AMA with Yan Zhu

Welcome to the fifth post in our series of BAT Community-run AMAs.

The ongoing AMA series on Reddit is a six-month-long event that features various guests from the Brave and BAT teams. The goal of the series is twofold: to give fans of the project an opportunity to interact directly with team members, and to give team members—especially those who operate largely behind the scenes—a chance to share their insights and offer the community a window into their work.

The most recent AMA took place on October 17th with Yan Zhu, Brave’s Chief Information Security Officer. Over the course of the AMA, Yan fielded both pre-submitted and live questions from Redditors concerning a variety of topics, including how a day in her life at Brave looks, electronic music (a hobby of hers), and her thoughts on the Metamask project. Yan also divulged that she’s against tech companies building backdoors or breaking encryption to aid law enforcement and revealed that the simplest way to prove to someone who claims to be uncaring about privacy and security that they do, in fact, care is to “Ask them to hand over their phone unlocked.”

Highlights can be found below, with a link to the full AMA at the bottom of this post.

The next AMA will take place on Wednesday, October 31st, and will feature Jonathan Sampson, Brave’s Senior Developer Relations Specialist.

For the full list of upcoming BAT Community AMAs through January 2019, see below.

u/dkong1026: What are the most effective ways (for you/in your opinion) to keep up with the ever-evolving tech ecosystem/landscape? Security and crypto move fast!

As much as it sucks in other ways, X (formerly Twitter) is pretty good for keeping on top of the latest security news, especially during conferences where people are live-tweeting the talks and papers coming out. I'm also on a private mailing list run by a friend who aggregates and sends out links to security news articles.

@PandaCP78 (X, formerly Twitter): What are the tasks you perform daily at your job?

Lately a lot of security reviews, which is a code review/audit that focuses on security and privacy aspects of a feature before it is merged. I also write code, mostly security or privacy related fixes. I try not to be invited to any meetings :P.

u/scooptoop: What led you to join Brave?

I thought it was great that finally, someone was trying to improve privacy on the web (blocking ads and trackers) in a way that could be financially sustainable through micropayments.

u/groovingraphs: Hi Yan, big fan :) I myself am a big believer in new business models that have the potential to make fundamental changes in industries, which I believe BAT is well positioned to do. I have tried to play devil's advocate for myself in analyzing BAT and have not come up with as many visions of road bumps as I'd like. So in your opinion, what are the biggest hurdles BAT and Brave face in taking on the biggest in the BIZ and trying to convert such a large user base?

Not sure if I would call it the biggest hurdle, but a big hurdle is convincing people (non-cryptocurrency/tech people especially) that they should use a new browser. Probably the most common question I’m asked when I meet someone who hears about Brave for the first time is, "why should I use this over my existing browser?" A lot of people think that the idea of blocking ads/trackers by default and offering privacy-protecting ways to pay publishers is cool, but they are not really incentivized to pay for something that's been ostensibly "free" for them.

There's also the chicken-and-egg problem of getting publishers signed up to receive Brave Payments. (Some publishers don't find it worth the effort to sign up until there are sufficient Brave paying users, some users aren't interested in using Brave Payments until they see that their favorite publishers can be paid through Brave.)

u/shumwhere: I feel obligated to vet your claim as an information security expert by asking: What is your password?

If the Brave browser is collecting data on-device, will there be anything built in to protect its users from having that data stolen by hackers? I get it doesn't make sense to target users individually so I'm speaking more to something like a virus, worm, etc., that spread across millions of devices that does it.

My password on every site is p@ssw0rd, obviously.

Brave's local data collection is not really more significant than other browsers' IMO, since every browser in non-incognito mode will generally write your browsing history to disk by default so it can show you the history after a browser restart.

Like Chrome/Chromium, we have some protections against people getting their devices hacked in the first place:

  • SafeBrowsing, a blacklist of sites which are known to spread malware/viruses or engage in phishing
  • Running tabs in sandboxed processes such that it's harder for a website to get remote code execution
  • Protecting sensitive data like passwords on-disk, encrypted with a key in the system keychain

Brave also has some additional protections:

  • Blocking ads helps block malware that is spread through ads
  • HTTPS Everywhere is built in to upgrade connections to HTTPS when possible
  • Prominently showing the origin of downloads in the download bar, since this can be different from the site that is currently being viewed

u/SuperSiayuan: What do you think of the Metamask project? Should more people be aware of it and are you using it?

We've worked with Metamask at Brave since it is integrated into Brave on desktop. I think it's one of the most promising and usable Ethereum wallets out there. The only blocking feature that was missing for me was hardware wallet support, which they recently added!

u/Cryptotips_io: Hi Yan, thank you for taking the time to do an AMA! What are the biggest opportunities, as well as challenges, you face with your work at Brave Software?

Opportunity: Help publishers get paid in a way that doesn't wreck people's privacy. Challenges: Convincing people they should try this out.

u/AdmirableAwareness4: What if any efforts are being done to solve the privacy problems in Chromium, of which the Brave engine is based?

Privacy in general or privacy WRT leak-proofing in Tor (which is the doc you linked to)? For the former, we're working on blocking all connections to Google by default, have removed Google Accounts/telemetry/sync, and are looking into lifting patches from the Ungoogled Chromium project, among other things. For the latter, some of the bugs in it have been resolved in Chromium itself since that page was last updated. We block Flash, FTP, and WebRTC in Tor mode and block QUIC and DNS prefetching generally. The big outstanding issue is certificate fetches on non-Linux platforms, which we are going to look into after the new Chromium-based Brave is released.

u/SuperSiayuan: If you picture a utopia (or the closest thing to it) in about 100 years, what does it look like in regards to security, privacy, traffic monitoring, etc.?

Hopefully global warming is in check by then, since that is a prerequisite to people being around to care about security/privacy. 🙂

Traffic monitoring: All connections are HTTPS with encrypted SNI and some kind of protection for DNS so that a passive traffic monitor can't see any domain names that people are visiting.

It would be cool if we got rid of the ad-funded web by then. I kind of imagine the Bandcamp funding model applied to every type of content on the web.

u/dkong1026: I have a few music-related questions. Feel free to answer any or all of these :D.

Sorry for all the questions.

Been following you on X (formerly Twitter) for a while now and always thought you've been involved in cool stuff. How do you balance your time between music and tech? Both of them are time-consuming and demanding fields, I can imagine it's dizzying trying to keep track of it all.

What software and/or hardware do you use?

Favorite venue you've played at? (Burning Man, by chance?).

I definitely don't spend as much time on music as I'd like. On weeks when I'm working on music, I generally do so between the hours of 8 pm and 3 am, which is not ideal. Also, it's hard to motivate myself to start a music project (vs procrastinating) because I still feel like a n00b in electronic music production.

I use Ableton 9 for both production and DJing. For controllers, I have a launchkey25 and an apc40. I recently got a Subpac and it's surprisingly useful.

Favorite venue: Probably someone's apartment where there wasn't any dust 😛

Read the full AMA here.

Read David Temkin’s AMA from October 4th, 2018 here.  

Upcoming BAT Community AMAs:

October 2018

Jonathan Sampson, Developer Relations Specialist (Oct. 31st)

November 2018

Alex Wykoff, User Research and Testing
Marshall Rose, Senior Software Engineer

December 2018

Ryan Watson and Kamil Jozwiak, DevOps and QA
CBO Brian Brown, Luke Mulks, Jan Piotrowski, and Brad Flora from the Business Development team

January 2019

Tom Lowenthal, Security and Privacy Coordinator
