1
00:00:01,960 --> 00:00:03,460
What's up, what's up, what's up?

2
00:00:04,920 --> 00:00:05,740
Freedom Tech.

3
00:00:06,610 --> 00:00:07,380
What's going on, everybody?

4
00:00:08,380 --> 00:00:10,480
I'm going to check real quick that we're live.

5
00:00:14,340 --> 00:00:16,000
It should be here, YouTube.

6
00:00:17,520 --> 00:00:19,380
YouTube says coming soon.

7
00:00:21,760 --> 00:00:22,660
But I'm live.

8
00:00:23,260 --> 00:00:23,560
I'm recording.

9
00:00:26,500 --> 00:00:26,840
Strange.

10
00:00:28,800 --> 00:00:29,520
Go check.

11
00:00:40,340 --> 00:00:41,060
All right.

12
00:00:43,040 --> 00:00:45,040
Okay, I'm good on X, so that's good.

13
00:00:46,080 --> 00:00:47,460
And something went wrong with YouTube.

14
00:00:47,610 --> 00:00:48,720
There we go, now we're live on YouTube.

15
00:00:49,000 --> 00:00:49,360
Right on.

16
00:00:49,910 --> 00:00:50,600
Okay, cool.

17
00:00:50,820 --> 00:00:53,180
Welcome, everybody, to Freedom Tech Weekend.

18
00:00:53,360 --> 00:00:54,860
Today is May 2nd.

19
00:00:55,840 --> 00:00:57,040
Let's see, this is the fifth episode.

20
00:00:57,390 --> 00:00:59,040
So we've done this five weeks in a row.

21
00:00:59,220 --> 00:01:06,120
We just need to do it for like seven more years, never missing a week, and then we'll start to be

22
00:01:06,160 --> 00:01:11,920
as cool as some other streamers out there. But cool. No, welcome. Hope you're having a great day.

23
00:01:12,240 --> 00:01:18,980
We made it through April and, uh, let's get going. So last week we did a poll and we asked

24
00:01:19,160 --> 00:01:26,160
everybody what they wanted to cover. We had Orion web browser from Kagi up against Bitwarden, the

25
00:01:26,160 --> 00:01:32,280
password manager. And so the polls won out. We covered Orion last week and Kagi was so

26
00:01:32,410 --> 00:01:36,640
great to provide us with some information that we could cover on the show. Today, now

27
00:01:36,770 --> 00:01:40,600
we have Bitwarden. We're going to be talking about Bitwarden as well as password managers

28
00:01:40,800 --> 00:01:44,420
in general. So I'm going to take us on a brief tour of a few different password managers

29
00:01:44,550 --> 00:01:53,800
and we'll look at some of the pros and cons of using them. But then also, what was I going

30
00:01:53,800 --> 00:01:59,080
to say. I lost my train of thought already. Oh, yeah, yeah. Yesterday was World Password

31
00:01:59,260 --> 00:02:04,580
Manager or World Password Day, right? I don't know who decided it was World Password Day,

32
00:02:04,680 --> 00:02:08,580
but it was. The internet was all about it, especially all the password manager websites

33
00:02:08,880 --> 00:02:12,060
that were doing deals. So you're actually in luck. A lot of them still have deals going.

34
00:02:12,180 --> 00:02:15,380
So if you want to use the password manager that I talk about, you might be able to get

35
00:02:15,380 --> 00:02:20,600
like a 30% off deal or something like that. You know, you can pick your own poison there.

36
00:02:21,460 --> 00:02:23,100
All right, let's go and jump in the stream.

37
00:02:23,240 --> 00:02:25,360
I actually have back-to-back streams going today.

38
00:02:26,720 --> 00:02:28,680
I'll likely be on another show right after this.

39
00:02:29,680 --> 00:02:31,920
So I'm going to try and move through this quickly.

40
00:02:32,240 --> 00:02:35,740
We might have to stop slightly early today, but I wanted to be on time.

41
00:02:36,140 --> 00:02:36,600
Here we are.

42
00:02:37,180 --> 00:02:38,100
Let me go and share my screen.

43
00:02:39,060 --> 00:02:39,920
Let's get going here.

44
00:02:40,700 --> 00:02:43,900
I am at Bitcoin Park today in Austin,

45
00:02:45,980 --> 00:02:50,620
but I'm actually able to remote in and still do my normal setup on my server,

46
00:02:50,720 --> 00:02:51,220
which is great.

47
00:02:51,400 --> 00:02:52,960
Let's share the screen here.

48
00:02:54,340 --> 00:02:54,980
Let me get back.

49
00:02:55,860 --> 00:02:57,120
Make sure that it's sharing correctly.

50
00:02:57,360 --> 00:02:57,960
Alright, so cool.

51
00:02:58,160 --> 00:03:00,480
We've got that going there and then I'm in the bottom corner.

52
00:03:01,100 --> 00:03:03,800
I want my thing to be a circle though.

53
00:03:05,440 --> 00:03:06,660
I always forget how to do this.

54
00:03:08,819 --> 00:03:10,320
But, you're going to have me as a square.

55
00:03:12,000 --> 00:03:12,660
It's all good.

56
00:03:14,800 --> 00:03:15,160
Customize.

57
00:03:15,440 --> 00:03:15,620
Circle.

58
00:03:16,390 --> 00:03:16,480
Boom.

59
00:03:16,720 --> 00:03:18,240
Okay, you don't need to do so much of me.

60
00:03:19,200 --> 00:03:25,920
Sunny here in Austin today, which I love. I was out at Presidio Bitcoin earlier this

61
00:03:26,040 --> 00:03:32,080
week. Beautiful place. Had great weather out there. Okay, so let's jump over now. You can

62
00:03:32,120 --> 00:03:41,320
see two cursors. That's fun. Okay, jump right into it. So we've got four things that we're

63
00:03:41,320 --> 00:03:47,079
going to cover on this password manager tour today. We have Bitwarden, and then there's

64
00:03:47,080 --> 00:03:52,300
a tool called Vaultwarden which works with Bitwarden. But then I want to actually start

65
00:03:52,300 --> 00:03:56,880
by talking about general password managers that we've seen. Bitwarden was not the first.

66
00:03:57,480 --> 00:04:02,300
There's a couple that are really popular in the business world. First one is LastPass.

67
00:04:03,260 --> 00:04:09,000
This one became really popular first on Windows is my understanding. That's when I first saw

68
00:04:09,120 --> 00:04:13,939
it was a lot of Windows users were telling me to use LastPass. And then another prominent

69
00:04:13,940 --> 00:04:17,720
one is 1Password, which got its start on the Mac,

70
00:04:18,489 --> 00:04:22,240
became very popular among Mac users and iOS users.

71
00:04:22,750 --> 00:04:24,560
They both are cross-platform now.

72
00:04:25,070 --> 00:04:25,860
These are two big ones.

73
00:04:26,150 --> 00:04:30,300
But then you also have password managers that are built into your operating system,

74
00:04:31,500 --> 00:04:31,700
macOS.

75
00:04:32,100 --> 00:04:34,720
Apple has their own iCloud password vault.

76
00:04:36,020 --> 00:04:37,760
Man, it's been forever since I've been on Windows.

77
00:04:38,020 --> 00:04:39,780
I assume Windows has some kind of password manager.

78
00:04:41,040 --> 00:04:41,460
Probably does.

79
00:04:42,480 --> 00:04:44,840
And then the browsers all have their own password managers.

80
00:04:44,990 --> 00:04:47,140
And I mentioned this last week when talking about Orion,

81
00:04:47,470 --> 00:04:51,480
how every browser wants to store your passwords for you.

82
00:04:51,640 --> 00:04:53,740
So there are plenty of places to store passwords,

83
00:04:54,610 --> 00:04:56,560
but you've got to understand the trade-offs

84
00:04:56,690 --> 00:04:58,260
and security trade-offs that you're making with those.

85
00:05:00,260 --> 00:05:02,680
So let's talk about those.

86
00:05:02,850 --> 00:05:04,460
Let me quickly check the chat here,

87
00:05:04,600 --> 00:05:06,920
make sure that I'm not missing anything.

88
00:05:07,530 --> 00:05:08,040
All right.

89
00:05:08,480 --> 00:05:10,520
Feel free to drop something in the chat if you want to,

90
00:05:10,840 --> 00:05:13,740
any questions that you have, any experience you have with your password managers.

91
00:05:16,699 --> 00:05:20,360
Yeah, would love to engage with people if you have anything you want to say.

92
00:05:21,410 --> 00:05:21,700
All right.

93
00:05:23,740 --> 00:05:28,300
So, LastPass, this is a corporate password manager along with 1Password,

94
00:05:28,470 --> 00:05:29,760
and both of these are going to be very similar,

95
00:05:30,670 --> 00:05:32,560
but they've got their pricing structures and all that.

96
00:05:33,160 --> 00:05:37,520
However, when I search for the word source on the page,

97
00:05:38,360 --> 00:05:39,140
I'm looking for open source,

98
00:05:39,940 --> 00:05:41,440
There is no open source here.

99
00:05:42,400 --> 00:05:44,100
Same with 1Password.

100
00:05:46,720 --> 00:05:48,260
There's nothing about being open source.

101
00:05:48,710 --> 00:05:52,320
So these are closed source corporate apps that you can use.

102
00:05:53,800 --> 00:05:59,800
And like I said, they do have 30% off right now for that World Password Day.

103
00:06:00,420 --> 00:06:06,760
But let's go over here, and I want to understand a little bit more about these.

104
00:06:07,440 --> 00:06:10,320
So I guess I should back up real quick.

105
00:06:10,620 --> 00:06:14,060
If you've never used a password manager before, let me give you a brief primer.

106
00:06:14,610 --> 00:06:18,860
So passwords, right, we try to store them in our mind.

107
00:06:19,140 --> 00:06:20,000
We log into a website.

108
00:06:20,290 --> 00:06:21,320
You have to generate a password.

109
00:06:22,860 --> 00:06:26,140
And if you are typing in passwords and trying to remember them yourself,

110
00:06:26,910 --> 00:06:31,180
you end up using passwords that are memorable but tend to be weak,

111
00:06:31,250 --> 00:06:32,820
and you tend to share passwords among websites.

112
00:06:33,390 --> 00:06:35,020
Or, you know, maybe you use the same password,

113
00:06:35,240 --> 00:06:36,780
but you alter it just a little bit.

114
00:06:37,900 --> 00:06:39,580
This is inherently insecure.

115
00:06:40,400 --> 00:06:41,980
If someone breaks into one website

116
00:06:42,260 --> 00:06:43,860
and gets your password from that website

117
00:06:43,960 --> 00:06:44,620
and leaks it online,

118
00:06:45,420 --> 00:06:48,260
now all of these scripts out there,

119
00:06:48,300 --> 00:06:49,960
people are going to run these programs out there

120
00:06:50,040 --> 00:06:51,160
that take these known passwords

121
00:06:51,460 --> 00:06:54,320
and start testing that password against other websites

122
00:06:55,120 --> 00:06:57,640
and using your username and password combination

123
00:06:57,960 --> 00:06:58,500
on other websites.

124
00:06:59,080 --> 00:06:59,580
And guess what?

125
00:06:59,720 --> 00:07:03,220
They are smart enough that they can slightly alter the password

126
00:07:03,740 --> 00:07:04,900
and try a whole bunch of things.

127
00:07:05,180 --> 00:07:11,080
So you lower your security when you try to keep all your passwords in your brain.

128
00:07:11,740 --> 00:07:13,260
This is where password managers come in.

129
00:07:14,340 --> 00:07:19,060
So password managers allow you to alter your passwords and have different ones for a website.

130
00:07:20,060 --> 00:07:24,540
But then they go even farther to say, why do you need to have a password be easy to remember?

131
00:07:25,740 --> 00:07:27,240
Why not just have it be randomly generated?

132
00:07:27,600 --> 00:07:32,080
So most password managers, the default is to randomly generate a password per website.

133
00:07:32,700 --> 00:07:35,940
So each website, each login, you get a unique password.

134
00:07:37,080 --> 00:07:37,640
And this is great.

135
00:07:37,700 --> 00:07:41,480
This offers a lot more security, so that way if a password gets leaked on the internet,

136
00:07:42,980 --> 00:07:44,340
you're not vulnerable on other websites.

137
00:07:45,920 --> 00:07:47,120
That's why password names are standalone.

138
00:07:47,800 --> 00:07:52,640
Now we have these who are not open source, so you actually don't know what software they're running.

139
00:07:52,840 --> 00:07:56,240
You don't know what the software is running on the client, the app that you use,

140
00:07:56,920 --> 00:07:58,840
as well as the server that is synchronizing everything.

141
00:07:59,500 --> 00:08:03,200
You cannot verify the security model.

142
00:08:03,670 --> 00:08:07,720
You cannot verify that they are treating your data correctly.

143
00:08:08,090 --> 00:08:12,040
So it's very possible in any of these apps, if you cannot verify the source,

144
00:08:12,630 --> 00:08:13,760
you can't build the source yourself,

145
00:08:14,380 --> 00:08:18,520
it's possible that they have some kind of line of code in there

146
00:08:18,640 --> 00:08:21,340
that is storing your password somewhere else.

147
00:08:21,790 --> 00:08:22,840
Let me make my copy of them.

148
00:08:23,170 --> 00:08:25,520
Or that's simply just printing it out to an error log.

149
00:08:25,800 --> 00:08:31,980
These things happen a lot where apps have like diagnostics that they run, right?

150
00:08:32,159 --> 00:08:35,020
So if someone runs into an error, it prints out a thing on their server.

151
00:08:35,599 --> 00:08:37,960
And whenever there's a problem, they go look at all of their server logs.

152
00:08:39,120 --> 00:08:46,140
Occasionally, you have somebody who accidentally, during development, they're trying to debug something.

153
00:08:46,300 --> 00:08:49,500
And so they print a password out into the log just for their own purposes.

154
00:08:50,180 --> 00:08:51,420
And then they forget to remove it.

155
00:08:51,520 --> 00:08:52,560
And so they deploy it to production.

156
00:08:53,320 --> 00:08:57,520
And now production is spitting out passwords for users in the production logs.

157
00:08:58,140 --> 00:09:04,120
This has happened countless times all over the place at companies that you would not expect.

158
00:09:04,520 --> 00:09:08,260
So it's great to be able to verify things.

159
00:09:08,460 --> 00:09:10,780
That's why we're going to talk about Bitwarden and Vaultwarden today.

160
00:09:11,300 --> 00:09:15,520
But I wanted to cover these two as well because these are really popular,

161
00:09:15,780 --> 00:09:18,200
and I want you to understand the tradeoff, right?

162
00:09:19,280 --> 00:09:19,560
Okay.

163
00:09:20,900 --> 00:09:25,940
Now, let's quickly do, I want to look at vulnerabilities that have happened for these services.

164
00:09:26,750 --> 00:09:28,440
So, we're going to hop into Maple here.

165
00:09:28,710 --> 00:09:32,120
Tell me about prominent hacks.

166
00:09:33,080 --> 00:09:38,540
We'll make it singular or plural for the app LastPass.

167
00:09:40,279 --> 00:09:40,720
Okay.

168
00:09:41,200 --> 00:09:44,900
Let's see what kind of hacks and vulnerabilities they have had in the past, data breaches.

169
00:09:45,280 --> 00:09:50,580
I know that LastPass actually had a fairly large one, and that's what makes me want to do this.

170
00:09:51,300 --> 00:09:58,540
All right, so we have four that were, you know, 2015, they had a data breach, and they

171
00:09:58,640 --> 00:09:59,380
supposedly plugged it.

172
00:09:59,520 --> 00:10:05,500
2016, local password tracking, so this was in their browser extension, a vulnerability

173
00:10:05,920 --> 00:10:09,960
where an attacker could brute force within the browser.

174
00:10:10,660 --> 00:10:12,740
2019, password vault exposure.

175
00:10:13,740 --> 00:10:17,700
A researcher discovered a vulnerability in LastPass Android app that could expose

176
00:10:17,920 --> 00:10:19,680
password vault to other apps on the same device.

177
00:10:19,960 --> 00:10:24,540
so other apps on your Android app could potentially access passwords.

178
00:10:24,810 --> 00:10:27,340
And then 2022, data breach and encryption key exposure.

179
00:10:28,250 --> 00:10:33,340
This is where they had a data breach, including encrypted password vaults.

180
00:10:33,340 --> 00:10:38,060
So this is, it's these last two that I remember that are sticking out of my mind

181
00:10:38,180 --> 00:10:42,280
where the actual password vaults were accessed.

182
00:10:43,520 --> 00:10:52,200
However, it looks like it allowed attackers to access LastPass development environment and steal encryption keys.

183
00:10:52,940 --> 00:11:00,700
So they've plugged these up, but there are some major vulnerabilities that have happened in the past.

184
00:11:01,760 --> 00:11:05,680
Now do this for the app 1Password.

185
00:11:05,880 --> 00:11:08,740
It looks like a 1 password, so I don't want to do that.

186
00:11:09,200 --> 00:11:10,060
Go away. There we go.

187
00:11:14,500 --> 00:11:21,700
Okay, so 1Password also has some browser extension vulnerability in 2017, 2019 security

188
00:11:21,960 --> 00:11:23,340
audit and vulnerability disclosure.

189
00:11:24,570 --> 00:11:29,320
So this is just an audit, has some vulnerabilities, and they patched them.

190
00:11:29,410 --> 00:11:31,320
So this is what's been exploited in the wild.

191
00:11:32,140 --> 00:11:34,140
The desktop app had a vulnerability in 2022.

192
00:11:35,430 --> 00:11:38,340
They could access them through data including passwords and encryption keys.

193
00:11:38,680 --> 00:11:44,920
It was patched, and then 2022's vulnerability in their Android app discovered 1Password

194
00:11:45,080 --> 00:11:49,100
Android app allows hackers to access sensitive data, including one password and encryption

195
00:11:49,320 --> 00:11:51,140
keys, sorry, passwords and encryption keys.

196
00:11:51,700 --> 00:11:52,420
It was patched.

197
00:11:52,900 --> 00:11:57,900
Okay, so a lot of these are security researchers, but neither of these apps are open source,

198
00:11:58,240 --> 00:12:05,259
and so they hire audit firms to come in, and we have to trust the audit firms, and

199
00:12:05,260 --> 00:12:08,020
we have to trust the password company that they're willing to disclose these

200
00:12:08,140 --> 00:12:11,980
vulnerabilities ahead of time or just, you know, disclose these maps of the facts

201
00:12:12,050 --> 00:12:16,080
so they can get people upgrade. But it's not as transparent, right? They get to

202
00:12:16,200 --> 00:12:21,540
control the message, control the narrative there. Now let's look at Bitwarden. So

203
00:12:22,860 --> 00:12:29,120
Bitwarden is, we're going to do our little search here, resource, open source.

204
00:12:29,740 --> 00:12:33,519
That's right. So Bitwarden is open source and that's one thing that makes it such

205
00:12:33,520 --> 00:12:39,580
a powerful option for people who want to use a password manager. Now something that all

206
00:12:39,780 --> 00:12:49,740
these password managers do is you have a master password that you generate and this one is

207
00:12:49,800 --> 00:12:56,080
something that you need to remember. Don't write it down anywhere. Don't, I mean share

208
00:12:56,240 --> 00:13:02,239
it with someone if you feel like you need to in case your brain goes to mush. But this

209
00:13:02,240 --> 00:13:07,120
This is something that should be long and complex, but also memorable for you.

210
00:13:07,980 --> 00:13:09,960
There are various things you can do.

211
00:13:12,600 --> 00:13:14,320
Help me generate...

212
00:13:14,910 --> 00:13:22,460
How should I generate a long, complex password that is memorable?

213
00:13:24,300 --> 00:13:25,340
Forgive my spelling.

214
00:13:26,680 --> 00:13:31,099
There are a lot of different tricks you can do to generate a long password that you can

215
00:13:31,100 --> 00:13:36,620
Right, so use a passphrase. So instead of a single word, use a phrase or sequence

216
00:13:36,650 --> 00:13:39,760
of words that you'll remember. For example, I love coffee exclamation mark,

217
00:13:39,760 --> 00:13:46,760
my dog is named Max exclamation mark. Right, you can make them even longer and more

218
00:13:46,900 --> 00:13:52,720
complex and maybe swap out a few things here and there. Combine words, mix

219
00:13:52,860 --> 00:13:58,219
uppercase and lowercase, using the same example here. Use a password generator

220
00:13:58,220 --> 00:14:00,920
with a twist, create a story, right?

221
00:14:01,540 --> 00:14:04,060
The quick brown fox jumps over the lazy dog.

222
00:14:04,860 --> 00:14:08,400
You take the first letter from each word in that sentence

223
00:14:08,640 --> 00:14:10,040
and you create something like that.

224
00:14:10,680 --> 00:14:14,200
I've heard people use song lyrics before or movie quotes

225
00:14:14,740 --> 00:14:17,580
or really inspirational quotes that they, you know,

226
00:14:17,600 --> 00:14:19,720
that speak to them, a phrase from a book.

227
00:14:20,280 --> 00:14:22,820
So you can take a letter from each one of those words

228
00:14:23,060 --> 00:14:24,540
and make a password out of it.

229
00:14:25,220 --> 00:14:27,780
So there are lots of different things you can do here.

230
00:14:28,740 --> 00:14:35,680
But you want to make one really good, strong master password, and then that is used to locally encrypt

231
00:14:36,360 --> 00:14:41,020
all of your other passwords before they are sent to the servers of LastPass or 1Password or

232
00:14:41,020 --> 00:14:47,760
Bitwarden. So that's kind of the key to all of this, is that you encrypt locally, and then this

233
00:14:47,940 --> 00:14:54,219
app is able to, for each website, generate a new password per website, something that is kind of

234
00:14:54,220 --> 00:14:58,400
temporary if you will, that can be thrown away and replaced at a moment's notice.

235
00:14:59,560 --> 00:15:04,560
And that's what's so awesome about using password managers. So the difference here

236
00:15:04,740 --> 00:15:08,360
between Bitwarden and these others is that Bitwarden, because it's open source,

237
00:15:08,840 --> 00:15:13,300
you can see how they handle your master password and how they handle encryption

238
00:15:13,600 --> 00:15:19,619
locally before they send it to the servers, right? So in theory you don't

239
00:15:19,620 --> 00:15:26,220
have to totally know what is running on the servers for Bitwarden if you are encrypting

240
00:15:26,260 --> 00:15:30,260
locally. So if you can inspect the local client that you're running and if you even build the

241
00:15:30,320 --> 00:15:37,240
code yourself, then it lowers the necessity to trust what software is running on the server.

242
00:15:38,080 --> 00:15:42,040
Now it's still really nice if you can know what's running on the server, right? That's why

243
00:15:42,120 --> 00:15:47,839
we do secure enclaves here at OpenSecret. Maple runs on secure enclaves. Everybody knows what is

244
00:15:47,840 --> 00:15:53,840
going on with the server software from Maple and that we're privately encrypting all of your data,

245
00:15:54,600 --> 00:16:01,880
right? And if you haven't, go to trymaple.ai, grab private AI for yourself. It's awesome.

246
00:16:03,360 --> 00:16:08,640
Okay, so Bitwarden, let's go ahead and grab it. Now, they are a company, they have pricing,

247
00:16:09,020 --> 00:16:13,979
you know, they do enterprise things, all that stuff, right? But you can use it for yourself

248
00:16:13,980 --> 00:16:17,820
and use it for free. So we're going to do it for free. Get started.

249
00:16:21,740 --> 00:16:28,800
Create your free Bitwarden account and you can sign up with their website, right? And I can do

250
00:16:28,810 --> 00:16:34,920
that. I will in just one second, but I want to tell you about something else, which is Vault

251
00:16:35,120 --> 00:16:40,280
So Vaultwarden is a Bitwarden-compatible server written in Rust.

252
00:16:40,710 --> 00:16:48,140
Right? So somebody wrote their own server software that speaks to the

253
00:16:48,699 --> 00:16:53,640
Bitwarden app. So you could download or build the Bitwarden, you know, iPhone app,

254
00:16:54,040 --> 00:16:59,620
Android app, the desktop, that kind of stuff. But instead of pointing it to

255
00:16:59,720 --> 00:17:03,620
Bitwarden servers, you can run Vaultwarden yourself. You can run it at home,

256
00:17:03,720 --> 00:17:09,839
You can run it in your own cloud instance. There are, let's go to Start9.

257
00:17:10,680 --> 00:17:19,880
There are different, start9.com. Okay, here we go. There are these home server operating systems like

258
00:17:20,020 --> 00:17:24,100
Start9. You can buy their server or you can run it on your own server, but they

259
00:17:24,160 --> 00:17:28,940
make it super easy to install things like Vaultwarden where you just, it's like an app, you just click and install it.

260
00:17:29,000 --> 00:17:33,700
The other one is Umbrel and we are going to cover both Start9 and Umbrel in a

261
00:17:33,700 --> 00:17:40,780
episode because these are awesome for getting, helping people to run Freedom Tech tools easily

262
00:17:40,880 --> 00:17:48,040
at home. Okay, got about seven minutes left. So let's keep moving on. But just wanted to call

263
00:17:48,100 --> 00:17:52,480
this out that Vaultwarden is really easy. You can run it on your own or you can run it within

264
00:17:52,620 --> 00:17:57,559
one of these. It's kind of like a one-click install and then you point your Bitwarden app

265
00:17:57,560 --> 00:18:03,900
at your own Vaultwarden installation, and you start to have more sovereignty with how

266
00:18:03,980 --> 00:18:04,480
things are handled.

267
00:18:14,360 --> 00:18:16,140
I'm punching ice on a screen.

268
00:18:16,360 --> 00:18:19,360
That's probably like an amateur rookie mistake.

269
00:18:19,740 --> 00:18:26,180
Okay, let's, before we create an account, let's look at vulnerabilities for Bitwarden.

270
00:18:26,280 --> 00:18:28,560
Tell me about

271
00:18:28,680 --> 00:18:29,360
that

272
00:18:30,379 --> 00:18:30,940
or

273
00:18:31,120 --> 00:18:32,180
the app

274
00:18:32,380 --> 00:18:33,660
Bitwarden

275
00:18:36,379 --> 00:18:37,560
See if they have any.

276
00:18:38,960 --> 00:18:41,080
So we want to give everybody a fair shake here.

277
00:18:41,180 --> 00:18:43,920
2018, browser extension.

278
00:18:44,260 --> 00:18:45,580
You're noticing a pattern here.

279
00:18:47,139 --> 00:18:48,580
All of these password managers

280
00:18:48,780 --> 00:18:49,580
have browser extension

281
00:18:49,940 --> 00:18:50,860
What does that mean?

282
00:18:51,180 --> 00:18:52,000
Well, what that does,

283
00:18:52,100 --> 00:18:53,560
it's really nice and convenient

284
00:18:53,920 --> 00:18:54,080
where

285
00:18:55,700 --> 00:18:56,260
rather

286
00:18:56,260 --> 00:19:01,440
you generate a password for a website, it's quite a process to go to a website and then

287
00:19:01,520 --> 00:19:06,640
open up your password manager app, type in the website address, generate a password,

288
00:19:06,860 --> 00:19:10,460
and then paste it back into the website. And then every next time you want to log in,

289
00:19:10,540 --> 00:19:14,320
you have to go back to your app, copy the password, paste the website. That gets cumbersome.

290
00:19:14,720 --> 00:19:20,480
So they have all created browser extensions where it basically lets the app live within

291
00:19:20,480 --> 00:19:26,920
your web browser, you have to give access to the website, to give the browser extension

292
00:19:27,180 --> 00:19:31,580
access to the website. And a lot of people will just check and say, give it access to

293
00:19:31,580 --> 00:19:35,960
all websites. That is something you should just kind of heavily consider as you're doing

294
00:19:36,000 --> 00:19:40,760
that, that you are giving some third-party software access to every website that you

295
00:19:40,890 --> 00:19:46,160
browse. So they are now effectively getting your browsing history, which again is nice

296
00:19:46,160 --> 00:19:50,600
if you get warden because you can inspect what the browser extension is doing and that

297
00:19:50,700 --> 00:19:52,080
it's not logging your browser history.

298
00:19:53,500 --> 00:19:53,580
Okay.

299
00:19:54,060 --> 00:19:59,060
So they had a vulnerability in the browser extension security audit vulnerability disclosure

300
00:19:59,180 --> 00:19:59,480
in 2019.

301
00:19:59,880 --> 00:20:03,180
It looks like a lot of the apps did audits in 2019.

302
00:20:03,760 --> 00:20:04,980
I'm sure they do them on an ongoing basis.

303
00:20:05,640 --> 00:20:09,060
2020, they had a vulnerability in their Android app.

304
00:20:10,600 --> 00:20:14,440
Allow attackers to access sensitive data including passwords and encryption keys.

305
00:20:14,720 --> 00:20:18,520
it was patched. And then 2022 they have a vulnerability in their web vault.

306
00:20:19,900 --> 00:20:22,700
Researchers discovered a vulnerability in the Bitwarden web vault that could

307
00:20:22,860 --> 00:20:26,480
allow attackers to access sensitive data including passwords and encryption keys. It was patched.

308
00:20:27,240 --> 00:20:30,680
Okay, so they are not without their things. I want to

309
00:20:30,690 --> 00:20:34,640
say right now really quick, I am not double checking all of these. This is just

310
00:20:34,900 --> 00:20:38,460
AI telling me this. AI hallucinates all the time.

311
00:20:38,730 --> 00:20:42,320
So, if I were to actually decide

312
00:20:42,320 --> 00:20:47,480
to use one of these for work, I would go look into these and verify and see that these are

313
00:20:47,730 --> 00:20:52,700
true claims and try to look at the articles for all of these. Right, so we're just giving a quick

314
00:20:52,750 --> 00:21:00,640
and dirty assessment here. Do the same for Vaultwarden, and just in case you don't know what vault

315
00:21:30,640 --> 00:21:39,300
interface, essentially get access to sensitive data in their API, and a researcher found

316
00:21:39,400 --> 00:21:45,580
that there could be attacks that way through the API, and then in a Docker image, researchers

317
00:21:45,840 --> 00:21:51,880
discovered that an attacker could get access to sensitive data, including hackers and

318
00:21:51,940 --> 00:21:52,160
cryptos.

319
00:21:53,240 --> 00:21:54,320
Okay, so those are a few.

320
00:21:55,520 --> 00:21:56,840
But again, Vaultwarden is open source.

321
00:21:57,180 --> 00:21:58,580
You can see it all right there on GitHub.

322
00:22:00,020 --> 00:22:05,560
They've got 44,000 stars, a lot of commits, right?

323
00:22:06,440 --> 00:22:07,620
Almost 3,000 commits.

324
00:22:07,820 --> 00:22:08,740
They committed just yesterday.

325
00:22:09,560 --> 00:22:11,000
They have a lot of contributors here.

326
00:22:12,380 --> 00:22:17,500
So there are a lot of eyes on Vaultwarden, which is great.

327
00:22:18,380 --> 00:22:20,220
And then same can be said for Bitwarden.

328
00:22:20,300 --> 00:22:22,760
They have a lot of eyes on their open source tools as well.

329
00:22:23,960 --> 00:22:25,000
I want to go look at those.

330
00:22:25,180 --> 00:22:26,240
I know I haven't created an account.

331
00:22:28,360 --> 00:22:34,400
yet, partially because we're running out of time. This is turning out to be more of an introduction

332
00:22:34,720 --> 00:22:39,500
into what they are and lots about how to use the software. Maybe we'll have to do a follow-up next

333
00:22:39,680 --> 00:22:46,640
week and actually use it. Or maybe what I'll do is I'll record a video. That's what I'll do.

334
00:22:46,880 --> 00:22:52,580
I can record a video of me like studying that bit more than I'm using it. Or really you could,

335
00:22:52,820 --> 00:22:54,260
you know, go find a house somewhere.

336
00:22:55,300 --> 00:22:57,620
I hope that I'm providing a really good signal for you right now,

337
00:22:57,920 --> 00:22:59,840
just introducing you to the concept of password managers,

338
00:23:00,620 --> 00:23:02,380
what the different ones are that are out there,

339
00:23:02,450 --> 00:23:03,280
and what the trade-offs are.

340
00:23:05,960 --> 00:23:07,000
But let's see here.

341
00:23:07,130 --> 00:23:10,480
So Bitwarden, they have a bunch of different repos.

342
00:23:12,760 --> 00:23:14,660
And not only do they have a server and client,

343
00:23:16,620 --> 00:23:21,039
the clients, to me, are more important to see what they're doing

344
00:23:21,040 --> 00:23:23,240
because this is where your data is supposed to be encrypted

345
00:23:23,840 --> 00:23:25,480
and decrypted and handled and all that.

346
00:23:26,180 --> 00:23:29,820
And so for me, I want to see what's going on client side.

347
00:23:30,380 --> 00:23:32,620
And I can go look at the iOS app, for example,

348
00:23:32,800 --> 00:23:35,440
or the Android app, carry on the iOS app.

349
00:23:35,880 --> 00:23:37,580
And if I want to, I can download this code

350
00:23:37,980 --> 00:23:40,140
and run it myself on my device.

351
00:23:41,020 --> 00:23:43,480
And then I can know for sure

352
00:23:44,480 --> 00:23:47,440
what's happening with my password on my iPhone.

353
00:23:47,600 --> 00:23:49,640
So if you download Bitwarden from the app store,

354
00:23:50,600 --> 00:23:53,720
They can have one set of code here in GitHub.

355
00:23:54,480 --> 00:23:58,380
They can have a totally different set of code that they deploy to the app store.

356
00:23:59,160 --> 00:24:00,300
And there's no way to verify that.

357
00:24:01,100 --> 00:24:03,840
There is a really cool project called Zap.store.

358
00:24:04,660 --> 00:24:06,480
Orion can't open this page.

359
00:24:08,060 --> 00:24:08,540
Okay.

360
00:24:08,960 --> 00:24:11,180
Well, that's right.

361
00:24:11,380 --> 00:24:12,980
There's a project called Zap.store,

362
00:24:13,220 --> 00:24:18,459
which is trying to create builds for Android apps

363
00:24:18,460 --> 00:24:22,660
and basically allow developers to sign the build,

364
00:24:23,360 --> 00:24:25,740
and then you can verify bit by bit

365
00:24:26,040 --> 00:24:30,180
so that the open source code will reproduce the build.

366
00:24:30,320 --> 00:24:32,220
So you can make a reproducible build of the open source code

367
00:24:32,360 --> 00:24:33,940
and verify that it's the same thing that you're downloading

368
00:24:34,040 --> 00:24:36,680
and running on your Android without having to build it yourself.

369
00:24:37,500 --> 00:24:38,180
Pretty cool project.

370
00:24:38,980 --> 00:24:40,860
I hope I'm excited to see how it progresses.

371
00:24:41,880 --> 00:24:45,340
Okay, so let's go download.

372
00:24:45,980 --> 00:24:47,880
I'm going to try and skip this whole creation thing.

373
00:24:50,140 --> 00:24:51,980
There was a download button somewhere.

374
00:24:52,130 --> 00:24:52,700
There was a download.

375
00:24:54,500 --> 00:24:55,480
It looks download for the Mac.

376
00:24:55,700 --> 00:24:56,660
You can use Homebrew.

377
00:24:56,750 --> 00:24:57,060
Look at that.

378
00:24:57,260 --> 00:24:57,620
That's cool.

379
00:24:58,560 --> 00:25:00,500
You can also download it from the Mac App Store.

380
00:25:01,040 --> 00:25:02,140
I'm just going to download this.

381
00:25:04,160 --> 00:25:07,020
By the way, I'm using Orion as my browser if you didn't know.

382
00:25:07,770 --> 00:25:09,000
Oh, that's what I wanted to point out.

383
00:25:09,600 --> 00:25:10,320
Okay, yeah.

384
00:25:11,260 --> 00:25:13,680
On my very first stream, I covered Tailscale.

385
00:25:14,920 --> 00:25:22,000
And I couldn't show you exactly how it works because I couldn't VPN, like log in while

386
00:25:22,120 --> 00:25:22,840
I was streaming.

387
00:25:23,340 --> 00:25:26,020
Well, I am logged in now and that's actually how I'm doing the stream.

388
00:25:27,440 --> 00:25:31,460
This is my home server that I use every week on the stream, but I'm here at Bitcoin Park

389
00:25:31,480 --> 00:25:33,820
Austin and so I don't have my home server with me.

390
00:25:34,280 --> 00:25:37,200
So I use Tailscale and I am connected.

391
00:25:37,520 --> 00:25:38,680
I've got my network device here.

392
00:25:39,320 --> 00:25:44,900
That's my home server and I was able to tunnel into my home server and do the stream for

393
00:25:44,900 --> 00:25:49,820
So there's Tailscale at work, your own personal VPN, your own private VPN.

394
00:25:50,900 --> 00:25:51,540
That's awesome.

395
00:25:52,920 --> 00:25:53,920
Okay, so let's open up.

396
00:25:55,520 --> 00:25:57,680
Okay, I've got the application folder.

397
00:26:02,639 --> 00:26:03,560
Bitwarden.

398
00:26:04,560 --> 00:26:07,540
You can tell I also downloaded 1Password to play around with that one.

399
00:26:08,860 --> 00:26:09,320
Open.

400
00:26:12,299 --> 00:26:12,860
Okay.

401
00:26:13,280 --> 00:26:15,720
So they want you to create an account right off the bat.

402
00:26:16,320 --> 00:26:17,080
I'm actually out of time.

403
00:26:17,920 --> 00:26:18,360
We got here.

404
00:26:21,180 --> 00:26:25,480
Let me know if you want me to do a video of how to use Bitwarden later.

405
00:26:25,940 --> 00:26:27,340
I can do that and post it to my YouTube.

406
00:26:30,360 --> 00:26:32,360
But I think we're going to have to end it right here.

407
00:26:33,360 --> 00:26:33,840
This has been great.

408
00:26:34,370 --> 00:26:35,540
Thanks, everybody, for joining today.

409
00:26:36,180 --> 00:26:36,760
Appreciate it.

410
00:26:37,340 --> 00:26:40,320
If you're on YouTube, go ahead and subscribe to the channel.

411
00:26:40,920 --> 00:26:41,960
You're going to get these every week.

412
00:26:42,140 --> 00:26:44,140
Every week we do Freedom Tech Weekend.

413
00:26:44,540 --> 00:26:46,620
It is one tool that you can play with this weekend.

414
00:26:47,480 --> 00:26:52,180
And bit by bit, you can take your data back, right?

415
00:26:52,300 --> 00:26:57,420
You can start to pull away from these proprietary systems that don't share their code with you.

416
00:26:57,960 --> 00:27:01,520
They don't let you see what's going on and try to lock you in, right?

417
00:27:01,600 --> 00:27:05,960
They lock you in by having your data and having control over the app and hope that you don't go elsewhere.

418
00:27:06,160 --> 00:27:17,360
Well, we are going to use freedom tools that help us decouple from that so that we are flexible and we're able to move around as we need and know where our data is being stored and really know that we own our own data.

419
00:27:18,800 --> 00:27:19,660
So that's great.

420
00:27:20,080 --> 00:27:25,580
Yeah, I also stream on X and eventually one day I'm going to figure out how to stream onto Nostr as well.

421
00:27:26,440 --> 00:27:27,560
But thank you for joining.

422
00:27:28,000 --> 00:27:31,040
Like and subscribe, all that, you know, cringe stuff.

423
00:27:31,590 --> 00:27:34,960
But anyways, go play around with password managers this weekend.

424
00:27:35,060 --> 00:27:37,840
If you haven't tried out Bitwarden, download it, give it a go.

425
00:27:38,360 --> 00:27:39,060
All right, later.

426
00:27:39,180 --> 00:27:39,200
Thank you.
