I think that at a macro level, if we want Bitcoin to go in the direction where most people are taking advantage of the self-sovereignty aspects that are available, then we need to continue to push the convenience forward so that it's easier and easier for people to feel confident that they can manage their own keys.

This episode of Empire, I sat down with Jameson Lopp, who is the co-founder and CTO of Casa. Most folks know Jameson for his pretty crazy story of getting swatted. For those who don't know what that means, the SWAT team literally showed up in his neighborhood and shut down the entire neighborhood. We got into that story and so much more on this episode. It was a long episode. I think you'll enjoy the entire thing. Jameson is probably the most well-known security and privacy expert in the space, but we talked about so much more, including why he holds such strong beliefs around this, what financial sovereignty really means, why you should care about your privacy and your security, even when it comes with the trade-off of convenience. I love this episode. I think you'll really enjoy it as well. After you listen, stick around. Let me know what you think of this episode. Shoot me a message on Twitter. I hope you enjoy the episode. I'll see you on the other side.

This episode is brought to you by Luca Tax and Exodus. Stay tuned for more info.

Jameson, thank you so much for joining. I sent out a tweet right before this saying I'm interviewing the legendary Lopp later today and it's gotten quite the excitement. You've built quite an audience, my friend.

Yeah, I don't really know how it happened because I've really been tweeting about whatever interests me for 11 years now. Even the first few years I was tweeting after I got hooked on the Bitcoin, basically nobody paid attention to me. It's like the saying, you can become an overnight success after like 10 years of hard work.

Yeah, we're seeing that right now with Beeple.
Beeple's putting out art every day for 15 years and now he's getting 69 million for it. When did you start tweeting and when did you actually get this following?

I know I joined Twitter in 2009. I started getting interested in tweeting about Bitcoin in 2012. Interestingly enough, my first Bitcoin tweet was actually about the first halving. That was the first time I felt like something interesting has happened in Bitcoin that's worth tweeting about. At the time, I think I had maybe a couple hundred followers and so I got no retweets, no likes, but I've referenced it a few times since then and now all the stats are jacked up on it because people have been wanting to reference my 10-year-old tweet about the first halving.

That's amazing. We're going to talk a ton about just private key management and Casa and your story and all of that kind of fun stuff that people requested and people wanted us to talk about, but I actually thought we could start somewhere different outside of crypto. You spent your early days in email marketing, for lack of a better word, just kind of stripping away people's privacy from what I know about email marketing. Can you just talk about these days, and really what I'm curious about is if you could just share your knowledge of how did that teach you about the trails of data that everybody's leaving behind?

I spent the first 10 years of my career working at the same startup, though I changed jobs I would say every 18 months as that startup grew from 15 employees to 300 employees, from a million-dollar-a-year to a tens-of-millions-of-dollars-a-year business, and it was actually kind of fortuitous at the time. When I got out of school was 2007-2008, like, the major economic correction was occurring and a lot of people were having a tough time. It was actually a boon for the company that I joined, which was fairly random for me because I didn't care about email marketing.
I was just looking for some sort of computer science related software engineering job. But what happened was all of these big companies, their marketing budgets got slashed, so they took that money out of more traditional print and billboard and radio marketing, which is very hard to track the ROI on, and instead started putting it into internet and email marketing, because all of a sudden you know exactly how much you're spending on marketing and you can see how much money you're making from the marketing, because you're tracking who's clicking on stuff and then who's going through the whole process of then buying something. And so what this came down to over the years is wanting greater and greater sophistication and controls over predictive analytics, and being able to say, okay, we've done all of these different campaigns in the past and our marketing manager has tried all of these different things, now what can we learn from it in order to tweak our campaigns in the future so that more people buy more stuff? And so while, you know, none of this stuff interested me, like, from the ideological standpoint, like, I don't care who sells what to whatever, it fell upon me to use whatever tools were available to make these type of analytics and, like, predictive associative features possible. So, like, when we first started out, we were just using a regular old MySQL database. That's fine for most things, but you get to a point where you're working with petabytes and petabytes of data. If you want to be able to manipulate that stuff in real time, you've got to use more cutting-edge stuff. So that's where we start getting into the whole non-relational database, cloud computing, Google-scale type cluster-based approach. It would get to the point where, you know, we were even looking at things like, we know this person is usually in this time zone and they open their emails in a cluster around these hours in the day, and so we want to be at the top of their inbox when they're, like, waking up or
whenever they're usually looking at their email, and so we're gonna, we want to send it, you know, just a few minutes right before then. And so, I mean, you can become sort of infinitely complex with this type of stuff, and it's all in the pursuit of making another buck, right? So it's all financially motivated. The system is in place there for people to devote as much as, you know, 99 cents per dollar of expected revenue coming back, because if you're making a penny on any of these things that you're putting a lot of effort into, then you just multiply that by millions of automated actions, and you can see how, you know, you can basically create new revenue streams out of thin air from enough behavioral science, as it were.

It seems a bit funny, doesn't it, that the world, some of the world's smartest people are, you know, in Silicon Valley working on making better customer relationship management platforms and optimizing the conversion rate to go from five percent on email marketing to five point one?

Yeah, I mean, it's, and it's even, I mean, it's worse than that. Of, like, what are the smartest people working on these days? At least if it comes down to rational, financially motivated people who want to maximize their income, then I would say some of the smartest people are working on Wall Street, or basically working at some sort of trading desk trying to eke fractions of a penny out of trades that happen, you know, millions of times a day, you know, playing zero-sum games that don't benefit society. They just benefit a small number of players that have the sophistication to find your various arbitrage or other efficiency gains. Or, you know, a really sad thing for me ideologically is, you know, a lot of the smartest mathematicians, you know where they end up working? The NSA. The NSA is, like, one of the biggest hires of high-level mathematicians in the country. And, I mean, obviously we don't know everything that they're doing, but I suspect that
there's probably more society-friendly type of things that they could be building rather than intelligence-based tools.

Yeah, yeah. The smartest mathematicians, I feel like, right now are going to one of three places: they're going to trading, they're going to hedge funds, right, they're going to the NSA, or they're going and working on machine learning algorithms at places like Facebook, which none, all three of those don't seem like, you know, I don't know, ideologically too amazing of a place, at least for me personally. But, I mean, what happened with you? Like, when you were at this email marketing firm, I mean, a lot of people who are going to be listening to this know you as the kind of very ideologically grounded in privacy and security. Did Bitcoin cause that for you, or, and create that, or did you already have that kind of mindset back then?

I would say it definitely was a catalyst. I was interested in privacy and security, you know, tangentially, but I was not a hard practice-what-you-preach type of advocate of these things. I cared about, I think, privacy more from the aspect of not wanting government surveillance. I wasn't as against, I guess, a lot of the corporate for-profit surveillance stuff. Obviously I was steeped in it. You know, it did affect my own behavior in the sense that I knew how not only our system but a lot of the other similar systems worked. So, you know, obviously I was running everything with tons of ad blockers, and I knew not to click on things in emails because they were inevitably going to get tracked. And even to this day I'm very studious about, anytime I get an unsolicited email, I immediately unsubscribe or mark it as spam, depending on, like, what options are available there. But it was, I would say, the biggest incentive for me to improve my privacy and security, direct results of Bitcoin, both from having to secure that data itself and then from events happening later on that showed
me that my privacy was terrible and I needed to fix it. But we had, you know, security incidents, and I think anyone who runs any type of online company that has some sort of cyber infrastructure is going to have to deal with it, because you're basically running a business that has a front door that anybody can come knock on. And so the security incidents that we had while I was at the email marketing company were generally around people wanting to get in and steal data, you know, steal email lists, steal personally identifiable information. Even though we told our clients, you should not be storing any sensitive personal information in our system, we couldn't stop them. So there were plenty of times when we found clients that were storing things like credit cards or Social Security numbers, I mean, anything you can imagine. Even though we weren't, we never made any claims about being a high-security system, as soon as you, you know, open up an API that you allow people to put arbitrary data into, they're going to use it for the dumbest things because it makes sense to them. And so, you know, data has value, so it was, you know, it was a valuable asset in its own, and that, you know, if someone can steal, you know, millions of contact information, the more detail about them that they have, the more valuable it is. You can always go to sell that on the black market if you don't want to use it yourself, or spamming or whatever.

So what does that actually mean, for those who don't know, including myself? I've never sold data on the black market. How does that work?

I mean, essentially you go to a website. Usually it's going to be on the dark net, as it's known, a.k.a., you know, Tor-based networks that provide much stronger privacy features for the people that are accessing and using these sites and so on. And a lot of them are just simple forums. It's almost analogous to, like, over-the-counter trading type stuff, where you say, hey, I've got this information, you
will probably provide a small snippet of the dump just sort of to prove its legitimacy, and then you say, you know, this is how much I want for it. And, you know, before Bitcoin, I guess you would probably have to deal in either, like, mailing physical cash or using some sort of prepaid debit cards or something. Or you could, of course, if you're in the carding industry, you could just swap people's credit card numbers and then get into sophisticated laundering schemes around that. But, you know, today you can just say, hey, I want, you know, half a bitcoin for these 10 million contacts that are associated with this stuff, and that, you know, you could probably use to either scam them or steal their identities or who knows what.

All right, guys, we're going to take a quick break from the show, talk about two sponsors. You guys have heard them on the last two episodes. It's Luca Tax and Exodus. I wanted to rerecord both of the ads, though, just because there's kind of two, one story and one update from one of the companies, so I just want to fill you guys in. The first one is Luca Tax. Luca just, I mean, it's tax season right now, as some of you guys probably know. Taxes are so damn complicated that the IRS pushed back the deadline another month so you guys, including me, could figure out our taxes. For folks in crypto, you guys know that crypto taxes can be an absolute nightmare. Fun little story: I tried having my accountant, this guy host way, figure out how to do my taxes, and it was an absolute nightmare because of the crypto, right? All of us, a lot of us at least, have crypto held on a few different platforms. I've got crypto on, like, Exodus, a few other places, and, you know, you've got to deal with FIFO, you've got to deal with LIFO. There are exchanges, there are custodians, there are wallets. And what Luca Tax basically was able to do was, first off, super cheap, right? I had host way go over to tax.luka.tech forward slash empire, which is my URL. I get hooked up if you guys go over there and create an
account, so do that. But I had host way head over to Luca, and it just made it super easy for him to do my taxes. So you can have your accountant plug into Luca, you can do it yourself, but yeah, I highly recommend Luca if you guys are trying to do your crypto taxes this year. tax.luka.tech forward slash empire. All right, head on over.

All right, a lot of you know the second partner for the show is Exodus. I had about 20 or 30 people hit me up last time, said, is Exodus legit? Who is Exodus? How do you hear about Exodus? I want to share a little background on that story. Basically, Exodus, a lot of people don't know them. They've been around since, you know, 2015. They have over 100 employees. They've raised a boatload of money, which we'll talk about in a second, and they're one of the best-kept secrets in the space. Hardcore Bitcoiners, people who have been around since, like, 2012, 2013, love Exodus because they basically let you manage your private keys, which is really sought after. If anyone's heard of, you know, not your keys, not your crypto, Exodus allows you to basically do this. They got super low fees when you're buying Bitcoin, got a built-in exchange, they let you plug into DeFi really easily, so they're an amazing wallet. When I first heard about Exodus, actually our sales team had brought it to me and said, do you want to work with this company? I hit up Peter McCormack because I knew that they advertise with Pete. Pete said, yeah, they're super legit, I do a lot of my business banking with them. He basically gave his stamp of approval. I checked out the product: gorgeous UI/UX, really good security. So I'd really recommend it. They just raised 59 million dollars in four days, super impressive, so they're really well capitalized. And yeah, I'd recommend checking out Exodus. You can find them at exodus.com forward slash empire. All right, let me know what you think.

So we're going to get into the kind of crypto and, you know, the Bitcoin rabbit hole in a second, but if I am a listener who doesn't have much
Bitcoin, and I'm kind of like, I understand that folks in Bitcoin, not your keys, not your crypto, like, you know, they take privacy and security very seriously because it's a bearer asset. What about if I don't own any Bitcoin? Like, why should I care about data?

You're really talking about a trade-off between privacy and convenience, right? That's what all these things are, whether you're talking about security or privacy. And I argue that security and privacy are kind of two sides of the same coin. I see privacy as kind of the outer layer of security. You know, if you can prevent someone from learning about you in the first place, then they can't attack you. And then the next layer is the actual security of, okay, someone is targeting you, they're trying to attack you, what do you have as safeguards in place that will slow down and hopefully completely stop the attack? Once we start talking about threat models, either for privacy or security, there's no such thing as, you know, perfect privacy or perfect security. There's only the question of how much effort, what level of resources is going to be required by an attacker to pierce through whatever protections you have set up. So, you know, ultimately, at least, the ultimate attacker is the nation-state attacker. Generally people do not have that in their threat model, pretty much any privacy or security guides, unless you're just talking about straight-up, like, communications security, which is totally impossible to set up as being nation-state attacker resistant. If we're talking about anything like physical privacy or physical security related, you probably do not have enough resources to defend against at least the nation state that you're physically residing in, that may have a nearly unlimited level of resources that they would be willing to use against you. So why should, I mean, why should the average person care? Because, what is it, an ounce of effort, or an ounce of prevention is worth a pound of cure, is that even if you don't
use any of the Bitcoin or crypto related stuff, like I was saying before, data is valuable. You don't want to get your identity stolen, for example. So just making it more difficult for your credit card or your bank account or other important aspects of your identity to get stolen and sold, traded, you know, that can save you innumerable hours of work trying to clean up after the fact. And, you know, I've heard stories of people who've had to spend years before they were able to, like, clean up their credit after an incident.

Yeah, yeah, that actually happened to a family member of mine. They got their kind of credit taken over, and it took them, like, two or three years to get that back. So yeah, because, I mean, usually you don't even notice for six months to a year. That's exactly what people are pulling their credit reports every month. Exactly, exactly.

All right, so let's, a lot of people know your story, but I think it would be helpful to just recap it. You clearly care about this stuff, and for good reason, right, because you have one of the crazier stories that I've heard, about a SWAT team showing up to your door. So let's take a, you know, a little journey through history. Can you share what happened here?

Yeah, and I have all of the details in a long blog post that I wrote a few years ago, but the short version is that some random person, you know, once my Twitter following had grown large enough, I encountered the problem that anyone with a large audience eventually encounters, just due to the law of large numbers, is there's going to be some deranged individuals out there who are willing to do things that other people are not. And so eventually I had an incident where someone who was sophisticated enough to cover his tracks, he basically used some throwaway services to place a phone call to my local police department and then claim he was me, give them my home address, and claim that I had killed people and was holding someone else hostage and I had explosives in
the house, and, you know, basically touch all of the, like, red flags that, you know, is going to result in the highest level of threat and therefore police response. And so naturally the police, even though they were suspicious of this for several reasons, because the call did not come into the local 9-1-1 number, came into a non-emergency number and got transferred, which is what all of these swatter attackers have to do, and because they traced the call out of state, they also suspected it wasn't me, they were still, probably due to department protocol, they had to come in and shut down my entire neighborhood, block it all off, and figure out whether or not the threat was credible. So it was really weird how it worked out for me at the time, because I was actually not in my house. I was actually at the gym, and I was driving back to my house and I encountered the police blockade. They wouldn't let me into my own neighborhood, and it took me a while of sitting outside the neighborhood to eventually figure out that they were there for me. And at that point, you know, I got hooked up with the captain or the lieutenant who was, like, in charge of the operation and went up into their mobile command center, and I was like, sorry about all of this. I was like, I already know what happens, and I can, because, you know, I've heard of these things happening before in this space. And they were, and they offered to, you know, search my house, and I was like, no, no, I think I'm good, I'm feeling pretty safe.

And so did you, how did you figure out that they were after you? Did you walk up and they, you said, what's going on here, and they said, we're looking for this guy Jameson, and you said, I am Jameson?

Well, they didn't say my name, but, you know, they said, we have a possibly armed individual, and I was like, okay, where? And then they were like, on this street, and I'm like, at this address? And they're like, yeah. I'm like, hi.

Wait, so I, so can you
explain that, though, Jameson? Like, why does, so I get that this person's trying to screw with you, and swatting, and I've heard it's happened to some other folks in the Bitcoin space as well, but why does that then give this person access to your Bitcoin? Or are they just screwing with you?

Yeah, it doesn't give them access to my Bitcoin. It's a form of extortion, because shortly after the police had packed up and left, I sent out a tweet that was basically jeering at the attacker, saying, you know, you're gonna have to do better than that. And within an hour or two after I sent the jeering tweet, I got a direct call to my phone that I did not answer. I let it go to voicemail. I actually saved the voicemail; it's on the blog post that I eventually wrote. And it was basically another threat saying, it was like, I was asking, so in both the 911 call he mentioned something about, like, around fifty thousand dollar ransom, and then once again in the call to my voicemail he demanded, like, fifty thousand dollars worth of Bitcoin, otherwise he was going to do something worse. And of course nothing ever happened after that, because whoever did it is, you know, probably living in his mom's basement and making most of his money by doing various cyber crimes.

It's a crazy story. So, and just so everyone knows, you can find this article and a whole bunch of other articles, it's at lopp.net, I think it is. I've sent your website to probably over a hundred people at this point who are trying to learn about Bitcoin. So if anyone's just getting into the space, or if you've been in the space for a while, you should go to lopp.net. Let's see, Jameson, so what happens after this? I mean, I'm assuming, I know you're a, you know, gun-holding, gun-wielding, you know, kind of, you understand security better than most, but I'm assuming you got freaked out, right?

Yeah. Well, also, I remember when I was in the SWAT's mobile headquarters and they offered to search my house or to
clear my house to make sure it was safe, I actually remembered that just the day or two prior I had gone to the shooting range, and I still had, like, a dozen guns just laying out in my living room that I needed to clean. And after having taken them to the range, I was like, oh shit, I definitely don't want to get into a situation where they're rolling up and, you know, I'm sure they could come up with a reason to, like, confiscate my guns or, you know, say something was wrong. And so, yeah, I mean, in general, I just started thinking about, you know, what is my threat model? And, you know, I went into a lot more detail in my blog post about this, but I approached it from a security analysis perspective of, you know, what has actually happened here? Well, due to a combination of multiple events and changes in technology, but lack of changes in government and law enforcement protocols, we're in a situation now where someone with a modicum of sophistication can, for probably less than ten dollars, create an anonymous phone call that then has the right trigger words, the right information, and can result in a disproportionate, you know, asymmetric level of response. You know, the level of resources that got deployed in my neighborhood was, I would estimate, on the order of tens of thousands to maybe even a hundred thousand dollars worth of resource. I mean, we're talking about dozens of officers, you know, the SWAT team, innumerable people in my community of 400 houses that were inconvenienced in one way or another. I mean, this just had a huge impact, if we assume that the attacker probably only had to spend 10, 20, 30 dollars actually, you know, setting up the technical pieces of the puzzle required to pull this off. And so how do you protect against that? Well, there is no security level that I can implement that will keep a SWAT team away from my property if they know the address and they're targeting it. So you have to go one layer out. We need a level of privacy so that no one can feed
the right information to your local law enforcement and trigger a response like this. And I went back and forth on some of the different options. I spoke to a lot of attorneys. You know, we discussed things like, in some cases I know that people have just gone the I'm-gonna-trust-law-enforcement route, and they go to their local law enforcement and they say, look, this is me, this is my situation, I'm at high risk of being swatted, please put me on a special list so that you, like, call me if you think, you know, call this number if you think that I'm, like, crazy and gonna blow people up. But I don't trust my local law, but I don't trust law enforcement to, you know, follow an arbitrary whitelist exception like that. Like, I don't trust government, I don't trust bureaucracy. I can only imagine the number of ways that someone could screw that up, and that being a single point of failure that ends up not protecting me. So I chose not to go the, you know, try-to-work-with-law-enforcement route on all of this, and instead I said, okay, I'm going to use the other legal tools at my disposal to protect my privacy. And it became apparent very quickly that, you know, I'd been living in the same house for 10 years, I had given my address to hundreds if not thousands of different merchants and online services, and I knew that my name and address were associated in more databases scattered across the internet than I could possibly count. So there's no way I was going to clean all of that up. That meant the only option was to burn it all down and start all over, and so that's what I ended up doing. It took me almost a year. It cost me, I want to say, 30-plus thousand dollars in legal fees, and of course I had to sell all of my publicly registered possessions and purchase new things that were no longer owned by me but rather owned by other legal entities that could not be directly tied to me. So this, you know, is the extreme level of privacy, that it takes a lot of dedication, a lot of resources. Really,
no one other than celebrities should ever have to do stuff like this. And I don't consider myself a celebrity. Like, I'm not big-headed. Rather, it's that I understand that now, in the communications age, it's another type of asymmetry that can happen, where everyone knows about viral effects. Everyone is well aware that due to social media, someone who's a nobody can do one interesting, weird, creepy, whatever thing, and that can go viral, and that can result in them going from having a few hundred people paying attention to them, which is, like, their Dunbar number of friends and personal network that they're associated with, to having tens of millions of people paying attention to them the very next day. You know, this once again is an extreme scenario. It's not going to happen to the vast majority of people, but you never know if you might win that lottery. And so the question comes down to, do you think it is worth the time, the effort, the resources for you to protect yourself against that particular edge case? Because you might win the lottery in a number of different ways.

That's so crazy that you mentioned this. Yesterday was the one-year anniversary of this tweet I sent out about coronavirus when it was just kicking off in early March, and the tweet went completely viral, got, like, 300,000 likes, 40 million people have viewed it, it was linked to in, like, CNN and all this shit. And I was, you know, I was ecstatic. I was like, I was getting all these followers, and I was like, this is incredible. I went from, like, 5000 followers to 20, and then my email starts to get, I start to get pinged. People are hacking into my email, people are trying to break into my various bank accounts, crypto accounts, every social media account, and it was a nightmare. It was an absolute nightmare. And that's, I'm gonna burn it all down, that's actually when one of my friends, I was kind of complaining about this, and he sent me your article, and he's like, you gotta
read Jameson's stuff. So I thank you for that. So one more note on this burn-it-all-down thing, and then we can start getting into Bitcoin a little bit. Jameson, when you burned it all down, how far did you go? Like, do your parents and friends know where you live? Do you use your same name? Or, like, how far are we talking?

Yeah, yeah. So I really, you know, part of this, of course, was a direct response to a credible threat that I would consider to be ongoing, but it was also somewhat of an experiment, that I wanted to see how far I could take it. So, you know, I would say, like, the number of people who know, like, the actual address of my location at any given time is probably, like, five. The vast majority of people in my family, friends, whatever, do not know my actual address. You know, even pretty much everybody in my family, they have mailing addresses, they don't have, like, my actual, you know, if I receive mail in my name at my location, then I know I've screwed up, like that. But yeah, I also don't use my real name with, like, the actual people that I encounter in day-to-day life. You know, I have a couple different pseudonyms that I use for different things. I learned very quickly not to come up with a new pseudonym for every person that I met, because that was untenable to keep track of. But yeah, I'm also lucky that I'm not a celebrity. I think a lot of people who follow me just kind of assume that I must get recognized all the time. I've only ever gotten recognized once in real life, like, outside of a Bitcoin conference, and that was in, I guess it was in Napa Valley, so, you know, it was near Silicon Valley, so I kind of consider that to be, like, it'd be like, okay, nerd world. Otherwise I just try to blend in and not do anything too Bitcoiny when I'm, you know, hanging out with other people.

So do you, do friends in your town who call you by another name?

Yeah.

Fascinating. Do you get to pick, how do you pick the name? Are you, like, Dave
or Tom, or are you, did you pick some crazy, crazy name?

No, I mean, you know, when you're picking a pseudonym, it should be something that, you know, is average but not too average. So obviously you don't want to go with, like, John Doe, but, I mean, something along those lines, that it matches your ethnicity, your geographic location, your gender. You know, you just don't want to be too memorable.

Yeah. What are some, I've heard you mention a book a few times that you might recommend here, but my question is, like, so on one end of the spectrum you have what you did, which is, I don't think anyone's going to replicate who's listening to this podcast, I'll be honest with you. And then on the other end of the spectrum you have, there's the book, for people who are watching on YouTube, you've got Extreme Privacy: What It Takes to Disappear.

Yep, this is the book that I wish had existed when I undertook a lot of these efforts, and every time a new edition comes out I learn a lot. So, you know, Michael Bazzell is one of the premier privacy experts, and he's also got a podcast, so if you're into that.

Interesting. And I think he also has a service where you can pay him, like, six figures and he'll take you off the grid.

Yeah, yeah. I suspect that, you know, he primarily deals with actual celebrity clients who would rather spend a few hundred thousand dollars than have to put in all the time that I did to, like, figure these things out myself. Like, instead, that was, I do kind of, I mean, I like the idea of just paying someone like him to do it all, because the one thing that I did have problems with, even though I spent tens of thousands of dollars with attorneys and bankers and stuff, is that they screwed up multiple times. And, you know, I would start off, at the very beginning I gave them the whole spiel, like, this is why we're doing this, this is why I need this privacy, I'm not a criminal who is trying to, like, hide any sort of ill-gotten
activities or gains or whatever. And so they understood, but they were just so not used to it that there were multiple times that they would just be following a process and data would leak. And so unless you're... Your address on some piece of paper by accident because they're a lawyer and they're... Yeah, it would go into some database, and then I would get like a birthday card in the mail to my actual address, and I'm like, what the hell is this? People, like, my name is not even supposed to be associated with this address. So, you know, from that standpoint, using a privacy expert like Michael Bazzell for him to act as a proxy, my understanding is, the way that he does it is he doesn't even tell the other service providers what the name of his client is, and that's the only way that you can be 100% about any of this. My problem is that, you know, the banker and the attorney, they knew who I was because they were acting as my direct proxies. So, you know, whoever is acting as your proxy for a certain thing has to be airtight, and there's always going to be some level of trust there, unfortunately. Yeah. We've talked a lot about data privacy and just security in general, but one thing I think that you're big on as well is just financial sovereignty, and I think this could be a good segue into Bitcoin. What does Bitcoin mean to you in relation to all of this self-sovereignty and privacy and security? Well, it's crude, but I think the best way that I've been able to describe Bitcoin is it's fuck you money. That sums up so much of self-sovereignty. The way that I measure sovereignty, because this can be applied to many different aspects of your life, it's who can you tell to go fuck themselves? And you can only tell someone to go fuck themselves if they can't really do anything to harm you. So, you know, you're not going to lose anything by severing that relationship. So this is very hard to do when
you're working with service providers that you're entrusting with very important things. So take a bank, for example. You know, if you tell your bank, I'm not going to follow whatever your rules are, I'm not going to submit to all this stupid paperwork, then they'll tell you, okay, we're going to close your account now, goodbye. You know, if you're going to tell your grocery store or your other food provider, I'm not going to follow by whatever rules you want, then they're going to say, okay, we don't have to sell you any food. So, you know, if you want to be self-sovereign from a food production standpoint, then you better have your own farm, your own sustainable setup in that term. You know, same thing for energy provider. There's so many different aspects of our lives that we're entrusting to third parties, because this is how society has organized itself, and capitalism has found efficiencies, and that of course is through specialization. And so instead of us being like a mountain man who has to spend 90% of our day working on survival, you know, and basically fulfilling the most basic level of the, was it Maslow's hierarchy of needs, we can instead work our way up that ladder by only focusing on tasks that are, you know, higher output, they're more economically efficient. And so we let other people specialize on these more base tasks where they can find more efficiencies there. But in general, you know, the issue with creating more efficiencies in the system is efficiencies almost always create fragility, and it's the fragility that we're talking about being worried about when we talk about sovereignty, whether that's financial sovereignty, economic sovereignty, food sovereignty, energy sovereignty, whatever. It's trying to reverse that trend back into the other direction, where hopefully we can use some various aspects of technology so that we can have our cake and eat it too, you know, so that we
can not rely upon third parties but also not have to spend 90% of our days focused on boring mundane stuff, because, you know, humans are creative creatures. We want to be doing new, interesting things that are challenging. Yeah, I take it you're a fan of The Sovereign Individual. Absolutely. It was, you know, quite prescient, and I wish I had read it long before. You know, I didn't read it until after I got into Bitcoin, but if I had read it before then, perhaps I would have joined up even earlier. Companies that become large enough, powerful enough, resourceful enough are already able to and are taking advantage of a lot of the things that the Sovereign Individual thesis has, you know, around essentially negotiating with governments for preferential treatment or taxation or what have you. And, you know, the Sovereign Individual thesis is just kind of like, well, what happens if we take that all the way to the extreme and each individual is at the level where they can negotiate for favorable conditions from different governments? Now that, I believe, is still going to be relegated to sort of the billionaire status level people, but hopefully, should things continue along the same track, it will continue to ratchet down, ratchet down, ratchet down and become more available to a larger portion of the population. Let me ask your take on this then. Right now I think it's four percent of all Bitcoin supply is held in corporate treasuries. You would know that stat better than me. That number might have changed. I think it's around six, but, you know, it's probably even higher than that. That's just the ones that we know about. Yeah. So okay, so you've got that. You also have a very small number of custodians hold the private keys to most of the Bitcoin, right? This is pretty antithetical to Bitcoin and just this sovereign individual thesis. What's your take on this? Is it good because more and more companies are buying Bitcoin and
Bitcoin's getting adopted more, or is it bad, or is it a little bit of both? I wouldn't go as far as to say it's antithetical to Bitcoin, because there's actually precedent going all the way back to 2009, where Hal Finney was postulating on some possible ways that Bitcoin could scale, and one of those ways was that the majority of Bitcoin would be held by banks and that, you know, it would really be more of a reserve asset, and there would still be sort of banks with their own private ledgers that are getting updated behind the scenes. Now, obviously that is not the way that a lot of us want to see it go. It's kind of been going that way, at least from the institutional standpoint. I think it's not helped by some of the existing regulations that require for large funds, like really anyone who is managing, I think, more than a couple hundred million dollars of other people's money, has various regulatory requirements where they have to use a quote-unquote qualified custodian, and that's what ends up pushing them to, you know, one of these large custodial providers. You know, hopefully that will change at some point. I'm not the legal expert, though. I'm not sure, you know, if anything is underway regarding that. There's also just the issue of, even for the large providers or even the high net worth individuals who are not legally required to use a custodian, due to the nature of Bitcoin, how new and confusing and complicated it can be, a lot of them probably feel safer just once again letting a third party with the expertise and the efficiency, the, I would say, focus on all of the minutiae, you know, someone who lives, eats and breathes security aspects of the space, to be worrying about that. You know, they're willing to pay for that service because that gives them more peace of mind than them taking on the responsibility to do it themselves. And so that's what I am actively fighting against. I'm kind of fighting against the tide of convenience. You
know, as you mentioned at the very beginning, a lot of this is trade-offs between convenience and security. And so I think that at a macro level, if we want Bitcoin to go in the direction where most people are taking advantage of the self-sovereignty aspects that are available, then we need to continue to push the convenience forward so that, you know, it's easier and easier for people to feel confident that they can manage their own keys. That means we need to continue to improve user interfaces, we need to continue to learn from users, like what aspects of key management are scary, which aspects are foot guns, you know, how are people screwing up. Every time somebody screws up Bitcoin custody, we need to learn from it and improve our knowledge, our collective, you know, consciousness, and improve our technology of like how do we even let people, you know, interact with Bitcoin. So, you know, there's also, I think, an argument to be made that the real power, the real value here is optionality. It's not that we should force people to hold their own keys, it's that the option should always be available, because that gives you some, you know, flexibility against systemic risk, and that, like, if the system starts collapsing, then at least hopefully some people will be able to get out into self-custody. But, you know, obviously it's better to be in self-custody in the first place so that you don't have to worry about running to the exits if something starts to go down. How do you... Let's talk about Casa for a second. It's, just on a personal note, one of my favorite companies in the space. So what's kind of the spectrum of security in the crypto space? Like on one end you have store your coins on an exchange, then you have store it with a, what, like a BitGo or something like that, and then there's Ledger, and then there's Casa. Like what's the spectrum for folks who might not be as familiar with security? Yeah, I mean, it is a very large spectrum
because there's a sort of, I guess you would say, almost like polymorphic number of combinations of different things you could mix and match for the security. So, you know, worst case scenario is you don't even own your own Bitcoin. You know, some other third party has the actual private keys, and all you really have is an IOU, and you can request that your Bitcoin gets transferred somewhere. This is like a Robinhood or something like that? Not even Robinhood, because they don't even let you withdraw, right? So I guess that would almost be, that's the worst. But then, you know, like a Coinbase or exchange or whatever. So then you get into self-custody. The worst type of self-custody is what's called a hot wallet. So basically you're using a piece of software that's running on a general purpose computing device, whether it's your laptop or your phone or whatever, and the actual private key is also on that device, which means that you have sensitive private material that is technically connected to the internet. So that means if somehow an attacker manages to walk through one of the front doors on your device and exploit something in any number of ways, then they could take that key and steal all your money. You have no recourse. The next step after that is taking your keys and putting them on a dedicated air-gapped device. This is where Trezor, Ledger, Coldcard, so on and so forth come into play. This effectively protects you against most hacks. You know, we've still seen some hacks in actual software wallets, like MetaMask extension or whatever, where users, even though they had their keys on a Ledger, they were still tricked into sending it somewhere else, but that could get, that could send to other complexities of like Ethereum and all of that stuff. So you're like 99%, I would say, protected against hackers if you're using a dedicated hardware device, because it's doing independent verifications on non-internet connected hardware. After that is when you start getting
into multi-sig, and instead of having one key on one device, you start having multiple keys on multiple devices, and now even if one key gets lost, stolen, whatever, then you're fine, you can use the other keys to spend your money. And this is the level that Casa is operating at, where we're making it easy for you to get into a setup that is very diversified, using multiple different types of devices to store keys. You're storing them in different geographic locations, which gives you more robustness against loss from any number of different things. And, you know, it's actually a fairly complex threat model. We've got like 30 pages of a threat model that are accessible on our website for you to understand all the technical decisions that went into this. And so while it's, you know, a lot of technical decisions that went into the architecture, we slap a really nice user interface that guides people through the process. So this is really what we're trying to do, is take a decade of hard lessons that were learned through all types of different laws and build software that essentially acts as like a guide rail for people to follow the best practices without having to be, you know, a crazy obsessed Bitcoin nerd who spends all of their time reading about best practices and hacks and thefts and stuff. I know several friends, close friends, who use Casa, and unfortunately they only started using Casa once something pretty bad happened to them. So just to make sure I understand how Casa works, and to make sure everyone understands how Casa works, let me try to repeat it back to you. So basically, in this lockbox analogy, you might need three keys to unlock the lockbox. You're going to give the user, let's say, five keys. Casa holds on to a key, you send a key to, you know, a storage box held in the safe, I get a key, and two other keys go out somewhere. If two of those keys get lost, you're fine
because you still have the other three keys. No single key can... If you only have one key, so say someone hacks me and gets one of my private keys, I can't unlock that lockbox. Is that a general understanding of it? Exactly. And we make it very easy to replace keys in the app. You know, if you have a device that gets lost or you think it might have been compromised, it's very easy in our app to mark it as compromised and then go get a new device, add that to your key set, and then basically perform a key rotation so that you're kind of rotating your funds out of that old key set and into the new key set. Are most of your customers individuals, or is it more of a B2B sale? No, it's definitely individuals. We originally, in 2018, kind of took a Tesla model, like starting premium and working our way down. So we started off really only targeting high net worth individual, like OG Bitcoiner types, and then over the years we've added a few other tiers with, you know, less white glove service, I think is the best way to describe it. So, you know, we've got a very simple ten dollar a month type of tier, which is really a self-service setup. You bring your own hardware, plug it in, easy to get going, but only really offer email support. And then at our higher tiers you'll get more complex setups, but also these tend to, you know, require more hand-holding, and so you'll get higher levels of like phone and video call support, all the way up to our top tier, which we have a specialized inheritance program, which is really onerous to get set up because we actually onboard your estate attorney as a key holder in your key set. Wow, that's amazing. In terms of... We're going to start to wrap this up. I have one question that's non-security related. You've been in the space for a long time. You clearly like the data side of things. Most people in the space look at the exchange rate, right, of Bitcoin to US dollars, but exchange rate is just
one pretty simple metric that we can observe, actually one of the less quality, in my opinion, metrics that we can use to observe the evolution of the space. What are some metrics that you pay attention to, and what metrics right now excite you? Well, I have an annual post that I do that goes through all of the metrics that I pay attention to. It's basically my annual recap. There's probably a hundred different metrics in there. And of course my first ever project was a fork of Bitcoin Core called Statoshi, which is just metrics of Bitcoin nodes, and anyone who goes to statoshi.info can see some eye candy charts of what my Bitcoin node is doing right now. But yeah, I mean, I'm tracking things like sustainability. One thing that's been coming up more recently is, you know, how does the Bitcoin network continue to pay for its thermodynamic stability as the block reward keeps going down? You know, we like to see transaction fees continue to offset the decreasing subsidy, but, you know, there's just a lot of aspects of Bitcoin that are not a hard and fast science. You know, from a thermodynamic security standpoint, Bitcoin could work at any level. You know, it'll automatically adjust to whatever amount of energy is put into it by miners, so it's hard to say how much is enough. I did see one person on Twitter said it just needs to be higher than the energy output from the biggest nation state, and that should be enough to be safe, which I thought was an interesting point. But I mean, I also like to look at adoption of like Lightning Network, you know, see what are the number of nodes and amount of Bitcoin that we can tell is locked up in there. You know, it's not all even publicly available, so some of these things are fairly rough estimates. Seeing things like adoption of various aspects of Bitcoin like SegWit, which it looks like has been adopted by almost everyone except for blockchain.com, and
yeah, just continuing to see how the network moves forward and evolves. You know, I also do annual tests of Bitcoin node performance, and it's interesting to me because I'm often surprised year after year, where I expect the sync time from genesis to blockchain tip for a fully validating node to increase, because of course we're adding like another 50 gigabytes or so of data that need to be downloaded and verified, and actually, with a number of node implementations, it keeps going down year over year because of the various optimizations that they keep making at very low levels. So, you know, there's no one thing, but I would say that price is the least interesting to me. I believe that price is only interesting as a sort of lagging indicator for how ignorant the world is about Bitcoin. Well said, well said. This was an audience question that at gorilla v2 asked on Twitter: when will you be able to run your own node with your multi-sig setup? So when will... Yeah. Well, in terms of Casa, connecting to your own node from the Casa app has been something people have asked about us for a while. If we did end up doing that, it would probably only be against an Electrum node, because we spent a lot of time actually swapping out our infrastructure last year. We wrote a whole post about that, about Electrum performance. So we're already using Electrum on the back end at Casa. But there is kind of a workaround for it, and we have some blog posts and knowledge articles about how. Part of the process for Casa is us proving to the user that Casa as a company is not a single point of failure, and that includes Casa itself. So part of getting set up with a multi-sig wallet in Casa is actually us providing you with instructions and data for how to recover your funds using other software that supports the same standards as Casa, and these very common multi-sig standards. And as a result you can go recreate your wallet in Electrum or in Specter Desktop.
We have specific instructions for both of those. The nice thing about Specter Desktop, which I just wrote a blog post about, I think a month or so ago, is that Specter Desktop actually requires you to be running your own node, and it connects to that. So what you can do is you can essentially recreate your Casa wallet as a watch-only Specter wallet and ensure that any of the data that is appearing in Casa is actually being fully validated by you and your full node. And this helps keep Casa honest as well. It protects against other edge case things, like if you suspected that Casa might be screwing with the multi-sig and like changing the keys in there, then the neat thing about the way that Bitcoin addresses work is that they're based on a hash of the redeem script. The redeem script is essentially the Bitcoin language that describes all of the conditions for what is required to spend that Bitcoin, and since the Bitcoin address is a hash of all of that, if you change a single byte of any of those spending conditions, it results in a completely different Bitcoin address. So by cross-checking the Bitcoin addresses in your own watch-only wallet versus what Casa is telling you, you can actually independently validate and ensure that we are not screwing around with any of the aspects of your Bitcoin hodl. Very interesting. We're going to wrap it up with two questions here, and then, if you'd like to, you can ask me one question to finish this. But my first question is just, we talked a lot about security and privacy and financial sovereignty and custody. We didn't talk that much about just you as a founder and building Casa, and it's not easy to build a company, right? It's pretty damn tough. What is the biggest challenge that you're going through as an entrepreneur and as a founder right now? Well, right now is actually a good time because it's a bull market. This is my second cycle, my second Bitcoin cycle, you know, working full-time in the space, and interestingly
enough I actually joined BitGo right at the beginning of the last bull cycle, like early 2015, you know, after the Gox crash basically bottomed out, and so it was a good two years of bear market, slow going during that time, until the scaling wars really heated up. And then I started Casa right after the last crash. It was early 2018, and so I had two and a half, almost three years of bear market with Casa, and it was slow going, because really the people who are around in a bear market are the hardcore believers, usually, who have been in it for a while. So, you know, it's hard to grow because the ecosystem at a macro level is not growing. You're kind of searching for scraps. You know, that's one of the reasons why we tried diversifying from the multi-sig to also having the node product, to try to, you know, increase our total self-sovereignty package and pull in more Bitcoiners. You know, that ended up not working for a multitude of reasons, including the fact that just the total addressable market size for node owners is actually far smaller than for self-custody. And, you know, I would say one of the hardest things that we had to do was actually cut that product. It upset a lot of people. It upset us, you know, upset having to let team members go who had been working on it. But, you know, ultimately it was the right decision, and we came out the other side doing well. You know, there are multiple other companies in the space who also had to cut node products. You know, this was, I think, not a unique one-off thing but more indicative of, you know, trying to sell nodes in general. Fundraising: this is the first time I ever did anything with fundraising, and that is totally not my jam. If I never have to fundraise again, it'll be too soon. I'm a technical guy. I want to be reading, writing, reviewing code, you know, doing the occasional shitpost on Twitter. But you're talking to venture capitalists and trying to
convince them that, you know, my business is the best business. It's definitely not the way that I roll, because I'm more of the fuck you, I'm building something because it's cool, rather than, you know, this is going to be a billion dollar company. You know, the reason that I actually switched from BitGo to Casa, well, one of the reasons, but I would say one of the primary reasons, was that despite me being a Bitcoin security expert with years of experience, I found myself spending an entire weekend every year refreshing my cold storage, and I was like, well, if it's this painful for me, I can only imagine, you know, other people, and most people are just not going to want to go through all this trouble. So it was less of me being like, oh, this is a business opportunity right here. It was more of, this is a requirement if we want Bitcoin to go mainstream. We need to build products that make normal people feel comfortable doing secure Bitcoin operations. So for me it was more of an investment in Bitcoin the system, as a high level, of like what is the next greatest impact and contribution that I can have to the system. Because I'm not a cryptographer, I'm not even a protocol developer. I have like a few minor trivial commits to Bitcoin Core, mostly as a result of my Statoshi fork and just things that I ran into, but that's just not my thing. I'm like an application infrastructure type of engineer, and I think that, you know, the most leverage that I can apply will be making contributions at that level. What was your least favorite meeting with a VC? Well, you know, there were a few of them. You know, we talked to a bunch of crypto VCs, we also talked to a bunch of regular VCs. I mean, the worst ones, there were a couple where they were obviously just like Bitcoin skeptics, and I'm like, you know, what the fuck am I even doing here? I was like, you're not even watching convince me about Bitcoin. So yeah, I mean, it's like I'm supposed to convince you not only that my
business is good, but ultimately I have to convince you that Bitcoin is also going to be an amazing thing. It's like, I'm not up for that. If you don't believe in the mission that I am trying to follow, then I don't need your money. Like, I want someone who is willing not just to give me money but also to support the business in a variety of other ways, and that means you need to believe in the business. Yeah. Last question here: what is something that folks don't know about Jameson, or that folks don't know about Casa, that you'd feel comfortable sharing? Well, I mean, I still think the biggest misconception is that, a lot of people still think Casa is a node company or that we started out as a node company. We actually started with multisig. Probably at an even higher level, the bigger misconception is that Casa is a Bitcoin company. And it's not that we support anything other than Bitcoin, or even that we plan on adding support for anything else in the near term, but rather Casa's mission is to be a personal sovereignty company. You know, that was the mission that drove us to go down the route of adding the node a couple of years ago. But what this means is that whenever there is a way for us to help people use cryptography and technology and private keys, really anything that people can use to leverage their own sovereignty, that we can, as technologists and as customer client services, help them, you know, navigate, if that will empower our users and we can provide a better user experience than the current level of tooling around whatever these technologies are, and we can package those all together, that is what Casa is going to do. Amazing. Love that. Take it or leave it, we can wrap this up with one question for me if you'd like. Well, kind of going back to your own personal incident, are you ready to burn it all down, and what are you willing to commit? I'm not ready to burn it all down, I'll be honest with you. I tried burning it
all down, actually, and... I didn't try burning it all down, that's not an honest thing. I tried really going towards your end of the spectrum, and then I took a trip to Portugal, and I was trying to navigate Portugal. I was refusing to use Google Maps, and I was trying to navigate Lisbon, Portugal, with this like printed out map, and I got so frustrated. I was in these, weaving in and out, little roads, and... Even the GPS devices and that type of setup can be wonky. They are, yeah. But what's really wonky is these printed out maps from the 1990s. And I just said, you know what, this is literally, I'm living right now the trade-off, you know, between convenience and privacy, and I wanted privacy, but in this moment it's hot as hell and I'm lost and I want convenience, and I slipped up, I'll admit it. It was kind of a setback, I will say that. I really encourage people to go beyond just, I think the obvious one is kind of just 2FA, turn on 2FA for like security, but there's so many layers that they can go beyond that. And it's what you said at the very beginning of this conversation, which is just spending, I think you said like an ounce for a pound or whatever it is. Really just spend a weekend doing this stuff, and your security and your privacy can increase by 95 percent, right? That extra five percent could take months or weeks and a lot of money to get to, but just spend two days to reassess your privacy and your security, and it'll go a really long way. So yeah, it doesn't have to be full bore, 100%, going off into the mountains at once, right? Privacy can be an incremental thing, security can be an incremental thing. I mean, it's just kind of like personal fitness as well. It's like you don't have to go into the gym and start benching 400 pounds. You start slow and work your way up. Exactly, exactly. Jameson, thank you so much for coming on, I appreciate it. Everybody can check out Casa. You're obviously on Twitter at @lopp. Folks
should also check out lopp.net. Anything else you want to share with the audience? No, that's enough to keep people busy. I would say there's at least like six months worth of educational resources on my website if you're looking to go further down the Bitcoin rabbit hole. Totally. All right, well, I appreciate it. Thanks, Jameson. Thank you. That was Jameson Lopp. Unbelievable episode. Head over to lopp.net if you want to learn more about him. He's also @lopp on Twitter. As always, go to our website, blockworks.co/newsletter, subscribe to the newsletter. If you enjoy this type of content, subscribe on Apple, Spotify or YouTube, or really wherever else you get your podcasts. I think we're at, I don't know, 40 or 50 reviews so far. We need to get to 100 reviews, and Apple told me they'll consider putting us on the home page of Apple. So yeah, head on over to Apple, give us a five star review, and yeah, we'll see you next week for another episode of Empire.