The Wolf Of All Streets - Protecting Your Assets with Jameson Lopp, CTO of Casa
Episode Date: October 22, 2020
Jameson Lopp joined the Bitcoin community in 2014, attracted by both its technological and philosophical use cases. His passion for security and privacy led him to jobs protecting both high-level institutional-grade crypto holders and individuals. Having been the victim of a series of coordinated sophisticated attacks, Jameson has been forced to become a leading expert on cybersecurity. His unique experiences led him to develop his own company, Casa, which frees users from the stress of self custody. Scott Melker and Jameson Lopp further discuss experiencing multiple bull cycles, the great lengths one must go to secure crypto, Bitcoin’s largest threats, a nation-state attack on Bitcoin, apathy killing Bitcoin, SIM swapping and SWAT attacks, buying a burner house, moving off the grid, Coinbase’s political controversy, Satoshi’s secret identity, the criminal interest cycle, going dark for good and more.
---
VOYAGER
This episode is brought to you by Voyager, your new favorite crypto broker. Trade crypto fast and commission-free the easy way. Earn up to 9.5% interest on top coins with no lockups and no limits. Download the Voyager app and use code “SCOTT25” to get $25 in free Bitcoin when you create your account.
---
ELECTRONEUM
Electroneum has gained widespread adoption providing a mobile-first payment solution to the world's unbanked, attracting more than 4M users worldwide in less than three years. They have since launched a new freelance marketplace, AnyTask.com, which is providing thousands of freelancers the opportunity to sell their services to buyers globally, without the need of a bank account. Learn more at Electroneum.com.
---
If you enjoyed this conversation, share it with your colleagues & friends, rate, review, and subscribe. This podcast is presented by BlockWorks Group. For exclusive content and events that provide insights into the crypto and blockchain space, visit them at: https://www.blockworksgroup.io
Transcript
I'd like to thank my sponsors, Voyager and Electroneum, for making this episode possible.
Stay tuned for more info on them later.
What is up, everybody? I'm Scott Melker, and you're listening to the Wolf of All Streets
podcast. Today's guest is an original cypherpunk. Jameson discovered Bitcoin early and has done
extensive work advocating for its privacy and protection from governments and other threats.
He's the founder of one of my favorite companies who I use, Casa, where Bitcoin holders can protect their assets like never
before. Jameson Lopp, thanks so much for taking the time to come on the show.
No, it's great to be here. I've actually been a Scott Melker fan since the early days. I was
actually looking back on my tweets and I found one from 2014 where I was telling Nick Cary at Blockchain to listen to your stuff.
When we first connected, that blew my mind.
Absolutely.
Because I've been kind of like obviously quietly following you for such a long time in the
Bitcoin space.
And then I found out that you had been like blasting Ballin' Oates in your car.
That was pretty cool.
So before we get into the questions, once again, everyone,
you're listening to the Wolf of All Streets podcast, where twice a week I talk to your
favorite personalities from the worlds of Bitcoin, finance, trading, art, music, sports,
politics. This show is powered by BlockWorks Group, a media company with over 20 podcasts
in their network. You can check them out at blockworksgroup.io. Now, if you like the podcast,
you follow me on Twitter. You need to check out my website and join the newsletter. You can do both those things at
thewolfofallstreets.io. So now that we're done with that part, let's get into what's actually
interesting here. So obviously, you were a very early adopter. You've been in this space. People
know that you've been an advocate for Bitcoin for a very long time. How did your Bitcoin journey
sort of start?
Both from the technical perspective and philosophical. I mean, I have been a programmer
my entire career, got a computer science degree. And so I hung out on a lot of the nerd sites.
I'm pretty sure that the time that I finally actually decided to look into Bitcoin was from a Slashdot article. I know I had
heard of it a few times before then on other geeky tech sites and generally dismissed it. But
that third or fourth time I heard about it is when I actually went and read the white paper.
And that's when the technical side of me was like, Oh, snap, you know, this is actually a
very elegant solution. And I don't think that it's going to get hacked and cause everybody to lose their money.
It's actually much more robust than I assumed that it was going to be because nothing like
that had ever existed before.
So that got me intrigued from the technical side.
And then on the philosophical side, once I really started thinking about what is money,
because most people don't
go that deep, they just use what's given to them, then I realized that money as this abstract
concept is something that should not be controlled by any single group. It's something that it really
ought to be a consensus-driven project where anyone who cares can chip in and say, I think the ideal money
should work like this. So money as an open source project, I thought was a really fascinating
concept and basically decided at that point that I wanted to understand this Bitcoin thing as much
as possible. And after doing some side projects for a few years, I was eventually lucky enough
that venture capital flowed into
the space and I was able to just work on it full time.
And what year was that? And what did that
look like when venture capital first came into the space? Was it Casa? Was it something else?
What were you working on at that point?
Yeah. So when I realized that I was already spending
most of my waking hours thinking about Bitcoin and shirking my regular job duties, it was like late 2014 when I started looking at jobs. I
actually, like, applied at Coinbase and a few other places. And I, however, did not
want to move to Silicon Valley, so that made it a little bit trickier, and I
ended up actually getting a job building infrastructure at BitGo doing multi-sig enterprise,
you know, sort of hot wallet handling for exchanges and other payment processors.
And so that's where I really got to learn a lot more about the sort of cybersecurity aspects of the space.
And, you know, we had a wild ride from, you know from 2015 through 2017, just trying to keep up with
everything. And then it was early 2018 when I basically decided to pivot very slightly.
And instead of focusing on enterprise Bitcoin security and crypto key management, instead,
now I'm focusing on individual key management,
trying to help normal people be their own bank and really attain the promise that Bitcoin has
always made it technically possible, but has usually been out of reach for most people.
That's interesting. You and I have discussed this before separately, but it's sort of like
the evolutionary chart of security for people, right? You come into Bitcoin, you buy some Bitcoin on an exchange.
Okay, fine. It's safe.
Then you see a story about a hack and you move on to maybe be self-custody.
You buy a ledger or something like that.
And then it grows and you start to worry about yourself as your single point of failure.
If I die, if I forget it, if I bump my head, all these things.
And then I think you eventually land at multisig. So what is it that drove you to focus more on retail? And why do you think that people
should be that concerned about their security and securing their assets?
I felt like we had done a pretty good job progressing enterprise security. And really,
as of today, there are a lot of best practices. There's even
the cryptocurrency security standard, which if exchanges and other enterprises adhere to the
recommendations of even tier one of that standard, then it's pretty unlikely that they're going to
get hacked. Now, we still see hacks
happen all the time because new companies come into the space, new exchanges pop up, and they
don't know jack about Bitcoin security or crypto security. And they make the same mistakes that a
lot of people have made before. And so that's why we're going to keep seeing those types of hacks.
But I believe that the best practices already exist. So if you actually care enough
to look into it, then a dedicated team of experts can secure private key material pretty well.
However, for the individual to do that, it's still a really high learning curve. It can take
days, weeks, months of education to learn not just the basics, but then what you were talking about, you get into
more and more edge cases of things that are less likely to happen. But still, when we're talking
about something where a single catastrophic mistake can cause you to lose everything,
then you want to have all the bases covered. So I realized that even after working full-time doing Bitcoin key management for three years, my own personal
setup was still a huge pain to actually keep updated. I was spending basically a weekend
every year. At the turn of the year, I would have a little calendar reminder that said,
okay, update all your cold storage. This is going to be a really boring pain in the ass,
but you've got to
do it because a lot of your net worth is tied up in this stuff. So I realized if it was that big
of a pain for me, then the vast majority of people were not going to follow many of the best practices.
And at the micro level, that means that these individuals are going to be less secure. They might end up
losing their money. But at the macro level, it's even more concerning because I think that that
means that more people are going to just be lazy and leave their money with third-party custodians.
And then we're just right back where we started with, where we just reinvented the banking system all over again. And that creates a systemic
risk. And I am concerned about where we might end up decades from now. Because if you really want
Bitcoin to be like the world reserve currency, you have to think of this in terms of generations.
And if we keep sliding in the direction that it seems like we're going, then having the vast majority of keys held by a small number of entities creates new types of attack vectors.
And I don't want us to ever have to worry about that.
So there's the security side, obviously, and then you have to think ahead of the security side.
But there's also the philosophical side that you just touched on, which is if everything's just going to become another bank for Bitcoin,
what was the point, right? The whole appeal for people who get it, I guess,
is to be your own bank and somewhat opt out of the system, right?
Yeah. So it's funny because when you get really deep into it, it seems like almost everything
that there is to talk about Bitcoin has already been talked about. If you go trawling through the early 2009-2010 Bitcoin talk posts, and it was actually Hal Finney who originally was envisioning Bitcoin as ending up like that, where the vast majority of Bitcoin was held by some sort of custodians.
And he seemed to think that that was the natural way for the system to scale. But I think that
there's still plenty of opportunity for us to try to prevent a future like that from happening.
So the argument was kind of, sure, you'd still have a lot of people that were sort of voluntarily trusting third parties, but at least you wouldn't have a single central bank that could then easily debase the currency.
So even if we got into that situation, there is an argument that at least maybe the 21 million total supply would stay the same. But I would argue that the guarantees around that become a lot weaker as the number
of coins that are held by different entities continues to consolidate.
It's interesting though, because the community in general and myself included, if you're
talking about the price of Bitcoin, you see a lot of these, the big news is very bullish,
the OCC saying that banks can custody Bitcoin,
Kraken becoming a bank in Wyoming, PayPal, Venmo, Square, these huge things. But I mean,
to your point, maybe that's good for price, but not good for Bitcoin long-term. Is that somewhat
accurate?
Yeah. I mean, it kind of comes down to coordination costs, right? Is that the whole
point of Bitcoin as a protocol is to create this machine consensus that essentially automates the
coordination of the auditing of the financial system. And that is great. That's where the
real value of this system is. It's actually efficient from a like global coordination mechanism, even though we're burning a ton of energy to secure it.
It's arguably more efficient than having a lot of human auditors trying to come to consensus,
you know, on a daily basis. But then at the human level, the problem is that the machine consensus, while that is a very low
level of the Bitcoin network and the Bitcoin protocol, beneath that, there is always the
human consensus level. It's like humans can always theoretically come to a new consensus
to change the rules of the system if they update the code that they're running. And
then the question becomes,
how could that potentially be weaponized and become an attack vector if the number of humans
who have to coordinate that are small enough that they can actually come to an agreement about
something that perhaps the wider ecosystem does not agree about? And of course, that's where
you get into all the scaling war stuff, the 2X and Bitcoin Cash hard fork and all the other stuff of like,
who actually decides the changes?
And are they able to pull along the rest of the majority of the system, even if they are in disagreement?
We also hear that mining is highly centralized, right? I mean, it's four or five companies, whatever,
doing the bulk of all,
are controlling bulk of the hash rate.
So is that another concern,
similar to what you're discussing,
or is that something separate?
It's kind of related, but it's got its own complexities.
I actually wrote a blog post a couple of months ago,
entitled, like,
Does China's mining power pose a threat to Bitcoin?
And that, I think, becomes an issue if you're talking about nation state attacks.
Like, what could a nation state that like nationalize all the miners within their borders possibly do?
And the nice thing about mining is that it doesn't allow you to change the rules of the system. It only allows you to decide which blocks are going into the blockchain
and they still have to be valid. So the biggest attack, well, two different attacks that could
really happen. One is that if a miner already has a lot of money, they can double spend their own money and they would most likely be attacking exchanges. And from a nation state standpoint,
if like China was going to do that, then I would like start attacking the American exchanges and
the European exchanges and try to steal all the, as many coins as possible from them.
The sort of nuclear option that a nation state could do is to just censor everything,
you know, only create empty blocks, don't allow any transactions to go into the blockchain.
And, you know, that could cause a massive loss of confidence. But then there's a question of like,
how long do they sustain that? Because it's not cheap to do. So there's always other counters to this. Like you can go through all possible
different paths of what could happen. And ultimately like the network and the global
community, as it were, would notice very quickly if these types of shenanigans happen.
And so then, like I said, we would know that something funky was going on at the machine
consensus level.
We fall back to the human consensus level, and then we have to decide what do we do?
The nuclear option there is you could potentially nullify all of the miner's hardware by changing the algorithm for mining.
And that would kind of be like a massive reset and probably push us back to GPU mining for a while.
But it's something we want
to avoid. And the nice thing is that I think, from a mining standpoint, it seems like it's becoming
more competitive. It seems like we're seeing more, um, miners that are using, like, renewables and
things like captured, like, excess natural gas and stuff. And they're basically dispersing throughout the world. So
it's not all just going to be like Chinese hydro mining, but rather a diversity of different
cheap renewable energy sources all over the world.
Yeah, I'm blanking on the company level
something, but they're in Texas. And I know that they're selling a ton of electricity back to the
grid to offset the cost and make sure that it's reused.
I mean, there's going to be novel solutions for the electricity problem, you have to imagine.
I mean, in a world where we have this many smart people who are working on it, you know, I don't think that that's going to be a huge issue.
So you touched on definitely the nation state, I guess, threat to Bitcoin.
What are the other threats to the future of Bitcoin, or at least the future that
you, the ideal future of Bitcoin in your mind? Are the biggest threats governments? Is it
companies? Is it hacks? What is it?
Well, I've said for, I think, quite a few years that I felt
like the biggest threat to Bitcoin was apathy. So that basically means that we get stuck where we are right now. We stop growing and it remains a fairly niche thing.
Now, with the news just in the recent weeks and months and all an asset, Bitcoin is actually becoming more and more
accepted that it's not going away, that it is actually something that you can depend upon.
So I'm fairly confident there that the momentum and the network effect is already
high enough that it's not going anywhere. And I'm even somewhat
optimistic that the nation state threat is less of an issue because I believe, and we've heard
a number of reports that there are plenty of politicians who are already invested.
The politicians aren't stupid. They know how the game works.
And they want to opt out of the current system as well.
So that, of course, changes the incentives.
It's unlikely that nation states are going to try to ban Bitcoin
if a lot of the politicians already own it.
Yeah, I mean, they'd much rather capitalize it than kill it, right?
Like anything else. The thing is, Bitcoin works because, you know,
the incentives are aligned and greed is good and it makes people predictable.
And as you said, you know,
they know better than anyone else, the hazards of policy, right?
I mean,
your average politician in Washington has to be aware of the effects of endless money printing and QE and failed. So you talked about apathy as being the biggest threat, which I think is really interesting. And I agree with you. I think that's not a threat anymore. almost 10 years, you know, almost a decade. Isn't this
like the maximalist wet dream scenario right now? I mean, that's, it's what you guys have been
saying was going to happen, the money printing and the sort of all of these issues with monetary
policy. Isn't it here? I mean, isn't this the time?
Yeah. You know, it's, it's hard not to have like a schadenfreude
or whatever. Um, I, I tell some people that, you know, what's really better than, you
know, the price going up orders of magnitude, what, what is really more, um, comforting to me is being right. It's like, I'm basically being proven that I wasn't crazy
for so many years. You know, so many people looked down on me and said that I was, you know,
the crazy libertarian nut job who was talking about things that were never going to happen.
And, you know, there was never any guarantee that it was going to happen. And, uh, you know, it was, there was never any guarantee
that it was going to happen this quickly. That was really, I would say the biggest surprise is that,
um, when I first bought Bitcoin, uh, as an asset, I did so as a hedge, I didn't think,
Oh, this thing is going to make me rich. I was rather that I knew that over the course of
my life that my dollars were going to become worth less. And so I was going to put them into
a system that seemed like it was less likely to decrease in value. And I am not an investor or
really, I'm a terrible trader. Oh my goodness.
I would say the vast majority of my trades over the years have been losers.
There haven't been many of them.
Like the only,
the only really good trades that I would say I've done over the past decade.
I've had a couple of good stock trades like Netflix and Amazon. On the crypto side,
obviously dollars to Bitcoin has been good. I've lost money on most of my other crypto to crypto
trades, but the only crypto to crypto trade that has turned out really well for me is selling off
all my Bitcoin forks for more Bitcoin. But even then, I would have done better if I had sold them for
fiat and then waited for the market to crash and then bought more Bitcoin.
Yeah, I know it's perfect. I mean, traders lose money. That's the way it is. And I mean,
wealth is accumulated by, certainly in a space like this, by just being early and believing and
buying and forgetting
about it. And I'm assuming that's largely what you've done. I mean, they say 95% of traders
lose everything. So yeah. And you know, it's hard to put a number on it, but I would say
that the vast majority of people who got in really early did not hold through multiple bubbles. And
the only reason why I have held through multiple bubbles
is because I've always considered this to be a multi-generational asset. I was not trying to
flip it into something else. I didn't need the money to sell, to buy other things. I've always
been privileged enough to have the skills to,
you know, have high paying software engineering jobs. So this, this entire time I've just
continued living real, basically tried to continue living like I'm only earning like
50 or $60,000 a year and not inflating my lifestyle. And, you know, perhaps someday I'll,
you know, go buy a private island or something. But
I don't feel the need to do that because we still have so much work to do. And this really
has always been more of an ideological mission for me rather than a profit-driven thing.
So interesting because you hear the criticism all the time,
I'll call it a criticism, that people who were early and got rich were lucky.
Right?
And you hear it all the time.
Like, oh, they just happened to buy it.
But you touched on the most important point.
Buying it is nothing.
Holding it through all of that requires just hands of steel.
Right?
So, I mean, there's no luck.
Not only that. I would say there is also luck
in the sense that there are always novel types of attacks and forms of loss that are being
discovered. And so I've had my fair share of close calls where I almost lost a lot of money.
And this actually, you'll probably find this funny, but because of what a terrible
trader I am and just like not really understanding trading very much, I lost a decent amount of money
by accidentally crashing the Litecoin market on Coinbase.
Was it like a fat finger? You put too many zeros?
No, I just did not understand how illiquid Litecoin was at
the time, and I was used to, you know, making six-figure trades in Bitcoin and just, you know,
market order, done. And so I made, and it was, it was like maybe a 30 or 40,000 Litecoin sale,
and it crashed the Litecoin market. And so I basically ended
up losing half of that to slippage. But live and learn.
Yeah. And I think that a lot of people have experienced that in the altcoin market. Certainly
if you were early, but still, we have DeFi and Uniswap and stuff where you can press the wrong
button and send something literally to zero in a matter of moments.
So I want to talk about security basics. Obviously, I don't often have the opportunity
to have someone on the show who really understands or can explain from the lowest to the highest
level what people should be doing. So I guess we have people that are coming into the space
for the first time, as I touched on before, they're buying and just leaving it on an exchange.
What are the most basic steps that every person who's in crypto or just every person in general
for their privacy should be taking at least to like maintain some privacy and security?
Privacy is a lot harder than security. And, you know, And that is because it mainly comes down to what are the on-ramps and off-ramps that you're using.
So I suspect the vast majority of people are going to be using your standard centralized exchanges, the vast majority of which are doing AML, KYC, at least if you're doing anything more than trivial amounts. So if you want to get in and out of the
space through like fiat rails, and you don't want to give up all of your identity information,
then you either need to do like face to face trades, which are actually a security risk.
And that's where the vast majority of armed robberies happen in this
space is meeting people with large amounts of cash. And I actually have a whole repository
dedicated to keeping track of those types of attacks. Otherwise, it gets more technically
challenging because you can acquire and dispose of the assets through
AML KYC, but then use various technical methods on these networks to either mix the funds or try
to hop between different chains. Of course, there are costs associated with that and additional
risks of potentially losing everything. And really, the way that I approach most of the privacy
stuff is that I'm waiting for better privacy. I'm waiting for improved CoinJoin, improved
aggregated signature stuff so that the mixing software is a lot stronger than it currently is. And that's probably another reason why I don't really move a lot of money around
is that every time that you do that,
every time you transact with someone else,
you're potentially giving away a lot of the details of your entire assets.
So privacy is actually, I would say,
one of the latter things that you should worry about because privacy doesn't matter at all if you have terrible security and lose everything. possible with third parties. Obviously, you've got a lot of people who are probably actively
trading and watching your show, and they need to have something available in order to make trades
on short notice. But that should be only a small part of your stack. And if you have the vast
majority of your funds on exchanges, even if they're dispersed between multiple different exchanges, you're at much higher risk than if you have a robust self-custody setup.
And this is actually something that I've heard fairly frequently is people believing that because they have their funds in many different places that they're safer.
And it's an interesting conundrum because what you're doing is you're pushing the risk around.
You're spreading the risk out that you have a single catastrophic event that causes you to
lose everything. So you are safer from that perspective. However, on the flip side, what you're also doing is you're increasing the risk that something goes
wrong and you lose some portion of your assets. So that's some other mental math that people need
to be aware of. So what I focus on is how do you create one single robust setup that is essentially impermeable and,
you know, is flexible enough that we understand that humans make mistakes. And we want to make
sure that those mistakes, those accidents, those acts of God, nature, whatever, are not catastrophic, but rather are just minor annoyances that you can then recover from.
So there's multiple different, I would say, tiers or levels of what you can do with your holdings.
If all your stuff is on an exchange, you don't actually own any crypto.
You have crypto IOUs and you're hoping that that exchange doesn't go bust.
And there are arguments to be made that, you know, you're essentially a creditor to that exchange,
but you don't even have creditors rights. Like I think if there's like a liquidation event,
you're going to be the last in line to get any money. I mean, just look at what happened with
Mt. Gox. How many years this has been? Six years ago. Yeah, and there are still people waiting. Like, there's
what, 200, 150, 200,000 Bitcoin that are still just sitting with, uh, some trust guy in Japan who's
trying to figure out what the hell he's going to do with it. So yeah, that's it. And that's a good
outcome, because at least they have something that eventually should get paid off. Right, it's not gone. Yeah. But going from there,
the next step is just taking control of your own keys.
You can put them into a software wallet.
That's not great.
There's still a ton of technical hacks and attacks that can happen there.
Going to a hardware wallet is really the great next step,
and it's fairly easy.
Ledger, Trezor, Coldcard, what have you.
And, uh, that will protect you from the vast majority of remote, like, technical attacks. You're
then still going to be open to, uh, social attacks. Like, phishing-type stuff is what we're seeing
a lot more these days, because now the weak point is the brain,
it's the human, getting them to press the button to authorize the money to go out.
And then the other thing that a lot of people don't spend a lot of time thinking about is just
yourself. It's like you are one of your biggest weaknesses and not having a robust setup. You
could lose all of your money due to a house fire
if you don't have geographically distributed backups, for example.
And I would say that that is really the bread and butter
and value add of our setup at Casa
is putting the user into an architecture
where they don't have to think about it. They don't have to
spend a lot of time thinking through everything that could go wrong because we've already done
that. And then we've created software so that you're just following the instructions in the app,
but you also have a client advisor that you can reach out to if you have any questions.
And by just following what we have told you to do in the software, you put yourself into a position
that I would argue is even more resilient, more robust than a traditional bank setup.
Because even if you're putting your gold bars into a vault in a bank, there could be some sort of disaster that causes that building to blow up or fall down or fall into a hole.
If there's a giant earthquake that opens up the ground, you never know.
But when you have multiple different sets of keys that all come together to secure one stash of,
of crypto.
And you can put those in geographically secured locations.
Then it's like, unless, you know,
the entire side of the country gets nuked or something, you know,
you can be rest assured that even if you lose one or two of those keys,
you're still going to be able to recover your funds.
So that is where multi-sig is kind of what I consider the final technical step.
But multi-sig is not a silver bullet.
It really depends how you set it up.
And if you set it up the wrong way, it can effectively be the same as single-sig.
And that's what we had some sort of hard lessons over the years when we were in the early days of doing multi-sig setup is
Yeah, I think that the real light bulb moment for me, well, light bulb moment one was getting
SIM swapped, obviously, and having people attack me and
multiple times and trying to hack me and realizing that this was a real threat and that I couldn't
take it casually. But then when you actually start to secure yourself from that, you realize
and the real light bulb moment, as you said, is realizing what a point of vulnerability you are.
And for me, that was the biggest one. If I die, if my house comes on fire, if anything,
like you said, we all, you know, if you're in ERC-20 coins and stuff, you probably have coins in
five, six, 10 different places. How's my wife going to find that? How are my kids going to
find that if we're both going? It sends you down the rabbit hole. That's what led me largely to
you guys. You know, we've discussed this at length. I was extremely impressed at how easy the process was because
it seems very daunting at first to even make the decision to go multi-sig because three of five,
you're going to have to set up five wallets and you're going to have to disperse them.
But you guys, like you said, you have someone who holds your hand literally the entire way.
I mean, I feel like either people at your company or my friends who check in on me once a week to
make sure that I haven't done anything stupid. It's amazing. I mean, so you have gotten to that
point, right? I mean, you feel like now you have the product.
Yeah. I mean, we try to strive for like a private banking experience. If you have a
high net worth that you need to secure,
traditionally high net worth individuals, they have private bankers who manage all the aspects
of their financial life. And we wanted to provide the same type of experience from a service
perspective, but do better than that because we don't want to actually control your money.
We don't want to be a single point of failure where we could be coerced or we could screw up or even have an internal employee attack. There have been exchanges and other providers that have
had rogue employees that have ended up stealing lots of money. So it's a high stakes game. And
we just want to help people help
themselves. That makes sense. And so, I mean, obviously, I said I've been SIM swapped and
hacked. But you've really, really gotten a big taste of the worst of the worst in this, right?
I mean, I remember reading the New York Times article about how you took yourself completely off the grid.
I know that the SWAT team came to your house a few years ago.
Can you talk about those experiences, what happened, and then how they shaped your view?
I think it'll show people why you're so serious about privacy and security.
Yeah. And unfortunately, I did not really walk the walk when it came to privacy until I had the massive jarring event that made me realize
how exposed that I was. Essentially, rising to prominence during one of the bull runs,
it results in more people paying attention to you.
And this is a common celebrity problem, of course. Traditional celebrities who have millions of
people paying attention to them, it's just a law of large numbers where eventually there are going
to be some unhinged people who are willing to do things that you wouldn't have considered. And so that's when eventually someone figured,
hey, this guy's been in Bitcoin for a long time.
Maybe I can screw with him enough to extort him.
And they had the technical ability to anonymously place a phone call
to my local police department and pretend to be me,
say I had killed people and was holed up in my house,
like barricade situation with explosives and all this other stuff. So essentially,
they hacked the system, not only from a technical level, but they understood that it's actually very
easy if you say the right words to get a large amount of lethal force targeted at really anyone you want.
At least in the United States, this is easy to do.
Yeah, and it's really an asymmetric type of attack where the person who did this
probably spent less than $100 on the technical aspects to be able to get away with it.
And in exchange, they were essentially able to probably use
hundreds of thousands of dollars of public resources
to shut down my entire neighborhood for the morning.
And then subsequently, who knows how much in investigation man hours
got spent trying to find them and failing.
And that's when I realized that if you're in the space,
then you are a target not only digitally for SIM swapping stuff,
but potentially also physically.
And while the project where I keep track of physical attacks,
I think there have only been three or four dozen documented. I know
there have been plenty of other undocumented because most people, and like after this happened
to me, I had several people reach out to me privately and tell me the same thing had happened
to them. And I was like, well, why the hell didn't you tell anybody? Yeah, they're scared.
They don't want to become a target again. And the other issue is that, of course, I didn't go into all the details of what happened until a year later after I had burned down my
entire life and moved to a new secure location where I felt like, okay, now I can actually talk
about it. And for a variety of reasons, of course, that's not an option for a lot of people.
So unless you start out in the
crypto space with really strong operational security, then you're going to end up having
to spend a lot more on the back end if you want to put yourself into a really good
standpoint, I guess. It really depends on what you're trying to protect yourself against. And I've written a number of articles on this and it gets expensive. So it really depends on how much you think it's worth to you. It's a new type of insurance. And this is really what I consider security and privacy, both different types of insurance.
There are a number of people who ask Casa, do you offer insurance on the Bitcoin that I store with you?
And my response is, well, you're obviously asking about traditional insurance, which is some sort of legal contract where you hope that they will pay out.
And if you follow along anything in the insurance world, then you know that the insurer will do the most that they possibly can to not pay you out if something happens to you.
Obviously, yeah.
Insurance itself is not necessarily a great insurance because the guarantees are
often pretty flimsy. So instead, I think it's better to insure yourself. And the way that you
create guaranteed insurance is by setting up a strong privacy, setting up strong security
in a way that you're not relying upon, once again,
a third party. If you're relying upon a third party for insurance payouts, then they might
let you down. And that would be pretty terrible to happen in your time of need.
You were able to completely remove yourself from the system effectively. Right. I mean, you, you know, uh, I, if I recall,
like, you know, you started a, an anonymous company basically, and did everything through
the company you moved, you, you went as far as to buy a burner house, right? I mean, you bought a
separate house to have a different address just so the mail could go there and people wouldn't know
where you were. I mean, was that sort of an experiment to see if you could do it? Or was it
were you at the level where you were saying, I need to do this or somebody's gonna get me?
Yeah, it was both. You know, first of all, you know, the attack happened near, it was like,
as the 2017 bull run was really taking off. And so that's when a lot more people were paying attention, including criminals. So I felt like I had a few years after that of bear market where I assumed
there would be less of an issue, but it's always about preparing for the next bull market.
Whether that's a personal thing or a company thing, it's like, this is my second full cycle working in Bitcoin full time. And I can see a lot of parallels. And so one of the things that we've spent a lot of time the past couple of years at the company doing is basically me telling everybody all the shit that went wrong last cycle and how we need to prepare for it so that we don't get completely overwhelmed when demand goes through the roof on the next cycle. And so that is going to continue to happen from a security perspective
is if there's a 10x move in the market, then the entire world is going to be going crazy.
But also that means that criminals and people who are willing to cause harm to others are going to
get more interested in it.
And they are going to be experimenting too. So the stuff that I did, it was an experiment to
try to push the envelope. And, you know, there were some things that went wrong. And I actually,
I went through a whole other cycle more recently to basically do it all over again and fix the
things that went wrong the first time. And so then, you know,
eventually, hopefully in the next year or two, there'll be another major bull run and we're
going to see another new swath of criminal element come in, try to figure out what are the risks and
rewards of different types of attacks against people in the crypto space. And I know I'm going to be a big target. So I want to have
an order of magnitude more security and privacy than I think I need so that I can weather those
attacks. So it's interesting. There's kind of Bitcoin and everything else when it comes to
security. So I know that you guys, multi-sig is a great strategy for people to secure their Bitcoin. But what about everything else?
So it depends from protocol to protocol, right?
Any of the Bitcoin-based protocols will have the same multisig stuff.
It will then just be a question of whether or not your wallet, software, and hardware supports it.
The completely different things like Ethereum does not have native multi-sig.
You basically have to use a multi-sig smart contract. I have blog posts about my experience
with that. It does seem like the Gnosis Safe multi-sig smart contract has been well vetted
and I've not heard of any exploits against it. And I think it's been out there for a couple of years now.
So that's probably the best option for Ethereum folks.
You know, Monero technically has multi-sig,
but as far as I'm still aware,
there's not really any good interfaces into it.
It's more of a command line thing.
And, you know, the further down you get in the list,
you know, the smaller the community, the smaller the number of developers, the less likely there is going to be some sort of robust multi-sig even offered to you.
So what we've seen instead is some companies and projects have used other types of things that are similar to multisig, but they're not actually
like on blockchain multisig. So you can do things like Shamir's secret sharing. It has its own set
of gotchas, but it essentially allows you to split up keys. I think there are some companies that are doing multi-party computation systems that can allow you to do the same thing.
The tricky things about both of those is they're novel.
And I think like with the multi-party computation stuff, I think a lot of it's not even open source.
So it's hard to evaluate. As time goes by, we'll be able to
gain more confidence in them if they don't get exploited. But there have been exploits. I think
there was a Shamir secret sharing in some Bitcoin wallet recently, they were doing this like social key recovery thing.
And basically, an attacker, somebody, a researcher figured out how to turn it
from a like two out of three, basically into a single-sig once again. So it's, it's hard to say,
you know, this, we obviously get people asking us all the time,
like when are you going to add support for X, Y, or Z?
And it's just, it's such a heavy lift,
both to evaluate and then to build on top of,
is that I still feel like we have so much work left to do
improving the Bitcoin experience
that I wouldn't want to start working on something else
until I felt like I was finished
and had the perfect polished Bitcoin vault available for people.
That makes sense.
And we talked about, I guess, exchange security a bit earlier,
but at least it's encouraging, I think.
I'm not saying it's certainly not the end-all be-all,
but that they've added things like whitelisting and hardware,
like a Yubico
key to be able to... Do you think that the exchanges now are becoming far more secure,
at least than they were before? Or do you still think that they're huge points of failure?
I think the exchanges that have been around for a long time are getting more secure, you know, Kraken, Gemini, Coinbase. Though last I checked,
Coinbase still had like SMS account recovery and 2FA. And like, there are still plenty of people
who are getting SIM swapped and losing their Coinbase funds. And I don't know why the hell
they still even allow that. Every SIM swap that I've heard of, people that I've talked to myself
included, and I didn't even have money on Coinbase, but the first reset email I got was from Coinbase. That's definitely the one
that hackers are going for immediately when they SIM swap. Yeah. I don't know why Coinbase
still even offers that. As soon as SIM swapping started to become a thing. It was in 2015, I believe, BitGo had SMS options on our
accounts and we completely removed them. We said, you know what, no more SMS. And we wrote a blog
post about it. And here we are five years later, and there's still huge companies that are
protecting money with accounts that can be reset via SIM swapping.
So that is kind of ridiculous.
I can only assume that Coinbase like evaluated the risks versus I guess how
much trouble it would be. And they're like, well, you know,
we'll have like 0.0 whatever percent of our users get hacked and lose
everything, but everybody else should be fine. So, yeah, the exchanges,
security is always a cat and mouse game, right?
It's never over.
I think even Binance lost like, what,
4,000 or 40, I think it was 4,000
of a coin last year.
And the exchanges at least understand the risk
better and they keep the vast majority of their funds in cold storage. So I do believe we're
going to continue to see exchanges, hot wallets get hacked. But if this is a risk that any exchange
needs to take into account and basically have insurance fund for, right?
So you understand that over a long enough timeframe, there's probably going to be an
exploit and you just want to make sure that that risk is compartmentalized and that you can
essentially pay out on that catastrophe so that none of your users get directly affected.
Yeah. I know it's at the point on Binance,
at least for a consumer,
where you can have an encrypted email,
a ProtonMail account,
and to be able to withdraw funds,
you need to press your Yubico,
use a 2FA code,
and also do an email code.
So that's a lot more than I remember from before.
But like you said,
the exchange can still get hacked
and your funds can disappear. So that's just a matter of someone hacking your individual
account as opposed to the exchange itself. I just tweeted out, I think yesterday,
maybe the day before, a picture of the Gox Yubikeys. They were branded for higher volume
traders. And there were 8,000 or so users who had those.
And I don't think that YubiKey helped them at all when it came down to it.
Right. Because if it's the exchange and I mean, yeah, that's from the other side, unfortunately.
So and just to get back to it, like at a very basic level, what should people be doing sensibly? Is it VPN? Is
it to get to a hardware wallet? And at what point do you have enough, I guess, it's person to person,
but accumulated wealth or accumulated Bitcoin that you really need to start considering multi-sig?
Yeah. So this is the other tricky thing about security. And it's actually one of the reasons
why we also have a high level of client services for our premium tiers is because security is not
a one size fits all thing. It's like everybody has their own particular threat model they're
worried about, their own family and friends situation. We have clients who are globetrotters and they don't stay
in one place for more than a month or two. Everybody has different variables that have
to go into consideration for their own setup. So it's not possible for me to say, if you have more
than X amount of this, then you need this setup.
But rather, the easiest way that I try to describe it to people is, you need to have an order of magnitude more security than you think you need. And by that, I mean, if you have $1,000 in crypto,
then you should act like it's $10,000 and secure it appropriately. If you have a hundred thousand, you should act like it's a million and so on.
And, you know,
that is going to lead different people to different conclusions and the really
tough thing about security,
especially when we're talking about like the different loss vectors due to
mistakes or natural disaster or whatever,
is that I think people have a hard time
doing the like mental math of how likely it actually is. Like it's the default human, uh,
condition to say, Oh, I'm doing fine now. Uh, nothing's going to happen to me.
It's been a good example of that for people. Right.
Right? And, you know, and I think, you know, that is probably why a lot of governments have mandatory
insurance requirements. You know, if you're going to get on the road or whatever, you have to have
insurance for these things, even though it's probably never going to happen to you. They
know that it's going to happen to somebody. And so we can't, you know, we can't mandate insurance. We
can't mandate high security for anyone in the space. All we can hope is that sort of organically
over time, the sort of attack and defense story will continue to force people to understand
that if they're not in a good position, they're going to
lose everything. But that's more of a macro perspective. At the micro perspective, if you
end up losing everything, then you're probably not going to get back into the game, or at least not
at any substantial level that you then need the same amount of security that you needed before because you're no longer that big of a target. So putting numbers on things is hard. It's something where you say, trying to remember the exact thing,
but it's like a penny is worth a,
an ounce of prevention is worth a pound of,
of solution or whatever.
I'm sure I'm screwing that up.
But the point being that it's,
it's better to put in a little bit of effort upfront than it is to have a
huge catastrophe on your hands.
Yeah. It's the old argument is like, well, why am I going to buy a hundred dollar wallet if I
only have $150 in crypto? Because you believe it's going to be worth the 1500, like you said,
or 15,000 or 150,000. I'm curious after going through all of this, I mean, there's very few
people who are doxxed in this space who are not anonymous. I mean, do you regret not just throwing up an avatar on Twitter and a fake name and going about life that way?
I mean...
No.
And the main reason for that is that it allows me to do in-person events. And while that's been less of an issue this year If I feel that it's mission accomplished and
I don't have much more to contribute, then there's not much point in me continuing to expose myself.
So that is a long-term goal of mine is the final step of privacy is to really wipe myself off the internet.
In fact, like that would have been the easy thing for me to do after I was attacked is that I could
have just deleted all my accounts and shut up, stop making myself a target. But I took the hard
path because I still feel motivated enough that I need to contribute publicly.
And I need to use the reputation that I have built over many years to continue to try to
educate people and bring more people into the space because we're not there yet. The network
effect is not yet strong enough that we are going to achieve world domination.
So you're doing it for everyone else. I mean, at the end of the day, it's a public service. It's pretty cool. I know we
touched on Coinbase before, and I know we're going to run out of time pretty soon. But I'm
curious as to your take on the recent controversy with Brian Armstrong and politics in the workplace,
because I know that you obviously are a self-described libertarian and that they're kind of the biggest name in this space. And it's been big news. So
I'm curious how you feel about it. It's weird, right? Because
keeping track of like the social justice warriors and then the whatever you want to call them anti-SJW folks
I've actually started like getting annoyed by everyone is basically anyone who gets triggered
by stuff is like there are better ways to go about trying to achieve your goals.
And, um, admittedly, I say a lot of things that trigger a lot of people too, but that's also just
kind of like my marketing goal is, you know, that's how you get engagement, right? Is that
you say and do controversial things. And, um, you know, from a company perspective, because I've been running a
company for several years now, I completely understand Brian's point that he doesn't want
people wasting cycles arguing about politics when they could be working on Coinbase goals or whatever. At Casa, we don't have anything like that. I mean,
we have a chat room called Random where you're free to put whatever the hell you want in there.
But we have not really had anything devolve into political arguments or anything. So I haven't
directly had to deal with that. Of course, we're a much, much smaller company and I'm sure not as diverse as Coinbase.
So ultimately, it's up to the executives of any company
to decide because they are at the top of the pyramid.
This is a hierarchical command and control structure
within traditional companies.
So he's the dictator, like it or not. He gets to decide what people do because he's the one
paying them. I don't think it's like a freedom of speech issue or whatever, because this is a
voluntary agreement between the employees and the employers. And at any time, an employer can say, you know,
if you don't agree to these conditions, you know, at least in America, most states are at
will employment and you can get terminated for any select few reasons. So I felt that, you know,
his, what is it, four to six months of severance and seven-year option exercise was extremely going to IPO soon. And so there might be
a huge payoff for them to just shut up and go with the flow until they can exit.
So on the one hand, there's my beliefs, but then on the other hand, that heavy scale of
future earnings, basically. So last question, do you have any idea or ideas who Satoshi is?
Uh, there have been so many theories over the years. Um, there's no concrete ones that I land
on. Um, I am a hundred percent convinced that it's not Craig Wright and I've written extensively on that point.
But, you know, I've, I've heard theories, everything from, it was a, an elderly woman at the NSA to,
it was some like Asian teenager whiz kid.
Personally, my favorite and,
and what I hope is that it's actually an AI from the future that
sent itself back to create its own monetary system that it'll use to take over the world
when the time is right. Skynet.
But I don't really care, of course, who Satoshi is.
I do care about Satoshi's motivations.
And so I have been doing some more research over the past year
into the Patoshi pattern and early possible Satoshi mining stuff.
I do find that interesting.
If you've been reading any of Sergio Lerner's writings,
it's really technical stuff,
but what it seems to be pointing to is more and more evidence that
Satoshi's early mining was not done out of greed, but was in fact done just to keep the Bitcoin network alive as it
was bootstrapping. There's actually reason to believe that Satoshi mined purposefully slower
than they could have. And they were just trying to keep the heartbeat of blocks going at a fairly
predictable pace until enough other miners came on board. And then they
slowly ramped down their own hash power. So I think that that is interesting because it provides
some evidence that perhaps Satoshi is not planning on spending those early Bitcoin. Whether or not they kept them, who knows?
But it seems like they certainly were not in it to try to enrich themselves.
Yeah. It'd be nice to believe that actually believed everything in the white paper and
was more of an altruistic, earth-shattering technology than a get-rich-quick scheme.
Certainly. So where can everybody follow you guys?
Check out what Casa is doing most importantly and, you know,
consider your services and follow you personally after this.
Yeah.
You can learn all about Casa at keys.casa.
It's keys.c-a-s-a.
And on Twitter, I'm Lopp, L-O-P-P. And Casa's Twitter is CasaHODL.
Yeah, dude, having a four-letter Twitter name is epic. There's like value. There's a lot of value
in that. I wish I had one of those. I got in early on the Twitter game too,
but I haven't gotten any tokens from that. I think I was ahead of Bitcoin on Twitter,
actually. I think I was like 2008 or 2009 on Twitter. It's crazy that it's been that long.
Well, thank you, man, so much. I really appreciate it. I think there's a lot of
really good information here that people hopefully will take seriously and start to consider
privacy and security because I still think that most people don't. I think they just
think it's like their Schwab account or something and they're just gonna buy a little Bitcoin and whatever. And even beyond crypto, just,
you know, protecting your, protecting yourself.
Unfortunately, yes. Uh, you know, this is the
privacy versus convenience issue where we seem to be trending towards convenience and away from privacy. So it's more work, but I honestly believe that
putting the work in upfront is going to pay off over the long run.
Awesome, man. Well, I hope you don't go completely dark before we get to
have a follow-up conversation down the road. Thanks again for being here.
Thanks.