Boring Security DAO joins us!🎙

Recorded: Feb. 9, 2024 Duration: 1:08:19

everybody, welcome back.
Please cue the music.
Everybody, welcome back to another AMA with Moby Media.
Today, we do have John from Boring Security DAO.
Super interesting.
They're doing a lot of great stuff in the space, in the industry.
John, I definitely want to unpack a ton here today,
but before I do, I want to add Evil and Drew as well.
John, Evil, Drew, how's everybody doing?
Good morning, good morning.
Jim, Jim.
Jim, Jim.
John, I will say this.
You have a great looking doodle.
I'm not sure if it resembles the way you look in person,
but it's pretty, it's a pretty good looking doodle.
It's super clean.
It is pretty similar to what I look like in person.
A while back, I was looking at the doodles
that were sitting on the floor, and I just
kept waiting and waiting for one that actually spoke to me.
And this wasn't the one.
It was the doodle, but I've gotten really attached to it.
Yeah, and the reason why I bring that up, John,
is because I'm doing that currently right now.
I have a bunch of tabs open on my Mac,
and one of them is the current doodles floor.
So we'll see what happens.
A lot of good stuff.
John, so we can unpack this, right?
For those that don't know you, those that maybe do know you,
have seen your name, have seen what you guys are doing.
If you can unpack that, who you are, what you're doing,
what you guys focus, your mission is,
all that fantastic stuff.
Sure, so I'm John.
I am one of the instructors over at Boring Security.
For my day job, I mostly work with companies, projects
in the space, helping them with their Discord security.
For Boring Security, I'm teaching their social media
security class.
Boring Security is basically like a public good for Web 3.
It's a group, an organization that's
offering free classes for basically everything Web 3
security under the sun.
So there is a whole bunch of different classes
that we offer, including sort of a general security 101,
a more in-depth 102 class that goes more in depth
with how contracts actually work and how you can explore
contracts better.
And then, like I said, the social media security class.
And then we also have a new sleuthing class
as well that helps you track transactions
across different blockchains.
And like I said, it's free.
So it's partially funded by the Bitcoin DAO,
which is really awesome.
And it works with a whole bunch of different communities
to even do sort of co-branded community classes as well.
A lot of great stuff.
How did you?
So I will say this first before I ask the question.
Security, as we know, it's needed.
But unfortunately, it is not a super sexy topic
unless something super negative happens.
The sexiness of security runs in complete parallel
with the negative things that transpire.
So when something happens like the way it did two months ago,
I do want to unpack how the whole thing happened
from front end as well if you're allowed to talk about it.
So those two things run, I guess, in parallel,
in my opinion, at least.
John, how did you guys kind of get around to the think
about it, the conversations, to start boring security?
Because I mean, obviously, it's something that's needed for sure.
What was that initial, like, OK, the space needs this right now.
And we can't wait for this need.
It has to happen right now.
So I was not around during the founding days.
Feld is the founder behind boring security.
Unfortunately, he's in ancient time zones.
So it's a little difficult for him to find time for spaces
because of the differences in time zones.
But Feld is a huge, huge active community member
inside of the Bored Ape community.
And I don't know how many of you people in the audience
were around during the last bull market.
But there was a bit of a meme going around at that point
where people were just making fun of the Bored Apes
because they were constantly getting drained.
They have a very highly valuable NFT.
And a lot of the community members
with those in the Bored Ape community just
were new to crypto in general.
And there was a lot of phishing going around at the time
and a lot of people losing their assets.
So that, I think, was Feld's focus and mission
was to just make it so that no ape got drained again.
And from that point on, we've taught so many different
classes past just the Bored Ape Yacht Club community
and helped so many different people out.
One other thing that I think that's important to note
is our success rate with our alumni who've taken our classes
is really, really good.
Once people take those classes, they really
don't get drained anymore.
So just a little bit of knowledge
can save all the assets that you've made in the space so far.
John, so obviously, those that don't own a Yuga asset
can still take part in the classes.
You mentioned that's free.
How does that process look like?
Do I join the Discord?
Do people join the Discord?
Do they do this?
Do they do that?
What's kind of that process?
And it's literally, there's no barrier to entry here.
So what's the process look like and then
take us through the things that the people would
learn in the course if taking those things that
would cater to the massive success rate
you guys currently have?
Sure, so if people are interested in the classes,
all they have to do is join the Boring Security Discord.
There are calendars that are posted every month,
which list all the different classes
that we're offering that month in the different languages
that they're offering them.
A big push that we're focusing on
is making sure that we have as many different languages
represented as possible.
So I know we have Spanish, German.
I think we're working on French.
I'm not certain.
Drew, if you know what all the languages we're doing this
month are, feel free to speak up.
But yeah, after you join the Discord,
there's a bunch of different ways
that you can get involved and get into these classes,
depending on which one works with your schedule
and the language that you speak.
As for the content that we actually go over,
and there's a lot, talking about different things
like how you should actually set up your wallets,
so making burner wallets and things like that.
We talk about hardware wallets, cold wallets.
We talk about delegating your wallets.
Basically, we go over a lot of different tools
and different protections that you can put in place
if you are participating in riskier things
like mints and transactions.
And yeah, Drew?
Yeah, I was just going to add on to this month.
And I'm also part of Boring Security
as well, contributed there.
We have German, Portuguese, and English.
And soon, it definitely will be French.
And then we're also exploring other language
as a crossover to our Chinese, Japanese, Asian friends
over the seas as well.
A ton of great stuff.
You guys are definitely branching out, which is awesome.
If I had to ask you guys, who are the courses slash classes
for that are, once again, free?
Who are they for, the beginner in crypto,
the kind of maybe the seasoned veteran,
the person who's been here for 10 years?
Who are these classes for?
And then to stack that question, is security in this industry
I guess forever evolving, forever changing, forever
bettering itself, forever innovating,
and that anyone doing anything that
has really an on-chain wallet, regards
of the profiling of that person 10 months, 10 years,
needs to be somewhat involved?
So yeah, the classes are for everyone.
We don't have any classes at this point
that I think are super focused and technical for a developer
or anything like that.
It's meant for the average person in Web 3.
That being said, the content that we
go into in each of these classes can get really in depth.
So I've taken the 101 and the 102 courses as well.
And even though I'm in Web 3 full time every single day,
I still learned a ton because there's
a whole bunch of really technical details
that are unveiled and talked about
through all the different content that we go over.
And the other thing that I think is important to note
is these are live classes.
So there's an actual instructor there teaching you
these courses.
So if there's just an interesting topic that
gets brought up, so for instance,
blind signing with your ledger.
And you want to learn more about it
than what the course currently talks about,
you can just ask a question with the instructor.
Number one, they love that.
They love class participation.
Number two, it's a professional, a technical person
that you can actually ask live questions to
and learn a whole lot more about that topic
than what's just on the slides.
So it's a really good experience that I
think not enough people are taking advantage of in the space.
Yeah, John, I would tend to agree.
You probably, to some extent, get
an influx of people joining that I would just
think without accessing the data.
Behind this, based on every time a hack happens,
I think people start to care about security
for about 24 hours.
And then after that hack is done on a timeline,
it's almost mostly forgotten about with most people,
not to throw a really blanket statement there.
That's how I feel.
I've seen it happen multiple times.
Hack happens.
Timeline cares for six seconds.
People write threads.
And obviously, the people that are doing this day and day,
like you guys are, you, Drew, John, all your teams,
even Michael, even Michael from WalletGuard,
you guys doing it day in, day out,
those are the constant on a continuum.
But the other ones are just like, ah, two hours,
we'll do something.
And then we'll not think about it until we get drained
or until the next thing happens, which absolutely sucks.
John, if I have to ask you, what are the greatest attack
vectors that you've seen become effective
that people should start to combat or know that's happening?
So if I had to ask you, give me two or three things
that you've seen that happened at scale from.
It happens more often than the other things do,
from an attack vector standpoint.
And how can we combat those things that happen more
frequently than others do?
In terms of tactical side from a hacker scam
or that type of thing.
The biggest thing right now that I
think is giving a lot of security people
in the space a hernia is all the SIM swapping that's
happening and the fact that so many different crypto-related
accounts on Twitter are falling victim to it.
If you have a large Twitter account,
just go and remove your phone number from your Twitter.
That's the easiest thing to do.
It's going to help secure your account a lot.
You should already be aware of how bad SIM swapping
is in this space.
Basically, assume your phone number
is always going to be compromised.
And if you start from that assumption,
you can make sure to never use SMS-based 2FA.
But yeah, that's the biggest issue right now.
And partially, I think the explanation and the reasoning
behind that is when a crypto startup is small
and it's three people in it, the founders and maybe
one technical founder, everyone involved is involved in the space.
Everyone knows what not to do.
I think the big issue is when crypto startups start to grow.
They don't have good onboarding policies.
They don't have good procedures getting new employees onboarded.
And that growth period is when I see a lot of these issues
start popping up in companies.
So when they hire a new marketing person who's
never worked in crypto before, that's
when you start seeing the SMS-2FA appear on accounts.
So another side lesson in that is
making sure that if you're working in a company,
making sure you have good onboarding policies and procedures
to actually train new hires to be aware of all the risks
that they have to face in this space.
Which honestly, part of your onboarding procedures
can be as simple as go join Boring Security,
complete all the classes.
It can be that simple.
We give out actually a little co-app
if you complete the class.
So you can actually check if your employee has completed
the class that way.
A simple onboarding procedure like that,
I barely ever see anything in any crypto companies
even doing things like that.
Yeah, I have some follow up questions
before we go to my questions.
Evil, over to you.
I just have a quick follow up question.
And thanks again for having me.
It's great to see you again, John.
I'm just wondering how you guys are thinking
about that issue, which I agree is pretty massive,
in the context of what Twitter has been doing,
pushing this phone number 2FA
and making it a feature of premium accounts.
Just kind of really encouraging people to do it.
And then slash, if you have a premium account
and you do remove your phone number,
it's interesting because if you, for whatever reason,
lose your tick and you need to re-sign up,
then they require you to reattach your phone number.
And I'm just wondering how you guys are thinking about that
and whether or not maybe there's a dialogue
with Twitter around that.
Yes, there is the dialogue with Twitter.
And yes, I am bitterly complaining constantly.
Don't worry.
My recommendation, so the issue is Twitter
has two things going wrong for them, right?
They have a security issue, obviously,
because of all the account takeovers.
But the bigger issue that they're trying to combat
is the spam issue, right?
I actually just signed up for a new Twitter account recently
for a project I'm working on.
I'm not gonna show it here, promise.
But it took me 60 CAPTCHA entries
to actually sign up for the account.
That's how bad the new account creation process is.
And the irony here is about CAPTCHA entry 45
is when I started sitting down and being like,
I can probably go buy a Twitter account for like five cents
and it would be easier than this whole process.
So they have a massive spam issue, massive bot problem.
And they're definitely trying to solve that.
So I think that's the reason why we're having so many issues
on the security front is just because the bigger issue
that they're trying to solve is that spam issue.
On the security front, especially around 2FA,
my recommendation for both them as well as a lot
of different companies in the space
is you shouldn't have one standard security policy
across all users.
It doesn't make sense.
It doesn't make sense from a marketing perspective
and it definitely doesn't make sense
from a security perspective.
So whether you're Twitter or a Bitcoin exchange
or whatever type of company,
you should evolve your security policies based on your user.
So what that would mean for Twitter is if you're a new account,
you don't need 2FA, who cares?
Like you have five followers, you don't care about it.
It's too much of a hassle to whip out your phone
to enter into 2FA.
And once you get 1,000 followers,
now you're a little bit of a target, right?
So at that point, maybe requiring email 2FA
would be a good idea.
At 10,000 followers, maybe that's
when you require at least app-based 2FA.
At a million followers, maybe that's
where you require security key 2FA.
So just evolving the security practices of your users
as they become more and more of a target,
I think, is a really good thing for companies to do,
which again, I don't really see that a whole lot of the time.
John, do you guys kind of stock people's question here?
Do you guys take care of that entire process
with brands you guys work with?
Or is this totally something they
have to do kind of themselves, like the entire process,
the rundown top to bottom, bottom to top
of a security protocol?
So Boring Security is focused just on education.
And really, education of communities,
not so much education of projects
and how they can keep themselves secure.
But Boring Security is filled with lots of individuals
like myself and Drew over there who also
do security-related things on the side
that you can always hire us for consulting-wise.
We just added a couple of new contributors,
including Beau from Pudgy Penguins.
It is Beau, yeah, who is like internal in the Pudgy
Penguins team, which is something I love to see.
I think more Web3 companies need
to be hiring a dedicated community-focused security
I think it's just awesome.
Yeah, Drew?
Yeah, I was just going to add to Eagle and Andrew's questions
as well, specifically Boring Security.
I mean, the classes are live.
It actually is Q&A.
So a lot of times when we are teaching these classes,
there's a lot of misnomers that we get often questions asked
that we can just go ahead and provide an accurate security
answer to the questions that maybe people just float around
and they have no idea.
And they just want a main source of truth, which
is Boring Security.
And all of the classes are updated.
We update them pretty frequently.
So it's not like the information in the classes is outdated.
We use real-time examples.
We update all the time.
And it's a really good experience
because the education part is extremely key.
If we're up here saying remove SMS 2FA
because it's bad, like explaining,
understanding why it's bad.
What can people do if you leave it on there?
That's the essential part.
So people aren't just like you're saying, they remove it.
And then let's say they want to get premium
or they want to upgrade and then ask them to move it back.
Their pride is going to move it back because they don't remember
and they don't understand the risk of associating your phone
number on there, for example.
So I think it's just really cool to kind of offer
these classes for free, again, to the whole ecosystem.
You don't have to have a Yuga asset, and in different languages
and a different time zones and across the board for anyone
just willing to dedicate some time to be proactive
about security and really not join the classes
after it's kind of too late.
Show to you guys for raising the most level of convenience.
Ivo, over to you.
Oh, just really quickly, just to add to that confusion, by the way,
because Twitter is amazing.
So if you do remove your phone number and then you want to get premium
and you want to re-add your phone number occasionally,
and I don't know why, because it's really not in their documentation.
Well, their documentation says something different,
but basically it can sometimes then prevent you
from adding the same phone number, which is then causing you
to try to go get a new phone number.
And I think one of the challenges there is now you have this phone number
that's kind of this one-off thing for Twitter.
You may not even remember you got it or where you got it
or how to access it and so forth.
So agree, this is like a really huge problem.
Sorry, I didn't have to cut you off, Andrew.
No, you're good.
There's a ton wrong with Twitter and X.
Sorry, you know, X, now we're calling X.
Ton wrong with it. There's a ton right with it.
Hopefully we can fix all the un-sexy stuff.
John, there's something that I personally am worried about.
Every time I see, you know, airdrops, this and this and that,
I see a ton of FOMO.
A ton of FOMO occurs, which means people are not making logical decisions.
When you don't make logical decisions, you know, shitty things happen.
And then to add even worse effectiveness,
kind of Stack Evil's point as well, my timeline,
I have premium and I paid for the most premium on X.
But for some odd reason, I still see the shitty,
and yes, there's shitty scam advertisements
that pop up in my feed for the fake advertisements,
you know, this, this and that.
It's silly, it's stupid, it's a scam, right?
And then mix that in with, you know, the quote unquote real FOMO,
the real airdrops.
John, are you guys doing anything proactively
to kind of go back to Drew's point here with Boring Security
to kind of keep people as secure as possible
through the next, let's say, 12 months
of what can be a predictable, you know, cycle of airdrops, FOMO,
this, this and that?
Yeah, so obviously the primary thing we do is education and awareness, right?
So the social media security class is actually getting a little bit
of a revamp, and we're going to be going over a lot more details
of how to identify, you know, what is a fake airdrop,
how to identify if it's a fake website, things like that.
Past that, using tools like WalletGuard are going to be hugely impactful.
I think one thing that people don't realize in this space,
there was a much more popular phrase,
I guess it's still popular phrase, specifically for Bitcoin and crypto,
where, you know, using crypto, you get to be your own bank, right?
So you get to have self custody and all that.
But if you're being your own bank, you also have to be your own CTO, right?
You're in charge of your own security, which, you know, takes a little bit of time
and learning to actually figure out.
So the education and awareness, I think, is the biggest tool in our toolbox
to help prevent these scams from actually being successful.
But there is another service that we actually do offer.
I don't know, it's really more of a private service,
but we do have a bot that we run that checks with some of our partner communities
for any domains that are generated with their brands.
And that lets us send in some reports to try and get those domains taken down
before they're used in the scam attempts.
That's pretty cool. That's pretty cool.
There is, John, so, and like, I think Drew's heard me say this before,
because I keep saying this, like, we continuously have, you know,
spaces like this for the purpose that security is something
that I start to care about more often, because I see people,
I see people care about it less, which means care about it more.
And because that's the way it is, when I came into the industry,
whenever it was, like two, three years ago, my onboarding
and my initial learning curve within the industry
was nothing based around security.
I only learned, or learning, at a constant continuum,
the security stuff, two, three, four, five, six, seven months,
you know, two years, three years.
I've only started learning throughout that process,
and the initial phase of that learning curve
didn't happen right at the beginning,
and I think we really missed place
when people should be learning about security.
How do I know? Well, because there's still scamming that's going on,
and it's only getting worse, right?
So that initial learning curve is not put in place.
John, what do you think? And obviously, I don't know
if you have the answer to this, but we're going to shoot for it.
What do you think we should do as a community at scale
to kind of put that initial learning curve in place,
like, right at the beginning,
so that when people get onboarded into the industry,
the first thing that they're told is make sure it's secure,
opposed to chase the money, try to make the money.
So, again, this is like a classic...
It's an issue, right?
When you have people who are joining the space initially,
they're joining with, you know, maybe $100 in their wallet, right?
They're not joining the space
and immediately investing $50,000, right?
At least most people aren't.
That mismatch is where I think the issues arise, right?
If you're onboarding someone, they only have $100,
they're not going to sit down and, you know,
take four hours learning about how to properly set up their wallet
to make it as secure as possible.
It's just not a priority for them because it's a little money.
And the reason that this becomes a problem
is as people get more and more involved in the space
and they start investing more and more,
they never really hit that step where they're like,
oh, I should go reevaluate my security setup.
That's the issue.
And I don't think there's a really great solution for it.
I think the best thing that we have is just keep an eye on your friends,
your friends in the space, right?
So if you notice them getting more and more involved,
I think it should be more common and more accepted
that you just start asking your friends like,
hey, buddy, are you using a cold wallet?
Like, just check in on your friends.
I think that's the best way to deal with it.
I don't think plastering them with a whole lot of information
when they first start is going to be well received
or really result in much.
They're just going to skim through it and not actually do any of it.
It's definitely a fair point.
I think there's another side to this.
I think the other side of this is that the narrative still kind of stinks
that the onboarding has gotten easier,
but it's not seamless.
It's not perfect.
And then to add to that, there's always the scamming,
this, this, and that, the phishing, all that stuff.
So even for those people that do have immense amounts of capital
to deploy or even thinking about it or have it in wherever it is
and looking to transition it,
there's probably some hindrance there
because they see that there's way too much risk involved
when even just stepping foot or even just attempting
and I think that's probably why that the adoption rate
has probably hindered a little bit.
And that's why I think a lot of people that were here last cycle,
obviously don't stick around for the bear market.
And part of that is due to money can't be made as often.
And it was many different variables,
but I do think one of the variables is that many people got scammed last cycle.
And because that was their experience,
they now make that I know the only thing that's going to happen to them,
which is, I think the worst thing you can do,
just because something happens to you once,
doesn't mean it's going to repeat itself a thousand times,
unless you're insane and incur that same behavior loop.
But I think that's, that's part of the problem.
So John, how do you propose that we, you know, fix that?
Like, do you think that security and making sure that security
is tight, it's knit, it makes sense, it's easy to do,
is one of the things that actually further adoption?
Because I think it's, it's partially hindering it aside from many other things.
Yeah, it's, it definitely is hindering it, right?
If you're trying to onboard a billion people,
requiring them to have enough knowledge that it takes them, you know,
five hours, of course, it's actually learn all of it isn't going to work.
That's the, it just multiplies to be way too much.
But there are solutions coming out,
which I think are going to be a solution sort of for this next wave.
And those are going to be things that are more, you know,
managed accounts, account abstraction, things like that,
where, you know, you just sign up with an email
and it generates an address for you, right?
Instead of allowing full self custody, if it's more partial custody,
then a lot of the security issues that you're dealing with tend to go away.
And something that I'm really excited about personally,
which I haven't seen a whole lot of usage of yet,
is all the big tech companies are starting to support passkeys, which are super cool.
It's still very early, and I'm not sure if I'm 100%
happy with how all of the different companies are implementing passkeys.
But my, my hope and goal is at some point in the future,
those passkeys are basically used to generate account addresses for use in Web3.
Because at that point, your onboarding procedure would basically be,
all right, sign in with your Google account, generate an account,
it's stored in your Google account to just make sure your Google account is safe.
That is way easier than going on a whole spiel about, you know,
you have to go download MetaMask, you have to generate a seed phrase,
you have to write your seed phrase down on a piece of paper, you have to keep your seed phrase safe,
maybe you want to split up your piece of paper into three different locations.
Like, there's just so much nuance when you introduce self custody,
that for most customers, for most users who only have $100 in it, they don't, they don't care.
So having that sort of split custody of it, I think is going to be helpful for the onboarding experience.
John, are you guys, is that something you guys are starting to teach as well?
And kind of preach in the classes, last courses, or that's already,
think it's kind of too early for this?
I haven't seen a whole lot of different companies who are offering something like that.
That's my personal opinion of where I think the space is going to head.
Is there, do you think there's means for us to transition ourselves now?
Or do you think it's, it's, you know, not the right time, it doesn't make sense?
I think it's something that's going to come in the future.
Like I said, passkey support is still very early.
The organization that's behind the standards for passkeys also is not super Web3 friendly.
So whatever implementation that you create is going to be kind of hacky in a certain sense,
which is fine, I think.
But I think that's something that I see happening maybe in like a year or two.
But account abstraction is here, basically.
So that's definitely something I've been keeping an eye on for what type of companies are going to
be offering those types of services.
And we've already seen some early implementations of it and maybe not so secure of methods,
but like FriendTech was offering, you know, signups with just an email address, right?
So we'll continue to see more customized, tailored experiences like that,
that are easier for the average person to get involved with.
No, that's definitely a good sign.
Always open to you and better ideas.
I do want to get some of the hands as well.
Machiavelli, what's going on?
What's happening, my man?
How are you doing today?
Doing well yourself.
Oh, fantastic, man.
Greetings to everybody on the stage.
You know, one of the things that I've been wondering about and like,
I'm not trying to get off topic or anything, but this has to do with security is,
one of the things I really liked about the Hashgraph system is that you have to like,
associate your wallet with the contract that you're receiving from.
And I feel like that if we had some type of situation, you know, built into the wallets
to where like you couldn't just receive random scams from anybody in your Ethereum wallet,
you would have to associate your wallet with the token address or the contract.
Then I feel like we could prevent a lot of these security problems.
I agree to a certain extent.
Being able to receive whatever funds, whether illicit or malicious,
is definitely like a concern.
But that being said, that as an attack factor, I think is not really
one that is heavily exploited or super useful.
If people randomly get airdrops some token, it takes very little research to figure out
that that token doesn't have anything associated with it, right?
You can just go check the contract address on OpenSea, see that it has no volume,
and then ignore it.
And the other thing that is a little bit more annoying is address poisoning,
where people will go and they'll see that you sent some money to an address.
They'll create a vanity address that has the first couple of letters
that are the same as that address, and they'll send you some money
from that address, like a cent, with the whole hope that you go to Etherscan
and you copy the most recent address in your transaction history
and then send that address money again.
Don't ever do that, please.
Don't look at Etherscan to figure out what address that address is.
I never would, bro.
You're absolutely right.
But, yeah, I think, partially, tools and the wallets that we use to interact
with these different networks should be built with a lot of those attacks in mind.
And with proper UI, UX, you can avoid a lot of the issues with those types of attacks.
Thanks, Machiavelli.
I think, I was going to say, I think, especially in that scenario, too.
I mean, you also got to think about, you know, the more steps you add for a user
trying to do something, the more steps that they also have a risk of going down the wrong path.
So there's always a constant battle of, you know, convenience over security,
security over convenience, which is super tough.
But I agree with Harley.
I think that UI, UX improvements were still unbelievably so early.
That's the biggest flaw, especially if you're onboarding or doing things safely.
And, you know, it's only going to take time with tools.
Like, the WalletGuard dashboard shows you, right?
Like, what tokens, like, their risk score associated to it.
There's a couple of tools.
WebEC has one.
Revoke.cash has little asterisks there or little notifications now, as well.
And MetaMask, the most recent update, I think it was two days ago,
actually shows some as deceptive, high-risk, et cetera, too.
So I think the more time that goes by, the more that we can get those kind of alerts
that'll let us know immediately whether we should even go down that path of trying to do that or not.
I also think that 4337 is going to help a lot when,
as they start to get really kind of natively implemented and rolled out.
I mean, I think the account abstraction stuff cannot be, like,
I guess understated or whatever.
It's going to be so transformative and I think very important to some of these issues.
Like, just like as one example, it's going to allow you to do things like set a spending
limit on your wallet, right?
So imagine, you know, if you did connect to some kind of draining, whatever,
you have effectively a fail-safe on your wallet that says, hey, I can only spend,
or I can only send, let's say, I don't know, $100 to somebody, right?
And if I try to send more than $100, then, you know, trigger some authentication path
that requires a bunch of other stuff, you know, a bunch of other extra steps or maybe
just don't even allow it at all, right?
And I think that those kinds of fail safes and kind of safety nets,
I really am very hopeful that that's going to be, at least, you know, if you do get into trouble,
you're not going to lose everything, right?
So, you know, you can say things like, hey, I don't want any entities leaving this wallet
unless I do, you know, five kinds of authentication or whatever.
Yeah, I think especially, you know, utilizing automation, things that we set in stone.
Like, if you, you know, if you're trading ERC20 tokens now, like, you can set those kind of
limits, right?
And you can also set expirations on approvals.
So, you know, obviously, that's something that, you know, wasn't out two years ago, right?
Which I wish it was.
But yeah, absolutely.
I think 4337 would be pretty interesting.
For anyone who's unaware of what account abstraction is, the way to think about it
is right now with Ethereum addresses, you basically have private public key pair.
And that's it, like, you have full control of the account.
If you have the seed phrase or the private key, you can do whatever.
With account abstraction, what you're basically doing is you're creating a smart contract wallet.
And that smart contract can be designed with whatever limitations or whatever implementations
that you want.
So, you're no longer limited to just having a seed phrase that controls that wallet.
You can do wacky things like social recovery of an account.
So, there's a lot of cool things.
It's basically open to your imagination of what you can do with accounts that are set up like that.
Great conversation.
John, I do want to get to these hands.
But before I do, if I had to ask you, could you build a quick starter pack?
And I've asked Michael this too.
I pretty much asked him both.
I've asked both this question.
I've asked Michael this question.
Every security individual person that I talk to, I have the pleasure of speaking with,
I asked them what their starter pack is for those that are in the industry,
those that have been here for a little while.
If you can kind of build your starter pack, I'm going to say three, four things, five max
of tools, things that you would tell a person to use, take advantage of,
to ensure their company security, their brand security,
as well as their social security, and then obviously their asset security.
There's a lot.
But I think for a person just starting in the space,
I think the thing that I would focus on most is just making sure that their device is
physically secure.
If we're talking about like the $100 invested range,
I don't think you're going to be heavily targeted.
You still will be at risk of phishing.
So probably the biggest thing that you should be looking for is WalletGuard
is going to probably be your best protection.
I like to think of it as training wheels.
If you click on a link that ends up being a bad link, WalletGuard will tell you.
So it's a good way to start training yourself with training wheels on what things you should
be avoiding, what things are scams, and give you a little bit more insight on the fly training.
As you get some more money invested around the $1,000 range, maybe to the $5,000 range,
that's when I would start looking into getting a Ledger and start looking into splitting up
your wallet into a risky burner wallet that you use to interact with things like mints,
sort of a hot wallet that you use to sell things on a marketplace, and then your Ledger,
which will act as sort of a cold vault wallet, which you'll use to store any assets for the
long term that you want to store, and keep safe.
Once you get to the $10,000 range, that's where I think you are starting to get to the point
where you can justify siloing your setup a little bit.
At that point, I would recommend getting a separate laptop that you're using specifically
for interacting with crypto. If you're using a different laptop that has your hot wallet on it,
that is not your main computer that you are downloading, god knows what on,
you're going to be a lot safer that way. It's going to get rid of a lot of your sort of
malware risk. At that point, leveling up and getting a separate laptop that you can use with
the three wallets set up, your burner, your hot wallet, and your Ledger, I think is a really good
thing. Once you get more into the $100,000 to million range of assets, that's when I think you should
actually talk to a professional. Self-custody is hard, and if you screw up self-custody,
guess who loses the money? I think that's a big thing that I see in the space that people don't
do. They make half a million dollars because they were an early minter of Bored Apes,
but then they just don't ever talk to anyone about how to actually secure their stuff, which
is really a mistake. Finding trusted people, trustworthy people to talk to about your setup
and get advice on what to change, I think is a super underrated tip.
Your response, John. I appreciate you. Aisha, over to you.
Yeah. Thanks, Andrew. Okay. Are there any plans to establish an educational portal
that allows individual experts and projects to upload their lectures and educational
content for the community? Additionally, is there a consideration for enabling
content creators to potentially monetize their contributions to this platform?
I don't think there's any plans right now to create a video platform or anything like that.
I have actually looked around for any good Web 3 lecture platforms just for my own content,
and I haven't really found one that I like yet. I know there are a couple smaller ones that are
trying. Quite frankly, a lot of those lecture platforms exist already on Web 2 and are perfectly
fine to use if you want to. At this point, we are focused on instructor-led classes,
just because we think that is going to provide the most engagement and most interactivity to
keep people actually awake during the classes. That's our focus for now. We haven't really
tried to do too much async content because a lot of us create content on the side anyways,
and a lot of that async content honestly just gets ignored because, as we were talking about
earlier in the space, security isn't sexy until you need it. Those instructor-led classes have
been the most successful that we've done, and we're probably going to continue focusing on that.
Towards that end, we're going to be adding more instructors, especially in different languages,
to try and grow that as much as we can. Okay, related to that, could you elaborate on the
process you follow when vetting and approving projects interested in hosting partner classes
for your community? How does your team ensure that these external projects and onboarded
experts maintain a high standard of quality education and content to benefit the community effectively?
That is a really good question. For the partner community that we do co-branded experiences with,
we're mainly looking to make sure that they're a large enough project where they can actually
fill seats in the class. We're also looking to make sure that they're not some project with a
really low market cap, not because we don't appreciate projects with a low market cap,
just because we want to make sure that these are dedicated and interested community members
who are really involved in the space. The whole point here is not to promote the project,
so to speak. We're just focused on the security aspect of it. Past that, it's really just a process
where we talk with Feld and one of our community managers in Boring Security to get everything
set up and get it going. The other question is how do we pick instructors and make sure that
they're providing quality education? We don't add that many instructors. I think this last month we
added three, which I think is probably the biggest that we've done in a while. For that one aspect
is we actually do almost like a vote before we add more instructors in. Everyone looks at their
work and potentially talks with them before we add them in to teach more classes. The instructors
we have are really, really good and some of them are extremely technical as well. I'm really proud
of these instructors that we've managed to attract. Awesome. Thank you. Thank you so much for answering.
Thank you Aisha. Ramit, over to you. Yeah, thank you Andrew. Okay, I've been listening and I was
thinking that in future do you have any intentions of maybe organizing any events or workshops in the
educational institutions or universities to maybe educate the students about Web 3 security?
That's a really interesting question too. I don't think we have any current plans, but something
like that, like an IRL activation at a conference, I think would be super cool. Drew might actually
have some information here. Yeah, I think that's something we're definitely discussing. So I will
say as well that monthly we do have kind of show and tells. Like the last one we just had
actually was with Ledger. The one before that was actually with Pocket Universe. So you hold those
monthly in the Discord to where we do kind of allow other trusted security products to come in,
talk to the community, do some kind of like live Q&A so they can get familiar with kind of doing
their own due diligence of security products that we use or security products that are out in the
space. And then as well as there'll be a couple of us at ETHDenver, we'll be hopping around to
a couple events. I think we're sponsoring a few. So if you're there, definitely hit me up. I would
love to chat. And yeah, I mean, kind of a bigger educational, maybe like a Boring Security
event or something. I think that's something Feld was looking into. Drew, I have an odd question
for you just kind of off the hop here. Unless you've been asked this before, maybe we'll figure
it out. What advice and what would you recommend for people that are going to events to be as
secure as possible for our social capital as well as obviously financial? Yeah, I mean,
that's the biggest thing, especially when you're traveling and you're at an event where, you
know, it's a larger event, a bunch of crypto people there, you know, may attract others.
Like you don't really need to bring your ledger, right? Like you don't need to bring things that,
you know, if you lose it on the plane, you lose it driving there, you lose it walking around,
you leave it in a hotel room. Like those things are pretty essential, right? Like just really be
mindful of what you're bringing, who you're talking to, what you're saying out loud. And then as well
as kind of before the events, right, like there's NFT NYC, ETHDenver. There's a lot that are overseas
happening as well. There's a lot of scams to where people like to pretend to reach out to you for an
interview, or they want you to fill out this speaker application, right? Like those can all
be social engineering scams to kind of trick you. That seems so legit beforehand to really actually
take advantage of you prior. So, you know, kind of before, during there and, you know, other things,
make sure you're not scanning QR codes. I usually never recommend that. That's like super important,
right? And just, you know, just be wary. I think a lot of it isn't even necessarily web three related
in a sense. It's kind of web two, like would you do that? Would you do these things in web two?
No. So then why are you doing them in web three? John, over to you.
I actually just pinned up a tweet I made almost two years ago, that goes over just a large list
of things that you can do to keep yourself safe at events. The biggest thing to keep in mind here,
right, is if you're going to a crypto event, people are aware of crypto. They're aware that
it's valuable, and they're aware that people who own crypto potentially are valuable targets.
So my recommendation is like outside of the venue at conferences. I personally would not feel
comfortable, you know, wearing like too much NFT swag. If they're, you know, large unknown projects,
it just, it's kind of like wearing a fancy watch, you're saying like, hey, if you steal my smartphone,
there might be $50,000 inside. So trying to keep it low key, I think is important just for personal
safety. But other things too, like not telling people what hotel you're at, what your hotel room
number is. If you're a woman in the space, you are going to be facing a lot of the same risks that
you would at any other type of conference as well. So it's better to go with friends to make sure
that you're always with someone. Just simple, simple things like that can keep you safe.
John, is there any more social engineering tactics that you've seen like airdrops of images,
airdrops of photos, like literally, like going directly to iPhone, iPhone, or Android to Android,
whatever that process is? Have you seen or heard of any stories like that? Or like maybe something
that people probably got phished out of, like at the events, like with someone else's phone or
anything that like the average person wouldn't think about to be aware of is what I'm asking.
Obviously, in addition to what we've currently discussed.
Yeah, so like Drew said, most of the phishing I've seen has actually been related to signing up to
events with a fake form or something like that. Luckily, there have not been that many technical
advancements in IRL phishing. But that's something that I think could very easily change,
right? Like we're not seeing that level of concern at these crypto conventions yet.
But it takes one dedicated group of individuals before that changes, you know.
One other thing that I'd keep in mind is definitely a Web 2 scam. If an attractive
woman comes up to you and asks for your phone, and wants to give you her number out of the blue,
she might just be going to your Venmo app and Venmoing herself $1,000. If you have a hot wallet
on your phone, don't let people go enter things into your phone for whatever reason.
So that's one recommendation I can give.
I love that you said that. No, it's definitely things that people wouldn't think happen,
but definitely do occur. John, I do want to unpack the start to finish process.
If you can obviously give all the details, it would be awesome if you can't. No problem with
how you you and the team recouped, recovered all of the assets. I think it was all the assets,
to my knowledge, from that were, you know, lost through exploits of like flooring and
all those things. Like how did that how did that happen?
I was not unfortunately involved with that process. So that is a question I think is
best reserved for Feld whenever you guys end up having them on the show.
That is such a juicy question. Yeah, I've seen that on the timeline.
And seeing it in real time was was super insane. Obviously, you know, the insane part was seeing
all that happened, you know, so I guess, quote unquote, OGs of the space that you would think,
you know, that's never going to happen to because they've been here for, you know,
x time period. And then you see that happen. That was the one level of what I thought was insane.
And then the second thing was that you guys were getting the things back, the assets back,
which is even crazier thing, because I've also never seen that happen before. So major shout out
to you guys. And obviously, you know, you're not the best person to answer that question. But,
you know, shout out to you and the team, nonetheless, for like, crazy, crazy work.
Machiavelli, do you have any more questions? No, sir. But thank you for having me up.
Awesome. Evil, do you have any more questions?
No, man, this has been great.
Good stuff. Aisha, to you as well. Do you have any more questions?
I will take that as a no. Drew, do you have any more questions?
Actually, I do have one more question. Go for it. Sorry. Yeah, no, no, if you don't mind. I guess,
John, I'm just kind of wondering, what's the easiest way for people to kind of find out more,
you know, like, where should they go? What are the safe links to click
to actually, you know, take these courses and so forth?
Yeah, so the first pinned tweet in the space is the Boring Security February calendar.
If you go on there on that Twitter account, you can join the Discord
and get more information about how to join classes and get involved. So that would be the
safe link to click. Also, if you follow me or Drew, I think, Drew, do you have? Okay, now,
it's just, if you follow me, I have a Boring Security emblem on my profile, which if you
click on that will take you to the Boring Security account as well.
Why does it Drew have one, John? I mean, Drew needs one.
Drew is still a little bit newer to Boring Security. So he needs to get set up with it still.
Come on, Drew. It's coming. It's coming.
John, where can people consume more content? Like, you know, not as much from the classes side,
but more so from the thread side, maybe the video side, the audio side. Where can people consume
more content about security that, you know, I guess entails less capacity to ingest it?
Like, obviously classes may not be for everybody, but where can they do the quick research on the
quick thing about the quick topic for the quick mean? Like, where can they find all that stuff?
Honestly, it's on Twitter. There isn't a whole lot of good Web 3 content elsewhere,
in my opinion. So just finding people to follow who provide security content, I think is the way
I constantly put out brain farts about security on my Twitter profile every every day almost.
Drew does a whole bunch of deep dives into different phishing scams and things like that.
So he's worth a follow as well. And honestly, looking at who else Boring Security follows,
as well as other people on Boring Security who have the badge. If you go to the Boring Security
page, you can click affiliates and see everyone who has the badge. Following all of those people
can get you a lot of good security content as well. Awesome stuff. And if you go on
boringsecurity.com, on the website, too, there's actually articles there that are pretty good,
worth a review, with kind of other hot topics, peace of mind things, with some pretty
good examples that are definitely worth a read. I should have bumped that
up. Shouldn't I? Good, good, good culture. Yeah, see, Drew's working towards the badge,
John, working towards the, I'm earning this badge. You get the badge. Get the badge. Guys,
gals, I appreciate your time. John, Drew, the team, you guys have anything else left to say?
I think we've asked a ton of good questions with even better response. Do you guys have anything
else that we didn't ask that you want to maybe throw out there? Yeah, I think my general tip
about security, if you learn nothing else is just take it slow. If you take it slow, you double
check everything. If you get confused, you go and ask people who might know, for instance, the
dimension airdrop for penguins. I don't know what dimension is. I'm not going to go research it. I
asked in a Twitter group chat with a bunch of chubby corns, another project I'm involved with,
how the heck do I even get dimension out? How do I dump it if I want to dump it?
I ask questions all the time. If it's something I don't know, I ask questions. The process to
actually dump dimension? Way too hard for me. I haven't done it, which I guess has been a good
thing. But yeah, taking it slow, if something confuses you, go and ask a community you're involved in
lots of questions. If you take it slow, it gets rid of a lot of these sort of opportunity phishes
that happen. Definitely a great point. Yeah, when people rush, you know, they make more mistakes.
John, I didn't know you had a penguin. Awesome. I do. People have been bullying me to switch to it.
Are you going to do it? It's so hard.
What's the downside to it?
I built a lot of my brand around the doodle at this point. So that's the main issue. And I have
to restart doing all that again. Yeah, yeah, I can see that. I mean, at least if you were to switch,
John, you don't got to wait 64 days to get the checkmark back because you have the badge.
So that's a plus. Yeah, it is. It is a huge plus. And that's something I definitely think
they need to change. But yeah, there's a lot of other things. Ladies and gentlemen, appreciate
your time here today. The space once again is recorded. If there's anything you do want to go
back, listen to. Obviously, you have the capability to do that. I appreciate everyone who's put up
here today. John, Drew, Evil, Machiavelli, Aisha, Ramit is up here as well. Great questions, even better
responses. John and Drew, definitely happy to have you guys back literally whenever. I told
Michael this and Bo, open invitation anytime, any place. Security is something that we need to focus
more on. Obviously, it's not the sexy thing, but it is the important thing. And I appreciate
everybody's time here, those who listened. And we'll see you guys next time. Everyone for the
rest of your Friday. Appreciate you having us. Thanks so much. Thank you.