Projects
![]()
No projects found
Investors
New
DAO Treasuries
DATs
Lend / Borrow APRs
Chains
Categories
Spaces
Community Security Session - tips for GG19 grantees & donors π«‘
Recorded: Oct. 24, 2023 Duration: 1:12:10Space Recording
Full Transcription
Yo, yo. How's everybody doing? Can you hear me?
Loud and clear. GM, GM.
GM, GM. What's up?
Oh, doing pretty good. It's nice and cold and rainy here on the west coast of Canada. How are you doing?
Nice. It's rainy, not too cold and beautiful colors in the backyard in the eastern middle Canadian world that I am living in.
Amazing. Cool. I think we're waiting for a few more people to filter in here.
And then we can start kicking off. GM. GM, how are you?
Doing good. Doing good. Good to be here. Let's go. Let's get some people in here. Hit that box at the bottom right of the screen. Like and repost the room. What are you doing right now? There's almost 20 people in here already and I don't even see a single like. What's good? What's good?
Yeah, right on. You tell us. I'm doing a share. Let's all do it. Who wants to share this? Let's go.
We got to get them riled up. We got to get them riled up. I'm going to pin the post to the top. Look, we got six likes already just by saying that. Good to the top.
There we go. There we go. Let's get started, people. Let's do this.
Yeah, super excited for the second session, security session that we're hosting here on Gitcoin with some amazing speakers with us again today. So, yeah, let's get into it.
Yeah, we'd appreciate a retweet and a like. And, yeah, maybe we can do the same like we did last time. Go around the speakers. Everyone, we've got a few familiar faces, but we have some new speakers on the stage with us. So, maybe go around, introduce yourself, your project, and then one high-level security tip to share today.
Awesome. Yeah, I'll get started. My name is Michael Kay. I'm the Partnership Director for WalletGuard. We provide tools and educational resources to help you protect your crypto.
And a tip that I could give, let's see. Definitely, we've seen a lot of scenarios with SIM swaps and issues with people's two-factor method being their phone number.
So, please, if you haven't done it already, remove your phone number from your social networks, from your email accounts.
There's absolutely no reason you should be using your phone number as a recovery method. That's my tip.
Amazing. Plum, how about you? Welcome.
Hello, hello. Can you hear me?
Loud and clear.
Sound like good.
I'm Plum.
I work officially for OpenSea, but I am the founder of ServerForge, which is a community of
Web3 security nerds, basically.
My tip would probably be, if it seems too good to be true, don't click on it.
Pretty simple.
But if you are going to click on it, make sure you've got the right security.
Right. If you are going to click on it, there are things you can do.
Right on.
Mac, how about you?
Hello, and welcome back.
Hello, GM, GM.
Hope you can hear me okay.
Still getting over his sickness.
Congested as crap.
I'm Mac.
Do security with a bunch of companies in the space.
Brand ambassador for Wallet Guard.
Also doing some stuff with Gitcoin behind the scenes.
Ben, which, by the way,
I'm not even going to say it.
You already know.
A security tip, I guess.
So this has happened a lot lately,
so I guess this will be my one security tip.
Check the headers of your emails before you click on a link.
If you get an airdrop email from company XYZ,
and the header in your email says that the email came from a company at ABC,
probably shouldn't click that link.
Okay.
So your tip is to read, I'm assuming.
Common thing that people don't do.
Reading.
Who does that anymore?
Yes.
Yes.
Read what you are doing before you click.
That is the tip.
Wiz, nice to have you on stage with us.
Go for it.
Can you hear me?
Wes, you got this, bro.
You got this.
I don't think I'm up here.
Oh, you are.
There you are.
Well, I can still request.
Yeah, I got a tip for everyone.
Use bookmarks.
It's so simple, but everyone just forgets to do it all the time.
And it's just something super simple, but it can save you big time.
100%.
Love that.
Hey, Wes, tell them where you're from.
I'm from Cleveland.
Oh, sorry.
I meant like who you repping, where you work at.
I'm repping WebEasy.
We brought WebEasy in here, too.
We're listening.
WebEasy is just a bunch of security tools as well.
So super cool.
Glad we're all in the space together.
Right on.
Thanks for being here, Wes.
Yeah, that's super exciting.
And then Oex saying, God, I actually thought you weren't going to make the space.
So I'm super excited that you're on stage with us.
Please introduce yourself and share a security tip.
Hey, hey.
Morning, guys.
GM, GM.
Glad to be here.
Can you hear me well?
Yep.
Loud and clear.
Sounds great, guys.
Yeah, no.
So hi.
I'm just your friend, the neighborhood hacker, security researcher.
So my tip for you guys, after all the great tips that we've had today, is never assume
that you are not the target.
That's like as plain as I can state it.
All these guys have told you how to click links, how to read.
Thank you, sir.
And all these beautiful things.
Now you just have to assume that there's a reason for you to do it.
Otherwise, you're not going to care and you're not going to listen to a word of advice we
say today.
Staying out.
Facts.
Love it.
Very nice.
Amazing.
Well, I am.
My name is Matilda.
I'm behind the Gitcoin account here.
I am.
What do I do at Gitcoin?
I feel like there's a lot that I do.
But in short, I work for the marketing team at Gitcoin and I am a project content coordinator.
That's what I do.
And I've, you know, I'm kind of part of the security working group as well that we've
started at Gitcoin, which has been very exciting, but also super scary and but also just very
important.
So, yeah, we're just really beefing up education around security and our own OPSEC within Gitcoin,
especially everything that's happened this year.
And, yeah, so it's just super exciting to spin these up.
Ben, why don't you introduce yourself for everyone who doesn't who don't know who don't know you?
Hello, everybody who don't know me.
Hey, I am Ben.
I am thrilled to be here with all of you.
So much love for everybody up on stage right now.
Big thank you to Mac and Plum and Cyan in particular, who have like just gone the extra mile to really
help beef up our security, you know, all reached out and like, you know, made an effort to be
helpful in a whole bunch of different ways.
You know, when we lost our Twitter account, you know, just really meant the world to to all
of us.
So I guess if my my piece of advice is like, don't feel like you got to do everything on your own.
You know, there is a whole community of really helpful, supportive people out there, you know,
and like, if you're not 100% sure about something like just post it on Twitter, talk about it.
Don't FOMO into things, you know, like take the time to talk to your community.
And like, you know, even just outside your immediate community, there is like so many brilliant
people like the folks up on stage.
And now that you know who they are, you know, you know, tag people and stuff.
Say, hey, what do you think about this?
Like, you know, we're all figuring this shit out together.
It's all one big experiment.
So, yeah.
Oh, yeah.
And what the hell do I do?
I'm the grants program lead at Gitcoin.
And today we're going to talk about like tips for grantees, which, you know, frankly,
is pretty similar just to like general Web3 security stuff.
But I think we'll also touch on some things that might be a little bit more specific to Gitcoin
and curious about the thoughts that some of our friends on stage have.
But we'll also just kind of share some of the stuff we're doing.
Yeah.
So and I got to say, Matilda, you are an absolute badass.
And I don't know how to describe what you do, but it's I don't know how the hell we do
what we're doing without you.
So I'm thrilled to be here co-hosting with you.
And quick shout out to John and Umar and Carlos, other team members that I see hanging out.
You know, much love to all of you.
Everybody here is pitching in and trying to make sure that, you know, our grantees, our
community, our our team members, everybody is as safe as possible.
Oh, yeah.
And thanks to John HQ and the folks from Boring Security who helped us with a security session
as well.
Like I said, so many awesome people trying to help make Gitcoin a better place for everybody.
Web3 a better place for everybody.
Much love.
All right.
That's that's me introducing myself.
Amazing.
Oh, I didn't I didn't share a security tip for my end.
I think, yeah, it's just slow down.
I think Web3, since I've been in Web3, I just and the work that I do, everything happens
so fast.
So I think the biggest lesson that I've learned is just to slow down around everything that
I do.
So, yeah, I think let's hop in.
And yeah, Ben, do you want to maybe kick us off?
So we've got a few things that we want to discuss from like a grantee point of view.
GG19, the save the date.
The dates were posted last week.
It's kicking off on the 15th of November, which is in a few weeks.
And, you know, during this time, we always see an uptick of scam links, of scam airdrops
on, you know, on Twitter and everywhere else.
So it is just really important to actually have this conversation to remind everyone how
to stay safe and to keep their own community safe.
So, yeah.
Ben, what do you want to start off with?
Dang.
Yeah.
Good question.
I'm just trying to open the dock where I put the notes to actually answer the question.
But I think basically we're going to go through some like kind of common places that people
get stuck or have problems.
And, you know, just kind of get some expert opinions on like where people might be going
astray.
So, yeah, maybe I'll just start.
Actually, I don't think it was the first question, but I think it's a good one.
You know, because it crosses a lot of different issues and definitely is part of what we talked
about with the boring security folks.
You know, like basically like how many different wallets should you have and how do you build
a online reputation in a way that also protects your security?
I think this is particularly important for us with our Gitcoin passport.
Like, you know, we're basically asking people to like verify their humanity because we're trying
to prevent against civil attacks.
But, you know, the flip side of that is like, you know, maybe you don't want to keep your,
you know, most expensive NFTs in the same wallet as the one that you're building up your
passport reputation.
So, like maybe just kind of like at a 10,000 foot view, you know, for many of the folks
that we got up here with us, like, you know, what do you kind of recommend to people in terms
of like how many wallets should you have?
And so, how do you decide what to use each one for?
Michael, I see you got your hand up there, sir.
Yeah.
So, I think this comes down to a matter of convenience over security.
So, a lot of times people are told, make sure you have tons of wallets and you have it all
separated.
You know, I think what makes sense is to have a cold wallet that holds assets you don't plan
on selling or interacting with, you know, completely separate from your wallet that you're using
to do mints and claims and different kind of, you know, DGEN projects.
This way, in case something happens, all of your eggs are not in one basket.
And a lot of times people say, well, I have 30 different wallets.
That's insane.
I don't think there's a point to have 30 different wallets.
That's like having 30 different email addresses.
It makes sense to segregate your wallets.
It makes sense to segregate your emails.
Maybe have a few accounts of segregation, but there's, again, convenience over security.
Does it make sense to have 30 wallets?
In my opinion, no, but it definitely does make sense to have a cold wallet that you consider
a vault, completely separate from your daily DGEN wallet.
Nice.
Yeah, that makes sense to me.
And I'm sitting here going, do I have 30 email addresses?
I think I might.
But I'm one of them.
You're staring at me.
Well, I mean, I use that.
I, you know, I just, I got a lot of burner, you know, alias addresses, right?
Diane, you came off mute, sir.
You got any thoughts on that?
I'm sorry, I stayed off mute.
I was actually commenting and saying, welcome to the club of 30 plus emails.
Right on.
But yeah, I mean, what do you think the right number of email addresses is?
Like, you know, we've definitely talked about like.
The right number is three.
Three?
Yeah.
So I'll put it this way.
It's like the same thing as having a hot wallet, a warm wallet and like a cold wallet, right?
So you want to have, for example, all of your banking accounts should not be tied to the same email that you use for all of your social networks and random shopping, right?
Just like your important assets that you don't want to touch should not be sitting in the same wallet as your assets that you are interacting with on a daily basis.
So I think three is really the number to go by.
So for example, I use one for all my crypto related stuff.
I use the other for all my banking and sensitive credentials.
And then I use the last one, the third one for all the random websites and everything else on top of that.
So I think it's a little easier in that manner because sometimes people get to the point where they have 10 different email addresses and they're not even keeping track of all those thousands of unread emails.
I mean, that gets to a point where it's unmanageable.
So you can best bet that those three emails I have still only contain real emails coming in.
Don't hit yes and I accept and I agree to every single instance of you asking to be signing up for a newsletter or signing up for coupons or agreeing to their platform terms.
Like you don't have to do those things, guys.
Keep it clean.
Understand what you're accepting and what you're hitting I accept to.
Love that.
That's great advice.
You know, I take that's probably even to an extreme.
Like I use just aliases for basically anything that I sign up for and then just have totally segregated email for like anything to do with like health or banking that I just don't use for anything else.
And like the nice thing about using aliases, which you can use like a service like Mozilla's got an alias creator plugin or there's like Fastmail or there's a bunch of other ones too.
But what I like about that is I can like if I end up on some list or something like and I'm starting to get a bunch of spam, I can actually tell where I signed up for it based on the the alias that I was using.
Like, yeah, anybody want to add anything to the to the to the wallet or email discussion?
Well, you actually meant here what I was going to hit with then.
I'm glad you mentioned the whole alias thing, because when breaches happen, as they do, I can recommend password managers.
But then again, we all kind of see what's been happening lately there.
So I'm not saying the idea, but if you're going to or if you're someone who feels like you need to do the exact opposite of what Michael suggested.
So once you start getting to those, you know, those little emails, just make sure you have good passwords, store them in a password manager.
Again, we're not saying that is a fail proof process, but you don't want to be trying to remember those passwords.
And you definitely don't want them to be using the same password just because you have 30 emails and think, you know, no one's ever going to find them out.
Right. So that's just a tip on being safe.
Love that. And you gave me a good tip on how often to change your passwords.
I think that's an important one for people, too.
Especially as it relates to Discord, but probably related to all kinds of things in general.
Do you want to throw down a little bit more on that?
Before Matt goes, I'll say personally me.
That depends upon your security posture.
So honestly, people on stage and, you know, we could always talk about this.
I'm going to say anybody on stage is probably changing their passwords in 30 to 60 days.
Why? Because the host? Very important.
You're scaring me, bro. You're scaring me.
Hold on.
Is it?
Do you want to go, like, even shorter than that?
I mean, go ahead.
If you want to drop that down, I'm just being very generous right now.
Oh, no, no.
I'm just trying to have it.
No, no.
I'm just trying to have it so people aren't sitting around spending their entire lives changing passwords for hundreds of accounts because it's just not practical.
Right. Well, see, and that's my thing.
But that's why I said it.
And that's why I said it also depends upon the security posture.
So that's why I'm going to definitely be, like, critical about that.
So for Michael's example, his wallet guard accounts, you know, maybe that's something he wants to change more often, even more often.
I'm not saying any more often than 30 days, obviously.
But that's something he would change way more often than he changed his Twitter password, potentially.
That's just an example to kind of get at probably what he's saying.
And you can definitely let me know if that's what you're kind of trying to get at, Mike.
But that's where I was going with that explicitly.
For me, I could change my stuff every 30 to 60 days.
But that depends.
Something else that I'm more concerned about, don't spend your password.
You know, again, don't spend all day changing passwords.
Don't try and change all 20 accounts on the same.
These are the types of things you have to consider.
Your bank, your email, and your socials are definitely going to be on, in my opinion, different schedules.
But it's something to be mindful of, given that breaches and your data is way more easily accessed than it used to be.
So I also want to be considerate of that, Mike.
The breaches are happening faster than they were five years ago.
100%, man.
I definitely agree with you.
And I think it does matter.
Like, what's the level of security behind the account?
If it's your main social network and your main email address, you can best bet that's going to be a password that's rotated much more often than, let's say, just like your shopping websites or some newsletter that you're signed up for.
So definitely some great points.
And real quick, I want to point out, I just pinned to the top an article that I wrote up a few days ago.
And it actually gives a breakdown on everything that you need to do when it comes to the best practices to secure your assets.
And it starts off with Web2 security.
I think Web2 security is something that is often not talked about, which is why I'm so happy that we're having this conversation.
And you should definitely Web2 before you Web3.
So when it comes down to managing your passwords, having multi-factor authentication, understanding how to secure your online identity and your credentials, or even using an antivirus,
I really broke it down in that article, and I highly recommend that you bookmark it and check it out when you guys get a chance.
Because even if you're onboarding somebody into the space and you're not talking about security, you're doing them a disservice.
So you might as well point them in the right direction and have all those resources in one place for them.
Damn, I wish I could share a fire emoji on here.
That was great, man.
Let's go.
Mac, you've been patiently waiting with your hand up, sir.
Yeah, I just wanted to add in, like, some password managers will let you password protect not only, like, a master password,
but then for each account that you want to put extra security on, like, you can password protect that password.
Now, some password managers use the master password to protect it, but some of them will let you pick a new password.
So if you want extra security, like, on the password side, like, on your side, just in case somebody gets into one of your accounts,
gets into your password manager, that's what I do.
Like, I use literally different passwords to guard different accounts other than the master password.
So it's a good thing to do.
Just another tip.
Love it.
Yo, real quick, because we're talking about password managers, please, guys, if you're using LastPass,
stop using it immediately.
It's been involved in multiple data breaches.
Unfortunately, a lot of users saved their private keys and seed phrases inside of their password manager,
and those are starting to be compromised.
We've seen it happening over the past year since these LastPass data breaches.
So please, if you are using LastPass, immediately stop, switch your credentials,
and move over to another password manager, one that we recommend that's open source
and allows you to self-post your credentials so you're not relying on a third party is Bitwarden,
which is also outlined in that document that's pinned to the top.
Worth pointing out in your security briefing from Michael Kay.
That's a good one, man.
Love it.
You know, it's worth pointing out that you can use the free version of Bitwarden
and get a hell of a lot of security for free, too.
And frankly, I think it makes your life more convenient, not less convenient.
Like, it takes a few minutes, whatever, to set it up.
But, like, once you're set up, it's, like, you're just, you know,
you can use, like, a keyboard shortcut and just fill in all your passwords
and know that you're much more safe and secure.
You pay a little bit more for it or, like, have your company pay for it.
And, you know, you can have YubiKey or, like, you know, real hardened security on there.
And, you know, yeah, it's a good way to go.
Also, you can connect it with other services
and have it generate passwords and usernames for you for alias accounts,
which is pretty cool.
Yeah.
So I got a question, actually, that I think is kind of a question for Matilda.
But I'm curious what other people think about this, too.
You know, so we, you know, obviously we just had this recent breach of our Twitter account.
And, you know, we have a lot of different Twitter accounts.
We've also had people imitate our emails, in particular for grantees,
like, in the midst of our grants rounds when, you know,
there's a lot of potential money on the line and, like, you know,
you're just, like, hyped up and doing a lot of work.
Like, what do you think we should be recommending to people?
Like, how do you know that correspondence that's coming from Gitcoin
is actually from Gitcoin?
Yeah.
So this is something I've been thinking of for a while.
You know, like, we have a lot of Twitter accounts and we have, you know,
email as well.
What I've actually done quite a while ago,
I put a footnote in our emails that we send out,
just reminding people to check, like, how do you know this is the real Gitcoin?
Like, this is, if it comes from team at gitcoin.co,
that you know that it's safe and just always make sure to check that out.
I think, you know, there are ways of creating,
creating a more secure way, you know, like, the verified tech mark on your email,
which is something we haven't been able to do yet.
We're having a bit of trouble with our host currently to get all of that sorted.
But I think what we've also done is we've created a list of all our trusted domains
and all our trusted accounts and email addresses.
And then what I'm going to do as well is, like, these are the official Gitcoin accounts.
And then these are trusted.
That might not be Gitcoin, but they're affiliated in some way.
But then also making sure, like, what I've done since the hack is that if any account is listed on there,
it has to go through security protocols.
Like, it has to be secured a certain way with really strong 2FA or YubiKey.
And it has to, like, go through security protocols to be able to be listed on there.
But then I'm also curious to know, you know, from the speakers on stage, like, what they do as well.
I think we're also, you know, we're still learning and we're still improving ourselves.
But I think just making sure that we link that out there for people to know, like, these are trusted domains.
Because we're working with a lot, right?
Like, we've got a lot of products on the go.
We've got a lot of domains.
So, yeah, I think it's also just making sure that you know that something is, you know, from Gitcoin.
Because even if it's got the Gitcoin name and it's got a Gitcoin brand,
it just always makes sure that it is actually, you know, from Gitcoin.
So, yeah, Michael, go ahead.
Yeah, I think the easiest tip that I can give for this type of scenario, and this applies for both Web 2 and Web 3,
is that when you're getting a message, whether it's through email, text, phone call, a DM,
that's telling you to do anything, meaning they are inciting the action, you are not choosing what the action is.
So, to give you a quick example, you get an email from Chase Bank telling you to secure your account.
Click this link.
Or you get a text message from Amazon that says, hey, your shipment is delayed.
Click this link.
Or even if you get an email from GitHub and telling you, hey, this is a new article.
Check this out.
I personally always tell people, do not entertain the link that you are being provided.
Instead, go directly to the source.
And what I mean by that is, if you get a text message from Chase or an email from Chase, go directly to Chase.com yourself.
Do not entertain the links they are giving you.
Same thing with a text message from Amazon.
You want to check your Amazon shipment?
Don't check it through the link that's being provided to you from some random phone number that you've never seen in your life.
Go directly to Amazon.com instead.
So, you can confirm what's being served to you is actually legitimate.
So, it's really, if you're not incepting the action, it is most likely going to be a scam.
More fire emojis coming your way, Sarah.
Yeah.
I love that.
That actually happened to me last week.
I got this weird text message from FedEx or something saying that my shipment was delayed.
And I was like, oh, I think I had a FedEx shipment, but I've already received it.
So, I literally went straight to FedEx instead of clicking any links.
So, that's a really great tip.
Well, that's the thing.
What they do is they use FedEx.
They use Amazon.
They use Apple.
Things that they know that majority of people already have.
And what they're doing is they're sending that message out to hundreds of thousands of phone numbers.
They don't know if you have a shipment or not.
But what they do is they send that message out and they sit there and they wait for people to bite.
You are not necessarily being targeted directly, but there is a campaign that is trying to blanket the entire space of people they're trying to hit.
And hopefully, people end up biting and submitting whatever info they're requesting.
So, yeah, that's definitely a good point.
A situation like that, everyone always has a shipment coming in.
That's kind of a blanket message that could apply to anyone.
So, of course, if one of our parents sees a message like that, what are they going to do?
They're probably going to click on it.
So, another great tip I like to give is have a discussion with your family at least once a year about their own security.
Make sure they're not clicking random links.
Make sure they're not constantly paying somebody for a service that is not legitimate.
There's so many scam computer services out there that call up our parents and grandparents and tell them their network isn't secure and they need to pay $200 a month for security.
These are all active scams, and I highly recommend at least once a year, again, sit down with your family and do a personal audit with everybody and say, hey, are you paying someone for something you shouldn't be paying them for?
Did you ever let anyone into your computer?
Because people sometimes are actively being scammed, even our own family members, and we don't know about it.
Yeah, I love that.
I love getting texts from banks that I don't even bank with.
That's a pretty clear indication that it's a scam.
Yeah, Matt, go ahead.
I was just going to suggest, so on the email side, since you do have a lot of domains, you could implement something like a few other platforms have done.
Have people pick out a security word, and any email that comes from any domain to that person would have their security word on it.
Nice.
Yeah, I like that.
Yeah, that's a really good point.
Yeah, I mean, this is this interesting challenge that we have right now, right?
Because Gitcoin, like everything in Web3 land, is decentralizing more and more all the time.
And we have a bunch of different products.
There's Passport.
There's GrantStack.
There's our grants program.
There's our various different grants rounds.
And, you know, we have a proliferation of, like, Twitter accounts and community-led, you know, Gitcoin radio events and things like that.
And a lot of people posting stuff that, you know, is using our branding because they're part of the grants round.
They're, you know, a grantee.
And it does worry me that, like, we're going to see, you know, just more people, like, not only, you know, clicking on something from, like, let's say, our Twitter account getting hacked, which, you know, God forbid that ever happens again.
But, you know, definitely be careful.
I think there are some things that we could say that we'll just, like, probably never do, too.
Like, you know, we're not going to use FOMO other than just telling you that the grants round is about to end and reminding you.
Like, we're not going to try to get people to FOMO into, like, an NFT sale or an airdrop or something like that.
Like, you know, Gitcoin is, like, pretty committed to just, like, trying to be a stable, like, safe place for the community.
Yeah, go ahead, Matilda.
Yeah, that was going to be my next point for sure is that I think part of this as well is the messaging you choose to use with your community
and, like, the way that you communicate, and that is something that we have focused on.
So, like, we don't, yeah, there's certain ways that we won't write tweets.
Like, we won't create a huge urgency or a FOMO or anything like that.
And then, yeah, we don't, yeah, like, exactly what you just said.
And I think the messaging around it is also an important point to remember.
So, yeah, it is a lot to keep track of and for sure.
And I think, like, you know, what we're working on as well is just making sure that we're on our end, you know, giving the, like, just giving the community the resources to check all of this,
but then also just making sure that what we're putting out and if someone wants to check as well.
And that was something else I also thought of.
Like, if you're unsure about something, hop into the Discord and ask.
Like, is this legit?
We had someone last week, you know, got an email from us, which was a super legit email, but they just hopped in and, like, just asked if it was from us,
which I think is just a great practice if you're unsure as well.
Totally.
Yeah, I honestly made my day last week when I saw a community member wondering about a new Twitter account that just got spun up.
We, as we're decentralizing, the climate team has now spun off and become its own entity with its own Twitter account.
And honestly, every time we do something like that, there's this little part of me that's like, oh, God, another Twitter account.
Like, it's already so hard for people to know what's legit and what's not.
But, like, it really made my day that, like, somebody saw a post from that account, just, like, tagged me and John and was like, is this real?
You know, like, again, like, don't feel like you got to do this stuff alone.
Don't feel like you're going to be annoying people, like, asking questions like that.
Like, it is exactly the kind of thing that we should all be doing.
It's just, like, double checking if something actually is legit before, you know, before going further down that road.
And, you know, we were able to point people to, like, here's the governance post where this decision was made.
And you can see, you know, it being followed by a bunch of the people that work on the team.
Like, you know, those are the kinds of things that you can look for.
But I guess to move to another question, and it's kind of related to this first one, you know, what can grantees do to make sure that their payout wallet addresses are not hacked?
This has actually happened, unfortunately, to a couple of different grantees.
I just posted a link to one of my personal favorite projects, this project, Ayueca Uganda, who, unfortunately, when our Twitter account got hacked, clicked on the link and, like, you know, gave permission to something and, you know, lost, like, a little bit of dye.
Like, I think, like, 30 dye at the time.
But then, unfortunately, never took away that permission.
And when the payouts came, they just lost substantially more money than that.
I think, like, a few thousand dollars, which is, like, a huge amount of money for this project that does really, really good work with every dollar.
You know, just super heartbreaking to see happen.
So, I mean, one thing people do is they use, you know, safe wallets, like, or multi-sigs.
You know, that's one thing people can do, you know, which we do have functionality to facilitate as a payout wallet address.
You know, but I know there's other things.
And I can think of at least one really good one that I'm sure Michael could tell us about or maybe Plum, if you want to jump in, or Mac.
You know, but, like, could you just share, like, some tips for, you know, I think we covered this a little bit already.
But, like, just in particular, there's a lot of focus on these wallet addresses when people know that there's about to be some cash dumped into them.
You know, like, what else can people be doing, you know, in that sort of particularly heated moment, you know, kind of leading up to the payouts to ensure that their wallets are safe?
Yeah, great question.
I think a lot of it comes down to understanding what you're about to interact with.
Because even if they see a random link get posted, or even if, you know, the Twitter account looks like it's the legit account and it's not, there's really no line of defense unless you realize that security tools in Web3 exist.
And that they actually work, which is why we take so much pride in providing a tool with WalletGuard that lets you break down swaps, claims, mints, signatures, pretty much any interaction in your wallet into plain English before you hand it off to your wallet of choice.
I think it's important for people to also know that, you know, our service, we're not a wallet.
We're protecting your wallet of choice.
And I think a lot of people have that confusion.
So if you are able to see tools like WalletGuard or Pocket Universe or any of these other tools that are available, this is what makes it easier to understand what you're about to interface and transact with.
And security exists in the space.
We talk about it all the time.
So it's a matter of understanding that these tools literally take seconds to get.
And from then on, you at least have a security layer for your Web3 because an antivirus is not going to do what WalletGuard does.
This is the main difference.
We're looking at on-chain data.
We're breaking down what you're about to do before you do it.
So definitely take a look and implement these security tools.
I think it's super important.
Fun fact, as you were talking, I just saw a notification in my browser from my wallet card telling me that I should update something.
And I won't tell you what it is because I'm trying to not be that stupid guy who tells you too much about my own security profile.
But, you know, I just β I love the dashboard that you guys have.
This is a good opportunity to talk about Revoke Cash too, I think.
Maybe, Mackie, you can jump in there.
But, Cyan, I see your hand, bro.
What's on your mind?
No, I just wanted to back Michael up real quick again and just remind you guys, if you don't think that these things apply to you, you won't remember this advice.
So remember, we're talking about these things because they've happened to people who, just like you probably, assume that you weren't the target.
And I want to give Ben a hand clap.
Why?
Because he's using WalletGuard and he just made sure that he's keeping his stuff up to date.
I know WalletGuard is doing that for him.
So that's how I know what he's using.
Take care, guys.
Let's go.
Yeah, it's really like β we take the approach of multilayer, right?
Like we're not just going to tell you about transactions.
We're going to stop you from entering like a wallet drainer before you even have to connect your wallet, before you even have to run a simulation.
That's security alpha, a zero-touch environment where you don't even have to interact with your wallet to determine if something is something you shouldn't be touching.
And real quick, the other part of this is what you just mentioned is on-chain approvals.
A lot of times people leave approvals open, which allows bad signatures to take advantage of your open approvals and immediately rip items out of your wallet.
So in the new dashboard that we have with WalletGuard, we also allow you to revoke approvals directly.
You can see all of your assets at risk.
So it's super important to have all these different layers in play and to have people not constantly thinking about security.
It's not enjoyable when all you're doing is thinking about protecting yourself.
You have to have some sort of, you know, streamlining of your OPSEC so that you can enjoy degenning.
You can enjoy clicking links.
That's the point of the internet, guys, is to click on links.
So, yeah, it's really great to, you know, to build this tool that's kind of bringing all these different layers together.
Beautiful.
Hey, Mac, do you want to share a bit more about Revoke Cash?
You were one of the first people who really got that on my radar.
I think you do some stuff with Revoke Cash, if I'm not incorrect.
I mean, yeah, he's in a security chat with a lot of us in this room.
Well, a lot of us up on stage, especially.
So they have the Revoke things like WalletGuard does now.
They also have to where you can use an increment nonce contract.
It literally does what it means, or it does what it says.
It increments your nonce.
That way it effectively...
It's a null and void for signatures.
Not for the allowances, but for the underlying signature.
It gives that allowance, you know, meaning, which gives it...
It makes it able to be used.
So they do have those on Revoke.cash.
Just make sure you go to the right website.
There are literally a ton of fake profiles and a ton of fake websites for Revoke.cash.
It's Revoke.cash.
I'm not sure his handle.
Mike, do you remember his handle off the top of your head?
I don't want to say the wrong one.
I don't remember it off the top of my head.
This is why it's scary, guys.
You got to confirm the right usernames and site.
But yeah, Revoke.cash's website is literally Revoke.cash.
And please, I think this is an important time to note because it happened previously again
that when you are doing a Google search or a Bing search,
99% of the time, the first links are going to be scam ads.
And this happened last week with Revoke.cash again, unfortunately,
where a scam ad shows that it's Revoke.cash.
Once you click on it, it looks like a copy-paste of Revoke.cash,
but you're not on Revoke.cash if you look at the link that you're actually accessing.
So please employ having at least an ad blocker so that you don't have to worry about even
accidentally clicking on those fake links.
And the ad blocker we recommend is Ublock Origin, the letter U, the word block origin.
It's free.
It's open source.
It's available for all your browsers and definitely a big way to avert getting scammed
by those fake links.
And yeah, Revoke.cash is Revoke.cash.
That's literally the website.
You don't have to do a search for it.
Type it in directly in your address bar.
I did want to add in that they also have a browser extension.
So if you want to add that browser extension as well,
it also does cool things like WalletGuard does.
It does a lot of the human-readable transactions.
So you will have to approve it on WalletGuard and Revoke.cash
if you want to do a transaction.
But I mean, that's also adding another layer of security,
which in my mind is a good thing.
The more security, the better, especially with Web3, guys.
Yeah, absolutely.
I can't actually raise my hand because I'm on my laptop,
and I just realized that Twitter Spaces does not allow for hand-raising.
On the desktop version, yeah.
But I wanted to add something about Revoke.cash,
is that they have an option that you can switch between chains.
So when you're there,
make sure that you are not just revoking things on F main network,
that you also go to Polygon or anywhere else that you frequently use,
or that you may have assets.
Don't just stick with one.
There's a little button up on the top corner that lets you switch networks.
And that is something that your grantees should be doing
before they receive their funding,
is going and taking their receiving wallet to Revoke
and going through all the different chains
and making sure that they don't have anything up that they should not.
That is a really good idea.
You know what?
Maybe, Matilda, maybe we could even send out a reminder to people
right before payouts go out to do that.
Like, I think that's like a little nudge that we could do
over socials or email or whatever,
just like making people think about that moment
right before they're about to get some cash in their wallet.
Of course, all throughout the grants round,
it's worth thinking about
because, you know, all the donations people are getting
is just going directly into their wallets.
But definitely before the matching funds go out in particular,
I think is a moment worth paying attention to.
A lot of the time I've seen what will happen
is that they'll have an approval sitting on their account
from some time before that they didn't realize was there
from some dodgy site.
But because they don't have the right thing in there
or enough or whatever, it's not doing anything.
And then suddenly they'll get the money and it disappears.
And they go, well, what happened?
Yeah.
Yeah, that's exactly what happened with the folks from Iowaka, Uganda,
who I saw hanging out in the crowd earlier.
I think they're here.
Yeah, they are.
Much love, Jonathan, and all of you.
If anybody feels like helping out Iowaka, Uganda,
they just posted a tweet about what happened
along with a new wallet address,
trying to see if they can recoup some of the funds
for some commitments they've got
from the funds they were anticipating coming in.
I'll definitely be pitching in
and trying to get some funds from Gitcoin
just to show a little love to them.
And, of course, the next grants round is coming up soon.
So there'll be another way to do that as well
through the grants program.
But, you know, if you are feeling generous
or just want to help out a good project,
you know, I think, you know, they lost about 3K
and, you know, could go a really long way
for this community in Uganda.
Go check out their Twitter profile.
And I just want to say, yeah, definitely,
please help them out.
I took a look.
This is one of those small things Ben asked me
to take a look at,
and I just took a look at those approvals.
So for real cash was actually
one of the first things I recommended.
So, again, help them out.
They were really kind of devastated by that.
My feelings were even a little bit hurt
just taking a look at how all of that happened.
And, again, if you're not thinking about these things,
they will sit in your wallet for a while.
The last approval that I saw was from in December,
and then another one was from seven days ago.
So, you know, we have to be mindful
that even after things happen,
when you get help, take some cleanup.
There's been a lot of great output given on this day.
So please take notes.
Yeah, and just to confirm again,
if you guys don't understand
what this on-chain approval stuff means,
this means that if you have an asset,
let's say it's an NFT that you don't want to get rid of,
and you once in the past tried to list it
or list any part of it in a collection,
and you didn't revoke that approval,
this gives the ability for somebody
that wants to, you know, be a scammer
to list your NFT for zero ETH
to a private sale directly to their own wallet address,
aka literally ripping it out of your account
because you have an approval
on something that is being exploited.
So it takes seconds to do this,
just like it takes seconds to get an ad blocker,
just like it takes seconds
to employ some security OPSEC.
Please, guys,
this is security alpha we're dropping,
and keep in mind,
this is a recorded space.
I'm sure we're going to keep on doing these more
with Gitcoin
and all these amazing security advocates.
So hit that box at the bottom right.
Like and repost the room
for people that couldn't make it,
people that couldn't be here to listen in.
Thank you, guys.
Dang, bro,
you're doing better at the shilling on our space
than we are shilling our own space.
Yeah, we got to have you back more often.
It's very helpful.
Thank you, in a variety of ways.
You know, so we mentioned one thing.
This has actually happened to me,
I'll admit, you know,
I once went to a Mint for something.
It was a fake version of a Mint.
I clicked on the wrong link to get there.
Luckily, I was at least not using like a wallet
that had a bunch of cash in it.
It was a wallet I'd just set up
for this particular Mint,
but did lose the money.
I was going to go into that Mint.
I worry about the same thing happening
with Gitcoin Grants program at some point.
We haven't seen it happen yet.
But now that, you know,
the program is decentralizing,
the tools are available for anybody.
I don't want to freak people out,
but, you know, there is the possibility
that somebody could fork Gitcoin,
create a malicious version
of a grants program around.
I'm just thinking through like out loud here
with the community building in public.
You know, what can we do
to try to help people
ensure that the grant program
that they are participating in is legit?
Like definitely there's like the ones
that we run and the stuff that we feature
that you can find directly
through our website.
You know, but we really are trying
to give the ability for anybody
to run their own grants program
just like Gitcoin using the exact same tools.
You know, but there is the potential
that somebody, you know,
bakes in some malicious code somewhere.
So any thoughts on like what we could do
to help prevent that from happening
in the future?
You know, what could we do now
as a community or as Gitcoin
to like try to, I don't know,
create some guardrails or some safeguards
or whatever it might be
to sort of help prevent
that kind of problem down the road?
Yeah, I think auditing, you know,
I'm sure you guys have performed audits
on the contract, right?
Yes.
Although I'm sure you could always do more,
you could always keep them up to date.
We are always pushing more code,
but, you know, definitely have done audits
on the code.
Yeah, I think one of the big things
with auditing is, you know,
the code constantly changes
and a lot of times
when audits are performed,
a lot of the code is also not
ran through those audits
because it's being worked on
or has changed even by the time
the audit is out.
So, you know, being transparent
about the audits
and also the concept of like
who you're auditing with,
I think is super important.
For the users themselves,
I mean, verifying, right?
Like if, for example,
you are going to use it
to apply for a grant
or use it to spin up your own grant,
verifying you're dealing
with the right contract,
which a lot of times
people just don't take a second
to just check EtherScan
or to check, you know, the source.
It could help you go a long way.
Love that.
Yeah.
And we definitely could do more
to be transparent about our audits
and when they're being done
and who they're done by.
I think that's a really good call it.
Thanks for that.
Cyan, yeah, what's on your mind?
So in addition to audits,
I think another thing to do
when you're dealing with auditing
is be intentional about your scope.
The one of the investigations
that I had a chance to be a part of,
the audit was not the problem.
The audit was done.
The team didn't,
in my opinion,
they didn't do anything crazy,
but there were changes.
And like Michael said,
if you've done an audit
and there were changes,
you have to be cognizant
if those changes
are actually affecting
your bottom line.
If someone made a change
to a major part of the contract,
you might want to have an audit
or have someone make sure
they took a look at that
unless it was expressly recommended
from the audit.
But that's the type of things
that happen when we do these audits.
Everyone gets an audit.
Six months later,
there's a big update
and then there's a compromise.
That's a really good point.
And like, you know,
I think there's like
what happens with our own version
of the platform
and then there's like
forks of the platform
and what people do with it.
And it's tough.
Like, I think it's going to just
take a fair amount of like
community participation,
you know, like third parties
taking a look at these grants programs
that are floating around
that people are promoting,
you know, like,
and I think it just comes down
to that not FOMOing
and like really being,
you know, careful
to like check with people.
We'll definitely have like pages
that we create
as more and more
of these kind of rounds
run by others
are out there.
But, you know, truth be told,
there'll be tons of them
that we don't even know
are happening,
which is kind of
what we're hoping will happen.
But, you know,
I think it's going to take
a little bit of extra
community participation
to just make sure
that we're all kind of
making sure what's out there
is legit.
You know, it's a wild world
and, you know,
the beautiful thing
about this community
is that, you know,
more often than not
the community
looks out for each other.
So, you know,
definitely, you know,
something to think about
as we see stuff unfolding.
Maybe I'll pivot from that
to actually something
that's very much a unique
to Gitcoin attack vector
that we actually have seen
in the wild
a couple of times now,
which is the approval process
for grantees.
When a grantee
is not approved
for a round
in the grants program
and they want to appeal
and they're reaching out
to, you know,
the people running
that program
in particular
to like featured rounds
that are not being run
directly by Gitcoin
but are being run
by community members,
what we've actually seen happen
is it's kind of like
the equivalent
of one of those
MetaMask support requests
where somebody pretends
to be MetaMask support
and, you know,
and then tries to send you
to a drainer
or something like that.
We've seen the same thing happen
where somebody gets
not approved
for a grants round
and then somebody pretending
to be the person
who's running that round,
you know,
on Telegram
or on Twitter.
In this case,
it was actually on Telegram
that I'm thinking about
in a couple of different occasions
where somebody reached out,
you know,
in the chat
where people were
looking for answers
and pretended to be
the person running the round.
You know,
they used their name
and their picture
and then tried to send them
fishing links
and luckily
in, you know,
at least the two cases
I'm aware of,
those people
felt something
was a little off,
something was a little fishy.
I mean,
what they were asking them to do
or asking them to click
seemed a little wrong
and they reached out to me
or to somebody else,
you know,
just double checking
and we were able
to set them straight.
But anything,
I think we've basically
covered this
with some of the other
sort of similar tips,
you know,
as it relates to like
just being careful
what you're clicking on
and like really double checking
that it's like
the actual real deal
and, you know,
not FOMOing in
and being careful.
But, you know,
it's particularly predatory,
I think,
when like people have a problem
that they're trying to solve
or they feel like they're,
you know,
in a tight spot
and like they're just looking
for a solution
and they're so happy
somebody shows up
to try to solve their problem.
Anything in particular
that jumps out at you
about that scenario?
Anything slightly different
that we could bring up
or anything you just want
to kind of close us out with?
Yeah, Michael, go ahead.
Yeah, this is
where social engineering
is such a massive problem,
but it's also very easily
avoidable.
So a lot of times
these people are in your DMs
for months,
they're acting like your friend,
or they do put up a persona
that they are somebody else
and they use their profile picture
like Ben was saying.
The concept there
is to always stay vigilant
and always, again,
source it yourself, right?
So if you see a DM
from something
that looks like
a legitimate account,
go ahead and do a search on X
for the same account,
the same username,
the same profile name
and see if other accounts exist
and maybe you're not even talking
to the real person.
So staying vigilant
right out of the gate
I think is one of the best things
to do when it comes down
to being socially engineered
and also to know
that if someone's in your DMs
and they're attempting
to only converse with you there
and not in a public forum,
which is also super important,
asking questions in a public forum
like it was previously mentioned,
keep it in public
when it comes down
to trying to get those answers
outside of just believing
someone in the DMs
where no one could really vet
what they're telling you.
So yeah,
for people that are,
especially it's very unfortunate,
like you said,
you know,
they're trying to get grants
and then they're being
taken advantage of again
when they're just trying
to do the right thing.
You just,
there's not much
you could protect
in that scenario,
just like there's not much
that a security tool
could protect you
from sending your crypto
to a specific address
if you're doing it manually.
You know,
you're choosing to do that
and I think that's one
of the double-edged swords
of blockchain in general,
that things are final
when they happen,
which is a good thing,
but things are final
when they happen,
which is a bad thing
if you're not paying attention.
So stay vigilant,
guys.
100%.
So maybe just one last question
and then like,
we can just round this all out.
I know we're at the top of the tower.
I think Plum had her hand.
Yeah,
she was hitting the,
correct me if I'm wrong,
Plum.
Please jump in.
I would say honestly
about the possibility
of running some of your grantees
through maybe a specialized
sort of course
like what Boring Security offers.
Like maybe,
you know,
just a cut and dried
kind of version
of things that they should be
looking out for
if they haven't already
done one,
but something like that
might be very beneficial,
especially if they're not
exposed regularly
to the sorts of
scams
that
the rest of us are.
Yeah,
that's a great idea.
Plum just coming out there
with the,
with the bangers.
Thanks for,
for patiently
trying to raise your hand
using the,
the weird desktop interface.
You know,
that,
that,
that is a great idea
and,
you know,
it may be even the kind of thing
where like you get a,
you know,
some sort of certificate
when you're completing it
and maybe we even tie that
to a passport stamp
or something to like
motivate people to do it.
I think that's a great idea.
We did do like a
how to participate
in the grants round course
a couple of rounds ago
just to kind of help people
with the user experience,
but we didn't really go
that much into security.
We definitely could do
a heck of a lot more
than,
of that kind of thing
and would love to,
to partner with some of you
or just,
you know,
do something that like
even people can do
on their own time
that's just kind of
an automated walkthrough.
But yeah,
thank you for that.
Make it like a condition
of something
that they need to do
before they sign up
for getting awarded.
Yeah.
You know,
free,
free complete your,
your security training
so that you can sign up
for the next round.
Yeah.
You know,
we in particular
have a lot of like
noobs who show up
to be part of our grants program.
Like Gitcoin is a,
you know,
a great bridge
between the web 2.0,
2.5 world
and web three.
You know,
for a lot of people,
it's like a first experience
in this space
and it's always
that balancing act
of like friction
you know,
sort of the best possible
user experience
and safety.
You know,
whether it be
with our passport tool
trying to prevent
civil attacks
or like the things
we do to try
to keep people safe.
Cyan,
go ahead,
sir.
Nope.
Can't hear you.
I think I'm not
looking at this,
but I think I had
to capture this on
to see what you,
what you're saying,
Ben.
I'm actually about
to step out
for a work thing.
So I really,
really appreciate
the Gitcoin team
for trusting me
and Plum
to help them out.
You making me crazy.
Good stuff
on the initial attack,
bro.
And everyone else up here,
keep passing your alpha.
Can't wait to talk
to you guys soon.
Cyan out.
Right on,
bro.
Thanks for being here.
Appreciate all your help
and all the things
you're doing
for the community.
I was just going
to leave us
with one final question,
but feel free
to answer this
however you guys want.
Like,
basically,
there's just so much activity,
so many links
people are clicking
during this,
the grants program,
whether you're running around
and like verifying
all the grantees
or you're a grantee
looking at all the posts
and the links
that people are sharing.
You know,
a lot of people
are doing it
in a pretty degen way,
although they're doing it
for good cause
a lot of the time.
But,
you know,
people are burning
the candle at both ends,
you know,
doing late nights
and,
you know,
and just clicking
on a ton of links.
Like,
just any final thoughts
on like how to keep
yourself safe
in that kind
of an environment,
you know?
Like,
malware bytes
is like one thing,
like maybe just like
so that you're not
accidentally going
to phishing sites
or whatever.
You know,
there's probably
other tools like that
that maybe people
could use or browser
extensions that like
just help you prevent
like ending up,
you know,
putting something
malicious on your
laptop or your desktop
or whatever it might be.
But any other
final thoughts
you want to add
just to like
what to do,
you know,
in those kind of
two weeks of
insanity of the
grants program?
Yeah,
Michael.
Yeah,
definitely great
to mention
malware bytes,
but specifically
the premium version.
There is a massive
difference between
the free and premium.
The free one's only
going to allow you
to run manual scans
and that's it.
But the premium version
does proactive scanning,
proactive detection.
It also does
scanning automatically
for you.
So it's definitely
worth the $20
or $30 a year
for the premium version
of malware bytes.
And like I mentioned
before,
an ad blocker
is an easy win.
You block origin
free open source
and it works with
pretty much any
browser you're using.
This is again
desktop based browsers
and like Chrome,
Firefox,
Edge and all that
good stuff.
And of course
there's other
security opsec
that you should
always employ
like having strong,
unique,
randomly generated
passwords
and making sure
you're using
software or hardware
based two-factor
authentication
instead of
phone based,
text based,
two-factor
authentication.
So I definitely
tried to break
all that down
in the article
that I did post
to the top
and it's been
an amazing space
again, guys.
I think this is
such great information
that gets shared
in these spaces
and even if
one person
benefits from
any of the tips
that any of us
gave up here,
it was worth it.
So big shout out
to everybody.
Thanks again
for having me up.
Right on.
Thanks for being here,
Michael.
You contributed
so much to this space
and so much
to Web3 in general.
Much appreciated.
Mac, Plum,
you want to round us
out with some final
thoughts?
I think we lost
Wes there too.
Sorry to not call you
up there more,
Wes.
Appreciate you being
here with us.
But what about you,
sir?
Mac,
any final thoughts
you want to share?
Just be safe.
Be careful.
If you're not sure,
double check.
Ask multiple sources.
I mean,
there's little things
that everyone can do
on a daily basis
to keep themselves
safer in Web3,
especially in Web3
where most people
store their entire
net worth on one
wallet for some
god-awful reason.
Yeah, that's pretty
much it.
Just be safe.
Stop Clicking on
Stupid Links.
Download Wallet Guard.
Right on.
Thank you, sir.
Plum,
any final nuggets
of wisdom you want
to share?
Pretty much the same
kind of thing,
honestly.
You can get all
of the protection
and all of the
tools and all of
the checks and all
of the software
that you want,
but in the end,
generally the errors
are caused by the
humans.
The person at the
other side of the
computer keyboard
is the weak link
and that's always
where the failure
ends up lying.
so try to protect
yourself from
yourself and
that means if
you're stressed
out, if you're
tired, if you've
been dealing with
sick kids, if
you've got a
million things
going on at
work, if you're
zipping through
emails, if you're
clicking on stuff
while you're
sitting on a
space, you know,
try to envision
scenarios like
that, that you
can protect
yourself from
yourself.
You know, I
had a friend who
worked in the
computer department
at London Drugs
many lifetimes
ago and he
told me they
used to have
this code that
they would call
out when they
needed a technician
to come help
with something
that was really
the user's fault.
They called it a
webcam error, a
problem is between
keyboard and
monitor.
You know, and
I think more
often than not, a
lot of these
problems are
webcam errors.
They're a problem
between keyboard
and monitor.
In other words,
it's you sitting
there clicking on
the wrong thing,
but definitely
can help to
have a bunch
of safety and
security steps
in between, like
even just like
using a ledger
for some things
or another hardware
wallet, like, you
know, that can be
great or like
using multi-sig for
your payout wallet
address as a
grantee can
definitely be really
helpful and just
ask questions.
Don't rush, ask
questions, you
know, take
your time, you
know, touch
water, eat
grass, eat
grass, touch
water, drink
water, touch
grass, something
like that.
I don't know,
whatever you're
doing, slow
down and do
I always heard
that that was
the Pebcat
error.
Problem exists
between keyboard
and chair.
I might have
messed it up, or
maybe there's
different variations.
Maybe that's the
Canadian one from
Vancouver.
Well, that
ID10T error, which
is one of my
favorites.
Perfect.
I love it.
If you haven't
figured out what
that one means,
just type it out,
you'll figure it
out.
ID10T.
Matilda, I've
been talking a lot.
What's on your
mind?
Let's close this
thing out.
Any final thoughts?
Yeah, I just
want to say how
much I appreciate
everyone on stage
and for everyone
taking the time to
be here and, you
know, jam with
us and also
everyone just
tuning in and
listening and,
you know, learning
more about security
and, you know,
I've learned a
hell of a lot
this year and,
you know, it's
something that I
think maybe a lot
of people avoid
because it's scary
and it's time
consuming, but it's
just so important
and I agree, you
know, we all
take, we got to
take, that's how I
see it, you know,
my security is my
responsibility.
So I do everything
that I can and
I learn as much
as I can, but
yeah, I'm just
excited that we
are also hosting
these spaces and
yeah, you know, I
love the idea of
just educating the
grantees ahead of
the round, you
know, we've got a
grantee portal and
yeah, I'm seeing
like maybe we have
some resources on
there that helps
them, like here's
some steps, you
know, that just to
follow, you know,
before you participate
and really just slow
down and all of
that, you know, it's
a two-week period
so, you know, there's
time and everything
as well because we
love leaving things
to the last minute
so yeah, I
definitely see that
I'd love to set
that up for GG19
and yeah, I just, I
love it, I use
WalletGuard as
Anne Revo Cash, I
absolutely love it, I
have, I just
installed that ad
blocker as well
that you, that you
mentioned, you know,
all the tools and I
love the new
WalletGuard
dashboard, I just
have to say, really
good job on that
so yeah, it's been
another incredible
space, we're hosting
these every month
now, I'm sure we'll
have, you know,
another one sometime
in November, probably
after GG19, after
all the madness, so
yeah, I just want to
say thanks and
yes, go inhale some
nature as well from
time to time, whenever
I, that's what I do,
like whenever I'm
stressed out or
whenever I have a lot
on my plate, I just
go take a walk and
like, go take a walk
and come back and do
the important things
when I'm in like a
clear, clear head
space, so yeah, that's
it from me and thank
you everyone, we are
10 minutes over, so
yeah, I think it's a
good time to wrap and
yeah, appreciate
everyone on here and
thank you to Ben as
well.
Just for the sake, just
one last thing, Matilda,
you know, if Matilda can
keep herself safe, you
know, falling out of
airplanes, we can keep
ourselves safe sitting
at home on our couch or
our desktop, you know,
so it's all a matter of
perspective, right?
Like, but it comes down
to preparation, I'm sure,
and like just being
thoughtful and like
taking advice from
experts, so, you know,
like stay safe out there
and, you know, funny
thing, we didn't even
mention it, but
applications are just
about to open for the
Gitcoin grants round.
I literally later today
with some of the
co-workers will be
spinning up the next
set of grants program
rounds, so stay tuned,
applications opening
very soon for the
program rounds and
probably very soon for
the community rounds as
well, so yeah, just a
little bit of alpha for
you if you didn't know
that already, but
November 15th, the
rounds kick off, they'll
be going for two weeks,
it's going to be a good
old time as usual, but
yeah, just to end
things off, you know,
if you're thinking
about being part of
the program and
applying, maybe it's a
good time now to go
look at those
permissions in your
wallet and revoke
permissions for
anything that you
don't recognize or you
don't need, you know,
that's a great place to
start and Plum, I love
your idea of a course,
maybe we can go there
before the round kicks
off, at least something
pretty simple, even if
it's just a little
Google meet that we
invite people to or
something, you know,
I think that'd be
great, so yeah, thank
you again to everybody
who shared their time and
their energy up on the
stage, Matilda in
particular for like
coordinating all of
this, you know, for
pulling together the
speakers, for really
pushing this initiative
and really just for
being one of the
leading voices for
security inside of
Gitcoin, raise my
hands to you, yeah,
thanks to all of you,
high fives all around,
please pass this on to
somebody who needs to
think more about
security, which is
everybody, so pass it
on to everybody, all
right, much love y'all,
peace.
Much love, bye.
Let's go.
Let's go.
