June 16, 2025 17 mins

Several popular Chrome extensions, including privacy and security tools, have been found leaking sensitive data through unencrypted HTTP and hard-coded credentials in their code. Security is both hard and easy - hard because of existing unencrypted protocols and trust placed in developers, but easy because fundamental security practices should be common knowledge in 2025.

• Chrome extensions including DualSafe Password Manager and Avast Online Security are leaking sensitive user data
• HTTP vs HTTPS - the 'S' stands for security and encrypts data transmission over the internet
• HTTPS Only extension from EFF forces secure connections when browsing
• Hard-coded credentials in extensions create permanent security vulnerabilities
• Developers sometimes collect excessive data "just in case" rather than minimizing collection
• OWASP (Open Web Application Security Project) provides essential resources for developers
• Technology abstraction makes users less aware of security fundamentals
• The newly restarted OWASP Nomad chapter offers virtual community for application security
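The two defects the episode keeps coming back to, plaintext `http://` endpoints and credentials baked into an extension's JavaScript, are both things a developer or reviewer can catch with a static pass over the source before publishing. The following is an added example, not code from the episode or from any of the extensions it names: a small Node.js audit that flags non-loopback `http://` URLs and long quoted literals assigned to key/secret/token/password-named identifiers. The regexes, the placeholder filter and the `SAMPLE_SOURCE` script are constructed for illustration and the `.invalid` hostnames are deliberately unroutable.

```javascript
// Added example: static audit of extension JavaScript for plaintext HTTP
// endpoints and hard-coded credentials. Heuristics and sample are constructed.

// Any http:// URL literal; capture everything up to whitespace or a quote.
const HTTP_URL_RE = /\bhttp:\/\/([^\s'"`)]+)/g;
// Loopback hosts are normal in dev builds and are not a data leak.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1"]);

// An identifier containing api_key/secret/token/password assigned a quoted
// literal of 16+ characters. Heuristic only; tune for your own code base.
const SECRET_ASSIGN_RE =
  /\b([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)\s*[:=]\s*['"`]([^'"`]{16,})['"`]/gi;

// Returns [{ line, url }] for every http:// URL that is not loopback.
function findPlaintextHttpUrls(src) {
  const findings = [];
  src.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(HTTP_URL_RE)) {
      const host = m[1].split(/[/:?#]/)[0].toLowerCase();
      if (LOCAL_HOSTS.has(host)) continue;
      findings.push({ line: idx + 1, url: "http://" + m[1] });
    }
  });
  return findings;
}

// Returns [{ line, name, preview }] for credential-looking literals,
// skipping obvious placeholders so template files do not drown the report.
function findHardcodedSecrets(src) {
  const findings = [];
  src.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(SECRET_ASSIGN_RE)) {
      const value = m[2];
      if (/^(changeme|xxx+|placeholder|\$\{)/i.test(value)) continue;
      // Never log the full value; a short prefix is enough to locate it.
      findings.push({ line: idx + 1, name: m[1], preview: value.slice(0, 4) + "..." });
    }
  });
  return findings;
}

function auditExtensionSource(src) {
  return { httpUrls: findPlaintextHttpUrls(src), secrets: findHardcodedSecrets(src) };
}

// Constructed sample of a background script showing both defects plus two
// lines that should NOT be flagged (a placeholder token and a localhost URL).
const SAMPLE_SOURCE = `
const API_KEY = "sk_live_0123456789abcdef0123";   // hard-coded credential
const DEV_TOKEN = "changeme-changeme-changeme";    // placeholder, not flagged
const TELEMETRY = "http://telemetry.example.invalid/collect";
const DEV_ONLY = "http://localhost:8080/debug";
fetch("https://api.example.invalid/v1", { headers: { apiKey: API_KEY } });
fetch(TELEMETRY, { method: "POST", body: JSON.stringify({ os: navigator.platform }) });
`;

console.log(JSON.stringify(auditExtensionSource(SAMPLE_SOURCE), null, 2));
```

Run against the sample, the audit reports one plaintext endpoint (the telemetry URL on line 4 of the script) and one hard-coded credential (`API_KEY`), and stays quiet on the placeholder token and the localhost debug URL. The same two functions can be pointed at a real extension's unpacked source directory; the real fix for the findings is an `https://` endpoint and a credential fetched at runtime rather than shipped in the bundle.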

Check out our GitHub repository of privacy resources at "Awesome Privacy Engineering Tools" for more information on implementing better privacy practices in development.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
All righty then. Ladies and gentlemen, welcome back to another episode of Privacy, Please. Cameron Ivey, here with Gabe Gumbs, we're just hanging out, we're chatting, we're chatting, we've been chatting, catching up a bit. How are you doing? I'm good man, always good, always good to connect, love chatting with you, and there's a lot going on, but we pinpointed a specific story that seemed pretty interesting, kind of take

(00:27):
us back to our beginning days.

Speaker 2 (00:27):
Um, yeah, we talk a lot offline about a ton of security and a ton of privacy, and you know that intersection of security and privacy is what Privacy, Please is all about, always has been since day one, and, and we came across, uh, we came across an article about, uh, you know, some Chrome extensions leaking information because it was using HTTP over HTTPS, and we're having an interesting conversation that we

(00:49):
figured was worthy of having online as well too. Refresh me in the details, sure.

Speaker 1 (00:56):
Yeah, yeah, so just for just to kind of high level. So several popular Chrome extensions, including some marketed as privacy and security tools, stuff like DualSafe Password Manager and Avast Online Security and Privacy, found to be leaking sensitive data. So the vulnerabilities came from two main issues: transmitting sensitive data, browser domains, machine IDs, OS

(01:20):
details, etc.

Speaker 2 (01:22):
It was unencrypted HTTP and using hard-coded credentials, API keys, secrets, tokens. So many things in that sentence. Yeah, so break that down. There's a lot of naughty things in that sentence. A lot, yeah, that's a lot. Um, hard-coded keys, bad. Sending data over the internet not encrypted, bad,

(01:47):
embedded in the extension of job JavaScripts, which is pretty common. Yeah, bad. And you know the internet, well. Why do we need security and privacy? Well, we need them fundamentally, as humans, to feel safe, to fulfill one of those, those basic needs of ours. Right, security is a very basic human need and that doesn't

(02:07):
change in our digital world. Yeah, but the internet wasn't designed with security in mind initially, not for the most part, right? The? What we know as the commercial internet grew out of something that wasn't intended to be accessed by everyone all the time in any open manner, and the world also has changed now that it's all interconnected.

(02:28):
And so, you know, HTTP as a protocol is not encrypted by default. HTTPS, the S in HTTPS, is for security. We're probably telling things to much of our audience that that knows, but you know, if you don't, you now know the distinction between those two things. And all the way back to our very first episode, we were talking

(02:49):
about another extension. So over five years ago, we were talking about another extension that we were advising our listeners to use, and it enforces HTTPS. It's called HTTPS Only. It's developed by Freedom Foundation, I think it's EFF, if I'm not mistaken. I think they're the ones that published the HTTPS Only plugin. If it's not, somebody, you're allowed to at me on this one. For

(03:13):
this you can at me, go ahead and at me and correct me, but what it does is if you try to visit, say, www, transcend that. Let me stop, sorry. Http colon slash slash transcend.io. It will automatically send you over to HTTPS, right, and it

(03:35):
won't let you go to HTTP. Even if Transcend for some reason had an HTTP endpoint, it will not let you go there. It will force you over to the other one, because we shouldn't be transmitting anything over the internet in clear text any longer with HTTP. We should stop doing that. Period. The protocol still exists and arguably it exists for some good

(03:55):
reasons. But it exists because it has and it is out there and it is widely embedded into many things. But anyone developing any security or privacy plugin, it belies logic that anything at all could even communicate on a standard port 80 HTTP port.

(04:16):
It just shouldn't. HTTPS by default communicates over port 443, SSL, and so it's an interesting article, largely because it's a firm reminder that security is both hard and easy in some ways, right. It's hard to get right because there are all of these existing

(04:37):
things like unencrypted protocols that are still out in the wild and the trust we put into developers and random plugins. But it's easy also because it's like, really dude, like HTTP. Really, we're hard coding secrets. It's 2025, gee, what's that? Can we not do that?

Speaker 1 (04:56):
Let me paint a scenario, Gabe. So when they're mentioning, even trusted extensions can become attack vectors. So what does it mean by that? What are some of the common mistakes that you see, or you've seen or you know about where developers can neglect proper security practices? I mean, that's the human. Humans.

Speaker 2 (05:19):
Humans are humans. But before I pick on the devs too much, because I spent a lot of years in application security and building application security products and being an application security pen tester, so I spent a lot of years beating up developers in security, so I feel I owe it to them at this point to be very, very nice to them. There are a few places where these things get slippery,

(05:39):
though. Right, like I can publish my own Chrome plugin and I can make it look very similar and close to yours so that I trick people into downloading mine. That's a huge problem. That's a significant problem, and so that's problem number one I think a lot of people should be on the lookout for: are you getting that plugin, even from the official source? Is that the official place?

(06:01):
Is that the right one? Humans being humans, things like hard-coded keys, probably a byproduct of development testing. In order to make that process quicker, use temporary, unsafe keys that you reuse in development because it shortens the workflow that you need to do. But then a lot of times that kind of thing gets committed

(06:23):
further upstream, or downstream as the case may be, in your product pipeline and finds its way into production, and that's not good. And so you know communities like OWASP, the Open Web Application Security shit. What does the P stand for? I don't remember. Open Web Application Security something,

(06:44):
but it's a nonprofit group that promotes web application securities, right? So like they publish a top 10 of things that you should be mindful of, and so my short answer to you is don't listen to what I have to say about that. I turn to the OWASP community for web application developers. Like they have a ton of resources on what they should do, how they should do it.

(07:05):
There are no shortage of resources. There's also a lot of resources already built into programming frameworks that will automatically implement different security protocols, so you know. So as a developer, you don't have to remember doing those things. So hopefully that's advice to young, burgeoning developers that are not intimately familiar. If you're not familiar with OWASP, go check them out.

(07:26):
There's also a new OWASP Nomad chapter, so most OWASP chapters are kind of in person. There's a new global one, or restarted. We rebooted, we, I didn't reboot it. Jerry Hoff has been a longstanding member of the OWASP community. Great dude, one of the most amazing AppSec folks I know. He restarted the Nomad chapter.

(07:48):
So if you want to join a virtual chapter of the Open Web Application Security, because there's one near you, go check out Jerry Hoff. You can find him probably on LinkedIn, some of the socials. Go check out OWASP. Go check out the OWASP Nomad group and there's a ton of resources there for you developers. We love you. Love you. We wouldn't have a lot of this without you, both the good and

(08:11):
the bad.

Speaker 1 (08:14):
What do you think about like? Do you think that there should be a deeper discussion around like regulatory pressure, around increased for extension marketplaces to enforce, like more development

Speaker 2 (08:27):
standards. I don't know if more regulation is gonna gonna help like. This is just. We've got so much regulation our heads already dizzy. Right, like you're already not supposed to transmit, you know, like medical records in clear text, right? A lot of that, the problem, I think, with that type of regulation that we're now discussing is it's very consumer-oriented.

(08:47):
Those that have listened to the show in the past know that I weirdly do like regulation in a lot of ways, like very, it's. It's very antithetical to my personality to actually like regulation, but but I, but I do enjoy the guardrails that that at least helps define, like, hey, everyone, here's what you should do, right, like. The problem is when they're just guidelines.

(09:08):
People don't just follow the guidelines. Problem is when they're regulation. People just check the box sometimes, right, but I don't think regulation helps there. I don't think it would. It certainly could be done. We have consumer protections, we have multiple consumer protection agencies, in fact, in the US, but I don't see how you

(09:29):
solve that problem with that.

Speaker 1 (09:30):
Well, like you just said, though, it's funny because you think of HTTP and some people are like, whatever, yeah, but maybe that's part of the reason, because it's being overlooked, because people are just not really thinking that. It's the more abstracted people get from technology too, right, like, think of the generations below us at this point.

Speaker 2 (09:50):
Right, I am not certain how many of them can tell you the difference between HTTP and HTTPS. Like I don't actually know the answer, but I know that technology is so abstracted away that most of them have never, like, had to sign their own cert or work with a cert authority. Right, like, because they probably didn't intimately interact with technology as a youngster. Like not in that meaningful way. They don't have to think about am I going to a secure site or

(10:13):
not, because most sites on the internet default to HTTPS now, that most people don't even think about it, right, like, they may have learned that. Oh, I should look to see if the little lock is there. Maybe they've learned that, but maybe they haven't. Yeah, you know, maybe they've learned that when it says, oh, this certificate is untrusted, continue anyway. No, maybe you don't continue. Like, maybe they have. Maybe, like, whatever internet era, keep going.

(10:34):
Yeah, yeah, abstraction of technology from humans in general definitely creates more space for this kind of thing.

Speaker 1 (10:43):
Do you think that privacy tools could actually be a helpful thing for the security teams? When it comes to something like this, yeah, what's the first thing that kind of sticks out to you that could benefit?

Speaker 2 (10:59):
I think it has to start with some education, right, like it has to start with some understanding of what we've spent a lot of time, just like I talked about OWASP. OWASP is all about security and so as a by-product, there's a lot of privacy built into the practices that are preached there. But I know of no just privacy-focused efforts around

(11:22):
application security development. We published some resources around this. We've got a little GitHub with all those privacy resources. We can drop the link again here. With, you know, with all those privacy resources, we can drop the link again here. It's awesome, awesome privacy guy. Privacy. Awesome Privacy Engineering Tools. Awesome Privacy Engineering Tools. That's the name of it.

(11:43):
Yeah, it's on GitHub. You'll find it under that name or under my name, Gabe Gumbs, you'll see it there, and so we've published some things around those. But it starts with definitely some education.

(12:03):
I think those developers need to, before we blame them for leaking things, like did they really understand that they shouldn't have been doing that? I would hope so and I would have expected, like I absolutely would have expected that. But do we know that? Has someone told them that? Has that communication occurred? I don't know.

Speaker 1 (12:15):
You know, this makes me think too, and I don't know if I'm too far out in left field, but I think there's the term like lack of visibility. I think that's why it's so important to have a good privacy tool in place that also integrates well with your security tools. So, first of all, companies are still doing this. They're collecting way too much data that they don't even need,

(12:37):
so that hurts your lack of visibility, because you don't even know what you got, why you got it. Exactly so. If someone does get in, it'd be nice that. That's why having a good privacy tool that integrates with-. No, you're right.

Speaker 2 (12:49):
These browser extensions are sending back a lot of sensitive data that you just, right here. I like OS is like all kinds of things, which I'm certain I know why the tools send those things back. But now you're collecting information about the users of your products, like, did you need all of it, right? I can tell you that, as a developer, sometimes there's, uh,

(13:10):
not myself, but you know developers will, sometimes they will, they will sometimes capture more than needed because it's easier to throw things out than it is to go back and go get it, right. It's like, ah, let me just grab all of the data and then I'll just sift out what I need.

Speaker 1 (13:26):
Do you also do that as a developer? Do you also do that as like for testing too?

Speaker 2 (13:30):
Sometimes absolutely.

Speaker 1 (13:31):
Yeah, yeah, absolutely.

Speaker 2 (13:34):
Makes sense. Telemetry, just general understanding of what's happening at the other end, yeah, but sometimes that's not really, it's not always needed. Can you achieve the same goal, right, like can you, whatever problem you were trying to solve for development, can you solve that problem without getting more data?

Speaker 1 (13:55):
That requires a lot more work, Gabe.

Speaker 2 (13:58):
And I'll tell you, data being what it is, everyone is in the more data is better than less game these days, and AI is when they made that problem worse. Right, like more data, because we have to train on that data. We want more data, more, more data, more data, we want more data, more, more data, more data.

Speaker 1 (14:19):
Yeah, I agree with you. I think this topic is actually. You can go pretty far with this. Obviously, we could talk you guys into the ground, but we'll post some resources.

Speaker 2 (14:31):
Let's post some OWASP resources. We'll post the Awesome Privacy Engineering resources. Um, I know you guys over at Transcend have some great resources on this stuff too. Um, we've got a couple of things also because Myota actually, you know, we, we create a, an infrastructure product that application developers actually do use. So, like some of our, some of our customers, like, when their

(14:51):
application takes data in, it goes inside of a secure Myota vault and that's where it operates out of. It's actually, it's part of their application infrastructure. So we'll post some resources on this topic. It's a lot of good reading on this. Love it.

Speaker 1 (15:07):
Yeah, all right. Well, thank you guys. Thanks, Gabe. All right, I'll see you guys in the next one. Till next time.
© 2025 iHeartMedia, Inc.