Projects
![]()
No projects found
Investors
New
DAO Treasuries
DATs
Lend / Borrow APRs
Chains
Categories
Spaces
Geeq Community Hangout
Recorded: July 24, 2025 Duration: 1:01:06Space Recording
Short Summary
Geek Labs announces strategic partnerships and project launches aimed at enhancing security and privacy in the crypto ecosystem, while also integrating advanced technologies like AI to drive growth and innovation.
Full Transcription
Thank you. Hello, hello everyone.
Good to see you guys.
John, if you would request to become a speaker, I'll accept it, obviously.
Thank you. Oh accepted obviously hey john okay perfect how are you doing i'm doing good okay perfect perfect um so let me just okay
so i see paul g paul g good to see you buddy great. Great for you to join as well. Thank you for being so active on Telegram and Tweet.
X, I should say X, right?
Really much appreciated.
Speak English, Robbie.
Sorry?
Speak English.
Yeah, sorry, sorry.
It's Z and X.
Z and X, yeah, right.
All right.
So let's just jump in.
I'd like to welcome everyone to another geek space.
Today we'll be hanging out with the geek community.
I'm sure more people will join along the way.
And we'll be diving into a topic that's getting actually more relevant
and more dangerous as well by the day, which is called social
engineering, right? So we'll talk a bit how
people, not systems, are often the weakest link in cybersecurity
and why it's time to rethink our protection.
I think this is a bit overlooked nowadays as well, you know,
with all these potentially shady links people would need to click or like advertisements, all these kind of things, right?
So, John, let's start with the basics, if that's okay for you.
We're told to be careful online.
So, what does actually social engineering look like in daily life?
And could you maybe bring up some examples on this as well?
Sure.
It's all over the place and it gets worse and worse.
So the one that you're probably most familiar with are phishing emails.
So these are getting more and more sophisticated.
So they, I get at least four times a week,
something that's allegedly from DocuSign,
you know, here, sign up for your new benefits or, you know,
here's the contract that will make you a million dollars,
that kind of thing.
Oh yeah, yeah, yeah. I remember these.
Yeah. So that's one. And then there are alerts that you logged into someplace or that if you
didn't, you should log in and change your password. Or Norton is going to bill you $57,000 unless you
click here and tell us that you don't want to renew your subscription.
And on it goes. And the point here is to make you feel like if you don't do something, there will be a very bad consequence.
And so the social engineering part is, I guess, two parts.
One is it's to get that behavioral reaction where, you know, whereas you would try to ignore spam and filter spam,
somehow this one gets you concerned and you therefore have to respond or feel that you do.
The other is to try to prevent you from knowing what the, from figuring out that the origins are
not what you think they are. So there are various ways that they're disguised.
And there are lots of ways that you can protect yourselves.
One of them is if you see a link, you know, click here to do whatever.
Almost always the link will not even remotely be like what you expect. So if it's from Amazon, the link will be 123kazoo.xyz.
And so that's an easy way to figure out
that it almost surely is not true.
But sometimes it's something like amazon.email.com.
Well, most people don't realize that email is the URL,
and that's one that you can use as an email address
through a provider that has purchased email.com.
And the other part, amazon.email, that's a subdomain.
And so that has nothing at all to do with Amazon.
It could be anything at all.
So it gets clever and clever, and there are other ways to obscure.
So you make a mistake, you click, you change your password
by giving your current password, and now your credentials are gone,
and the rest is lots of fun.
Right, right, right right right because like actually um
so you mentioned docusign i've used docusign as well along the years like can a can a request
to sign a document also be a trap somehow sure um usually the the document will request that you provide personal details.
So fill in your email address, fill in your phone number, give us something to guarantee. reasonable that if you're signing a document to get get a i don't know to get an invoice paid or
something that you would give your banking details for example so that the transfer can be made so
you know lots of different approaches but effectively you're all of these are asking
you to give up some kind of credential or information so that it can be either just used as information
or used for some other kind of attack.
Right, right.
I'd like to welcome as well, Brave, Kieran, Obi, good to see you guys as well.
So we'll be, we're talking about social engineering, the dangers of it.
And actually, like maybe it was two weeks ago or something.
So as many of you guys know, I live in Portugal.
When you become a resident in Portugal,
you have a certain tax number,
which means the government has a platform
where you can log into,
and you can see if you have open bills to pay
or if you have a speeding ticket, everything comes into the platform.
And so I had an email which looked very similar to the email that I would get from the proper authorities telling me like, hey, we have a potential tax return to pay you.
You need to click on this link and fill in the data and everything. Obviously, I didn't click on the link.
The first thing I did was to look at what the
email URL looked like. It was very similar, but
obviously you cannot be
vigilant enough, so I checked another email I had from them maybe a year ago or something,
which wasn't the same. So then checked i logged into the platform that they used and nothing was open
you know so like i mean it's it's really scary right so for example what could happen if i would
have clicked on that link i didn't click on it like what could happen you know like
click on it like what could happen you know like uh well first of all let me say that you cracked
the code there um what you did was you went and independently went back and verified so instead
of clicking through on the link you found the link or you you know you you went to an email that you
believed was authentic or you looked it up on google or something. So you found the tax authority. And then so that's, so we'll discuss this later,
but what you did is called a pull.
So you went to a source that you believe that you trusted and pulled information.
Now the email is pushing information.
It is unsolicited.
It's coming to you and you don't know the origin.
So pushed information is untrustworthy because you don't know the origin so pushed information is untrustworthy
because you can't tell the origin pulled information is trustworthy to the extent that you're pulling
it from the correct source and so the challenge is it's much easier to know where you're where
you're pulling from than what's being pushed at you um but anyway so your question was what would
happen well what would, a variety of things
need to happen actually, but one of them is, as I said,
you'll be solicited for information,
but there's a whole range of other kinds of attacks.
For example, there's one now called Quishing,
and Quishing is where you photograph a QR code.
And it's very insidious because it doesn't necessarily
have to be a QR code that you mean to photograph.
You know, you could photograph a menu QR code
and pull up the website that has the menu
and you do that intentionally.
But if, Robbie, you and I are on vacation in Paris,
as we often are um and
and we we uh you know i took a picture of you the eiffel tower and behind it was a poster
with a qr code your your phone may actually view that as a voluntary photograph and then go to that
site and it can be configured depending upon how well your security is set,
the operating system and so forth, to download an app
and then put an app on your phone that's in malware
and can spy and various other things.
You know, it could, for example, if you've authorized location,
it could find out where you are all the time.
So that's a very insidious one.
If you click on a link, same thing can happen.
Windows is not a very secure system.
You can install software or get permission for something
and now your system is compromised.
So it's not supposed to happen,
but we know that Windows is not well patched.
So all you have to do is find an exploit
or somebody that hasn't set the settings correctly.
Won't work for everybody, but it'll work for enough that it's worth it.
Right, right, right.
So actually, these things are really getting more advanced, right?
So could we talk a bit about like
modern forms of manipulation
in a sense like
could you maybe explain how
scammers could use fake websites
with real phone numbers or links
to legitimate organizations
to look trustworthy
well it gets harder and harder
so that's right
back in the old old old days there was something there was
something called a con artist con artist uh con comes from confidence so a confidence man and the
idea was that they would present you with a social situation and a set of apparently supporting
evidence like i turned to the guy on my left,
who I don't know. And I say, yeah, didn't you see that guy, you know, drop the $100 bill?
And yeah, I did actually. And then it appears to be true because you have no idea that they're
connected or you should, but you don't. So the idea is to build confidence, to make you think
that what you're seeing is authentic and you know email is
a simple example of that but somebody could call you on the phone as an example and because of of
the way that all your data is collected i could say well i see that you know your daughter is
at the university of kalamazoo and she's just been admitted to the hospital.
So could you give us her student number
and, you know, to confirm,
because I can't give you any information
unless you give me your student number
so that I know I'm really talking to her parents.
And she has this bill or, you know,
and how long can they push me along
until I give them something?
Another would be, you know, I get a warning that my Microsoft software is compromised as malware.
Now, that's, of course, a redundant notice because Microsoft is always broken.
So you don't really need the notice that it's broken.
But you get a notice and you panic.
You know, you're not sophisticated.
You call and you get a support center.
And now they just walk you through it.
And one thing that they often ask is, oh, this is so difficult.
Why don't you give me remote access to your computer?
You know, and I'll just fix it for you.
And a lot of people are so impatient by that
time and they don't know about computers they'll say yeah okay well now he's got administrative
access and he can do absolutely anything take all your files you know get your get your password
anything that's possible he can do you know he for example, perhaps look at the passwords you stored in your browser.
So there's, that's more in the spirit of a competence man, because they do get you to go
there, you know, through an email or something else. But once you're there, it's a person-to-person
conversation where they're using data they've collected on you, just bought it from the social
networks, and then using that to convince you that they're
the real thing. Right. What about scam ads? Like, can someone get redirected even to a legitimate because, you know, I don't know if you,
I have an application that shows me
every source of elements of a webpage
and you can selectively block them.
And that's because I'm a nut.
I'm crazy about security.
So I systematically block certain sites like Google.
But if you pull up a webpage, it has information from whoever it is, you know, New York Times.com or something.
But then all the widgets and all the ads are coming from somebody else, from Google, from AdWorks, from National Weather Service, from some data feed, from somebody that's got a tracking pixel that just wants to know that you clicked on the page and take a fingerprint of your computer.
So there are usually at least 10 different sites feeding in.
Okay, so do you think the New York Times has vetted all those?
Maybe they've done some effort,
but how can you know that 15 different entities
are at that moment completely honest
in doing what they say?
They certainly aren't.
So there's an ad there on the page,
looks legit, it's right there in the New York Times,
you click on it and then anything could happen right so basically that also means like even a
properly registered domain name can be used to trick people right that's that's
true and that's a more subtle problem actually let's let's put that one off
for just one second.
But yes, that is absolutely right.
Let me just say one thing that I've gotten recently.
So I used to get, at least once a month, an ominous email that said,
is the bad news for you we've been we've infected your computer with malware we've got access to
this is bad news for you. We've infected your computer with malware.
your to your your browser history into your phone and your microphone we can turn them on without
you noticing and you've been visiting naughty sites and unless you send us two thousand dollars
to this Bitcoin address we're going to release it to all of your friends and co-workers and so forth
as we have your social media contacts so they'll know all of your friends and coworkers and so forth, because we have your social media contacts.
So they'll know all of your disgusting predilections and so forth.
And recently I got another one that said,
I'm a very bad man and I've been following you
and I know where you live and your family and everything
and send me $2,000 or else such terrible things will happen to you
take this seriously you know so these are threats and there's a place that you can you know allegedly
put uh you know send them bitcoin and then everything will be good so you know this is
a different kind of scam because what they're trying to do is,
it's a low return thing.
So you're,
you have to voluntarily decide that you're going to take this seriously and,
and click and send the money,
which of course will show that you're an idiot and then they'll send you more
emails like this. But,
it, the reason that these things work, you can say, I'm smart, it'll never happen to me.
But okay, you're smart, but is your aunt, is your mother, is your 14-year-old? And I won't be smart,
I won't be smart. There'll be a period. This is what happens to everybody. I think I've said this
there'll be a period, this is what happens to everybody, I think I've said this before,
before. There'll be a period for most people right before you have to be put into a home when you're
declared incompetent. So there'll be about a year between the time where you're sort of losing it
and the time when it's obvious to everybody that you've lost it and they take care of you and they
take power of attorney. in that year you can
make terrible mistakes because your judgment is no longer any good so that's i don't know what
a hundredth uh an 80th a 60th of our life so one in 60 anybody is going to be in that situation
and so i don't have to get everybody but if I can get even 1%, that's an amazing return.
Everybody's incompetent sometimes.
Yeah, that's true.
Does that mean that it's a numbers game for them?
Like just get contact information and just send the same email to, I don't know, like 10,000 people
in the hope someone would take the bait?
Absolutely, yeah.
And it's a numbers game with the advertisements and the emails and the texts and everything else.
You don't get a high yield.
It's the same thing with asking for donations.
If you're the Democratic Party, Republican Party, you send out thousands,
millions of texts. I got millions of texts. And, you know, maybe 1%, half a percent donate,
but that's enough to pay for the effort. So yeah, lots of all advertising, including
phishing, is a low return gain.
is a low return game.
Right, okay.
So another thing that's been active already for a while,
and I have experienced something myself as well,
which is deepfake, right?
A lot of people know what deepfake is nowadays.
So it's a serious issue right if someone
is pretending to be someone they're not during a video call um so what happens when you can't
even trust what you see or hear anymore right yeah like no deepfakes and synthetic voice making
What about deepfakes and synthetic voices making these scams hard to detect?
Right.
So one thing that we used to use as a filter was basically proof of work.
So if a scam cost somebody so much effort, thought it was implausible that they would do this to perhaps get $5 from you.
So just the difficulty of doing the attack made it credible.
Anything that came at you that you were concerned about,
if it was difficult to do, you took that investment of effort
that it required as evidence that it might be the case.
So that's a reason, for example, to simply reject anyone that claims
that they've seen you watching pornography
because that's an absolutely free email to send.
Costs nothing to send that threat.
So because it costs nothing to send the threat,
it's a very uncredible threat.
So anything that costs nothing is not credible
because it can be replicated for that low yield.
And so to be taught, now you come to artificial intelligence.
So you send me a link and I click on it.
Well, you can have AI look at Bank of America's website and replicate it almost for free down to the very last detail.
And even maybe make an estimate of what my bank account numbers
are or lots of other things you know you could you could send me there and make it hard for me to
log in so i try to get my credentials and i give you my two-factor authentication my phone number
and then you do a sim card uh clone and you can get my two fat you know know, so, but it's, it's, it's easy to make on the fly, any kind of website that is absolutely believable.
And as AI advances, you're going to have a phone call that is intelligent and sounds like somebody and can tell you things that, that apparently only they would know, you know, how would my dad know that I, who would know that I was in Bermuda in 2012?
Well, they have my receipts and that's a thing they happen to know.
So they might say, I remember when, and that adds credibility.
And that would have been almost impossible to believe 10 years ago.
But now it's certainly true that that data is available.
So I can create synthesized voice
i have information i can react the way that i should react because i know that i'm imitating a
35 year old woman or whatever it happens to be and i might know something about her as well
and video just one step further websites and so so the things that are going to be used to make you make mistakes are going to get
better and better and almost indistinguishable from reality.
But then also AI is going to help target.
So they're going to look at whatever my information is and say, you're depressed or you're greedy
or you're in financial trouble or something and tailor the attack for that kind
of person or your demographic suggests that you're not sophisticated and so or you're sympathetic
and i just have to pull on your heartstrings and you'll make a donation so targeting plus the
quality is going to make it really hard for anyone, and certainly for people that are not that sophisticated,
to protect themselves.
So basically, it's all about to break.
It's already pretty broken, but it's all about to break.
Right.
And I mean, you mentioned multi-factor authentication.
Yep.
I would like to discuss this as well like why does gig believe
that mutual authentication is more important than multi-factor authentication all right so so let's
get to this idea of push and pull yeah so we go way back to you know to this idea that if somebody
sends me an email or you know somebody calls me on the phone somebody sends me an email or, you know, somebody calls me on the
phone, somebody calls me on the phone and says, I'm from the fire department, would you donate?
Or I'm from, you know, Greenpeace, I'm going to do a survey. Well, never answer a survey question,
because that's just giving personal data to somebody on the phone who could be anybody.
You know, I could use that against you to fish you further or, you know, say, okay,
you're an untrustworthy person. You're a,
you're a person whose politics I don't like. And then I can record that.
So never, ever answer questions to somebody on the phone, you know,
unless you're calling them, but if they call you, assume,
absolutely assume they're a scammer because that's a push.
So if you're worried, call them back, call call look up the fire department charity call them back look up you know whoever says that
you need to pay a bill and and so forth lately i've been getting i'm sorry i'm going to have
on track i've been getting bills um by text so one alleged that I had gotten a speeding ticket in New York,
which I haven't been in, and I should
pay it by
clicking on the text link. Another
claimed I had a medical bill from a doctor
I'd never visited.
that...
Sorry, John, I just want to pick in on
this because you were in Naples
a few weeks ago. Do you think it has to be related somehow?
Oh, no.
That was not a very good scam.
It's very plausible.
You got an e-ticket from a traffic camera, and New York is now sending you the bill.
And if you don't, they're going to send it to a collection agency and ruin your credit so how do i know i could have easily had had a ticket if i'd been
in new york and i don't know where the traffic cams are could even be a false one but you know
it's still a ticket oh you said you said new york i thought you said europe oh no i'm sorry i said
new york no just just a random my bad yeah okay okay but let okay let's go to this idea pulls and
pushes yeah okay so you know somebody knocks on your somebody calls you up
somebody sent you an email somebody sent you a text all of those are pushed
information somebody sends you an alert you know somebody logged into your
account and all of that's pushed but on on the other side, it's also pushed.
So if I go to a website and I give them my credentials,
they didn't pull those from me.
I'm pushing my password and my username at them.
So that could come from anywhere.
They don't have any idea.
So they're sort of hoping that with the two-part authentication, when they text my phone, that that's a pull.
But it's not really because I've provided that information.
And also, we don't really know that you're pulling from the right source because of SIM cards.
And I could have captured your email address and lots of other things.
So it's not a very good method, but,
but on both sides of that transaction it's pushed information.
So I pushed my passwords and then I get emails and so forth pushed to me.
So what is, what's the solution? When I,
when I go to bank of America.com we'll talk about why it might not really be,
but for some values of confidence,
it is Bank of America because I have gone there.
I have found the URL.
It's a URL I've already used.
So I go there.
So I'm pulling that data.
So I might be reasonably confident
I'm talking to the right group.
But Bank of America isn't
because they're trying to authenticate me.
They don't know who the heck is knocking on their door.
And that's why we have all these credentials.
And certainly when they send me an alert,
then that's pushed to me and I'm responding and going who knows where.
So what's the solution?
Well, the solution, simple solution,
when somebody calls you on the phone call
them back that's the poll so the solution here is to have the
authentication work as a pull in both directions and so the bank pulls
information from me and I pull information from them and that way we're
we have this two-sided authentication
where i've given a credential that only i could have not a password that i could use i could lose
but a credential that only i could have and therefore the bank knows that it's me and when
the bank asks for the credential sends me an email sends me a text or or just asks me to log in when i get to
the site it also authenticates to me and i know that the bank actually wouldn't be able to do that
unless in fact it was the bank so this two-sided authentication we can go into the particulars of each attack vector,
but it defeats basically all of the attack vectors
that we see.
Some are a little bit more complex to defeat
and some are easy,
but all these attack vectors are destroyed
by this two-sided authentication.
So that's our solution without telling you our solution but that's the solution
is to by magic get two-sided two-sided authentication right i'll tell you how the magic works
yeah go ahead a little bit anyway yeah but that's that that's the big picture the two-sided
authentication where the credentials couldn't be faked on either side.
So how do we do that?
All right, so now let me get into a little bit of
a protocol of internet protocol detail.
So when you go to a website,
you might notice
that you're going with something called HTTPS,
Hypertext Transport Protocol Secure.
And so this forms an encrypted connection between you
and whoever the URL that you're going to.
And technically, this is done through what's called
a Diffie-Hellman handshake. But that doesn't matter. But what
happens is, I go there, and I've got to form an encrypted
connection. And the way I do that is I, the bank has what's
called a transport layer certificate, secure socket layer
certificate, SSL or TSL certificate.
So that has a public key for the bank
and I go to the website, I ask for the certificate.
That has a public key.
Now I can use that public key to encrypt a symmetric key
and AES key. So public key to encrypt a symmetric key, an AES key.
So a public key is limited.
It can only encrypt only about 32 bits, which are 32 bytes.
So you can send a key back, but I can't send, you know, a request or a longer text message, just a very small amount of data.
So the data I choose to send is an encryption key that lets you encrypt screens.
AES keys are very efficient, and that lets you encrypt screens.
AES keys are very efficient and they let you encrypt as much as you want.
And it's very computationally easy to decrypt and encrypt.
So I send them this symmetric key.
And from then on, we communicate with encrypted information
using the symmetric key.
So we have this Diffie-Hellman handshake.
I asked for the public key, I we have this Diffie-Hellman handshake. I ask for the public key.
I encrypt a private key.
I send it back.
And then all further communications
are encrypted with that AES key.
And that's how we get HTTPS connection,
a secure connection that no one can read
because the AES key is effectively unbreakable.
Okay, so that's how we get security.
Now then, the weakness there is that I have to believe,
I have to know the certificate I'm getting
is from Bank of America.
So how do I know that?
Well, there's an infrastructure called the Web of Trust,
and that's sort of a superset of something
called the public key infrastructure.
So the certificate that the bank gives me
is signed, for example, by Google.
So Google has signed the certificate,
says I've investigated this
is the bank allegedly and I'm gonna sign it which says that Google attests that
this is a certificate issued to Bank of America and well now it just it's
turtles it backs it up how do I know that that's Google's signature how do I
know what their public key is well Well, there's another SSL certificate.
So I have to retrieve that. And that's the public key infrastructure. So I retrieve it. Well,
how do I know this is Google? Well, because it's signed by VeriSign. So I have to go to VeriSign
and find their certificate. And where this ends is that in your browser, there are what are called roots of trust.
So it's provisioned with a set of public keys.
You don't even know this.
You can change them.
But there's a set of keys that Chrome and Firefox and whoever did your browser has already pre-provisioned it with.
So usually that's Google and Verisign, maybe Microsoft. So there's a few
keys that the browser has decided you should probably trust these because we've looked into
them and we're telling you this is in fact Google's key. So you hope that Firefox and Chrome did it
right and that in fact you can trust Google and VeriSign.
All right.
So that's the big complicated mess.
And if I believe that string of attestations, then I believe that this is, in fact, Bank
of America.
So that's how it's supposed to work.
The problem is it doesn't. And the reasons are many.
But one of them is that actually the attestation
does not really tell you, it's not meant to tell you,
this is Bank of America.
It's what we sort of imagine it does.
But what it really tells us
is that the entity that asked for this TSL certificate from their registrar, like
Namecheap or something, when they registered it, the entity asked for a certificate. And all
Namecheap is saying is that the person that asked me for the certificate, in fact, owns this URL.
So they own bankofamerica.com.
So that's what Namecheap is saying.
And then Google is saying, yeah, this is Namecheap's signature.
So Namecheap did, in fact, agree that some entity owns this URL.
So we're going to the entity,
if all that set of attestations is true,
we're going to whoever owns the URL.
Okay, so if it's bankofamerica.com,
probably that's nobody but Bank of America,
this Delaware registered corporation,
that actual Bank of America, that physical Bank of America owns that URL but do they own B of A do they own
Bank of America net deck of Bank of America dot PK Pakistan do they you
know there's all kinds of URLs that are very, very similar sounding that you might not recognize as probably not being Bank of America.
So your certificate will say, yes, you're going to the owner of that URL, but it's up to you to say, yeah, that's really Bank of America.
And it might be okay for big things, but a smaller company, how do you know what url they have you know how do you
know what uh you know what your your software service company has it's it's it's it's very weak
and nobody checks anyway so it's it's a very weak form of of confirmation mostly it works but it's
not going to work into the future because this is a really
really open attack surface that ai is going to take advantage of right right like what is it
about geek slayer zero and zero trust architecture that solves this problem in a way others can't
i mean you you kind of warmed it up a little bit already.
Yeah.
So let me step above this.
This is the problem with security.
So here I'm giving you this little discussion.
And it's really technical.
It's really, you know, TSL certificates, certificate authorities,
routes of trust, web of trust, public keys, private keys,
URL registrars.
Who knows this?
You know, this is not a thing that anybody, but maybe 10% if you're lucky, knows.
And if you really get into it, it's 0.1% or less.
But the normal person probably doesn't even know what encryption is.
So, you know, if you don't understand what's going on, it's magic. And then you just hope that the incantations are right because you don't really understand what's going on. So already
it's above the heads of almost everybody. So they're just sort of hoping that it works.
So any solution has got to be bulletproof. It has to be unbreakable by somebody who has no idea
what's happening or else we're going to have those scammers because they can take advantage of our ignorance.
All right, so how does geek solve it?
So we have this idea of a geek ID chain, and this creates what we call a local web of trust.
So the example might be this.
Suppose, so I work for Vanderbilt,
and I go in to Vanderbilt, I get employed, I go to HR.
When I get to HR, what they do is they give my device,
my phone, for example the the geek ID that they have that they have minted onto a geek chain in the form of an NFT
so when I walk in there I'm talking to the guy in person and I'm at Vanderbilt, I can see it's around me. So they zap me the NFT and the NFT is signed by,
it has the public key of Vanderbilt and it might be signed
by the Department of Education if it still exists
or somebody that's a higher authority that again,
we can verify.
So it's a local verification.
Department of Education verifies
all of the college NFTs or something.
All right, so now after they send that to me,
then my Geek application creates a public key,
a public private key pair.
And technically this is done
in a trusted execution environment, a T key, a public-private key pair. And technically, this is done in a trusted execution environment, a TEE,
something that is already configured to keep these kinds of public-private key pairs secure
and use them only when they're properly authorized.
So it takes my public key.
It issues a certificate, a geek ID for me in the same chain and
so now we have two certificates one says Vanderbilt here's my public key one says
John Conley here's his public key and maybe it says things like he's a
professor or has other data about made permissions like he can he can look at
these students records or he's teaching these classes so he can look at these students' records, or he's teaching these classes,
so he can give grades in these classes.
So he might include permissions
and things like that as well.
Right, so now I go home.
And I wanna log in to Vanderbilt.
How do I do it?
Well, I log in, and using Vanderbilt's public key,
the one that I have from the geek ID that they sent my phone.
So my geek application absorbed that public key
and labeled it Vanderbilt.
So when I go to vanderbilt.edu,
my application says, ah, that's the URL
that I've connected to this public key.
So I'm going to take that public key, which I know because it was given to me by Vanderbilt,
and I'm going to encrypt and we go through the whole Diffie Hamlin handshake.
And so now they've sent me a, I've sent them an AES key.
key and so now we already can talk in a in an encrypted way but uh what vanderbilt does then
And so now we already can talk in an encrypted way.
is instead of just continuing to talk it looks at my at the at the blockchain and says ah this guy
claims he's john conley is he really well let's go and take the public key that he gave us, take it off of his geek ID, NFT,
and I'm going to encrypt another AAS key.
And I'm going to send that back over the secure connection to John Conley.
Now, Vanderbilt could not speak to me.
Whoever is at the other end, I don't have any idea who it is.
I hope it's Vanderbilt, but it might not be. They are not able to decrypt the AES key that I sent
them unless they have the private key. In other words, unless they're actually the entity that
is on the other half of that Vanderbilt geek ID.
So I've got the public key there.
Unless they have the private key that corresponds,
they cannot decrypt the AES key I sent them.
So they can't speak to me.
They send me back nonsense because I'm decrypting it
with the key I sent them and it doesn't make any sense.
So the fact that they can even send a message back
proves to me that that's Vanderbilt that I've actually reached at the other side, across the invisible internet where I can't see
the destination. All right, so then they send me back an AES key with my, encrypt it with my public
key, the one they know belongs to me. Now, I can only decrypt that if I have the private key, and only I have the private
key. So I decrypt it. Now I use that AES key for the rest of our communications. So
I've proven to Vanderbilt, I have the right private key, they proven to me that they have
the right private key. So both endpoints of this communication are now authenticated to
each other. And it happens automatically, because you've connected Vanderbilt's public key
to Vanderbilt's URL.
And they look and they say, your login name is John Conley.
Are you really that guy?
OK, well, they go and they test me with my established public key,
which is visible on the geek chain.
So now we're both authenticated.
We have an encrypted connection.
Nobody can spoof, and we're all good.
And so that's the basic model.
And then it extends.
You know, they send me an email.
Well, they can sign the email and my SMT, my email client, or if I'm doing webmail, my geek application can say,
okay, this claims to be from Vanderbilt EDU. All right. We know what that public key has to be.
So I will check for you and see if that email is signed. And if it's not signed properly,
it's a fake email. So if anybody's sending you an
email, you know, either you know them, and you can tell if it's them, or it's from somebody you never
met, or maybe a fake. And if you answer things from people you never met, we really can't help
you. You know, that's, you know, you've never met them. And the infrastructure will show you you've never met them. But whatever happens, nobody can pretend to be LinkedIn
or Amazon or anybody else that you already know.
The world would be so better off
if everyone would be using Geek, right?
I mean.
Well, of course, of course.
Yeah, yeah.
Go ahead.
Go ahead. I just want to say one and there's there's two things that make
this solution attractive there's many things but but just at this highest level what makes it
attractive is it can be totally automated you know you're not having to remember passwords you're
not having to you know go ahead and like a like crypto wallet and enter your pen and so forth. All you have to do is authenticate one time to the, you know,
what amounts to a password store.
So if you use LastPass or something like that,
first thing you do in your browser is you log into that application.
And from then on, that application will find the right public keys
and generate the right messages and do all the things
for you and for reasons i won't explain it doesn't matter if you've gone to the wrong site so if i
send you know if i attempt to authenticate to a fake site they're going to get data they can't use
so it nothing is revealed if i make a mistake or the system makes a mistake. So this is what I'm saying, that it needs to be foolproof.
Because if you can break it, people will break it.
So it has to be that you really can't break it, even if you try.
Right.
Thank you for that, John, as well, to explain everything
and the importance that Guy could bring actually in this world like for from small to big businesses
and from young to old people right like everyone basically um and which reminds me actually as well
is that stephanie has been diving into uh identity and access management recently. Yeah. Basically managing like who gets access to systems, right?
Yep.
Especially important with like,
especially actually after COVID with so many remote workers,
freelancers and contractors everywhere now.
Like how does identity and access management tie into the bigger picture of
social engineering defense?
Yeah. So this is actually a really important attack vector now.
In fact, I think that Coinbase's recent loss
was because of a vendor, a support vendor,
that exploited their access.
It was the right support vendor,
but they used their access to steal coins
and to take advantage of their position.
So the first thing at the highest level
is that the one thing,
I think I've said this before,
the one thing that AI cannot fake is cryptography.
So it doesn't matter how good AI gets.
If you have the private key, you have the private key.
And if you don't, AI can't pretend it does.
So this is why it's robust and it's future proof
because nothing that's on the horizon
is gonna defeat this as an authentication method.
But let's take this example of a contractor
like a support person for a bank or for coinbase
all right so they have they're a different entity they're not coinbase so they're somewhere else
and they have a bunch of workers coinbase doesn't have any idea who they've actually hired
you know so they really don't know who is connecting on this VPN
that they've established and if they're the right people
and what they're doing because it's all going right
between the support group and Coinbase.
It's never visible except just to the servers.
So the solution would be this, and this is this works for interactions between
any two non trusting enterprises. So this could be a doctor in a pharmacy, or a an employer
and his customers are his vendors, or it could be that I worked for Vanderbilt and somebody else works for University of Missouri and I'm saying, hey, I'm part of this grant and I want to access the data that they have there at Missouri.
Well, how do they know who this guy at Vanderbilt is unless they give me an account at Missouri?
And that's risky because now I've let somebody inside my firewall. I've given them credentials and I hope that they're the right guy.
And I hope that my firewall is good enough to keep them where they ought to be.
And we know that that's often not the case.
So here's what we do.
Coinbase, when they hire this group, they issue a certificate to the management.
So that's their, they've said,
yeah, this is the group we've hired
and we're gonna give them a public key.
And so now that's their master public key.
And then when they hire somebody,
they're going to issue their own NFT from their side.
And so all of their employees are gonna have ID NFTs endorsed by that master
ID. And all of Coinbase's employees will have similar credentials and all customers will have
similar credentials. And so now if I call this group up, if I call this group up,
how does that group, if they're honest,
know that I'm really a Coinbase customer?
I could have spoofed them.
And how do I know I'm talking to the right,
to an actual support person
instead of somebody that, you know,
who knows who's on the other end of that link?
Well, again, we can do the same kind of authentication.
I can look up their public key endorsed by their boss, endorsed by Coinbase. They can look up my public key endorsed by
Coinbase. In that NFT, there's my account number and maybe other details about my permissions
and the same thing for them. And so now a guy I've never met working for a different company that works for a company that I use, but also I've never met.
We can know who each other are through this connection with the public keys.
So I know that there's an endorsement of whoever's at the other side.
Well, that's the first step.
It's the right guy.
Now, how do we know whether they're doing the right thing? Okay, well, now I'm just going to
mention this because this gets into a whole other topic. The way that we know that we monitor that
things are going correctly is that if I ask for something to be done, like send coins and send a Ethereum somewhere, I can
do that through an attestation I put in the same chain.
So I compose a request and I say, I want to send this to that address.
And this is my, you know, this is a, that's, this is my account number.
And then I sign it.
So now Coinbase has permanent, irrevocable,
immutable proof that I asked for something to happen.
And then the support guy can say,
okay, I'm gonna feed this into the system.
He sends his own attestation and Coinbase absorbs that.
And then they send it in or they alter the database
or whatever it is he has to do for support. But they have real-time evidence that exactly particular people that can't be identified
requested or did certain things that are exactly in the in the in this attestation.
And so if it doesn't look right, they can they can stop it. They can have artificial agents say, well, that's not right. If it exceeds the permissions, again, that's evident from the IDs.
And so we have an audit trail as well.
And also we know for sure that the right people have been on each end of the transaction.
So we're safe in real time and we're also
safe in the identities of all of this myriad of vendors and subcontractors.
All right, so like we're almost heading towards an hour so like I'd like to
summarize as well from this call, basically social engineering.
I mean, it's not about fear.
It's about awareness and action.
Social engineering is built to confuse and mislead.
Geek's work is to cut through this chaos with real solutions, right?
Right.
But I'm going to say it's more than that.
Here's the thing.
You're not smart enough and I'm not smart enough to defeat artificial intelligence.
And I don't, you know, I'm a reasonably sophisticated security expert now.
But even I could be fooled.
And if you're not me, you're absolutely going to be fooled, because you really don't know what's going on.
It's really complicated, and it changes all the time.
And we know this is true, because Bank of America gets hacked.
You know, Kaiser Permanente
gets hacked. People that ought to know better and spend lots of money still get hacked. So it's
broken. It's not working. It's not going to get better. AI is going to make it worse. So, you know,
it's a broken system about to collapse. And that's despite the billions spent on it. And even for
really sophisticated people.
So the current system won't stand.
It's broken.
It's going to be a catastrophe.
And what we're offering here is a solution.
But it's a solution that is usable by somebody that doesn't know what they're doing.
And that's, I think, the most important part.
That it's simple.
Anybody that knows anything much about cryptography would understand how this
works. It's, it's not really, there's not a lot of, you know,
it's not a Rube Goldberg device if you know what that is. But,
but it can be used almost automatically by anybody. So it's not,
not only will it protect people from themselves
but it also is not going to be something that is beyond the abilities of just ordinary people
So anyway, that's our objective.
so anyway that that's our objective i think you cut out there robbie
I think you cut out there, Robbie.
Yeah, my microphone got stuck again like last week.
I don't know why.
Well, I think at least we're understandable this week.
That's something.
Yeah, that's something.
That's something.
We're going somewhere.
Thanks, John.
Thanks for adding this as well to elaborate on things.
I wanted to share as well some stuff for the community, actually,
because the team is actually really excited
because we've selected the three major partners for Geek Labs
who all have an interest in security and privacy of data.
So we will be introducing them and their plans to build over this quarter.
So each of them has actually significant business plans
and plan to use Geek.
You heard it well, plan to use Geek
as the base level infrastructure for the entire platform.
So like there's a lot of stuff,
there's a lot of stuff cooking in the background.
And we're really eager to start showing you guys what's going on.
And actually, the Geek Lab partners, who these people are, what the plans are.
So that's also very exciting.
That's also very exciting.
Also want to remind everyone that Continuum will be co-hosting with us every third Thursday of the month.
The next invited guest in August actually is led by someone working in AI for years.
And I mean years,
like long before this last rush has been happening.
So it's also something very interesting to look forward to.
We'll have next week,
we'll also have another guest speaker,
also something to look forward to.
In the meantime,
if you guys have any questions whatsoever,
like as I say every week, we're very
accessible.
Chat to us in Telegram,
tag us, post
something on X. I want to thank
everyone as well this week
again for joining.
Paul, good to see you as well. Wisco, it's good
to see you. Obi, Emi,
Tony, Michael,
AC Crypto, Nicola. Let me add, let me let me let me add one last thing robby
go ahead go ahead okay and uh one thing that's that's interesting i think and a little bit
different about this thing i've just described is many things on geek could be done on a private
instance and there are people that want private instances
for various reasons.
But this application works exactly right
on a public instance where coins are used.
And the reason is it's set up between,
it's not one entity's chain.
It's lots of entities that don't trust each other
that need to know who who their who their agents
are who their employees and so forth are and their other applications but that's just one to think
about so we don't have one master guy that that owns the chain and pays for the chain so somebody's
got to pay for the chain who pays for the chain the people that do transactions so you authenticate
and you might have somebody paying
for you. There are ways we can do that, but, but, you know, it'll cost you a transaction fee
to authenticate once something very minor, you know, fractions of a cent, but, but each one of
these interactions is a key transaction. And how many times do people authenticate, you know, so
it's volume. So this is something that if you're going to make it
so that you have untrusting entities working on this,
you've got to have a public chain,
which means that you have to have lots of transactions fees.
So this is the perfect use for that kind of public instance.
right
Right.
it's actually it's really exciting
It's actually, it's really exciting.
like
we've been
working hard
for a long time
so yeah
it's really awesome to
to see everything grow
and coming to light very soon as well
so that's very exciting
okay well thanks Robby I appreciate it
thanks everybody for showing up thank you thank you John again for this week's page
thank you everyone for listening in hope to see you guys next week as well and
see you in the trenches in telegram okay thanks guys bye-bye see you see you guys
see you bye bye
