Show Notes - https://forum.closednetwork.io/t/episode-58-the-price-of-being-watched/198
Website / Donations / Support - https://closednetwork.io/support/
BTC Lightning Donations - closednetwork@getalby.com / simon@primal.net

Thank You Patreons & Direct Supporters! - https://www.patreon.com/closednetwork
https://xmrchat.com/closednetwork
Direct Support - https://closednetwork.io
Subscribe Without Patreon - https://closednetwork.io/#/portal/signup

- Michael Bates - Privacy Bad Ass
- David - Privacy Bad Ass
- TK - Privacy Bad Ass
- Trying - Privacy Bad Ass
- VO - Privacy Bad Ass
- MrMilkMustache - Privacy Supporter
- Hutch - Privacy Advocate
- Inferno_Potato - Privacy Supporter
- Dolores Y - Privacy Supporter
- Direct Support - Craig D

Thank You Producers! You Produce This Show!

TOP LIGHTNING BOOSTERS !!!! THANK YOU !!!

- @bon thousands and thousands and thousands of SATs sats!!
- @fireflygow - 5,000 sats!!
- frigolay - 34,540 SATs.. HOLY SHITEwardemoff - 5,000 SATs
- Silas Thornbrook

Thank You To Our Moderators:

- Unintelligentseven - Follow on NOSTR primal.net/p/npub15rp9gyw346fmcxgdlgp2y9a2xua9ujdk9nzumflshkwjsc7wepwqnh354d
- MaddestMax - Follow on NOSTR primal.net/p/npub133yzwsqfgvsuxd4clvkgupshzhjn52v837dlud6gjk4tu2c7grqq3sxavt

Join Our Community

Closed Network Forum - https://forum.closednetwork.io

Join Our Matrix Channels!
Main - https://matrix.to/#/#closedntwrk:matrix.org
Off Topic - https://matrix.to/#/#closednetworkofftopic:matrix.org
SimpleX Group Chat - https://smp9.simplex.im/g#SRBJK7JhuMWa1jgxfmnOfHz7Bl5KjnKUFL5zy-Jn-j0

Join Our Mastodon server!
https://closednetwork.social

Follow Simon On The Socials

Mastodon - https://closednetwork.social/@simon
NOSTR - Public Address - npub186l3994gark0fhknh9zp27q38wv3uy042appcpx93cack5q2n03qte2lu2 - primal.net/simon
Twitter / X - @ClosedNtwrk
Instagram - https://www.instagram.com/closednetworkpodcast/
YouTube - https://www.youtube.com/@closednetwork
Email - simon@closednetwork.io

Special Thanks to - EloquentWinter for creating - A Linux guide on MAC address randomization https://forum.closednetwork.io/t/a-linux-guide-on-mac-address-randomization/189

TOPICS

Encourage curiosity - This week ties together a single thread: someone else holds your data, and therefore holds the power. From algorithmic pricing to supply-chain malware to government scanning to cloud-AI assistants — and the hopeful counter-move, taking your data back. The episode theme is curiosity: in every story, one extra question would have changed the outcome.

Segment 1 — Surveillance Pricing

Inspired by More Perfect Union, "We Found the Radical Solution to Surveillance Pricing"

Surveillance pricing (a.k.a. personalized / surveillance-based pricing) = charging you an individual price based on sensitive data about you — purchase history, browsing, geolocation, social activity, even biometric and financial signals. The economic endgame is "perfect price discrimination": charging each person their exact maximum.

- DoorDash holds a patent describing promotions based on a user's stress level.
- Delta Air Lines (with AI firm Fetcherr) has talked about expanding generative-AI pricing to ~20% of domestic fares, with ambitions to go further. Senators (Gallego, Blumenthal, Warner) and House members demanded answers.
- A Groundwork Collaborative / Consumer Reports / More Perfect Union study found different shoppers charged different prices for identical Instacart items.
- Former FTC chair Lina Khan has voiced concern.
- The "radical" fix is a law: New York's proposed One Fair Price Act would ban surveillance pricing outright — one posted price for everyone.
- Defensive moves (partial): private/container browsing, block cookies, disable ad personalization, use a VPN, compare logged-out vs. logged-in prices. Honest caveat: this is a structural problem — regulation, not browser tricks, is the real fix.

Curious question: Is this price the market — or is it me being read?

Segment 2 — "Arch malware btw": the AUR supply-chain attack

Inspired by Michael Tunnell and Switched to Linux — developing story, June 2026.

The Arch User Repository (AUR) is community-maintained, unvetted package build scripts (PKGBUILDs). In a ~24-hour window, a coordinated attack poisoned a large number of packages — reports cite 1,500+ touched, with community trackers confirming ~400–500 malicious package names and rising.

- How: Attackers adopted orphaned packages (abandoned by maintainers — anyone can claim them) and edited the PKGBUILD to add a pre/post-install hook that pulls a malicious npm package, atomic-lockfile (Sonatype tracked one strand as the "Atomic Arch" campaign).
- Payload: A Linux infostealer + optional root-only eBPF rootkit. Targets developer secrets — browser creds/cookies, SSH keys, GitHub creds, Vault/npm tokens, Docker/Podman, VPN configs, shell history, Slack/Teams/Discord/Telegram, crypto wallets. eBPF lets it run in-kernel and hide processes/files/connections.
- If you were hit and the rootkit deployed: rotate every credential (from a clean machine) and reinstall from scratch. A normal uninstall is not enough.
- Status: Maintainers are removing malicious commits and banning accounts; the official repos of Arch-based distros (CachyOS, Garuda, Chaotic-AUR) were not infected — only users who installed/upgraded a compromised AUR package during the window. Community checker script + affected-package list were published within hours.
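The two checks this segment points to, as an added example (not the community checker script and not code from the episode): matching `pacman -Qm` output against a published affected-package list, and flagging install-hook lines that fetch code. All package names, file names and the command pattern are constructed assumptions.

```sh
#!/bin/sh
# Added example (not the community checker script). Package names, file
# names and the command pattern below are constructed assumptions.

# Print installed foreign packages that appear in an affected-package list.
#   $1: installed list, one package per line (`pacman -Qm` or `pacman -Qmq` output)
#   $2: affected list, one name per line; '#' comments and blank lines allowed
match_affected() {
    awk 'NR == FNR {                       # first file: the affected list
             sub(/#.*/, ""); sub(/^[ \t\r]+/, ""); sub(/[ \t\r]+$/, "")
             if ($0 != "") bad[$0] = 1
             next
         }
         ($1 in bad) { print $1 }          # exact name match, version ignored
        ' "$2" "$1"
}

# Print "line: text" for non-comment lines of a PKGBUILD or .install script
# that run a fetch tool or language package manager. Heuristic for manual
# review: some legitimate PKGBUILDs call npm or pip inside build()/package().
flag_install_fetches() {
    awk '/^[ \t]*#/ { next }
         { line = " " $0 " " }             # pad so the tool name can sit at either end
         line ~ /[^A-Za-z0-9_-](npm|npx|pnpm|yarn|pip|pip3|curl|wget)[ \t]/ {
             print FNR ": " $0
         }' "$1"
}

# Offline demo on constructed data. On a real system:
#   pacman -Qmq > installed.txt   # then pass the published list as $2
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' example-helper-bin example-orphan-tool example-local-pkg > "$d/installed.txt"
    printf '%s\n' '# constructed list' example-orphan-tool example-other-pkg > "$d/affected.txt"
    cat > "$d/example.install" <<'EOF'
post_install() {
    npm install example-npm-package   # constructed hook line
}
EOF
    echo "Installed packages on the affected list:"
    match_affected "$d/installed.txt" "$d/affected.txt"
    echo "Lines to review in example.install:"
    flag_install_fetches "$d/example.install"
    rm -rf "$d"
}
demo
```

A clean result from either check only means no name or pattern matched; it says nothing about a package whose name is missing from the list.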
Action checklist (Arch users):

- pacman -Qm → list your foreign (AUR) packages.
- Compare against the community list / run the checker script (CachyOS advisory).
- If matched → rotate credentials from a clean machine, then clean-reinstall.
- Curious habit: Before installing, ask who maintains this, when did it last legitimately update, and did ownership recently change? On the AUR, read the PKGBUILD — the malicious line was visible to anyone who looked.

Segment 3 — UK Device Scanning: 90 Days to Comply

Inspired by "Signal's Warning: The UK's Phone Scanning Plan Just Got Real"

The UK government signaled that phone makers (Apple, Google) will get ~90 days to start scanning photos on young people's devices for nude images. Running alongside: Online Safety Act powers for Ofcom aimed at encrypted messaging (key report expected ~April). The mechanism: client-side scanning — every message/image checked on your device, before encryption.

- Why it matters: Client-side scanning doesn't break encryption directly — it inspects content before the lock clicks shut. The "end-to-end encrypted" label survives, but the privacy guarantee (nobody is looking) is gone.
- Signal's position: scanning won't protect children and builds surveillance infrastructure that "endangers us all."
- Security: once scanning exists on every device, the match-database can be expanded — swap it and you're scanning for slogans, documents, faces. Signal would withdraw from the UK rather than build a backdoor. Mullvad raised parallel alarms.
- Misdiagnosis: real child safety = better-funded education, social services, AI-platform guardrails — not default scanning. Rallying phrase: "Surveillance is not safety."
- Bigger picture: This is a template (cf. the EU's "Chat Control"). Sympathetic justification + a mechanism that, once built, can point anywhere.

Curious question: Not is the goal good? (it usually is) but what else can this machine do once built, and who decides what it points at next?
Segment 4 — iOS 27 at WWDC: the Privacy Fine Print

Apple WWDC 2026 keynote coverage.

Genuine wins: New Siri AI (next-gen Apple Intelligence) uses a tiered architecture — simple requests on-device, moderate ones via Private Cloud Compute (inspectable, hardened). Plus stronger family safety: child-account setup, parental controls, redesigned Screen Time, new Safari safeguards.

The fine print (two concerns):

- Total context access. Siri AI indexes across your messages, emails, photos, and apps — a unified, queryable view of your whole digital life. Conversation history syncs via iCloud ("with privacy protections"), but strength depends on whether you've enabled Advanced Data Protection (Apple's E2EE for iCloud — not on by default).
- New Google dependency. Apple made official a Gemini partnership — the heaviest reasoning routes to Google Cloud. Apple says queries are anonymized and tokenized so neither Apple nor Google can link them to you (Federighi: "privacy in AI is non-negotiable"). Critics counter that PCC/anonymization is "only as private as the weakest link" — if Google retains any path to usage data for training/debugging, the guarantee weakens.

Takeaway: Apple's defaults are still among the best of the mainstream — but don't let "privacy" in a keynote switch off your curiosity. On update: review Siri AI indexing settings, turn on Advanced Data Protection, and understand where your hardest queries travel.

Curious question: A magical assistant that knows everything about you is, by definition, a system granted everything about you. Did you make that trade on purpose?

Segment 5 — Self-Hosting 101: What to Migrate First

Original recurring segment — Part 1 (scope). Part 2 next week: hands-on photos build.

Self-hosting = run the services yourself, on hardware you own, instead of renting space on a company's servers. It's the deliberate counter-move to every other story this week. Honest caveat: you become your own IT department (backups, updates, downtime).
Don't eat the elephant at once — scope first.

The five candidates (ranked by impact-to-effort):

- Photos — highest emotional and surveillance value (faces, locations, timestamps). Self-host with Immich (Google-Photos-like: app, auto camera-roll backup, face/object search). Difficulty: moderate; biggest single win.
- Calendar — a forward-looking map of your life. CalDAV via Radicale or Nextcloud; syncs to your existing calendar app. Easy–moderate; great first project.
- Contacts — your social graph (everyone else's data too). CardDAV on the same Radicale/Nextcloud server — bundle it with calendar. Easy.
- File backups — documents a