As much as it sucks in other ways, Twitter is pretty good for keeping on top of the latest security news, especially during conferences where people are live-tweeting the talks and papers coming out. I'm also on a private mailing list run by a friend who aggregates and sends out links to security news articles.

Lately a lot of security reviews, which is a code review/audit that focuses on security and privacy aspects of a feature before it is merged. I also write code, mostly security or privacy related fixes. I try not to be invited to any meetings :P.

I thought it was great that finally, someone was trying to improve privacy on the web (blocking ads and trackers) in a way that could be financially sustainable through micropayments.

Not sure if I would call it the biggest hurdle, but a big hurdle is convincing people (non-cryptocurrency/tech people especially) that they should use a new browser. Probably the most common question I’m asked when I meet someone who hears about Brave for the first time is, "why should I use this over my existing browser?" A lot of people think that the idea of blocking ads/trackers by default and offering privacy-protecting ways to pay publishers is cool, but they are not really incentivized to pay for something that's been ostensibly "free" for them.

There's also the chicken-and-egg problem of getting publishers signed up to receive Brave Payments. (Some publishers don't find it worth the effort to sign up until there are sufficient Brave paying users, some users aren't interested in using Brave Payments until they see that their favorite publishers can be paid through Brave.)

my password on every site is p@ssw0rd obviously.

Brave's local data collection is not really more significant than other browsers' IMO, since every browser in non-incognito mode will generally write your browsing history to disk by default so it can show you the history after a browser restart.

Like Chrome/Chromium, we have some protections against people getting their devices hacked in the first place:

• SafeBrowsing, a blacklist of sites which are known to spread malware/viruses or engage in phishing
• Running tabs in sandboxed processes such that it's harder for a website to get remote code execution
• Protecting sensitive data like passwords on-disk encrypted with a key in the system keychain
• Brave also has some additional protections:
• Blocking ads helps block malware that is spread through ads
• HTTPS Everywhere is built-in to upgrade connections to HTTPS when possible
• Prominently showing the origin of downloads in the download bar since this can be different from the site that is currently being viewed

We've worked with Metamask at Brave since it is integrated into Brave on desktop. I think it's one of the most promising and usable Ethereum wallets out there. The only blocking feature that was missing for me was hardware wallet support, which they recently added!

https://medium.com/metamask/metamask-now-supports-ledger-hardware-wallets-847f4d51546

Opportunity: Help publishers get paid in a way that doesn't wreck people's privacy. Challenges: Convincing people they should try this out.

Privacy in general or privacy WRT leak-proofing in Tor (which is the doc you linked to)? For the former, we're working on blocking all connections to Google by default, have removed Google Accounts/telemetry/sync, and are looking into lifting patches from the Ungoogled Chromium project, among other things. For the latter, some of the bugs in https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs have been resolved in Chromium itself since that page was last updated. We block Flash, FTP, and WebRTC in Tor mode and block QUIC and DNS prefetching generally. The big outstanding issue is certificate fetches on non-Linux platforms, which we are going to look into after the new chromium-based Brave is released.

Hopefully global warming is in check by then, since that is a prerequisite to people being around to care about security/privacy. 🙂

Traffic monitoring: All connections are HTTPS with encrypted SNI and some kind of protection for DNS so that a passive traffic monitor can't see any domain names that people are visiting.

It would be cool if we got rid of the ad-funded web by then. I kind of imagine the Bandcamp funding model applied to every type of content on the web.

I definitely don't spend as much time on music as I'd like. On weeks when I'm working on music, I generally do so between the hours of 8 pm and 3 am, which is not ideal. Also, it's hard to motivate myself to start a music project (vs procrastinating) because I still feel like a n00b in electronic music production.

I use Ableton 9 for both production and DJing. For controllers, I have a launchkey25 and an apc40. I recently got a Subpac and it's surprisingly useful.

Favorite venue: Probably someone's apartment where there wasn't any dust 😛