u/dkong1026: What are the most effective ways (for you/in your opinion) to keep up with the ever-evolving tech ecosystem/landscape? Security and crypto move fast!

As much as it sucks in other ways, Twitter is pretty good for keeping on top of the latest security news, especially during conferences where people are live-tweeting the talks and papers coming out. I'm also on a private mailing list run by a friend who aggregates and sends out links to security news articles.

@PandaCP78 (Twitter): What are the tasks you perform daily at your job?

Lately a lot of security reviews, which is a code review/audit that focuses on security and privacy aspects of a feature before it is merged. I also write code, mostly security or privacy related fixes. I try not to be invited to any meetings :P.

u/scooptoop: What led you to join Brave?

I thought it was great that finally, someone was trying to improve privacy on the web (blocking ads and trackers) in a way that could be financially sustainable through micropayments.

u/groovingraphs: Hi Yan, big fan :) I myself am a big believer in new business models that have the potential to make fundamental changes in industries, which I believe BAT is well positioned to do. I have tried to play devil's advocate for myself in analyzing BAT and have not come up with as many visions of road bumps as I'd like. So in your opinion, what are the biggest hurdles BAT and Brave face in taking on the biggest in the BIZ and trying to convert such a large user base?

Not sure if I would call it the biggest hurdle, but a big hurdle is convincing people (non-cryptocurrency/tech people especially) that they should use a new browser. Probably the most common question I’m asked when I meet someone who hears about Brave for the first time is, "why should I use this over my existing browser?" A lot of people think that the idea of blocking ads/trackers by default and offering privacy-protecting ways to pay publishers is cool, but they are not really incentivized to pay for something that's been ostensibly "free" for them. There's also the chicken-and-egg problem of getting publishers signed up to receive Brave Payments. (Some publishers don't find it worth the effort to sign up until there are sufficient Brave paying users, some users aren't interested in using Brave Payments until they see that their favorite publishers can be paid through Brave.)

u/shumwhere: I feel obligated to vet your claim as an information security expert by asking: What is your password? If the Brave browser is collecting data on-device, will there be anything built in to protect its users from having that data stolen by hackers? I get it doesn't make sense to target users individually so I'm speaking more to something like a virus, worm, etc., that spreads across millions of devices that does it.

My password on every site is p@ssw0rd obviously. Brave's local data collection is not really more significant than other browsers' IMO, since every browser in non-incognito mode will generally write your browsing history to disk by default so it can show you the history after a browser restart. Like Chrome/Chromium, we have some protections against people getting their devices hacked in the first place:

- SafeBrowsing, a blacklist of sites which are known to spread malware/viruses or engage in phishing
- Running tabs in sandboxed processes such that it's harder for a website to get remote code execution
- Protecting sensitive data like passwords on-disk encrypted with a key in the system keychain

Brave also has some additional protections:

- Blocking ads helps block malware that is spread through ads
- HTTPS Everywhere is built-in to upgrade connections to HTTPS when possible
- Prominently showing the origin of downloads in the download bar since this can be different from the site that is currently being viewed

u/SuperSiayuan: What do you think of the Metamask project? Should more people be aware of it and are you using it?

We've worked with Metamask at Brave since it is integrated into Brave on desktop. I think it's one of the most promising and usable Ethereum wallets out there. The only blocking feature that was missing for me was hardware wallet support, which they recently added! https://medium.com/metamask/metamask-now-supports-ledger-hardware-wallets-847f4d51546

u/Cryptotips_io: Hi Yan, thank you for taking the time to do an AMA! What are the biggest opportunities, as well as challenges, you face with your work at Brave Software?

Opportunity: Help publishers get paid in a way that doesn't wreck people's privacy. Challenges: Convincing people they should try this out.

u/AdmirableAwareness4: What, if any, efforts are being made to solve the privacy problems in Chromium, on which the Brave engine is based?

Privacy in general or privacy WRT leak-proofing in Tor (which is the doc you linked to)? For the former, we're working on blocking all connections to Google by default, have removed Google Accounts/telemetry/sync, and are looking into lifting patches from the Ungoogled Chromium project, among other things. For the latter, some of the bugs in https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs have been resolved in Chromium itself since that page was last updated. We block Flash, FTP, and WebRTC in Tor mode and block QUIC and DNS prefetching generally. The big outstanding issue is certificate fetches on non-Linux platforms, which we are going to look into after the new Chromium-based Brave is released.

u/SuperSiayuan: If you picture a utopia (or the closest thing to it) in about 100 years, what does it look like in regards to security, privacy, traffic monitoring, etc.?

Hopefully global warming is in check by then, since that is a prerequisite to people being around to care about security/privacy. 🙂 Traffic monitoring: All connections are HTTPS with encrypted SNI and some kind of protection for DNS so that a passive traffic monitor can't see any domain names that people are visiting. It would be cool if we got rid of the ad-funded web by then. I kind of imagine the Bandcamp funding model applied to every type of content on the web.

u/dkong1026: I have a few music-related questions. Feel free to answer any or all of these :D. Sorry for all the questions. Been following you on Twitter for a while now and always thought you've been involved in cool stuff. How do you balance your time between music and tech? Both of them are time-consuming and demanding fields, I can imagine it's dizzying trying to keep track of it all. What software and/or hardware do you use? Favorite venue you've played at? (Burning Man, by chance?).