681
00:50:55,840 –> 00:51:01,360
So let’s switch gears and talk about why FOSS or free and open-source software is so great

682
00:51:01,360 –> 00:51:05,600
as compared to most other closed-source software out there.

683
00:51:05,600 –> 00:51:12,200
So we’ve alluded to this earlier in the episode, but with FOSS software, there is a high potential

684
00:51:12,200 –> 00:51:18,680
that that code is being reviewed by others for all kinds of issues, privacy issues, security

685
00:51:18,680 –> 00:51:20,000
issues.

686
00:51:20,000 –> 00:51:25,200
In addition to that, the community can come together and actually contribute to the software

687
00:51:25,200 –> 00:51:26,880
and make it better.

688
00:51:26,880 –> 00:51:33,160
I think it surprises people sometimes how great and advanced some of this free software actually

689
00:51:33,160 –> 00:51:34,160
is.

690
00:51:34,160 –> 00:51:38,040
And that’s one of the reasons is because the whole world can contribute to it.

691
00:51:38,040 –> 00:51:43,200
And if you’re using it and you find a small bug or you know how to code and you want to

692
00:51:43,200 –> 00:51:47,680
add a nice feature to it because it will help you and your workflow or something, you can

693
00:51:47,680 –> 00:51:48,680
do that.

694
00:51:48,680 –> 00:51:52,880
I mean, you know, good luck trying that with Microsoft Windows or something, you can’t

695
00:51:52,880 –> 00:51:54,520
do that.

696
00:51:54,520 –> 00:51:58,680
Another advantage that I don’t think it’s talked about often enough is how liberating

697
00:51:58,680 –> 00:52:02,600
it can feel to use free and open-source software.

698
00:52:02,600 –> 00:52:08,800
I thought about it before recording this episode, but I don’t think I use a single piece of

699
00:52:08,800 –> 00:52:10,320
closed-source software anymore.

700
00:52:10,320 –> 00:52:16,280
Now, maybe there’s some like proprietary blob somewhere that I’m not aware of, but and I

701
00:52:16,280 –> 00:52:19,880
do have some Windows systems mostly for testing.

702
00:52:19,880 –> 00:52:26,440
But we use Linux, Audacity, LibreOffice, Kdenlive, you know, on and on.

703
00:52:26,440 –> 00:52:31,360
These are all free softwares that are quite amazing as far as we’re concerned.

704
00:52:31,360 –> 00:52:35,360
And it’s a very liberating feeling knowing that, you know, we don’t have to pay for them.

705
00:52:35,360 –> 00:52:38,280
We can donate to these projects if we want to.

706
00:52:38,280 –> 00:52:42,400
We don’t have to license them, which can be a huge pain.

707
00:52:42,400 –> 00:52:47,840
I remember at one of the places that I worked at, we had to have this special license server

708
00:52:47,840 –> 00:52:51,720
that held license keys for all the different software that we used.

709
00:52:51,720 –> 00:52:57,520
You know, we might have only had like 10 keys for SolidWorks or something like that.

710
00:52:57,520 –> 00:53:00,960
And you know, you would try to open up SolidWorks and then it’s like, no, sorry, there’s

711
00:53:00,960 –> 00:53:05,240
no more keys and you got to go around and figure out who’s got the other 10 keys and

712
00:53:05,240 –> 00:53:07,400
try to beg them to get off of it.

713
00:53:07,400 –> 00:53:12,360
Or sometimes our license server would go down because Windows is installing updates or something

714
00:53:12,360 –> 00:53:13,360
stupid like that.

715
00:53:13,360 –> 00:53:18,200
It’s just a huge pain that you don’t have to deal with when you’re using FOSS.

716
00:53:18,200 –> 00:53:24,320
And obviously with much of this software being free as in free beer, these can be easier

717
00:53:24,320 –> 00:53:25,720
on your budget as well.

718
00:53:25,720 –> 00:53:30,440
I mean, this is also something that we ran into at one of the places I worked was, you

719
00:53:30,440 –> 00:53:34,600
know, they’re looking at their software bill going, oh my God, this is enormous.

720
00:53:34,600 –> 00:53:40,480
Can we switch, you know, these screenshot programs and other little things with free

721
00:53:40,480 –> 00:53:42,880
and open-source software and the answer was yes.

722
00:53:42,880 –> 00:53:46,040
And that’s what they did and saved a bunch of money.

723
00:53:46,040 –> 00:53:52,240
Free software is usually less bloated and easier on your PC’s resources.

724
00:53:52,240 –> 00:53:55,760
So I obviously don’t use Adobe to open up PDFs.

725
00:53:55,760 –> 00:54:00,360
But back when I did, like at my old office, it would do this thing where every time I

726
00:54:00,360 –> 00:54:06,200
tried to open a PDF, it would hang and it would just spin and load for sometimes minutes

727
00:54:06,200 –> 00:54:08,320
just to open one PDF.

728
00:54:08,320 –> 00:54:12,280
You know, on my Linux systems, I use something called Document Viewer.

729
00:54:12,280 –> 00:54:14,680
It just opens them up right away.

730
00:54:14,680 –> 00:54:17,960
This is a very common benefit with FOSS software.

731
00:54:17,960 –> 00:54:19,520
Same thing with virtual machines.

732
00:54:19,520 –> 00:54:24,880
I mean, I could run literally hundreds of virtual machines on my laptop.

733
00:54:24,880 –> 00:54:29,920
I’ve got 64GB in it, but a lot of these Linux distributions only use a few hundred

734
00:54:29,920 –> 00:54:31,400
megabytes of RAM.

735
00:54:31,400 –> 00:54:36,960
I mean, try opening, you know, a few hundred Windows 10 virtual machines or something.

736
00:54:36,960 –> 00:54:39,280
It’s just, it’s just not going to happen.

737
00:54:39,280 –> 00:54:43,920
And just to make this a little bit more concrete, you might not have realized this, but you

738
00:54:43,920 –> 00:54:46,840
might recognize some of these names that I’m about to list off.

739
00:54:46,840 –> 00:54:53,000
But if you really think about it, many of the most trusted, most useful softwares out

740
00:54:53,000 –> 00:54:54,000
there are FOSS.

741
00:54:54,000 –> 00:54:55,480
I mean, just think about it.

742
00:54:55,480 –> 00:55:05,480
We got Linux, BSD, rsync, Signal, LibreOffice, VeraCrypt, KeePass, 7-zip, a lot of VPN clients

743
00:55:05,480 –> 00:55:16,880
are open-source, Firefox, Brave, Blender, Audacity, Kdenlive, git, VLC, OBS Studio, Pi-hole, on

744
00:55:16,880 –> 00:55:17,880
and on.

745
00:55:17,880 –> 00:55:22,600
I mean, not only are these applications free and open-source software, but they’re amazing.

746
00:55:22,600 –> 00:55:29,080
I mean, a lot of them are better than their expensive proprietary spyware counterparts.

747
00:55:29,080 –> 00:55:35,080
And just to help demonstrate how they can be better, there have been multiple instances

748
00:55:35,080 –> 00:55:43,360
in my life where Windows has screwed up partitions on a flash drive and nothing you could do would

749
00:55:43,360 –> 00:55:44,560
get it to work.

750
00:55:44,560 –> 00:55:46,960
It wouldn’t even show up in Disk Manager.

751
00:55:46,960 –> 00:55:52,600
I even read through Microsoft documentation to run some tool in PowerShell on the command

752
00:55:52,600 –> 00:55:56,520
line where it asks you a bunch of options and you pick like number one and then you

753
00:55:56,520 –> 00:56:01,120
pick number three and it tries to like recover it or something and even that failed.

754
00:56:01,120 –> 00:56:02,120
So what do I do?

755
00:56:02,120 –> 00:56:08,200
I pull up a live Linux image, boot it up, open the disk in GParted, it immediately

756
00:56:08,200 –> 00:56:12,600
recognizes it, blows the whole thing away and re-partitions it.

757
00:56:12,600 –> 00:56:13,600
No problem.

758
00:56:13,600 –> 00:56:15,600
You know, that’s embarrassing.

759
00:56:15,600 –> 00:56:23,000
Like how can this free utility do a better job of partitioning Windows partitions than

760
00:56:23,000 –> 00:56:24,920
Windows can?

761
00:56:24,920 –> 00:56:27,480
Here’s another example, VLC.

762
00:56:27,480 –> 00:56:28,880
You’ve probably used VLC.

763
00:56:28,880 –> 00:56:32,280
It’s the media player with the little orange cone as the icon.

764
00:56:32,280 –> 00:56:37,720
That thing, not only is it FOSS, it can play just about anything.

765
00:56:37,720 –> 00:56:43,120
Not only can it play anything, you can also use it to look at file metadata.

766
00:56:43,120 –> 00:56:44,920
You can edit the file metadata.

767
00:56:44,920 –> 00:56:47,120
You can stream content from the internet.

768
00:56:47,120 –> 00:56:50,240
It can convert between different formats.

769
00:56:50,240 –> 00:56:57,640
And I remember seeing a meme many years ago where someone got a pop-up from Windows Media

770
00:56:57,640 –> 00:57:04,280
Player that said something like, hey, you don’t have the codec to watch this video.

771
00:57:04,280 –> 00:57:08,920
So you need to pay us like a certain number of dollars to buy this codec and the person’s

772
00:57:08,920 –> 00:57:12,640
response was, or I could just use VLC.

773
00:57:12,640 –> 00:57:15,120
And I mean, just think about that for a second.

774
00:57:15,120 –> 00:57:21,080
I mean, it’s counterintuitive to the average person how free and open-source software can

775
00:57:21,080 –> 00:57:28,440
not only be free, but better than proprietary software, and it’s not spying on you.

776
00:57:28,440 –> 00:57:29,560
I mean, just think about that.

777
00:57:29,560 –> 00:57:30,720
It’s crazy.

778
00:57:30,720 –> 00:57:32,880
Here’s another example that’s kind of funny.

779
00:57:32,880 –> 00:57:38,280
So I use a Focusrite Scarlett audio interface.

780
00:57:38,280 –> 00:57:42,920
And if you read the documentation from that, they basically say you need to be on Windows

781
00:57:42,920 –> 00:57:45,200
or Mac, which I’m not.

782
00:57:45,200 –> 00:57:50,640
And someone in the Linux community basically reverse-engineered the thing and wrote an

783
00:57:50,640 –> 00:57:56,920
application for it that is not only free and open-source, but it’s more powerful.

784
00:57:56,920 –> 00:58:02,800
The official Focusrite Control app or whatever they call it, at least in some sense, you

785
00:58:02,800 –> 00:58:10,000
know, it provides this graphical tool where I can basically map any logical input and

786
00:58:10,000 –> 00:58:13,040
output however I want, and it’s persistent.

787
00:58:13,040 –> 00:58:19,080
So I can set it up on one machine and unplug it and any other machine that I plug it into,

788
00:58:19,080 –> 00:58:21,280
all those settings remain.

789
00:58:21,280 –> 00:58:27,360
Now we’re of the opinion that a lot of people don’t even consider looking for FOSS alternatives

790
00:58:27,360 –> 00:58:32,160
to their proprietary software, because they just believe that it’s not very good.

791
00:58:32,160 –> 00:58:37,160
Or like, oh man, well, this software is very complicated, you know, there’s no

792
00:58:37,160 –> 00:58:41,520
way that there’s some good free option out there for me, but you should really start

793
00:58:41,520 –> 00:58:42,640
looking into this.

794
00:58:42,640 –> 00:58:47,800
So let’s take Windows and macOS, for example, we’re going to do a separate episode about

795
00:58:47,800 –> 00:58:53,600
this, but what I can tell you right now is Linux is shockingly good these days.

796
00:58:53,600 –> 00:58:54,600
It’s very stable.

797
00:58:54,600 –> 00:58:59,160
I’ve used it on a lot of different systems, including ones that are over 10 years old.

798
00:58:59,160 –> 00:59:04,400
You know, it’s very light on resources, so you can use it on old or weak computers like

799
00:59:04,400 –> 00:59:06,200
an old laptop or something.

800
00:59:06,200 –> 00:59:09,200
The user experience is actually pretty amazing.

801
00:59:09,200 –> 00:59:12,960
You know, I’m using Fedora right now to record this episode.

802
00:59:12,960 –> 00:59:18,400
And I think it would shock most, at least Windows users, how easy it is to do things

803
00:59:18,400 –> 00:59:23,760
like change the network settings, for example. You know, I don’t need to click through eight

804
00:59:23,760 –> 00:59:30,120
different dialogs that were written, you know, 15, 20 years ago, just to do something

805
00:59:30,120 –> 00:59:32,880
like change my DNS settings.

806
00:59:32,880 –> 00:59:38,320
Let’s take Google Chrome, for example, that also deserves its own separate episode.

807
00:59:38,320 –> 00:59:44,000
But the short story there is that Chrome is spyware that was written by Google to spy on your

808
00:59:44,000 –> 00:59:45,560
browsing habits.

809
00:59:45,560 –> 00:59:52,040
Now it’s built on an open-source engine called Chromium, and there are other projects out

810
00:59:52,040 –> 00:59:57,680
there like Brave that are built on Chromium as well but don’t include Google spyware.

811
00:59:57,680 –> 00:59:58,880
So you can check that out.

812
00:59:58,880 –> 01:00:04,840
And obviously there’s Firefox and certain other options, which are worth considering.

813
01:00:04,840 –> 01:00:06,880
What about Adobe products?

814
01:00:06,880 –> 01:00:11,080
I know Adobe is a big sticking point for a lot of people.

815
01:00:11,080 –> 01:00:15,640
From what I understand, some of their products are Windows only, which is, or at least it

816
01:00:15,640 –> 01:00:16,640
used to be.

817
01:00:16,640 –> 01:00:21,840
I don’t know if that’s still the case, but that’s kind of a strange business decision.

818
01:00:21,840 –> 01:00:26,440
But if all you need to do is open PDFs or something, you don’t need Adobe Reader.

819
01:00:26,440 –> 01:00:29,000
You know, I haven’t opened Adobe Reader in years.

820
01:00:29,000 –> 01:00:34,600
You know, in Linux, there’s Document Viewer and a lot of other options actually on Windows,

821
01:00:34,600 –> 01:00:38,800
you can use something called Sumatra PDF or something like that.

822
01:00:38,800 –> 01:00:44,880
That’s open-source and that is like infinitely faster than Adobe Reader, ironically.

823
01:00:44,880 –> 01:00:46,520
What about Photoshop?

824
01:00:46,520 –> 01:00:51,680
You know, Photoshop is probably one of the most torrented applications on the planet

825
01:00:51,680 –> 01:00:58,480
because, you know, it’s powerful and everybody wants to edit a photo from time to time.

826
01:00:58,480 –> 01:01:00,200
You can use GIMP.

827
01:01:00,200 –> 01:01:02,400
GIMP is a Photoshop alternative.

828
01:01:02,400 –> 01:01:07,320
It’s, you know, I’m sure that there’s some features that aren’t in GIMP that are in Photoshop.

829
01:01:07,320 –> 01:01:11,480
So if you’re doing work professionally, I could see a case where you might actually

830
01:01:11,480 –> 01:01:17,120
need Photoshop, but, you know, for probably 99% of home users, GIMP will do everything

831
01:01:17,120 –> 01:01:19,400
that they need it to do.

832
01:01:19,400 –> 01:01:21,120
Same thing with Illustrator.

833
01:01:21,120 –> 01:01:22,880
You know, Illustrator is really nice.

834
01:01:22,880 –> 01:01:28,760
If you need to make vector artwork like a logo or something, it’s cool, but it’s expensive.

835
01:01:28,760 –> 01:01:30,800
It’s proprietary and so on.

836
01:01:30,800 –> 01:01:32,600
You can use Inkscape.

837
01:01:32,600 –> 01:01:34,200
Inkscape is free open-source software.

838
01:01:34,200 –> 01:01:37,040
It’s very similar to Illustrator.

839
01:01:37,040 –> 01:01:43,840
It works with open-source file formats like SVG, which you can also import into Illustrator

840
01:01:43,840 –> 01:01:45,400
if you need to.

841
01:01:45,400 –> 01:01:51,600
And again, if you’re a professional, you know, you might have a good reason to need Illustrator,

842
01:01:51,600 –> 01:01:56,280
but most people I’m quite confident could get away with just using Inkscape.

843
01:01:56,280 –> 01:02:00,320
Even for accounting software, you know, a lot of people use QuickBooks.

844
01:02:00,320 –> 01:02:05,160
There’s something called GnuCash, G-N-U-C-A-S-H.

845
01:02:05,160 –> 01:02:07,240
It’s free and open-source.

846
01:02:07,240 –> 01:02:10,720
You know, I’m sure it’s not as powerful as QuickBooks, but again, I bet you it would

847
01:02:10,720 –> 01:02:15,400
serve the needs of most individuals and small businesses out there.

848
01:02:15,400 –> 01:02:16,600
What about VMware?

849
01:02:16,600 –> 01:02:20,000
You know, very powerful, it’s great, whatever.

850
01:02:20,000 –> 01:02:25,000
There’s Virtual Machine Manager, VirtualBox, Boxes, on and on.

851
01:02:25,000 –> 01:02:30,480
You know, there are a lot of other options out there that are free, and they’re extremely

852
01:02:30,480 –> 01:02:31,480
fast.

853
01:02:31,480 –> 01:02:36,640
I mean, I can boot up, you know, a Fedora VM in like a few seconds, you know, try doing

854
01:02:36,640 –> 01:02:41,680
that with, you know, VMware and Windows, it’s not going to happen.

855
01:02:41,680 –> 01:02:48,000
Google Play Store, you can use F-Droid or Aurora, because they’re both open-source and they’re

856
01:02:48,000 –> 01:02:49,000
quite nice.

857
01:02:49,000 –> 01:02:54,840
I mean, in reality, at least with F-Droid, it contains some of the best Android apps out

858
01:02:54,840 –> 01:02:59,400
there that you won’t find in the Play Store, because, you know, some of these developers,

859
01:02:59,400 –> 01:03:05,360
they don’t want to abide by Google or Apple’s terms of service.

860
01:03:05,360 –> 01:03:09,680
MATLAB, for example, great program, it’s also quite expensive.

861
01:03:09,680 –> 01:03:16,840
I mean, some of the toolboxes for MATLAB are as expensive as $10,000 last time I checked.

862
01:03:16,840 –> 01:03:19,960
There’s an alternative out there called GNU Octave.

863
01:03:19,960 –> 01:03:25,280
Now, again, it might not contain all of the same features, but it might suit all of your

864
01:03:25,280 –> 01:03:27,520
needs for free.

865
01:03:27,520 –> 01:03:31,600
Microsoft SQL, that’s fine, very expensive.

866
01:03:31,600 –> 01:03:36,720
You can use PostgreSQL, which from what I hear is actually quite amazing.

867
01:03:36,720 –> 01:03:41,120
A lot of people use a torrenting program called uTorrent.

868
01:03:41,120 –> 01:03:46,640
Now it was really popular back in the day, not only is that closed-source, but it’s got

869
01:03:46,640 –> 01:03:51,640
a very, very long history of embedding, basically, malware into it.

870
01:03:51,640 –> 01:03:57,000
I remember I was installing it on a system many years ago, and my antivirus popped up

871
01:03:57,000 –> 01:04:03,000
and said that it was trying to install some malware called OpenCandy, which is adware,

872
01:04:03,000 –> 01:04:06,920
basically, and, you know, not only is it closed-source, but like, why would you want to deal

873
01:04:06,920 –> 01:04:07,920
with that?

874
01:04:07,920 –> 01:04:13,320
Especially since there are better, more trusted open-source alternatives that don’t install

875
01:04:13,320 –> 01:04:20,280
malware on your system, like qBittorrent, KTorrent, Transmission, there’s tons of them.

876
01:04:20,280 –> 01:04:25,720
And you know, what some people will say is, oh, don’t worry, I’ve got this version of

877
01:04:25,720 –> 01:04:32,760
uTorrent that’s like 12 years old, I never updated, I’ve got the settings set just right

878
01:04:32,760 –> 01:04:34,880
and everything’s cool.

879
01:04:34,880 –> 01:04:39,640
Well, you know, the problem with that is, you know, if you’re using networking software

880
01:04:39,640 –> 01:04:43,560
that hasn’t been updated in 12 years, it’s probably riddled with holes, you know, a lot

881
01:04:43,560 –> 01:04:49,440
of, if you actually look at change logs for software, a lot of those changes are security

882
01:04:49,440 –> 01:04:50,640
improvements.

883
01:04:50,640 –> 01:04:54,680
So why would you accept that kind of risk when you can just switch to something that’s

884
01:04:54,680 –> 01:04:58,320
actually trusted and gets updates?

885
01:04:58,320 –> 01:05:04,200
Resilio Sync is a file syncing tool, pretty cool, I guess, you know, it’s an alternative

886
01:05:04,200 –> 01:05:08,720
to something like Dropbox, where you can basically sync between your devices rather

887
01:05:08,720 –> 01:05:13,880
than using the cloud, which is really just someone else’s computer. The problem with

888
01:05:13,880 –> 01:05:18,720
it is that it’s closed-source, you know, you have to pay for it, which is whatever, that’s not

889
01:05:18,720 –> 01:05:21,200
a huge deal, but it’s closed-source.

890
01:05:21,200 –> 01:05:26,680
And you know, last time I checked their apps made connections to Google, which, you know,

891
01:05:26,680 –> 01:05:31,720
like we talked about with NordVPN, if you’re trying to set up a private cloud or a private

892
01:05:31,720 –> 01:05:36,520
connection, last thing you want is that software talking to Google.

893
01:05:36,520 –> 01:05:41,280
So instead of Resilio Sync, you can use something like Syncthing, which is amazing.

894
01:05:41,280 –> 01:05:46,520
The only problem with that one is there’s no iOS client. And there are even FOSS games

895
01:05:46,520 –> 01:05:52,000
out there, some of them actually look pretty amazing and quite sophisticated, can’t really

896
01:05:52,000 –> 01:05:55,040
speak to any of them specifically, because I don’t really have time for that.

897
01:05:55,040 –> 01:06:00,040
But you know, the point of this is that there are a lot of amazing FOSS alternatives out

898
01:06:00,040 –> 01:06:03,240
there that you should really consider looking into.

899
01:06:03,240 –> 01:06:08,880
So to wrap up why we think FOSS is great, we’ve got three major points that you should

900
01:06:08,880 –> 01:06:10,000
consider.

901
01:06:10,000 –> 01:06:13,120
The first is that the world runs on FOSS.

902
01:06:13,120 –> 01:06:21,680
You know, if you take a look at IoT devices, medical devices, most web servers, clouds,

903
01:06:21,680 –> 01:06:29,520
HPCs, these almost all run some variant of Linux and other FOSS software.

904
01:06:29,520 –> 01:06:33,560
And for good reason too, I mean, they’re stable, you know, you don’t have to license

905
01:06:33,560 –> 01:06:34,560
it.

906
01:06:34,560 –> 01:06:35,560
It’s free.

907
01:06:35,560 –> 01:06:41,600
I mean, just imagine you’re being operated on by a medical device running Windows, and

908
01:06:41,600 –> 01:06:45,760
the thing shuts down on you because it’s installing updates or it blue screens or something

909
01:06:45,760 –> 01:06:46,760
like that.

910
01:06:46,760 –> 01:06:50,160
I actually tried to look this up and I couldn’t really find a great answer.

911
01:06:50,160 –> 01:06:52,480
So if anyone knows, let us know in the comments.

912
01:06:52,480 –> 01:06:58,520
But I bet that Microsoft Azure, you know, their cloud computing service is built on

913
01:06:58,520 –> 01:06:59,800
Linux as well.

914
01:06:59,800 –> 01:07:03,600
I couldn’t imagine that being built on Windows.

915
01:07:03,600 –> 01:07:10,240
The second big takeaway is that, you know, there’s a perception that a free application

916
01:07:10,240 –> 01:07:16,600
must be at best, just an 80 for 20 solution, meaning that, you know, it gets you most of

917
01:07:16,600 –> 01:07:24,800
the way there at very little cost, but, you know, in practice, it’s more like 90 or 95

918
01:07:24,800 –> 01:07:25,800
for zero.

919
01:07:25,800 –> 01:07:30,640
I mean, you’re not paying for it most of the time, which right off the bat, that’s a great

920
01:07:30,640 –> 01:07:36,560
deal and that’s a very high bar for proprietary software to overcome.

921
01:07:36,560 –> 01:07:43,760
But like I was saying before about VLC, some of these applications are actually better

922
01:07:43,760 –> 01:07:49,200
than the ones that you’re paying for, and they’re open-source, and they’re not spying

923
01:07:49,200 –> 01:07:50,200
on you.

924
01:07:50,200 –> 01:07:51,520
I mean, just imagine that.

925
01:07:51,520 –> 01:07:58,360
Imagine, you know, paying for a media player, for example, that’s closed-source and reporting

926
01:07:58,360 –> 01:08:01,280
your viewing habits to Google or something like that.

927
01:08:01,280 –> 01:08:05,640
Why would you do that when you can use something like VLC for free?

928
01:08:05,640 –> 01:08:11,200
And the third item is similar to what we were saying before about Windows and macOS going

929
01:08:11,200 –> 01:08:14,280
downhill and basically becoming adware.

930
01:08:14,280 –> 01:08:18,920
You know, this is also the road that a lot of proprietary software is going down.

931
01:08:18,920 –> 01:08:24,520
So what you can look forward to in the future of proprietary software is, you know, everything

932
01:08:24,520 –> 01:08:30,400
moving toward a subscription based model where you have to pay, you know, infinitely for

933
01:08:30,400 –> 01:08:34,560
these things and still be spied on and be served ads.

934
01:08:34,560 –> 01:08:39,360
Now, if you’re like us and you don’t like the sound of that, then, you know, it obviously

935
01:08:39,360 –> 01:08:42,480
behooves you to start thinking of an exit strategy.

936
01:08:42,480 –> 01:08:48,440
Now, to be fair, we should mention that FOSS software is not a panacea.

937
01:08:48,440 –> 01:08:50,680
There’s no guarantees that it’s private.

938
01:08:50,680 –> 01:08:52,720
There’s no guarantees that it’s safe.

939
01:08:52,720 –> 01:08:56,440
We do find issues in these projects; sometimes we’ll find bugs.

940
01:08:56,440 –> 01:09:00,720
Some of these projects are open about including telemetry.

941
01:09:00,720 –> 01:09:02,360
Some of them also serve you ads.

942
01:09:02,360 –> 01:09:04,840
They’re very open about that as well.

943
01:09:04,840 –> 01:09:11,000
And I think recently we saw it was either with pip or one of these other package systems

944
01:09:11,000 –> 01:09:15,120
that had some malicious packages that, you know, somebody found and they had to remove

945
01:09:15,120 –> 01:09:16,120
those.

946
01:09:16,120 –> 01:09:19,360
So, you know, that’s a risk.

947
01:09:19,360 –> 01:09:22,440
Linux, you know, a lot of people think Linux is bulletproof.

948
01:09:22,440 –> 01:09:23,440
That’s definitely not true.

949
01:09:23,440 –> 01:09:28,960
You know, we like Linux, we use it on a regular basis, but you know, it’s liable to have security

950
01:09:28,960 –> 01:09:32,760
holes in it just like any other operating system.

951
01:09:32,760 –> 01:09:38,300
It’s not that uncommon to see, you know, security vulnerabilities in Linux that have been sitting

952
01:09:38,300 –> 01:09:40,320
around for like 10 years.

953
01:09:40,320 –> 01:09:46,600
So, you know, don’t feel like you’re bulletproof because you’re using something like Linux.

954
01:09:46,600 –> 01:09:51,080
Any software is also vulnerable to supply chain attacks.

955
01:09:51,080 –> 01:09:53,240
I don’t know if you heard about CCleaner.

956
01:09:53,240 –> 01:09:56,840
I don’t think that one’s actually open-source, but it proves the point.

957
01:09:56,840 –> 01:10:04,040
CCleaner, you know, the developer got hacked somehow and someone injected malicious code

958
01:10:04,040 –> 01:10:10,080
into CCleaner during the build process and distributed malware to their users.

959
01:10:10,080 –> 01:10:16,240
Now, even though code is open-source, it is still technically possible to modify the code

960
01:10:16,240 –> 01:10:20,800
during the build process and not commit it to their repository.

961
01:10:20,800 –> 01:10:27,000
And you know, there are some mechanisms for checking that, but it is, it is a possibility

962
01:10:27,000 –> 01:10:28,400
to be aware of.

963
01:10:28,400 –> 01:10:35,360
I’m pretty sure Linux Mint also had a security incident in their website where the ISO for

964
01:10:35,360 –> 01:10:40,560
the operating system was replaced with a malicious one, so people installed basically a malicious

965
01:10:40,560 –> 01:10:42,720
operating system.

966
01:10:42,720 –> 01:10:48,000
Another thing to keep in mind is you have to wonder whether the code that you’re seeing,

967
01:10:48,000 –> 01:10:52,680
you know, in their GitHub or GitLab repo actually matches the installer that you’re

968
01:10:52,680 –> 01:10:56,640
using or whether anybody’s even looking at the code.

969
01:10:56,640 –> 01:11:01,400
And you know, this is more of a risk with smaller projects, things that are a little bit more

970
01:11:01,400 –> 01:11:05,880
niche that, you know, just don’t have a lot of eyeballs on them.

971
01:11:05,880 –> 01:11:13,040
And we should also mention that FOSS projects are also targets of certain kinds of attackers,

972
01:11:13,040 –> 01:11:19,120
because if you have the code, it’s very easy to, you know, download it, insert malware into

973
01:11:19,120 –> 01:11:24,200
it, build an executable or an installer, and then try to trick somebody into installing

974
01:11:24,200 –> 01:11:25,200
it.

975
01:11:25,200 –> 01:11:29,560
And if you can do that, then they might be running a real application and not have any

976
01:11:29,560 –> 01:11:31,960
idea that it’s actually infected.

977
01:11:31,960 –> 01:11:38,080
Now, that’s not, you know, a direct criticism of FOSS, but it’s just something to be aware

978
01:11:38,080 –> 01:11:39,080
of.

979
01:11:39,080 –> 01:11:44,960
There are, you know, infected versions of OBS and a lot of other projects out there.

980
01:11:44,960 –> 01:11:50,040
You just need to make sure that you’re installing them from, you know, the proper source.

981
01:11:50,040 –> 01:11:56,160
But you know, we get it, we get that sometimes you want or need to deal with closed

982
01:11:56,160 –> 01:11:58,120
source software.

983
01:11:58,120 –> 01:12:03,520
So we’re going to take a couple of minutes just to give you some ideas as to how you

984
01:12:03,520 –> 01:12:09,840
can run closed-source software and minimize, you know, some of the privacy and security

985
01:12:09,840 –> 01:12:12,440
risks that might come along with that.

986
01:12:12,440 –> 01:12:16,800
The first thing to keep in mind is you want to keep it to a minimum, you know, the more

987
01:12:16,800 –> 01:12:21,880
proprietary software you use, the more likely it is that you’re going to have a problem.

988
01:12:21,880 –> 01:12:27,560
You should also be thinking about how you can isolate this closed-source software as

989
01:12:27,560 –> 01:12:28,560
much as possible.

990
01:12:28,560 –> 01:12:31,480
And there are a lot of ways to do that.

991
01:12:31,480 –> 01:12:34,520
One of the best ones is to use separate devices.

992
01:12:34,520 –> 01:12:40,000
So if we talk to a lot of people in the privacy and security community, they’ll tell you that,

993
01:12:40,000 –> 01:12:41,880
you know, we do this as well.

994
01:12:41,880 –> 01:12:47,000
If you’re going to be playing games or you have certain applications like you really

995
01:12:47,000 –> 01:12:53,000
need to use Photoshop or DaVinci Resolve or something like that, consider doing that on

996
01:12:53,000 –> 01:12:54,440
a separate device.

997
01:12:54,440 –> 01:13:00,400
You know, a device that you don’t have a lot of sensitive personal information on.

998
01:13:00,400 –> 01:13:07,040
And another thing that you can try is to use and prefer web applications.

999
01:13:07,040 –> 01:13:13,960
A lot of services out there like Spotify, I think I heard that Uber does this as well.

1000
01:13:13,960 –> 01:13:20,280
They have web applications that you can use, which is nice because that allows you to try

1001
01:13:20,280 –> 01:13:25,280
to isolate some of your activities and data collection in your web browser as opposed

1002
01:13:25,280 –> 01:13:28,160
to actually installing their app on your device.

1003
01:13:28,160 –> 01:13:34,000
So when you install an app on your device, you’re giving it usually much more control

1004
01:13:34,000 –> 01:13:38,920
over your device and what data it has access to, than it would be if you just run that

1005
01:13:38,920 –> 01:13:42,800
application as a web application in your browser.

1006
01:13:42,800 –> 01:13:48,840
And the reason for this is because when you run a web app, that app is beholden to the

1007
01:13:48,840 –> 01:13:54,280
settings and the limitations imposed by that web browser, which of course is beholden to

1008
01:13:54,280 –> 01:13:56,000
the operating system.

1009
01:13:56,000 –> 01:14:01,080
So that gives you an extra layer of protection as opposed to running the native application

1010
01:14:01,080 –> 01:14:04,160
directly on your operating system.

1011
01:14:04,160 –> 01:14:08,720
Another thing that you should be using to help keep your activities isolated are virtual

1012
01:14:08,720 –> 01:14:09,720
machines.

1013
01:14:09,720 –> 01:14:14,320
These are very powerful and they’re a great way of keeping applications from communicating

1014
01:14:14,320 –> 01:14:19,320
with each other or accessing data that you don’t want them to have access to, or if they

1015
01:14:19,320 –> 01:14:23,280
turn out to be malicious, you can typically just delete the virtual machine and pretend

1016
01:14:23,280 –> 01:14:25,200
like that never happened.

1017
01:14:25,200 –> 01:14:31,040
And finally, there are a lot of techniques for managing the traffic between an application

1018
01:14:31,040 –> 01:14:33,240
and the outside world.

1019
01:14:33,240 –> 01:14:38,280
And you can do that with firewalls, you know, an application firewall like Safing Portmaster

1020
01:14:38,280 –> 01:14:39,960
is a great way to do that.

1021
01:14:39,960 –> 01:14:45,560
You can also use, you know, DNS filtering, like Pi-hole or NextDNS or something like

1022
01:14:45,560 –> 01:14:46,560
that.

1023
01:14:46,560 –> 01:14:51,040
And, you know, a lot of people don’t talk about this, but virtual LANs, VLANs, those

1024
01:14:51,040 –> 01:14:56,360
can also be very helpful as well by segmenting your network traffic.

1025
01:14:56,360 –> 01:14:59,360
So to wrap this up, let’s talk about action items.

1026
01:14:59,360 –> 01:15:04,200
First of all, don’t install something just because it’s FOSS.

1027
01:15:04,200 –> 01:15:08,360
You know, there are shady applications and projects out there.

1028
01:15:08,360 –> 01:15:13,120
Bad actors are aware that, you know, a lot of people have a false sense of security using

1029
01:15:13,120 –> 01:15:14,760
FOSS applications.

1030
01:15:14,760 –> 01:15:19,960
So you still need to do your due diligence about, you know, the application and the team

1031
01:15:19,960 –> 01:15:23,800
behind it and what exactly it does and whether it fits your needs.

1032
01:15:23,800 –> 01:15:27,760
And also be careful about where you download it from.

1033
01:15:27,760 –> 01:15:33,960
I always recommend going straight to the source, you know, most projects have a downloads page

1034
01:15:33,960 –> 01:15:40,560
on their website, so you don’t really benefit by going to, you know, FossHub or one of these

1035
01:15:40,560 –> 01:15:43,040
other sites that distribute software.

1036
01:15:43,040 –> 01:15:45,120
Just go to the source first.

1037
01:15:45,120 –> 01:15:48,560
And you know, it is possible that they’ll link to something else like they might link

1038
01:15:48,560 –> 01:15:52,600
to FossHub or they might link to GitHub or something like that, but at least you know

1039
01:15:52,600 –> 01:15:55,800
that that’s what they’re telling you to do.

1040
01:15:55,800 –> 01:16:02,160
And before you find yourself trapped, like a lot of WhatsApp users felt when Fecesbook

1041
01:16:02,160 –> 01:16:08,880
took over, start identifying the proprietary apps and services that you rely on and try

1042
01:16:08,880 –> 01:16:13,640
to start switching them over to something, you know, more open-source or more privacy

1043
01:16:13,640 –> 01:16:14,640
friendly.

1044
01:16:14,640 –> 01:16:20,280
I think that, you know, a lot of people just are under the impression that, you know, if

1045
01:16:20,280 –> 01:16:24,560
something bad happens or something changes against you, then you’ll switch.

1046
01:16:24,560 –> 01:16:28,280
But unfortunately, you know, a lot of times it’s too late by that point.

1047
01:16:28,280 –> 01:16:34,440
So like we started warning our clients, you know, more than a year ago about LastPass

1048
01:16:34,440 –> 01:16:39,040
and recommending that they switch to either KeePass or Bitwarden.

1049
01:16:39,040 –> 01:16:45,280
And since then, LastPass has had a major security breach, which doesn’t surprise us in the least.

1050
01:16:45,280 –> 01:16:48,680
And you know, now people are freaking out about it because they’re wondering whether

1051
01:16:48,680 –> 01:16:51,040
their password vaults are safe.

1052
01:16:51,040 –> 01:16:56,880
So with the proprietary apps that you don’t feel like you can replace with FOSS apps for

1053
01:16:56,880 –> 01:17:01,320
whatever reason, you know, ask yourself, can you just get rid of it?

1054
01:17:01,320 –> 01:17:03,680
Some of them you probably can.

1055
01:17:03,680 –> 01:17:08,000
Can you switch from a native app to a web app?

1056
01:17:08,000 –> 01:17:11,160
You know, that could give you a pretty big privacy and security boost.

1057
01:17:11,160 –> 01:17:12,160
It’s worth thinking about.

1058
01:17:12,160 –> 01:17:17,320
And if those fail, then you should be thinking about isolating it in a virtual machine or

1059
01:17:17,320 –> 01:17:19,400
a separate device or something.

1060
01:17:19,400 –> 01:17:23,400
If you are using FOSS projects, consider donating to them.

1061
01:17:23,400 –> 01:17:27,880
You know, most of them rely entirely on donations.

1062
01:17:27,880 –> 01:17:32,600
And every once in a while, we do see one just quit because, you know, it’s just not worth

1063
01:17:32,600 –> 01:17:34,920
it to them for one reason or another.

1064
01:17:34,920 –> 01:17:38,040
So you know, if you have a little bit of money to spare, why don’t you go ahead and help

1065
01:17:38,040 –> 01:17:39,040
them out?

1066
01:17:39,040 –> 01:17:45,200
And finally, knowing this information is one thing, but actually sitting down and putting

1067
01:17:45,200 –> 01:17:47,280
it into practice is another.

1068
01:17:47,280 –> 01:17:50,000
So consider becoming a Bigger Insights client.

1069
01:17:50,000 –> 01:17:53,880
We help our clients live more private and secure lives by helping them navigate these

1070
01:17:53,880 –> 01:17:56,960
kinds of issues in one-on-one sessions.

1071
01:17:56,960 –> 01:18:02,400
If you’re interested, fill out the short form at the bottom of our website, biggerinsights.com.

1072
01:18:02,400 –> 01:18:06,800
Otherwise, please spread this message by sharing it with others.

1073
01:18:06,800 –> 01:18:11,000
The more people that we share this message with, the better off we think we’ll all be.

1074
01:18:11,000 –> 01:18:13,920
And with that, thanks for staying to the end.

1075
01:18:13,920 –> 01:18:37,000
Take care and stay safe out there.
