1
00:00:00,000 --> 00:00:04,400
Welcome to the deep dive, where we cut through the noise, get right to the source and

2
00:00:04,400 --> 00:00:05,100
deliver the knowledge

3
00:00:05,100 --> 00:00:09,480
directly to you. Today, we're digging into something that, well, I think affects

4
00:00:09,480 --> 00:00:10,880
everyone. It really does.

5
00:00:10,880 --> 00:00:14,870
We're talking about the permanence paradox. Yeah, this, this digital reality where

6
00:00:14,870 --> 00:00:17,080
nothing ever truly disappears.

7
00:00:17,080 --> 00:00:20,920
You know the drill right there. You need to send a password, maybe an API key, to a

8
00:00:20,920 --> 00:00:23,620
co-worker. Yep. So where does it go?

9
00:00:23,620 --> 00:00:26,520
Slack, Teams,

10
00:00:27,640 --> 00:00:30,520
email. And in that moment you think it's easy.

11
00:00:30,520 --> 00:00:35,080
You think it's fast, but you've just created a permanent record, a permanent paper

12
00:00:35,080 --> 00:00:35,440
trail.

13
00:00:35,440 --> 00:00:41,240
That data is now sitting in server logs, in backups. It's probably on a dozen

14
00:00:41,240 --> 00:00:41,760
devices.

15
00:00:41,760 --> 00:00:43,960
It just never dies, never truly goes away.

16
00:00:43,960 --> 00:00:44,160
Okay.

17
00:00:44,160 --> 00:00:48,120
Let's unpack this. The whole point of this deep dive is to look at a surprisingly

18
00:00:48,120 --> 00:00:51,960
simple solution: the one-time link, or an ephemeral secret.

19
00:00:52,120 --> 00:00:55,990
Exactly. We're giving you a beginner's blueprint for understanding how this tech

20
00:00:55,990 --> 00:00:58,080
offers a cure for that digital permanence, right?

21
00:00:58,080 --> 00:01:01,080
But before we jump into the secure protocols,

22
00:01:01,080 --> 00:01:04,750
we just want to take a moment to thank the partner who makes this entire deep dive

23
00:01:04,750 --> 00:01:07,240
possible. Safe Server takes care of

24
00:01:07,240 --> 00:01:11,610
hosting this software and supports you in your digital

25
00:01:11,610 --> 00:01:12,360
transformation.

26
00:01:12,360 --> 00:01:16,320
More info at www.safeserver.de

27
00:01:16,320 --> 00:01:21,320
So our mission today really is to focus on this idea of secure

28
00:01:21,640 --> 00:01:26,120
ephemeral sharing. We're using a tool called Onetime Secret as our main example, and

29
00:01:26,120 --> 00:01:27,040
for you, the listener,

30
00:01:27,040 --> 00:01:29,960
it doesn't matter if you're a developer or just someone sharing the Wi-Fi password

31
00:01:29,960 --> 00:01:30,920
with a friend.

32
00:01:30,920 --> 00:01:35,340
The goal is to show you how this technology keeps your sensitive info out of those

33
00:01:35,340 --> 00:01:38,120
really risky places like your chat logs and your inbox.

34
00:01:38,120 --> 00:01:40,680
Right, and the whole idea behind Onetime Secret is just,

35
00:01:40,680 --> 00:01:45,560
it's brilliantly simple, isn't it? It's designed to kill that digital risk. But the

36
00:01:45,560 --> 00:01:47,900
question is how. How does it actually make something,

37
00:01:48,440 --> 00:01:53,220
well, ephemeral? Yes. How does it really disappear? The mechanism is, it's both

38
00:01:53,220 --> 00:01:54,460
secure and, you know,

39
00:01:54,460 --> 00:01:59,750
elegantly simple. A one-time secret is just delivered via a link, a single-use URL. A

40
00:01:59,750 --> 00:02:00,860
single-use URL.

41
00:02:00,860 --> 00:02:02,720
But here's the crucial part.

42
00:02:02,720 --> 00:02:06,510
The data isn't just sitting naked in the link. The second the person on the other

43
00:02:06,510 --> 00:02:06,720
end

44
00:02:06,720 --> 00:02:11,170
clicks it and views the information, the system triggers a self-destruct sequence.

45
00:02:11,170 --> 00:02:13,560
It's permanently erased from the server. The aha

46
00:02:14,400 --> 00:02:19,130
moment there isn't just about security. It's, it's about control, I think. Yes, you

47
00:02:19,130 --> 00:02:21,140
get control back over how long your data lives.

48
00:02:21,140 --> 00:02:25,680
You share it, it's used, and then it's just gone. That's the key.

49
00:02:25,680 --> 00:02:30,840
It's secure one-time message sharing in a world where every company is archiving

50
00:02:30,840 --> 00:02:32,760
every email for years

51
00:02:32,760 --> 00:02:35,240
and data breaches are a weekly thing.

52
00:02:35,240 --> 00:02:39,990
This gives data a temporary existence. It just removes the liability of having a

53
00:02:39,990 --> 00:02:42,960
password sitting in an email from, you know,

54
00:02:42,960 --> 00:02:48,000
five years ago. But wait a second, if the data is deleted forever the moment it's

55
00:02:48,000 --> 00:02:48,280
viewed,

56
00:02:48,280 --> 00:02:52,920
doesn't that create a headache for companies? What about compliance? An audit trail,

57
00:02:52,920 --> 00:02:53,480
exactly.

58
00:02:53,480 --> 00:02:57,310
How can a company prove anything about their secure communications if the messages

59
00:02:57,310 --> 00:02:58,040
just vanish?

60
00:02:58,040 --> 00:03:02,390
That's a really important question. The focus of a tool like this isn't on auditing

61
00:03:02,390 --> 00:03:03,080
the content.

62
00:03:03,080 --> 00:03:07,440
It's on making sure that content can't be audited by a bad actor later on.

63
00:03:07,440 --> 00:03:11,000
So the trade-off is maximum security over long-term retention.

64
00:03:11,000 --> 00:03:15,040
So the audit trail changes from "what was the password?" to

65
00:03:15,040 --> 00:03:20,700
"did we use a secure method to share a secret at this specific time?"

66
00:03:20,700 --> 00:03:25,130
Precisely. Okay. Here's where it gets really interesting for me. If we're trusting a

67
00:03:25,130 --> 00:03:26,320
web service with this,

68
00:03:26,320 --> 00:03:31,320
what's protecting that self-destructing message before anyone even clicks the link?

69
00:03:31,320 --> 00:03:33,820
It's all about a layered security stack.

70
00:03:33,820 --> 00:03:38,160
So first, the fundamental layer is what we just talked about: the message is

71
00:03:38,640 --> 00:03:42,800
temporary. It deletes after being viewed or after a certain amount of time, right?

72
00:03:42,800 --> 00:03:47,280
And second, before it's even viewed, it's protected by strong server-side encryption,

73
00:03:47,280 --> 00:03:49,960
meaning even if the server itself gets compromised,

74
00:03:49,960 --> 00:03:55,180
the data is just encrypted junk. It's useless without the keys. And then for anyone

75
00:03:55,180 --> 00:03:56,400
who's extra diligent,

76
00:03:56,400 --> 00:03:59,580
you can add passphrase protection. So you're putting a password on the password

77
00:03:59,580 --> 00:04:00,360
link, essentially.

78
00:04:00,360 --> 00:04:04,250
Yeah, you're putting a lock on the unique link itself. So you're not just relying

79
00:04:04,250 --> 00:04:05,400
on the link being secret.

80
00:04:05,400 --> 00:04:09,750
You're relying on actual cryptography. And you mentioned time limits. Can users set

81
00:04:09,750 --> 00:04:10,760
those themselves?

82
00:04:10,760 --> 00:04:13,840
Absolutely, the system has

83
00:04:13,840 --> 00:04:17,670
customizable expiration. So if, you know, your colleague is only gonna check it in

84
00:04:17,670 --> 00:04:18,180
the next hour,

85
00:04:18,180 --> 00:04:21,040
you can set the secret to expire in 60 minutes.

86
00:04:21,040 --> 00:04:24,950
Which stops the link from just floating out there in the ether forever if they

87
00:04:24,950 --> 00:04:28,640
ignore it. Exactly. Now, with any security tool, trust is,

88
00:04:28,640 --> 00:04:30,760
well, it's everything.

89
00:04:30,760 --> 00:04:34,780
How do we know we can actually trust the code when we're giving it our most

90
00:04:34,780 --> 00:04:35,760
sensitive info?

91
00:04:35,760 --> 00:04:40,090
Well, that kind of trust demands transparency, and what's really fascinating here is

92
00:04:40,090 --> 00:04:42,600
that the code base is completely open source.

93
00:04:42,600 --> 00:04:47,250
Okay, that's huge. It's critical for security tools. It means the entire global

94
00:04:47,250 --> 00:04:49,380
security community can audit the code.

95
00:04:49,380 --> 00:04:53,600
They can check the cryptography, they can find bugs before they become a problem.

96
00:04:53,600 --> 00:04:57,420
So you aren't just trusting one company, you're trusting the eyes of thousands of

97
00:04:57,420 --> 00:04:58,740
experts. That's the idea.

98
00:04:58,740 --> 00:05:03,080
So for you, the beginner listener, the easiest way in is the web interface, right?

99
00:05:03,080 --> 00:05:05,520
It's the fastest way to just generate a secret.

100
00:05:05,520 --> 00:05:09,180
You can even try it out at onetimesecret.com and see for yourself how it works.

101
00:05:09,180 --> 00:05:11,480
That's the perfect starting point.

102
00:05:11,480 --> 00:05:16,320
But this tool is also built for, you know, for scale and for integration, for more

103
00:05:16,320 --> 00:05:17,560
advanced use, right?

104
00:05:17,560 --> 00:05:19,480
If you're building this into a business workflow,

105
00:05:19,480 --> 00:05:24,630
you can use the API, a REST API that lets you automatically generate these secure

106
00:05:24,630 --> 00:05:26,360
links right from your own apps.

107
00:05:26,360 --> 00:05:30,230
A lot of security-conscious companies would probably want to host this themselves

108
00:05:30,230 --> 00:05:32,840
though, right, instead of using a public website?

109
00:05:32,840 --> 00:05:37,380
Oh, absolutely. Self-hosting gives you the most control, and the configuration is

110
00:05:37,380 --> 00:05:38,540
really flexible.

111
00:05:38,540 --> 00:05:42,280
What do you mean? For example, a company could disable the web interface entirely,

112
00:05:42,280 --> 00:05:45,480
forcing everyone to go through an authenticated API.

113
00:05:45,480 --> 00:05:50,330
Or just require authentication for anyone who wants to create a secret. Exactly, you

114
00:05:50,330 --> 00:05:51,320
get total control.

115
00:05:51,320 --> 00:05:54,420
And what does that look like on the technical side? We don't need to get into the

116
00:05:54,420 --> 00:05:54,680
weeds,

117
00:05:54,680 --> 00:06:00,720
but what are the basic parts needed to run something like this? Well, to handle all

118
00:06:00,720 --> 00:06:01,960
that creating and,

119
00:06:01,960 --> 00:06:07,160
you know, instant deleting of secrets, you need a fast application framework.

120
00:06:07,160 --> 00:06:12,750
The sources say it's built on Ruby, and it's backed by a really high-speed key-value

121
00:06:12,750 --> 00:06:15,100
store. Something like Redis is

122
00:06:15,100 --> 00:06:19,830
perfect for holding on to those secrets for a few minutes or hours before they're

123
00:06:19,830 --> 00:06:20,720
flushed forever.

124
00:06:20,840 --> 00:06:25,210
The source documentation had a pretty stark warning about something called a

125
00:06:25,210 --> 00:06:26,660
persistent secret key.

126
00:06:26,660 --> 00:06:31,860
What's the critical takeaway there for anyone running their own instance? That

127
00:06:31,860 --> 00:06:32,600
secret key,

128
00:06:32,600 --> 00:06:37,340
it's the absolute foundation of your deployment security. Has to be a long,

129
00:06:37,340 --> 00:06:42,320
random, securely generated key, and you generate it once and back it up somewhere

130
00:06:42,320 --> 00:06:42,560
safe.

131
00:06:42,560 --> 00:06:45,360
You have to. If you lose that key, you could lose access.

132
00:06:45,360 --> 00:06:49,460
But even worse, if it's weak or it gets compromised, all that server-side encryption

133
00:06:49,460 --> 00:06:50,640
is basically worthless.

134
00:06:50,840 --> 00:06:55,190
Wow, and there's another non-negotiable rule for any production deployment. You

135
00:06:55,190 --> 00:06:56,400
have to set SSL to true.

136
00:06:56,400 --> 00:06:58,280
You have to run it over HTTPS.

137
00:06:58,280 --> 00:07:02,240
You must. Running a security tool that handles passwords over the open internet

138
00:07:02,240 --> 00:07:03,880
without encryption, it

139
00:07:03,880 --> 00:07:08,200
completely defeats the whole purpose. It's a powerful reminder, isn't it?

140
00:07:08,200 --> 00:07:12,300
Oh, the best security tool in the world can be defeated by one bad configuration

141
00:07:12,300 --> 00:07:12,680
choice.

142
00:07:12,680 --> 00:07:16,760
Absolutely. Now if we zoom out a bit and connect this to the bigger picture,

143
00:07:17,520 --> 00:07:22,090
Onetime Secret isn't working in a vacuum, right? It's part of a whole ecosystem of

144
00:07:22,090 --> 00:07:24,560
these tools. A really dynamic,

145
00:07:24,560 --> 00:07:28,780
growing ecosystem. They're all trying to solve the same problem:

146
00:07:28,780 --> 00:07:32,720
email and chat are just not safe for sensitive data.

147
00:07:32,720 --> 00:07:36,820
So to give you, the listener, some context on the market, we did look at a few other

148
00:07:36,820 --> 00:07:37,840
services in this space.

149
00:07:37,840 --> 00:07:42,470
For example, there's Proton URL. Mm-hmm. It's designed for simplicity and it's

150
00:07:42,470 --> 00:07:44,240
available in 15 languages,

151
00:07:44,240 --> 00:07:48,320
which really shows you this is a global problem. Then you have something more

152
00:07:48,320 --> 00:07:49,720
specialized like PW Push.

153
00:07:49,720 --> 00:07:52,660
It's really focused on passwords for IT teams.

154
00:07:52,660 --> 00:07:57,460
It uses browser cookies and self-destructing links for that specific use case. And

155
00:07:57,460 --> 00:08:00,360
for users who need, you know, extreme anonymity,

156
00:08:00,360 --> 00:08:03,160
there's a service called scrt.link, right?

157
00:08:03,160 --> 00:08:07,500
That one's aimed at, say, journalists or whistleblowers, where the privacy of the sender

158
00:08:07,500 --> 00:08:10,300
is just as important as the security of the message.

159
00:08:10,300 --> 00:08:14,540
We also saw one called Cryptgeon. That one's interesting because it goes beyond

160
00:08:14,540 --> 00:08:15,120
just sharing.

161
00:08:15,120 --> 00:08:19,660
It includes a secret generator, a password generator. Well, it's more like a little

162
00:08:19,660 --> 00:08:20,360
security toolkit.

163
00:08:20,360 --> 00:08:25,610
And just to show how broad this field is, the sources even mentioned TeamPassword,

164
00:08:25,610 --> 00:08:27,000
which is a bit different.

165
00:08:27,000 --> 00:08:29,760
That's more of a team password manager. Yeah, it's for collaborative storage, but

166
00:08:29,760 --> 00:08:31,820
it highlights the same core issue.

167
00:08:31,820 --> 00:08:37,400
People are desperate to get passwords out of their inboxes. And we have to add a

168
00:08:37,400 --> 00:08:38,920
critical thinking point here.

169
00:08:39,200 --> 00:08:43,480
The sources are really clear that listing these competitors doesn't mean they

170
00:08:43,480 --> 00:08:45,800
endorse them. It's just for context, right?

171
00:08:45,800 --> 00:08:50,400
Whenever you are handling sensitive information, you have to do your own research.

172
00:08:50,400 --> 00:08:54,540
You have to do your due diligence on whatever service you choose. So what does this

173
00:08:54,540 --> 00:08:55,280
all mean?

174
00:08:55,280 --> 00:09:00,050
I think the big takeaway here is one of empowerment. I don't grow this idea that

175
00:09:00,050 --> 00:09:01,920
our digital data is permanent.

176
00:09:01,920 --> 00:09:04,720
It doesn't have to be a given.

177
00:09:04,720 --> 00:09:09,440
Tools like this let us bring back ephemerality when and where we need it. It gives

178
00:09:09,440 --> 00:09:11,540
you control over the lifecycle of your secrets.

179
00:09:11,540 --> 00:09:15,680
Exactly, and you know, this leads to a really fascinating final thought for you to

180
00:09:15,680 --> 00:09:16,080
explore.

181
00:09:16,080 --> 00:09:21,490
The sources are surprisingly open about this: the development of the Onetime Secret

182
00:09:21,490 --> 00:09:23,620
software was done with help from AI tools,

183
00:09:23,620 --> 00:09:27,000
specifically Claude, Google Gemini and

184
00:09:27,000 --> 00:09:31,640
GitHub Copilot. Wow, okay. For a security application? For a security application, and the

185
00:09:31,640 --> 00:09:33,400
developer chose to be transparent about it.

186
00:09:33,400 --> 00:09:35,400
So the question to think about is:

187
00:09:35,400 --> 00:09:41,450
considering that security relies on trust and human verification, hmm, does knowing

188
00:09:41,450 --> 00:09:44,360
that AI helped generate the code for a security tool,

189
00:09:44,360 --> 00:09:46,960
does that increase your confidence in it?

190
00:09:46,960 --> 00:09:50,820
Or does it decrease it? That is definitely something to chew on, especially as AI

191
00:09:50,820 --> 00:09:51,640
gets baked into,

192
00:09:51,640 --> 00:09:56,880
well, everything. It's a big question for the future of software development and a

193
00:09:56,880 --> 00:09:57,880
perfect place to end.

194
00:09:58,000 --> 00:10:02,190
Thank you for joining us on this deep dive into ephemeral secrets. Our pleasure. Safe

195
00:10:02,190 --> 00:10:03,160
Server takes care of

196
00:10:03,160 --> 00:10:07,110
hosting this software and supports you in your digital

197
00:10:07,110 --> 00:10:11,540
transformation. More info at www.safeserver.de

198
00:10:11,540 --> 00:10:15,160
Thanks for listening. We'll see you next time.