
Episode 39

Enhancing Your Web Experience with Privacy-First Browsing Strategies

Yan Zhu, Chief Information Security Officer at Brave Software, discusses ways to reduce your risk of getting compromised when browsing the Internet. She also explains how Brave’s policy of only collecting the bare necessities not only boosts security but also simplifies legal compliance and keeps your data truly private.

Transcript

[00:00:00] Luke: From privacy concerns to limitless potential, AI is rapidly impacting our evolving society. In this new season of the Brave Technologist podcast, we’re demystifying artificial intelligence, challenging the status quo, and empowering everyday people to embrace the digital revolution. I’m your host, Luke Mulks, VP of Business Operations at Brave Software, makers of the privacy-respecting Brave browser and search engine, now powering AI with the Brave Search API.

[00:00:29] You’re listening to a new episode of the Brave Technologist. And this one features Yan Zhu, who’s been the Chief Information Security Officer at Brave since 2015. Prior to Brave, Yan was a Senior Security Engineer at Yahoo, working on end-to-end email encryption, and a Staff Technologist at the Electronic Frontier Foundation, where she worked on open source projects such as HTTPS Everywhere and Let’s Encrypt.

[00:00:48] In this episode, we discussed security challenges that are unique to browsers and how Brave builds your user profile differently using user-first principles. Ways to reduce your risk of getting compromised when browsing the [00:01:00] internet, along with the evolution of passkeys, two-factor authentication and SIM swapping.

[00:01:04] How security and policy work together for establishing company culture and best practices that ultimately protect both users and the company. Now, for this week’s episode of the Brave Technologist. Yan, welcome to the Brave Technologist. How are you doing today?

[00:01:21] Yan: Thanks, Luke. Yeah, it’s great to see you again, even though it’s been over a year now, I think, since I’ve actually seen you in any form.

[00:01:28] Luke: I know. It’s been a while. It’s been a while. This whole remote work life thing is, it’s a little scattered, but, um, I’ve been looking forward to doing this one, too, like, not only because you’ve been at Brave, like, forever, but also because you have, like, kind of a super interesting role at Brave, too. Can you tell us a little bit about, like, how you ended up doing what you’re doing, like, getting kind of to Brave?

[00:01:48] Yan: Yeah, so I’ve actually been at Brave for eight and a half years, so pretty much since the beginning. Before that I was actually working on the security team at Yahoo, which is a company we don’t [00:02:00] hear much about these days, but back then we were starting this project to encrypt all of Yahoo Mail end-to-end.

[00:02:07] I was kind of leading that project from the engineering side there. Brendan, the CEO of Brave, reached out to me and said, Hey, I’m like, I’m starting something new. I like, I know you’ve worked on browser extensions in the past, kind of in the security space. We’d really like to meet you and like learn more about, you know, your experience.

[00:02:24] That’s kind of how I found out about Brave, like a couple of months before we officially launched. Yeah. So met with the team, like people came out to SF, we met up and we worked and did some hacking and it went really well. So, yeah, I decided to join Brave shortly after that.

[00:02:39] Luke: Awesome. Yahoo is pretty big, right?

[00:02:41] Like I’d imagine it’s like a super interesting place to be at, but what was it about Brave that kind of moved you over here?

[00:02:46] Yan: Honestly, I mean, I think I really enjoyed, I like, I’d been working at companies of all different sizes and like a nonprofit as well. So I think I’ve discovered, I really liked the small-size companies because you kind of get to build the culture.

[00:02:59] You get to set the [00:03:00] product direction from scratch. You don’t have any bureaucracy to deal with at that stage. So it’s just a lot more fun. Like you get to move really quickly and prototype things out. So that was appealing about Brave. And also the fact that it was a very ambitious project to just.

[00:03:15] Like when I had worked at the Electronic Frontier Foundation, we often had ideas where we were like, well, you know, if someone just built a new browser, like this would be doable, but no one’s, you know, crazy enough to do that. So, so that’s, that’s what drew me to Brave is that like the vision was just, you know.

[00:03:30] Very expansive. And yeah, I’ve kind of been interested in like building out like more privacy and security in browsers. I’ve worked on this project called HTTPS Everywhere that automatically upgraded sites to HTTPS. I built the first version of something called Privacy Badger, which is an ad blocker that still isn’t used today.

[00:03:49] So it kind of just dovetailed very nicely into the things Brave was interested in.

[00:03:54] Luke: Awesome. I mean, when you look at kind of the security challenges around browsers, what are those [00:04:00] major security challenges that you see?

[00:04:02] Yan: Right. Yeah. It’s almost like asking like, what’s the, you know, big security issues with like operating systems.

[00:04:07] Cause browsers are responsible for so much of what runs on someone’s computer. Yeah, I’d say like, if you asked me the same question 10 years ago, I would say the fact that most websites aren’t using HTTPS or using encryption, it’s just kind of like table stakes, right? Like, if you visit a website, you want a guarantee that that’s who you’re actually talking to, and other people who aren’t running the website can’t read your communications.

[00:04:32] So we’ve pretty much solved that. Like, I think we’re over 95% encryption across the major websites these days. It’s just kind of an ongoing battle, you know, with things that come up. You know, there was a while, like crypto was really big, as you know, so there was a lot of interest in like Web3 and NFTs and all that, and like a new wave of phishing attacks, some of them which were really interesting because I think crypto really made it so that.

[00:04:54] It got very easy to steal money without major consequences by just stealing someone’s wallet private [00:05:00] keys. So that was interesting in that it made it really profitable to compromise a browser extension, right? Like if that browser extension has access to, or like for instance, if an extension is an existing wallet, you know, if you can somehow compromise that or like take over that extension, you just get all the funds. So I thought that was a really interesting development, you know, just seeing people come up with these like attacks, whether they’re phishing or taking over existing software packages, supply chain attacks, and so forth, just to get to like cryptocurrency wallets.

[00:05:29] Luke: Yeah, I was gonna ask you kind of how Brave’s approach is a little bit different. But I think too, to just kind of frame it a little bit, I mean, it seems like with every trend, you’re having to be right there in the middle of it. But one of those interesting things about Brave, I think that sets us apart from a lot of other places is that like, you’re not only thinking about the security from, like, the user’s point of view, but also, company policy ethos point of view, right?

[00:05:51] I mean, that’s a cultural thing, right? Like, I’ve seen that kind of grow as a company, but what do you have to say kind of about how security’s role is within Brave, how it’s a little bit [00:06:00] different from other places, or how you’d like to see other companies doing it similarly or differently?

[00:06:06] Yan: Yeah, it’s a great question. As you said, like my role is not just security on the product side, but also taking care of security internally, which is in some ways a much harder problem and more important because, yeah, you just think about the amount of work it takes to compromise like one employee at a company who has access to the product.

[00:06:22] All kinds of internal resources, like that’s a much easier path to compromise than finding some kind of like crazy exploit in like the product itself. So it’s, it’s often the case that we find that people and employee security is like the weakest link in the chain. I think there’s not a whole lot of interesting work there.

[00:06:39] Like we, we kind of try to just follow the standard industry advice of, you know, using two-factor authentication, using SSO when possible, not letting people make their own passwords, using password managers. I don’t think I have a whole lot to criticize about the way the industry currently works. I think if I had to pick one, it’d be that people focus a lot on, like, certifications. We often get asked [00:07:00] by enterprise customers like, Oh, what certifications do you follow?

[00:07:03] I think there’s this like common conception on the like security employee side that some of those are kind of just for show, you know, like, because they are point-in-time audits, you know, like someone comes, they check your setup, they make sure like things are in order, like you tick that box and then you can tell your customers like, Hey, we, we finished like SOC 2 or something. But yeah, like in some cases those translate to actual security, especially if you have ongoing audits and you are like periodically checking those things.

[00:07:29] But I would like, like the whole industry to not focus so much on just checking these boxes and get a better sense of like, Hey, like, what are the people in the security team doing? Like, how do they actually respond to external bug reports and so forth? I think that’s kind of an unsolved problem, is like, without relying so much on these like high-overhead processes with certifications, how do you really assess like a company’s security posture?

[00:07:51] Luke: Yeah. And one of the other things too, that kind of jumps out to me a little bit, it seems like a lot of the security work is really tied to policy work, to like the first [00:08:00] principles side of things, of like not collecting something if we don’t have to, right?

[00:08:04] Like, I don’t know, maybe you could kind of give people a little bit of color as to how it’s almost like a deniability, right? Like, within the org, is that something that happens everywhere? Or is Brave kind of unique in trying not to collect all this data? I mean, I just bump up against it, you know, on the business side a lot, but I’m just kind of curious how you all are leading there.

[00:08:23] Yan: Yeah, I think everyone at Brave runs up into this question at some point because it’s built into our culture. It’s built into our core from the very beginning: if we don’t need it, we don’t collect it. That’s to me the strongest like security decision you could make, because if you don’t have the data in the first place, there’s no way for it to get compromised by compromising your company, which is this like centralized point of failure in a lot of cases.

[00:08:45] Yeah. And a lot of times we get asked like, Oh, like, how do you protect personal data? How do you protect financial data, like do you follow PCI and so forth? And our answer is like, we just, we don’t collect payments data. So we’re not subject to PCI. We also just try to collect [00:09:00] as little personal data as possible and only when it’s very clearly presented to the user.

[00:09:04] Like if Brave is collecting your email, you know, right? Like you’ve willingly given it, you know what it’s going to be used for. You can request for us to delete it, you know, you, you know, we want to give you the impression you have like full control of any personal data you hand over to us. And at the same time, try to push things out from like server side to client side to just minimize the amount of data we have to collect in the first place.

[00:09:26] Like our entire Brave Ads model is built around this idea that instead of building a profile of you from your browsing activity, which we collect, we simply build that profile like on your machine with your consent. And then that data never leaves your machine. And so, yeah, like imagine if we had in fact built ads with like, you know, all of people’s browsing histories, you know, so that we could mine that for like what kind of ads to show them, right?

[00:09:52] That’d be like a treasure trove of data to protect, and it just helps us as the security team, it really helps us sleep [00:10:00] easier at night, just knowing we don’t collect that data in the first place.

[00:10:03] Luke: There’s always like a risk of like hacking and having that done, but also from things like authorities, right?

[00:10:08] Like, people trying to request users’ information. If we don’t have it, then they can’t collect anything, right? Is that fair? Yeah,

[00:10:15] Yan: this is a common thing, right? Like companies get sent, I don’t know if people are generally aware, but companies frequently get sent subpoenas, right? Like in cases like a mass shooting or something like, you know, the FBI is going to want to know, what do we know about the shooter?

[00:10:28] Like what kinds of searches were they doing prior to that? And they’ll send out inquiries to the major tech companies or whatever, you know, they infer that the criminal was using, and send out requests to those companies for all the data they have related to this individual. And then it kind of falls on like that company’s legal team to say like, is this an overreaching request?

[00:10:48] Is this something we can put on our transparency report, or is it subject to some kind of gag order? Things like that, right? Yeah, and I think being in the position of just being like, we don’t collect that data in the first place saves you a lot of time and [00:11:00] energy, like trying to comply with these legal, um, subpoenas and so forth.

[00:11:05] Luke: Yeah, no, I just, one thing that jumped kind of out at me where I was like, really kind of grateful where we did this, to where you see like, oh, all of a sudden, I think it was like something with wallets or infrastructure on the crypto side of things. And I think like ConsenSys, who has like MetaMask, and then they also deal with Infura, were like collecting IP information from users.

[00:11:24] And we had done something that didn’t do that. It was like, Oh, yeah, we don’t need it, we can kind of detect on the client or something like that, service it if it’s not in a place that’s there. And it’s those little decisions that are like, actually like pretty awesome. You know, when you kind of have to deal with people discovering that, Oh, I’m a little more out there than I thought I was, because people aren’t necessarily thinking about their IP addresses when they’re browsing on the internet.

[00:11:45] Even though they’re just kind of being broadcast out there. You’ve been here for over eight years. How have you seen things change at Brave in your time from a security point of view?

[00:11:54] Yan: Well, just from a general point of view, it’s been so different. Like, I think we were like eight people [00:12:00] when I joined, maybe like six engineers, so it was, you know, primarily engineering. I think there was Brad from design and kind of like, like Catherine from PR was there, but yeah, pretty much everyone else was technical at that point.

[00:12:12] So yeah, in the beginning we were just very engineering heavy and then we slowly started growing, you know, made our first sales and marketing hires and really like became like more of a, I don’t know, like something that’s, I think there’s this interesting phase between, you know, like when you’re 10 or 20 people and when you’re like 50, because like at that small size, you know everyone, you know what they do, you kind of get a sense of their personality, even if you’re working remotely.

[00:12:40] And then I think around like 50 or so, I just stopped recognizing everyone’s names. I was like, there’s still people up, right. But I, I’ve never met, you know,

[00:12:49] Yan: and then I think about that point, like from the security team’s perspective, it, it becomes a little trickier because when you’re a small size, it’s easy to check in on everyone and make sure they’re, they [00:13:00] understand what you’re trying to do when you say, like, you have to get a YubiKey.

[00:13:03] You have to set up two factor. You have to use the password manager. Uh, you can even individually check in on people and say like, Hey, like, when was the last time you updated your machine? Do you need help from me to do it? And then like, yeah, when you’re larger, you just, can’t do that. You have to like set up automation.

[00:13:19] You have to set up like device policies to, to automatically do that. Yeah. And it does become more stressful because you just can’t sleep at night knowing that everyone has been using the password manager. You kind of have to periodically like check in and just, you know, get it, make sure everyone is on the same page security-wise.

[00:13:36] Luke: That stuff sprawls too, like, I remember even when we were kind of growing the marketing and sales side, it was like, there’s all these just tools out there that everybody who has come to the company later was just accustomed to using, you know, where it’s no, actually, like, these aren’t really great.

[00:13:52] And you’re kind of like, you know, lots of exposure there, right?

[00:13:55] Yan: Yeah, definitely.

[00:13:56] Luke: Knowing what’s being used half the time, there’s so many different [00:14:00] permissions, people are just saying yes to and all that in everyday work. Right. Yeah, it is a weird stage. You definitely knew everybody and then you don’t, I know exactly how you feel on that one.

[00:14:10] Oh my gosh, I didn’t even know you were here. Okay. We’ve also grown a lot. Like we didn’t have a search engine when Brave started. We didn’t have any of this AI tooling. How is it adapting to those like major kinds of new lines that the company is kind of broaching into? Is it, how does the security team kind of grow to be able to manage those new surface areas that we didn’t necessarily have before?

[00:14:35] Yan: Yeah. So, I mean, at the same time we’ve been growing our team, it’s still pretty small. Like, I don’t, I don’t actually remember how many people report to me. I think it’s around seven. Yeah. Like when we started, it was one, it was just me and I wasn’t even full time on security. I was also just working on random browser features.

[00:14:50] Yeah. And then at some point we even got like a data protection officer, uh, Pat, who I hope we’ll have on the podcast soon. And he’s really kind of increased [00:15:00] our maturity in terms of the way we think about regulations and legal compliance and a whole host of other issues.

[00:15:06] Luke: How has the security team kind of evolved with some of these new features, right?

[00:15:10] Like AI features, right? Like, and, I mean, it seems like so much of it’s like training on people, but I don’t know, like, how are you all thinking about this one? These things are kind of new to the market, but also new use cases, even something like having this API business where it’s like, Oh, now we have an index.

[00:15:27] And now we’re also like purposing API use for that too. Like, is it a matter of just getting the right people in place to kind of help grow the team or how do you all position around that?

[00:15:37] Yan: Yeah, search was a really interesting one because they were our first major acquisition, and only one so far at Brave.

[00:15:43] And so it was kind of like we swallowed another startup and they had their own processes, their own culture, like their own kind of like DevOps person and just way of doing things. And we don’t want to slow them down too much because like Brave security, I won’t go into too much detail, but our [00:16:00] processes are very strict.

[00:16:00] They’re very, like, you have to get these sign-offs and make sure a security team is like tagged on the correct parts that need our attention and so forth. Yeah, it turns out that, like, forcing them to go through that entire process would have been like a big burden on them, it seems. So, we kind of had to adapt and make like a more lightweight version of that for them.

[00:16:19] Which did involve making our own AI-based tools to like automatically flag security instances and so forth. So we could like move a little faster with them. So that was kind of interesting, is just like absorbing another code base, absorbing another team that had its own culture and its own people, etc.

[00:16:36] But also, yeah, it was really exciting to just, you know, have a, have a search engine. Like that’s been one of the most, I think, innovative things about Brave, is that we, we not only have our own browser, we have an independent search engine, even a search API. Now it hasn’t been a huge challenge in terms of making sure these things are security compliant.

[00:16:53] Cause at the end of the day, search is just another website. And we have plenty of websites, right? Like we have web engineers, [00:17:00] we have that experience and we know what kinds of attacks to look for. An interesting example was Goggles. So this is actually one of my favorite features in Brave Search. I don’t think any other search engine offers it.

[00:17:11] And I think it’s massively underused by people who use Brave.

[00:17:15] Luke: I agree.

[00:17:15] Yan: Yeah. Yeah. So basically Goggles is this way that you can define rules to rank the search results. So if I’m only interested in getting search results from, let’s say like, Stack Overflow, because I’m only interested in that one site.

[00:17:31] I can write a rule for that, and, you know, it’s not that interesting for that example because I can just search Stack Overflow, but let’s say I only want, like, Stack Overflow, GitHub, and other things like technical sites. So I can make a rule that says only search these sites and then prioritize these kinds of results.

[00:17:47] So you can write these like rule sets to shape the web however you want. People have done examples where they have made rules that prioritize like right-wing sites versus rules that support, like, left-wing sites. It’s great. Cause [00:18:00] like, you know, if people accuse Brave of being biased one way or the other, they can just make their own rules to offset that.

[00:18:06] And, you know, we’ll still use Brave as the search engine behind it all. But yeah, so when that thing launched, we, we definitely had some interesting discussions around like the kinds of syntax we would support and like, just, just kind of like making sure, this is something search engines have not generally supported.

[00:18:21] Like we’re not opening new attacks. So yeah, it’s like when we add new features that allow users to like customize forever, like shape it in certain ways, like that’s where we are most, like, thoughtful about new, like, security surface area.

[00:18:34] Luke: When you kind of look at this from the user’s point of view, right?

[00:18:38] I mean obviously like site encryption was like a big one when you started here, right? Is the risk profile for users a lot more severe now than it was when you started at Brave, or is it a lot of just the same kinds of practices, like good hygiene and things like that, that people should adopt more generally? Like, is the web a scarier place?

[00:18:56] Or is it getting better or just kind of moving along? [00:19:00]

[00:19:01] Yan: Yeah, it’s hard to answer because I don’t

[00:19:02] Luke: Yeah.

[00:19:03] Yan: I don’t talk to users a lot. I do know we, we have constantly gotten reports from people that say, like, oh, I’ve been hacked, can you help me fix it? You know, that’s, that’s been non-stop sent to like the security upgrade email address.

[00:19:15] Unfortunately, we don’t, it’s hard to explain to people like we are the security team for Brave, but we don’t secure your entire laptop. You know, you can have a perfectly secure installation of Brave on, you know, a system that’s been compromised through some other app or, or has malware on it, you know, and then there’s, there’s nothing we can really do about that, at least right now, maybe, maybe someday. But my biggest complaint is I don’t feel like we’ve done a good job.

[00:19:39] as an industry of like teaching people about the security model of the web, as shown by the fact that these kinds of like misconceptions never stop, like, you know, being sent to us.

[00:19:48] Luke: Right.

[00:19:49] Yan: I think we have in the last eight years, you know, stepped up two-factor security. Like a lot more people are aware that they should be enabling this on websites.

[00:19:57] Many, many more websites support it. [00:20:00] We even have like passkeys now, which are ways you can even use like your phone or your computer’s built-in security hardware as a two-factor. We’ve also made people a lot more aware of like SIM swapping, which is this attack where you take control of someone’s phone number, use that to take over their two-factor authentication.

[00:20:17] And so I think I’ve seen a migration away from sites supporting the phone as the second factor and more people supporting like authenticator apps or YubiKeys or passkeys and so forth. All of that has been really positive, I think, for users. But yeah, like at the end of the day, I just wish the understanding that security people have about like how the web works, like how compromises happen, etc.

[00:20:39] is more just pushed down to the ordinary user.

[00:20:42] Luke: Yeah. Are there ways that people can use their browser to better protect other areas of their experience on the web? Like people use different types of tools for different things. Like for example, like we have this VPN, right, that has a firewall built into it to kind of help bring device-level protection.

[00:20:59] Are there any other [00:21:00] ways that like you look at the security model for the web and maybe, you know, like people, talk about like signing things with crypto wallets or, or even with AI and authenticity of content and things like that. Are there ways that a browser can help to bring, you know, improve, like the quality of figuring out what’s actually real in this world?

[00:21:19] I mean, it seems like really timely because of all this election stuff going on,

[00:21:22] Yan: But yeah, there’s actually kind of two questions embedded in the question you just asked. The first one is like, how can people use browsers to improve their security overall? That’s a great question because my answer to that is just download less software. As a security professional, you know, we talk about things like reducing attack surface, which is like reducing the number of ways you can get compromised.

[00:21:44] And many people don’t know that, like the more apps and software you download, the bigger your attack surface, if you think about like what a website can do versus what a full app can do on your computer. Like the website has way less permissions, [00:22:00] way less privileges. So a compromised website on its own is not as bad as a compromised app, which could potentially like read files from your computer, you know, access your

[00:22:11] stored passwords, things like that, things that normal websites cannot do. So an example of this is if there’s a web version of some site, I will use it instead of downloading the app, pretty much religiously. So I do not download, like, you know, I trust Slack as a company. I know they have a security team.

[00:22:28] Still, I refuse to download Slack. I just use it in the web browser. Um, I use Zoom in the web browser. Anytime I’m prompted to download something, I like look up if there’s a web version and I prefer to use that, because browsers have like website sandboxing and so each website is isolated from other websites.

[00:22:45] And websites cannot, in general, like read your file system and do other kinds of, you know, sketchy actions that apps generally can do. Although macOS, you know, and operating systems have made improvements there. Yeah, and as to your second question about like the [00:23:00] authenticity of websites, yeah, I’m curious what ideas you have there because I, I do not.

[00:23:04] I don’t know. I think like, you know, we, we still haven’t solved phishing, right? Like if you make a site that looks kind of like, you know, the login page to Gmail, some percentage of people will enter their Gmail password on it.

[00:23:15] Luke: I just hear like hand waves. Let’s verify you, use a blockchain ID, right? Like on some, in, in, in basically like fingerprint some piece of content you make with it or something like that.

[00:23:26] But I don’t know if there’s anything like meaningful there yet, or if it’s just people talking about it. And so I guess I was wondering if maybe, are you seeing anything interesting there, kind of like where these things could come together?

[00:23:38] Yan: I mean, certainly early on there was, you know, I remember like around 2014, there was this phase where people were very suspicious of like certificate authorities who are the entities that issue TLS certificates to websites, which ultimately prove like that a website is the site that you think it is.

[00:23:55] And yeah, there was a lot of thoughts of like, Oh, what if we replaced that with a blockchain? So instead [00:24:00] of going to, let’s say, brave.com and the certificate is issued by like GlobalSign or someone like that, instead you check a blockchain, like a series of signatures, to make sure like this is really, you know, the certificate for Brave, and you know, we decentralize things, we get rid of certificate authorities. Maybe in a world where everyone has a blockchain client on their computer that’s trustworthy and can like do these kinds of verifications, that would work out. But I think, like, for whatever reason, you know, none of those things have, like, really taken off.

[00:24:31] Luke: How much do you think about security when it comes to, like, other types of, like, digital infrastructure, right? Like, voting machines or, just banking in general and all these things where, like, so much of our lives are kind of, pent up in these places or our choices that we’re making. Have you seen improvements on that front at all?

[00:24:49] Yan: Not a whole lot. I guess there’s people who study voting machines, like I won’t try to, you know, research, but I was on the review board for a security conference called DEF [00:25:00] CON for the last seven years until 2024 when I took a break. But every year we just got hundreds of submissions that were people hacking random items around them.

[00:25:12] Some of them were predictable, like, you know, combination locks, you know, things that are meant to be for security. Some are just like, I hate to say the word junk, but just these like random like IoT devices that is made by some like random company, right, and sold to like, you know, thousands of, sometimes more, people, where no one has audited the security.

[00:25:33] There was a really famous case of like baby monitors being hacked, you know, so these cameras used to like monitor your baby, you know, hackers could get into them, like access the video feed and the audio, which is, which is very scary, you know, as a, like if you’re a parent who was really concerned about this kind of privacy, like that would be really creepy.

[00:25:51] But yeah, like, I don’t, I don’t see those things getting meaningfully better because if you’re just trying to sell a product, the average person is not going to like audit how secure it [00:26:00] is. Right. So until it gets hacked, like no one, the market has no way of like determining, you know, if it’s worthwhile from a security point of view.

[00:26:07] And so people will just buy it. With baby monitors, maybe that’s a case where like, that’s a high level of concern. And so people are looking for more reputable companies, asking questions like, does this company have a security team? Has it had like third party audits and so forth? But yeah, for random IoT devices, like, I don’t know, like vacuum cleaners and like things like that, which are just being more and more connected online.

[00:26:28] Like, I don’t, I don’t see things getting a lot better.

[00:26:31] Luke: No, that’s interesting. Looking out at the future of these things, are you seeing, or even present to future, when we started at Brave, the privacy, private software industry, like privacy preserving, however you want to bucket it, right, privacy software, I guess, was still pretty like nascent.

[00:26:48] It wasn’t to where it is now, or like you’ve got companies that have like a hundred million plus users in some cases, or you have something like Signal where tons of people are using it. When you look out at the future, like, do you [00:27:00] see more of these things kind of just being built into other applications people are using, like better security practices or protocols that are, are you seeing better convenience factor with this stuff like over time?

[00:27:11] Or is it still kind of a big point of friction from your point of view?

[00:27:14] Yan: Oh, Signal’s an interesting case because they didn’t exist when Brave was founded. They just had a lot fewer users. And I think they were called like TextSecure or like Whisper Systems or something. I was using it at the time, but like most of the people I knew weren’t.

[00:27:28] And Signal, I think, did a great job of making this kind of like end to end forward secret encryption very usable, to the point where you could not tell that it was an encrypted messenger. It just seemed like any other messenger you would download. And by being so usable, like, I think they inspired other messengers at the time, like WhatsApp, iMessage, even Facebook Messenger, to adopt their same model of end to end encryption, which has been a really positive change for like people’s privacy in the world.

[00:27:59] So, [00:28:00] so yeah, that’s, that’s like a really inspirational story of like, if you just make something that’s encrypted under the hood, but works the exact same as the things people are used to, like it’s much more likely to get users, right? Because it’s not like encryption is a burden. It’s just another selling point on top of an existing product.

[00:28:17] Right. That’s like,

[00:28:17] Luke: yeah, I can use a

[00:28:18] Yan: messenger or I can use like a messenger. That’s essentially the same, but with better privacy. And so that’s an easy selling point.

[00:28:26] Luke: Totally. Or like, uh, like YouTube with no ads kind of thing, you know, where it’s like, you get all these cool privacy bonuses too. Is there anything we didn’t cover that you want people to know about?

[00:28:37] Yan: Questions we were talking about in advance. I think, I think the AI, like everyone’s asking about AI these days, like, how is AI going to change security? And I don’t, you know, I don’t have a great answer for that. I certainly think like a lot of security work is very boring and can be automated, and then that sort of thing is, would be interesting to me, but yeah, I think right now there’s [00:29:00] a lot of speculation on whether AI is going to be able to find like novel security attacks and make it so like the bad guys who are like attack, trying to attack the American infrastructure are suddenly going to be able to find all these like cool new exploits we don’t know about, but yeah, that’s, that’s kind of like an interesting frontier right

[00:29:18] Luke: now.

[00:29:18] Yeah. Totally. Where can people find more of your work or find you online?

[00:29:24] Yan: Yeah, I hate to say it, I’m like not, I’ve been trying to cut down on my web footprint recently. I still have a Twitter account, so it’s twitter.com slash bcrypt. And yeah, that’s about it. Honestly, I don’t, I don’t really post anymore, but yeah, everyone, uh, you know, they can reach me at yan at brave.com [00:29:42] with, you know, specific questions, although I might not respond.

[00:29:47] Luke: Okay. Okay. Thank you, Yan, really appreciate you coming on today, and love to have you back sometime too, to kind of go over any updates or anything interesting that you all have to share with us. Thank you for taking the time today.

[00:29:58] Yan: Thanks [00:30:00] for

[00:30:02] Luke: listening to the Brave Technologist podcast.

[00:30:04] To never miss an episode, make sure you hit follow in your podcast app. If you haven’t already made the switch to the Brave browser, you can download it for free today at brave.com and start using Brave Search, which enables you to search the web privately. Brave also shields you from the ads, trackers, and other creepy stuff following you across the web.

Show Notes

In this episode of The Brave Technologist Podcast, we discuss:

  • Security challenges that are unique to browsers, and how Brave builds your user profile differently using user-first principles
  • How security and policy work together for establishing company culture and best practices that ultimately protect both users and the company
  • The potential of AI in automating security tasks, and the critical importance of user education in this evolving landscape
  • The evolution of HTTPS, passkeys, two-factor authentication, and SIM swapping

Guest List

The amazing cast and crew:

  • Yan Zhu - Chief Information Security Officer

    Yan Zhu has been the Chief Information Security Officer at Brave Software since 2015. Prior to Brave, Yan was a Senior Security Engineer at Yahoo working on end-to-end email encryption, and a Staff Technologist at the Electronic Frontier Foundation, where she worked on open source projects such as HTTPS Everywhere and Let’s Encrypt. She has also served on the W3C Technical Architecture Group and DEF CON talks review board.

About the Show

Shedding light on the opportunities and challenges of emerging tech. To make it digestible, less scary, and more approachable for all!
Join us as we embark on a mission to demystify artificial intelligence, challenge the status quo, and empower everyday people to embrace the digital revolution. Whether you’re a tech enthusiast, a curious mind, or an industry professional, this podcast invites you to join the conversation and explore the future of AI together.