Unchained - Famed White Hat Hacker Samczsun on How to Improve Crypto Security - Ep. 613
Episode Date: February 27, 2024

Well-known white hat hacker and head of security at Paradigm samczsun recently took the wraps off a new security organization called the Security Alliance (SEAL) that offers a 911 hotline for immediate response to security threats, runs war games to simulate potential security incidents, and provides a safe harbor agreement to protect white hat hackers from legal liabilities. He joined Unchained to discuss why he and his fellow white hat hackers decided to start the Security Alliance and how it operates, how the safe harbor agreement works, the measures he takes to maintain his anonymity and why, the top security measures people in crypto should take to protect themselves, and what attack areas in crypto Sam still considers “scary.”

Show highlights:
- How samczsun got into white hat hacking
- The most memorable saves and rescues sam was able to perform
- Whether there's a reason why sam is so good at noticing bugs in crypto
- The origin of his samczsun handle
- What the Security Alliance is and why it was formed
- How SEAL would approach a bug or a hack
- Whether black hat hackers are trying to exploit open groups
- Why the work in the group is volunteered, not paid, and whether that's sustainable
- How the SEAL War Games help in training on how to respond to an incident in Web3
- What the Safe Harbor Agreement is and what it aims to accomplish for white hat hackers
- How sam protects his identity and whether his coworkers know what he looks like
- The top security measures people working in crypto should take
- How projects should approach the audit for their smart contracts given it's an expensive endeavor
- What attack vectors still scare sam

What is ‘White Hat Hacking’?
White hat hacking, often referred to as ethical hacking, is a cybersecurity practice where skilled computer experts use their knowledge for good, employing the same methods as malicious hackers (black hat hackers) but with a significant difference: they do so with permission and for a constructive purpose. These ethical hackers identify vulnerabilities in computer systems, networks, or applications before malicious attackers can exploit them. By detecting and resolving these security weaknesses, white hat hackers help organizations strengthen their defenses against cyber threats.

Thank you to our sponsors!
- Popcorn Network
- Polkadot

Guest: Samczsun, CEO of Security Alliance (SEAL) and Head of Security at Paradigm

Previous appearances on Unchained:
- The Chopping Block: Top White Hat Hacker Samczsun Discusses the State of Crypto Security

Links
- Introducing the Security Alliance
- Bloomberg: Paradigm’s Famed ‘White-Hat’ Hacker Unites Peers Against Crypto Attacks
- White Hat Safe Harbor [Github]
- Chainalysis: Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises
- sam’s tweet on security practices
- Halborn: Explained: The Nomad Hack (August 2022)
Transcript
But I also knew that this effort would be, you know, a massive undertaking.
This isn't, we're not talking about let's write a single blog post and sort of do a call to action and then be done with it.
This is like, you know, a massive change in the way that we think about how to do incident response.
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto.
I'm your host, Laura Shin, author of The Cryptopians. I started covering crypto eight years ago and, as a senior editor at Forbes, was the first mainstream media reporter to cover cryptocurrency full-time. This is the February 27th, 2024 episode of Unchained.
Polkadot is a leading layer-0 blockchain with over 2,000 developers, and the Polkadot 2.0 upgrade will be a massive accelerator for the ecosystem, making it faster, more secure, and adaptable. Perfect for GameFi and DeFi to build, grow, and scale. Join the community at Polkadot.network slash ecosystem slash community.
Streamline your DeFi with VaultCraft, the ultimate on-chain toolkit for deploying custom automated DeFi products on any EVM chain. Join VaultCraft's referral program, unite with the community, and supercharge your crypto. Details on VaultCraft.io.
Today's guest is samczsun, CEO of Security Alliance, aka SEAL, and Head of Security at Paradigm. Welcome, Sam. Hi. Let's start with your history in crypto.
You are a famed white hat hacker.
And now, you know, as we mentioned, you have launched this new organization.
But tell us your origin story.
Yeah.
So I got into crypto.
It feels like quite a few years ago.
The long and short of it is basically a friend knew that I was into security and had been nagging me about what we now know are the Parity multisig hacks.
At the time, of course, I didn't know anything about it.
And I sort of just brushed them off for months on end. I was like, I've got better things to do than this cryptocurrency nonsense.
You know, thanks for letting me know, but I'm going to just keep doing my thing.
And eventually one day, you know, as we all do, I was just sitting there watching YouTube.
I wish I could tell you specifically what video I was watching, but that, you know, will be lost forever to the sands of time and the YouTube employees who are watching my account.
But I was watching YouTube and I was like, I'm being so unproductive right now.
I'm, like, slouched in my chair.
There's got to be something better I could be doing.
And then I thought, well, hey, let's just look into this cryptocurrency thing.
In the worst case, you know, we spend a few hours and wait, we waste some time.
But in the best case, we might learn something new.
And it turns out that, you know, over the past couple years, I've learned so many new things in the space.
And it's been such a wonderful journey.
And so before that, you say that you were interested in security.
But why in particular have you taken the path of white hat hacking?
That's a really good question.
I think it's probably largely how I was raised. Specifically how, I'm not quite sure, but ever since I was young, this idea of, you know, doing the right thing and sort of, I wouldn't go so far as to call it justice, because I think in the real world we're not living in some sort of superhero film, but I've always had a very stubborn, you know, sense of right and wrong, sometimes to the frustration of people I work with. And so I think it was pretty natural to translate that to sort of trying to do my best for what I think is right for crypto, in crypto security.
And so how did you come to be known for the rescues that you have been doing?
And then how did that translate into a job at Paradigm?
Well, I think what happened there was basically I had started with finding these critical bugs.
And of course, when you first start, no one knows who you are.
And so you have to sort of convince them that you're not just one of the spammers reporting fake bugs. And then once you build some reputation, then people want to work with you and they want to share your advice and they want to make sure that they're doing the right thing when they're faced with these critical bugs. And so slowly you just get looped into more and more of these rescue situations where, I mean, it sort of is that, it's a flywheel effect that all of us venture capitalists love to talk about. And eventually, I guess, you know, I landed on Paradigm's radar. Yeah, I'm not, I'm not sure what specifically must have caught their attention, but something did. And then they reached out, I think around the same time that they hired Georgios, and it was all just Paradigm from there.
And so of those early saves and rescues that you did, like what are some of the more memorable
ones? I mean, I have to talk about the Dark Forest one. That one's a two-parter, right?
The first part was when Dan Robinson, the head of research, and Georgios again, CTO of Paradigm, when they reached out about this very small amount by today's standards.
I think it was less than 50K.
But there was some of the other tokens that were stuck in a Uniswap V2 pool where anyone could burn the tokens and redeem the underlying collateral.
And I remember telling them that I had seen these generic frontrunners, as we now call them, lurking in the mempool.
And so they should really be careful.
And I think under time pressure and other circumstances, you know, obviously the rescue didn't work out.
But that sort of set the stage for the famous Ethereum is a Dark Forest post, which I think, you know, in hindsight, it was worth it.
And then a few months later, I followed up with that, with Escaping the Dark Forest.
And that was, you know, by far, one of the most stressful rescue situations I'd been in.
I think if I recall correctly, it was a combination of the team being anonymous.
So it was very hard for us to confirm who we should even disclose to in the first place.
The bug being so wide open in the sense that there really weren't many requirements necessary.
You didn't need to have a lot of collateral.
You didn't need to have any sort of special insights.
It was just sort of sitting right there in the open.
And also the amount being, you know, I think it was around $10 billion, which is at the time, again, a very, very important, high, a very high number, right? It's all of these things together just made that one of the most memorable war rooms for me, I think. And so at that time when you were like less well known,
when you would reach out to people in that kind of situation, like, did they take you seriously?
What was it like trying to do this when you were not well known? I think before my 0x bug, I definitely had some trouble connecting with people. And in Web 2, it's so much more different because the bug bounty space is just so competitive and also so filled with low quality reports that it is now hard to reach certain companies at times. But, you know, I'm not going to pretend that I've had it, you know, as rough as a lot of other people in the space because I did sort of, you know, start off with just this very high-severity bug in 0x.
And so, you know, right off the bat, I think my public debut was one where people were like,
this guy knows what he's doing. And, you know, if he DMs us, we should have a listen.
So how do you monitor for vulnerabilities? I heard you say on another podcast that you have alerts set up.
Like, are there particular websites where you set that up? Or like, how are you running nodes? Or how do you do that monitoring?
That was a while ago. The landscape has really changed over time.
I remember back a few years ago when I could feasibly sort of monitor the entire space for myself.
I could sort of watch all the new deployments, watch all the new contracts being verified,
and have a really good grasp of what was happening across the entire ecosystem.
Nowadays, that's very much not the case.
Today, just the fact that there's multiple L1s and alternatives today is a major departure from previously where it is mainly just Ethereum activity.
And so to answer your question, I actually don't do much monitoring myself anymore. I leave it to the companies that were spun up specifically for that purpose and, you know, the countless amounts of inbound requests that I, actually, maybe a good tangent or a good redirect, but, you know, previously I used to get all these DMs from people, you know, asking me for help about their smart contracts getting hacked or their wallets getting drained or some other security question. And, you know, I knew that a lot of my friends could also answer these questions or help if I wasn't available.
But it's hard getting the word out that, you know, hey, instead of Sam, here's the list of 30 other people you should try if he doesn't respond.
That's not very good.
It's not very ergonomic.
And so that was one of the motivations behind SEAL 911, which actually today now does handle quite a lot of these cases that normally would have landed in my DMs.
And of course, I still jump in and help, but it's been a great way to load balance, you know, the deluge of incidents across all these people who are equally capable.
Okay, yeah, we'll talk about that in a moment.
I do want to ask you a little bit more about how you work.
One thing that I was wondering is why you,
why do you think that you're so good at recognizing vulnerabilities?
Like, is there something about your personality that you think allows you to see
things that others can't see or think of things other people haven't thought of?
I mean, I think part of it must be intrinsic.
because I'm not quite sure
and I've asked myself this numerous times
I'm not quite sure
how I would teach someone
to find security vulnerabilities
beyond walking them through
a list of things to check for
so I think there is something intrinsic
about being able to reason
through these complex scenarios
and to come up with these scenarios right
to figure out what potential attack vectors are.
At the same time, I do think it's necessary to essentially credit luck a bit in this.
I think way too many times people try to pass off, you know, being lucky in the right place at the right time, and happening to read over the right file in the right function and noticing a bug with, you know, skill.
And I think it is necessary to disclaim that, you know, part of it is being able to reason through these issues. But part of it is also being early at the codebase or hitting upon the right file or other circumstances like that.
And before you were hired at Paradigm,
how were you making money from these exploits?
Or, sorry, catching the exploits.
I was going to say, I don't exploit
things here.
I'm good. Yeah, before I joined
Paradigm, I was working at Trail of Bits, and so I was both getting paid there and also, you know, much more active in the bug bounty scene.
And so, you know, if you found a critical bug, you would get 50, 100K or so.
And so, you know, to be clear, like, very good money for both at the time and also for like the average person, right?
So no complaints.
All right.
So I asked on X, formerly known as Twitter, what I should ask you.
And some people told me to ask you if you were going to change your handle.
Because Sam, meaning Sam Bankman-Fried, and CZ are no longer a big part of crypto.
Actually, we'll put a question mark on the CZ bit.
So that made me think, oh, do I not know that his name is based on some mashup of
Sam Bankman-Fried's name and CZ's name?
And then, you know, I would assume the Sun is like Justin Sun.
But I actually don't know that that is the origin of your name.
So is that the origin of your handle or does it have nothing to do with those three people?
Well, you know, the magic does become dispelled if I reveal its origins.
That's what I was told by the wizard who granted me these powers.
And so I don't think I can say, but if anyone has suggestions for what I should change my handle to, I guess, DM me?
I was going to say, like, to be clear, my handle wasn't necessarily based on them. But I do think it is funny how things turned out. And I mean, hey, if I somehow
discovered, you know, like the crypto equivalent of death note, well, one, Lawrence is going to be
very upset that he didn't, you know, somehow discover it first. But, yeah, I mean, whatever it takes
to, you know, do good, I guess. Uh-oh, I've just become an anime protagonist. That's not good.
Okay, okay. Because, yeah, all three of those were sort of like main characters in crypto at different
points. So yeah, it's just interesting that it could be seen as a reference to them. All right. So now
let's talk about your recent big news. You just launched the Security Alliance. Tell us what it is.
Yeah. So we launched the Security Alliance a few, or I guess, you know, a week ago or so. And it's been in the
works for over a year now. The origin story is basically
Well, it really started with the Nomad hack.
And as I mentioned in my thread, it was, yeah, at the time, one of the even more stressful war rooms, mostly because it was very painful sitting there watching these funds get drained and not being able to do anything.
And remind us why it was that people couldn't do anything?
Yes.
So the main reason is basically, you know, for the, for the ones,
white hats, we want to do things by the book. We want to do things correctly. And so, usually what that entails is getting permission and making sure that, you know, you've done all your due diligence and making sure that you're well-prepared for the exploit or for, you know, performing the exploit, but obviously with the intention to return funds. But in the case of the Nomad incident, not only was the war room just super stressful, and to be completely honest, I think, the idea of even asking for permission just totally slipped my mind.
It was so chaotic by the time that, you know, we really understood the bug, but these people had been copy-pasting the payload themselves, that we were sort of already focused on trying to, you know, prevent the bug.
Externally, outside of the war room, a lot of people didn't even have the ability to contact the Nomad team. And so
for them, there was no way they could have gotten permission
in the first place. And so
put together,
it just sort of fed back into
this idea for white hats that, like,
if there's an incident that's happening,
it's probably not in your best interest to get involved,
whether it's because, as before, you
won't get permission from the team, or you can't get permission
from the team, or,
what happens if you try to perform the rescue, but it's your off day or you hit enter too soon or you make some sort of mistake, right? And then now where does the liability fall, right? Is it, like, is it your responsibility because now you're directly involved in losing access to all those funds or, you know, is it a check between you and the team or, like, what happens there, right? And so it's just always been extremely ambiguous for white hats to the
point where I generally don't really consider getting involved directly at all, I almost always
prefer to advise the team, right? I'll tell the team, here's what the bug is, here's what you need
to do next, but I'm not going to hit that button for you. And after the nomad hack, my thought
process was basically, is there any way we can change this? Because it's been years since I started thinking
that way, and it feels like, you know, the ecosystem has moved on. And if we're going to
prevent these sorts of hacks in the future, if we ever arrive at one of these incidents again,
we need more tools to empower the people that know what they're doing and can help save the day.
But I also knew that this effort would be a massive undertaking.
This isn't, we're not talking about let's write a single blog post and sort of do a call to action and then be done with it.
This is like, you know, a massive change in the way that we think about how to do incident response. And, you know, I wanted to make sure that we were doing it right. And I want to make sure that
people were on board with what we were trying to do. And so from there, I've realized that
there's actually a lot of stuff that I wanted to do in this regard where it seems like a really
good idea. And if executed, it would probably do, you know, a huge amount of good for the security
ecosystem, but also required just a lot of collaboration, a lot of sign-on from different parties. And
I realized there was no structure in place to do that.
And so from there, you know, which way is the Security Alliance, which is, yeah, the solution
to all those problems that I just described.
So let's say that the Security Alliance gets pinged for a vulnerability that's been identified.
I guess there's probably two scenarios we could discuss.
One would be that there's a hack that's in action.
I don't know whatever reason, but for some reason, maybe they couldn't take all the funds right away,
but people can see that this is out there. Maybe other people are copying and stealing extra funds.
So how would you handle that? And then the other scenario would be you've identified something.
Nobody seems to know about it yet. You need to move the funds safely. So walk us through how SEAL would approach both of those scenarios.
Yeah. So in the former scenario where someone has identified or is exploiting a bug,
You know, in the previous world before SEAL, that that news would have made it around to a handful of people.
It would have slowly circulated around the security community over time as people remembered other people would reach out to you.
You know, I myself, during incidents, over the course of hours, will be like, ah, wait, here's another person that we should reach out to.
And now all these people are in one room, right?
And so before, that news would have slowly circulated as more and more people were brought into the loop, we would have identified other protocols that might have been at risk.
which, you know, again, is a very slow process.
And we would have resolved the incident.
It just would have been much slower than we would for saying.
Today, when someone reports a critical bug, either one that they discovered or one that's being exploited, through SEAL 911, all the people on the SEAL 911 team see it immediately.
If we remove that delay,
Frantable slowly bringing all the input into a loop.
And one of our first priorities is to identify
which forks of that protocol might be affected.
And, you know, as we slowly resolve more and more incidents,
we refine this workflow so that over time, you know,
we've evolved from actually not prioritizing forks to now, you know, prioritizing forks pretty heavily, making sure that everyone understands the rules of disclosure and that we should keep everything under wraps until we've resolved the incident, you know, refining our incident response playbook, really just making this process much more optimized.
And that's something that we just didn't have before SEAL 911.
And then as for the case where we find a bug entirely,
well, again, before if I find something critical,
my choices are to go to the protocol if I knew who they are,
or if I didn't, you know, DM a handful of people that I trust
and hope that they did.
And again, it's this sort of web of connections that sort of spins out.
And today, I know that everyone in SEAL 911, I know that I can trust.
And actually, that everyone at the Security Alliance I can trust.
And so I can just drop a message in those group chats and ask, hey, does anyone know this
protocol?
Here's some details.
Really just be much more open than I could in other security communities.
We have the mute security telegram, for example, which is where people used to go to drop
these sorts of questions.
But that telegram group has, you know, 2,000 and 3,000 he's going by now.
And it's almost a guarantee that if you drop a message in there, say,
hey, does anyone have a contact at some protocol? That's just the giant strobe light for hackers
to tell and look at that protocol really quickly before the bug gets fixed. Oh, interesting.
So Black Hat hackers are monitoring those groups in order to figure out where they can
exploit a vulnerability and get at it before the white hat hackers remove the funds. Is that what you're saying?
Yeah, the group is public and public access by design because we want to facilitate, you know, people interested in security in having conversations with each other, in discussing, you know, research, discussing latest news, whatever. But as a side effect, it does mean that the group is so big now that it really isn't safe for disclosing or even hinting at potential vulnerabilities in protocols because it's almost guaranteed that there's at least one black hat hacker in there who's just watching and waiting to see if someone is going to make that mistake. And if they do, that's a really clear sign for where they should go to find their next bug, right? And so we want to avoid that.
Okay. So you mentioned the SEAL 911 hotline. So basically, that's this Telegram group. So let's say that I work at some project, and I'm realizing that there's a vulnerability and funds need to be moved or whatever needs to happen in order to prevent that from being exploited. So I contact the 911, SEAL 911,
which is this telegram group. I imagine it pings, you know, some number of people,
How many people are in that group?
How is it structured?
Is it just whoever's up, starts working on it?
And then how do you even vet the members of that?
Yeah.
So let me try to answer as many of those as I remember.
One, how does it ping the group?
The SEAL 911 bot is what meet up people communicate with.
And that bot sends messages into a group chat that we're all in.
The structure is very flat.
In other words, everyone is in the same group chat.
We all see all the tickets.
And it is a first come, first served basis.
And again, keep in mind that everyone here is a volunteer with full-time jobs of their own.
And so sometimes it does take, you know, anywhere from a few minutes to a few hours for someone to respond.
But depending on what you come in with, like if you come in with a critical bug that's being exploited, people will see that and people will respond pretty quickly.
As far as how to vet people.
Oh, sorry.
I guess first, who's in it?
We have a public list of the members on GitHub.
The bot actually links you to it when you are about to open a ticket.
Because one of the things that we really value is transparency and, you know, establishing that higher amount of trust in the system.
And so we want to make sure that people know exactly who is going to be seeing their reports.
And if any of them are people that they're not comfortable sharing with, they know ahead of time.
And as far as vetting for new members, that's a pretty informal process.
It's basically people that I or someone else in the group trust.
And then I haven't had to yet, but I've reserved the right to veto someone if I think that they're just really interested with the, which hasn't happened yet.
But, you know, but.
And how many members are there total that get hit for the SEAL 911 hotline?
We're about 40 people or so currently.
Okay. And then I'm sure there's, well, so you've been live for just, I guess, a really short period. Has anybody called it yet?
We've actually been live since August of last year. Like I said, SEAL has been operating in stealth for over a year now. And so, you know, we've launched SEAL 911 and we've launched SEAL War Games, but we didn't launch the org itself until, you know, a week ago or so.
Over the last couple of months when 911 has been active, we've gotten quite a few tickets. We've managed to save, but maybe not necessarily save, but at least help protocols resolve, you know, their incident from the moment they noticed that they were hacked to they sort of wrapped things up, whether or not they got the funds back.
And of course, we've helped a lot of individual people who were scammed or had their wallets drained.
I think that's actually something that's really underappreciated is stressed.
For a lot of these people, they get scammed or they get drained.
And they feel very helpless, right?
They don't know where to go or what to do.
They're just sort of stuck in their little, you know, they're just very isolated.
And even if we can't get the funds back, I think there's something about being able to talk to another human being about what they just went through and hearing that, you know, at the very least, it wasn't just them, right?
It's a very common thing that happens.
And, you know, someone is on the other line,
on the other end of the line listening,
I think that's still really valuable.
Of course, since SEAL launched,
our volume of tickets is just, you know,
gone up by an order of magnitude.
And so we're still sort of sorting through those new ones
and trying to figure out how to improve our workflow
to adjust for the newfound attention.
And for the hacks that you were able to disrupt or intercept
in the last six months,
are like what number was there in that time period? Like I'm curious how frequent it is that
these kinds of vulnerabilities are caught. Yeah. So a lot of the stuff we find are again observed
by these monitoring companies whose job it is to detect these hacks in flight and or after
they're executed. But understandably, these monitoring companies are not in the business of
intercepting these hacks, right? They might observe it happening. But, you know, as legal entities,
with even more responsibility than the anonymous white hat,
they really can't just go and front run a hack without any sort of, again, permission, right?
And so the answer to your question is, currently we frontrun maybe a handful of hacks, a very small amount, usually from the MEV searchers in our group.
But my hope is that with this white hat safe harbor agreement that we've worked on for the past year, it does empower one of these MEV searchers and maybe even other individuals who have the capability to inges off these hacks to actually go and do it, provided that they have sufficient confidence in their system that they can actually intercept and not make something worse.
Yeah. Honestly, it reminds me of in my book when I wrote about the DAO hack and the White Hat group trying to figure out how to rescue the funds in the DAO that remained vulnerable, there was this one meeting where, like, some of them chickened out because they were like, well, if we're trying to rescue this money, we will also basically do the same exact hack as the hacker did.
And so they waited until they noticed other people trying the same exploit.
And once they noticed that, then they were like, okay, so now we have a clear reason to rescue these funds.
But, yeah, they had this, like, long debate initially because they just really didn't know what would happen.
legally to them. One other thing I was curious about is, you know, you mentioned that all the people
on the SEAL 911 group have other jobs. So do these workers get paid at all? Or, you know, yeah, I don't know how, is it all volunteer or how does compensation work? Yeah, it's all volunteer basis right now. If we get a bounty from someone that we've helped, we split it between all the people that participated. There's no, SEAL doesn't, you know, take a cut of that or anything.
But other than that, it is all volunteer.
I think it was working very well when the volume of tickets was low.
If the volume of tickets continues to be at this new increased rate now that we've gone live,
we might have to either explore bringing more people on the team.
Because I think there are also a lot of people who are genuinely interested in volunteering and providing their time to helping other people.
It's just the number of tickets might be too high for that.
And so we can either bring more people into the loop, or we can explore some way of, you know, maybe hiring a few full-time triagers.
But we haven't gotten that far yet, so only time can tell.
All right.
So in a moment, we're going to talk more about SEAL War Games and the safe harbor agreement, but first a quick word from the sponsors who make this show possible.
Back to my conversation with Sam.
So you've alluded to it earlier in the conversation,
but you talked about how the Security Alliance also has the SEAL War Games.
Tell us what that is.
Yeah.
So like the name suggests, SEAL War Games is designed around the idea of war games,
which is from the Web 2 security world.
And it's basically the practice of doing incident response training, right?
It's simulating what might happen in an incident and running through those worst-case
scenarios and making sure that the people responding know exactly what they're doing,
have gone through the motions, and are prepared for the real thing.
Right. And that's something that we felt was really missing in Web3.
Because for a lot of these protocols, not only do they not have the security engineers on hand
to do this in the first place, but even if they do, they might not have the resources to
dedicate to running one of these things, right? It also is very complicated.
Isaac has spent so much time building out the infrastructure for running war games,
which I'm eternally grateful for.
But it just goes to show how complicated running one of these things is.
Of course, that is the benefit of SEAL operating it, because if an individual protocol runs one of these,
they build all the tooling, they run the exercise, and they're sort of done with it.
Whereas we can run many of these war games, one after the other, and each time we do it,
we can refine our processes, open source actually.
We reuse most of the infrastructure that we built,
and it's just much more efficient.
And do projects hire you for that?
So like all things that SEAL has currently done
and likely will do in the future,
War Games is free, and so there's no,
you know, there's no fee that protocols have to pay,
there's no expectation of payment.
A few of them have talked about
making a donation after the fact,
but, you know, we stress that it's not obligated at all, right?
The goal of SEAL War Games,
like with SEAL in general, is to, you know, improve the overall security posture of the community
and to do it in a way that doesn't, like we, you know, we don't charge a membership fee and we
don't want to charge for any of the things that we do.
Okay. And are there certain types of
situations that you test out?
So currently, we mainly specialize in smart contract advice just because
that's the most prevalent. And so, well, you know, when we write a war game, we do it in
two parts. And so the first part is sitting down with the protocol and doing what's known as a
tabletop exercise. That's where you can basically imagine it as like a security role-playing game,
right, where we would say, hey, let's say hypothetically we do this, what would you do? And the
protocol responds, well, we would do X, Y, Z, and we say, okay, you just did Y, now we follow up with A,
what do you do, right? And we sort of explore on paper how the protocol might respond to various
sorts of incidents. From there, we can take that information and design an actual scenario for them,
one that we think would test the things that the protocol is weak in or needs practice in.
And then we run one hands-on simulation for one scenario, right? And so that's sort of the life cycle
of a war game.
Well, so now let's talk about the White Hat Safe Harbor. This, you know, as you
mentioned is a way to give the white hat hackers who participate in these rescues a way to know that
they're legally covered. And I saw, and you know, maybe this isn't how it would work for all of them,
but I saw like a diagram discussing how this would work. And the first step is that the White Hat
Safe Harbor begins with the DAO creating the legal proposal and then voting to adopt it.
And I wondered for kind of a potentially fast-moving situation like a hack, is there even time for that?
Because some of these DAOs have long voting periods, et cetera.
So I didn't know if that's like set in stone or how you deal with those kinds of situations.
Yeah.
So before we get too deep into anything about the safe harbor agreement, I will just disclaim.
I think it's obvious that I'm not a lawyer.
And so there are questions which I will just opt out of entirely because I can't speak
to the legal side of things.
But on this question, particularly,
the answer is that's actually, you're right,
that a lot of these DAOs have slow voting processes
and take time to adopt proposals.
And so, you know, if the intent was to have a DAO
grant permission on the spot,
then this would be the wrong way to do it.
But part of the goal of the Safe Harbor agreement
is to encourage these protocols
to stop leaving it to the last minute, right?
We want to encourage them to adopt the safe harbor agreement beforehand,
before there's an incident.
Not only does that mean that they've granted permission, you know, not last minute,
but also I hope is the first step towards solving one of the big issues in security today,
which is to say protocols get hacked, the hacker takes all the money,
and now the protocol is negotiating for 90% of the funds back,
with the quote-unquote white hat, right?
And they'll call the 10% a bounty,
or they call it a reward or whatever.
But, you know,
I think most people looking at that situation
can see that it's not quite legitimate.
And I think most security people,
if you ask them whether or not they sort of are happy with what's going on,
they're going to tell you they're not very happy with that state of affairs, right?
So the hope is with the safe harbor agreement,
we remove that need to negotiate in the moment at all
because the protocol will outline ahead of time
exactly what they're willing to pay
for the interception of a hack that is ongoing
or about to proceed, about to start.
And then if the hack does proceed,
well, the terms are there, right?
And so if you do return the funds, great.
If you don't return the funds,
the protocol ideally doesn't bother negotiating
with the hacker at all.
And so can you describe a little bit kind of the basic tenets of the safe harbor, like for White Hats that want to participate in this kind of rescue?
Like what can they be assured of?
Yeah.
So the agreement basically is designed to protect both the protocol and the White Hat against civil liabilities between each other.
Right.
In other words, those who adopt the agreement agree that
if the white hat has taken proper precautions,
has done their due diligence,
I don't remember what the legal term is,
but basically represents themselves
as a competent white hat
who is able to perform these rescues,
then the protocol agrees to give them safe harbor, right?
Because, you know, at the end of the day, we're all human.
And so, in the grand scheme of things,
across, you know, hundreds of thousands of these rescues,
someone is bound to make a mistake at some point and we don't want to discourage white hats from doing anything
just because that one incident might cost them their entire, like, savings.
Apart from that, it also dictates the terms that the protocol, you know, has outlined for the rewards payout.
And so, you know, that means that ahead of time, before the white hat even engages in anything,
they know exactly whether or not the protocol is willing to pay, for example, 10% up to a million dollars, or, you know, 5% up to $2 million.
Or maybe the protocol is saying, we actually don't want to pay anything up front.
We want anyone who is interested in participating in this agreement to return all the funds to us first.
We'll conduct an investigation.
Yeah, we'll perform the incident response.
We need to do KYC because we're based in the U.S.,
and then after all that, we'll send you your reward.
But regardless of what it is, the protocol sets out very clearly what the terms are.
And so the white hat knows ahead of time.
And I guess the other thing is just the white hat is required to, or, you know, not required,
but, you know, ideally would notify the protocol before they present any rescue.
And this is just to make sure the protocol can differentiate between who is a white hat under the agreement
and who is just sort of out there causing chaos, right?
And I think to be clear, the entire legal document is very long.
It's like 45 pages.
And so I've definitely only summarized the very high-level points here. For more information,
listeners should definitely, if possible, review the whole thing, or at least a human-readable summary.
But that is sort of the gist of it, right?
It is to provide safe harbor to these white hats.
And so for this safe harbor, I wondered, is this something that has some,
some analog in Web 2, or are the problems that White Hat hackers in Web 3 face?
Are they sort of unique to Web 3 in some respect?
There is an analog in Web 2.
It is also called Safe Harbor, and it applies in bug bounty programs.
And so what almost every major company in Web2 that has adopted a bug bounty program has said
is if you access our systems, quote unquote, illegally, but you don't cause destructive
damage and you report the bug to us without disclosing to anyone else, then we will offer you
safe harbor by agreeing not to, you know, try to sue you for illegally accessing our systems,
right? And that's sort of necessary these days because the anti-abuse laws in various countries
are so strict against illegal access that theoretically any company that you so much as like
blink towards in the wrong way has a right to sue you. And so this just makes it very
clear that these companies will not sue you if you're doing security research provided you
also report it to them. Obviously, in Web3, things are a little different because the impact
of a security vulnerability is so obvious, right? In Web2, you can get hacked and the public
might not know for months or years. But in Web3, you get hacked, and the public might know
before you do. And so we've had to, you know, adjust the terms of the safe harbor idea a little
bit to accommodate for our industry. And I think that's something that we'll find a lot more in the
future is that as we try to adopt these sort of best practices that Web2 has already, you know,
long been using, the fact that our industry is so unique in some ways means that we have to
make a few changes here and there to make sense basically.
And in December on The Chopping
Block, you said that most reasonable people in crypto have moved on from the notion that code is
law. I still see it, though. And I wondered,
what made you think people moved on from that or why it is that you think that that's
probably not something that either should be the case or is the case?
It's possible that only within my close friend, close group of friends, you know, we sort of
moved on from it. But I do think most of the time on Twitter, when I look at people trying
to promote that idea, most of the people I look up to or, you know, acknowledge or respect
sort of are disagreeing with it.
And I think the reason is because at this point,
you know, we,
the idea behind code is law is
essentially trying to
almost
disclaim responsibility, right?
It's sort of a way to
say, well, it's not my fault.
You know, I can't be held accountable
for the consequences of my actions
because really it's code's fault, right?
It's the developer's fault.
They should have known better when they
started engaging with
a platform like the blockchain, like smart contracts, right?
How dare they not, you know, be perfect human beings and output perfect code,
even though no one up to now has managed to do that.
And I think at this point, we have to acknowledge that humans are not perfect.
And code is law, as I'm familiar with it,
is primarily being used as a way for people to strike out responsibility for their actions, right?
Most of the time, those actions being ones that cause damage to either the protocol
or users.
I think it is true that there are parts of the community that are much more sort of align much
more with the original crypto ethos of like, you know, very cypherpunk, very decentralized.
But I think for the sake of adoption, for the sake of making sure that crypto is actually
usable for people beyond the most technically sophisticated, we can't do code is law
anymore.
That just doesn't work.
So, you know, here we are chatting on this podcast and you're using your avatar.
You even have a voice anonymizer on.
And I wondered generally what all the things are that you do to keep your identity safe.
Yeah, I mean, a lot of it is just good privacy practices in general.
You know, don't reuse passwords.
Don't upload pictures on the internet that you don't have to.
Because, again, those pictures, like the internet never forgets, right?
And some of it is a little more out there.
I have a few virtual mailing addresses that I use that I've bought from different companies.
And so I give those out in lieu of my actual address.
Where possible, I use fake names for things, although it has gotten me banned from a handful of services,
which think that I'm being a fraudster, which is fair.
I've told people, especially close friends or founders, that if they want
advice on how to do
sort of like good opsec, I'm happy to give it to them.
But it really is, I think,
a case-by-case
situation because once you move
beyond the basics, right, which again,
use a password manager,
you know, make sure that you're using,
you're not using SMS 2FA.
If they don't even, you know, call anything,
you know, make sure you're,
make sure you set up 2FA in general,
those kind of things. Once you move on from that,
it really is specific to
your situation. And so, yeah, I mean, there's a lot of things I do. And some of them, I guess,
I also am not that comfortable sharing.
And out of curiosity, do your coworkers at Paradigm know your
real identity? Like, can they recognize you in a crowd?
Yeah, yeah, they can. I thought it would be
too awkward to wear a helmet every day. And so I did meet them in person. Although,
I don't know.
I think it's interesting because anonymity is like a ratchet, right?
It only spins one way.
And so, you know, there are times where I wonder, you know,
what would I feel like if I had gone even more anonymous than I am today?
But for now, this is why not, right?
Where if something why I've been in a person,
I do meet people IRL at times when I know I can trust them.
And then other times, especially when it comes to things that will be sort of stored forever
on the internet. I try very hard to make sure that I have anonymized it in some way.
And why is that? Like, is it because you feel that you've offended or, you know, pissed off
so many Black Hat hackers that they will try to go after you in some fashion?
Well, part of it is just precautionary. Because, yeah, like, even if I don't upset anyone
today, I might upset someone two years into the future. And I would be very disappointed in
myself if someone two years in the future can pull up, you know, some very personal information
about me from today that I hadn't taken the, you know, the efforts to anonymize in some way.
Part of that is also, you know, years ago, when I stopped posting pictures and stopped posting
recordings of myself and things like that, part of my fear was essentially, you know, that
one day it would be possible to take samples of someone's likeness, and then through some algorithm,
you know, generate copies of that. And here we are in 2024, and AI models can do just that, right?
You can feed them a bunch of pictures and they can generate more pictures of that person.
You can feed them a bunch of voice clips and they can generate more voices of that person.
And so in a way, that is one scenario where, you know, like my quote-unquote worst fears have been realized.
You know, am I saying that I'm important enough to justify someone taking all that effort to clone my voice and make me say some really bad things?
I don't think so.
But if ever someone does feel that urge, I feel a little better knowing that the number of clips of me out there, you know, without a voice changer is low enough that I think it should be fairly difficult.
Of course, now that I've invited everyone to try it.
And so I can only expect that, you know, there will be clips of me saying the dumbest things a week from now.
So, you know, given how careful you are with your security and your reputation for finding exploits, you know, it's pretty understandable that maybe sometimes you would get a little bit annoyed that other people don't take the same precautions as you.
And so I did see that in December you tweeted, getting pretty fucking
sick of seeing friends burn out after
dedicating all their time to protecting people
instead of getting rich. And then half the people
on this fucking site can't, which is
Twitter, can't even be bothered to remove
their phone number so they don't end up spreading the next
drainer. And by the way, this again
reminds me of the DAO where
the White Hats spent
most of their waking hours for months
and then made no money because
nobody ever donated to thank them for their
help. But anyway,
so I was curious
is, you know, if you were to call out certain kind of low-hanging fruit security practices
that you think aren't being enough, but aren't being practiced enough in crypto, what would
those be?
I mean, that tweet right there is like the number one low-hanging fruit.
So many Twitter accounts getting hacked, spreading these drainers, those are real people
being affected, right?
And if these projects just take the time to go into the Twitter account,
just make sure that they don't have SMS 2FA on,
that immediately removes any risk of SIM swapping affecting them.
These days, we're also seeing a large volume of these fake Calendly hacks,
which is where someone pretending to be a journalist reaches out to you,
and after sort of setting you up with a bait,
sends you what seems to be a link to Calendly,
but instead of logging in, it says,
authorize with Twitter.
And that authorization involves granting access to
the app to tweet posts on your behalf and do all sorts of other things.
And so there's just a lot of these basic security best practices
from the fake Calendly to like the fake Discord verification
to like the JavaScript bookmarklet.
These are things that are pretty well understood in Web2
that we're just not doing.
And once we sort of get rid of all this low-hanging fruit,
hopefully it'll be much harder for these hackers to steal people's funds.
Of course, they'll keep innovating,
we'll keep innovating in response,
but it does sort of feel like right now
we're letting some of these very bare basics just sort of go untouched.
So instead of SMS 2FA, like a text message being sent to your phone for security,
would you then recommend something more like either a YubiKey or Google Authenticator,
just like something that's not related to your phone?
Yeah, I think anyone in crypto should not be using SMS 2FA for anything.
Just by being in this industry, you are already at higher risk than the average person.
Let's face it, there's hundreds of billions of people out there.
Scammers need to figure out who is the highest value people to target.
Just because you're in crypto, you automatically get sorted into that
high-value group of people.
So, yeah, no one should be using SMS 2FA.
Google Authenticator is good.
Just make sure to turn off the setting
that syncs your backup codes to the cloud.
Because, and again, this is a case by case basis,
but you can imagine hypothetically
someone might have the backup sync enabled
and their Google account is their weak link in security, right?
And so now someone can get access to their Google account
and then retrieve those backup codes
or those authenticator seeds
and suddenly get access to the other accounts again.
YubiKeys are also good, but I actually wouldn't recommend those for the average person, just because it is a bit of a pain to manage.
You know, you have to make sure you have your primary YubiKey and your backup YubiKey in case the primary YubiKey dies,
and then you have to store your backup one in a safe place, except you also need to register it with any new sites that you go to,
because otherwise it's not a good backup.
So it is just a bit of a hassle.
I think app-based authenticators are good enough for most people.
So because auditing smart contracts is expensive, what recommendations would you have for projects that care about security but also are on a budget and maybe can't afford to have an audit very regularly?
That's a really good question.
I mean, I think part of the problem here is basically there are many good resources for developers who want to either do the right thing to prepare themselves, prepare the code base before an audit,
or even independent of the audit,
or to level up and learn more about security, right?
And that's one of the things that I want to try and solve in the future
with SEAL is to provide those resources
so that we can reduce the load bearing factor on auditing
as the primary way to make sure that your code base is secure.
I think the other thing is there are also audit contests, right?
And so those are, I think, typically a little cheaper
than traditional audits.
And so that might be a good way for a project
who wants to get an audit, has some amount of money to spend on an audit, but maybe not enough
for like a tier one auditor, they can consider trying a contest instead.
So, you know, blockchain technology is continuing to develop in so many different ways with
all these layer twos happening. Now layer threes. We're even seeing layer twos on Bitcoin.
Like there's, it's really, you know, we're seeing smart contracts come to Bitcoin. Like, it's kind of
all over the map. And so I wondered
what developments in crypto are making you worried about kind of the potential surface attack area that they create for hackers?
I think bridges are always scary. I think anything that involves an off-chain or two component is scary.
And anything that requires proving or, you know, I think that that, I guess that is an off-chain or interchain component, right?
It's like trying to prove something happened in one place to another place,
because that usually involves a very complex code.
You need to parse the proof.
You need to parse the data.
You need to validate the proof.
And then that proof probably gates some very critical action, right?
Like unlocking a bunch of funds.
And so I think at the end of the day,
I still just basically ended up describing bridges and other bridge-like things.
I think those will get to be really scary for me.
So I imagine that the Security Alliance is just, you know,
one of the initial steps toward a more secure world in crypto.
But I wondered, you know, where you thought this could go, like in 10 or 20 years, what other kind of institutions or standards or, you know, whatever do you think might be implemented that would make crypto even more secure?
I mean, 10 to 20 years out, it's like multiple lifetimes in crypto.
I really don't know if I can think that far ahead.
I think, yeah, on a shorter time horizon, part of the reasoning behind the Security Alliance, like I said earlier, is that a lot of people, you know, myself included, know,
what needs to happen
whether it's a safe harbor
or the war games
or anything else, these are things
that people in Web2
have sort of developed over
the past decades, right?
They have so many more years
of experience on us and
as just like a
like a tasty off wine,
I think we should just start adopting
as many of those best practices as we can
right? And so what
I really want to focus on with the Security Alliance right now is just let's bring the bar up, right?
We have so many good things we can take inspiration or straight up copy from in Web2 that we just
haven't done, and mostly because it takes a lot of effort to organize adopting those things. It takes a lot
of effort to get the ball rolling, and I'm hopeful that the Security Alliance is the way to get that,
to get that process started.
All right, Sam. Well, this has been a fascinating discussion. Is there
anything I have not asked you that you think listeners should know?
No, you
really hit, you really hit all the, all the topics.
All right. Well, thank you so much. Where can people learn more about you and the Security Alliance?
Yeah. To learn more about the Security Alliance, we have a website, securityalliance.org,
where we have some information about the initiatives that we've released. If you have any other
questions beyond that, I'm always available on Telegram at samczsun.
Perfect. Well, it's been a pleasure having you on Unchained.
Thank you.
Thanks so much for joining us today. To learn more about Sam and the
Security Alliance, check out the show notes for this episode. Unchained is produced by me, Laura Shin,
with help from Nelson Wong, Matt Pilchard, Juan Navanavich, Megan Gavis, Shashonk, and Market
Curia. Thanks for listening. Unchained is now a part of the CoinDesk Podcast Network. For the latest
in digital assets, check out Markets Daily five days a week with host Noel Atchison. Follow the
CoinDesk Podcast Network for some of the best shows in crypto.
