Unchained - Paul Walsh of MetaCert on How Not to Get Scammed Out of Your Crypto

Episode Date: April 24, 2018

Paul Walsh had long ago predicted that internet scams would migrate from email to private messaging platforms, but it wasn't until crypto mania took off that his thesis was proved right -- in a big way. In the summer of 2017, the founder and CEO of MetaCert discovered many crypto Slack channels were being overrun by scammers capitalizing on FOMO to get people to inadvertently give them their ether and other tokens. Now, the company has several products to help prevent crypto enthusiasts from being scammed, and it is also decentralizing its work so the whole world can help classify bad links and prevent others from being scammed. In this talk, he describes how the scams work, how MetaCert tries to keep people from falling victim, and how best you can protect your own crypto.

MetaCert the company: https://metacert.com
MetaCert the protocol: http://metacertprotocol.com/
Story on phone hijackings: https://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#7125f2f738ba
Link to episode where Mike Belshe and I discuss physical crimes against crypto people: http://unchainedpodcast.co/mike-belshe-on-what-bitgos-kingdom-trust-acquisition-means-for-crypto-and-how-security-will-develop-in-the-future

Thank you to our sponsors!
Bitwise: https://www.bitwiseinvestments.com/unchained
Keepkey: https://www.keepkey.com
Preciate: https://preciate.org, which is taking suggestions for new people to appreciate at https://preciate.org/recognize

Transcript
Starting point is 00:00:01 Hi everyone, welcome to Unchained, the podcast where we hear from innovators, pioneers, and thought leaders in the world of blockchain and cryptocurrency. I'm your host, Laura Shin. If you've been enjoying Unchained, pop into iTunes to give us a top rating or review that helps other listeners find this show. And be sure to follow me on Twitter at Laura Shin. Unchained is sponsored by Preciate. Founded by Ed Stevens, Preciate is building the most valuable relationships on Earth. In each episode of Unchained, Preciate sponsors the recognition of an individual or group in crypto for an achievement.
Starting point is 00:00:35 Who in crypto will be recognized today? Stay tuned to find out. This episode is brought to you by Bitwise. Last year, Bitwise created the world's first cryptocurrency index fund. The Bitwise Hold 10, which holds the top 10 cryptocurrencies and rebalances monthly. The fund has several hundred LPs and is currently accepting accredited investors. To learn more and invest in the Bitwise Cryptocurrency Index Fund, visit www.bitwiseinvestments.com slash unchained.
Starting point is 00:01:07 Today's episode is brought to you by KeepKey, the easy, safe, and simple way to protect your Bitcoin, Ether, Litecoin, and many other digital assets. There's no time like the present to protect yourself from hackers, malware, and viruses. Rest easy knowing that your digital assets are protected. Visit KeepKey.com to order your secure hardware wallet today. Today's guest is Paul Walsh, the founder and CEO of crypto company MetaCert. Should I call it a crypto security company? Oh, that's okay. Security company in the
Starting point is 00:01:37 crypto world, security company, it's all good. Well, welcome to the show, Paul. Thank you. Pleasure to be here. So what is the problem in crypto that you're trying to solve? Cybersecurity in its widest sense, but very specifically where I see a world where you feel safe opening a link. So how do you know that bot is not a malicious bot? How do you know the application is not malware? How do you know the website is not a phishing site? And how do you know that the website really is owned by Laura Shin? How do you know the Twitter account is not a fake account or a malicious bot also?
Starting point is 00:02:15 And how do you know the website is not going to mine Monero cryptocurrency by hijacking your CPU through your computer or your mobile device? So these are all the kinds of questions that people ask themselves every day before opening a link. Or unfortunately, for some people, after they've opened the link. And so what MetaCert does is it has a cyber threat intelligence system, which is basically a massive database of the World Wide Web split into 65 categories. And the categories that we care most about are websites and URIs to Twitter accounts
Starting point is 00:02:50 and other social media accounts. We care about whether they're classified as malware, phishing, triple X, crypto mining, and so on. And what's a URI? I know what a URL is, but I don't know what a URI is. So a URI is a link and a URL is a type of URI. So a URI, the last bit just stands for identifier. So a URI could be when you're inside a Twitter application, you click on a link and it opens up the Facebook application. So that's called a deep link in the iOS world,
Starting point is 00:03:25 but it's also called a URI. A URI could also be a MAC address or an IP address or other type of link that you would open up without thinking about it. So a URL goes to a web page, whereas other types of URIs could go to other kind of applications and bots or IoT devices or an API. Sorry, I get used to using the term URI. We can say URL to keep things simple, even if it does mean it restricts the kind of links that we talk about. No, no, no, that's fine now that we've defined it. But and keep going, you were saying something more about, you know, how you define these, divide, categorize these URIs, et cetera.
Starting point is 00:04:07 Not all security companies have their own threat intelligence system. Only a few of the security companies have them. The other security companies would license the data owned by the security companies that do have them. And MetaCert just happens to be the world's most advanced classification platform with the world's biggest database of classified content. And to put the numbers into perspective, OpenDNS, which is a very respectable DNS service, which protects people from malicious links,
Starting point is 00:04:39 they've categorized just over 2 million domain names into 65 categories. And MetaCert has categorized over 7 million unique domain names just for pornography alone. And then, you know, more than 60 categories on top of that. So that's at the heart of MetaCert as a security company is that cyber threat intelligence system. And then we have a number of security products that people use to protect themselves or their communities from malicious attacks. So one good example specifically within the crypto world is we have a security application for Slack. We recently launched a security bot for Telegram,
Starting point is 00:05:21 and we have a number of browser extensions. So in 2017, phishing inside Slack was an extremely serious problem for most crypto communities. And very quickly, they installed our security application, and it was almost like turning off a tap in that it significantly reduced the number of phishing right across the industry, in fact.
Starting point is 00:05:44 For the communities that installed the application, it was like turning off a tap, literally. But at the time, before some communities got a chance to install our application, they started to migrate to Telegram, where there were no phishing scams. And at the time I predicted and said, look, guys, either stay inside Slack and install MetaCert or when you go to Telegram at some point, you will become a phishing target because the bad guys will move to the platform of least resistance. And now in 2018, we're finding that, you know, we don't read about phishing inside Slack anymore. And
Starting point is 00:06:20 now we're reading about it inside Telegram and other platforms. So more recently, we launched a bot for Telegram. And what it does is it takes about three seconds to install for a group administrator. And then it listens in the background to every link posted to the group. And it doesn't do anything until it finds a phishing link. And then as soon as it spots that, it sends an alert to the group to say, hey, beware, don't click on the link. That's a phishing link.
Starting point is 00:06:47 And then people are less likely to fall for a phishing scam. And then the browser extensions are actually twofold. One is to add a utility. And the second was a social experiment. And the utility is you install the extension for Firefox or Chrome. And it does two things. It blocks phishing websites and also fake social media accounts. But then the most important thing is it actually turns our shield from black to green whenever you visit a verified
Starting point is 00:07:20 crypto website or social media account because the problem is that consumers are looking for the green padlock in the toolbar of the browser and unfortunately they're falling for phishing scams because there are certain companies that issue those SSL certificates for free and the process is automated and there's one company in particular that has issued over 20,000 SSL certificates to domain names with the term PayPal and that. And so consumers are falling for phishing scams because they're looking for the green padlock. That is only a measure of encryption. It's not a measure for trust or authenticity or domain name ownership. And so by installing our browser extension Cryptonite, whenever you
Starting point is 00:08:09 visit a crypto website, the shield will turn from black to green so that even if there are new phishing websites out, you'll know that you're on a safe website or even a safe social media account, whether it's Twitter, LinkedIn, Facebook, GitHub. You know when it's green, you're safe. And the reason that was a social experiment was because we wanted to see if people would really rely on that shield instead of certificates, and they are. Not only are users coming to us asking about specific websites that are not verified, we now also have exchanges and wallets from around the world coming to us asking to be verified because their community members are not logging into their website because of the shield staying black.
Starting point is 00:08:55 And that kind of leads me on to where MetaCert is heading, which is we're moving that entire cyber threat intelligence system to the blockchain. And that was a decision we didn't make lightly. It took us probably at least six months to make that decision last year. In 2017, people would come to us and say, why don't you decentralize MetaCert? Why don't you decentralize your database? Why is it centralized?
Starting point is 00:09:24 Why should we trust MetaCert as a security company? Why should we trust McAfee or Symantec or VeriSign? And some people were nice about it, helpful, saying, hey, dude, we think this is an amazing idea. What do you think? And then other people who are kind of more right-wing, open-source extremists who think everything should be free and everybody should use open-source no matter
Starting point is 00:09:49 what the repercussions are. And so we thought about it over a period of about six months. We engaged with community critics and got their feedback. And then we came to the conclusion that actually we need to move this entire system and open it up on a new kind of protocol, decentralized trust and reputation for the web. And the reason we thought it was a good idea was because we couldn't possibly scale the verification of every crypto site and social media account and then scale that to the web beyond crypto. There's no way we could. And, you know,
Starting point is 00:10:24 VeriSign or Symantec couldn't possibly scale that either. And so by opening it up on a blockchain, introducing a reputation score and a token that incentivizes good behavior, it's actually possible because I've been around the web since the 90s when I worked at AOL. And I was part of the team that launched technologies like AOL Instant Messenger, 56K modem speed, and a bunch of other technologies. And I built my first website in 1996. And between then and now, it hasn't really been possible to crowdsource trust and reputation, particularly if you want to classify websites for phishing, because how do I know Laura Shin isn't submitting this website as a phishing site, when in fact it could be a competitor of hers. So kind of get that
Starting point is 00:11:16 right has been difficult to impossible. There are some open source lists out there that do okay, but they're not fantastic. And by being able to use the Ethereum blockchain and a reputation score, which is based on, you know, how many websites or accounts have you submitted, how many of those were accepted, how many were not accepted by the community. And then by offering a token, we can then incentivize and reward people to add to that database. And to kind of just finish off on that point, imagine a world where you're using either Cryptonite or parental control application or an extension that highlights fake news. Imagine if you could submit or validate websites or social media accounts or bots or applications
Starting point is 00:12:05 that end up being used by those tools to improve the protection that you're looking for. And then at the same time, you get paid in tokens. So that's kind of, we have a self-contained economy. This whole thing is extremely fascinating. And you just said so many things and I have so many additional questions. I actually want to go back a little bit because I started asking you what problem it is in crypto that you're trying to solve. And you listed a whole bunch of problems. You know, it's like the phishing links, the fake accounts on social media, just whether or not URLs for wallets and exchanges are legit,
Starting point is 00:12:44 things like that. Do you have any stats on how big the problem in general of security and crypto or fake accounts and security or fake accounts and crypto is or fake URIs? Oh, I should have written this down because I've written about it so many times in Medium. I believe the latest report from Ernst and Young was about $150 million a month being lost through phishing, but I would have to double check on that. So it is significant. We hear about hacks in the industry all of the time because they are big ticket items, they're big headline items. But actually, the number one problem within the crypto world is phishing scams because it's less money, but more people losing it.
Starting point is 00:13:27 And some of the hacks actually start with a phishing scam, but you don't hear about the phishing scam. So one example is it's not just the crypto teams themselves that are now a target. It's the suppliers that they use. And now hosting providers are finding themselves on the end
Starting point is 00:14:05 to the legitimate website where when they input the wallet address it's actually going to the wrong place. Oh wow, so you mean like the web hosting company, like if I'm a crypto company and have a website hosted somewhere, then the attacker goes to that company and changes the website through someone who works there? Exactly. I mean, I could summarize the problem that we solve in the crypto world is we help prevent people from losing their money. And we also help crypto teams from reducing the risk of their end users, their communities,
Starting point is 00:14:41 from losing money also. Unfortunately, some crypto teams are better than others. I spoke on a panel recently and then attended a panel after that. And I listened to a couple of people who launched crypto last year. And they just seemed to be very laissez-faire about the fact that their communities lost some money. And they didn't refer to investors or enthusiasts losing their hard-earned money and their savings. they actually refer to those circumstances as lost investment, lost opportunity. And that's not how I look at it.
Starting point is 00:15:18 But most companies aren't like that. So we work with a lot of crypto teams to first of all help them understand how they can reduce the risk of themselves being compromised through social engineering, how they can improve their own personal security, and so that they become less likely to be hacked or social engineered and then also help them understand how to protect their communities. And social engineering is sort of like this way of hacking without actually using fancy computer skills as just getting somebody to believe that you are someone that you are not or something like that. It's like calling up a customer service agent and being like, I'm Paul Walsh,
Starting point is 00:16:03 but it's actually me and convincing them that I am Paul Walsh. And then getting them to do something that gives me your access to your funds. Exactly. You actually wrote, you wrote one of the best articles I've ever read on the subject. And actually, you may not have realized it, but social engineering is the technical term given to one example of your SIM card being hijacked or SIM splitting, as it's called. So not SIM porting to a different network, but it's where somebody pretends to be you, calls your cell network provider like T-Mobile, and then gets a new SIM
Starting point is 00:16:39 card with your phone number and then they'll go to Gmail or another account and do a password reset. And of course, the password reset code is not going to you because your phone number doesn't work anymore. And it goes to them. Yeah, I wrote a huge article on that. And the sad thing is it's still going on. It is, but T-Mobile is doing a lot in that space right now. Thankfully, with AT&T, but not before being taken to court by an individual who believes that they're responsible for it. Oh, interesting. Yeah, recently. I, huh, I know a lot of the victims were thinking about doing a class action lawsuit and I said to them, hey, if you ever, you know,
Starting point is 00:17:22 file this, like you should reach out to me, but they never did. So I, I don't know who that individual is. I guess it's somebody who wasn't in that group. One other thing I just, we actually, sorry, Laura, we actually got a call from the T-Mobile CEO's office shortly after that, because we actually put out a call also, just like you. We wrote a Medium post after that legal case started and said, if anybody wants financial aid to take T-Mobile to court, MetaCert will actually help fund your legal aid. I'm not saying that was a result.
Starting point is 00:17:53 I'm not saying that resulted in them working with AT&T to do a new campaign and change your practices, but hopefully it would have contributed a little bit. Oh, interesting. I don't know if it has any, has that been written about? I feel like somebody should chronicle this because... Some obscure publication, somewhere wrote about it, I believe. Maybe other mainstream did, but I got it through Google Alert.
Starting point is 00:18:17 Oh, interesting. Yeah, if I were still writing, I would jump on that. Because back when I wrote that story, it was a little bit amazing. It was completely clear that they had gotten these calls for months from desperate crypto people and had, like, totally ignored them. And then the second a reporter called, then they like, So when I wrote the story, the person who had most recently had their phone hijacked, who was the first person I found out about. Because I named that person in my query, in my first query to them, that person got their phone number back faster than anybody else ever had. There were people who had been trying to get their phone numbers back for months, months had been completely ignored. Suddenly everybody's cases were going to the president's office and like they were being told, like, call the president directly
Starting point is 00:19:07 I get stuff like that. And like, they were just so scrambling when I wrote that story. It was really kind of crazy to watch. But anyway, I actually wanted to just make a comment earlier, which is that I think that what you are describing here in terms of the problem and how you're going about solving it,
Starting point is 00:19:25 I sort of feel like what the phishers and these scammers are taking advantage of is that there's this moment in time where this phenomenon of crypto, or just the interest in crypto has taken off, but it really requires a shift in how people treat their money, right, in terms of security, because normally we're used to thinking, oh, the bank is going to keep it secure. But in this case, obviously, especially if you're working with this in a decentralized manner, then you are responsible for your private keys. And it really requires that change in behavior. And a lot of people may have gotten in because they want to get rich quick and whatever and they may not be thinking about their security practices. And I feel like, you know, just while we're
Starting point is 00:20:16 making this transition to this new form of money that does require a different mindset, I feel like they know that like, you know, probably the window is only a few years, is going to be open a few years before people realize like, oh, I need to do different things or before there are good solutions to preventing these sort of attacks from succeeding. And MetaCert is a great example of a company that now has pivoted and is helping to fill that need. But actually, then that's the perfect segue to my next question, because you guys did not start out as a crypto-focused company. So how did you get into this business? In 2017, Matt from SingularDTV reached out to me and said, we have this phishing problem in the crypto world, is this something that you can help us address? And at that point in time,
Starting point is 00:21:06 we were simply the number one security company for messaging platforms, because a number of years ago, we predicted that if people are reducing their reliance on email in favor of messaging platforms, such as Slack and HipChat and Skype and Messenger, then it stands to reason that the cyber attacks will migrate from email to messaging platforms. So we focused on that, and we doubled down on that. And we had customers and still have like NTT Security, F5, IBM, Sage, SAP. A lot of
Starting point is 00:21:37 companies install MetaCert to protect their companies when using platforms like Slack and HipChat. And when we looked at the crypto world, I thought, oh my word, we've gone from predicting this is going to be a problem at some point to
Starting point is 00:21:53 the houses are on fire, literally, because at that point, I knew what blockchain and Bitcoin was, of course, but I was not. I'll be totally honest with you. I was not a cryptocurrency enthusiast. I didn't even know what Ethereum was, truth be told. And I was absolutely blown away.
Starting point is 00:22:09 And this was last summer, like the summer 2017? Yep, 2017, just before the summer. And at this point, for example, inside Slack, when you install our security app, it listened to all of the links inside the public channels. Because we didn't think for a second that an attacker would think about or use the incoming Webhook API or direct messages or the Slackbot reminder system. And that's what was happening. So even though we had a great product, we didn't have a product fit for the crypto world. So we doubled down on that for three months because what happened was I remember very specifically
Starting point is 00:22:44 one night, late at night, I was inside a community that invited me in by the team. And I witnessed a number of scams happening live in the channels where people literally were complaining that they just lost all of their life savings. And then I started to get direct messages when they realized that I was in the security world, but MetaCert wasn't installed in there. And I had conversations with one particular guy in Mexico who just lost $20,000. And it was his entire life savings that he invested in this cryptocurrency. And I knew then at that minute that I wanted to address this issue because, you know,
Starting point is 00:23:23 solving the problem for IBM or Sage from a compliance perspective, wasn't the same as solving the problem for a real individual in real time. And then when they started to install MetaCert, I could literally see people say in the channel, oh, my word, I was about to click on that link until I saw the alert from MetaCert. And then we knew, okay, this is definitely going to be a bigger problem moving forward as crypto evolves and it grows over time. And we just have to try and solve this issue. And that's how we got involved in crypto.
Starting point is 00:23:55 And so what is that, what do these attacks look like? You sort of kind of glossed over this. You said something about using the Slackbot reminder and then something about APIs. So what are these attackers doing? So they would set up, it's technically impossible for the community administrator or owner to disable the Slackbot inside Slack. And an attacker would set up an account and then they would set up a reminder to send a reminder to every single person in the community to say,
Starting point is 00:24:27 don't forget about our magic airdrop or special offer or whatever it is. And they would hyperlink the text to a phishing site, which is a website impersonating the cryptocurrency. And then when they log in,
Starting point is 00:24:43 they're asked for their private key. And then they lose all of the crypto assets. And that was happening literally every five minutes. And that's why... And just what triggers the Slackbot reminder? Like, how would it... You just set it up.
Starting point is 00:24:59 It takes five seconds. You can go into a Slack community right now. And you do like a slash Slackbot reminder, five minutes and 10 seconds and put it on repeat. And then it'll send a message to everybody that you've directed it to. If you've said, do this in a channel, then it'll send it to the channel and keep sending it. Or you could pinpoint specific people by direct message. And the way that they would like entice people to click on the links was sort of like saying you're going to get free money if you do this and like there's this you know you have to do
Starting point is 00:25:33 it now or there's this time window before which like you won't be able to get these free coins, stuff like that. Exactly, exactly. And one of the things that I say to crypto teams, and I don't know how much they listen to this, I empathize with the need for marketing and time sensitive promotion in order to get the momentum going in your project, but it needs to be balanced with the fact that we're creating this world, we're encouraging people to quickly click links, log into websites to get this special offer that they need to get now. And they're not thinking straight, especially when it's on a mobile phone. They just happen to, I don't know why, but people just happen to trust links more than if it's sent by, you know, email on your computer. You're less
Starting point is 00:26:20 likely to believe it if it's coming from your bank. But when it's coming from a crypto team, they're used to them saying, you know, get it now. And so they're just kind of just used to opening links very quickly without thinking. And it's not it's not dumb people falling for these, as a lot of people say. A lot of smart people fall for phishing scams because they could be, you know, not thinking about it or whatever the circumstances are. I would never make fun of anybody falling for a phishing scam. Yeah, yeah. I've interviewed some of these people.
Starting point is 00:26:54 So we're going to, and I agree with you, they're not idiots. In fact, there are people who know the rules, but one of them was like, oh, I did it on a morning when I was a little bit hungover. So we're going to discuss more around your customers, who the scammers are, and also how you plan to centralize this solution. But first, I'd like to take a quick break to tell the listeners about our fabulous sponsors, starting with Preciate. Today, Preciate is recognizing Jamie Smith for her outstanding leadership as CEO of the Global Blockchain Business Council. During her tenure, which recently concluded with a handoff to Sandra Ro, Jamie was a tireless advocate worldwide to advance the understanding of blockchain technology.
Starting point is 00:27:38 We appreciate you, Jamie. Preciate welcomes Unchained listeners to nominate a friend like Jamie to get props on a future episode of Unchained. Just go to preciate.org slash recognize. And for those listeners who have been listening to this podcast for a while, you may remember Jamie from a previous episode. She was on the how to explain blockchains and cryptocurrencies to the average person episode, which was super popular. Anyway, continuing with the ad. Looking for a new job? Preciate is hiring a
Starting point is 00:28:07 senior product lead, iOS developers, and UX designers. If you believe in design thinking, love the idea of building the most valuable relationships on Earth and are located in Dallas or San Francisco. Join more at preciate.org slash careers. Cryptocurrency is vibrant and exciting, but it's not without its share of bad actors. Exchanges and personal accounts can get hacked. Computers can be infected with malware. Left unprotected, your digital wealth is up for grabs. Don't let yourself be a victim. KeepKey is the safest and simplest way to protect your Bitcoin, Ether, Litecoin, and other tokenized assets. This hardware wallet is a separate device that you control. Brought to you by the pioneering team at ShapeShift.
Starting point is 00:28:50 KeepKey works with a wallet software on your computer to manage your private keys and transactions. Your device is PIN-protected, which renders it useless even if it falls into the wrong hands. Its large display lets you carefully view and approve every transaction. And if your KeepKey is ever lost or stolen, you can safely recover your device without compromising its private keys. The bottom line, you'll sleep easier, knowing that your digital wealth is safe and secure. Visit keepkey.com to order yours today. Works on PC, Mac, Linux, and Android. Bitwise is the creator of the world's first cryptocurrency index fund, the Bitwise Hold 10.
Starting point is 00:29:28 The fund holds the top 10 cryptocurrencies by five-year diluted market cap, rebalances monthly, and takes care of secure storage and taxes. It's an easy, secure way for long-term investors to get diversified exposure. Bitwise is backed by Khosla Ventures, General Catalyst, Blockchain Capital, Naval Ravikant, and several others. They're a trusted partner to individual investors, wealth managers, family offices, and large institutions who are navigating the crypto space. The fund has several hundred LPs and is currently accepting accredited investors. To learn more about the Bitwise Cryptocurrency Index Fund or download research, visit www.bitwiseinvestments.com slash unchained. So let us talk about your customers. Who are they? How many teams are you working with and how many users, like everyday users,
Starting point is 00:30:24 do you have signed up for MetaCert? Within the crypto world specifically, some customers include BigchainDB, Ocean Protocol, Mercury Protocol, Koss, Raven Protocol, Enigma, and HelloGold and quite a lot of communities actually would install our software, either for Slack and more recently, Telegram. And the number of people that we protect in the crypto community specifically would be over 250,000. So meaning those are people who have downloaded the extension or those, that's the number of people across all those communities? That's, well, first of all, it's the number of people, I would say over 200,000 people across
Starting point is 00:31:10 the communities who've installed either Slack or the Telegram Bot. The telegram bot was released end of March. And after about a week, it's been installed in at least 15 communities that we know about. And some of those communities would have over 30,000 members. And just so I understand how this works, you are just putting all the sketchy URLs in a database. So like, isn't it sort of a little bit more like whack-a-mole where the scammer gets a link out there and somebody may fall victim to it? And then you add it to your database and prevent others from falling victim to it? Or can you be more preventative than that?
Starting point is 00:31:59 All of the above, actually. Phishing is like playing whack-a-mole. But come back to it, it's not just a simple blacklist. We have an extraordinarily advanced threat intelligence system. I'm one of the two people that co-instigated the creation of the W3C standard for URL categorization, and the W3C is the internet, it's the standards body for the World Wide Web. That was started and still run by Tim Berners-Lee. And I did that in 2004, and it became a ratified standard in 2009,
Starting point is 00:32:31 and replaced an old standard called PICS, which is still used in part by Apple Parental Controls and Internet Explorer. So I've been working on the whole content labeling URI categorization since 2004. And that platform, that cost about a million dollars in about two and a half to three years to build and tweak to get it to where it is today, which is why it's very easy and quick for us to build applications on top, like a Telegram bot or a Skype bot because of the back-end technology. So we also, with phishing specifically, we take a feed from nine different open source lists. We put that into our database in machine readable format. And then we add to that all of the suspicious links that are reported and validated by all of the people across all of the communities. And then inside our own Slack, we actually have data scientists from some of the biggest security companies in the world.
Starting point is 00:33:33 reporting to us on a daily basis many dozens of new crypto phishing websites. So there's a number of different ways for us to add specifically phishing websites and fake social media accounts to our database. But that's why I go back to the, so that they added to, that adds a lot of value to the Telegram and Slack bots. But that's why we also encourage people to install Cryptonite for their browser, because even if we don't catch the, yeah, because even if we don't catch the phishing site, then at least if it's not green,
Starting point is 00:34:07 you know that you should go and look for more information before you can trust the website or social media account. That's where we think the future is. It's not just necessarily creating blacklist, but just providing more information about the content and providing better visual indicators. So I would like to see Brave, Chrome, Firefox, Safari and Opera provide a different visual indicator provide a different icon on the toolbar so that they can read the information from the MetaCert protocol or other protocols that are created in the future so that they can actually
Starting point is 00:34:41 provide users with more information about the content before they open it. So this would be the perfect segue to finding out how you decentralized. But before we get to that, I'm just so curious to know, have the scams changed over, you know, you've been working in this for almost a year now. So I'm just curious to know, have the scams changed in any way? Or is it kind of just the same thing over and over again and just in different applications? I would say yes, and they're getting a little bit more sophisticated. They move from platform to platform.
Starting point is 00:35:11 In 2017, it really was almost like turning off a tap for phishing inside Slack because so many communities installed our security app that we just didn't read about it anymore. And in fact, actually, do you remember when you and I had a conversation, you said, but Paul, I'm not really hearing about too many scams anymore. And that's because we were installed in so many communities. And then those communities that weren't installing MetaCert, they'd already migrated to a different platform. And I predicted back then that the scams would move to whatever platform didn't have security. And lo and behold, now we're seeing more scams in Telegram because nobody had built it,
Starting point is 00:35:48 but designed for the crypto world to protect them from phishing. But is there any change other than just moving from platform to platform? Well, they're doing that, but then I guess the change is they're becoming a little bit more sophisticated. They're spending more time. As these attacks on crypto get more media attention, as crypto gets more media attention through news about regulation and companies raising large sums of money, then the cyber criminals spend more time. If they know that there's a housing estate going up and they don't yet have alarms installed or they've never actually bought a house before, so don't know how to protect them, then the cybercriminals will go directly to that housing estate and attack the houses that have the least amount of security. And we're hearing about kidnappings. We're hearing about blackmail. I think blackmail is going to be a big problem where crypto team members or high-profile enthusiasts will be targeted through spyware and malware, through applications or bots or websites, and then
Starting point is 00:36:56 either their video or their sound will be compromised. And this all sounds like 007 stuff, but it's really not. This is stuff that's happening and will happen more. Their sound or video will be compromised. They'll be recorded, saying or doing things that they'd rather not be recorded about. And then they'll be blackmailed through a cryptocurrency that can't be tracked. So the attacks are becoming a little bit more sophisticated. The social engineering is on the rise.
Starting point is 00:37:22 That's becoming a little bit more sophisticated. And I think, you know, 2018, 2019, it's just going to get more advanced and more prevalent. It's going to become exponential, as I predicted in 2017. Yeah, well, definitely the physical attacks have been increasing, even if it's kind of sporadically and a lot of it is abroad. Nathaniel Popper wrote an article about that for The New York Times. And Mike Belshe and I discussed it in a recent episode, so people should listen to that. But so now let's get to how you plan to decentralize your network. This is very interesting to me.
Starting point is 00:38:01 How will that work? Will users just add to the database and then get paid every time they spot a phishing link? Or how does that work?
Starting point is 00:38:38 Think of our threat intelligence system as not just a list of phishing sites, but as a WHOIS lookup, because we've categorized over 10 billion URIs into between 60 and 65 categories where phishing is one of those. So when we pick that up and put it on the blockchain and we create a smart contract,
Starting point is 00:39:20 we're working with in partnership with ConsenSys. So we're supported by ConsenSys. they're helping with the token economics and other mechanisms and other areas of the token economy. So imagine a world where through Cryptonite or one of the bots or somebody else's application, you can submit a website or submit information about a website, whether it's phishing, triple X, sports, religion. If it hasn't previously been classified, you can submit it. And then other people will validate that.
Starting point is 00:39:52 and through the reputation score of each of the individuals, we will then, each URI will be classified. So let's take a sports website, for example. When one person submits that, then it might take two people to validate it or three people to get the consensus. And then once it's validated, each person gets paid in tokens.
Starting point is 00:40:16 If it's something like triple X or phishing or malware or another link that adds a little bit more utility to society, then it may require more people to do the validation work. And in the case of phishing, it may require one or two experts to actually evaluate and validate the submission. And we just happen to have people who are passionate about different types of data sets. And, you know, when it comes to submitting and validating triple X, for example, we have a number of parental controls. We have safe browsers for
Starting point is 00:40:59 iPad and Chrome, but we haven't updated them in many years because we focused on messaging platforms. And they have probably about 100,000 active users. And throughout the years, we've had parents submit websites to us, but the technology can automatically identify triple X. And if it doesn't identify it automatically, it then puts it into review queue. So we have over, we have about a million domain names in our review queue. There's no way MetaCert could actually go through that and evaluate. what category website each one is. So by putting that onto the blockchain,
Starting point is 00:41:27 everybody can come pick domain names to validate, and then you get that consensus algorithm going on, and people get rewarded in tokens. And how do you prevent what we're seeing with these pump and dump groups where maybe I'm a scammer and I create a phishing link, and then I get all my buddies who are in on the same scam to then validate it as legitimate on your site. And then we all earn tokens from MetaCert. Plus, we earn all the
Starting point is 00:41:57 tokens that get sent to that phishing link. And then I, you know, divvy it up amongst everyone. How do you prevent something like that? Well, first of all, it's not easy. But let me tell you a story to demonstrate the history that we have and the experience that we have, not just with categorization on the web, but actually human behavior for many different facets. Imagine we're, we have parental controls where kids are submitting. When you try to access a triple X website using a safe iPad browser, for example, you get a block site saying that you're not permitted to access that website. But you can report it as a false positive.
Starting point is 00:42:35 Imagine the amount of kids that would continuously report the same websites as false positives when clearly they're not. Clearly they're trying to unblock websites they'd like to visit. And so as a team, we got together and said, okay, how can we reduce the number of times that our databases opening up these false positives? So we put in some business logic and checking so that if you try to submit a website that was previously validated after it was reported as a false positive, you then get a message to say, thank you very much, but we've already evaluated this and we really believe it really is
Starting point is 00:43:10 pornography. If you still think it's a false positive or a website that shouldn't be classified, then please open a ticket. So you still leave it possible for them to get in touch, but you make it a little bit more difficult. So we're used to that kind of human behavior, trying to be a little bit malicious or coy. When it comes to phishing, there are a number of different things
Starting point is 00:43:33 that I can't go into detail on, obviously for security reasons, but we do want to open it up in as much as possible so that the community participates in, you know, what that validation looks like. But let's say, that actually leads me to believe that, okay, yeah, because it doesn't sound very decentralized, then it sounds like the ultimate kind of backstop will be this centralized service. It's like just a portion of the process will be decentralized. No. So, well, there's always, it's like if you ask me, how do we handle security and privacy? I'll give you some vague answers. I can't go into detail, obviously, for security reasons. So the service is decentralized.
Starting point is 00:44:17 The trust and reputation is decentralized, but just parts of the cogs and wheels, you don't necessarily have to open source every piece of the code to let people understand how the intricacies work. So, for example, to answer your question very directly, if you submit a website, the people, the websites that are reviewed by the community are randomized. So you can't get 10 friends to validate the same link, because when they log into our dashboard, they may or may not get the websites that you've submitted for evaluation and validation.
Starting point is 00:44:52 They may get an entirely different set of URIs to validate. And then there will also be the ability for us to record the historical data. So there will be a ledger and audit trail of who validated, who submitted what, who validated what is the web between, what is the relationship between submitters and validators and there will be ways to see patterns. And how do you know the relationships between the first group and then the validators? The metadata, not the physical relationship between you and somebody that you might know. But, you know, if there's a pattern where every single link that you submit is validated by a guy called Chris.
Starting point is 00:45:38 And he happens to say that you're correct in every one of your validations, but other people, end up disputing those. Because once something is validated, other people can still dispute those. And that's where the token comes in. In order for you to submit, validate, or dispute, you have to stake some token. You have to put in some skin in the game.
Starting point is 00:46:02 And so you've got an added incentive to not try to be malicious because if other people dispute and then their disputes are validated, then you lose that token. but when everybody agrees, then everybody gets paid in token. Okay, so the scammer would basically lose money in order to try to make the scam work, and then it might sort of defeat the purpose of the scam entirely.
Starting point is 00:46:28 Exactly. Okay. Exactly. And then also, we just happen to have people who are passionate about different data. So one example to demonstrate a point about the data, imagine a world where advertisers and platforms could use the MetaCert protocol to avoid placing ads on fake news websites and undesirable websites, while at the same time targeting websites by category type on a granular level. That's one use case of the MetaCert protocol.
Starting point is 00:47:04 Now, that's not one that we're particularly passionate about, but that's an application that may or may not be built in the future. The areas of concern that we're really interested in are the following. Protecting people from phishing. We happen to have hundreds of thousands of people who are using products that protect them from phishing. So imagine MetaCert with the products, they're just a customer of the protocol. So MetaCert Protocol is a new entity that, for the purpose of building the MetaCert Protocol, MetaCert with those security products is just one customer.
Starting point is 00:47:39 we will encourage other people to build competing products, other security bots and applications or other applications we haven't thought about. We just happen to have good use cases to demonstrate how the protocol can be used through applications. And so we already have people, within three days of opening up our own Telegram group, we had 3,000 people come into the Telegram group,
Starting point is 00:48:05 all very enthusiastic because they all came from our products. They all came in, knowing that, oh, if I submit links for phishing, that means I'm going to get paid in MetaCert token and then the same phishing links are going to be used to protect me from phishing links. So I'm going to get paid to protect myself. And it's in my best interest not to try and submit bad links because then I'm not going to be protected or I'm going to be blocking myself from innocent websites. Now, copy and paste that to brand protection when it comes to verified accounts and then also parental controls or news repatriates.
Starting point is 00:48:39 We happen to have products for each of those areas of concern with enough end users and customers to know that there's a real need to solve those problems and people who will be able to get involved on day one. And just so I understand, so I get how I can earn tokens. It's by maybe, I don't know about submitting, but definitely verifying or validating. And then how do I spend them? Like, what would I spend these tokens on? First of all, you'd be able to unlock or subscribe to MetaCert services in a way that wouldn't have been possible in the past. Also, we're working in partnership with a number of companies. I can mention one of those, and that's Rocket Chat.
Starting point is 00:49:25 Rocket Chat is the biggest open source messaging platform. That's a competitor to Slack. And they are going to integrate the MetaCert protocol. Together, we're going to build an open source security module. all of their customers get the option to click a button and then get anti-phishing security or security against other malicious links. And they've also agreed to adopt our token to incentivize people in their world to submit and validate links that they care about.
Starting point is 00:49:59 And there's a couple of other platforms that are more abstract than that, that will adopt the protocol and the token. But I can't mention those at this time. But we envisage a world where it's not just people who use tools on top of the protocol built by MetaCert, but tools and applications built by other companies that will use the token to incentivize their economy. And there's many different ways to use the token within a household if they're using whether it's parental controls or in use credibility, software or anti-phishing add-on. So basically I can either use it within the system maybe to like, I don't know what you mean by parental controls, but maybe it's like someone who wants to kind of like you. Yeah, I still don't fully understand how I would spend it within the system.
Starting point is 00:50:54 Like I could see earning it and then just, you know, converting it to ETH or something. But like I don't understand. Okay. So you're a parent and you pay $12.99 a month for parental controls, whether it's a browser add-on or a DNS service. And in order to offset the cost of that,
Starting point is 00:51:15 you get a choice to pay in tokens, our tokens. And to offset the cost of that, you may want to submit or validate links that are used to improve the software while at the same time reduce and are negating the cost of the software. But then maybe, and I'm not sure, you know, maybe you'll be able to give your kids tokens that they can then use for accessing the web for a certain number of
Starting point is 00:51:42 minutes in the day. Okay. Yeah. Okay. Now I see. That makes sense. And one other thing I wanted to ask about is so just so I understand this is going to be a decentralized protocol that is for detecting false links or scammy or phishing links. And different companies can build services on top of that and then charge or have their users earn tokens through that. But no one company will control this protocol. Is that correct? Yeah, but not just phishing. People will be able to submit and validate information about websites, bots, applications, and social media accounts. It's any web resource. So you may want to submit or validate ownership of a particular Twitter account or a particular Facebook account or LinkedIn
Starting point is 00:52:39 or bot or application. And that goes into one big database. So it's not necessarily just phishing or pornography or other categories. It's basically a big WHOIS database with more information than what you would get in the WHOIS database and information that's validated or an IMDB for the web where you can find out information about the website owner, the social media account owner, is it suitable for children, is it suitable for mobile phones, is it phishing? And then other companies, you could be an ISP, a public Wi-Fi hotspot provider, a router, a browser company. You would want to use that
Starting point is 00:53:20 MetaCert protocol in order to be able to protect people or highlight information on the web when people use your products and services. Wow. This is, this is pretty all-encompassing. One other thing I just realized is it sounds like this can also be used for what we're currently seeing in the crypto space, which is that a lot of the social media accounts for various, I guess, crypto personalities are being imitated. And then they're popping up and saying, if you send me 0.1 ETH, you will get back a full ETH, things like that. It sounds like this would be useful for that as well. It would be very useful for that. I mean, CivicD is working on verification of identity. For me, identity is something new. And when we're moving everything to
Starting point is 00:54:18 the blockchain, we're not just copying and pasting. We're actually asking ourselves, if we were to invent what it means to get a green shield for a website or social media account? What does that actually mean? And actually, the answer to that question has been opened up to the community. We'll create the baseline, but the community will answer it. For example, a Twitter account, you don't necessarily want to prove you really are Laura Shin by demonstrating evidence by way of your passport or your license, your driver's license. In fact, you may not even hold either of those credentials, you may want to actually have an alias. So we have a great guy on our team who's just joined our administrators. His name is virtual growth. And nobody on the team and nobody in the
Starting point is 00:55:08 crypto world actually knows his real name. He's just known as virtual growth. That's every county has. I'm glad I'm glad it's not his real name. Yeah, that would, that would, that would be funny. So he shouldn't have to prove his real name. So identity is more about personas. You may trust a particular Twitter account that you've been following for a quite considerable period of time to talk about crypto without actually known who the identity of the person is. They may be linked to a GitHub account or some other type of account. Maybe you want additional information. But the verified symbol may just mean, in some instances, you're just not going to be scammed.
Starting point is 00:55:46 It doesn't mean it's a legitimate token or a legitimate whatever. It just means that they're not going to scam you. it really is what they say it is. If they tell you they're going to scam you, then you can verify that. But it's really, MetaCert doesn't have an opinion about what's good or bad on the internet. We simply open it up to the community to classify the entire of the World Wide Web, and then other companies can do what they want with that information. Not everybody thinks pornography is bad or should be excluded.
Starting point is 00:56:21 Some people may want to look for that information. So we don't have an opinion as to what's good or bad. Just a very small percentage of the internet. So it's not for us to decide. And when it comes to decentralization, I am so excited by the fact that MetaCert and other security companies can be removed from the equation of trust. Because, you know, why should you trust MetaCert to verify all the crypto exchanges
Starting point is 00:56:47 and wallets, aside from the fact that we couldn't possibly scale it globally? We need help from the community. but why not have a MetaCert protocol that actually is owned by the people so that if MetaCert was attacked and brought down or whatever happened, then you still have that network. You still have that self-contained economy of people who just constantly submit, validate, dispute, validate links that have a lifespan of maybe six or 12 months and then people evaluate it again. And it's constantly evolving and constantly.
Starting point is 00:57:22 growing. Now, the database itself can't be decentralized because we don't have a technology. We don't have a blockchain solution that could give the performance that's needed. But we're talking with a number of companies like Ocean Protocol, for example, who are working on that decentralized marketplace of data. So we do want to decentralize as much as possible. I think it's really important to demonstrate intent. So I've contributed to eight technical specifications at the W3C. I mentioned my URL categorization background. I'm also one of the seven original founders of the mobile web initiative at the W3C,
Starting point is 00:58:02 and I was the first person ever to rewrite Tim Berners-Lee's vision of the one web, whilst we were drafting the first best practices charter for the mobile web initiative. And my COO, Ian Hayward, he was one of the first 25 contributors to the Mozilla Foundation and started and fostered the growth of the entire Mozilla Evangelist community, which contributed to the success of Firefox. So we really care about open source and open standards and an open web and decentralization. We will open source the products owned by MetaCert when we get the time and effort, the time and resource to do so, and we will decentralize as much as we technically possibly can.
Starting point is 00:58:45 Great. So when we're running out of time, but I actually want to ask you just a
Starting point is 00:58:45 Great. So when we're running out of time, but I actually want to ask you just if, few more questions. One is, do you have any sense of who the scammers are? We see a lot of attacks coming in from Ukraine, China, Romania, but we don't really know who they are. They could be anybody because I gave a talk at a blockchain conference in L.A. last year. And one of my main points was don't use your phone number as a password backup and recovery mechanism, otherwise known as we've discussed as two-factor authentication. In an hour after that, my own phone number was compromised. I got a text message from T-Mobile. I can't wait to give a talk at the same conference
Starting point is 00:59:24 in San Francisco this week because it's going to be a screenshot of what happened the night after my last talk, which is mine was compromised. But it, you know, everybody can be hacked. The good thing is I don't have core access to anything meaningful. So I knew I would be a target. So I don't have access to anything that would compromise MetaCert or any customer data because I don't have root access to anything. And I knew that would happen. So it's easier to attack than it is to defend. And when do you plan to launch your decentralized network? We plan to have a basic token functionality working on a test net by mid to late April. And so we will be able to distribute tokens to all of the end
Starting point is 01:00:15 users of the products that sit on the protocol. So, for example, Cryptonite, the browser extension, I told you about, each user is going to get 360 tokens, which would then effectively allow them to use that software for free for another year. Okay, so you plan to do some airdrop strategy? That's right. It'll be possible. It'll have a small wallet built into the extension, not big enough to hold a lot of tokens for security purposes. And so they'll be able to unlock those tokens as soon as they're available. And we will be selling tokens privately around end of April and publicly about six to eight weeks after that. Okay. And it sounds like you're offering them as a security when you say privately? No, there's a private sale to big participants. So there's no
Starting point is 01:01:06 discount or bonus for purchasing the tokens for future use within the network. So you will be able to buy the tokens privately, but you have to buy a certain amount, and then you assert how you're going to use the service in the future. So it's not a security token. It absolutely is a utility token. And we're doing a number of things to demonstrate best practices within the industry for the longevity of the project. So the first one I mentioned was no bonus or discount for people who want to purchase the tokens privately. The tokens, we're going to, you know, will already be in use by then as well to demonstrate that there is real utility for the tokens and real demand for the token. The team will have a 75% lockup. So after the platform is live,
Starting point is 01:01:57 75% of MetaCert's tokens will be vested monthly over a three-year period. Okay. And this is maybe the most important question for the listeners. What are your tips for users so they don't fall victim to any of these crypto scams. Install 1Password. There are other applications that are great if you use them, one that's brilliant, but just install 1Password if you're not. Use that to automatically generate very long, difficult passwords. It's a fantastic solution.
Starting point is 01:02:33 Remove your phone number as a backup and recovery to passwords. Call your cell network provider and ask them to put a double opt-in to changing the SIM card, which reduces the risk of that happening. If you're a crypto team, take the time and the money and resource to hire security personnel instead of just community managers, sales and marketing people when you've got the funding. Security is very important, not just for your own team, but for the purpose of protecting your communities. Install all of our free software, particularly for Telegram and Slack.
Starting point is 01:03:09 And just be mindful that it's not 007. scenarios. You know, don't leave your computer on the table at Starbucks and ask the person next to you to look after while you go to the bathroom. They could be sitting there because they're spying on you because they know that you're a high profile target within the crypto world. The higher the profile you are in the industry, the more of a target you will become. And they will go to any degree to access and compromise yourself, your company or your family. I'm constantly getting email saying my passwords attempted changes on Facebook and other social media accounts. So everybody's a target and just be mindful of that.
Starting point is 01:03:53 Great. It's been so wonderful having you on the show. Where can people learn more about you and MetaCert? Go to MetaCertProtocol.com for the project. MetaCert.com is the separate company if you want to install one of those apps. and come join the Telegram group, which is where all of the conversation's happening, which is t.me slash metacert. Thanks so much for coming on Unchained. It's a pleasure. Thank you so much, Laura.
Starting point is 01:04:24 Thanks so much for joining us today. To learn more about Paul, check out the show notes inside your podcast episode. New episodes of Unchained come out every Tuesday. If you haven't already, rate review, and subscribe on Apple Podcasts. If you like this episode, share it with your friends on Facebook, Twitter, or LinkedIn. Unchained is produced by me, Laura Shin, with help from Elaine Zelby, fractional recording Jenny Josephson and Daniel Nuss.
Starting point is 01:04:45 Thanks for listening.
