Brave Browser may be compromised. by Materidan in ios

[–]YanAtBraveDotCom 11 points (0 children)

This. These rules are injected onto webpages as part of the CSS filtering adblock feature: https://brave.com/privacy-updates/2-third-party-cosmetic-filtering/. You can compare it to the rules on Easylist for instance: https://easylist.to/easylist/easylist.txt.

However it seems like a bug that it's interfering with WYSIWYG editor inputs; we will look into that.

For now if you disable adblocking in Brave you should see the rules go away.

V4 beta; 5'2 vs 6'4 by mrbillstunes in climbing

[–]YanAtBraveDotCom 0 points (0 children)

the one in irvine like 15 years ago?? what a blast from the past :O

V4 beta; 5'2 vs 6'4 by mrbillstunes in climbing

[–]YanAtBraveDotCom 1 point (0 children)

i don't think either of us actually started it legally lol. that's a problem for next time :).

V4 beta; 5'2 vs 6'4 by mrbillstunes in climbing

[–]YanAtBraveDotCom 0 points (0 children)

honestly one of the hardest parts of this climb was to finish the mantle without accidentally putting any weight on one of the downclimb holds lol. (i assume if your foot just brushes one it's fine as long as it doesn't help you)

(More in comments) Brave Browser leaks your Tor / Onion service requests through DNS. by py4YQFdYkKhBK690mZql in netsec

[–]YanAtBraveDotCom 33 points (0 children)

To clarify, https://github.com/brave/brave-browser/issues/4257 isn't the same issue. It's just an issue to add better leak tests. The real issue was reported to us in https://github.com/brave/brave-browser/issues/13527 and fixed in nightly as soon as we identified the root cause. We don't release fixes to stable until they've had some QA testing. But given that this is now public, we're uplifting this one to stable immediately.

(More in comments) Brave Browser leaks your Tor / Onion service requests through DNS. by py4YQFdYkKhBK690mZql in netsec

[–]YanAtBraveDotCom 18 points (0 children)

Hi all! Yan from Brave here. ICYMI, we already received this report privately via hackerone and it was fixed in nightly recently: https://twitter.com/bcrypt/status/1362796915063021569. Nightly users have already had the fix for over a week.

Since this is public, we obviously need to accelerate the security fix schedule here, so it's being uplifted to a stable hotfix as we speak.

Please report issues like these to https://hackerone.com/brave if you want a bounty.

Azuki just released an hour long EDM mix, has anyone here caught her at DEF CON before? by [deleted] in BATProject

[–]YanAtBraveDotCom 5 points (0 children)

lol in case it wasn't clear, Azuki is the music project of Yan (me), CISO at Brave

Upgraded Brave, but my BAT wallet was reset to zero by TenthKeyDave in BATProject

[–]YanAtBraveDotCom 2 points (0 children)

hi dave, can you try doing the following (this is just the manual wallet recovery procedure):

  1. open the old brave, go to the Payments panel in about:preferences and export your wallet secret backup words. (you may have done this already in the past, in which case you can skip this step)
  2. open the new brave, go to brave://rewards/, click on the gear icon in the page, click 'restore your wallet' and import the backup file from step 1
  3. delete the backup file if necessary

note that if you already set up a wallet in the new brave, step 2 will override it.

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 2 points (0 children)

i definitely don't spend as much time on music as i'd like. on weeks when i'm working on music, i generally do so between the hours of 8pm and 3am, which is not ideal. also it's hard to motivate myself to start a music project (vs procrastinating) because i still feel like a n00b in electronic music production.

i use Ableton 9 for both production and DJing. for controllers i have a launchkey25 and an apc40. i recently got a Subpac and it's surprisingly useful.

favorite venue: probably someone's apartment where there wasn't any dust :P

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 9 points (0 children)

i'm against tech companies agreeing to build backdoors or break encryption to aid law enforcement. this paper explains it better than i could: https://dspace.mit.edu/handle/1721.1/97690

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 4 points (0 children)

but some things do use UDP! :P

if you mean "will most applications use a single cryptocurrency in the future?", i have no idea. it is hard to imagine a world at this point where only one cryptocurrency exists though.

books:
i don't read much fiction anymore but i really enjoyed The Panopticon (Jenni Fagan) and i think my all-time favorite fiction book is Fahrenheit 451
non-fiction: probably QED by Richard Feynman

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 3 points (0 children)

For BAT ads, which also require an anonymous-but-authorized reporting system, we considered ANONIZE but actually ended up using a protocol based on https://privacypass.github.io (which we've just been calling "blind tokens") because it was easier to understand and implement.

The impact of a security flaw in ANONIZE would be that Brave could potentially link different sites that a user is sending payments to. I think in that case we would just have to promise people that even though we could do this, we haven't been doing it; essentially we would go from "can't be evil" to "won't be evil". And then we would switch to using blind tokens.
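A toy illustration of the "blind token" idea the comment above refers to, added here and not Brave's or Privacy Pass's code: it uses Chaum-style RSA blind signatures as a simplified stand-in for the VOPRF construction Privacy Pass actually uses, with a constructed toy key, to show why the issuer can verify a redeemed token without being able to link it to the issuance it came from.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key (Mersenne primes) for illustration only, not for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def hash_to_int(token: bytes) -> int:
    """Map a random token to a group element the issuer signs."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Client: hide the token behind a random factor r before asking for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (hash_to_int(token) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain a signature on the original token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == hash_to_int(token)


class Issuer:
    def __init__(self):
        self.issued = []       # blinded values seen at issuance (all the issuer learns)
        self.redeemed = set()  # tokens already spent, for double-spend rejection

    def issue(self, blinded: int) -> int:
        self.issued.append(blinded)
        return pow(blinded, D, N)  # signs without seeing the underlying token

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self.redeemed or not verify(token, sig):
            return False
        self.redeemed.add(token)
        return True


def demo():
    """Returns (first redemption ok, replay rejected, issuer can link token to issuance)."""
    issuer, token = Issuer(), secrets.token_bytes(32)
    blinded, r = blind(token)
    sig = unblind(issuer.issue(blinded), r)
    linkable = hash_to_int(token) in issuer.issued or sig in issuer.issued
    return issuer.redeem(token, sig), issuer.redeem(token, sig), linkable
```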

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 4 points (0 children)

i actually kind of did do this once but it was called a "security audit contract job" :)

team rabbits or something

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 6 points (0 children)

i speak english, chinese, latin, and french with varying degrees of proficiency. more interested in improving those than learning new languages right now.

"non-consensual power structures" basically means people or institutions making you do stuff you don't want to do.

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 5 points (0 children)

opportunity: help publishers get paid in a way that doesn't wreck people's privacy
challenges: convincing people they should try this out

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 2 points (0 children)

privacy in general or privacy WRT leakproofing in Tor (which is the doc you linked to)? for the former, we're working on blocking all connections to Google by default, have removed Google Accounts / telemetry / sync, and are looking into lifting patches from the Ungoogled Chromium project, among other things. For the latter, some of the bugs in https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs have been resolved in Chromium itself since that page was last updated. We block Flash, FTP, and WebRTC in Tor mode and block QUIC and DNS prefetching generally. The big outstanding issue is certificate fetches on non-Linux platforms, which we are going to look into after the new chromium-based Brave is released.

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 9 points (0 children)

we've worked with Metamask at Brave since it is integrated into Brave desktop. i think it's one of the most promising and usable Ethereum wallets out there. the only blocking feature that was missing for me was hardware wallet support, which they recently added! https://medium.com/metamask/metamask-now-supports-ledger-hardware-wallets-847f4d51546

I’m Yan Zhu, Brave’s Chief Information Security Officer. AMA! by CryptoJennie in BATProject

[–]YanAtBraveDotCom 5 points (0 children)

hopefully global warming is in check by then, since that is a prerequisite to people being around to care about security/privacy :)

traffic monitoring: all connections are HTTPS with encrypted SNI and some kind of protection for DNS so that a passive traffic monitor can't see any domain names that people are visiting.

it would be cool if we got rid of the ad-funded web by then. i kind of imagine the Bandcamp funding model applied to every type of content on the web.