Hello everyone and welcome to this very, very special emergency livestream about the Ledger hack and leak. I am delighted to bring on some very special guests. Please welcome to my left, I guess, Jameson Lopp, the Chief Technology Officer of CASA. Right below Jameson, Peter McCormack, podcaster, filmmaker and host of What Bitcoin Did. And right below me, Taylor Monahan, founder and CEO of MyCrypto and security expert. We're going to be talking about the Ledger hack and the most recent leak and publication of all of the Ledger hack database. We're going to talk about what happened, what you should do, what can the hackers do to you, countermeasures to prevent this from happening again and what should companies do. This is probably going to take more than an hour. Let's see how we do. If you have questions, please jump in the Slido, slido.com and the code is ledgerhackhelp. At least I think that's the Slido. We'll find out. Someone's going to correct me in the chat if it isn't. Welcome, welcome, everyone. How are you all doing? Crazy. Who's going to go first? Jameson, how are you doing? Just trying to keep up with my inbox at this point. Yeah, a bit crazy. Peter, your DMs are blowing up. Yeah, they were most of the day, but all good. Learned a lot from it. Got a lot of useful information to help us with this. Fantastic. Taylor, how's your day going? Yeah, well, this is the first day of our holiday break, so I would expect them to not have any phone calls. But, you know, here I am. Yeah, I want to really, really thank you for jumping on this. It was absolutely last minute. I sent a message to Peter. He was already in bed last night in London and then bombarded Jameson and Taylor this morning with requests to join me. I think this is something that could really benefit from a bunch of different perspectives. And so that's why I've invited you. You all have obviously very, very broad expertise in this space. And lots of things to talk about. 
And we're going to see what we can do to help people. Now, what are we trying to achieve here? Let me be very, very clear. You know, it's easy to nitpick after the fact. To use hindsight and go, oh no, Ledger should have, could have, would have, none of that. Not interested in that. This is not the place, not the time, and it's not helpful. So please try to refrain from doing that in the chat as well. The real issue here is there are a lot of people who are honestly quite scared right now. And for good reason. And have no idea what to do next. And this is a very complex, very challenging environment we're operating in. And the goal here is really simple. Help people figure out, have they been affected? What can they practically do about it? How to react in a calm and deliberate way. Respond in a calm and deliberate way and not react out of panic. And how to learn something from this that we can all apply for the future. So let's dive right in. Wow, 1500 people watching this. That is by far the largest audience we've had this year. I wish it was on the happy topic. Listen, a couple weeks ago I did a livestream which was awkward holiday conversations with your relatives. It was much more fun than this one. That's the one you should have been on. But I guess necessity is what happens. All right. Let me jump right in. Section one of this conversation. What happened? So first of all, who is Ledger? If you don't know and you're trying to figure this out, Ledger is a company. They're based in France. They make hardware devices that are hardware wallets. They make a bunch of different models. They also manufacture the software that's related to this. Now, what happens? A database of theirs leaked. Does anybody know the exact date? Do we know exactly when this happened? I think it was June 2020. So June 2020 is when it first was we started seeing the reports of people getting like phishing emails or seeing this database supposedly for sale on the hacker forums. 
As far as I can tell, the database dates were some point after March 2018, probably all the way through June. So if you bought a Ledger between those dates, you probably were in the database. So what leaked exactly? Do we know that? We know that. From what I have gathered, it seems to be a database like a sales marketing fulfillment type database. So, you know, something that they probably store customer details in in order to ship them the Ledger and then email them newsletters? Yes, it appears to be two different data dumps. One is obviously just an email newsletter. The other is an actual order data dump that has email, phone, physical address, name and phone number. Yeah, so that's that's the actual shop where people bought a Ledger device and had it shipped to some address. And the information they put in that shop is what leaked 272,000 ish records from that database. This is now public. Now, the hack happened somewhere between May and June of 2020, as far as we can tell. First indications that it was happening sometime around June. And so this affected people who had bought devices before that date. I've heard some rumors that some of the people who are receiving emails bought devices after that date, some recent. But I don't know if those are true or not. That would indicate an ongoing attack, but I have no basis to validate that. So it may be that people are getting emails, for example, and they were in the newsletter before they bought the device. They were in the newsletter and they got hacked there. They bought a device later, but they're actually getting phished because of their newsletter. So one was the customer database. The other one is a MailChimp database or something like that. Some kind of newsletter database. All right. So quick disclosure, my information is in there. So I bought a ledger in that time frame. And I also have a database like that, by the way. I have a shop. 
So I also have information on my shop that contains information like that. I also have a newsletter, a mailing list that people can sign up for. I think all of us do, right, in some professional capacity. So it's important to note that this is something that, yes, it happened to Ledger this time. Six years ago, it happened to BTC-E at the time, a very big exchange. It's also happened to a couple of other smaller exchanges in the meantime. This is not a rare phenomenon, right? If you're in this industry and your information is in various databases of private companies, eventually someone's going to make a mistake and your information is going to leak. All right. Let's take an audience question. Lucia, aka Dancing With Crypto, asks, is this a new leak? There was one a couple of months ago and I'm still getting spammed on SMS. So two events happened. In June of 2020, this information was stolen by hackers. This information has been circulating on various dark websites, hacker forums, being bought and sold, and a bunch of different actors apparently have used it to send out phishing. I've been receiving phishing attacks as text messages since about September. They really escalated in the last month. I've received probably a couple of weeks' worth at least in the last month. And what happened that's new? Yesterday, someone dumped both of the databases on a public... Does anybody know where that was? It was RaidForums. It's a fairly common hacker forum where you can find all types of databases. So that was dumped, which means now everyone has this information. Now, there's some arguments to be made as to whether it's better to just have it out in the public. Hackers had it already. The real problem was we couldn't really check, am I affected, until it was public. Now it's public. Now we can go check and find out if we're in that database. Alright, so the time frame approximately is up to July 2020. So how do you know if you're in this database?
Well, most likely you've been getting spammed with phishing emails and texts since September. That's a good sign. There's two places we can check. One of them is called haveibeenpwned.com. Haveibeenpwned.com. Pwned is P-W-N-E-D. So haveibeenpwned.com. Someone's going to drop that in the chat right now. You can take a look at that. Now what haveibeenpwned will do is if you type in your email address. This is a site that's been run by a volunteer and a couple of assistants, I believe, for years now. They collect all of the public leaks, billions of records, and they won't actually show you what information about you was leaked, but they'll tell you when it was leaked, which specific leak it was involved in. I put my email address in there. My email address has so far been leaked 28 times in 28 different breaches. That's because I've had this email address since 1994 because I'm old. I know, you millennials. So that's one. If you want to see more detail, IntelX.io. IntelX.io is one of the companies that collects this information and also catalogs it. So on IntelX.io, so it's like Intel, like the chip company with an X afterwards, IntelX.io, you can go and search again with your email address. When you find that you're in the Ledger leak, it's going to say Ledger leak July 2020. If you click on that, you can then see specifically what information is in there about you. The links are in the video description. They're also in the chat now and you will be able to find them. But what you'll see is either just your email if you're in the mailing list database, or your email, name, shipping address and telephone number. Did I miss anything? My dear guests, have we covered everything that is out? What happened? What information is out there? I think one common question might be, well, if my email address has been leaked, do I need to change emails? If you're still using your email after 28 leaks, then it must be safe, right? Right. Yes. No, I won't change my email.
Spam prevention has gotten good enough. I need to be very, very careful anyway with what I get. I assume my email is known by everyone. I assume that it's leaked. I assume that I'm going to get phishing emails all the time because I get phishing emails all the time. Listen, these ledger people are not even creative. You want to strike fear into the hearts of men and or women. You send them the email that says I've hacked into your computer. I turned on your webcam while you were surfing porn. I now have a video and I'm going to send it to all of your family on Facebook. Do you know how many of those I get a week? I get so many of them. I used to report all the Bitcoin addresses to my security guy too. And then finally he was like, stop, Taylor. I don't care. Yeah. Yeah. The scary thing is when you see how many people are actually paying that extortion. And I think we should actually have the opposite thing, which is do like a privacy or security based fundraiser, which is if you are concerned about a webcam video of me watching porn leaking on the internet, you should really pay the attackers not to release it to protect your own sanity. Anyhow, let's let's see another question here, which relates to the topic we just said. I gave you two places where you can check if your information has been leaked. Nakatomo asks, I have downloaded files from Pastebin to check if I was affected by the leak. Is there a reason to think my computer might be compromised? What would you advise people do that have downloaded the files and are worried? Generally speaking, don't be worried. First of all, Pastebin is something that you can access. It's a public source. All of the stuff that's on Pastebin, Pastebin is a place where people just dump text files, is also indexed on Intel X and Have I Been Pwned? So you don't really need to go searching for this stuff. You can just use an intermediary. The fact that you're accessing this information is... It's text. 
I would say the one thing to be careful of is don't accidentally end up in some random forum with a black background and download zips and tars and unzip them. Don't do that. The original leaks were actually more dangerous because they were RAR files. I believe there are various Windows overflow vulnerabilities that could be used to stuff malware into those types of extractable compressed files. The links that we've shared are to safe, respected companies that do this for security reasons to help people. And Pastebin is just plain text. The same thing with Gist, which is the GitHub equivalent of Pastebin. That's not risky for you. I don't know if there's any legal implications if you download information that has been stolen in some countries. If you live in a country where there's some obscure law that says if you're in possession of data that's been stolen from a private company that makes you culpable in some way. I don't know. I'm not a lawyer. Certainly in the US that's not an issue. Information that is publicly available and has been published on the internet you can access. There's nothing illegal about looking at that database. All right. Now's a good point to clarify the most important point. This seems obvious if you're in security and you understand how hardware wallets work, but it's worth mentioning. Ledger doesn't have your keys. They do not have a database of Bitcoin addresses or keys or seeds or any information that is in your device. The fact that their website sales database leaked has no bearing on the security of your key material on your device unless you voluntarily give it to them because you're tricked into giving it to the attackers. Ledger doesn't have any information. They don't know your IP address; that was not part of this. They may collect some IP addresses from their app. We'll talk about that in a bit. They do not know your seed.
They do not have access to your keys, obviously, because then there would be no point in having a hardware wallet. If the hardware wallets came pre-seeded with seeds delivered by the company, if there was a central database, there would be no point. All right. Anything to add from my esteemed guests? Let's do another question. If I do not receive an email from Ledger within 24 hours of the breach, do I assume my data was not exposed? No. Sorry. I wish I could give you that certainty. Their initial forensic analysis identified 9,500 customers as affected. Those are the only people who received a notification. I did not receive a notification. The first information I received was not from Ledger. It was phishing attacks, because Ledger massively underestimated the impact of this attack. They assumed 9,000 people were affected; 1.3 million people were affected. It's a slight difference in opinion there. OK. Another question about that. Am I excluded from this hack because I bought my Ledger from a distributor? Can this hack also happen to any other producer of hardware wallets, i.e. Trezor or Shift Crypto? OK. First part, am I excluded from this hack because I bought my Ledger from a distributor? So far, as we know, customers who bought their Ledger from, say, Amazon or from another distributor, that information is not passed back to Ledger. It's delivered directly from that distributor and Ledger has said explicitly that they do not have information on customers who bought from Amazon. Unless that distributor has a different deal and they were passing, connecting to the database, I think that's unlikely. Most likely, you're not affected. There's only one way to find out. Go to the IntelX or Have I Been Pwned website and check for yourself. The second question is more interesting. Can this hack also happen to any other producer of hardware wallets, Trezor, Shift Crypto and the 68 other brands of hardware wallets that exist? Who wants to go first?
It can happen to anyone who has a newsletter or anyone who sells physical things on the Internet that get shipped to you. Or frankly, anyone who has a form anywhere that asks for your personal information, because if that exists on the Internet, then someone can hack it and someone can get it. But yes, it can happen to hardware manufacturers. It can happen to anyone and it probably will more and more. Yeah, one of the interesting things is how many companies it's happened with. So on the Have I Been Pwned website, I put in one of my old email addresses that I don't use so much anymore. It was really interesting because there's Adobe on there, Dropbox, Disqus, Houzz, Mashable, Last.fm, Tumblr, Zynga. These are all huge companies who have a lot of money and probably spend a lot of time trying to put data security as an important issue. Yet it still happened. It doesn't seem like any company is excluded from this as a permanent thing that they will never be hacked. So I don't think personally the issue is the company that sells. Yes, you can find faults and blame and you'll find things that they should correct. But I think the best course of action is probably to talk to someone like Jameson about the things you can do to avoid it. Like having anonymous email addresses, burner phone numbers, PO boxes. I think that's the future of protecting your data rather than blaming companies, because this could have happened to anyone. And I think we should be conscious of that. It is impossible to secure information on the Internet once you have collected it. The only answer to this problem is do not collect it and if possible purge it as soon as you can. And purging is not an easy thing, because actually purging something from the Internet properly and permanently is in itself almost an impossibility. So it's even better to just say don't collect it in the first place. I will confess right now. I have a shop. I collect. I have to collect. I have to collect an email address. Why?
Because I need to be able to communicate with customers if there's a problem with their order, if I can't deliver it, whatever. Even on virtual products, I have to at least collect an email address in case there's a refund request and I need to confirm that they're the same person who bought something from me. I have to collect an address in order to ship something to them. Everything else is optional. I don't collect first name, last name, phone number. Anything I don't absolutely need, I don't collect. The things I do collect, I delete after three months if the account is inactive. And it's perfectly possible for people to use a fake email address as long as they can go back and check it every now and then to make sure that or maybe communicate with me through that email address. They can use a throwaway. That's perfectly fine. They don't have to identify themselves. If they're buying a virtual item that I'm not shipping, I do not collect an address. I don't want to collect an address. That's the only way. But I can promise you, my database can be hacked. I have 25 years of experience in information security. I cannot stop a WordPress site from getting hacked. I'm trying. It's not through lack of trying. It is if someone's determined and if that information actually had enough value, they go after it, right? All right. Let's let's move on. We've got section three. I think it's time to go to section three. Now we talked about what happened. All right. What should I do if I've been affected? What should I do? The first and most important thing is do not react. In fact, many of the attacks we'll discuss next. Expect that you will react, react with anxiety, react with fear. And it is the reaction where they catch you. They expect you to do something rash and that's where they get you. So take time. Before you do something, think and then think again. Research. Make sure that what you're seeing is real. And if necessary, respond. 
The biggest risk from reaction right now is one, you are being phished. And so what they're doing is you're reacting, but what you're reacting to is bait. And your reaction is exactly what they want. So they use fear and greed, as we'll see in a second. The second thing that's a problem with reaction is that when people are stressed out and they react, if you, for example, decide to change all your passwords and then don't record them or make backups carefully, then you are opening yourself to loss because of data corruption, a mistake, a typo, something like that. If you try to move your money off a Ledger because you think the device is not secure anymore, which isn't true, but you get scared because of this leak. In making that transaction, you can make a mistake and lose your money. And also you may be effectively taking something that has been comfortably sitting chilled out in cold storage for a while and making it hot, putting it on a computer, bringing it online, bringing a transaction in, having to deal with transaction fees, all of which massively increase the number of risks you're facing. Sometimes it's better to just not do anything. And this feels wrong, but it might be the best way. Yeah. And it especially feels wrong in crypto where things move so quickly and we actually have this culture of like you hear about something and then you act on it right now because that's how you win. And that's why these types of phishing attacks, they're not only against Ledger, by the way, they're against the whole space, they come in a variety of forms, but the ones that capitalize on your fear or your fear of missing out. The reason they're so successful is that there's this established pattern that you hear about something in crypto and you're like, okay, go, go, go, go, go. And then the phishers do it. And they're expecting you to go, go, go, go, go. And then they get your money. And so pausing and not doing anything really, really, really.
It will save you so much heartache in this space. That's great advice, Taylor. I mean, honestly, with this entire database leak, if everybody did absolutely nothing, we'd be fine. All of these attacks depend on you doing something. They cannot reach in and take your money. You have to give it to them. And that means that we'll see this one exception, which is a physical attack, which is extremely rare. And we'll talk about it in a second. But the vast majority of the attacks we're talking about, the cheap, easy bulk attacks that everybody's trying right now requires you to be a victim. And in order to be a victim, you have to do something. You have to make a mistake. And that's what they're trying to make you do. So the second thing I'm going to say, this is just like a general idea. Do not give up on hardware wallets. Every time you read something, it's like an academic paper by three esteemed researchers has found an exploit that requires physical access to the device with an oscilloscope measuring the voltage output of the screen when it's displaying the 24 words or measuring electromagnetic interference in the spectrum when you're typing in your PIN. All of that is security research. The truth of the matter is hardware wallets are incredibly secure. They're the most secure way you can hold key material if you use them correctly. And if your reaction to this is to put your money on Coinbase or Binance or Kraken or whoever, to put them in a web wallet or a software wallet or to say I'm not touching hardware wallets anymore, you will make yourself more vulnerable, not less. The devices are safe. This is the problem with I think security in this space in general is A, it's a dynamic environment. B, it's a constantly changing and learning type of environment where we're having all of these fears thrown at us. It's like a new thing to be afraid of every day. 
And I think for the layman, for the folks who only watch this space casually, it can be very difficult to quantify which things you actually need to be afraid of. What is the actual risk of any given thing happening? And then we get into these really deep technical debates and sometimes different security people start slinging things at each other on social media. And it becomes a major unsolvable issue because a lot of these things are difficult to quantify. It's not black and white. There's all types of tradeoffs being made. But I would say at the very high level, kind of going back to what you were mentioning earlier, the biggest problem in this space is that we're spending all of our time telling users the 10,000 things not to do, because there are so many things that you can take an action on and screw up that in most cases doing nothing is actually the safest thing. Can we even challenge the scenario that for certain people, in certain scenarios, even holding on an exchange is going to be a better scenario than a hardware wallet? So for example, my father would absolutely balls up. And I know this is against one of the Ten Commandments of Bitcoin. Thou shalt hold thy keys. And I know that's one of yours that you did, Andreas, and I 100% agree with it. I also know my father on his own, without my help, imagine I don't exist, he himself would screw up a hardware wallet. I tried to teach him how to use a password manager and it was an absolute failure. He's had to stay using the same password for everything. He physically cannot manage a password manager. I can give you a bit of advice for that. I got my dad a little phone book, alphabetized phone book agenda. I don't know what they call those. A little black book. Another one. Yeah. I got him to write down all of the passwords in there and gave him some hints on how to write them, so that he could tell capital from lowercase, and how to make some semi-random variations of some themes.
Writing them down alphabetically by the site that they corresponded to, he was able to massively increase his variety of passwords and get a solution that actually works. And it goes against everything we discuss in security. Don't write down your passwords. Don't use similar passwords on different sites. But the thing is, it was either that, or every time he forgot a password, he'd have the company reset it to his birthday. You coded the analog version of 1Password. Yes. And analog is often better, especially for low-tech users. So the biggest mistake in crypto, I think, is taking the slogan, be your own bank, which is a political statement, an ideological statement, and turning it into a user manual of behavior. The truth of the matter is, we need some users to be able to be their own bank if they choose to do so, because they're running an insurrection against the Uyghur concentration camps in Xinjiang. But we don't need my dad to be his own bank, right? It's a different thing between the technology needs to have the option for someone to be their own bank, and everyone must be their own bank, or they're doing it wrong. And to your point, Peter, absolutely, for some people, a custodial wallet is a better solution. However, you need to be very careful. So let's go back to the point here and go to the next section, which is what can people do and what are the biggest risks right now? So don't throw the baby out with the bathwater and abandon your hardware wallet, because it's still the most secure device you have. The Ledger device, and I can say this unequivocally, as it is today, the one sitting on your desk that you have money in, is still perfectly safe. It's a tamper-proof, high-security device. It's well-designed. And unless you do something precipitous, it's perfectly fine. The biggest risk I see right now is SIM swapping, and we're already seeing accounts of this happening. So who wants to take this? What is SIM swapping? Peter?
No, I'm pointing up to Jameson. Oh, okay, sorry. Literally up there. It's like the Brady Bunch. I'm pointing upwards. Taylor, go ahead. Sorry. I was going to say, has everyone here been SIM swapped, all four of us? I have never been SIM swapped, but that's because... Wait, am I the only one who's been SIM swapped? I took extreme precautions starting in 2013, because... You were before, you had an ad. No, I got doxxed early on. I got doxxed in 2013. They got my email, my phone number, and my home address published on Twitter in 2013. It was a malicious doxxing, and it forced me to take all kinds of off-site precautions, which I wouldn't have had otherwise. So go, Taylor, tell us all about your wonderful SIM swapping experience. Oh, it was so much fun. I will say that I did get SIM swapped, but they didn't get anything, because I had already delinked my phone number from any account anywhere. So I did get a whole bunch of notifications saying they're trying to get into this. I got a Microsoft authenticator that was like, here's your requested 2FA code that I didn't request, things like that, but they weren't able to get anything. But essentially what happened was they called up my cell phone provider, which is AT&T, and they... Keep in mind, I'm not the owner of the account, nor am I even an admin of the account. I am a literal child of the account. So they called up AT&T over and over and over again, trying to get them basically saying, I broke my phone, I need you to move my phone number from this SIM that is on my phone to my new phone, which is the hacker's phone. They couldn't give the PIN, they couldn't give the security questions, they couldn't even get the name on the account, because again, I'm not on the account. Unfortunately, they're talking to people that are getting paid literally nothing in the Philippines, and they were eventually able to get information like the account holder's name from the support people. 
It took them like, I think maybe four hours or so in many attempts. Anytime they came up to a roadblock, they would just hang up and call right back. So this is a classic escalation attack. This is super classic. So can we just dive into that, because I don't think people understand how this works. Oh, yeah. Okay, so first of all, what is SIM swapping? SIM swapping is hijacking the telephone number and redirecting it to a new device, a different SIM, so that text messages and phone calls now go to someone else. While you're sitting at home, right, your phone simply stops working. You don't know why. You might not even notice for hours that it stopped working, right? I was asleep, so I literally didn't notice, but even when I woke up, I didn't notice because I was connected to the Wi-Fi because I was at home. Right. And so things were still coming through. It wasn't, I mean, I was aware that I was under attack, so I obviously went and looked. But if I hadn't been aware of that, I don't know how long it would have been, probably until I tried to make a phone call, until I would have noticed that I had no cell service, because again, you're on Wi-Fi, everything's on Wi-Fi these days. So let's talk a bit about how this attack is executed. So this is an escalation attack. What they do is they start by calling customer service at Verizon, AT&T, Vodafone, whoever. They say, hey, I'm the owner of the phone number. They have the phone number. They need something to start, either a name or a phone number, usually a phone number, right? Yeah. So if they have the phone number, they're trying to find out the name. If they have the name, they're trying to find out the phone number. If they have both, they're already a step ahead. Right. And then they try to say, okay, let me in. And the person says, you don't have the account information. Yeah. So then it turns into a social engineering attack. And they have a variety of ways. 
These sim-swappers, they share tips with each other and they've been doing this for a while. Ways that I've heard that they sort of get past the barriers like having a PIN on your account for security or not having the required information or whatever is for me, they basically were able to glean information from the support people until they had the required information. So they'll badger one of the people, get a snippet of information, hang up, call someone else, and then use that snippet of information to build to the next level, get a bit more information, hang up, call another person, and keep building until they've put together enough pieces of the puzzle that the last person they can persuade that they are the account owner. So for me, for my case, everyone thinks my name is Taylor Monahan, but that's my married name. Yeah. So they had to go from Taylor Monahan to my maiden name and then to that account holder's name, which is, I'm a child, obviously. And they were able to get all of those jobs they were able to get from the customer support people. The other scary way they do it though is that they pretend to be a person that's sitting in a store, like an AT&T employee physically in a store, and they say, hey, our system's on the fritz. I can't get my little code thing. I have an irate customer here. Can you just do this favor for me? If the customer support agent doesn't verify all the... they don't have time base. They have the one-time password things for the customer support or for the in-person agents. If they just don't check that stuff, they can bypass it all. So there's a fantastic video you can watch on YouTube, which is one of the masters of social engineering. I don't remember her name. She's a fantastic social engineering hacker, and she's doing a demonstration at DevCon for, or Black Hat, for a journalist. And she sits down with the journalist in a cafe, and she asks the journalist for just one piece of information. 
I think it was the phone number. She pulls up a video on YouTube, which has a baby screaming in the background. She then connects, calls up the phone company, and is like, I'm beginning to be having a conversation with a babysitter who is over her head with the baby. The baby's screaming. The babysitter's asking questions. And so she's on the phone with customer service and goes, Yeah, I need my husband's account. He's at the office right now. There's been an emergency. I need him to get to the hospital. Katie, can you please get the kid off the table? Okay, I'll be right there. I'm on with Variety. I'm sorry. I'm having a meltdown here. Please just help me. This is so terrible. My husband's... And playing on empathy, a sense of urgency, the desire of human people to help, right? In a crisis and an emergency, you hear this mother who's losing her shit. There's a baby screaming. It's chaos. And eventually, the astonishing thing about this video is in six minutes, they have the account information, the PIN number, they've ported the SIM, and they have complete control of the journalist's account. Six minutes, the journalist was like, fuck, what do we do? And the creepy thing that I learned from my SIM-swapping experience, because obviously I went right up the totem pole and found out everything I possibly could, I was amazed to learn that they have some training programs for their customer support agents in regards to SIM-swapping. But what they tell them is they say that there's these terrible people out there that try to steal the SIM swap or try to get into the account so that they can buy a new iPhone through the account. And that's the threat, right? The threat is that this bad actor is going to charge an iPhone to an innocent person's account. So at the end of the day, what these customer support agents are scared of is absolutely nothing because they're being paid 50 cents an hour to answer irate customers' phone calls. 
And at the end of the day, they know that AT&T will pay back that iPhone. They have no idea the implications of what a SIM swap can actually do and the damage it can actually do. Yeah, I think Michael Terpin lost like $15 million or 50 million. I don't remember. Like AT&T handed it over twice. Right. All right. So SIM-swapping is this. Why is SIM-swapping a risk? If someone has your phone number and they know you are into crypto, they can assume that many of the people in this database have used that phone number to set up the crappy form of two-factor authentication, which is a text message to the phone number. They are not going after the money that's on your Ledger. What they're doing is they're assuming if you have money on a Ledger, you also have an account with one of the top 10 exchanges. They're going to hit every account on every one of these exchanges with the email address. They can do something very simple, which is send or click on a link saying they forgot the password to see if they can find information. Now, good sites will not tell you if the account exists. Bad sites will tell you if the account exists. They're then going to try and do a password reset or they're going to get a text message verification. They'll do a SIM swap. They will get the text message. You won't. You may not notice the email. If they're smart, they're going to use the fact that they know your physical address, figure out your time zone, and do it while you're sleeping. You wake up in the morning and you find 20 emails from Coinbase saying password reset, password reset, password reset, password change confirmed. Log in from an unusual device, withdrawal approved. And you're like, what? And you just woke up, right? And this can happen with any exchange, but it's not just exchanges because they're going to drain your exchange. 
Then if your bank account is still connected to your exchange, they're going to buy crypto from your bank account, drain your bank account, and then drain the crypto. And then they're going to find out from your cryptocurrency exchange what your bank is. Then they're going to try and log on to your bank and use two-factor authentication there. They almost always use SMS. Banks are the worst offenders. So then they're going to go into your bank account and do a wire transfer or a Zelle transfer or something else, right? And I want to say as well, one thing that we've really, really, really often seen is they will SIM swap a person, and then they will go after that person's primary email, which is usually a Gmail. And there's two ways to go about this. The first is that you have your phone number linked to your Gmail as a two-factor method. So if you have that phone number as a recovery method on Gmail, even if you have the authenticator, it doesn't matter. You just click the like use a different method until you get the phone number. Now they're in your primary Gmail. Now they know every service you use because you have receipts in your Gmail. So then they're like, OK, well, they have a Binance and a Coinbase and a Kraken and a BlockFi. And then they go log into those. And between your primary email and your phone number, they can access any of those accounts very, very quickly. And they do it. They just systematically wipe you out. When we talk to people who are trying to recover from this situation, it's unfathomable, like the loss that occurs and how many things they touch and how much time it takes to even discover what's been touched. Because again, if they're in your primary email, they don't just leave the email that says, you know, withdrawal confirmed or buy 10,000 Bitcoin confirmed. They delete those emails. And so getting the receipts to figure out what's actually lost sometimes can take weeks. And it's atrocious. It's tragic. 
I think that phone numbers as a recovery method for any account, but especially for an email account, is one of the best things you can do. Like removing that is one of the best things you can do for your security. And this is because your primary email is essentially your digital identity at this point. And so what we're really seeing is the SIM swapping, the phone attack is an escalation attack to get to your primary email because generally people have that as a recovery for their email address. So, you know, the common theme that we're seeing is these days we have all types of great security hardware devices. We've talked about Ledger. We've talked about YubiKeys. But the weak point now is always the humans. So we're seeing social engineering attacks against employees of different services. We're seeing phishing attacks against all types of different users. You know, even within the SIM swapping sphere, I have heard of stories of just employees of mobile phone providers being straight up bribed because, once again, they're probably getting paid minimum wage. And if a SIM swapper knows they're going to make tens of thousands or hundreds of thousands of dollars, then why not, you know, pay a few hundred or a thousand dollars to bribe the employee and just bypass all that tedious grinding away of having to ask all of these monotonous questions of, you know, being able to socially engineer people. So, you know, what you're going to find is the security people are going to tell you, you know, eliminate any points of failure where a human can be tricked into doing something. Use dedicated hardware devices that are, you know, creating these codes so that you know that you are in physical possession of the authentication. And you can't just have some random person on the other side of the world get tricked into authenticating something without you being there. Okay, we have three specific points of advice now. 
And Jameson, I would like you to take the lead in this in terms of giving us this information because I've been talking too much. The first one is, lock down your primary email account. Let's talk about how we do that. The second one is moving from SMS 2FA to TOTP and U2F. The third one is moving your phone service provider, your communications provider, to a no-human carrier, MVNO, Google Fi, Efani, etc. Go. Jameson, please. Sure. Yeah, so primary email account is very important. And because of its importance, a lot of these email providers will give you a variety of different methods of how to recover access to it because we wouldn't want you to get locked out, right? So the more recovery methods that you add onto a service, the more potential security holes you're creating. You have to be very careful about this. Every one is a backdoor, right? Every recovery method you have to think of as a backdoor as well. Yeah, so if at all possible, do not even tie a mobile phone to your email address whatsoever. The most important basic thing is, of course, to have an extremely strong, unique password that you're not using with any other service because, once again, information wants to be free. Any password you use with any service, you should assume that it's eventually going to get leaked and compromised, and attackers are going to go take that password and try to use it at every other popular service. Anyone who runs a popular web-based service sees these drive-by attacks happen every time there is a major leak. So in order to do that, you're probably going to want to use a password manager that is able to generate highly long, complicated passwords that you shouldn't even know them. You should be letting some other password manager service handle these for you. Ultimately, I think you should only really know one password, and that is the password to unlock your password manager. Okay, three recommendations of password managers. I'm just going to jump in. 
Not endorsements. These are not specific products. I have no affiliation. The most common ones people use, LastPass, 1Password, and an open-source version of all of the above, Bitwarden. Those are good. I think you missed out Dashlane. Dashlane is pretty good as well. I've used all three. I really like Dashlane as well. And, you know, any one password manager is better than no password manager. This is not a let me look at all of the features and take three months to decide. This is a get one, use it. They're free. You can use them. So you remember one password, which is probably in the form of a passphrase because it's a lot easier to type, transcribe, back up, and remember. Six to eight English words separated by spaces, all lowercase, a little phrase. You type that in. That's your one password. And then everything else is a 37 character alphanumeric random mess that you can't replicate, right? Except for your banking websites that have a cap of like 18 characters. I like to try and probe and discover the cap by producing outrageously long passwords. I did a video called Password and Two-Factor Authentication. It's a live stream that is published on my channel. It's two hours of talking about how you do these things from correct horse battery staple to how to do basic two-factor authentication. Okay, so very long password with a password manager. So you change your password. Let's look at more specifically. I think almost a third of the Ledger database was Gmail accounts. And a whole bunch of others was custom domain Gmail accounts that people were not able to see are actually Gmail accounts. So let's speak specifically about Google accounts. Any specific advice there? So you can definitely not have a phone number connected. Google also has a YubiKey integration, which I am a fan of. And I mean, I recommend YubiKey for as many services as support it. And in fact, I would recommend using a YubiKey to protect your password manager. 
So hopefully whatever manager you're using also has YubiKey integration. So that's a little USB device. This one is one of the nanos. It sits flush inside the USB slot. So the only thing that's sticking out is this thin sliver of metal for me to touch. You can also get ones that sit on your keychain. They cost anywhere from $30. You can even get non-branded ones even cheaper, $30 to $50. You can set that up as your second factor authentication on your Google account. I want to make one more mention. Google has a special program called the Advanced Protection Program. If you search for that, Google Advanced Protection Program. It is a page that you go to that takes you step by step through the process of hardening and locking down your Google account. It adds either application-based two-factor authentication. That's the little app you run on your phone that produces a new six-digit numeric code every 30 seconds. Or even better, two hardware security keys that you plug into your laptop or phone to authenticate. You remove the recovery phone number so that you cannot recover through a phone number. You remove the recovery email and you lock that account down. Any other advice? I was trying to remember whether or not Google has recovery questions. But just in general, whenever I do run into a recovery questions type of flow, instead of putting in answers, which are usually really common things that someone could search for, I actually like to just once again generate really long passphrases, store those in the password manager. I don't want that to become a potential vector where someone can use public information or other easily searchable information about myself or my family. Right. What is the city of your birth? Asparagus, banana, couch, telephone. And that answer goes in the password manager. So the next time I connect to JP Morgan Chase and they ask me what is the city of your birth, I know that the answer is actually asparagus, banana, telephone, couch. 
None of the knowledge-based answers are actually knowledge-based answers. Because, of course, all of that information is on Facebook, if you have a Facebook account. All right. Let's move on. Changing from SMS two-factor to other forms of two-factor. We've touched on it. Let's go into a bit more detail. Yes. So Google Authenticator, I think, is what a lot of people start out with. It's very easy to install on your phone, and I think that they finally fixed it so that you can actually migrate between phones now without having to rotate everything. Personally, if you're a little bit more hardcore, if you go with the YubiKey, then I am a fan of using Yubico Authenticator, which is basically the same thing, except those secrets get stored on the hardware. You have to give it a tap in order to access it, and then you can carry that around and even plug it into multiple devices. There's others. There's Duo Security. There's Authy. There's a bunch of others. All of these follow a single standard. This standard is called time-based one-time password, or TOTP. That's where you are presented with a QR code. You scan that QR code. The QR code actually contains a secret key that is the basis for generating a time-based sequence. Your clock is synchronized with the server so that every 30 seconds, it produces a new six-digit numeric code. The server tolerates up to two before and two after, so you don't have to be absolutely precise, and that gives you a great mechanism. If you use a time-based one-time password that has the ability to migrate to a different phone, make sure that that is turned off unless you are actively in the process of migrating. A good example is Authy. Authy has a fantastic multi-device feature. If you have that multi-device feature turned on all the time, then SIM swapping can actually migrate your Authy to a new phone, and then it's pointless. So make sure that's off. I want to harp on that, too. Yes, please. By default, it's on. 
So if you use Authy, you need to go into your settings. It's called multi-account or multi-device or something. Turn it off. Double-check. And then the best way to actually check to see if a hacker could get it if they got your phone number is to go grab one of your old phones, boot up Authy, and then try to recover your Authy account. So you're going to say, yeah, I want to load in my Authy. I don't want to start a new one or whatever. They're going to ask for your phone number. If you type in that phone number and it sends you a text and it reads the text and then all your codes are in there, a SIM swap can destroy your life. So what should happen is that you put in your phone number and you get an error message that says something like, your Authy doesn't have multi-device turned on, so we can't do this. Because that means if you get SIM swapped, the attacker will see that error message and not see all of your two-factor codes. Great. So that's TOTP and U2F. Let's quickly go to a question, which is relevant here. According to the email that I received from Ledger, my cell phone number was exposed. I have some crypto wallets on my cell phone. Do I need to change my cell phone number? Good question. Okay, so this is my advice. You don't necessarily need to change your cell phone number, especially if that cell phone number is important to you, socially speaking. However, you do need to remove that cell phone number in regards to how it ties into your crypto identity and crypto holdings. So for example, if that's the only phone number that your grandmother uses and your grandmother cannot possibly learn a new phone number, then no, don't change your cell phone number. However, go into Coinbase and delete that cell phone number from it entirely. Go into all of your accounts, go into your Gmail, go into every single account you have and just remove that phone number from any of your online things. 
Use that phone number for your social, in real life relationships and then use other quote unquote burner numbers for online situations that demand your phone number. Which, by the way, there's not that many that actually demand your phone number. You can also just use a fake phone number in a lot of cases to get through, say, the shipping process. All right, quick point on burner numbers. So everyone's heard this, burner numbers. And you're probably thinking, like, this is an episode of The Wire and I'm going to go to 7-Eleven and I'm going to get a Carphone Warehouse phone in a plastic shell and I'm going to use a burner phone. This is the internet age, people. Quackr.io, Q-U-A-R-C, sorry, Q-U-A-C-K-R dot I-O. It's in the chat, it's in the description. Basically, what this website gives you is it gives you a list of numbers. You take any one of these numbers and you plug it into a website that maybe needs to send you a special code or something like that and then you can go on a public page and see every text message that's been sent to that number, including the previous people who used it for their Amazon account. It's actually hilarious to go in there, click on those, and watch what text messages people are sending to it. What that allows you to do is get past those hurdles, get your account set up, and then you can delete it or even leave it. And that's that. Don't allow that to be a recovery mechanism, obviously, but it's a good throwaway number if someone insists on having a phone number for you. Jameson, you were about to say something. Some services are starting to get wise on burner phone numbers. I've run into a few services where they'll somehow detect it and block you. 
I've also run into some other services where on the back end, depending on how their SMS integration works, if it's not a real carrier, then the SMS might not go through because some cheaper services actually use these email SMS gateways that are only really run by the major providers. But I mentioned earlier that I had not been SIM-swapped, and that was kind of luck, really. I was one of the very early adopters of Google Fi, and they just so happened not to have customer service that had the ability to reset people's phones and port them over. And so my phone number was discovered by a number of people over the years, and if they ever tried to port it, I don't even know. I never got any notifications, but it requires a PIN in order to do that. So, of course, nobody was able to get through that process. And I think there's a few others as well. Unfortunately, a lot of this stuff can be very jurisdiction or geographic-based. I think Google Fi is only still available to Americans. And I think it's also available to Canadians, but let's talk about this in a bit more detail. So I was a Google Voice customer even before Google Fi, five years before Google Fi, since 2002 or 2003. Very, very early. And I wasn't SIM-swapped because of that. So Google Voice number is a number that was one of the first virtual phone numbers that would just redirect to email for SMS and things like that. Google Fi is a cellular provider. I'm a Google Fi customer as well. Fi, Google Project Fi. And you can find that at fi.project.google, I believe is their domain. Now, what is Google Fi? Google Fi is what they call a mobile virtual network operator or MVNO. A mobile virtual operator is basically almost like an overlay service that buys the ability to use other phone networks and then resells that under their own brand. So what's the one they have for really inexpensive pay-as-you-go phones that's very popular in the U.S.? I can't remember what it's called. What is Boost? 
H&T Go has one and then Boost is the one with the commercial. Yeah, Boost is one that everybody knows. So Boost is a classic MVNO. And this is typically offered in low-income neighborhoods as a no-strings-attached pay-as-you-go type option that's branded differently. When you use one of these services, you're usually using either T-Mobile or Sprint and now Sprint T-Mobile. In other countries, you're using some variant of Vodafone or one of the companies that are the former national carriers. And they resell their networks for MVNOs. And they have roaming agreements so you can work it in different countries. Bottom line is this, you get a SIM card from a company that doesn't actually have cell phone towers. They're allowing you to piggyback on somebody else's cell phone towers, but they manage all of the account numbers and the account management and the phone numbers. And Google has one of these called Google Fi and before that Google Voice. The best part about Google Fi and the reason these MVNOs are better is because they don't have customer service people. And because they don't have people, you can't socially engineer them. In order to port my Google Fi number, you have to have the YubiKey that's sitting in my laptop. So that's impossible to do. There's a specific company called Efani, E-F-A-N-I, that was started in Silicon Valley a few years ago that is designed to be a SIM swap impossible company and is beloved by crypto people because of that capability. It's the same kind of thing. It's a bit more expensive, but it's specialized. All right, so let's go to the question. Do I need to abandon, oh wait, is that the question? Yes, do I need to abandon emails associated with hack even if they're rather hardened? For example, Gmail with advanced security protection that requires a YubiKey or similar to access. I sure as hell hope not because my email was released. It is one of those and I'm not abandoning it. Take that, you hackers. 
So no, the answer is no, you don't need to abandon them. You just need to make sure you secure things. Let's go to the next topic, which is spear phishing and phishing attacks in general. Who wants to lead with this? What is spear phishing? What has happened with Ledger so far? I'll take the first half. I'll take a stab at it and then someone else jump in. Okay, so phishing is when you are sitting in a Telegram or Slack or some public chat room or in your email or whatever and you get this generic email that's a newsletter or a generic message. It's targeting a wide swath of people and it says something like, Did you know the Ledger database got hacked? And now you are going to be compromised if you do not type your 24 secret words into our public domain. Here's a URL that looks super funky. That's regular phishing. It works, by the way. Like it works. If it didn't work, they wouldn't do it. So it works. Spear phishing is phishing leveled up, meaning that they don't just blanket attack every single Telegram channel out there. They are going to specifically craft an email or a message to me as an individual that's going to target some knowledge about myself. So this may be the fact that I have a company or the fact that I'm in the Ledger leak or the fact that whatever. And the reason that this works or the reason that they do this is that imagine you have a – imagine hackers as businessmen, right? If you just do regular phishing, maybe you have a conversion rate of like 0.0001%. You can throw this message at 100,000 people and like half of one person will fall for it. You'll get a few dollars. Even that, you can't really say that you have profits, right? Because the energy they expended is higher than the reward they got. So one tack is to just like target everyone with low effort. The other tack is only target high net worth individuals where we then spend more time crafting the message for them. 
But the reward is millions or tens of millions or hundreds of millions of dollars. And so the spear phishing can be way more creative. They can use your name. They can use personal information about you. They can use – they can get really creative, right? Like if they got into your Amazon account, they might know the products that you like. They might send me a specific message about the fact that my bath bombs have been compromised or something, right? Well, the best lies have a twinge of truth in them, right? So that's why the spear phishing that we're seeing going out right now is in many cases going to refer to the recent data breach. It's going to instill fear in you about this recent event. I will say the most sophisticated spear phishing that I've come across was just a few months ago, and it was actually piggybacking on top of a Ripple airdrop. And these folks were so sophisticated, the reason that it surprised me and blew me away is that they had set up a perfect replica of Ripple's corporate website that had a working in-browser ledger integration. And so they were basically saying you plug in your ledger and we'll figure out the whole airdrop mechanics to you. And if you actually went through it, you could plug it in and confirm, and it would create and sign a transaction to sweep all of your Ripple out of your wallet, even though it was on hardware. All right. So let's talk about the primary hooks that people use for phishing. So phishing has bait. The two primary hooks are fear and greed. Let's start with fear. Specific examples from the ledger phishing we've seen over the past four or five months. I've received several of these. Here's a few. One, your ledger device has become corrupted or compromised or we have detected unusual activity. Visit this link to confirm that you have control. You visit the link. When you get to the link, it pops up a message that says ledger with serial number XYZ is corrupted. Imminent loss of funds. 
Start recovery process. And it says, do you have 12 or 24 words? Enter word one. Now, you're on a website. And of course, at this point, all of the alarm bells should be going off. You're like, why am I entering my mnemonic phrase into a website? But you're freaked out because your Ledger has been corrupted according to error XYZ. And you were told that there was some suspicious activity. So what you're doing is you're scrambling to fix this. At least a dozen people I've heard from have lost everything by doing that. The other one, then they tailor it to current events. Your Ledger account will be disabled or suspended or your Ledger will be terminated because of new KYC regulations. Know your customer regulations. So they're piggybacking over the fact that Steve Mnuchin is a fucktard. And sorry, did I say that out loud? They're piggybacking over the fact that the US government is trying to pass these new regulations to impose. And everybody on Twitter is freaking out and talking about it. So they're now trying to tell you that you're now if you think about this for a second with all of these, you immediately realize this isn't true. Right. So so what if there's no one could remotely disable your Ledger? No one can seize your money. That's the whole point of decentralized systems. But again, they go for fear. Another one I've seen, this is really super effective. We have detected a large withdrawal from your Ledger. Now, if you have a hardware wallet and you see a message like that, you're like, shit, they've taken everything. Right. You have 24 hours to respond before we make this transaction valid. So you go online and again, they say, sorry, we can't read your Ledger. It seems to be corrupted. We are going to authorize the withdrawal unless you start the recovery process. Give us your seed. No matter what these tricks, the end result is always give us your seed. So this is the fear approach. 
The greed approach is a Nigerian prince has given you a million dollars. You have received an airdrop. Money is coming into your account. All we need is a verification. An incoming transaction needs to be verified. You are the lucky winner of a brand new whatever. So and again, how do you get these riches, these unimaginable riches coming your way completely unexpectedly? You just have to start a recovery process because your ledger is corrupted. Have you seen any others? I have a whole album of once the new days, which are it's an amazing I'll post a link on Twitter, but it's an amazing insight when you see them all like back to back because the fear and the greed, just because we're seeing it now with ledger, the tactics were the same back then. So I'm just scrolling right now. This is one of my favorites. And this was a very long standing one, which means that it probably was successful. But they said due to the increased number of phishing attacks and holder requests from the Ethereum network, we have decided to implement two factor authentication on all ETH wallets. Please visit myetherwallet.com, which then linked to like a totally fake phishing site to upgrade your wallet to the new security. Please be aware you will not be able to access your funds, tokens and wallet once the new security, if the if the new security protocol is not implemented on your wallet. Wow. So they use phishing as an excuse to phish you. Yes, and it works. And it works. All of these things work. They wouldn't do them otherwise. And, you know, if you look at the success rate they have on these things, it may cause you to lose confidence in humanity permanently. But so here, what's the lesson here? The lesson is this. All of these things have one thing in common. They're trying to make you act rashly without stopping to think. So they're going to push all of the buttons. You have to do it. You have to do it now. 
You have something to gain, something to lose, and do it now, do it now, do it now. So anytime you find yourself under this pressure, stop. Anytime you're feeling uncomfortable about something like this, stop. Don't do anything. Take a step back. Nothing is ever this urgent, right? All right. Next topic, unless you have more things to cover. One second. All right. Another piece of important information. A lot of these phishing attacks, one of their key components is sending you to a website that looks the same. The only difference you have is the URL. And it's not always easy to see URLs. They use a whole bunch of tricks. One of the most common tricks they're using now is registering domains with Unicode characters that look the same. So, for example, Ledger, but the E has a small accent on top because it's a French E with an accent aigu or something like that. Or it's a Suomi E with a dot underneath. So they pick from an international character set and they make an E that has a tiny little diacritic mark that you will not notice. They register that domain and you go there and they've got a complete replica of your site. The way you protect against these things is twofold. One, always have a bookmark in your browser of the site that you want to visit. And if you are required to go to a site, type the domain name yourself and try to navigate to that page. You can also do things like checking the SSL certificate, checking that the SSL certificate should be authenticated to a specific organization. But that requires a lot of checking around. Obviously, don't click on links. Don't follow links and emails on texts. And if you do need to visit a site, type it in or use a bookmark. Emails are just completely untrustworthy. They're so easy to spoof. I would say you should only really trust an email that is, you know, like GPG signed, but nobody does that. So basically, you should never trust email. All right. Especially links, attachments and things like that. 
You know, if somebody tells you, listen, your password needs to be reset, you can read that email. Then you can open another browser window and go visit your own bookmark to that page and see if in fact it also has a notice that you need to reset your password. All right. One more. Postal phishing. We haven't seen this yet, but I do expect it to happen. You've become immune to sketchy emails and sketchy text messages because you watch this amazing live stream. And then one day you get a letter in the mail that looks very official that says the IRS has assessed the fine of seven thousand dollars. And if you do not pay this fine immediately, you will be sent to jail. The local prosecutors have been notified. The SWAT team is on standby. Social services will take your children. Whatever. Fear, fear, fear, fear. The number of people who fall for this, you would not believe. People respond to phone calls like this and then pay out. There's a video of an Uber driver with his dash cam that has a customer in the back who has who is almost crying on the phone. Saying, I'm going now. I'm going to the Bitcoin ATM. I'm going to pay your fine. Please don't send the police. I'm going to do it. And the Uber driver is like, what are you talking about, man? He's like, the IRS, they're going to they're going to send the police. And if I don't pay at the Bitcoin ATM and the Uber driver is like, the IRS doesn't take Bitcoin. What are you doing? You're being scammed. He's like, are you sure? They've been calling me all day. I'm terrified. Fear. It's incredibly effective. So we will start seeing letters arriving at the address that they got with your name on them. Official looking that will say the police, the law enforcement, the IRS, whatever. You need to send money to this Bitcoin address. Maybe even you need to send a check or money order or money gram any kind of way or iTunes gift card. Did you know that the IRS takes iTunes gift cards? You will find out in that letter. 
They don't. All right. So ignore any of that. Let's go to physical attacks. This one's tricky. This question from anonymous. I struggle to gauge the risk of physical attack objectively. What risk tools and processes can I use to evaluate this? Now they have your address. They know where you live and they know that you have crypto. First of all, don't panic. I know a lot of people are really scared about this. The reality is this. When you have a database of 1.3 million people who will happily give you their money with an email, you don't need to go to anybody's house. Going to people's houses involves a significant escalation in risk for very little additional reward. Worst case, you send them a letter to try to extort money from them. And that's still better than actually going there. So I think this is a very small risk if you're not a very prominent person in the industry. But let's go into it a bit more. I want a person in the industry right here. Yeah, I was about to say, OK, James, I have one question for you, which is an add on, but I want to make sure that we touch on this. Of the physical attacks that are known in the space or whatever regarding Bitcoin or crypto in general, how many are completely sort of random, meaning it's not like an in real life friend of a friend or two criminals who then like beat each other up and then there's this report of a physical attack. For those who don't know, Jameson keeps a registry of physical attacks related to cryptocurrency. The link is in the description and in the chat. Yeah, there have been some good analysis of these attacks. And to put people's fears at rest, I think there have only been 60 or so over the decade plus. And of course, they generally get clustered around major run ups in the exchange rate, which is what results in criminals getting attention that there may be easy pickings. 
This is once again a dynamic environment where criminals will continue to assess the risk and reward of these different type of attacks. Now, like most crimes, I think most crimes are not random. You are probably more likely to be attacked by someone you know or somehow are connected with. It could be a friend of a friend, especially if you are leaking information, if you're having extravagant displays of wealth. Those are the type of things that will attract the wrong type of attention. So of all of these attacks, I'm not aware of any that were completely random because if you think about it, there are so few Bitcoin crypto holders in the world. The likelihood of a random attack being against one of them is extremely low. The ones that are more high profile and had large sums of money that the attackers got away with. It was generally people who were engaging in risky activity. Many times they were doing face to face trades with large amounts of cash, large amounts of crypto. And those are the situations where if that's what you're going to do for a living, then you need to be worried about the high risk. There are fewer situations where it was someone who was just hanging out at home minding their own business. But even in those situations, I think many of the times they were prominent crypto business people. So it was well known. They had been in the space a long time. They had made a lot of money. They're probably living in a very extravagant villa. So it was fairly obvious that they had a lot to lose. The most dangerous person who is going to go after your crypto holdings is your cousin Jimbo who has a gambling or addiction problem and believes you're a billionaire with a B because they heard you got some Bitcoin in 2013. Honestly, that is a much bigger risk. Just like any situation where you have violence, abduction, physical crime. It's almost always someone who is someone you know, someone who's related to you. 
Stranger danger is the most misleading bullshit thing that has been taught to Americans. Stranger is not danger. It's the person you know who is far more dangerous. All right, so let's talk outliers. Physical attacks are going to be outliers in two broad categories. The first one is you are well known in the space. You are taking extravagant risks, having a very flashy lifestyle. You make your location known and as a result, you are targeted. Don't buy a Lambo. Do as I do. I have rented a Toyota that is so crappy that it has windows that open like this. I'm getting a Lambo. So the other one is outliers in terms of your location. Listen, someone said yesterday to me on Twitter, you know, there's a big risk here because never before has someone been able to simply look up in a database how rich you are. I'm like, are you familiar with Zillow? Of course they already know. If you live in a neighborhood where the average annual income is $400,000 among mansions in a gated community, the fact that you have crypto and lots of money doesn't put you at risk. Similarly, if you have a middle-class amount of savings in crypto and you live in a middle-class neighborhood with a middle-class security environment, that does not make you at risk. Even if you live in a low-income neighborhood and you have a tiny amount of Bitcoin, it does not make you at risk. If you appear to be a whale in a low-income, low-security neighborhood, then you're an outlier. So it's the outlier that gets you. Does that make sense? It's the logic of violence. It is risk and reward and who has the most to gain and the most to lose. And the arrogance and the cockiness, I think, is what gets people in trouble more often than not. So it's one thing if you have a bazillion dollars in Bitcoin and you live in a lower-income neighborhood and you just sit there. 
But once you start either talking about the Bitcoin or even just getting really, really, really cocky about your anything, about your life, about your life situation, about what you talk about on forums online, that sort of attitude, I think, tends to rub people the wrong way and opens you up to be a target, whether that's online or offline. Because again, I would say more likely that your neighbor is going to rob you if you show up to your house in a Lambo than some hacker halfway around the world who knows you have a million dollars in Bitcoin. All right. Let's look at three different categories of attack. What can someone do with this database? The first one is the one you immediately jump to, which is a home burglary. Someone breaking into your house when you are not at home or worse when you are at home in order to steal your ledger device or seed. Very, very scary, but also extremely low likelihood of that happening. What can you do to prevent that? I consider the seed phrase to be the tricky part. You know, the ledger device itself is protected with a PIN. I believe it's required. So as long as you don't have the PIN also laying around somewhere right next to the device, then that's going to be safe from a physical attacker. It's keeping that seed phrase safe that becomes a lot trickier. I'm not a fan of simply writing it down and putting it in an obvious location like a safe. There's a million different ways that you can go with this. But if you want super high security around that seed phrase, and you're not going to go down the technical route of using encryption tools, then a place that is really physically secure like a safety deposit box is probably your best bet. All right. So for those who have a mnemonic phrase at home and a ledger device at home and are worried about this attack, possible countermeasures, a better location than a safe that is obvious is a hidden location. 
There are all kinds of devices that you can get that allow you to hide your belongings from fake books to fake power plugs to fake alarm clocks to soup cans to etc. It would take far too long for someone to search all of the possible places for decoy things to find it. Another option is even better. BIP-39, the mnemonic phrase standard, has an optional passphrase capability. Adding four to six English words lowercase separated by spaces as a second factor is a great way to make sure that even if someone steals your seed, they can't do anything with it. Now, another way to fix this is remove the key material from your house. So don't have it at home. And that's actually pretty good advice. Safe deposit boxes can be rented for 100 bucks a year, 150 bucks a year. You can find them at your local bank, credit union. You can also find them at private storage locations. Even finding a storage locker location and putting something there is better than keeping it at home. Any other advice on this? When I was a younger crypto person, when the price started going up, I moved the most sensitive sort of quote unquote documents to my parents' house. They're no longer at my parents' house. But if you are just starting out and you don't feel like you're ready for the commitment of a safety deposit box, think about people that are in your life that are close to you where you can keep something secure. The most important thing to remember, though, is that even family can be pieces of shit sometimes. So you don't necessarily want to tell them what this thing is. But it wasn't very difficult for me to put a manila envelope of stuff with all the other stuff that families tend to accumulate in that file in the corner of the garage covered in spiders. And that's also a good sort of backup mechanism. So one of the things that I hear from people so often is that they don't feel like they're rich enough or important enough to get a safety deposit box or to do this or to do that. 
But just think that there's a lot of things that are in your life that are trustworthy enough. If you set the scenario up the right way, that will keep you safe enough for now as you upgrade and increase your security to the full blown no key stuff in my house. I think the backup part is something that can't be overemphasized. We have very good reason to believe. We're talking about all types of ways that your money can be stolen from you here. But we should not let that overshadow the fact that you are far more likely to screw up and shoot yourself in the foot and just simply lose your keys. Far more likely. Yeah, so having backups off-site away from your house, because really house fires are probably more common than you think. You don't want a single catastrophe to cause you to lose everything because you don't have off-site backups. Yeah, if you want to look into this further, I'm a huge fan of recording or etching onto a steel device. I actually have a demo somewhere here that I use. There's a whole variety of companies that offer steel backup devices. And steel is very important, not just metal. Jameson has done a fantastic series of reviews where he subjects these devices to extreme temperatures and shock cooling and striking and all kinds of other abuse to see which ones keep together and which ones melt, because actually they were made of aluminum and not steel. You can find that on his site, lopp.net, is that correct? That's right, it's on the main page. Yeah, so a steel device can actually also be hidden much more effectively. It can be hidden in places that may be susceptible to water and other things without being damaged. Make several copies of that, spread it around, and if you have a passphrase, you have to back that up too. The next risk we have is the $5 wrench physical attack. 
The $5 wrench idea comes from an XKCD comic that says, is someone going to spend a million dollars breaking your encryption with a cluster of computers, or are they just going to go and buy a $5 wrench and hit you over the head until you give them the password? Okay, before we go into this, I want to also emphasize this is extremely unlikely. It is a very high risk type of attack that exposes the attacker to enormous risks as well, especially in the United States where they get the $5 wrench and they discover the $150 AR-15 pointing at them the other way. So that's extremely unlikely. It's extremely high risk for the attacker and potentially low reward. There really isn't an effective defense against that unless you simply ensure that you do not have access to your own crypto. I do not, and I tell people this, I do not have access to my cold storage. Getting to my cold storage involves travel, airline travel, going to vaulted locations that require biometrics, that have armed guards, etc. I can't get to my cold storage without weeks of effort. For most people, this is not a viable thing. The simple answer is this, you give them the damn Bitcoin. People, it's really simple. Don't lose your life over some stupid money. If someone has gone to the effort to track you down, come to your house, and is now threatening you, your family with bodily harm, you give them the damn Bitcoin. Because they're insane, by the way, because they came at you into your house and they actually have no idea what's inside. They don't have 100% confidence that I don't have a gun, or I don't have a crazy dog, or I don't have, I don't know, a man protecting me, whatever it is, right? They don't know, and yet they still came in. Give them whatever they ask for, count your blessings, and, I don't know, set up a Bitcoin and go find me afterwards. Like, deal with the consequences after, because your life is far more important than any amount of money. Yeah, you can stack sats again later. 
Although, if they did try to go after people on this livestream, we all take our own precautions. And if you ever want to look at this in more detail, Lopp has, Jameson Lopp has some fantastic posts about the physical security measures he takes. He has made it extremely unpalatable and likely unsurvivable for anyone to try to take something from his home. It would require a marine expeditionary force to invade Jameson's house. Alright, extortion. Likely, not very effective, but this is something you can see. I actually saw a message from someone who already got attacked in this way. They received an email that said, I know where you live, give me $500 or the next time you're going to see me there, I'm going to visit you. Okay, 99.999%, this is a bluff, so ignore it. They're trying to make you scared. Any other advice? Well, it's the same email as the, I've been there, I've hacked your webcam, I've been watching you watch porn, if you don't pay me, I'm going to... Is it scareware, you call it, Jameson? Yeah, it's scarier when they actually have some information. It would be kind of like them sending you a screenshot of you actually watching porn. Yeah, well that would be time to pay up. But I think it's just scareware. I think a lot is going to be made of this. And the risk we have is if we all downplay it and somebody actually is victim of an actual physical attack, that's going to lead to shade thrown on the people who did dismiss it. But at the same time, I believe this is very unlikely. I think the people who should be worried about that and the people on the list, whereby they can find other bits of information out and go, okay, I know where Pete McCormack lives now. I know where Jameson Lopp lives now. Right, they're in Bitcoin properly. Okay, right, I'm going to go after them because they've definitely got some Bitcoin. I think they're the people who should be concerned about. 
All right, so this is a valid fear and the human response to fear is fight, flight or freeze. And we have to overcome the urge. Fight is going to cause us to do rash things like send recovery seeds to various places, flight, abandoning hardware wallets or moving to custodial services. That's bad. It turns out freeze actually isn't a bad response. So if you freeze and do nothing, that actually might be a good response. From personal experience, I've been doxxed. Doxxed means people have published my address. I've lived in that address in fear for a few months before I moved. I've been very, very careful about giving out address information since then. Same. But that's not because I'm worried about a random person coming. It's because I have an extremely high profile in this industry, which means that I am realistically a target. This does not apply to the vast majority of people on this list. And so, you know, they're going to go through this list and they're going to go for the biggest targets, the biggest names and the lowest hanging fruit they can find first before they get to you. So it's really not a huge worry in my mind. OK, countermeasures. I think we're ready to go to. Oh, yes. One more thing, which is the fuck off money. Many of us keep fuck off money. That is this is the classic thing if you're walking around a new city in a rougher part of the world. Right. And you have to have some spending money on you. You have two stashes, one, which is the actual money you want to spend. And then you have another one that is if you get mugged, if someone points a gun at you or holds up a knife and says, give me your money, you give it to them. Right. Here's the money. Here's the phone. Just go and you give it to them. And maybe it's not all your money because you have some more in your sock. The same thing applies to crypto. For me, it's a very deliberate and very real equation. My cold storage is inaccessible. I cannot get to it. 
And if I try to get to it, it's going to expose you, the attacker, to huge risk. Here's the money I can give you right now. This is it. It's enough. It's it's it's fuck off money. Take it. Go. And I have cash. Yeah, you can have that, too. I'll give you everything. You can have my phone, my cash and whatever Bitcoin I can actually access. I will give it to you. So keeping a small amount on you that will protect you against this kind of attack is not a bad idea. It's kind of speculative based on how much knowledge your attacker has. Right. If your attacker did a ton of digging and they got a general idea of your net worth and then you offer them something that's an order of magnitude less than that, then you might only make them angry. Yeah. But if you realistically can't access it, you realistically can't access it. So and the only way you can fix that is by making that broadly and publicly known. All right. All of these attacks also have some context around them. Physical attacks are very different in countries in which physical violence is much easier to get away with. Listen, if you live in Sao Paulo, in Bogota, in Mexico City, in Kiev, in a bunch of places where these types of things happen often where kidnappings and burglaries and ransom attacks and physical attacks are more common, then your risk is higher. If you live in North America and the US, Canada, if you live in the UK, if you live in Western Europe, there's a reason why these things don't happen. It's because they did happen in the 1920s and then they developed a series of strategies and tactics that are very, very harsh. If you kidnap someone in the US, the FBI doesn't care about the victim. They will kill all of the kidnappers. That's their policy. Done. Finished. There is no in-between. There is no negotiating. There is no ransom. Kill the kidnappers. If we kill the victim too, no problem. Just kill the kidnappers. That's the FBI policy. Now, attackers know that. 
So they don't kidnap people in the US. It's exceedingly rare. And that works to your advantage if you're in one of those places. It works to your disadvantage if you live in Sao Paulo. That's just reality. Should we move to Section 5 countermeasures as we wrap up this two-hour live stream? I'll take this quick question. I don't think it's going to take us very long. My company's entity name was also exposed in addition to cell name, email, physical address. Does this add any additional risk? Not really. Not really. The really dangerous things are everything else on that list. It's unlikely that you managed to register your company in such a way as to not have all of the other information associated with it anyway. Was it not public before? How did you do that? I registered all of my companies through Mossack Fonseca, but that backfired a couple years back when the Panama Papers came out. If we assume that perhaps their company was one of the anonymous Wyoming, Nevada, whatever companies, and they have unintentionally linked their name to that company name, then that could be a privacy leak. The only way they would be able to fix it is to essentially create a new company. Yeah, that is true. I would say that if that's the case, or if you are in that situation where you do not want your name linked to a company, then do not type your name into an internet form and then type the company name into an internet form, because that is where you linked them. It wasn't the database link. It was the fact that you typed them in next to each other. I just want to bring something to everybody's attention and move away from this question. I think we've covered it enough. Right now, there are about 30 people in the chat, 30 completely new created accounts that are probably bots, that are spamming Telegram phishing links for the ledger attack. Unbelievable. They are attacking right now. They're attacking the chat of this video. 
And because I have it so that you can't actually post links, they're all being held for moderation. None of them are getting through. I'm watching the chats. They are getting through. Some of them are getting through. Do not click on any of the links in the chats unless they come from a moderator. The gumption on those folks. When you were talking earlier about what does this list mean, right? Basically, what it means is now there's a list of people who people know have ledgers. But also, there's a lot to be gleaned about all of your online activity. For example, if you're watching this live stream, one could possibly assume that you have a ledger and that you're scaredy-pants. That's why the phishers go after these chats or use this methodology in this way, is that they look at the environment, they make assumptions on the type of person that you are, and then they target your fears or your greed in that way. Does this mean that the ledger scammers are watching us right now? Probably. Can I send you a message? They absolutely are. They absolutely are. And they've just invaded this YouTube channel in order to fight the message we're giving. It could be one of us on this stream. Yes. That would be better. All right. Okay. Let's talk about countermeasures and other information. There's a question that keeps coming up, which is, is it safe for me to update the firmware of my ledger or update and use the Ledger Live software? I think this is an important question that we need to answer before we move on. Any thoughts on that? Yes, but not from an email that's told you to do it. Yeah. So what Peter's talking about is there's been an email that was circulating yesterday that was an email that appeared to be coming from Ledger that said that due to this phishing attack, you should update Ledger Live and then had a link to malware. So the phishers were phishing using their phishing as an excuse. So how do you do the firmware update? How do you get the software? 
First of all, and this is important to understand, you do not need to use the Ledger Live software to use a ledger. There are dozens and dozens of software wallets that connect to hardware wallets, whether it's for Ethereum or Bitcoin or others. And there are some concerns about the privacy related practices of using the vendors software and what they can glean in terms of which addresses you're interested in learning about. But that doesn't mean that the software is unsafe. If you get it from their website that you verified by typing in or using a bookmark and you are sure that you're at their website, I think it's perfectly safe. So when dealing with firmware updates, you can verify the hash fingerprints of the firmware. But your device would also be verifying a digital signature on that firmware. And there's no indication that the attackers have been able to seize private keys that are being used in the software distribution pipeline. So I would feel comfortable updating the firmware on my ledger right now. I can't tell you what to do. Anybody else want to take that? I don't believe that malware firmware attacks have ever actually occurred outside of laboratory conditions. It usually requires crazy edge case exploit that it's usually a security researcher resembling a pundit. I'll just add on that. No, but Jameson's 100% right. One of the reasons that we see such complex, sophisticated, scary, unblockable attacks against hardware is that there's a lot of security researchers that are going over the top to try those attacks. In reality, they just don't happen because it's way easier to give you a telegram link where you voluntarily hand over your seed. That's reality. The laboratories as security researchers, they do really fun stuff. It's super fun to think about. But again, most likely your loss will come from either you losing your seed or voluntarily giving it up. I mean, it's pretty clear, right? The pattern is don't give up your seed. Yeah. All right. 
So where do you put your seed? You only type it on the hardware wallet itself. Only on the hardware wallet itself. Only on the hardware wallet itself. And then it's like different ones. Yeah. Like not here, not here, somewhere. All right. So you never, never, ever, ever type those 12 to 24 words on any device, any computer, any online system, any website, any keyboard, anything. Don't take a photo of it. Don't put it in a Google Doc. Don't try to encrypt it on a USB drive. Physical recording on a durable medium, multiple copies in different safe locations, and then you only ever enter it into a hardware wallet device directly on the screen using the little finicky buttons that take 7,000 key presses to type out everything. All right. I want to commend and thank the moderators who have been waging a battle on the chat to shut down all of the scammers. Unbelievable. Unbelievable. I've been watching them guys. Sorry. And thank you. People are offering helpful advice on the chat. Like when I ask, where do you put the mnemonic seed, people answer, in your shorts. So thank you for that. All right. This is going to happen again. It's going to happen again because Ledger is not the last company that's going to get hacked. So you got hacked. There's nothing you can do about it now. We're not going to be changing all of our phones, emails, and home addresses as a result of this. We have to be patient and calm. How do we prevent getting into these databases in the future? How do we disappear from the database? And I think this is Jameson leading this answer. Yeah. So the short version for pretty much all of the privacy protections that I've put into play are to use various type of proxies. There's digital internet proxies, of course, to route your internet traffic through third parties so that it's not clear what your home IP address is. 
When it comes to other things like physical mail, you can use proxies like post office boxes, private mailboxes, essentially any address other than your home address. Now, in some cases... Can we expand a bit on that? In the US, there is a whole category of what are called commercial mail receiving agencies or CMRAs. These are private companies that can receive mail on your behalf once you've proven that you are who you say you are. You do that with a notarized form. And then they will scan the front of all of your mail and send you an email showing you the outside of the envelope. And then you can click and say shred it or forward it to another address or scan it for me so I can see it inside. I've been using that now for eight years. It's a godsend. All of my mail goes to one of these facilities, in fact, several of these facilities, and never to my own address. I don't know that these exist everywhere around the world. So you may not be able to find them in your own country. Some countries require you to use your real name. You don't have to. So, for example, let's say you order a widget from Amazon. You don't have to have it sent to you. You know how you can send a gift to your auntie and you can put her name on the recipient's shipping address? Well, you can put a completely fake name and the Postal Service will be quite happy to deliver the package. So I never put my real name on shipping addresses. Yeah, even for signature required stuff, I've never found that to be a problem. I've never had someone actually try to ID me to make sure that the name that I give them matches the one on the package or the signature. And of course, you can sign whatever gibberish you want to. Nobody's checking that either. So I would say of all of the privacy things that I've done, like the real world operational security stuff over the past few years, the hardest thing to really get used to is just straight up lying without even thinking about it. 
If you are dealing with a third party, some sort of company or just someone who you're probably never going to see again, there's really nothing to gain by giving them your real identity. And there's so much to lose. And so once you get ingrained into that mindset, then you stop feeling bad about being dishonest about giving your real name to different entities. OK, so let me give you very specific examples. When I got doxxed in 2013, I stopped giving my real name everywhere. Unless the form says under penalty of perjury, I certify that blah, blah, blah, blah. Or I have just in the last few seconds said, I swear to say the whole truth. Like because I'm in front of an immigration officer, I'm testifying, I'm being asked by someone who I cannot lie to. You cannot lie to the police. That is a crime. But under all other circumstances, Starbucks says, who is this coffee for? Montezuma. I go into a hotel and they say, you know, who should we say is calling? Bob. I order my pizza. It's for Helen. Everything I do, I give a fake name. The person waiting for me at the airport with a car is holding a sign up that says John Peters or Jimmy something. It never does my real name appear on any of those things. The same thing with the address. If you have a form where you are putting in a physical address, you have to choose. It's either a real address with a fake name or it's a fake address with a real name and the address goes to a forwarding agency. It is never both real at the same time. And you can do this simply with things like, you know, I order pizza. Well, I can order the pizza under a fake name to my real address or I can order it with my real name to the next door neighbor's address and wait until someone shows up from a car and say, no, no, it's over here and have them walk one door over. Really, really simple stuff like that. Lie, lie, lie. 
And in some cases, you know, especially things like hotel check ins like places where they actually ID you, then you can at least protect your home address. I usually give my passport because that doesn't have an address on it instead of giving a driver license, for example. Yeah, I think that's an important one, guys. Keep in mind that your state ID has your address on it. Your passport does not. And this comes in handy in a lot of cases, especially when KYC at an exchange, for example. And then the other thing I want to just add on to what Jameson said is, yes, it's uncomfortable to just flat out lie sometimes. But I think there's also this fear, right? Like when a form asks you for your phone number because you just ordered a Ledger, you put your phone number because you're like, well, what happens if I don't put my phone number? Are they going to call me? I don't know. But then maybe I don't get my letter. OK, I'll just put my phone number in. No, just don't put your phone number in. In what universe has anyone ever called you to be like, hey, your package is not going to arrive today? All it does is get put into various databases and get sent literally around the world with your name and your address and phone number publicly displayed on the label. Don't put your real phone number. Make up 20 digits. Just do it. Same with the names. Pretend you're a spy. You get to make up a new name every single day. It's super, super fun. OK, if anybody has an idea on how we handle the fact that the chat has been completely inundated and overrun by scammers, it's gone. It's completely destroyed. We cannot use it. I don't even know how to turn it off now. So I was going to say the only way you can solve it at this point, because we poked the bear, as my security guys said. 
The one thing about the fake names, though, is that if, for example, no one that I meet physically knows my real name, instead of coming up with a different pseudonym for every interaction, I stick to a few so that I don't get confused because it would get really awkward trying to keep track of a hundred different pseudonyms. Yes, I have had that where they go, you know, Latte is ready for John, and I'm like oblivious and don't even realize they're calling my third fake name. All right, so fake names all around. By the way, this also helps with phishing attacks. All of the phishing attacks that happened to me from Ledger came to me and they said, Hey, Peter, your device has been compromised. Peter is the fake name I gave to Ledger. Obviously that's... I use Andreas. Great. So the same thing with the address that I used. It's not an address that I live at. If anybody wants to visit that, they're going to find some other people. Please don't do that. They are innocents who have nothing to do and not involved in crypto. All right, so what's next? Disposable emails. If you don't know how to do this, there are great services out there. Probably the most common one is the service called Mailinator. We'll put the link in the description. This allows you to create a disposable email that you use once. You can use it to verify things. You can even use it later to do some kind of password recovery or something like that. Obviously you wouldn't use that for a service that you care about like your bank or your exchange. What you can also do is you can go and buy a domain that is not associated with you and then create email addresses that do not reveal your identity. So they can be email addresses that are just generic names. So you can be Peter at GreenPastureFarmingDublin.com. So you get a really long domain that nobody's registered. GreenPastureFarming.com. Whatever. And it looks like a regular email, but it's not. You use it only for these services. 
You have a forwarder set up. Anything at GreenPastureFarming.com comes to your correct email address. And so you can keep rotating the thing that's before the at. I do this. Any other advice for becoming invisible? Mail forwarding, phone forwarding, email forwarding, and lying. Did we miss anything? And in a lot of like a lot of different identities. So when I first started just flat out lying about who I was and whatever, I wasn't 100% comfortable with doing like the throw away. Right. So I was like, I might need this later. It took me a while to get over the fact that like you never need it later. But whatever. Is you can just spin up emails in a whole bunch of different identities and then use those and you can reuse them. Just understanding that those each identity you make is linked to its other activities. So like one of my first like fake identities, if you go on how I've been fond, you'll see been fond a whole bunch. But that's OK, because it's all the same fake identity. However, like the more identities you have, the more comfortable you get doing this. And the more comfortable you get just like throwing them out there into the world and realizing that it's not going to have any bad repercussions in the future. The better off you're going to be in the long term. That's what's important. So fill the databases with junk. Yeah, that's a good start. And, you know, this is one of those bottomless rabbit holes where if you really want to go to the extreme, then you can't have any publicly registered stuff under your real name. And that was the hard part for me was getting all of my property not owned by me legally, but owned by other entities that are tied to me. But that that legal tie is not in the public domain. And and really the hardest thing that I ran into was the driver license issue. And unfortunately, in most states, that's going to result in you having to set up a quote unquote legal residence that you don't actually hang out at. 
So these things can get really expensive, especially if you end up having to hire attorneys and trust managers and all of that stuff. You should try the driver's license now with COVID though, because I currently have a valid driver's license that's completely invalid because the DMV is not open. I'm sure that you could probably do the same. Well, I'm pretty reluctant to say this publicly, but for the past 10 years, what I've done is whenever I have been on the verge of moving to a new address, which at some point was every year, I would renew my driver's license with proof of address the week before leaving, have the address that I'm about to leave on, then live at the new address until one week before leaving with an address that is wrong on my driver's license and the week before leaving, renewing, proving my new address and then leaving again. And so that just left a trail of dead end addresses. And this was during the time that I had been physically threatened. So it was a necessity for my own security. And that's how I never, ever have my actual current address. They're all the legal addresses that I lived in, but they're the legal addresses that I no longer lived in once they appeared on the license. And that's one way to do it. Of course, passwords, passports don't have addresses on them. You know, once you start down this rabbit hole, as Jameson said, there's a lot you can do. You also realize how much the world is designed to try to pin you down and find where you are and what you did and who you are. And a lot of it's completely unnecessary. Security theater has nothing to do with security. And people just mindlessly follow these rules for no reason whatsoever. And if you just stop answering the questions truthfully, nothing really happens. And that's a very, very important insight. We are out of time. And by that, I mean, we've already gone more than two hours. So I think this is a good place to wrap things up. 
Unless anybody has any final thoughts they want to add, I'd be happy to hear your final thoughts. I would just say that if you are out there and you have crypto and you're concerned about your specific situation and your like how you can be secure and stuff, please don't go on Twitter where you have 10,000 followers and tell everyone your specific situation. Maybe DM someone in this group for assistance or come up with a new identity and then tweet it out and something. I see it so often where people are like, if I put my seed in my shoe and walk around the city with this zip code, am I OK? And I'm like, well, now you're not. Don't do that. That's great advice. And of course, it's important to also let people know when your financial security situation has changed. Now, most people don't know that just last week, Taylor, Peter, Jameson and I all boarded a beautiful yacht and went on a fantastic evening dinner cruise. And for reasons that are unclear, we all brought our cold storage with us in order to exchange security tips. And then a very unfortunate boating accident occurred, leading to the sinking of the ship, the loss of all of our cold storage. And so we're going to be doing a GoFundMe to recover our Bitcoin. Are we going to mention that it was Taylor's drink in the corset? Are we going to mention what? It was Taylor's drink in the corset. Yes. She was drunk. She was drunk and she was loose. It was a mess. She decided she wanted to drive the boat. We actually do have one serious question that I see here that I want to answer. What can I do if I accidentally clicked a phishy link emailed to me? I discussed this with other people on Twitter last week or maybe a couple of weeks ago when this was happening. As far as we can tell, none of the phishing emails that have been sent out or the phishing text messages have unique domains or URLs in them, meaning that they can't tell who clicked. 
The biggest risk with something like that is if you click, you verify that you are gullible and that you were on the list and that can lead to more phishing attacks. If you don't follow through, if when you go to the site, you don't do anything, you don't give them the seed, there is very, very little likelihood that anything bad happens. I would recommend if you want to increase the security of your browsers that you look into a script blocker. ScriptSafe or NoScript are two very popular ones. The bottom line is that if you visit a website you've never visited before, it by default does not load any of the JavaScript or cookies that are on that site. When you first run these, it will break everything. You have to tell it, no, no, I trust Google. Okay, no, no, I trust Spotify. I trust the New York Times. And you go through and gradually it knows all of the sites you frequent and they all work because it loads the script. But when you click on a link that instead of taking you to ledger, takes you to ledger with an accent, it's never seen that one and it will actually block all of the script. That's a very good defensive mechanism to protect yourself. But as far as we know so far, none of these websites had any malware or anything that could attack a browser that's properly updated. So I wouldn't worry about it. If you clicked on this link and you didn't give your seed, nothing happened. As a general rule, phishers are not going to have the sophistication to have like a zero day browser exploit that can then take over your entire computer without you actually downloading and running an executable. Yeah, so that's generally a good protection. Do we have another question we need to queue up? Let me see one second. Sorry. It's been a lot of work. The moderators have been going crazy trying to stop the bots and it almost looks like the bots have been silenced. I may be tempting fate at this point. Very good. We've got a question for Peter. 
Peter was supposed to have an interview with someone from Ledger today. What did you think of them? Would you buy from them again moving forward? Yes, I would. I'll tell you why I would. Look, it wasn't great what happened. I've had my data stolen from Adobe. I still use Adobe. I've had my data stolen from Mashable. I still read their website. I've accepted data theft as just a part of everyday life. It can happen due to incompetence. But most of the time, I think a lot of these companies aren't trying to do the best they can. I think we need a competitive market for hardware wallets. I think if you've got a multisig, you at least want a Trezor, a Casa, and a Ledger. A Trezor, a Casa, a Trezor, a Ledger, and a Coldcard. Plus also, they kind of all take swipes at each other. And the fact that they take swipes at each other makes them all have to work a little bit harder to do a better job. And so I think to lose Ledger would be actually very bad for the industry. I think they all do things differently. I think Coldcard is probably the safest. I think Ledger probably has the best UX. I think Ledger and Trezor do a bit too much of every coin ever. They all do things differently, but I think it's healthy that we have them all. And yeah, I think we should actually support them. I know that sounds stupid. A lot of people within Bitcoin like to take people down and ruin people's lives and cast them and destroy them if they make one mistake. But I actually think we should promote them and help them and be positive towards them. Because I think the industry needs a vibrant and competitive market for hardware wallets. Yeah, we could all argue about whether Ledger handled this the best possible way as a post-incident response and communication platform. And I have some qualms about that and I've expressed those. But that has nothing to do with whether they were doing as much as they possibly could for securing their sales database. This could have happened to anyone. 
It could happen to me tomorrow. They could, and part of the advice we would give to any company, is try to minimize data collection. So they could have purged that database, collected less information, et cetera, creating less of a honeypot. Yes, coulda, woulda, shoulda. The bottom line is that none of this really impacts the design and security and fundamental principles of the device itself. A Ledger hardware wallet is an incredibly secure, quite well-designed, tamper-evident, tamper-proof, in fact, device with a robust secure element, with a very tight user interface, well-designed firmware. And I would say that for the top five or six hardware wallets comfortably, they're all very well-designed. Some have different features. Some are open source. Some don't have secure elements. Some have better user interfaces. Some allow more coins. There's all little differences. But the bottom line is this. The difference between one hardware wallet and another hardware wallet pales in comparison to the difference between having a hardware wallet and not having a hardware wallet. You are always better off having one. And when people ask me which is the best hardware wallet I should buy, I say sort them by which one can ship fastest and you can buy directly from. Really? Because every day that goes by that you don't have one is worse than the difference between one or the other. Do not just abandon hardware wallets. If there's one lesson from this, you will not be doing yourself a favor. Do we have another question? Yes. Could the value of my home drop because of this data breach? No. No. Depends on how you advertise it. If you can say at this home back in 2020 when Bitcoin was only $24,000 an OG lived here. In fact, the price of your home could skyrocket because it could become a historical artifact. You know when they have those little plaques that say Benjamin Franklin, you know, stayed here for two nights in 1822 or whatever the fuck. That's it. 
I already saw about the Taylor. All right. I lost. Taylor had lost her first seed phrase somewhere in this house. Oh, that's a treasure hunt house. Even better. That would really be popular. We also have our first scammers on the chat who are saying that they got Bitcoin from someone on the chat. So there is novel phishing going on. And that's all of the questions we had for today. I cannot thank you enough for jumping on at the very last minute and doing this as a public service and tolerating my tangents and the crazy people on the chat. It's always a pleasure to talk to all three of you. I have enormous respect for the work and the contributions you've all given to the space. Thank you so much. Anybody who has more questions, please add them in the comments. We're going to be responding. Look in the description of the video for additional links and information. As soon as we end this livestream, this video is going to become available for you to watch again. And if you like this work, please do subscribe, share, like and comment. All right. Thank you, everyone. Have a wonderful day. Bye bye.
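Added example, not part of the livestream and not code from any of the participants or from Ledger: the catch-all-domain trick discussed above (one address per service, a forwarder collecting everything at the domain) done so that the alias itself tells you which service leaked it. Each alias carries a keyed tag, so someone who has one alias cannot guess the others, and sender domains are compared in their punycode form so the "ledger with an accent" look-alike from the phishing discussion can never match the real one. The domain, the secret, the expected-sender table and the two sample messages are hypothetical values constructed for the example.

```python
"""Per-service e-mail aliases on a catch-all domain, with leak attribution.

Everything here is constructed for illustration: the alias domain, the
secret, the expected-sender table and the two sample messages are made up.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

ALIAS_DOMAIN = "greenpasturefarming.example"          # hypothetical catch-all domain
ALIAS_SECRET = b"replace-with-a-long-random-secret"   # hypothetical per-user secret

# Sender domains each service is expected to mail from (assumed values).
EXPECTED_SENDERS = {
    "ledgershop": {"ledger.example"},
    "pizza": {"pizza.example"},
}


def _tag(service: str, secret: bytes) -> str:
    # Keyed tag: someone holding one alias cannot forge or enumerate others.
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:12]


def make_alias(service: str, secret: bytes = ALIAS_SECRET,
               domain: str = ALIAS_DOMAIN) -> str:
    """Alias to hand to exactly one service, e.g. ledgershop-3f9a...@domain."""
    service = service.lower()
    return f"{service}-{_tag(service, secret)}@{domain}"


def parse_alias(address: str, secret: bytes = ALIAS_SECRET,
                domain: str = ALIAS_DOMAIN):
    """Return the service this alias was given to, or None if the address is
    not on our domain or its tag does not verify (guessed or forged alias)."""
    local, at, dom = address.strip().lower().rpartition("@")
    if not at or dom != domain:
        return None
    service, dash, tag = local.rpartition("-")
    if not dash:
        return None
    if not hmac.compare_digest(tag, _tag(service, secret)):
        return None
    return service


def normalise_domain(domain: str) -> str:
    """Lower-case ASCII (punycode) form, so a look-alike such as
    'lédger.example' can never compare equal to 'ledger.example'."""
    return domain.strip().lower().encode("idna").decode("ascii")


def triage(raw_message: str, secret: bytes = ALIAS_SECRET,
           domain: str = ALIAS_DOMAIN, expected=EXPECTED_SENDERS) -> dict:
    """Classify one inbound message by the alias it was addressed to."""
    msg = message_from_string(raw_message)
    to_addr = parseaddr(msg.get("To", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    service = parse_alias(to_addr, secret, domain)
    sender_domain = normalise_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    if service is None:
        verdict = "unknown-alias"      # not an alias we issued: drop it
    elif sender_domain in expected.get(service, set()):
        verdict = "expected"           # mail from the service we gave the alias to
    else:
        verdict = "leaked-or-phish"    # only that service had this alias, yet mail came from elsewhere
    return {"service": service, "sender_domain": sender_domain, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = f"""From: Orders <orders@ledger.example>
To: {make_alias('ledgershop')}
Subject: Your order has shipped

Tracking number inside.
"""

SAMPLE_PHISH = f"""From: Security <security@lédger.example>
To: {make_alias('ledgershop')}
Subject: Your device has been compromised

Enter your 24 words at the link below.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_PHISH):
        print(triage(sample))
```

Run as a script it prints one verdict per sample: the shipping notice is "expected", the accented-domain message is "leaked-or-phish" for service ledgershop, which is the attribution the conversation is after. In practice the forwarder rule on the catch-all domain would call `triage` on each message before deciding whether to deliver it to the real inbox.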