Everyone, Kevin Rose here. Welcome to proof big announcement to make for this show. We have hired Ryan. Carson to join us as Chief Operating Officer at proof. Ryan comes with deep Community operations experience, having been the founder and CEO of Treehouse, which is an online coding school that he recently sold. And then also Futura web apps conference, which was one of
the largest conferences during the web to era, actually spoke there a couple times and it's where we first met now, Ryan is in charge of operations, that includes managing our community. That means he's going to be hiring up a team to help support the proof, Collective Discord. Also, building out, nft industry, research reports for our collectors and planning, our in-person events around the world. Now, the reason for this show recently Ryan hosted a private panel within our proof Collective Discord on wallet security. I was actually
Another meeting of the time by tuned in a little bit late, as I started listen to it. I was just blown away by the information, a lot to learn here and I have actually since moved to Harbor wallets since listening to this panel. Now these types of panels are typically private for our proof Collective Community, but since security is such an important topic, we wanted to release it on the Main feed as well. Lastly, just so, you know, we don't have our audio equipment set up yet. So expect panels and talks like this to have even more Polished in the future. Also, I want to thank all of our panel participants and the
The proof Collective members for their questions. OK let's get into it. Enjoy the show.
Welcome, welcome. Welcome everybody. We are recording this for you all. This is our wallet, security proof panel where we've got some great experts on stage to teach us and guide us and give us some best practices. So we let everybody file in for a minute, Alex and Drew, if you all could
Exit stage for me, please.
It's called. You have to move to audience. Oh God. It's one of the buttons in the bottom. Yeah. There you go. Got it. I
just did it for you all. Sorry. I always feels kind of weird to do that. Like, okay. I'm going to move you to the
audience just like you imagine doing it on a real
stage pushing them on. So I used to run conferences. Actually. I wish I had that button. So there's a couple times. We just wanted to get someone off stage. So
Um great to see everybody filing it. It is a Thursday afternoon here in the east coast. We've got people from all over the world joining us, which is fun. So wherever you are in the world, I hope you're having a great Thursday today. I've got some great guests. We're going to talk about wallet security and this is is supposed to be a very, very valuable Q&A for everybody. So the whole purpose of this is to make sure that all proof
purrs understand how to get there while it secure and get their questions answered. And so I'm not ask the panelists introduce themselves in a second, but I know one specific question. You all have is is it safe to Mint from the wallet? That my proof pass is in so the the speakers are going to talk about that as well. So if you have questions you don't, and if you don't feel comfortable asking to be on stage, please.
Going to the text chat channel in the proof of voice category. So popular question. There. I'll be monitoring that channel to make sure that I bubble your questions up to the to the speakers. But if you feel comfortable, you can also request a, come on stage and ask your question through voice. So let's get Rockin first off. Let's do quick intros. I am Ryan. Carson proof remember, good friend of Kevin.
Been a CEO for like 20 years and had three companies and just fell down the rabbit hole. So here I am Kyle over to you.
Yeah. Hello everybody. I'm Kyle. I work at Ledger now, but I've been supporting Ledger products on Discord for far longer than I've been at this company. I think I started Legend, like, October 20th, or something like that. But if you're on the Friends with Benefits Discord, you'll probably know me. I'm just like the resident question guy and I just, I'm there answering every question that comes my way. It's like,
I learned cryptos answering these questions and I started doing a like weekly how to not get hacked talk there. And at one point, I was doing a talk on the Discord and then Ledger joined the talk and we were doing it together and then you know, one thing led to another and now I'm at Ledger building my own customer service team here in
Portland. Cool. Thank you. Thank you for joining us, appreciate it. And I'm going to try to say your name 0x, but why don't you just introduce yourself? Go ahead.
Yes, my name is Emmanuel. A sorry about
the nickname. But just how you find me on the internet. I used to run product, security Pinterest. And another project I did is Salukis which is an open source, security, key, hardware, but then more on a software guy. Let's say and nowadays. I work in a custody solution, that is to say, essentially a wallet, but for Enterprises, like, we than 200 million dollars.
And it's going to be open source on, like everything. I try to do
awesome. Well, I appreciate you joining us. Thank you very much. And where are you? Where you physically today?
I'm based in San Francisco today. I'm in Chicago because the company I work for is in Chicago. So I'm traveling for
work. Awesome. Cool. Well, great to have you both on stage. Thank you. And if any of you have just joined us, we are recording this. Make sure to throw your questions in the text chat Channel, and and we'll make sure to get those over to the to the panelists. So, let's get started. I want to start off with just kind of
W, security, Basics 101. So Kyle, why don't you start us off, you know, maybe talk for 23 minutes about, you know, while it security basics, please.
Yeah, I want to give a an overview of seed phrases, because even people who know the stuff, often don't know, all of this stuff, like this is something I found that. I once I really started to go into the how the seed phase has worked it all. Just clicked for me. I'm like this all makes total sense. So the premise of cryptography,
Fe in general, is that you have a secret number that nobody else has and the person who owns that secret number can cryptographically signed messages on behalf of your account. And so it becomes critically important to like, keep your secret number secret, but everybody in the audience might be going like, well, I don't have a secret number and I know you're talking about it, turns out that long random numbers are really hard to write down accurately. Like I'll show you, I'll show you how string of numbers you'll be like, I you know, you're going to make a mistake when you ready come. So some.
Person at some point. This is decided that it'd be better to write them down as words instead. And so that 24 word demonic or that 12 word demonic is literally a number encoded as words. And that is your cryptographic secret that you take with you and used to sign things. But going one level deeper. What's cool about this? Cryptographic seed, is that with one secret number, you can use some rules to generate you, more secret numbers that sort of come mathematically from that. And so what happens is,
Is that if you have a Single Seed phrase that's used phrase. Can mathematically generate your, if your game account one, if they're gonna count to, if you're doing the count 3, it always produces the same account numbers in the same order every time mathematically from that seed phrase. So like one question, I got earlier today. It was like, how is it possible? That all of my everything on the blockchain, all my entities, all my stuff can come with me with just these 24 words. There's no way that can encode enough data to bring all my information with me.
Well, it's not all that number is that 24 words is just encoding, your account information. And then of course the blockchain has all the data. All that data is just stored with that account number on the
blockchain. So that's one question I think is going to come up. Is if my seed phrase gets compromised, all of the accounts attached that are compromised, correct?
Yes, exactly. Like one seed phrase, generates infinite etherium accounts. So if you ever gone to Med a mask and click the add account button and it just produces a new numbers, like, here's your new account to sometimes. Just scratch your head. Go any where did that come from? Well, what that did is it just looked at your seed phrase in generated you. What mathematically is account to from that seed phrase. It'll always be at the same account to no matter where you were, you click
generate. Awesome. All right, so now we've got kind of seed phrase 1
On down. What do you? You know, walk the proof Community. Little bit through, you know wild security basics.
The
only thing you need to know is that your job in life, is to keep your seed phrase, like it, make it so only, you know, it and nobody else knows it the thing. I like if your seed phase becomes known to another person, that's a state change to the universe. Like there's nothing you can do. You can't change any passwords. You can't move it anywhere, like it is now known, and you cannot, you can't put that Genie back in the bottle. It's like a really critical failure. If your seed phrase becomes known to anybody.
But you got it. He can't undo it. So then like thinking one step further, how like, what can you do to make sure your seed. Phrase doesn't become known to anybody, but you I'll tell you one thing, that would be a bad idea would be to put it on a computer that's connected to the internet, right? Because like are our attackers out there that want, but with all their soul to like get that seed phrase off your computer and they'll do whatever they can. So like putting it on your computer is just kind of asking for
trouble. What about take a
picture of it?
Yeah, taking a picture of it. Let's see what could happen. Most of the time when you up take a picture, might when I take a picture of my iPhone actually uploads to Google photos and to iCloud. It's for some reason, it's going to both places and who knows where else. And so let's say you have an iCloud password. That is something that's that you reuse across different services and it was leaked from some other service. Like your bank lost it information, so that somebody could log into your iCloud, see your photo get your text out of it, and I'm sure.
Our robots out there that are just sweeping the. Have I been poned.com password list, checking them in iCloud? If they get into iCloud, go to iPhoto and sweet for 24 word, seed, phrase, pictures. I bet that's the
thing. Yep. Got it. So do not take a picture of it. People.
It's like anytime you digitize it like you're turning, you're taking these 24 words and you're putting it you're just adding exposure. Like anytime you get exposure on that thing. It gives you a chance to have that seed phrase become known to another party.
Like got it, even in this actually, it seems something as innocuous as copy it to your clipboard. If you sweep across your Google Chrome extensions see which one's of them have access to your clipboard because I bet you some of them do. And at that moment. Thank if you don't trust that Chrome extension, who knows what it did with that? Once it passed the
clipboard. Absolutely. Alright, so I'm going to give was, it was Manuel, right? That's how I pronounce your
name. Anyone
Willie Manuel a mandroid. Can you speak a little bit about seed phrase hygiene for?
I can and then Carl go back to you.
Yeah, so I think
the point attached our really great well in terms of a gene in the sense in a sense so that you cannot really choose your, your seed trays unless you're really doing something crazy. So it's a random thing that you can get. When you create your first account. For example, of meta mask, I guess one recommendation I could bring to the table. Is that generally speaking try to have
Multiple independent account, for example, and I'm sure we are going to touch that later, but you can have a metal mask which is purely software. You can also create another system service in Freight or Ledger Hardware Ledger and then imported that zip file. So sorry, connect that into your meta Mass. So this is going to essentially create not just multiple addresses, but multiple wallet that are completely
Be unlinked. Got it. And yeah to what the same line. If you are a person that also Builds on the blockchain and experiments on that. It's so, you know, deploy contracts, and test net. So, try to maintain these things as separated as you can because clearly you don't want to use the same address with real money and we test accounts,
got it. Thank you. So I just want to acknowledge everybody audience. I see your questions coming in.
And we will get those answered probably. Well. Let's just tackle a couple of really quick. So the first one that's really the seed phrase was by William. Is this Eid phrase and the private key this the exact same thing just one expressed in in English words question mark,
pedantically know they're not the same thing. Actually the the seed phrase is a single Central core secret and then using math. The math is actually called be
Hi p44, what you can do is you can run math on that seed, phrase to generate you an account and I'm using air quotes around the word account. And if the area of account is an address a public key and a private key. So account one has an address, public key, private key account to has an address public key private key. And you can generate as many of those as you like. So the seed prices actually more serious more important than a private key because the private key being lost you lose access to just the account that that private key is associated with. But if
Is control of your seed phrase, you lose control over all of the accounts that came from it?
That makes sense.
Got it. Yep. I appreciate that. Next question.
All right. Go ahead.
Let me I'm so I just want to say I'm not here to show Ledger products. Like really I like to talk about seed phrases as objectively as possible because what I want to lead you to is this idea that the way you handled your seed, phrase is equivalent to your security level, like the more exposure, your seed phrase has been has been great given in its lifetime. The more likely you are to be hacked like for somebody else to know your seed trays and take your money, got it. And
Person might reasonably go like, well, how what's the best way to generate a seed phrase and make sure it never touches my computer. And that's where Ledger comes in like Ledger is that way to generate a cryptographically random seed phrase in a way that never touched a computer has never been online. Lets you write it down on paper directly while still using it, you know, like you could make a seed phrase on paper, but you can't you don't know how to cryptographically sign things in your head. And so it's like that device think of it as a USB drive. That's only job is to store a single file on it. That is
your seed phrase in a way that can't be that you can't extract the seed phrase out of the
device got it. And yeah, so let's talk a little bit about okay. So let's start off with hot wallet. So say say that the first thing folks are doing is creating a metal mask wallet, and they see their seed phrase. Their let's just talk through a little bit about best practice with that. Hot wallet and then we'll move onto onto Hardware wallets. So as soon as
See that seed, phrase on the screen. You know, what should you then do?
You see your seed phrase on a computer screen. Are you saying a gun, the like, the legend devices screen?
Or let's presume people are for like their first kind of step into this world as all. Right? I'm gonna get a metal mask while they don't have a hardware wallet yet. So when they're setting up their metal mask wallet, and it's showing their first seed phrase, the first one they've ever seen. What are the event due to keep that
secure?
So that the idea that you can see your seed phrase in plain text on your computer screen, should make you scratch your head and going like, well wait, that's not good. That means this seed. Phrase is now clean text visible on a device that's connected to the internet. That could be running arbitrary software, etc. Etc. Like that seed phrase, no matter what you do, or how you treat it. From that point onward. It can only get to like a 3 out of 10 on the security level. Like, you can't get to the 10 out of 10 because it's been on your computer. Got it. Yeah, that's exciting internet.
Love that. Okay. So this
is mean you can't do stupid things with it. Like, it's like you're trying to minimize exposure. Let's say you're willing to accept the risk of metal mask storing that seed phrase on your local computer, in a on your file system, which is what it's doing. You can still avoid putting it into other sources. That might also be compromised like let you put into evernote. There's one more chance for it to go away. You put it into one password. There's one more chance for to go away like everything you do with that taking a picture of it Etc. Like
Each of those ads more risk, so it doesn't mean you can't add more risk beyond what you've already
done. Got it. So, so the lesson here, for everybody in the audience is, you know, this is why hot wallets are so dangerous. Because the, the old, you know, when you sign up for metal mask, it's going to show your seed, phrase on the screen. And at that point, it's already. Like Kyle said, a 3 out of 10, you know, and hopefully downgraded right? And hopefully you're then looking at screen and writing it down on a piece of paper and never selecting and copying it.
Stay anywhere because yeah, yeah.
And let's say you have a metal mask with a lot of funds on it. It's actually, that is a good sign that it's not been compromised, because if it has a lot of money on a metal mask, it's likely if it was compromised. Somebody would have taken your money by now. But what you could do from that point, onward is don't, don't continue to view your seed phase. Again. Don't reveal it over and over again. Don't set up a new browser every day with the seed, phrase like copying and pasting it into anything else. Should be a very, very
Very scary experience for you. Okay, all of that is bad,
got it. All right. So let's Manuel Lee. Do you have any any thoughts that you want to share one? Make sure you get a chance to speak. Yeah, exactly. Yeah, I guess I did play devil's advocate here. But
just to remind people that, of course, let's say, you bought your first 10 ft last year and now the nft is worked enough money. So, of course, there the counter argument is that you want to have a bet. So I guess the question here.
He's where do you feel comfortable having the better? Like I said, you know, maybe you want to put it one password. Maybe you don't, probably one password is better than ever notes on. So it's up to you to decide what level of content comfort, you have with different services and I think in general the best solution or what, in general, I will recommend is you probably have anyways document at your place.
That you consider somehow important and you keep them whether it's in a safe or in a special place. So maybe that's exactly the thing. You want to write down on a piece of paper just for emergencies
got it. Thank you. So let's continue on best practices and then we'll really dig into more question. So. So let's let's let's instead go back and time and say, okay. Well if you set up a hot wallet and you sow your seed phrase in the screen, but it is what it is, right? And hopefully
You didn't take a picture of it or copy and paste anywhere. Hopefully, you wrote it down on a piece of paper and and but it is your hot wallet and it's not super secure. So let's let's go back in time and say, okay. Well, let's do this the right way and use a hardware wallet, you know, from the beginning and and Kyle. I know you're not shelling Ledger, don't worry, but just talk about how you do this in a ledger. That's okay. So, so walk everybody through this. I just want to presume that maybe folks don't know how to do this or they haven't done this. So
Yeah, so like I've seen some YouTube videos out there that show you one one cool trick that lets you use your accounts and bring them into a ledger. So, here's remember. Remember we're talking about seed phrases and exposure here. They The Ledger wallet and metal mask and Tresor and everybody else. The seed for a standard is consistent and it's the same. It's the VIP 39 standard. We all support it. So what you'll see, if you Google the wrong things, is that you can take your metamath seed, phrasing.
In The Ledger because the standard is there. You can do that. The question is, why is that a bad idea? It's a bad idea because that's that metal mask seed phrase, may be compromised. It's Ariana three out of ten and simply by moving it into a ledger, doesn't make it a 10/10 suddenly like you're still at the if it leaks do metal Mask. The Legend doesn't help you. The ledgers job is to make sure you've generated your seed phrase offline and kept it off line. Yep. And so if you want to get to that 10 out of 10 on security you need to use, you need to get a ledger and
Have it generate you a seed phrase on its little screen offline. Write it down on paper, never take a picture of it. I keep it offline, keep it at the 10 out of 10. And then what that means is that you end up with a new account number that belongs to your legendary. You actually end up with this many new account numbers as you'd like, but in this case, you have a new etherium accountant. Number that belongs to your Ledger and you have no choice. But to and this is the pain. This, this sucks so bad. I know, but you have to actually transfer assets from your hot wallet to your cold wallet. Got some teeth at one. One by one.
And that's what sucks
because you're going to pay gas. And yes, what it is.
Yeah, making the new like setting up the Ledger and making a new account is super trivial. It's like kind of fun. Actually the part that's not fun. Is the transferring of assets from one wall to the
other got it. So, all right. So we're presuming now. Everybody in proof understands. You have to have a hard wall Hardware while. Okay. So once you
do want the 10/10,
yes, well, yeah, and I, you know, I think we're saying you should do that everybody that is absolute best practice, especially
Lee with, I mean, even your proof pass right? Is, you know worth almost 40 years now so. So everyone, you know, probably start off with the hot wallet, probably bought some things that are valuable and now is sent them to their, to, their Hardware wallet, paid the gas great. Now, let's talk a little bit about how to be smart about about minting, you know, especially say that you want a mint from your Hardware wallet is, is that safe. Can you walk everybody through?
To do that safely,
please.
And sort of, I want to sort of sweep through questions as I go to, see if I can hit as many of them as possible because you're, you're talking about this is actually a couple things. People are like, well if I have my proof pass in my ledger, people kind of put equate in their minds. That ledger is cold storage and that you can't do anything with it. But on the contrary leather and metal mask work really well together. So if you're a metal mask user and you're comfortable with that, all you do is if you've probably seen the settings in the menu before you go to like connect hard.
Wallet. And what that will do is meta mask will suddenly have your Ledger in the selection options. It's like, oh I'll just use my ledger account for this mint or I'll use my ledger account for you know, it's not like it's locked in there. You can even sign you can sign collab land, Discord office with with the with metal mask and it just uses your ledger to do the cryptographic signing part. Yeah, like in a lot of people's minds that a mask is the everything tool. It's the this two things that a mess does. It's like the
browser extension part that watches for blockchain interactions from websites and handles them and it for a lot of people it has their their seed phrase and can cryptographically signed things. But very much has the ability to defer to The Ledger for the cryptographic part and still do the front-end part that you love and you're used to. So I will tell you that anything you can do in metal mask, you can do in metal mask with the
Ledger. Okay, cool. You all are super chatty and the text chat and I'm struggling to read all of it. So I'm going to try to go through this and see if
I'm what questions I missing but while I do that Kyle, can you talk a little bit about blind signing, you know, and is it safe to do that or not? Because I know you. Yeah, you have to kind of do that. So why don't you talk through that a little bit?
Yeah, thinking about that threat vectors like the ways that people can can convert, like can get you. It can trick you in this world. So if you have your seed phrase in a ledger wallet, you can be sure that that seed phrase cannot be extracted.
Acted from the device even with physical access, even if it's unlocked with the pin. You can't extract a seed phrase, back out of this device. Once it's been set up like you get to see it once and only once that set up time and hopefully you write it down because you can't get it back again. So then if you are an attacker and you know that the Ledger is not something you can get the seed phrase out of, how do you, how do you then get the money you want? So dearly one way is, you can trick the user into giving up their seed phrase. We've covered that to death.
But don't do that, another way to trick a user, even with a ledger is to trick them into signing a transaction securely cryptographically. That does something that's not in their best interest. This is a thing that happens to like holders of large value in FTS all the time. I think is like they'll be targeted with at some people are drop a coin to them that takes them to the sends them to a website because it'll be like a coin show up in their wallet with a website address as its name, the go to the website. It'll say like
Like special and a teammate for board 8 users and they'll just like click, it'll pop up a window that they didn't read. It's a bunch of hex did. Like it's a long hex string that they just said like sign this and they sign it like actually cryptographically signed it on The Ledger screen, but what that thing that you just signed was a transaction that you didn't know what it was doing. Wow. That's a blind sign. You didn't read what it was doing. You can't realize doing because it's like hex characters. Okay, and so that's like be careful of that. And that's
That is the Vendetta that ledger live is trying to solve. Like, that's what we're, that's the Vendetta. It's on. It's like everything you do and let your live is clear signed. It says, steak .5 eith with this person. Like, it tells you exactly what you're doing on little devices screen. It's decoding the data so I can you find signings. Yeah.
Can you can you meant though from say a standard, you know nft drop Insight from Ledger live, or do you have to use metal mask?
You can, but either way, you're actually buying signing because like that mechanism, unless you live is simply just using wallet connect, which is passing arbitrary. Contract data into the device. So. So for like, going out into the wild web and just clicking on a random smart contract, is that that's out there. What do you connect to that website with metal Massacre Ledger live doesn't change. The fact that it's an arbitrary contract that we haven't decoded yet. So it's like I guess is a ledger line. I'm talking like the things that you can click and let your life that are like
Not arbitrary wallet connect. Those are the ones that have clear
signing. So so that it sounds like the lesson is do not mint from any sites that you don't really trust, you know, with with your Ledger with there's anything valuable in your Ledger.
Yeah. Let's let's see how we want to deal with this because
Like yeah, I will blind sign all day every day on Sushi swap because I know that Sushi swap is this. They're fine. Like I trust that. But yeah, and it's he Community is, especially Rogue you guys. Go Rogue really hard and just go to random websites and mint and try to and especially like people, send you things saying, you have the next five minutes to click the mint button. Go go, go. Honestly that the attack. I've seen the most often for NFC holders is actually just a fomo website where they go, you got to do this in the next five minutes and all
Does is you think you're submitting a mint transaction, 4.5 youth, but all it was doing was a transfer of .5 Youth and you're like, oh no, there's my money.
Got it got him. So the last look at what you're doing, you do not for a moment. So let's there's couple of questions coming in. So MB says, once you have your proof on your Ledger, do you need to have it connected all the time in order to be connected to proof? And you mean I think no bites. You mean this court a server.
And the answer is no, you basically. We're going to use collab land to check, you've got your proof pass and then you don't have to worry again about it. Again. So
collab, lines job is a one-time association between an etherium account address and your Discord handle. Cool. That's so you just need to do that once. And as long as that etherium account, address continues to hold a proof and ft, then you'll retain access to the
Discord. Awesome.
All right. Check Manuel Lee. There's a lot in here. Yeah, let me know if you have anything to share. Just go for it. I'm going to try to start reading through all these questions.
Yeah, I can actually tell a story because while maybe you select a few question great because I actually inadvertently participated in a scam so I can maybe share the story how we went so that people are aware. But yeah.
It was exactly what Kyle said as a result in the sense that I signed something. I was expecting. I mean, th that I was sending it here into our on-demand us. So, the learnings on my side have been two or three in the sense. First of all, why that happened was that I was on Discord on my mobile. And so, I saw the icon and I did a distinguish, a message, a direct message from a real chart, right? And so for like,
Honesty is are typically, I'm going to get in communities in a disco Channel. No direct messages. Every entry project is broadcasting that loud and clear. So always get the links, click the links from the official channels.
S exactly the decide like Kyle mentioned. So, there was this effect of former, so it wasn't really towards the end when
you maybe give it giving up because you say, oh there is a gas
War. I'm not going to be up. It was kind of in the middle. Now that is giving you that sense that you are going to miss out unless you are quickly and that's also one sign or so. I randomly like you arrive exactly in the middle, its kind of weird and like I was actually sick.
Combined defense that they but you know, I refresh, I open another browser. I saw that I saw it was kind of tricky but I was really into that and so I continued finally. Finally, this is the part where I would like more people to kind of merge together and fight. So the attacker got the money Shore, but then they went to do an exchange, a particular one to do dream demanding. So I think there is an opportunity for people.
People that get scammed to kind of get together and complain with exchanges. And I know for a fact that if you are a big company, you can go to exchanges. And they essentially give you the money back and see is the counts. It's really hard to do
it. If you are
like us. And so I think there is a huge opportunity for people to kind of collectively fight. This comes even after they happen. The way I did it was finding the
DNS name of Summer, dry season, searching them on Twitter, and reaching out to those people on Twitter.
So I found three or four people
we all vote to this change. Unfortunately, this time we weren't enough to fight back but you know, next time it's going to be better. And of course, if you get scammed count on me because even if I'm not scared, I'm going to be there.
Gosh. Well, thank you for sharing that story. Yeah. Absolutely. I am seeing a couple questions come in and also reciter I want
To say, hello. Thanks for joining us. I know you are one of our panelists. What are you quickly? Introduce yourself?
Yeah, I make the podcast darknet Diaries. And so I interview a lot of hackers and criminals and thieves and kind of get into this world. I'm kind of drawn into the cyber crime world and then report on it as kind of like a journalist would. So yeah. This is something that I'm, if you've asked me, what do I have laser eyes on? It's it's these kind of scams and these kind of hacks, which is related to web 3 as well.
Got it.
Why don't you again? I love that. Dark that Diaries. I want to we should like do a whole thing with with us and talk about all the
scams. Yeah, I was actually going to ask you could, you just share right now? The, the most common scams that people should be watching out
for? Well. I let's I think what we, what triggered. This is a guy lost his board Apes this week. I think it was like 13, mutant Apes, board, apes, and some Doodles. And so when I looked
Into it. I saw that he was trying to mince something called moshi-moshi and after he and in the Discord it somebody got packed in that Discord. So maybe an admin or somebody had the privilege to change the official Links Page or the announcements page to say. Okay. Minting is now open come here. But the thing is that it was the wrong. Moshi. Moshi website. It wasn't the official. And so when he went there, the minimum
Contract said, we would like full access to your Apes Doodles and I think it was kind of club and some other stuff. I so like the approved approved withdrawal method on each of his his valuable and FTS. Yeah. It was I think it was set, set, allow all or something like that and it was first for a specific those for specific contracts. So it wasn't for his entire wallet or even the Ethan as well. It was just for that and so he was trying to get
Get this minted and so he kept clicking approve approve of prove on many masks something like 15 times and every one of those approves was a transfer of aboard, a poor something to this website. Oh my God. Yes and ftes and Arc 20s have the same idea where if you set approval for someone a specific address, they can pull from your accountant which like ether you have to send to someone but ERC 20s and nf2 use they can take from you. And so like that.
Set. And actually many masks was showing that to him. I'm sure and is face. It said, set approval for all in plain text and he just didn't read like what it was
saying. So I well, I want to tell everyone listening and to both the recording and live that if you ever see one of us mods or admins or anything official ask you to Mint. Inside proof. We've been hacked. Like will never do that. So I think what reciters is
Explaining as, you know, if you trust a Discord and then suddenly they're telling you to men, you should always pause and walk away. So. Wow, that's scary story.
Yeah, lock it down to write with the Discord. They take over the Discord. Also lockdown dissenting opinion so you can post at the moment.
Yeah, I'm probably kick all of us mods and admins, right. So yeah, so reciter tell us another scary story,
please. Well, I just want to help you out here. So, you know, when you go into Mass, can you prove stuff? You might wonder. Well, if I just did
From this, I am. I safe not necessarily. And this case with the person losing is for tapes. He actually the contract was with aboard, a contract, and he's hold the board of contract. This, this new wallet has full control over my wallet. And so now, it's not even in as many mask anymore. Now, it's on the blockchain that there's a connection between the aboard 8 contract, and this person's contract. So if you were to get another board ape that person could just suck it out, without his approval of many masks or anything on the contract. It says
Says that they
have full control because, because he's if he puts in the same wallet, correct, but if he hadn't Fallen, yeah, Hardware, while he'd be fine, obviously,
exactly. Yeah. So one way to check what you've done is to go to either skanda IO / token, approval Checker and you can type in your address there. And it will tell you all the ERC tokens that have, you know, that can be controlled on your behalf and all of your n of T, is it can be controlled on your house on their behalf? And there's a
Way to connect your wallet to this and then revoke these permissions. And so, once again, that URL is either scanned IO, / token, approval, Checker. Yeah. I just posted the link to revoke dot cash by. I'm with you, like, actually, The Ether skin one is more full proof that the revoke site has this slider that nobody notices that switches between ERC 20 and at ease that nobody. Nobody knows this slide that and so yeah. Yeah. If you see on the top of the sort of nor the top of the page, I'll tell you how many coins are at risk and how many end
These are at risk and so if you see that, you have some entities but they're not showing up. There's a little slider that you can click to
see that got
it in always, you got your degree, but I think from a Nifty perspective. There's that there is very little use for approval. So you should a good rule of thumb is that you shouldn't have any approval at all. Well, this is for tokens can be here. This is the tricky. Part is when you go to so many places not Yuna swap, specifically, but some
Other of these swap mechanisms, they just say, well, instead of you having to pay gas every time you want to trade this token pair. Why don't we just do approval for all? And it's like that in some other games that you can stake, your entities and stuff. They want to know. Okay. Do we have permission to move these around? I believe even open sea has this permission, where it's like, yeah, we need to move your nfc's around and we would like to have the permission to do that. And so we do actually give a lot of permission here, just
Order to make it work. And it's just if you give the wrong permission to the wrong site, that's where the problem. Yeah, and the other thing is going nuts. Yeah, so the other day, I did a swap on pseudo Swap and that had set approval for all. And I was like, whoa, and so I went back and I revoked it because even though I may trust you to swap if somebody were to break in as soon as swap they would have that control over my wallet. So it's nice to just go back and say okay. That was a one-time deal. I'll ever deal with that website. I'm going to revoke
it. So
So I think that well it's good real quick. So I think one thing we should all do right now. Is that a recurring task, you know, every so often to go and then use, you know, revoke a knees on either. He's either scan or Vo-Tech cash. So I'm gonna, yeah, I'm gonna do that right
now. Let's take a step back here and just like nicer. Yeah. Well, there's this, the potential hack Vector, where you can approve others to take your money and it happens. A lot of times D, Phi. The mechanics are invoking. It is just so,
The thing that you're approving is actually that particular, smart contract, so it's not pseudo swap.com or whatever that has access to that Arc. 20 particular. Yes, you 20, it's like that specific smart contract. So, even if somebody were to take over the pseudo swap website and you've only approved that one contract to take that ERC 20, but but yes, like in general, we're talking about revoking, your RC 20s and ERC 721, like allows that are out there and you can go to this website to see what's out there. And if you don't like what you see, you can.
Submit a new approval amount, 40 and say like I no longer a preview to taking more money from
that's clever. All right, we've got a good question. I want to make sure we get to scroll. Okay. So any of the kids says I have everything in a hardware wallet and follow all the rules but I keep everything in that one wallet mainly because I and I assume he's talking about a hardware wallet. I keep everything in that wallet mainly because I'm afraid of missing airdrops length of time. Held for token drops Etc. Should I be putting things like
Apes and proof in their own quote, unquote vaults, but then my question is, we need to use it for drops like like the recent heart you drop. So, is it really a vault question mark?
And it's a good question. Yeah, I think as your as your collection grows and it becomes more valuable, you might want to consider sort of segmenting that. So if somebody does get into your wallet, they only have half your collection or a quarter of your collection. It does kind of give a stop Gap in that
way.
Got it, Kyle. What's your
opinion? Yeah, it's we're talking specifically about those approvals that you just if you didn't sign them, that it doesn't matter. I have all my stuff in one. Big. Big old wallet associate with my DNS domain name. Just, yeah, the thing about approvals is that they're on a per account basis. So if you did a rogue approval that you didn't, like, if the, and if he is no longer in that account and it's not there anymore. So it makes a lot of people feel more safe and more clean to have accounts that are segmented. Like this is my
Dave account, you're talking about,
you're talking about etherium account on Ledger, right? Not a separate wallet with a separate seed phrase,
yet. Not a separate walls, that precede phrase. My table stakes in this discussion are that your seed phrase is not leaking. Like, we're talking about beyond that your seed, phrase is not something you should worry about. Because if you set it up, right, it's not leaking. It's on paper in my house. You know, like it's fine. We're talking about like account configuration in a way that makes you feel
safe and you can have it.
Infinite numbers of ethereum accounts on your Ledger, right? I mean infinite, but right. Yeah, it is. Yeah, I
you can generate them until you are blue in the face. I think it's like 20 billion or something. It may not be infinite but it feels
has anybody have 20 billion. That's amazing.
Yeah. All right. So what what I've seen recently as well is like some people have really big accounts, their whales in this space. They don't want to click on any website or any link period because they're so frightened that something could happen. And so, what they've done is they will transfer, you know, a little bit
Money into another wallet to do all of their interactions if they want to buy some open, see the put in your wallet by the things and then transfer back to their main wallet, or their vaults. So that gives another separation of. If you accidentally, click the wrong length, the most that they can do is get the stuff out of that wallet. That you've kind of temporarily set up, or it's just kind of like a the military's own wallets where things can interact with the world. But then once it does, it just gets sent to your
fault, got it,
but the origin of this
In is like but wait, I get all these nft drop early Alpha access because I have this NFC in this wallet. But in order to get that like I have to use that same wallet that has the value of n of T, and it's a mint, the next thing, but you can do a little bit of diligence because what you'll click that contract minute, mask will pop up. And I'll show you like what you're about to do Ledger or not. Like whenever you're using a ledge with metal mask is Just One Step Beyond what you're used to with them in a mask. Probably have to do the sign on the device. Anyway, you can see what it's doing. Is a lie.
Mint. I'll show you the contract to dress. You can go to either skin. See the contract. Does it say what you think? It does about a project? That is reputable? Should also upload the code, the so you can see the code. If you can't read the code is probably a scam. Anyway, there's things you can do basic diligence to like just double-check that you're signing a method called mint. The mint method is not stealing your board ape, you know, yeah, it is still
scary. So mr. Pink has a cool question. If you go into text chat you could actually see
E it. He or she has screenshot it, you know, this and they're saying I assume this is. Okay, question mark, can you see that question?
Yeah. Emotes by heart you: for allowance for all tokens to open sea, I mean open sea, is, is a beast of its own. It loves to just allow for all on your NF teas.
I don't think it puts anything back. If you were to say like unlisted on open, see you still have the allow for all set. Which means your yeah, and if you have a nice gate on them, it's like you can't transfer an entity to someone until you first allow for all. I think that's how it works. So like to usually the usually the gates closed but open see whenever you listen to an open, see it opens the gate wide open on that entity and then doesn't put the gate back. So yeah, it's okay, but it's also not a bad back. Exactly.
What was that reciter
it cost gas to put the gate back? And that's kind of the thing. Is it once you trading something new on open? See you got it, do a approval for this open and then you can do a trade and then after the trade, you have to spend gas again to close that gate.
Got it. Yeah, it's frustrate. So if mr. Pink clicks revoke, if they have an active listing that would then
Shut down that
listing.
I think that is probably true. The reason why it's a bra like hesitating for a moment here is because a lot of what Open Sea does as far as listing is actually done on their server and not on chain. That was the origin of that open sea. Exploit that happened last week, where it turns out that they were storing cell offers in a way that could be extracted and used even though the the like user didn't remember that they had something for sale and so like it, you theoretically if you are to revoke access
The sale offer that you had open, would then be closed. But in reality, I'm actually can't tell you what, open? See whether open sea and validates your sale offer or not.
Got it. So got another guest. Go ahead,
go to hold of time, but could be that, let's say you have an honesty and you're thinking, you wanna either trade it or try to sell it or transact on that collection. It's good to leave open sea with the with the permission because you know this way you save gas.
On every interaction you do with Open Sea, vice versa. If you're saying, okay. I'm just going to hold it for the next year. So you can also safely her book and that way, you are protected against any malicious thing happening on Open Sea.
That's a great point. So William is asking, answering question with a screen grab. Yeah, has he come to, should I? Yeah, should I want you to so recent cider? Why do you tackle happy cows? In case people are listening. If you could describe
What you're seeing,
please? Yeah, it's I mean, it seems like a lot of people have gone to this site and they're looking and seeing that RN F, TS have delegation power on some other contract and people are worried. Well, it should I remove this and if you think you're never going to deal with that site again, or it just doesn't feel relevant to you anymore. Like, like one person went to wyvern. I believe that's a place to. I'm not sure it's name. That's the name of the Open Sea.
The proxy thing that when you know, hang on you first, make it open. See account. It says like deploying your proxy contract. That's the river and thing got it. So he whoever this is posted a picture of wyvern, which is like a confusing looking thing that has access to infinite rapt ether which sounds scary. But that's it. Does that because if you place an offer on an N of t on Open Sea, they need to be able to pull that rapt ether from your account. At the moment that the end of T offer is accepted by the seller.
And so it is necessary for functionality and Open Sea to have raft. Ether approval. I wouldn't, I wouldn't provoke that actually but I don't know. It does look scary. And I wish they didn't call it with her, and because it should say, like Open Sea proxy
crazy. Gosh, this is so we're again, we only have 13 more minutes apparently, and there's so many good questions and so such. Good interaction here. Let's pause for a second. Yeah. All right. So Kyle, reciter Manuela.
Not anymore, like vital best practices. You want to communicate to the proof Community before time, and I'll call you. I'll go down the line. So reset, or what. Are you go first?
Yeah, you know, I'm just bouncing off what Kyle said earlier, which is it, make sure you don't share your pre-shared seed phrase with anyone and one of our proof members had this happen to them where they were in another nft chat room and said, hey you can make it now. Go ahead and you know, was one of these spam DMS and they went to the site and the sites that will connect your Madam asked.
Then it asks for the process, 15 word phrase, or whatever, and that the abnormal metamath connection. And so he had they actually put their 15 word phrase in lost their xcopy and their proof from this. So you really do need to not put your seed phrase into anything and unless you're setting up your metamath wallet or your met or any wallet at the beginning. That's the only time to see praise needs to come into action as when you're actually setting up the wallet, not connecting to a site or going to
Mint or anything like that.
Got it. Thank you. Kyle, over you.
Okay, so, let's see that.
The this. Yeah, the seed phase should fill you with fear. When you see it, like my is hidden hidden away somewhere that like it should be actually see phrases. Should be rather hard for you to access. It should make you feel like something is wrong when you need to pull it out because if you want to think about it, and now it's analogous to all of the account information for all of your accounts. And so like the fact that meta mask is so flippant about, like showing it to you and encouraging you to put it in your mobile device and to put it in. Another browser is like it's a little crazy that they're so flippant about that.
Like do this is the literally a string, encoding, all of your account information for all of your valuable assets. It does say, be careful with this, but it also like makes it a little bit to normalized to see and move your nft. Like there's yeah, there's no way to get to the 10 out of 10. If your computer, if your seed prices ever been on your computer and oh, yeah, I we there's one thing I wanted to mention about that too. Is that a mask by necessity has to store your seed phrase locally on your computer. It's actually like users /. You / Chrome / local.
It's literally stored on your file system is stored on your file system, encrypted locally with a password. So that password you used for metal mask is just simply encrypting the file that contains your seed phrase. And so I, if an attacker were to gain access to your machine, one of the things I could see them doing and this is what happened to some artists that were like, give it a rogue Ser file to open, what it did? Is it likely extracted, the volume that contained the encrypted seed phrase from metal mask storage.
Location and sent it away to an attackers computer. Then they could all fly in just guess passwords guess pastors until they unlocked it and got the seed phrase out. So a secure. Like the password length on meta mask is very important. If you're like, worried about people, extracting, the volume and cracking it as a ledger user though. I don't rely on that password to protect my secrets. I rely on my ledger to protect my secret. So I actually would wish. I wish been a mess. Didn't have a password for me. I don't want it. You don't want
that. So what is it?
Is it safe to be using public Wi-Fi or talk a little bit about safety on
Wi-Fi?
Yeah, so people worry about The Ledger having Bluetooth and the interesting thing about cryptographic signing. Is that both of the messages going into and out of The Ledger are not secret. Like that's that's kind of the thing about cryptography is it's the study of sending messages through an adversarial environment. And so what you can do is you can send a message from your computer through USB or through Bluetooth to a ledger device. That message is plain text. It's the message, you're admitting to the blockchain and then the
Stuff happens inside the secure part of the chip, then it sends the side message which is also public. You're actually emitting the sign message to the entire world to the blockchain. And so neither the thing going into or out of The Ledger, our secret information. The secret thing is inside, so I don't mind using Bluetooth. I don't mind using public Wi-Fi but like there are
I don't know if you're using public Wi-Fi in your website, doesn't have https. Then people can just watch what's going on, which has its own implications, but I don't know. I'm confident in my cryptographic security with The Ledger device, but there's other things that can happen. I guess
it's totally fair. So there was a question. No B asked. If you could share your personal protocol to keep your wallets secure and I presume it talking about your Hardware wallets, you know, it is a little nerve-racking. You know, where physically is your
Is your heart? Yeah,
so, personal personal protocol for me, is I have by 24 words on steel plates. I just bought a 10 dollar engraver on Amazon and some steel plate. So it's kind of a DIY thing. But I do store all 24 of them together in one location. I won't tell you where but it's kind of people like to split 12 and 12 or there's ways to split it in three. So you can recover with any 2 of 3, which is kind of a fun way to split. But for me personally, I just have them written down on.
Steel hidden but altogether. Cool
reciter. How about you?
Yeah similar. It's it's it's hidden in a secret place, but I do want to just touch on like coinbase or Gemini security as well. Like if a common attack here is that somebody gets into your email address. And then from there, they can reset your coinbase account. And if you have text based 2fa there, they might be able to sim swap you as well and get that.
If a code that's very difficult for them to do. It takes a lot of work, but that's possible. And so what I recommend in this situation is actually using a separate email address just for such as coinbase and making sure use something like Google Authenticator and not a text-based. Authenticator. This will kind of stopgap some of the stuff as well because somebody gets in your email. You don't want that. That's either gonna be able to reset every password you have. So maybe have a separate email address just for your high value stuff.
Smart. Thank you Manuel a
What's your personal protocol?
Yeah, I would I call the things that were said so well, like I said a bit at the beginning, one of my project was decided to security. So I'm also into protecting us to account like including Gmail including coinbase Etc. And so for example, I just saw someone posted a Google has it that an advanced Protection Program. You can enable that if
It's not convenient for your primary email. You can create a second email that you use. It's not really just for crypto. I would use it also for banks and for wherever there is money and they basically will here Remains the Same for mending. So don't click on anything, don't click on spam email. Don't click, just always. Go to the put on a dress that, you know, it's correct. Whether it's a bank, an exchange of a meeting side and with this simple rule you can get
That is Shop
Smart. If I'm not wrong Ryan, correct me, but I assume The Ledger can also be used as a fighter security key. So, basically you get two in one, you can protect both your online assets and your character. Fun fact, The Ledger actually works as a Fido you to F key if you want to do
cool, so, Ned Ryerson, just did something. I was helpful to me in the chat. If you have a question, why don't you tag me? Because then I can see it.
It easier it's hard to tell sometimes if y'all are talking to each other or asking a question. So let's tackle Ned's question. Can you create multiple wallets with different seed phrases from one Ledger or treasure?
Kyle,
you have multiple seed phrases to one Ledger know that I think treasure works the same way. There's there's this, like, sort of core implicit thing that when the device launches it starts up fresh. It's like you have two options either. Generate you a seed phrase or it'll take in your seed phrased. It is kind of like this one to one thing. It's like the heart of a ledger is a Single Seed phrase and that's like how it was built. But there's this one thing called the 25th word or the passphrase.
You can actually I won't go into it because it's a bit complicated but it's a very cool security setup where you can have multiple pins on The Ledger in each one of them unlocks, a different seed phrase. It locks it different passphrase. So you can actually make different sandboxes with different, totally different sets of accounts with different pins. So you can end up with a security setup where you like, if somebody were to like, you know, threaten you threaten you with violence and say, unlock this Ledger. I'm going to take all your money. You could use one of the pins to unlock it and use some in there.
Access some of your accounts, but they wouldn't know.
Can you pop a link into the chat where people can learn about that, please? Yeah. So now I want to take a couple minutes and get some folks up on stage. Just acknowledge you've asked to be on stage. We were definitely run out of time to tackle. All the questions. This has been so valuable, we can do this again. Y'all just so you know Kyle, would you be willing to come back up another time?
Absolutely. I'm willing to say later also, but also we
So I'll Stick Around in the text chat and just just sweep
up. Okay, cool. Andre sadder. If we do this again, would you be my, would you be able to come back? Cool, so, okay. So let me get some people up and Stage that ass. So glow. We're going to walk you up on the stage and just please be as brief and succinct as you can. So welcome to Stage glow. Okay. Can you guys see me?
Yeah.
Awesome. Yeah. Thanks so much. It's been super valuable. I was on a Twitter spaces. When one of the Apes got hacked about two weeks ago, when it's sort of cascaded with this Open Sea, sort of saga. I think the guy was T dollar or something like that. There's a cyber security guy that jumped off on the call. And he was adamant about, these are drops, you know, a lot of them are obviously on polygon about, you know, getting these things that don't interact with sort of airdrop rubbish, because they could be a dodgy contract and he
Was like this sounded weird to me and I'm not a security expert, but he was adamant that essentially those are drops could have malware on them and that, you know, they could essentially compromise your laptop or your computer. There's a lot of other people on a Twitter space to do was sort of, like, unless you interact with its dodgy nft. You're fine. Just leave them in Hidden folder,
but can you guys speak to that? Is he just out of his mind saying that? Yeah, there was a bug found an Open Sea about two months ago where you know, one of
Polygon gifts that people send you just to try to get you attracted to their, and of tea, or whatever, it had some JavaScript in it, and JavaScript, interacted with open sea, and such a way that it requested new transaction in many masks and actually asked you to connect to a different, you know, contract and pass things over. So, just by looking at it, it triggered this meta mask, you know, request if you if you so. The takeaway here is if you see if you're going on Open Sea.
He and like, you're not buying or selling anything, but all of a sudden metamath pops open. That's that's a warning. That there may be a malicious entity there. Yeah, so that's the thing. You got to look for. Well, I mean a lot of this art is javascript-based, right? And so you're pulling up part, that's got a lot of JavaScript in it or you're pulling up, you know, stuff that's got code in it. I mean, there's all what nfc's our is code. So yeah, it's just doing that. It's but Open Sea found that bug and removed it. So as far as I know.
It is still safe to. Look at all your, all your junkie junkies stuff. Got it.
Uh, can I just one? Just one more quick, one R12 work. I
have the transit T12
words worse than 24
words in terms of. Like, I don't know
what the mathematical equation is, but is someone more likely to guess your 12 words rather than 24? And that's a basic question,
but not really. So it is significantly less complex from a long. Number percent point.
Point the number is 2048 to, the 12 is the large number that you're working with here. So guessing a number that's 2048 to the 12 is he's is easier to do than guessing a number that's 2048 to the 24, which is the 24 words, each phrase, but realistically, both of those are very long and very hard to guess.
Cool. Thanks again guys is valuable. Thanks. I appreciate it. All right. Let's get some more Folks up on stage Tower room. I'll write you up.
Hopefully you're still there and glow emit at the kindly move, you talents.
All right. So, tell room has been invited. See, if they pop up. I think they've gone an active. So I'm going to know a tower and welcome. If you could keep it short and brief. We'd appreciate it on God. He's like a cold feet. She's out. Yeah, screen. Let's welcome screen up to Stage. Welcome screen.
Hey Brian, thanks for having me. My, I have two
questions on my first was indeed to emit a middleman and of t
attack. The second question I had
was fuck Runner. Actually got hex a while back yet. And that was through a foul. He was sent sent to through this court. So should I be not opening any thousand all that are shared for the score?
If you're a Mac User, you should be wary of all files. I mean, there's nothing in scr. So that was where I was referring to have the scr file sent to them. That did something question marks, but it somehow extracted their seed phrase, but that's only because their seed phrase was on their computer to begin with. And that's, that's part of the problem. So I'll open whatever file, because my seed phrase is not on my computer. It is on my ledger. But yes, if you're, if you're have a lot of assets backed by a seed phrase, that's on your computer. You should be like super skeptical of
Being suspicious of all files. And, you know, let me, let me leave you with a bit of more scary idea. Where if somebody were to extract your local volume that had your past, or your seed, phrase on it. They're going to crack it offline. So this is going to guess password is guest passwords on this file until they unlock it and get your seed phrase out which means that you could have a fuse like a time bomb going right now, where someone has your seed phrase, they're guessing passwords on it. And you are six months away from being compromised. You just don't know it yet. So like,
Maybe everything I said about the fact, you have a lot of money in, your account means that you haven't been hacked, as maybe not necessarily true. Like somebody could be actively guessing on your password right now.
All right. Thank you. And yeah, I couldn't a virus
like key lock the password as you type it in on Minimus. Oh, yeah, keylogger is kind of game over sometimes with these things if they can. Well they'd have to get your their password and also the encrypted volume, so they could crack it. But if they installed a keylogger, I'm sure they have the ability to install whatever.
To prevent this from happening.
I would say, the better thing is to just not have your seed phrase, somewhere that could be typed at. All.
Right. So screen. I think what we're trying to say is your you'll have a hot wallet, but theoretically and if someone installs a keylogger, then they could theoretically Log In The Meta mask as you. That's why you need a hardware wallet, right? Because even if there's a key logger, they've got your meta mass pass.
Word. They can't do anything with your Hardware wallet unless you approve it on the hardware device. So that's why it's so important to have, you know, all of your valuable assets on a hardware wallet. So did I get that correct, Kyle, and reciter and memo like? Yeah, cool. Okay. Thanks green. I'm going to ask you to move to audience now just so we can keep going. If that's okay. Thank you very much for having no problem. Okay, so we're over time I have time. So I'm going to keep going.
If that's cool with you all will try to get through as many of these as we can. Okay, so people are kindly tagging me in their questions. Now, it's a lot, just
if somebody were to extract your encrypted volume, by the way, there's you can't change your password. It had the password at whatever it had at the time, it was taken from. You just so, you know, like there's nothing you can do after the fact to change the password, on the thing that was stolen from you.
Yeah, so here's a question. I think for Kyle. My current setup is hot wallet from minting Hardware, wallet, for long-term holds valuable pieces. Now, the gas Wars are less of a thing. Less speed needed is the ideal setup. The following hot wallet, gasps Wars Hardware wallet one, minting / interacting with sites, Hardware wallet, to long-term holds
I would say that my setup is that I just use the Ledger for everything. I don't don't even
Hot wallets anymore. You don't need to. The thing is that people that are really into these nft drops that want to be like fomenting at a moment's notice. While they're driving in their car. Whatever like you will do that, while they're driving in the it having a ledger, having your account on a ledger could slow you down in certain situations. Like, if you don't have the device on you, you can't mint and then you feel like you're stuck. That's why people like hot walls to begin with, is that can take it with them and do it on the fly. So, yeah. Yes, you're not.
Long and team then just use the Ledger for everything. It's the simple straightforward way to go. But if you are a fomo chorus and then you can have somebody on a hot wallet and then transfer it when you're home and not driving anymore to your
Ledger. I'm going to be the dad here and remind you all you should be taking a breath before you fo moment and walking away anyway, so it helps. Yeah, so wait till you get home and use your Hardware lat. All right, I should be feeling that I'm yeah, especially while you're driving. Okay, one question from Alex are Max safer than PCS since our last axon Max.
I think this is ignored a general security.
Yeah, I mean, I always thought were talking a lot about hacks just against metal mask, which is your browser. And so there's not. I mean, you could try it in Safari and see if there's a difference but it's really not. It's going to be social. Engineering you to change your to enter your thing here that you shouldn't be entering as far as downloading malware. That is more common on on Windows, but it's not uncommon. It's not unknown of on Max. So I think the attack is a little bit bigger on Windows, just to get infected. But
When it's just talking about social engineering, your meta mask that can be done on any platform just as easy got it. I will say like mac is better at showing you anything that has access to your screen. It's like, you know screen recording is a say protected thing on Mac. But as far as I can tell Windows, doesn't care about who's watching your screen at any given time. So that might be an advantage for Mac.
Got it. I think I just kicked Manuela some house, man. What if you want to come come back? I will happily put you back on stage all
Geez about
that, Lift-Away mid-sentence. I
know, I don't know. I did there. Let's crank to him. A couple more questions to confirm with the panel. A hardware wallet will not underscore protect you if you accidentally interact with a malicious smart contract,
correct?
I beat the account is an account. As far as the theory of network is concerned, what the hardware will allows you to do is cryptographically signed messages offline. But if the thing you signed is malicious, and it does something to your account to make it open to being like, some asset being taken from your something like that. The Ledger does not The Ledger device does not help you Ledger live in the surrounding software, ecosystem, that Ledger's building is, is trying to be that part that protects you. If
Use Ledger's like ecosystem and we're building it bigger and bigger every day. We're making sure that there is no more blind signing in the world. That's our mission. For the next year is to get rid of all this blindsiding. We're all doing, but at the moment like yeah, it doesn't the hardware wall. It doesn't do anything to protect you. If you sign a thing that you shouldn't have
signed got it manually. Sorry for kicking you if I did that. Well, now Waters wasn't Okay, click the Run button. So Al new has a question as well. Should folks, avoid traveling with their Hardware wallets.
Question
mark.
No way. I love it. Like, bring it with you. You need to do a claim your defy kingdoms, Jewel. On the go, like, you gotta have your lecture with you, right? And in fact, we just have, we had a Fendi collaboration where there's a literal Satchel that you wear over your shoulder. That has your Ledger kind of tucked up under your arm. So some people like to flaunt it. The only problem would be like makes you a target for like physical attack. Having a ledger on you, but I was just security risk.
Yeah.
I would say do not show anybody yet for sure. Because you're kind of lead pipe. You know Vector. Yeah. All right. Yeah, but I wouldn't really like
it's better to use hardware and trouble with the hardware, rather than say, or because they were true, want to travel. I'm not going to use Hardware at all.
Got it. Alright, so, another question and, and all of you on the panel, just feel free to speak up. If you want to say anything.
Passion for Marwan, if you were a dummy and don't feel bad, our, when we've all done stuff and you've had your seed words on the computer at some point, but you have updated the file with junk and then deleted it. Are you still
compromised?
I think like, you know, like I was saying before like the moment you generate and see and storing a specific place, your key. Essentially that's giving them a 3 out of 10 or 2 out of 10. So it's not going to improve anymore. Not because there is always that chance that got compromised in that moment. So the best solution is probably to generate a new one, if we are in the position and transfer the things.
Makes sense. Kyle. Did you want to say something as
well?
No, it's about that. Right? Perfect.
Okay, let's get. We've got couple folks popping up. So am on and invite you up to stage.
Hopefully, they're welcome.
Thank you. Can hear me? All right.
Yeah,
awesome. Instead. It was great. So thank you all for walking us through all this. But yeah, so I just had, I mean, I had a couple questions, but I'll just like, do one. But so for risks around like like I know we went over some, I talked about actors on hot and cold wallet or there any that we missed four.
For like Hardware wallets and hot wallets later blindsiding. I know that's one, one issue. Is there anything else we should be aware of as an attack Vector for a hardware
wallet?
Hmm. It's like, Yeah, The Ledges job is to keep your tip. So there's lots of risks and the one. About your seed, phrase leaking to the world is something you do you no longer have to worry about with a hardware wallet, that one gets put to bed. Then the rest of it.
It is account-based problems. Like these blind signs in these approvals. And whatever, I would say, all of these account-based, like exploits are they all fall into the, the banner of blind signing signing something, you don't understand that does something malicious, is that General thing? We apparently keep finding new ways to do things that we can have people signed the tricks them, but
Yeah, it does. It's all covered under blind siding and really like you can maybe I don't know how to reset it. What do you think about like, how do you, how does a normal person do any diligence on a contract? That's arbitrary and out there? Yeah, it's really difficult. And I think that's the main thing we've got to worry about, is not so much the attacks on our computer or device, but the social engineering to trick us into doing something. We shouldn't be doing clicking, a link that is malicious, entering your info that smell.
Is giving control, oftentimes it's just screen sharing and then something on the screen is there, you know, there's a link to there's a password or seat phrase or something on your screen, and that's how some people have been able to get into other accounts. So you really got to be paying attention to that social engineering aspect and that's what it's an absolute war zone out here every single nft website or you know, Discord Channel gone to. I've gotten some sort of scam sent to me in a DM
And it's the same as websites and I always place and you know what, some of these discords are falsely inflated. They bought the Discord a week ago with 100,000 members already, there all Bots, and they're programmed with AI to just constantly say this projects going at any, if it's going to the moon, and it just keeps saying that over and over, and they're just bots in the channel and it seems like a pop in Discord. And you're like, oh, I got a mint this but there was never, it was never any intention to give you anything valuable. It was a part from Fiverr and it was just
To make a bunch of money for someone and then they're going to leave you alone with with your art at the end.
Scary. I'm on one thing. I'll say is be careful on Twitter. I've noticed as soon as you mention anything like meta mask, you'll get, you know, Bots popping up called meta mask help. So just to so much Social Engineering, that can happen, even outside of Discord. So thank you. That makes sense.
I had one other really quick question around redundancy of your see craze. So I
I know that it's like really important to keep that a secret but also having like a single point of failure is probably not a good idea either. Do you
have thoughts on like
like giving parts of it out to like friends or like creating some sort of redundant or do you just have like 11 metal sheet?
I have one metal sheet, the best thing I've thought of so far with the redundancy is to do that two or three backup. We're like any two of the three plates can come together and recreate the seed phrase and I would imagine a situation where it's you have one of the three. You give the second to a trusted person like your mom or something and give the third to a trusted institution, like a banker safety deposit box. So then you and the bank can come together to make a recovery account you and your mom can come together and your mom.
And the bank come together in the event of your death. That's the best thing I've come up with so far.
Got it. It's great. What's the name of that algorithm that does that or the option and that we need to look for if we want to do that? It's called like shamir's secret. It's a it's like a seeds. Putting tactic. The dumbest version of it is just literally, like, right down 1245 is like you write down certain numbers of the words in different plates and then it just makes it. So the any two plates, have no holes in the words.
And by the way, I think the reason why we use plates as because I've seen a lot of people have their house burned, or good stuff. Gets scratched, build on when it's on a metal plate. It's a lot less likely to be destroyed.
Yeah, plus it's fun to a great
things. Yeah, this is y'all from proof at the communities want to thank you for showing up and being so engaged that I can't even keep our this chats Bonkers. So got a couple more questions that just came in from mr. Pink. You should put the official website and in the Discord here, would be surprised if someone makes a fake site and chasing wallet. Connects. Yeah, we will. Yeah.
Also, but even that, I mean even then if anyone is telling you in our Discord to go do something, it's like we got hacked. So what we'll do is we'll add those official links to the to the FAQ channel. So I'll do that. All right,
we should do our fishing - sighs. Well, we implanted one of those sites and so
are we great? I think there's a couple more.
Looks Martin Mars. You've been waiting for a while. Kind of walking up to stage now.
Gosh, the wallet security is such a important Hot Topic and everyone's really, really interested. Martin Mars. Welcome.
Hey guys, how are you? Good. Thanks for showing up.
Well, thank you for doing this. Is really super useful.
I was actually like ask question a we way back like in the help section about wallets and buzzer and like a jerk and you you actually one of the people to help me with that Ryan. So thank you. And I also like to thank you guys for making the time to talk about all these things which you know, security is super important. And my question was that, you know, how do you
Or your your seat phrase, do you do you have like multiple copies of it in different places of? How do you think about it? Like, I know that serpent different acts. Like he said that she, he stored his bill bill folder like the the billfold though, from bludger destroying the safe would like an air tag on it. But, do you have any best practices for storing seek?
Praise. And so, on, so forth to make you.
Yeah, no problem. And cute Be Friends by the way, we did.
Just talk about that. So as far as using shamir's secret as far as separating, but it was serpent tax. Did have an interesting idea of putting an air tag in your safe. So in case someone walks away with your safe, you can theoretically find it. So reciter Argyle remanded you any any other thoughts that we did talk about on seat phrase. Yeah,
tamper evidence is an interesting one where let's the evil made attack is what it's called where a maid comes through.
Like two snaps a picture of your seed phrase in the way by. It would be nice. If the way you stored your seed phrase, even if it was all in one place on steel plates, if it was done in a way that you could tell whether somebody touched it and looked at it like a lock through that steel plate, that was just posted. Or if you I saw a bunch of washers, strung up on a bolt. And if you were to like put dip it in wax, at the end of the bolt to make sure you could tell somebody, unscrewed it. That kind of stuff is interesting thing. Dad.
It feels like a movie now, doesn't it?
It's so many things were protecting.
Is that aren't actually going to
happen? Yeah. Reciter any thoughts as well on
that. I posted a link to the billfold. I'm surprised you haven't mentioned it yet Kyle, but this is the kind of a device that you can enter one phrase seat phrase at a time, and then kind of lock it and put a padlock on it if you want and store it somewhere. So, it is a metal plate, back
up. Awesome.
As this lots of fun ways. They're all just fancy ways of putting metal letters in a row, right? In some capacity.
Cassidy. Yeah. All right, Martin. Thanks so much. Thank you for thank you, appreciate it. So I think we've done. Well, there's one more person. I want to make sure we give them a chance and let's have this be the last guest on stage. Huge Gil. Butchering that totally. I'm sorry. Welcome up to the stage. Hey guys. Hello.
Hey, thanks for taking my question. Something. Someone else has something in our Discord recently. It's a whitelist or an upcoming and ft project. And if you hold boarded Yacht Club, you name a mutant. Uzuki Cool, Cuts, Etc. Then you're automatically on the white list. I was wondering if you hold one of those things in your Ledger and go through the collab. Land Etc. Like is, are there any risks there?
If you hold that on your on your
Ledger.
No, I mean it's it's fine that the collab land is simply just associating your Discord handle with your etherium address. These waitlist mints. There's two ways. You can usually happen. It's either like you get whitelisted through Discord, which means you can put a different address on the white list, which is, which is nice. It's friendly because you're not, you don't have to Mint with the account, holding your valuable asset and the other way to do it is just simply. If you show up to the minting page early and you have aboard, a pin, the account, you're on the wait list. So you have to use the same account that
Was libertate Ledger or not. I'm just talking like accounts in general, but the good news about waitlist. Main thing is that you should have enough free time to look at the contract to assess whether it's like the correct one and, you know, take your time when you're looking at it to make sure you're just literally calling a mint method and not a set approval for board ape, you know, like if you see that, you're interacting with the board 8 contract, when you think your minting a different thing, that's, that's a problem.
So, if so, as long as you know, you're just
In the Discord, letting them look at the fact that you own that item. Even if it's in your library, there's no risk to the rest of your bugger.
Oh no. Oh, yeah. Anybody can look at your account by address and that's all, that's all that's happening. Is like, okay, that account address is linked to your Ledger because the seed dressing, your Ledger generated that account address, but anybody could look at it, pleasure or not, and that's what collab lens effectively
doing. I feel like this is a new question though. So if so, forgive me, but so if your
Looking quote, unquote looking at the contracts during that, are you, you can't see the method on your on your Ledger, correct on the little screen. So are you? Are you saying, go to ethers can look at the contract there?
You can do a preview and metal mask before you send it down to The Ledger, metal mask does a like, it does a okay job at decoding what you're doing. It says it usually says like mint or ands or buts, at least The Ledger screen. There's the to address and if you really want to be safe, even blindsiding. You says like what you're interacting to and if that to address is your board, a poor, your cool cats or something. That's like something you own, this valuable. You should never be interacting to that contract. When you think you're minting.
New n of T. So you could check that the to contract is something that's not one of your valuable and of T's, I
suppose got it. I don't know. Make sense. So so you could
pull off right
now. Well, and I think we're trying to say is if you don't understand it, if you're not sure, then don't do it.
Well, ask ask a friend. Like, I don't know, it's the problem is like, right now, we're expecting people to be able to go to either scan and read code or go to either scanning. Like, check that the
Act addresses done. A tiny Ledger screen 0x, ABCD type that in to eat. This can check that. If it's board Apes, be scared. But like the you have to know to do that to begin with, the better way to do it is to like wrap all this in better software tooling that alerts you that hey, you're about to do something that you probably didn't think. And that's where like Ledger lives devs are at, that's what we're Ledger's. Head is that is trying to like add more software tooling around what you're doing to make it. So like transferring an entity is all-clear sign. Ideal. It shows you the entity you're sending. And then says,
Like, you know, everything is clear to you as you going,
got it. All right, I think there's one more question here. I'm gonna tackle and then I think we'll, we'll call the voice chat. Quit. But stick around in the and the text. Yeah. Are when asked, if I order a new Ledger, can I generate new seed words to replace the old ledger? So replacing the old seed words on the old Ledger for a
New account.
Yeah, definitely. When you're setting it up. It'll ask you to do you want to set up fresh seed phrase or do you want to use an existing indicate? There has been a some situations where if you're not getting it from Ledger specifically you can keep buying it. Use from eBay or something. Somebody might open it up to look at your seat phrase and then package back up and send it to you. Right? So, if you're getting a new Ledger, I recommend putting kidding. It
fresh seed phrase. Set up to begin
with.
I definitely like a theoretical type of attack where somebody were to, you know, because it's really it's impossible to guess a random number. So wouldn't it be easier if you just gave the recipient a number that you already knew to set up with? And so if you do buy a ledger from eBay and it has a card in the box with with words already written on it and there's like some instruction telling you to use those words. That's a somebody's trying to scam You by having you set up your device with their secret. Bad sign.
Yeah. All right. Well, we're
To call it quits in the voice chat. I just want to thank Kyle, Reese cider, and Manuel, a for spend their valuable time. Thank you so much. Y'all appreciate it.
Yes. Do it again sometime.
It's been very, very educational and thanks everybody for for showing up and interacting and asking so many great questions. The proof team we want to help you feel safe. Educate you. And, you know, make this one of the best communities you've ever been in. So,
You tell us what you need. This this came from a suggestion. Someone said, hey, let's do a town hall around security. So keep those suggestions coming. I recorded this and we'll get it up and the announcements Channel a little bit later, but we'll stick around in the text chat to try to keep answering questions. So thanks everybody. We will see you next
time.