The Security Show🔐WEEKLY with Certik! Episode 2: Discord Security

Recorded: Sept. 7, 2023 Duration: 1:03:31

Full Transcription

Hello, hello, hello.
GM, how you doing?
GM, tired, but it's another day.
I'm sharing out the link to the space now.
Wait a few minutes and get everybody in here.
I will send some retweets right now.
Yo, how do I get the, you know the music that plays when no one talks?
How do you even get that?
I think it's automatic, but I'm not sure.
I remember I did it one time, but I had trouble turning it off.
I was like freaking out.
I think there's a little button at the bottom.
Are you on your phone or a desktop?
I'm not sure on there.
It might not be on there.
Actually, it might be here.
Run an emulator.
I'm running the Android app off a Windows computer.
Yeah, I used to just play like YouTube background music on my, like on my laptop and then hold
my phone up to it for a while.
All right.
So the space automatically tweeted for us.
So that works.
Yeah, it does.
I retweeted it for both accounts.
Let me, uh, let me send it to Drew.
Tobin, how are you doing?
Pretty good.
I was just about to ask if you guys could hear me all right.
Oh, yes, sir.
Sounded great.
CertiK is a little robotic-y for me, but not sure if that's just on my end.
I think you're, yeah, I hear it all right.
There we go.
Started, uh, about a minute late here, so.
We'll wait like another two minutes and then he's over here, he's here.
I'm sure they'll trickle in slowly.
Tobin, are you, uh, east, east coast or west coast?
I'm, uh, I'm like 30, 40 minutes south of Washington, D.C.
So east coast.
How's your weather out there?
Hot and humid.
Like, average of 95, 96 at the highs for the last two weeks or something.
Yeah, that's up there.
Yeah, I went down to New Orleans last week for a bachelor party trip, and I think we landed.
It was like 105.
It was like above 100 all week.
It was kind of miserable, but.
Yeah, no thanks.
I'll, uh, stay away from that.
Hi, it was way better.
What's going on, Drew?
Yeah, good morning, good morning.
We're, uh, we're just waiting a minute.
I started the space about a minute late, so we're gonna, I guess we wait another minute
till 11.05 and then just go ahead and get started, see if anyone else trickles in.
Works for me.
I also can't get the background music going.
I think it just comes on automatically, but I'm not sure.
So, uh, Drew, you're just gonna have to sing for us.
Just gotta, give me a request.
No pressure.
No pressure.
Yeah, I think it's moving people around.
Can you guys hear me okay? A bunch of Discord experts in here.
What was that? I said, can you hear me all right?
Yeah, all right, perfect.
I mean, we can go ahead and get started, just because it's recorded.
There's not a lot of people in here, but I'm sure they'll start trickling in slowly.
Yeah, most come after anyway, most of the listens.
Yeah, well, all right. We'll go ahead, we'll give some intros.
I'll start. For those who don't know me, I'm Wes, Webacy. I handle a lot of growth partnerships. I've been with Webacy for about two years, but most of you guys in this space know me, except for a slight few. Webacy itself is pretty much a security suite. We have a bunch of tools out there to help keep you safe. We're pretty much similar to any other app where you go and you can connect your wallet, analyze your wallet's risk, check transactions, monitor your wallets, and pretty much keep them safe. I pretty much got into NFTs about two years ago now, used my Bitcoin for a few years, and that's pretty much how I got into it. The rest was pretty much history.
Hey, Wes. Yeah, Wes, you're cutting in and out. You sound like a robot. I'm not sure what's going on with your mic, but it sounds pretty bad on our end. It's not good.

I'll go ahead and intro while you attempt to restore that. My name's Chase. I'm the social media manager here at CertiK. For those who aren't familiar with CertiK, we're pretty much a Web3 security company. We have a bunch of products, our main one being auditing. We also do KYC, bug bounty, incident response, pen testing, basically the whole suite. We have a leaderboard at skynet.certik.com where you can do your due diligence on a bunch of projects. We have security scores and a bunch of info on over 10,000 projects, so I'd recommend checking that out. And then Drew or Tobin or whoever else wants to go.

Yeah, I can kind of go next. So my name is Drew. I've been in the crypto space for almost about eight years now, been in the NFT space for, I guess, almost about four years now. I do much of cybersecurity, auditing, consulting, those kinds of things, and then specifically do kind of Discord security audits and kind of security training in the Web3 space.

Hello, hello. My name is Tobin. I've been in crypto since about 2017, about six years now, NFTs since mid 2021. I've been working full-time, thanks to my company Jadu AVAs, since about late 2021, working on Discord security, bot development, on-chain analytics, a little bit of everything related to blockchain technology and Web2 technology. More recently I've been a part of ServerForge and Boring Security, both in terms of educating people and kind of offering services for consultation and stuff like that. Thanks for having me.
I think I'm good now.
Yeah, sounds better.
Yep, yep. Mac, did you give your intro? That might have been when I was fixing the mic.

No. So I'm Mac, Crazy Blockchain Ninja. I've been doing security for four years. I started after I got rugged and I wanted to keep other people from feeling that gut-wrenching feeling of losing everything, so I started doing everything I could to help people in the space to try and keep them safe. Right now I'm kind of focusing on getting people back into SIM-swapped accounts, which I will have to go here in a second: Ordinals Wallet got SIM-swapped yesterday and I have a call with the founder here in a few minutes to get them back into their account. But yeah, focusing on getting people back into their accounts and getting scam accounts banned. Current total for the last two and a half weeks is over 17,000 scam accounts banned, so I'm really happy about that.
Well, I hope I'll never need your services, but nice to have you around, I guess.

Yeah, Mac pretty much does it all. Go ahead. But great intro. I mean, we're all just out here pretty much helping everyone in every way we can. But the reason for the space today is obviously Discord security. It still happens to this day. It's been around for a long time now. People just never really fully understand that they shouldn't click links that lead them outside of Discord. And especially, I know that all of you guys probably saw, but if you didn't, Discord actually made an announcement, which really wasn't the best announcement. They simply posted in their support articles and sent a few updates in the developer news feed that you can now hide links behind other hyperlinks, so therefore you can make an OpenSea link simply take you straight to a drainer website without even knowing where you're heading. Even though there is a little pop-up modal that lets you know you are leaving Discord on an external link, the problem is that it's standard for any pop-up that you may receive when you're leaving Discord. So the bigger problem is that it's already standard and users are accustomed to clicking outside of Discord. But do we think this is going to lead to a lot more compromises for wallets? And the other question is, is Discord in general dead? Because I know there's a lot of servers I'm in where there's not much activity anymore, but then there's a slight few for new projects, new companies, and they still seem popular and people are in there almost every hour of the day. So I kind of wanted to hear what you guys think. Like, do projects and companies still use Discords? Is it even necessary at this point? And what do you think about the latest update?

I'll go ahead and lead it off. I'd just say, I mean, personally, I'm not a huge Discord guy. Telegram's kind of where I've always been as far as crypto, Web3 related stuff. I think it's easier, I think it's simpler, but we did create a Discord for CertiK. I won't say I was an advocate for it, but it happened. But in general, I think the new update, easy answer, is yes, it's going to cause more problems. I don't think the pop-up really does much, because I'm able to expect the user is aware they're leaving Discord; they just don't know where they're going. And if it doesn't have anything to do with that, then, you know, thanks. Yeah, I'm clicking a link, I know I'm leaving Discord, but do I know where I'm going? Not necessarily. But I'd like to get you guys' expert opinions on this. Mac, go ahead, because I know you're on a bit of a time rush.
Yeah, he just messaged me and said he was ready. So look, I don't know why people use Discord. And like, don't get me wrong, I've made a ton of money doing audits and stuff for different projects, but it is one of the most unsecure platforms there is, and people have chosen this as a way to gather and congregate and link wallets to their profiles and use their phone numbers to secure Discord. Like, it just makes me want to cry inside, not outside, just inside. I know they're trying to make it more secure, like they're trying to make it a better platform, but with the underlying structure being so unsecure, like even letting you do XSS script injections and stuff like that. You can literally go on there right now and anything anyone has ever sent in media, like through their CDN file network, you can view anything you want. You just have to know where to look. I'm not a fan of Discord anymore. Like, I'm just really not. If they're trying to make it more secure, kudos to them, but until they fix the underlying structure, it's not going to be secure at all.
Yeah, I can expand on that a little bit. Mac here makes a lot of good points. You know, the Discord platform, if we're kind of comparing it to quote-unquote older platforms like, for example, IRC or Skype or something like that, or TeamSpeak, these platforms were for communication between relatively smaller groups of people, people that have trust built in between the existing users inside of that community. They weren't necessarily big public groups that you could easily join or get a bunch of accounts into. But obviously Discord has a product-market fit of not just personal friendship communities but also larger fan bases and organization-based kind of feedback and chat rooms for people. And I think, as you approach bigger and bigger scale with more and more accounts and more expansive uses of this basically chat room platform, this is where you start running into problems. I'm kind of making up statistics here, but I know some people on the inside and I can tell you that 98 to 99% of Discord servers don't worry about security. Like, that's not a concern for them. So when we're talking about Discord building out security features and rolling out markdown, which includes masked links, they aren't thinking about how to protect the largest organizations on Discord. They're thinking about how to make the lives of the six million, whatever, daily active users they have that are using the platform for smaller organized events and more high-trust situations, where there are not 50,000 people in a Discord, there's maybe a thousand. And for those people, things like markdown make a hell of a lot of sense. Things like the Discord auth token, which is a super insecure structure to begin with, don't really matter to them, because they aren't actively getting phished. They aren't being invited to servers where there's triple verification gates. Like, verification gates in and of themselves is something that Discord has tried to tackle recently with the onboarding system, to essentially try to reduce friction for users, which was great, again, for the vast majority of people that are using Discord. But for servers that are related to crypto and try to add some anti-bot measures, it created way more friction for us and had kind of crazy requirements that weren't necessarily applicable to the types of communities we're trying to run. So it's both a problem of the platform and of how we are attempting to use it. And I think masked links is just a symptom of that core issue. I personally don't see it as something to raise too many flags about, but that's because I run my server with various automations and I already have methods to block links whether they are masked or not. That doesn't mean that there aren't going to be other communities and other server admins that don't have their setups nearly as secure as we do. So of course it is going to cause problems when, like, brand new servers, for example, don't have any link protection and three accounts join in and start spamming chat with masked links, and all they have is a single mod trying to sit there and manually delete stuff. You know, that's never going to work. But, Drew, I mean, from an engineering standpoint, I'm curious about your perspective on all this.

Yeah, I mean, I kind of think of it in everything that y'all said, but also kind of another degree, right? Like, Discord was started to have private communication for gaming, right? So just like you said, maybe not on the scale, like very private gaming. You want to go hop on there, hang out with your friends, and you guys all wanted to play a game, maybe on Steam, on PC. You have a way to communicate. Like, that was the purpose, and I think that's still a pretty majority core of the purpose of Discord. I think that's still the highest user count, is gamers. But I think Discord is still very much needed for projects and businesses, because I don't see why you would cut off a medium of communication or preference to a certain group of users just because you don't want to take the precautionary steps of setting up your server right. Why do projects or businesses... Whoops. It's kind of like... oh, you're good. It's kind of like shooting yourself in the foot, especially because this is global. Certain people that I interact with on a global perspective, some just prefer Telegram, some just prefer Discord, and so if you kind of silo one or force people into one, it doesn't really help grow or really extend your reach from a global perspective. But just like anything, I mean, markdown, I use it on a day-to-day, everyone uses it on a day-to-day basis, whether you're dealing with text messages, emails, articles that you're reading, links. I mean, it's nothing new. It's just hyperlinks. Discord introducing it, I really don't think makes any difference. There's always risk in anything that's going to be there. Malicious actors are always going to go ahead and manipulate anything, so it's just another vector. But I think it's just a normal feature that should have probably been implemented years ago if it wasn't. Obviously a lot of people just take a look at things and assume the worst, which we have to in the Web3 space at this current moment, but that's also not any excuse at all to just kind of ignore that and not have proper security to prevent anything that can be manipulated for a malicious purpose.

Yeah, Drew, I like how you brought up the gamers for Discord, because I think a lot of us in the NFT space, and especially myself, before I got into NFTs I actually used to manage gaming servers on Discord, so that's how I got all the Discord knowledge that I have now. But I think the biggest problem is that if you are new to NFTs, so you're recently onboarded and you don't have any gaming experience or Discord experience, you jump into a Discord and you just don't know any better, and I think that's where the problem lies. I don't think the people that have been around for a while, they've been in other servers for years, I mean, you just understand how it works at this point. You don't really think twice, like, hey, I'm going to click this link and go to this random website, unless obviously it's trusted, it's from one of your friends. But you'll still do your due diligence before you just click on it. But I think the problem just lies with onboarding new users and them joining Discords and they don't really understand how it fully works. But Cyan, I see you have your hand raised. We'll jump over to you.
Hey, so, hey, morning, everybody. GM. I actually hopped up because I was actually talking with UMCC about the Discord access controls. So for me specifically, I wanted to address it from a permissions standpoint: there should be something that stops you from accessing other people's DMs or images and things sent. But as you mentioned, I actually worked on the PoC for that. And for me it was fun to say, hey, can I actually get a response from this? Can I actually download the content? Can I scrape this if I have any inkling of an idea? And while it is seemingly unfeasible, I mean, the numbers are huge, I still wanted to express that it's a bad access control. And from that perspective, being mindful of where your data is, despite whether you're using Discord or any other app, overall being extremely mindful of where your data is is going to be important. This is something that I never would even consider doing, but it just happened to come out. Someone else has probably thought about this, and it's probably not that big of a deal to Discord because it seems to be the way that their system is designed. But I'm pretty sure we could all imagine sending sensitive things in Discord DMs because we're working in teams or groups. It may not be the worst thing to other people, but it's private or it means a lot to us to protect that information. It would be nice to talk with somebody at Discord and actually ask them about that, but these are things that we deal with.

Yeah, I'd love to comment on that, maybe explain-like-I'm-five it a little bit, because Cyan's talking about something pretty important there. So a CDN is essentially, I might be making up what the acronym stands for, but content distribution network. Essentially, imagine it like a big database that Discord has where every time you upload media, it's stored there and you get a link to it, and it's embeddable so that you can kind of see that content or download that content directly from the Discord platform. It's basically like having Google Drive within Discord. And what Cyan is saying is that every time you upload to Discord, that link is public, right? There's no permissions on that link. So it's uploaded to Discord's database and then you can access it and share it however you want, but the access to that link, to that content, is not restricted solely to you and the people you share it to. A smart enough person like Cyan can take a look and figure out some parameters, essentially, within which they can iterate over and scrape and just try to guess at what these links might look like and download the content stored, or pointed to, by these links within the Discord database. So I have a couple of comments on that. The kind of security measure that you have around that is basically, once you delete your original file that's hosted on Discord, Discord deletes it from their back end. Sometimes that takes a little bit of time to actually happen, but that's like one consolation, right? You can share something, the other person can download it to their local computer, and then you can delete it and it will no longer exist after a little while. That's similar to how Discord messages work. But obviously the root problem there is, you send something, you forget to delete it, or somebody sends it somewhere else, it's still going to be there and it's still going to be accessible. Something like this is similar to going on Imgur and just trying to scrape all Imgur links, because people don't really realize that when they upload to something like a CDN or Imgur or Google Drive with the wrong permissions, then people can access it regardless of what they're doing. I'm really curious to see more about this PoC, Cyan, because I think that's something that could definitely get escalated.

Well, I want to ask, because I think you might have just actually given me a bit of comfort in it, because I don't know how long I've checked. I want to go see if I can find the link that we tested, to see if, when we delete it in chat, the link still refreshes on their CDN. But I would be interested to know what that time length was and how long you would have to wait before you deleted something to go back and check and see if it actually deleted. But in the short term it doesn't sound like it would be the most dangerous thing, because again, it's a bit unfeasible unless you know exactly where to look. Now, there are a couple standard file names you can check for. I will not disclose those on a public platform, but that is one way that people could potentially try to do those types of things, because they're standard file names that Discord just gives you when you copy and paste things.

Yeah, yeah, for sure. My understanding is the sooner after you post it that you delete it, the faster it gets deleted, right? Like after, I don't know how long it is, maybe an hour or two hours that the content exists on their CDN, it starts propagating out to other servers that they host it on. So once that time has passed, then if you delete it on your end, it takes more time for that deletion to then propagate out to other servers. We are getting a little bit off topic, so feel free to reset the room a little bit, but that was an interesting sidebar there, Cyan. Thanks, guys.
So... oh, Drew, go ahead. You got something?

I was just going to add, I'm pretty sure the last time I checked Discord's privacy policy, I think they can keep it up to 180 days after deletion for their trust and safety, and for legal requirements too. So super curious to see if that's a hardcore 180.

Yeah, so up to that. I can actually comment on that a little bit as well. If you report a message or a piece of media via their in-app reporting, then that's where that privacy policy comes in, where they can maintain that data for a certain amount of time. If it's reported through their support tickets, essentially, and you just send them a link to the message, they can't retain that if it's been deleted. But specifically their in-app reporting system, like on mobile, you click to report a message, that they then store indefinitely.

Okay, nice, interesting. So I guess one question I have, or kind of just something I've been thinking of, is, listening to you guys talk, a lot of people aren't going to understand or be as in-depth as you guys are, being experts in this topic. So does the average user essentially have no choice now but to become kind of knowledgeable on this stuff? I mean, it used to be you could mindlessly surf the internet, do all these things, but now it seems like we've gotten to the point where even if you're an average user, you have to know what to look out for, you have to be aware at all times, essentially. Is that kind of where we're coming to, do you guys think?
i i think so i mean i think as technology advances so do malicious actors and so does the risk of
anything that you're doing on the internet right i mean back in the day you know the worst thing
that would happen is you'd get a call on a landline from you know some prince from a country asking you
to mail over physically ship a gift card right um you know we're involved in two obviously emails
when that got popular and phishing scams that way and now it's like oh my gosh can i even click a link
do i have to go through and actually read every character is that a lowercase i or is that an l
you know am i going to the right link so i definitely think you have to be optimistic and kind of
like you know trust nothing at all stances without you know kind of going too deep over the edge
i'm going to jump a little bit to kind of what you want to bring up wes is with the
who does the fault lie on essentially you know say you're in a disc projects discord and there's
malicious link posted and you fall for it is that this kind of goes back to what i said earlier is
this on the user or is this kind of the project's fault for not having the rights i mean you can
have all the right setups and everything i'm sure but then a malicious link will get posted anyway
like do you guys think it's at the project level it's their responsibility to make sure
everything is set up securely and professionally or do you think it kind of goes back to the users
you know do your own due diligence dyor it's your fault if you clicked on it or whatever type of
thing who do you think that kind of fault lies on yeah i was uh i'm going to jump in i think if uh
if you're a project and you have the tools and you have the funding and you have obviously the
community of continuous activity in discord i don't see why you wouldn't want to protect your server
um and just because like as soon as it happens when a project gets uh pretty much a discord server
taken over by hackers or scammers it's just like absolute chaos community's going chaos twitter's
going chaos it's just a bad look all around and then everyone knows in the end you didn't really
have a secure server and it's happened before where numerous projects have been like yeah our servers
locked down it's been audited in the past but no one really questions by who or when they got it done
and then next thing you know a few weeks later they're just completely compromised and it's utter
chaos so i feel like it's uh it's the project's responsibility uh especially the founders and we've
seen it before where founders have gone out of their way to use the community funds to reimburse
the community but i think at this point like you just you have to know better it's like if if you're
a business and you're not going to have locks on your door it's just that simple and i feel like a lot
of people just don't understand it at this point yeah i can comment on this my you know full-time job
responsibility is securing our discord um i came in you know when i was first hired as basically a
contract moderator one of the main things that uh my team was struggling with was people being able to
spam uh sexually explicit gifts within our server and other links and things like that um
and you know they were trying to handle it with manual moderation which kind of legacy wise for
smaller communities like that's fine for the most part you ban the individual user that's causing the
problem it's all said and done discord automatically deletes their messages you're all good to go but when
you're a target especially around mint time which is when i got brought in um you are explicitly being
targeted by large account raids that means you know a variety of botted or human controlled accounts
that are going to spam you know in a variety of channels in a variety of ways and that's much harder to deal
with manually so my responsibility was to come in and install bots and set up automations and um you know
processes that really reduce the need for manual moderation for things that are blatantly kind of uh
malicious or impactful negatively or would require moderation of any kind as kind of this niche of
discord communities has grown we've seen a lot of bots pop up including you know hashbot um goodnight
wick was already a bot that existed but wick became basically a staple of of web3 communities
and so when we're discussing whether or not it should be on projects you know to to reimburse or to
be held responsible for these setups it does kind of depend on how exactly that breach happens
um for the most part what you're seeing nowadays is uh server owner or server admin accounts themselves
are being phished and tokens are being stolen and from that uh you know vulnerability people are getting
there are getting links posted in announcements channels uh chat you know chats being locked down so people
can't send messages anybody that tries to report them as scammers gets banned from the communities
team members get kicked out of the server um in which case that's pretty obvious like you lost control of
your own account you're responsible however you know if it's something that's like god uh you know
god willing this never happens but if the wick bot which i promise you is installed in basically
every nft or crypto server that cares if wick gets compromised then that's hundreds of servers at the
same time that have one of their most secure bots gets compromised and starts posting stuff it's hard to
blame the project founder himself this kind of happened with me six back in the day back in 2021
um somebody compromised a me six uh staff member and that staff member had basically administrator access
to all the servers me six was in i i you know that when that day happened i don't think anybody
reasonable was clamoring to the dozens of project founders to reimburse everybody because like what
can you do there right like that was basically out of your control um so there's definitely some
kind of scale from were you explicitly incompetent incompetent or negligent in your security setup
to was this something that was relatively out of your control um which makes the you know the
answer pretty pretty difficult but for the most part i'm on the side of you know we do what we can
to secure our users, but at the end of the day, the person clicking on the link, the person signing the transaction, the person connecting their unfortunate hot wallet with a bunch of assets, you're the one that's responsible for making those clicks.
I'm not there to physically stop you from using your mouse to click on things, so I can't really be expected to be held responsible.
Would you say the most common kind of way that people get in is, you know, I mean, if I'm looking at this from the outside looking in, I would go after one of the individual admins, kind of try to get control of their account and then post the link or whatever?
Is that kind of the most common way you've seen it go down?
Yeah, there's definitely been, you know, spear phishing is one of the more common tactics.
You get job offers from, you know, fake corporations that look very explicit.
Like, this is the same strategy North Korea is using for larger crypto things, like the Polygon bridge hack was a spear phishing with a job offer.
Discord hacks nowadays are spear phishing with a job offer.
Um, and so, you know, if an admin gets their token compromised, A, that's bad, but B, you shouldn't have admins like hot admins, just regular users with admin accounts, on your server.
This has been a protocol; again, the issue here is, like, how many people even know about cold admin protocols if you're not, like, in the niche and worried about security that much?
So yeah, from my perspective... yeah, go ahead.
Yes, I didn't realize you weren't doing... my mic was... my audio was a little backed up.
But in all fairness, I'm one of those that just started using a cold admin.
Uh, it was funny because one of my, uh, security friends, it was a joke at first, but he probably didn't realize that I legitimately could not, you know, give him the permission in the chat, because it was on an entire account, so I had to wait until I got back to that device, log in to that account, and then extend the permission.
But it wasn't clear to him what was going on; it was just like, oh, you know, more Discord accounts.
It was a joke until I got, no, these are legit cold admins for a reason.
Um, but I got introduced to that concept just about two months ago, and it was immediate, you know, implementation.
Yeah, and, you know, it's not a simple concept, necessarily, right?
Like, we're talking about separate devices, but we're essentially talking about enterprise-level access control for a community Discord server, which is above and beyond what most people are going to be willing to do.
But if you're in the space, you have a community manager or somebody that's responsible for your Discord, and they aren't trying to keep up with the most recent, you know, attack vectors and mitigation strategies, there is some negligence there, right?
Like, everybody sees these Discord hacks.
Zach, you know, has 500,000 followers or whatever, and he posts about them regularly enough, or, you know, to anybody that's been around long enough, you are aware that these things are happening, and if you don't at the very least look into how to prevent some of it or, you know, have some kind of strategy in place, then in my opinion it is a bit of negligence there.
Uh, Tobin, real quick, before we pass it over to Drew, uh, we're gonna explain it.
I'm gonna have you explain it like, uh, everyone else in here is five years old.
Uh, so can you explain exactly what a cold admin is real quick?
Because I wanted to bring that up, because I think it is super, super necessary, and I mean, to this day a lot of projects still don't do it.
Yeah, so I'm going to shout out a big homie of a bunch of people in this space, john_hq, who formalized these, uh, cold admin kind of policies into, you know, multiple versions, multiple documents.
I just pinned his thread of threads to the space, but essentially the cold admin protocol, the way this works, is you have, um, at the very least one or two accounts that are not your main Discord accounts, that are not the ones that you're logging into every day to use your community.
Um, one of these quote-unquote cold accounts... when I say cold accounts, you're thinking about these similarly to, like, your cold wallet or your Ledger wallet, you know, a separate device that is used much less frequently and for very specific reasons.
So one of these cold accounts is going to be the new server owner.
What that means is the kind of end-all-be-all account that has full control over the server is not going to be someone's day-to-day Discord account.
The reason this is necessary is, like I mentioned before, these accounts, the server owner or server admins, they're explicitly targeted by attackers.
So by removing the server owner from your active account, they can go and target that account however much they want; they can send DMs, blah blah blah, but by virtue of it being a separate account, you are aware that none of those DMs are real.
You aren't going to be interacting with them; you're going to turn your DMs off completely; you're going to have this account on a separate device, so that your main account doesn't really matter if it gets compromised, because it's not going to have server owner or server admin permissions.
And then on your cold accounts, just like you would with your Ledger, you are going to log in, you're going to be very careful about what you're doing, this is going to be, again, on a separate device, you're going to make the changes necessary, and then you're going to log out and essentially continue to keep that separate account secure.
This includes various other explicit things that you need to do, for example making sure that the password is changed often, securing it with two-factor authentication via, you know, a hardware key like Yubico or an authenticator app.
But the core idea is essentially having what, you know, the closest analogy is a hardware wallet or a Ledger wallet, but for your Discord account admins and server owners.
The main reason for this, again, is just to mitigate people phishing your Discord account credentials and using that to post malicious links or make changes to the server.
So you can continue to use your main Discord account as freely as you would like, knowing that it does not have the required permissions to create an issue within your server if you, well, not if, most of the time it's when, you get compromised.
Thank you, thank you.
Drew, you've had your hand up for a while; take it away.
Yeah, I was just gonna, too, I mean, you know, a lot of people also think that they won't ever be a target, when everyone's a target.
Like, it doesn't matter if your Discord is small or if it's large; it doesn't matter.
Like, a lot of these actors will target smaller Discords in groups, like five or six, so they'll go ahead and compromise the accounts, and, you know, they won't immediately act on that, right?
They'll go ahead and get five or six of them and then at the same time post malicious links, take control of the server.
And especially for the bigger ones, I mean, I've worked with someone where they didn't take the advice of the cold admin and the server owner account got compromised.
They booted everyone else out and they were literally just spamming links all night.
And the reason why they were able to do it all night is because they're not dumb; they're smart.
Like, they know when these server founders, uh, you know, the time zones they're in, they know when they're sleeping, so they know that, okay, hey, let's give it an hour when they stop responding, when they say, hey, they're checking out for the night, letting their community know, and then going ahead and compromising that.
And they probably got a solid seven or eight hours of just time to just spam the links.
And, you know, even if a community member, you know, isn't sure, there's always going to be one, two, or three people that just act on FOMO, you know, don't have the proper free tools, and start, like, Pocket Universe, Wallet Guard, or cash, you know, have it webc set up, those kind of things, um, all really available to you.
And then, you know, it's kind of so sad, too bad.
It's that's kind of the, I don't want to say downfall, but, you know, we're in a decentralized space; there is no 911 number when this stuff kind of happens, so you really have to be proactive about it.
Yeah, and it comes down to, um, like, just as a reminder, just don't be putting your personal info, anything that's, I don't know, just like anything that's, uh, important, any type of information like that, don't be sending it on Discord, especially if, uh, one day your token does get compromised and they have full access to your account, they'll be able to see any type of that information.
And, uh, Mac, I know he jumped out of here, but we dealt with it, uh, the other day with a project founder who actually had his iCloud compromised and they just absolutely took over everything he owned, and they actually tried to extort him with some information that he actually sent in Discord to one of his other friends.
So that's just a reminder out there that the information you send, it's not safe.
Yeah, it's one of those things where, you know, you think it'll never happen to you until it does, and then you're gonna wish you took all the right, you know, steps beforehand.
Um, I don't know if I'm jumping ahead here, West, but one thing I wanted to ask these guys is kind of, you know, what the pre and post Discord security looks like.
So pre being, what does the Discord security audit look like, what do you guys do in that, like the steps you take?
And then post, I'm curious, if you're a project owner and your Discord gets compromised, what are the first steps they should do?
You know, is it they reach out to you guys, you handle that, or, like, what's that look like, that, you know, the first steps they should take once they realize their Discord is compromised?
Drew, do you want to handle the, um, audits, of kind of what that looks like?
Yeah, I can kind of tell you from my side.
So, you know, in a perfect world, obviously the audit will be done prior to, you know, even being within 30 days of mint going live, or 30 days of a big event, something that, you know, would obviously be a prime target, or just in general.
Um, a lot of this is scenario-based, so it really is just completely dependent on, you know, what the founder wants.
Like, maybe they have moderators, maybe they have someone who is familiar with handling Discord, but they just want, you know, and I don't say experts, because I don't think anyone's an expert, I don't think anyone's experienced, but maybe they just want second eyes.
They want to make sure everything's set up right, those kind of things.
So it would definitely be just an initial meeting saying, hey, okay, let's take a look at what you got set up, go ahead and get an initial audit done saying, hey, these are the severities, these are things I found wrong, maybe, you know, tweak this, or have you thought about that.
Uh, depends if they either want you making the changes yourself, or if you pretty much just present them saying, hey, these are the changes I suggest.
Um, if you do it yourself, then you go ahead and just do another quick glance over, or just let them know, inform them, right?
If they do it, then obviously a second audit would need to be funded.
Um, and they kind of take it from there on a reporting basis, and you kind of do it that way.
I'm always one for offering, you know, kind of monthly support, not like a retainer basis or anything, but, you know, hey, maybe let's think up those kind of things.
I think it's super important also to include training for the team, especially moderators or especially collaborators.
I think those two are kind of some of the high-risk, of those kind of people, because obviously those are the ones that are joining, um, you know, a lot of Discords, or they're engaging with a lot of other communities, or just clicking a bunch of links and a bunch of QR codes.
So, you know, having the bots and other things in place to where they have the access they need but not too many.
Um, but also the training, right?
You can have the most secure social media, the most secure Discord, the most secure things, but that can still get accounts compromised.
Now obviously, if you have a Discord set up properly, then bots, automation, and other things in place will go ahead and prevent anything.
But, you know, you need to make sure, okay, hey, if something does happen, this is what you need to do.
If your Discord does get compromised, obviously gain control of the account, kick out any webhooks, check out the audit logs, go ahead and see what they actually did, gain back control, go ahead and, you know, hit the red button, nuke the server if you can, to go ahead and just hide everything, um, so no one sees anything from a community standpoint.
Again, obviously contingent on a scenario basis, but, you know, there is a lot more involved in there, especially when a hack happens.
Uh, you know, a lot of people are sweating, a lot of people are freaking out, they're overreacting, and there isn't necessarily a logical thought process, and, you know, they're kind of scrambling a bunch of places.
And, you know, it's always best to be more prepared than it is, you know, kind of scrambling at the last moment, especially when, you know, there is a link where people are literally just clicking non-stop and your community is getting drained and drained over and over.
And for all the people that say, oh, like, you know, why charge for community, uh, security, or security is too expensive, I promise that an audit is one one-hundredth cheaper than you trying to reimburse, or your community getting wrecked.
Seems like there's a lot of synergy between the Discord audits and then the smart contract audits, everything that we do.
We have many of the same, uh, problems and preach many of the same things.
Yeah, I totally agree.
Uh, well, we're already, uh, close to the hour here, so I want to ask the last question.
Drew, you brought it up before that you thought it was a necessity for projects and companies to pretty much have a Discord, um, but what alternatives do you think there are?
And I know I'll, uh, I'll start with one, is, uh, I think that, uh, Twitter Communities, like how they let you create a custom community on Twitter, was kind of their way to combat Discord.
Um, but I totally agree, I think it's, uh, it is a necessity to a point.
I've seen projects where they hold off on creating one, but eventually they do.
Uh, but I think the biggest problem is that Discord, and it's not necessarily a problem, but it's just the Discord name.
Like, if a company or project doesn't have a Discord, uh, I think that it's just like they'll eventually create it; it's pretty much inevitable.
Um, but it's just a name; like, everyone creates a Discord just because of the name, but no one wants to be like, hey, we're gonna be the first project that creates a Twitter Community because it's better.
You never really see that anywhere.
Um, so I just kind of wanted to hear your guys's thoughts, like, do you think there's alternatives, and if so, why haven't they taken off yet?
I think part of it is, like, it's just Discord has the incumbent advantage, basically.
Everybody's already on Discord; the accounts are already made.
Um, obviously you can kind of say the same for Twitter, um, but Twitter tends to be, you know, they serve different purposes, um, posting feedback, for example, or getting, you know, one-on-one customer support on Twitter.
Like, how are you going to do customer support via DMs?
I guess that's okay, but they're, you know, not the best place to do it either.
And I mean, nowadays you have account delegation, so you can kind of have one, uh, project account be delegated out to a bunch of people, but you can't really do, like, moderators or, you know, support staff or QA members all in the same project account.
Um, so I think part of it is, like, you tend, or you should, have a Discord community for a specific reason, and in my eyes that specific reason is real-time, active communication and feedback between your team and your users.
And then your Twitter feed tends to be more informational, more specific, more important, kind of like your announcements channel on Discord, but a little bit more catered.
Um, I do think, you know, as niche of a community as we are, there are alternatives.
There are platforms like, I believe, console.xyz, I might be making that up, but essentially a wallet-gated version of Discord.
You know, that has its own positives, but it also has its own downsides, right?
Like, I don't necessarily want to be connecting my wallet and signing stuff on a platform that is new, for example.
Um, and there's just a variety of reasons where, um, trying to migrate, as, you know, especially if you're not a new project, right, if you have an existing Discord and you want to migrate to another platform, the odds that you retain all of your users, or the odds that they continue to come back to this new platform if you're the only one on there, just makes it really difficult in terms of, like, marketing KPIs and just general communication KPIs.
Like, do you want to maintain eyes on your content, or do you want to try to secure, improve their experience?
It's the end user, at the end of the day, is just going to go with what's more comfortable, what's more familiar.
Yeah, I totally agree.
Um, one thing I did want to ask, because I know we touched on it, so I'm gonna leave it as our final question for the space.
Um, so we talked about bots, bots being compromised, bots being integrated in the servers and everything along those lines.
We talked about the MEE6, uh, employee that actually got compromised, and he pretty much had full admin access to pretty much everything; the bot was in every server.
So what bots are really safe?
Like, do we know?
I know it's easier for a hacker or someone trying to phish an account to specifically go through mods or employees of a company or project, but when do we ever really see a bot compromise?
Is it something that's pretty targeted often?
Um, and what bots are safe?
Like, should we be using custom scripted bots?
I know Pandas has created, um, um, which is another name in the space, he's been around for a while, that writes his own script, but then we also have Collab.Land pop up.
Um, I'm also blanking on the other name for the other company that's pretty similar to them.
Um, but just, like, what bots are safe, what should founders be using in their servers, should they have their own custom bots created, or should they go with what's known and what's out there now?
I think it depends.
I mean, I also think that even if you're using these bots or security bots, like, a lot of bots for Discord, you know, when you invite it, it'll ask you to give it the admin permission.
Nine times out of ten, no bots need admin permission, right?
Very, very depending, so, you know, even if something, worst-case scenario, did happen, you know, there should be a very limited amount of what they can and can't do.
Um, you know, just from, like, a least-privilege perspective, right, that should always be taken.
Uh, I think it depends also on, like, the founder or the team, if they want a custom scripted bot, to keep up with maintenance, patches, you know, kind of evolution of it, versus just relying on other already kind of proven existing bots, like Wick, Goodnight Bot, uh, you know, whether it be MEE6, um, you know, Panda, Server Supervisor, you know, the list goes on and on.
And, you know, I think every bot has its own special kind of, okay, hey, I got this covered, and you can't really just secure a Discord or other things with just one bot, right?
It definitely takes all of them in conjunction together, just because a Discord has multiple attack surface areas, and you need to use them in conjunction together to really protect every area and make sure that you're covered from even things that you couldn't imagine or things that you can't see.
Yeah, I'll add on to that a little bit.
Drew is absolutely right about there being, you know, multiple layers.
Um, I think I have, you know, running 24/7, I have Hashbot, I have Wick, I have Goodnight, I have Dyno, and I have Discord's native AutoMod regexes all checking messages, joins, user profiles, usernames, the links being sent.
Uh, Wick checks, you know, what bot activities are happening, how many channels are being created, how many roles are being created, what's being deleted.
So, you know, to an extent, um, you basically form this, like, kind of Star Wars droid perimeter around your server that is physically impossible to do, you know, manually.
Um, so to some extent, none of these Discord bots are secure, right?
They're not built to be enterprise; like, Microsoft isn't using a Discord bot to secure their own servers.
But it is more secure than not using them.
Um, I personally, you know, develop my own bot for the Jadu community, but I'm not worried about coding my own security measures or moderation measures, because I know, or at least trust enough in, the tools that I'm currently using to be better and more worth my time than developing my own solutions.
Especially when it comes to, like Drew was saying, uh, Discord's API updates relatively frequently; there are new features that roll out relatively frequently for a variety of different reasons, and there are, you know, these development teams are, uh, aware ahead of time and make the changes ahead of time, and make it so that, you know, I don't have to spend a week prior to a big update just making sure and testing, you know, changes to the Discord API, or however the messages are being sent, and things like that.
Um, so to reiterate, I think the general stack that people are seeing for Discord bots, like the group of Discord bots that we're seeing for Web3 communities specifically, is: you have, um, the Goodnight Bot by Captain Plantain, we'll go ahead and see if I can link to the top of the space, is a newer bot that, um, luckily the developer has been in Server Forge.
Actually, basically all the bots that I'm going to talk about, um, we have as part of our community over at Server Forge.
Um, Goodnight is our anti-link bot.
It also has essentially what is called a, um, a temporary admin feature, so that you can make changes on a hot account, but it's secured via password or authentication app, which is really useful for, you know, making changes without having to necessarily go to your cold device, while still keeping that relatively secure.
But again, the main point of Goodnight is anti-link, including anti-masked links.
Um, you then use Wick, or Wick Bot, um, to protect yourself from both malicious spam and malicious bots themselves.
It basically monitors changes in your server entirely and quarantines accounts that are making changes outside of their permitted scope.
So again, kind of what Drew was saying, um, anything you add should be scoped down to the least, uh, possible permissions.
You will find that bots get added with admin permissions just because they think it's easier for, um, you know, server owners and moderators to add it with admin and not have to worry about setup.
But for our space, you know, scoping those permissions down and making sure that they can only impact what they need to to absolutely function, um, and then using Wick to make sure that they can't escalate that privilege or, you know, uh, move sideways or laterally to use that permission in any malicious way.
And then there are things, uh, for anti-impersonation, which nowadays includes Discord's native features for AutoMod, lets you scan profiles and usernames.
But I rely on a bot called Hashbot, which also uses regex, the same, uh, regular expression system that Discord uses, to monitor people's usernames for things like airdrop or claim or moderator or official.
Um, so Hashbot, Wick, and Goodnight, as well as, um, some other tools, especially, you know, the Discord native, you know, not a bot, AutoMod, is, uh, the main three or four things that I recommend everybody look into if you are trying to up your security.
Yeah, I appreciate it, Toby.
And I was gonna, uh, pretty much leave everyone with the question of, uh, if you're listening to this space, uh, what's a standard or basic way to pretty much navigate Discord while staying safe.
Um, but you pretty much covered everything in there, and if you still are unsure, just go back and listen to the space, because it is recorded.
Um, but for any project founder that happens to listen to the space, I kind of wanted to cover what Drew brought up in the beginning, is that, would you rather pay for a Discord audit, uh, pretty much to have your entire Discord locked down, or would you rather pay to reimburse your entire community?
Um, and I think that hits a bit closer to home for a lot of project founders and people that are employed in other projects and stuff like that, because you guys, and they, fully understand the issue that lies within Discord and the security that needs to pretty much be in place to keep your community secure.
Um, but as we approach the hour, I want to thank you guys both, for, uh, or Drew, Tobin, Mac especially, who hopped on for a brief moment, uh, Cyan as well, for coming on and sharing everything that you guys could about Discord, the knowledge that goes in the audits, locking it down, keeping it safe, etc.
Um, so I'm not sure if you guys have anything to, uh, end with; you guys want to get out a last-minute sentence or a few, feel free to go ahead, but thank you guys again for coming out on the show and sharing your alpha.
Yeah, apologies for not speaking much; I've been kind of just sitting back and taking it all in and learning myself, so I appreciate all the, uh, alpha you guys have dropped, and I've definitely learned a bit, so thank you guys for coming on.
For sure, thank you all for having us.
I hope I didn't, uh, inundate too much of the space with my own voice, but, uh, it's definitely a topic that I'm pretty passionate about.
No, you guys crushed it, you guys crushed it.
And if, like, this is where the alpha is right now, everything you need to know about Discord security, it's within the space, and I'll cut it up, I'll throw it in different pieces, share it for anyone that hasn't listened thus far.
Uh, so I appreciate it again, thank you guys for coming on.
All right, well, that is it.
I'll, uh, I'll go ahead and close up the space unless anyone has any other last-minute words they want to get out.
I will just reiterate that audits are cheaper than dealing with the repercussions, both on the Discord side and the smart contract side.
So everyone get audited, be smart, take the right steps, and I'll leave it at that.
Drew, tell us.
Oh, maybe he doesn't have anything to add.
Drew, do you have anything to add?
He's raising his hand, but I think he's just waving goodbye.
Twitter's doing this; I can't hear any...
Oh, I hear you; I think I hear you.
But yeah, just to reiterate what everyone said, just be proactive and make the right decisions.
And, uh, yeah, definitely appreciate y'all for hosting this space.
It's, uh, you know, we're trying to switch the kind of motto from, you know, security is never important to us, too late; so be proactive instead of attractive, as I always say.
I'm, we're trying to make security sexy, make it a topic people want to learn about, and all that stuff.
It's not always something that, you know, catches people's eyes or attention, but it's something that is very important.
And, you know, us coming on here and having these conversations, I hope, you know, at least changes a few minds and gets a few people looking the right way.
So that's basically all we can do, and, uh, I think we've done a good job with that today.
Agreed.
I'm gonna go ahead and wrap the space up.
Thank you guys again for coming on, and thank you to our listeners who joined in and hopefully learned more than a lot from this space.
Thank you, guys.