Unchained - The Chopping Block: Top White Hat Hacker Samczsun Discusses the State of Crypto Security - Ep. 579
Episode Date: December 7, 2023
Welcome to The Chopping Block – where crypto insiders Haseeb Qureshi, Tom Schmidt, Tarun Chitra, and Robert Leshner chop it up about the latest news. This week, they are joined by Samczsun, an anonymous security researcher at Paradigm, who delves into the intricacies of crypto security, ethical hacking and the shifting landscape of smart contract vulnerabilities. He also discusses his strong feelings about the “Code Is Law” philosophy and gives tips on how people in crypto can best protect their online security.
Listen to the episode on Apple Podcasts, Spotify, Overcast, Podcast Addict, Pocket Casts, Pandora, Castbox, Google Podcasts, TuneIn, Amazon Music, or on your favorite podcast platform.
Show highlights:
what led Sam to a career in crypto security and his current role at Paradigm
how Sam uncovered one of crypto's most legendary vulnerabilities
why security experts like Sam choose the path of white hat hackers over black hats
the craziness of the KyberSwap hacker's proposal
parallels that Robert draws between this case and Avi Eisenberg's Mango Markets exploit
what advice Sam has for the KyberSwap hacker
whether Sam, as a security expert, trusts storing his money on-chain
how the Platypus hack ruling by a French judge challenges the 'Code Is Law' philosophy
what the Security Alliance aims to achieve and its impact on the industry
how Sam suggests individuals should practice personal crypto security, including the importance of using password managers and hardware wallets, and avoiding SMS two-factor authentication
Hosts:
Haseeb Qureshi, managing partner at Dragonfly
Robert Leshner, founder of Compound and Superstate
Tom Schmidt, general partner at Dragonfly
Disclosures
Guest: Samczsun, security researcher at Paradigm
Links:
Hacks Episode with Ogle: The Chopping Block: How This DeFi Hack Negotiator Gets Hackers to Return Stolen Money
Unchained: $48 Million Drained from KyberSwap in Hack
Kyberswap hacker's latest message
Cointelegraph: KyberSwap hacker offers $4.6M bounty for return of $46M loot
Platypus exploiters walk free after claiming to be ‘ethical hackers’
Code is law: The Chopping Block: ‘Code Is Law’ Is ‘Obviously Not How Anything Works Ever’
Unchained: The Mango Markets Attacker on Whether His 'Trade' Was Ethical or Not
Thread by Gabriel Shapiro on the topic and Vy Le’s response
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
I think Code is Law is bullshit.
Anyone that in 2023, almost 2024, is still going around either A, claiming it's not and it's legitimate or B, claiming that the crypto industry embraces Code is Law, I think they're being disingenuous or just stupid.
I think Code is Law, most reasonable people in the space have moved on from, you know, two, three years ago.
Not a dividend.
It's a tale of two quans.
Now, your losses are on someone else's balance.
Generally speaking, air drops are kind of pointless anyways.
Unnamed trading firms who are very involved.
D5.Eat is the ultimate.
DFIPITES are the antidote to this problem.
Hello, everybody.
Welcome to the Chopping Block.
Every couple weeks, the four of us get together
and give the industry insider perspective
on the crypto topics of the day.
So quick intro, first you've got Tom,
the DeFi Maven and Master of Memes.
Hello, everyone.
Next, we've got Robert, the Crypto Connoisseur and Tsar of Superstate.
GM, everybody.
And today we've got a special guest,
Sam, the white hat wizard at Paradigm.
Hey.
This is where you say something.
And I'm Haseeb, the head hype man at Dragonfly.
We are early stage investors in crypto, but I want to caveat that nothing we say here is
investment advice, legal advice, or even life advice.
Please see choppingblock.xyz for more disclosures.
Okay.
So Bitcoin just hit $44,000 or just below $44,000 from being in the 30s last week.
So really crazy run up in crypto markets.
we were basically front page news once again.
It's been a long time since crypto has been in the front page news in positive light.
But once again, it feels like we're in the early throes of a bull market.
And alongside that bull market, we now have ourselves in the curious position that it's hacking season again.
And there's a lot more, I've been seeing a lot of stuff going around about people being targeted
and hacks and scams and frauds and giveaways.
and, you know, I'm giving away free ETH, send me one ETH back after I send you.
This kind of stuff is going around again.
And so I thought it would be a great time to bring on Samczsun.
So for those of you who do not know, Samczsun is probably the most famous white hat hacker in crypto.
Tom, I remember you actually were at 0x when Sam discovered, I think it was probably
one of the most legendary vulnerabilities in crypto history.
Tom, do you want to describe how that played out?
Yeah, I think, I don't know if that Sam, that was.
your debut, so to speak. But yeah, there was a pretty gnarly bug in 0x v2 that Sam caught. And it was an
approvals related bug, which is one of the scariest. Basically, the TLDR is it would have allowed
anybody to create a fake 0x order on behalf of anybody who had used the protocol and basically
drain any assets that you had allowed the protocol to trade on your behalf out of your
wallet. And luckily, Sam spotted this, got in touch with us.
I think we spent a whole overnight 24 hours thing trying to patch it, fix it, put out the upgrade.
But that was my first introduction to Sam, which we were incredibly lucky to have had.
And that was one of the largest vulnerabilities ever discovered in DeFi at that time.
Yes.
It was a pretty crazy debut.
And that's how I remember first hearing about Sam.
Sam, I know that you're a very secretive person.
I imagine being a white hat and a cyber sleuth and having a lot of enemies from the sort of
dark side of the internet requires you to have really good opsec. But whatever you're willing to
share with us, and for those of you who are just listening to the podcast, Samczsun is appearing here
in anime avatar. He has a voice changer. So he's a very, very, he's the real deal. Sam, what can you
share with us about who you are, where you came from, and how you got into the world of white hat hacking?
Yeah. I mean, you know, I've been doing security my entire life. And so all of my IRL friends know
this. And years ago, way before I started doing crypto, one of them reached out to me. And he said,
there's this thing happening on this Ethereum thing. It's really interesting. You're going to love it.
It's like some multi-sig, whatever, something or other. But I was like, that's really awesome. I'm sure I will.
And then I completely ignored it for like half a year because I was busy doing other stuff.
And I continued ignoring it until one day I was just so absolutely bored out of my mind doing non-exciting, non-crypto things.
and I was sitting there going,
what could I possibly be doing right now?
That would be more productive than,
I don't know, like watching YouTube or whatever I was up to.
And I remember, you know, this Ethereum thing.
And so that's how I got started.
And of course, that then,
there weren't nearly as many resources to get started in
health of security as there are now, right?
Today, we have so many, you know,
there's blog post stuff right, there's YouTube videos.
They're even data impairing really easily
through any of these training programs
or just the contests on Code4rena.
So today it's really, really, really easy to get into security.
Back then, you know, you had maybe one or two blog posts about here's the top ten Solidity vulnerabilities.
But, you know, that's sort of why I got started.
And so I was looking into, you know, what exactly was this multisig bug, what exactly was reentrancy, what exactly was delegatecall, and just slowly work my way up from there.
Very cool.
And so now you work with Paradigm.
You're a, I guess, white hat in chief or something.
I don't know exactly what your role is security researcher, I guess, is probably what
they call it. So what exactly do you do at Paradigm? Like, how do you fill your days?
Yeah. So I think of my time at Paradigm, you know, mainly broken down into three parts.
The first part, obviously, is dedicated to Paradigm itself. It would be quite embarrassing.
If Paradigm were to be hacked, I think I would actually just, well, fortunately I'm anonymous.
So I can just disappear. But I still don't really want to do that. That's like the last resort there.
So obviously, a lot of time is spent considering how to protect Paradigm, how to protect our assets.
You know, obviously, we're also an investment firm.
And so, you know, the second part chunk of my time is dedicated to figuring out,
how do we protect our portfolio companies?
You know, if they have security asks, if they need an audit, if they need some code review,
if they need advice on non-crypto security, right?
A few days ago, I tweeted out about these people going around,
threatening, claiming they found a bug in, you know, your website,
and they would take it offline, they would DDoS it,
and then they would say, okay, before
we tell you what this bug is, please pay us like 5 ETH.
And so understandably, if you're a first-time founder, you might be really stirred at
that, right?
You might be going, uh-oh, no, what do I do?
I got to pay up to figure out what's going on here.
And so not necessarily crypto security, but I'm so there to help advise them on situations
like that.
You'll let them know that this is actually just extortion.
They don't have anything of value.
You know, you can just like go on with your day.
And then the third part of my time is mainly focused towards the community itself.
And so whether that's finding bugs in other protocols or putting out these write-ups like I've been doing recently about these sort of security self-audits, really just figuring out what I can do to help further the security of the space itself.
So many people might not be as familiar with the crypto security world.
And so in crypto security, there are two kinds of players generally.
Well, there are many kinds, but the two main ones we like to talk about are what we call white hats and black hats.
And a white hat is basically like a superhero.
They are on the side of good.
They're just out there to do the right thing, find bugs in protocols and be helpful to the people who are trying to build useful things in the world.
And then the other side is what's called the black hats.
So the black hat hackers are people who are in it for themselves.
They're trying to do harm.
They're the supervillains in this whole story.
And they're preying on civilians and trying to trick them into giving them money one way or another or outright breaking protocols.
So a natural question many people have when they're thinking about somebody like yourself who's a white hat.
how does one decide to become a white hat hacker rather than a black hat hacker,
given that many people realize that it's very lucrative to be a black hat hacker,
especially when you have skills as good as yourself.
Why do you end up becoming a white hat?
The big reason for me is basically, I mean, I think I was raised in an environment
where, you know, I was sort of taught that doing the right thing is more important
than doing the thing that makes more money.
So I think I really took like the positive values to heart
growing up. And so really the main
factor I consider when I think about
all of these biggest flights is not necessarily
oh, I would be so rich if I stole
$500 million from this protocol. But I think
more importantly, where did that $500,000 come from? Right. And while
after the not, it's going to be from these individual families,
you know, parents, grandparents, like it
people who for better or for worse put their entire life savings
in a DeFi protocol. I'm not trying to
excuse them and say that was like the right choice, right? Like a lot of these times people
put their entire life savings in a DeFi protocol, maybe not the most responsible choice, but the
fact of the matter is that is their livelihood. And so, you know, just thinking about victimizing
just like these large swaths of the population, really decimating their future like that,
is just something I can't live with. And so it really isn't about the dollar amount on the final payout, as it were,
but just the fact that, you know,
I was destroying somebody's life.
It's just something I can't live with.
Sam, you're really like an anime hero.
I hear you tell him.
He's calling from his secret underground bunker right now.
It's the fortress of solitude we're seeing in the background here.
Yeah, the virtual reality laboratory.
On that note, I mean, Sam, you know, total tangent,
but what is your favorite anime?
Well, you know, I think over the years as I've sort of matured,
my taste of evolved,
I think actually, funnily, it has, most recently I've been watching The Eminence in Shadow, which is just like this totally, it like takes all the tropes in anime, like, stream.
The plot is about this guy who just wants to be super fucking cool, and he has no idea what he's doing, but he's just like, you know, only around the, the plot and like everything has happened to work out.
Actually, as it turns out, I think apparently one of the more popular projects managed to do a collab with them, which is,
It's saying to me, I didn't realize I, in a major anime studio would be open to that.
But I think that just speaks to how awesome the anime is.
They'll launch it in a channel.
Okay.
It's a very thoughtful answer.
Yeah, yeah.
Okay.
Well, all right.
So, speaking of white hats and black hats, I wanted to get into the meat of the story.
So last week we had Ogle on, Cryptoogle, which Sam, I know you know well.
And he was discussing with us the Kyber hack.
So for those who are just tuning in, there was a massive hack that took place over
a week ago now into a DeFi protocol called Kyber.
And so Kyber,
KyberSwap, they're an on-chain
DeFi DEX, basically, and DEX aggregator.
So they were hacked on the order of something like
50 million plus that was stolen from the protocol.
So the hacker was kind of erratic.
He was sort of initially last week,
he sent over a message saying, hey,
everybody chill out.
I need to get some sleep before we start negotiating.
And he was kind of telling everyone, hey, back off.
You know, I better not have any trouble
if you guys want to see this money.
And so then on November 30,
which is about a week ago from today,
he sent an even more unhinged message.
This was like right around the time
that our last episode got published.
So I'm going to read an excerpt from the message
that was sent by the hacker.
And this is probably the strangest message
I've ever seen a hacker send to a protocol.
It is the wildest.
It is six out of six on the unhinged scale.
That's right.
Okay.
So I'm going to go ahead.
So now I'm switching over to the hacker's voice.
Okay.
So I'm going to skip over some of the stuff.
But basically he says,
okay, here are my demands from the protocol.
I offer a treaty.
What I demand is complete executive control over Kyber, the company.
I want temporary and full authority and ownership over the governance mechanism,
KyberDAO, in order to enact legislative changes.
I want all documents and all information related to the company and protocol formation,
structure, operation, revenues, expenses, profits, assets, liabilities, investors,
salaries, et cetera.
And I demand that you surrender all of Kyber the company's assets.
On-chain and off-chain, including shares, equity, tokens, partnerships, blogs,
websites, servers, passwords, code, social channels, and any and all creative intellectual property.
Once my demands have been met, I will provide the following.
Executives, you will be bought out of the company at a fair valuation.
You'll be wished well in your future endeavors.
You haven't done anything wrong.
A small error was made, rounding in the wrong direction.
It could have been made by anyone.
Simply bad luck.
Employees, under a new regime, your salary will be doubled.
It is understandable that many current employees will want to leave regardless.
The employees who don't want to stay will be given a 12-month severance.
with full benefits and assistance in finding a new career, no questions asked.
Token holders and investors, under this treaty, your tokens will no longer be worthless.
Is this not sweet enough?
I'll go further still.
Under my management, Kyber will undergo a complete makeover.
It will no longer be the seventh most popular DEX, but rather an entirely new cryptographic
project.
LPs, these are the people who had their money stolen.
LPs, you will be gifted a rebate on your recent market-making activity.
The rebate will be for 50% of the losses you incurred.
I know this is probably less than what you wanted.
However, it is also more than you deserve.
This is my best offer.
This is my only offer.
I require my demands be met by December 10th, otherwise the treaty falls through.
Additionally, should I be contacted by agents from any of the 206 sovereigns,
It means countries.
concerning the trades I placed on Kyber, the treaty falls through.
In this case, the rebates will total to exactly zero.
Kyber is one of the original and longest running DeFi protocols.
No one wants to see it go under.
To assist with this transition of leadership, I may be contacted on Telegram, and he drops his
Telegram handle, which is Kyber Director.
Thank you, signed
Kyber Director.
so this
I have in all my years
to be clear we still don't know who this hacker is
we have no idea who this attacker is
maybe you know maybe people in the war room might know
but this is the fucking
craziest message I have ever seen
from a hacker
reactions
well I mean I will just say that
the hacker voice sounds a lot like a great investor
I know called Haseeb and I've never seen Haseeb and
Kyber Director in the same room
so I'm not quite sure what to make of
this, but maybe we should get some of the FBI on it or something.
You know, this does actually sound like the kind of language I'd use in an ultimatum,
so I can see the connection.
Yeah, this is like a very sadistic form of like a bear hug.
You know, they're trying to do a, do a, do a, an LBO by acquiring the assets first
and then taking over.
I mean, I don't know how they also expect this to work.
They want to run the company while also being anonymous criminal.
And I don't know, how are they going to take over the off-chain assets?
Like, the only doesn't actually.
even make any sense. The demand is kind of nonsensical on top of just being totally insane.
Well, it has a lot of parallels back to Avi Eisenberg and Mango Markets, where, you know,
the hacker or market manipulator, whatever, so to speak, was of the opinion that it was
legitimate market activity, that there was nothing illegal about it, and that it was all fair
game to take all of the assets from the protocol and try to negotiate from a position.
of strength or at least self-perceived strength.
And obviously, you know, this hack was not perpetrated by Avi.
But it sounds very similar in the response where it says, you know, it takes the opinion,
oh, this was, you know, fair game.
This was the LPs, you know, were market makers and I, you know, simply traded profitably
against them.
And coming from this, you know, position of wisdom and, you know, success, I would take that
further and say, I want to take over all of Kyber in a legal fashion. It's just, it's so perplexing to me
that, like, somebody has this level of both delusion and self-aggrandizement. I mean, this hacker is
nuts. And I think in their head, they might think that there's a shot that Kyber, you know, takes
them seriously, whereas anyone, you know, in the outside world, you know, immediately, you know,
sees the, you know, preposterous nature of what they're asking. I was going to think. I was going to
say it's a, it's a good deal for the employees, like 12 months severance and doubling their pay. I'm like,
the employees at Kyber might be like, hey guys, I think we should, we should maybe work for this hacker.
yeah clearly there's some weird grandiosity like kind of personality uh disorder going on with this guy
like some people were saying like okay well i think he's trolling i think this is a joke
this didn't read to me like a joke it was so specific and i i don't know i mean so sam i know that you're in the
war room. And we got a sense from
Ogle last week that
maybe you're constrained in what you can
say given that you might be in the room where
this stuff is happening. Anything you can share with us
about how this is being perceived by the first responders?
I mean, yeah. Well,
you know, as Ogle already noted.
I am definitely a bit limited.
Just out of respect to
the process, you know, I don't want to
be disclosing the information that isn't public.
But I think,
you know, like most people on
Twitter and just in the
general media sphere.
The demands don't seem particularly reasonable.
And if I were the hacker, I would assume I know that, like, you know, he went quiet
for a handful of days, no response, and suddenly comes out with, you know, these demands.
I mean, even if Kyber were to start making progress towards those, like, how do you,
how does that work when you hand control over those off-chain components to someone who absolutely
doesn't want to be doxxed? It just doesn't quite make sense to me. If the hacker is being genuine,
and I'm sure he's probably listening to this podcast the moment it comes out. But if he is being genuine,
you know, he's more than welcome to reach out and clarify how he wants to do that. But I'm assuming
he's not. And so we just have to kind of proceed like, you know, he isn't. And I think
another big part of the problem here is basically setting the understanding that this actually
isn't what we want to allow in crypto in the future.
And so, you know, what Kyber does here actually has, you know,
it's actually very meaningful down the line, right?
And so we want to make sure we're treading very carefully to make sure we're not
setting any bad precedents for future projects and future hackers.
Right.
I think Kyber, I mean, it seems like an obvious non-starter to have this hacker take over
Kyber.
I mean, that's, again, I have no idea how that would possibly work.
We'd also have to dox the hacker, right?
like in order to take over a company,
you will have to know who it is,
who they're transferring the shares to.
The thing is like,
this person is clearly quite sophisticated
in the sense that the things they're asking for
are the kinds of things you would actually ask for
if you were taking over a company.
So this is not like some child or just some,
you know,
somebody who has no idea how companies work,
which is what makes it so interesting
is that clearly this person is a black hat.
Clearly, they're also a business person
and they have some understanding
of how a deal like this might be manufactured and executed,
but they don't,
have sufficient understanding to realize what a crazy thing this is to propose. Or maybe they do.
And maybe they, you know, I don't know, maybe they say, okay, well, great. If you're willing to go
through with this, please transfer over the ownership into this shell company in the Seychelles that
nobody has ever heard of. And that is, you know, seven layers nested deep into some the structure
of other shell companies that you're never going to get to the bottom of. And this thing is going to make
all the decisions. Maybe that's how this thing turns out. I would be so fascinated just to know.
if you say yes, what happens?
What's the next thing?
I don't think there's any chance in hell
that anybody would say yes to this,
but it's such a fascinating alternate timeline.
So anyway, given all this,
it sounds like from the voices I think we're hearing
from Kyber is that probably this is going to be a no.
Victor Tran from Kyber Network tweeted out,
no one fucking cares about Kyber users
like we do, you deserve the best message tomorrow.
And then they kind of wrote some general stuff
about how Kyber is trying to help
relieve some of the pain for the folks who had their
money lost in the hack as they're continuing to work through things with the recovery.
And apparently there was also some funds that were moved into Tornado Cash from the KyberSwap
exploiter.
So it does seem like the KyberSwap exploiter is more or less moving money around and it doesn't
seem like this money is coming back home anytime soon.
It's an unfortunate situation, but it is very crazy.
Sam, I don't know.
I know this is not your domain.
You're more on the kind of smart contract vulnerability side.
Just give us an understanding, though, when something like this happens, how does a
war room come together, right? What's the mechanism by which, okay, some shit went down, how are you
and Ogle and all these people kind of summoned to the right place? And how does the thing come together
that the response gets organized? Yeah. So I think the moment, anything happens on chain,
there's always a handful of people that, you know, find out immediately. They have thoughts running,
they have alerts running, they have monitoring. Sometimes they have better monitoring than the projects
themselves, which is probably not where you want to be in the future, but it is where we're
at right now. Then these people will reach out to people they know that are typically, you know,
that typically act as the first responders, such as myself or Ogle or any of the other white hats.
And then from there, we sort of, I think everyone in the white hat community sort of understands
what the correct composition of a war room is, that is to say, you know, it should be, you know,
orchestrated by the project. They should have filed saying, what happened.
should have dairy.
It should be very exclusive,
so you shouldn't be inviting
just everyone, you know,
and everyone they know,
and suddenly it's like a hundred-person room
and I'm not really sure
where all this information is going.
And so it does happen, you know,
sort of organically in the sense
that at the moment the project finds out,
I think everyone basically advises them
you should make your war room
if you don't have one.
You know, you should invite people
that you think are trustworthy.
Obviously, everyone thinks they're trustworthy.
And so the project has to make some choices.
And then from there,
once you're all gathered in the same place,
It tends to follow a pretty steady rhythm.
I mean, at this point, I think everyone basically knows that, you know,
get out there, make sure anything that can be paused is paused, make sure that you identify the vulnerability,
make sure you've, you know, you've done what you can to alert the users.
On the tracing side, you know, that's not my area of expertise at all,
but people like pay them one ahead and ZachXBT, they'll go out there, they'll piece together all the little
clues. So it really does work like a well-oiled machine once everyone is there. And then it just
you just have you just have to get the money back. I think most people in crypto, especially who are
building smart contract based applications or DeFi protocols, you know, they all wake up in a cold
sweat having nightmares that Sam DM'd them about something happening in their protocol. Like that is
the touch of death is Sam sends you a DM about hey, I saw this thing happening on chain.
I mean, you watch this, but yeah.
Yeah.
Just from your perspective, Sam, what is that like?
Because I imagine this is kind of a very common occurrence for you, but for many people,
this is when you DM them is the worst day of their lives.
Yeah, I mean, there's really two forms that DM can take.
I think the one that everyone prefers is, you know, I'm trying to message them about something
that no one else knows yet, right, or hasn't been exploited.
And in that case, it is still pretty heart-wrenching, but at least you know that your money is safe
if you follow best practices,
that the one that's not as good,
and unfortunately the one that's happening more often now,
is I or someone else message them
because something has happened on chain.
And so now it's not a question of, yeah,
what can you do to make sure you don't lose anything,
but how much have you lost and what do you do next?
And that is that, I mean, you know,
I always acknowledge in every war room
that I'm here to provide advice.
I'm here to provide in,
objective sort of from an objective viewpoint what I think might be the right thing to do
but I'm not the one in the hot seat right I'm not the one who's staring down the
barrel of you know a nine-figure loss and I will never know what that feels like
and so I can only imagine it's it must be it must be hell like I wouldn't want
to subject my worst enemy to that that's that must be terrible when you're on sort
of the prevention side of things when you're when you're looking for vulnerabilities
How do you decide where to focus your time?
Do you just go on DefiLlama and sort by TVL?
Are there sort of signs that sort of, you know, activate your spidey sense that like, oh,
there might be an issue with this protocol?
How do you sort of prioritize things?
There's like a lot of different places I get sort of new coverage from.
DefiLlama was one of them.
Etherscan used to be one of them.
But now the sort of verified contract space is just not a great view.
It's like what's happening on chain.
anymore. It's just way too noisy. People messaging me about the things that they're working on
is also another great source. And so really just gathering, you know, signals from all these
different places and then sort of, yeah, it's hard to say what I prioritize by. I think it's a combination
of does it feel like it's a very complex thing that's trying to do? Does it feel like it's going
to have a lot of money in it? Were they nice about it? Like sometimes, you know, people are not
not the nicest and then I'm
not as inclined to put in time to it
but generally for our and so it's really a
multitude of factors
I mean I think that's that's pretty much a
so you've seen almost everything possible
go wrong on chain at some point
in your career
what do you do on chain
what does Samczsun actually do on chain
do you like trade NFTs do you sit around
and LP in protocols or do you just like
look I'm gonna never touch any of this stuff
with my own money
oh my god well so before
I joined Paradigm, I
also didn't do much.
I really
having found so many
bugs in protocols at the time,
I think security has gotten
a lot better since
when was that? Like, 2020?
When I joined Paradigm?
Security's gotten a lot better. But at the time,
having been the one to find
all these issues and all these protocols, I was like,
yeah, there's no way in hell I'm using any of these
DeFi things. I'm going to keep my money in ETH and I'm going to keep
my money in DAI.
Paradigm has a pretty strict compliance policy
so nowadays even if I wanted to do stuff on chain
it's pretty tricky to do it in any meaningful capacity
which is fine I still am pretty conservative
about how much risk I want to take
which is what makes it all the more ironic
that having been very inactive on chain
I'm like speaking of which actually side tangent
there's these addresses that people keep linking to me
because someone bought an ENS that looks like my handle
and all these supposed like chain analytics companies
while I tagged me on Twitter
and they'll be like
this multi-million dollar
address linked to Sam
has been doing these trades
follow us for more Intel
and I'm just like
if you're gonna get me wrenched
for you know
owning like a like a multi-million dollar address
like at least let me own a
multi-million dollar address first
I don't want to get wrenched for having
you know like
there's like a hundred X loss
in what you're claiming at anyways
it's just really ironic because
adding made an effort
like not really for purchase me
too heavily on chain.
There's only like maybe five or six
because I'm actually involved in purely
just by like holding a stable going whatever.
And one of them happened to be
like the year in USDA
like yielded variance
token, which
you know, as of a few months ago,
maybe like half a year ago,
no one if there was any yield because it got hacked.
So yeah,
I guess, you know, even when I try to
avoid it, I can't avoid it. It's just
it half us to everyone.
Well, let that be.
a lesson to you. Never touch any of this stuff. It's all, it's all just poison for your bank account.
Okay. So speaking of all this, actually, there's another interesting story in the news that kind of relates to
black hatting and white hatting, which was, there was a French court that was trying somebody.
There were a couple of exploiters who had hacked a protocol called Platypus,
which is an AMM on Avalanche. And the attackers claimed that they had ethical intentions,
that they were white hatting,
even though they were taking some of the money
for themselves,
but they were giving back most of the money,
or something along these lines.
And a French court acquitted them,
and the judge basically described the,
sort of analogized what these people had done
in hacking the smart contract
as taking something from a machine
that gives more than it should give.
So it's kind of like, okay,
well, this vending machine
kind of had a bug in the vending machine,
but like that's not the same thing as, you know,
breaking the thing open.
That was sort of the analogy that the judge gave.
So there's been a bunch of arguments about this
and that basically is this French court upholding
the code is law meme that is often thrown around in crypto
which is that because this thing is code
that should supersede what any other legal analysis
might otherwise define as being the contract between two people.
Curious for you, Sam, having looked at the situation
given that you are a white hat,
what did you think about this French judge
acquitting these two folks who exploited platypus?
Yeah, well, so first of all, I think Code Is Law is bullshit.
Anyone that, in 2023, almost 2024, is still going around either, A, claiming it's legitimate, or, B, claiming that the crypto industry embraces Code Is Law, I think they're being disingenuous or just stupid.
I think Code Is Law, most reasonable people in the space have moved on from, you know, two or three years ago.
And so I just want to get that, you know, out there right off the top.
I think as for the actual, yeah, case itself, not a lawyer, don't want to pretend like I am.
I think there was a huge discussion about this in the ETH Security program, which I, you know, participated in.
It was a nice three-plus-hour, I feel like, flame war, where we just kept going in circles.
I probably didn't help in that.
So, you know, not to pretend like I'm innocent here.
But I think what someone did point out to me was that this happened in a criminal court.
And the judge, I believe, said something like, you know, you can try pushing this in civil court and you probably will be successful.
And, you know, people pointed out the nuance here that, you know, it might not actually be desirable for any crypto case to be tried, prosecuted, whatever the term is, in criminal court,
and that it should be settled in civil courts.
But again, not a lawyer.
So I don't quite understand the nuance here.
I think, you know, generally speaking, though, I would like to see some, you know, some justice carried out here.
I mean, which court aside,
like, it seems a little ridiculous, just from pure intuition, that you know exactly who did it,
you know for sure they didn't have good intentions, despite what they might claim to the contrary,
and they just get to walk free.
Like, you know, you've handed the justice system that perpetrator on a silver platter.
And if they walk away from it, I think that very, very clearly sends a message that, at least in France, this is fine.
And I don't think that's a message we should be sending at all.
And was that the prevailing view of security folks in the Ethereum world?
I do think there's two major camps here.
One of them is this view.
And the other one is that actually there shouldn't be, like, we shouldn't necessarily embrace Code Is Law, but we also shouldn't, you know,
basically run to daddy
whenever something goes wrong,
and that we should try to settle it
in, like, a more crypto-native way.
Do you mean the, what is it,
is it Kleros courts? Is that the crypto-native way?
Wait, maybe finally
a use case. Well, someone filed a
Kleros court case against the Kyber
hacker, and they were like, we should,
what was the phrasing again? They were like,
we need to stop them from using
all the chains or something.
I don't know. Maybe finally a use case.
All right. So, yeah, we got to stop running toward French daddies when things go wrong. Okay, got it.
Yeah, but I mean, to be clear, like, I'm not discounting the other camp, other opinions here.
I think they're, like, you know, looking back to what DeFi was originally meant for, which is, like, this idea of being, like, a truly neutral, you know, like, you know, this is, like, an independent, you know, financial system.
I can see where they're coming from, in a sense that, like,
well, you know, if you welcome, like, third-party intervention into your system
sometimes, then you're going to have to welcome third-party intervention at other times when it doesn't suit you.
And so actually, we just shouldn't welcome it in at all.
I don't necessarily agree with this, but I can see where they're coming from.
And so, but yeah, just to, like, put a bow on that answer,
I think that's sort of where the two major camps lie.
Robert, what's your take on all this?
My take on all of this is that I still think of the entire ecosystem as being in the first inning.
So maybe the second inning, so to speak, of figuring out the social, legal, contractual, moral, and economic conditions of how on-chain systems should operate.
I mean, this debate only goes back to really beginning at the DAO hack.
So eight years ago is, like, the real first origin of this.
And I feel like we are going to be debating these things for another 80 years.
And I think, like, there's going to start to be consensus, you know, emerging over time, but it's still incredibly early.
Like, just the knowledge about how security even works on chain is a relatively new field.
And so, you know, I think the standards that exist now are still evolving quickly.
You know, these are not ossified expectations.
You know, on the last episode, we were talking about the expectations around voluntary
hack recoveries and returns of funds.
And these are, like, new, new being, like, less than a year old, standards.
You know, the standards have not ossified.
And, you know, my personal take is that, you know, I don't think
the current operating conditions for on-chain systems are good enough.
I don't think they're safe enough.
I think that as a user, this is still a minefield for the most part.
You know, you're still taking risks that are extremely hard to calculate when you use
any smart contract-created application.
And, you know, I don't think where we're at today,
even, is good enough. I just don't think so. And I think there's a lot of improvement
left to go before systems are good enough for end users from a safety and security perspective.
Sam, you've been around the space for a while. And I mean, earlier, you said, hey, security has
improved a lot since 2020. What do you see as those main areas of improvement where standards in
the industry are just so much higher than three years ago? And what do you see as sort of
the frontiers of new attack surfaces, you know, new types of vulnerabilities?
What is sort of that vanguard?
I think it's important to disambiguate between security in what I would consider, you know,
sort of, like, the leading projects in sort of Ethereum, Polygon, Avalanche, all the more,
what we consider reputable chains, and then, like, everything on BSC. I think there definitely
feels like there's this
completely separate universe
of projects that
keep getting hacked by these
very simple mistakes, like
not having a function be private when it should be,
or not changing a constant
everywhere in the code, or just, like,
things that I don't,
I just want to exclude from the conversation,
because I don't think they actually represent
what well-intentioned actors
are doing as far as securing their projects.
As far as, like,
you know, these good actors
go, we don't see
many simple reentrancies
anymore. We don't see,
I mean, in fact, a lot of
the bugs that I would have read about
when I first got started in
smart contract security, in that blog post for, like, top
Solidity vulnerabilities, are not being
found anymore today. And I think that's partly
due to just better educational resources.
I think that's due to more
accessible security resources.
I think it's just the prevalence of
security contests themselves, right?
Where you benefit from the
sheer numbers of people looking at your code, compared to an audit firm, which would
assign you maybe, like, two, three, four people max.
I think all these things have done wonders for security.
Obviously, it hasn't been enough, because even though we've raised the bar to finding a bug,
these bugs still exist. Case in point, Kyber.
And so I'm actually not really sure what specifically the next step is.
One thought I had was, basically, with all of these hacks that we're seeing,
it's not as if these hacks are being executed using insider knowledge.
It's not like you had to have the admin key, or you had to have push access to the code
to, like, insert the attack. These were sitting in plain sight, for some definition
of plain sight.
And so a part of you wonders if there's any way we can, again, use the power of numbers
to our advantage, where, whereas there might be five white hats looking for a bug in the next Kyber,
there's actually 500 white hats
looking for that same bug.
So the question I'm wondering is,
how do we incentivize that behavior
beyond what we already have
with bug bounties and audits and contests
and all these other things
that we talked about earlier?
So I know that one of the initiatives
that you've been very involved in, samczsun,
is this thing that you call the Security Alliance.
And we've seen a bunch of initiatives
that you've instigated from your position
into trying to improve the overall security environment
for Ethereum, as well as
just, you know,
smart contract-based projects across many different chains.
There's a bunch of stuff that you guys have come out with recently, such as SEAL 911 and this
crisis handbook.
Can you kind of talk us through, what's the Security Alliance?
Where did this come from?
Why does it sound like a league of superheroes?
And what exactly are you guys doing that you feel like is moving the needle on Ethereum
security, or just smart contract security generally?
Yeah.
I mean, the idea actually is to give it sort of the vibe, you know, like a league of
superheroes, like a group of just, like, people who are not self-interested. They're working for
the benefit of the public, for the greater good. And that is really the focus of what the
Security Alliance is trying to do. And so, as you said, we've launched SEAL 911. We've launched
SEAL drills. We've launched the SEAL inbox. And the goal of all these projects and, you know,
future ones that we're working on is to be able to put aside, you know, individual interests
and personal motivations and actually do the things that matter, actually do the things that will
move the needle in the space. You know, if you try to convince some audit shop or a handful of
white hats or, you know, whoever else, like, you should set aside, you know, minutes, hours, days
of your time every week to, on a purely volunteer basis,
do this, like, you know, frontline help desk service, right?
And by the way, it's going to be branded under my company.
I think that's, like, a pretty hard sell to anyone who doesn't work for your company.
Because it's like, why are we doing this for you?
Right.
There's always questions of what the motivations are, who's benefiting, you know, all that fun stuff.
And so, you know, let's just set aside the question of who it's benefiting.
It's going towards this future organization.
It's going towards, you know, the crypto ecosystem, as
it were. And let's just focus on the fact that what we need right now is this service where people,
if they need help, if they have some bug and they can't get to the right person at a protocol,
which, you know, we've had quite a few of these reports where people can't get to the protocol and
they need to report a bug. Now, let's make the service available for them, right? Let's not make
them pay for it. Let's make it so that if they need to contact a white hat, they can do it really
easily. You know, same thing with SEAL drills, right? In web2, we have solved the problem of
how do you train people on security?
We just do the training, right?
But in web3, if you were to say, hey, you know,
please pay us $20,000 and we'll run the training exercise for you,
well, now you have all these, like, DAO governance debates about, like,
you know, why should we fund your grant?
Or, like, what is the, like, the proposal?
You know, what are the deliverables, et cetera.
You have to do all these, like, DAO politics.
If some, you know, for-profit company was trying to do this,
people might be like, oh, like, are you trying to sell a service?
Is this going to be, like, what's the catch here?
And actually, there's no catch, right?
Like, the whole point is there's no catch.
What we're trying to do is not to profit off this.
It's not to sell you a service.
It's not to, like, attach hidden strings to it.
We just want to make the security space better, right?
And that's something I think everyone in security and everyone in crypto in general can stand
behind.
They just needed something to stand behind that wasn't allied with any particular
company they might dislike, or any particular group or person or whatever they might
dislike.
That's the purpose of the Security Alliance.
That's awesome.
And tell us a little bit for projects.
Let's say I'm a founder.
I'm at the very beginning of building up my protocol and I don't, you know, I'm not an expert on cybersecurity.
What should I be looking for?
What should I be doing?
What should I keep in mind as my project scales?
Tell me about how I should think about SEAL drills or the handbook or SEAL 911.
Yeah.
So I think there's this vision that, over
time, what we'll be able to provide
is, you know, from
the very moment that you get started
to when your protocol is live
on mainnet, resources
that will help you as a founder
or developer make the best
choices for your protocol from a security
perspective. But until
we get there, I think the same things
apply as they always have, which is to say,
I think crypto has always
had this spirit of, like, being open to all.
And so maybe not necessarily gatekeeping
on, you have to be, like, a senior developer
to start writing Solidity, but whether before or during your development process, like,
learn about, you know, best practices of development, right? Like, learn about all the different
ways that Solidity might have footguns. Make sure you're writing tests as you go. Make sure
you're, like, doing unit tests or fuzz tests or property tests. Make sure you're doing the things you're
supposed to be doing. Once you're done with development, or even during development, make sure
you're engaging the security community,
right? Whether that's through an audit,
through a contest, through just
reaching out to a few people to see if
they're open to a peer review. And then once
you do deploy, we have systems in place,
like bug bounties, right? And so
I think that the advice there hasn't
necessarily changed that much from
what it used to be.
Really, just continue following those best practices.
But my hope is that
over time, as we continue to
mature, you know, into '24 and '25,
and as the Security Alliance continues to
develop these public goods that, you know, do significantly move the needle, you know, in a way that,
you know, for an individual researcher or individual auditor, it's just hard for them to gather
the resources or the mindshare to do that. I'm hopeful that for a future developer, much like
when I first got started in security, there weren't any resources for me, I'm hoping that in '24, '25,
there will be resources that will just be, you know, 10x, 100x better than what they are right now.
And that's something that we can work on together.
That's a really awesome vision.
And I've heard some of the stuff behind the scenes about how the security alliance has come together.
And it's inspiring.
In crypto, people often have this view that, you know, look, we're kind of out in the state of nature.
And, you know, we don't believe in, you know, the state or the government.
And as a result, a lot of times public goods aren't really provisioned sufficiently.
And it very much reminds me of almost like police in that,
you know, one can imagine like, well, you know, if you're a pure, if you're a pure anarcho-capitalist,
you might say like, well, you know, can't people hire their own private security? Why do we need
government-backed police? This seems like a private good that can be provisioned totally fine by
private markets. But smart contract security shows you that, look, when you have enough
things that are vulnerable, then that it's kind of like just having, it's like having rats or like
having ants that just create an infestation.
And when they know they can survive, then people just, an ecosystem gets created of black
hats and people who are going around, you know, rampaging and, you know, holding things
for ransom and, you know, DDoSing websites to convince you to pay them or something.
And the more that there is a unified front from the entire industry, from all protocols,
that one shows people that, hey, using stuff on chain can be safe, not always safe,
but if you use the right kinds of protocols with the right kinds of teams that are reputable,
and using best practices, they can be safe to interact with.
And if you're a black hat, you're not going to have a good time.
You know, you're not going to get your money out.
You're not going to be able to make away with these goods.
And most things that you find are going to be secure.
It's a great way, I think, to strengthen the proposition of moving more and more stuff
on chain and making it more trustworthy for users.
So I huge hats off.
And especially after having Ogle on last week, I kind of feel like, hey, you know, in the holiday
season, it'd be nice to sort of give a salute to everybody who's working on security
on the white hat side, because what you guys do is so, so important and so valuable and so often
is underappreciated.
I just want to jump in and just comment that, like, I think it really is about the community
and the ecosystem.
And the way that the alliance is structured, like, this, I couldn't have done this by myself, right?
And I can't do this by myself.
It really is a community effort.
And so I'm most really thankful to everyone else, from, you know, all these different auditors
putting in their time to help triage these issues.
You know, Nascent themselves directly worked on the first copy of the handbook.
That was a lot of time that they put in, you know, without being compensated in any way.
It really was for the greater good.
Paradigm, for letting me do this at all.
This has been a huge time sink for the entire year.
And, you know, let it be sort of, I don't want to say neglect of other duties,
but maybe letting that third pillar that I talked about eat a little into the first and second pillars.
So it very much is, I think, a huge team effort,
and I'm really grateful that people in crypto are open to that
and not just sort of closed off in their own silos
trying to figure out how to maximize for themselves.
Speaking as somebody that, you know,
created a protocol many years ago,
I oftentimes have this experience where, you know,
people tell me, oh, you know,
you've contributed so much to the space, it couldn't exist without you.
And I don't necessarily, like, feel like I'm a hero.
But when I look at samczsun and I look at the people
that are the white hats in this industry,
you know, you're the people that I idolize, that, you know, I think are heroes, that, you know, make this possible for everybody else.
And so I think it's hard to overstate, you know, how much good you've done.
I think there's a lot that people don't know about how much good you've done for, you know, protocols and for the industry.
A lot of this stuff doesn't always, you know, reach CoinDesk.
It doesn't always reach crypto Twitter.
And, you know, I can state, you know, very clearly that you've done an astronomical
amount of good for the industry.
Wow.
If this avatar could blush, I would be blushing right now.
We'll add some blush in post to your anime avatar.
So I talked earlier about how we're entering into a bear market,
and I think that likely means we've already started to see an escalation in phishing,
scamming.
Sorry, did I say bear market?
Bull market.
Yeah, it's a bull market.
Yeah, sorry, we're entering into a bull market, and we've already seen an escalation in
cybersecurity incidents.
So I think this is also a good time going into the holiday season for getting people to start thinking about their own personal security.
And Sam, I think you'd be kind of the perfect person to ask.
You released some stuff earlier that I saw through the Security Alliance about best practices around Twitter security, email security, telegram security.
Can you just, I mean, obviously there's a podcast.
So there's people with a variety of different technical backgrounds and probably many people here don't even use Telegram.
But can you just give like a general overview?
you know, random person in the street who's part of the crypto world or interested in the
crypto world, how should they be thinking about what are the easiest things you can do
to uplevel your own personal security to make sure that nothing bad happens to you this holiday
season?
Yeah.
Well, look, I think there's some really easy table stakes things that everyone should be doing.
I think if you're not already using a password manager, you should be using a password manager.
If you are currently using a password manager and it's called LastPass, you should be using a different
password manager.
I would recommend something like 1Password, for example.
Right, you know, don't feel bad.
Even if you're using LastPass, it's still good that you are using a password manager.
It's just they don't have a great reputation or track record.
So you should maybe try to find a different one.
I think if you're currently using SMS 2FA on anything,
that is by far the most common way people, people in crypto, or high-value targets,
you know, by far the most common way they get hacked is they get SIM swapped, and all of a sudden
everything they have is hacked, because everything they have is tied to the phone number and it's
so easy to just do a password reset. So it goes through, and I'm going to put out a guide on this
in a few days, but, you know, go through your, you know, your bank accounts, your exchanges, your
social media, any of these accounts where, if you just sit down for one and you go, it'll be really
bad if someone could
impersonate me there or see
all the stuff I've stored there
since, you know, when I first made the account, like
all of your past emails, all of your
stored pictures, all the messages you
sent five years ago.
If that would be bad for an attacker to have,
get rid of SMS 2FA, because
if you're in crypto, that is not safe
for you. Let me pause you there,
because I think you're using a lot of
acronyms that people might not be familiar with.
So just for everybody, because I think there's
probably the most useful public service
announcement we can give. So 2FA stands for two-factor authentication. It's when you have a second
way to log in. You know, like, you get a password and then it says, okay, we're going to text you.
Using text or SMS is not a secure way for most people to use second-factor authentication.
Many, many, many, many people in crypto get their phone numbers taken over through what's called
SIM swapping. So SIM swapping is when somebody calls your network provider.
So if you use Verizon, use T-Mobile, whatever, they'll call Verizon, they'll call T-Mobile.
They'll say, hey, I am Tom Schmidt.
I lost my phone or whatever, blah, blah, blah, but this is really me.
They find some information on you online that can corroborate.
Oh, here's my name.
Here's my address.
Maybe they have your social security number from one of these old data hacks.
There's a billion of them now.
So everybody's social security number is no longer really that secret.
And they impersonate you and they take over your number.
And by taking over your number, now they can log in as you because they say, oh, I forgot
my password.
It says, oh, really is this you?
Answer this text.
They answer your text.
They get into your email, blah, blah, blah.
This is sim swapping.
It happens to many, many, many, many, many, many people in crypto.
Happened to me, twice.
Twice?
Wait, hold on.
Happening once is that a statement.
How did it happen twice?
You know, I, after it happened once, you know, I went, I kept my number at T-Mobile.
I went and I said, put on port protection, you know, put on, you know, a full lock on transfers.
Like, like, don't allow this to transfer again.
I think someone was bribed, you know, as an internal employee and whatever protections I had were
removed and I was sim swapped twice.
That's insane.
Well, I agree.
Yeah, yeah.
All right.
So one thing that I would recommend is if you're, if you use Google Fi as your phone
provider because Google Fi cannot be sim swapped because it's tied to your,
as your Google account, but in general, never use SMS.
If you can ever use anything besides SMS as your second factor, always, always, always do it
because SMS is just riddled with problems.
Anyway, sorry, Sam.
I wanted to stop you there just because, uh,
I know that this is probably the most important piece of advice that most people have never even heard of.
All good.
And actually, I'm really glad you did because I want to actually follow up on Robert's point a bit.
And just, if you don't mind, dive a little into the nuance, not too deeply, into what actually happens in a SIM swap.
And it's actually, I'm really happy that you mentioned your experiences, because it actually is a perfect example of how there's two layers to SIM swapping, right?
The first part is
your sort of run-of-the-mill.
As an attacker, I know,
I have no special access.
I know, you know,
no extra special information.
I just know that my target is
Tom Schmidt, I guess.
We're all going to be on Tom today.
And, you know, I'm going to call in to a T-Mobile store
or Verizon store,
and I'm going to say, hey, like,
I'm running super behind.
I'm, like, in the middle of nowhere,
I really need my phone back.
I lost my SIM card.
I lost my phone.
I need to get back the SIM.
And that poor store rep has no idea what's going on.
He doesn't work at corporate, though.
He's just like, there's this poor guy.
At Christmas, no less, right?
It's the season of giving.
And so, you know, he has no idea what's happening.
You might have a note on your account,
but that's totally up to whichever support representative is handling the case,
whether or not they want to look at it, right?
There's no formal process in the system that says,
click this button only after you, like, uploaded the passport
and our systems have verified it, right?
Like, that doesn't exist.
And so the first half is basically, can you, without any prior context,
social engineer a support agent into handing the account over, right?
And this applies, you know, if you've bought, you know, a plan directly from AT&T,
from Verizon, from, you know, T-Mobile, whatever, right?
Google Fi, though, certainly protects against this.
There's just no support agent you can talk to
if you're dealing with Google.
And so there's no one to phish or no one to social engineer here.
But to Robert's point, Google Fi actually doesn't protect against the second type of attack,
which is someone actually bribes an insider or compromises an insider at the carrier itself, right,
at AT&T or Verizon or T-Mobile.
And because, at least in the United States,
every cell carrier goes through one of these major, you know, infrastructure providers,
your account is in their systems.
And if you bribe a T-Mobile employee,
as Robert's SIM swapper did,
no amount of notes,
no amount of locks,
none of that will matter.
It doesn't matter if you're with T-Mobile directly
or you're with Google Fi
or any of the other,
what we call MVNOs,
which is mobile virtual network operators,
I believe.
It doesn't matter, because you're in their backend
and that employee has full access to that system, right?
That's why I want to just, like,
reaffirm that Google Fi
and other cell providers that
are sort of designed to be more secure
than the average cell provider for consumers
will protect you against social engineering,
but it won't protect you against an insider.
And if you're also a high-value target,
like Robert is,
it might be worth bribing an employee with, say, $5,000
to get access to your phone,
which potentially unlocks your Coinbase account
worth millions of dollars.
And so actually, the most important thing you can do is,
yeah, the most important thing you can do is actually, completely,
if you have an option to remove your phone number from the account, remove it.
If you have it set as the two-factor authentication method, remove it.
Because just assume that if you're above a certain net worth,
and that could be, you know, as high as, like, six figures, right, or even, like,
mid five figures, because it doesn't actually cost a lot to bribe an employee,
so if you're above a certain net worth, like, just get rid of it,
stop relying on your phone number, because a
motivated attacker will get access to an insider if they want to.
And then there's no level of protection you can add to solve that.
Got it.
Anything else that you think is kind of low-hanging fruit for people to improve on their security?
Yeah, I think the last one is just get a hardware wallet.
Again, same concept.
If you're above a certain net worth and you don't have a hardware wallet, and you have
all your funds in a MetaMask or Rainbow, whatever, whatever wallet you're
using these days, like, that is just such a big risk.
There's a reason that everyone recommends hardware wallets, and that's because it guarantees that, even if your computer is fully compromised, the computer has to send a request to the hardware wallet to perform an action, and the hardware wallet will not lie to you about what you're doing.
So as long as you're reading the screen or whatever display on your wallet is telling you, and if you see that an action looks suspicious, you will protect yourself.
God forbid, I mean, there's always that zero point zero percent chance that someone finds a 0-day
in the firmware.
But, like, that raises the bar for you to get compromised through any sort of phishing attack
exponentially.
So if you don't have one yet, get a hardware wallet.
Great.
Okay.
Fantastic advice.
If people want to learn more about the security alliance or just learn more about your work, where should they go?
Yeah.
So my Telegram is always open for DMs.
My Twitter account is not, because I hate Twitter DMs.
But ping me on Telegram, send me an email.
There's a page online with other contact methods,
but I probably won't be looking at those.
And depending on, you know, what the question is, what the request is,
like, I'll prioritize and respond to them in order.
But always happy to chat.
And if you have questions on security, always happy to answer them.
Just reach out.
Awesome.
Well, Sam, it's great to have you on.
You're an absolute hero and a legend in the industry.
You've got a multi-billion dollar rap sheet of hacks that you have stopped.
So it's an honor to have you on.
And thanks for all the work that you do for everybody.
Thanks for having me.
All right. That's it for this week.
See you, everybody.