Okay, I believe we're all here.
Hi, this is John with CASA.
Thank you for joining us for today's Travel Security Q&A.
This is a perfect time for this discussion with Bitcoin 2022 happening next week
and many of us traveling down to Miami for a little sunshine
and some good old Bitcoin shenanigans.
And there's some other events coming on in the next few months
that we wanted to give you some insights about how to prepare for.
And so Ron and Jameson, if you could give us a brief intro
of why you're so knowledgeable about security.
Thank you.
Sure. Thank you, John.
So my name is Ron Stoner.
I'm the head of security at CASA working with the team
to help architects secure solutions, provide secure advice for our customers,
and just architect great products for our customers in the community to use.
I've been a hacker most of my life, starting in the phone system
and then playing around on computers
and not expanding out into the physical security realm
with lockpicking and pickpocketing
and all of the great things that we worry about on a day-to-day basis.
So my interests very much lie in all things security and circumventing systems
and kind of using the rules of the system against itself.
That's where my interests lie.
And we spoke about this last year for the Bitcoin 2021 conference,
and it seemed to be very well received.
So I'm excited to be speaking about it again this year for Bitcoin 2022 and beyond
because we actually did see some attacks and some use cases
and some things that happened at Bitcoin 2021 and other conferences.
So providing some updated information and keeping people safe is what I like to do,
and I'm excited to be here speaking with you all today.
Throw it over to Jameson for an introduction.
Hi. Yeah, I have been working full-time in Bitcoin private key security
for eight years now.
So that is my primary exposure to all of this space of watching attacks happen
and watching people suffer from catastrophic losses.
And I wasn't really a hacker or an adversarially minded person
before I got into this space.
So I've kind of been molded through trial by fire
of all the crazy stuff that's happened in Bitcoin during my time here.
Great. Thank you both.
So I wanted to start at the top and just ask,
why is traveling such a major security threat to Bitcoiners?
In my mind, travel alone is a security threat in itself
because you're in an unknown environment
and you're interacting with a lot of different people
and systems and transportation networks.
And it's very easy to get scatterbrained while trying to maintain all of the details
and awareness of your personal self and security as well as your items.
So travel alone is already a big undertaking for some people.
And depending on who you are and how visible you may be,
it's a little bit more of a risk.
And now when we talk about the Bitcoin marketplace,
criminals and scammers, you know, they know that there's money behind this.
They know that there's conferences going on and after parties
and different social events and meet and greets.
And they know that there's also going to be things like alcohol
and illicit substances involved, right?
Everybody likes to party and have a good time.
But while you're doing that, you may not be paying as much attention
to your awareness, to your surroundings.
It's easier to become distracted because you're carefree.
And generally when we're traveling,
we're a little bit looser with our inhibitions
than we are when we're at our home or when we're in our general locale.
So it makes it a little bit more risky.
Our space is a very vocal space where people love posting their pictures
and tweeting about things and meeting up with people.
So it's not hard for me as a hacker and an attacker to do those searches, right?
And to look for that public information to determine where are you
and who are you interacting with and how much are these people worth?
And, you know, how much can I, how can I leverage them?
What can I do to lean on them to appeal to their emotional state
or their good nature in order to benefit me as a malicious attacker?
So, yeah, there's the security issues of actually being at the event,
especially if you're going to what's essentially a honey pot
that's going to attract a lot of attention.
Then there's the actual act of traveling itself.
And one thing that we get a lot of questions on
are especially issues of border crossings, going through security checkpoints,
really anywhere that you don't have a reasonable expectation of privacy
or security where, you know, theoretically anything that you have on you could be searched.
So there's some extra considerations there,
especially if you're traveling with crypto assets that have value.
You know, I would say don't travel with private keys
that have a substantial amount of value around them in the first place.
But sometimes there are people in situations where they are basically a nomad
and they spend their entire life traveling.
And that makes it really tricky to try to come up with good security models
for someone who basically has to, you know,
carry their whole life and savings around with them.
Thank you.
And today's format is going to be relatively loose.
If you have a specific question,
feel free to raise your hand and we'll have them answer it.
And I'll continue to ask questions as we go.
So how are the risks different if you're traveling internationally
versus domestically, say, to Miami for this conference?
I think it's a different risk model,
where if you're traveling domestically within the United States,
you really only have to worry about the differences in state-by-state laws.
You're still under the federal laws of the United States.
But when you're traveling internationally,
we're dealing with things now like customs and seizures and declarations.
And it gets very tricky.
Anytime you're flying with money through an airport,
I think you need to be careful.
But anytime you're flying with money or value internationally from airports,
I think you need to be doubly careful in that regard.
So it's different risks for the use case.
And I would be worried about things like hardware wallets or electronic devices
or the things I need to interact,
especially if I'm a little bit more of that digital nomad,
worried about those things being held up or seized or searched
or never possibly seeing those again.
That would be more of my concern with international travel.
Yeah, I mean, it's tricky whenever we start talking about international stuff.
Mainly because every country is different.
There's different jurisdictions, different laws, different customs
that you have to deal with.
And it becomes hard for us to give specific recommendations
without necessarily knowing every country
and what it's like traveling through any given border checkpoint.
So I guess the short version is, especially if we're talking about Bitcoin security
and privacy and whatnot,
the simplest and most straightforward way to protect yourself
is to just not have anything on you in the first place
that you have to worry about being seized.
And I think to that point, if you're going to a Bitcoin conference
or you're thinking about transacting in Bitcoin,
limit your amount of risk and exposure.
Don't take your entire stash.
Don't take three of your 305 multi-sig setup.
Don't take those keys with you.
Take a very small amount.
I'm a person that loves Bitcoin poker games, right?
So maybe I have a very, very small hardware wallet or lightning wallet
or something with a very limited amount of sets
that I know I'm going to be using to transact.
But if a worst case scenario happens and I lose that device
or something happens where the funds are at risk,
it's not game over for me in that instance.
It's very limited with the amount of risk I took.
Do you have any suggestions for the best way to carry
or spending Bitcoin when you're at a conference like Miami?
I don't think, number one, you wouldn't want to advertise.
And I always laugh at some of the conferences
when I see people checking their balances
because there's a lot of shoulder surfers.
So I'm the type of person where I don't use it unless I need it,
and I use it at that point in time.
I'm very aware of my surroundings and who's around me
and what cameras are looking at me
and what privacy I have at that moment.
And then I also like some of the different features that apps have
with doing things like hiding balances or needing two-factor
or limiting the amount of spend you can out of an account
or having to wait list certain addresses for spend.
So depending on what features and what products you're using,
you may have some additional security steps you can take.
And then I've heard of other people doing things
like they may have an encrypted backup
and they download the app when they need it
and sync to that encrypted backup.
So that way the app's not necessarily on their phone
at the time while they're traveling,
but they install it when they need it
and transact and do what they need to do
and then uninstall it and move on.
I would caution people with that though
because you do want to ensure you have proper backups
and you do need access to those backups.
So you are taking some risk by doing that as well.
So it's kind of different risk models
and methodologies for different people and use cases.
And I think depending on the amount you're traveling with
and what you intend to do with it
is going to really drive your security paradigm and posture.
Okay.
Are there any threats or tactics from attackers
that you would be looking out for
at this year's conference in general?
I think one of the things that we saw was
someone last year got into a taxi
and basically the taxi cab driver kept asking
or coming up with reasons to get to their phone.
So I guess short version is
I would protect your phone at all costs
because generally phone is the most important device
that we have on us.
It tends to have access to basically every part of our life
and at CASA we had a client one time
who was drugged and had his phone taken
and they basically used that to clean out
exchange accounts and stuff.
And attackers know that if they have access
to things like your email address,
which generally you have access to that on your phone,
then often they can use that to get access to everything else.
And even I guess more sophisticated people who have 2FA,
in many cases that's either an SMS-based 2FA,
which of course the phone is going to have access to,
or even if it's a time-based rolling code 2FA,
you're probably using a phone app for that as well.
So your phone can easily become a single point of failure.
Another thing I think we saw was people being attacked
while they were getting in and out of taxis.
Miami specifically has a lot of weird scams
with taxis doing double charges or charging you more
or their readers don't work.
So they do all kinds of weird things
that distract you to get you to double pay.
But we've also seen things where people were getting in the taxi
or the Uber and their phone's unlocked
and somebody runs up and snatches it.
So at that point your device is unlocked
and if they get it, they're going to immediately go
to your exchange accounts or whatever you're transacting with
or you look for your wallet software
and try to transfer that stuff out as soon as possible.
There's really like four or five pertinent attacks
that people should really be aware of
when they're interacting with people around the conference.
And some of these are classic pickpocket attacks,
but the first one I call bump and grab,
where basically there's a distraction
where you're bumped into by people on a busy street
or somebody spills something in front of you
and you back up real quick
and the three people behind you bump into you.
Now just stole all your stuff.
They pickpocketed you when you were distracted
and because your attention was focused on the thing in front of you
or the person in front of you,
that bump into the back of you felt natural,
but you didn't realize that things were being lifted off of you
at that point in time.
Other variations of this are people that try to be friendly with you
and come up and give you a hug
or they touch the back of your neck
or your arms or your hands.
And what they're doing, some of these pickpockets and thieves
are extremely skilled where by doing that,
they know the different nerves and pressure points and touch points
that distract you and gain your attention.
And this can be a romantic hug.
It can be a friendly hug.
It could just be mistaken identity.
Hey, Bob, come here and comes up and hug you real quick, right?
They're going for your watch.
They're going for your rings, your wallets
and sometimes your phone or your computers in some cases.
I saw an amazing attack in person once
where a lady walked up to a gentleman at a conference
and everybody at the conference was wearing badges around their neck
and went up and gave him a hug.
And when she walked away, his badge was gone
and did not realize that.
So there's very crafty people doing these bump and grab attacks.
They also do a variation where they try to distract you
where there was a woman who was seeing somebody,
she was dancing with him, met him that night
and was dancing with him on the floor
and he was able to separate her from her purse.
She left it back at the table at the booth.
And most people would say, you know,
I would never leave my purse in my wallet.
But if you're inebriated, if you're having a good time,
if you're meeting somebody and you guys are clicking,
you're not going to be on alert as much.
So while she was dancing with this gentleman,
he was distracting her and his friends were rifling through her purse,
taking all of her stuff.
So that's kind of the distraction technique.
And then they also do things with like map scams
where they walk up to you on the street with a large map
or a sign or an advertisement.
Or if I wanted to get people at a Bitcoin conference,
I would have a clipboard that says, you know,
sign this to say Bitcoin should always be proof of work
and we'll send you a thousand sats, right?
And while I'm standing in front of you with that clipboard
and you're standing there signing it,
my hand's under the clipboard going through your purse or your bag
taking all of your stuff.
And you're distracted because you're thinking you're getting sats
and you're fighting for proof of work
and you've got this clipboard in front of you,
but you don't know what's going on behind it.
So be aware of that if they're asking you to point things out on a map
or help them with directions.
And then I think the last stuff is like the ATM skimmers.
It's a classic attack.
It's been around for a long time,
but it's better and more prevalent than ever
because the technology gets better.
They start getting molds and copies of all the ATM equipment.
And it's gotten to the point where it's, you know,
you can walk up and you can tug on the skimmer,
but it may not be going anywhere because the devices are that good now.
So limiting your risk and your exposure to that stuff, you know,
traveling with limited amounts of money
and being aware of these types of attacks.
You know, I don't want people to be paranoid,
but having this awareness and this education
so when that person is standing in front of you with the map
and you go, oh, Ron said something about this,
let me make sure I'm upping my awareness for a couple of minutes
so that I can get through this situation.
And then we can go back to enjoying the conference.
So what's the best way to make sure you don't get pickpocketed?
Are there certain types of pockets?
Should we get zippered pockets?
You know, what's the hardest thing to lift items from?
They actually say you shouldn't keep anything in your front or back pockets.
If you're traveling with money or with stuff,
I'm a fan of the money belts,
the ones that actually attach to underneath your shirt
and stay close to your chest.
Things like that where they aren't standard storage areas.
But, you know, maybe I'm not putting everything in there,
but my very, very sensitive stuff or my cash
if I'm traveling with a large amount at that point
or maybe I'm coming out of the casino and I just want a large amount,
I'm not keeping that in my front pocket.
I'm going to be looking for belly belts, money belts,
those types of things that they actually make
that are purpose-built for that.
Yeah, I'm actually a big fan of money belts.
My grandma gave me one a long time ago
and I haven't tried to put an open dime in it,
but it's worth a shot.
The next question I had is about something
that we've seen a little bit recently.
I don't know if this is Miami-specific,
but we're seeing a little bit of some spearfishing
taking place of people being targeted.
What should you do if you're being followed,
say, coming out of a party or a cocktail hour?
I think you can do some steps to make your chances a little bit better
and your odds better to begin with,
and that's, you know, use the buddy system.
We referenced that before where if you're traveling in groups of people
and you have friends with you,
you're not as big of a target as the sole person.
If you're stumbling out of the club and you're raided by yourself,
you're a way bigger target than if you're with a group of people.
If you do feel like you're being followed,
my immediate advice is just go to the nearest police station
or security guard or security center and say you need some help.
Don't try to be crafty, don't try to do weird things,
because you may try to take a corner into an alley
and there's a brick wall at the end of that alley.
So if you do feel like your life is in danger, you know,
call the authorities and try to get to them as soon as possible.
Otherwise, I think being with friends and being aware of these attacks,
having a general awareness of how this stuff happens and when it happens,
but also not making yourself a big target.
And it's hard in this industry and it's hard for people
not to necessarily celebrate wins and want to gloat a little bit,
but the more you do that, the more people do take notice.
And the scammers take notice as well.
On the subject of don't make yourself a target,
I have a little bit of a story to share about my experience
at last year's conference that I think could help people at this year's conference.
So last year, I got a whale pass on the cheap.
And when you checked in, they gave you a bracelet that said whale on there.
It looked a lot like, similar to how they had bracelets that said speaker.
But what's interesting about wearing something on your body that says whale
is people would come up to you and immediately know that you're a so-called whale.
And I don't consider myself a whale by any means.
But there was one woman in particular at the conference while I was there
who approached me and she said that, oh, oh, it's so nice to meet you.
She seemed super intrigued by me and really wanted to meet up later.
And she kept touting the fact that she knew Michael Saylor
and she could get me to meet him at some point.
And she really wanted to meet up with the both of us.
And she asked for my phone number and she was insistent about it.
And so what I ended up doing is I just gave her a fake number and walked away.
But I would suggest to others that I'm not sure exactly how the conference
is handing out badges or things like that.
But what I ended up doing after that experience is I still had my whale wristband
so I could get in and out of stuff.
But I had other wristbands on top of it so that I could cover it up
and only reveal that information when I was getting in and out of places.
So that's just a suggestion.
Ron and Jameson, has there been anything else that you have learned the hard way
at, say, an event or conference in the past?
I think I relayed the story about how I saw a person get free admission
by pickpocketing the badge off someone.
That was an interesting one that kind of blew my mind a little bit.
And those are going to happen in those big touristy areas
because they know people are on vacation and they're walking around.
I've met people before at conferences and they've used my name without meeting me.
And I look down and realize, like, oh, you dummy, it's on your badge, right?
There's your first name and your last name and where you're working at.
So it's things like that where you're at a conference and things are different.
You may not realize you're walking around broadcasting when in reality you actually are.
How did that actually make you feel, John,
when you realized what she was kind of doing with her scam?
It was interesting.
I picked up on it immediately because I'm a married man.
And I understand at this point if I'm at a Bitcoin conference
and a woman's really intrigued by me, she's not intrigued by my personality.
And so I happened to be in a conversation with somebody that was fairly young.
And so I kind of used it as a teachable moment to him.
And I just kind of told him, like, hey, look, I did not give that woman my real number.
Watch out for things like that.
But it definitely kept my head on a swivel after that.
Yeah, you bring up a really good point, too.
I think the most more popular documentaries recently on the Netflix app are
The Tinger Swindler and then Bad Vegan.
And the similarities between those is they both use novel romance scams
where you either meet somebody at the conference or they're on Tinder
and you guys decide to grab a drink or meet up and learn more about each other.
And maybe this person is also into crypto or Bitcoin.
And it's like, oh, my God, this is amazing.
Here's this amazing person.
And I'll say this goes for men and women and everything in between as well.
It doesn't matter who you are or what your makeup is.
If they know you have money or they want to scam you, they're going to try to do it.
And they're going to try to appeal to things to heighten your emotional state and distract you
and to get you making mistakes and not thinking clearly.
And it can even go as far as where these people are extremely professional,
where in the Tinder Swindler documentaries, they weren't asking for money.
They weren't trying to get the prize, right, the bounty from their scam until a month or two later.
So they establish rapport with people.
And the people you meet, this doesn't even have to be novel romance scams.
It could be, hey, my name's Ron and I work for Bitcoin Co.
And I want to partner with you guys because I love what you guys are doing.
You know, here's my card or here's my name and number.
And most of that stuff is legitimate.
But if I'm a scammer, I could just blend in with everybody else.
And now I've got a gateway directly to you or your company and a false pretense to operate under.
So I do definitely suggest people watch some of those documentaries
and read about previous scams and how some of these professional thieves work
and the lengths and extent they will go to to fleece people that thought that they were smart
or otherwise thought that they could not be fleeced.
I don't have any great personal stories that come to mind, though.
I've certainly heard a number of stories and roundabout ways of basically, you know, the long cons, as it were.
You know, I think especially the more professional folks who are looking for big paydays, they're patient.
And, you know, they're willing to put months of effort into something if it might be a jackpot.
And so, you know, just forming initial relationships that they can then foster over a long period of time
and try to build up more trust to the point that they can basically execute something
that otherwise would have been tough to do with someone who had no idea who they are.
That's the type of thing you've also got to guard against.
It's not, you know, obviously there are going to be the crimes of opportunity, the people who will just want to, like,
grab your phone and try to get any money or information off of it as quickly as possible.
But it runs the whole gamut.
You've also got the people who are willing to put months, if not years, into the long con.
So, yeah, be wary, be suspicious.
The thing about cons, too, is the best ones never let the people know that they're being conned.
So it can even be something as a very innocent conversation of, you know, I don't think this would ever happen
because I know how he operates.
But if someone came up to Jameson at a conference and started asking him a bunch of questions about CASA
and then immediately comes to me and says, oh, yeah, I'm friends with Jameson and I know about this, this, and this,
you know, they're using that information to pivot and to establish false pretense.
And it falls into the realm of social engineering, which is getting access to information and using that information
and to ways that people don't think that you're using it, getting that out of them and getting them to do things
or using that to build a pretext and false pretense.
So you do have to be careful because something as an innocent two-minute conversation may be getting up information
that is then going to be able to be used against another target or even more further pivoted for more information
for an even bigger scam.
Excellent point.
I'm going to come back to that.
But I just we just got a question from the audience.
Guess who?
Do you have a question for Ron or Jameson?
Yeah, I appreciate the panel here.
It's a really interesting topic.
And I do have a question.
It might be a little specific use case, but I know Jameson just kind of brought it up at the beginning of the conversation.
Being mobile.
And here's my kind of specific use case.
And I wonder if Casa might be able to assist, not specifically on this call, but, you know, following on.
So without giving out too much detail.
So we're going to be leaving the states as a family and traveling overseas, moving permanently.
So just trying to figure out based off of some of the concerns that Ron and Jameson just brought up about getting through,
you know, customs and things like that and traveling with your private keys and hardware wallets and things like that.
So just trying to think through some strategies.
And I was wondering, you know, if Casa supports or helps customers who are looking to kind of make that transition and, you know, become a bit of a digital nomad,
but dropping everything, you know, the safe has gone here, all that stuff and going to be mobile.
So it's a concern is moving across border.
Yeah, we've definitely had clients who have moved and had to think about, you know, how do I actually move my keys so that, you know,
I don't have like a threshold of spending keys that are easily accessible in one specific location at the same time, you know, that could be compromised or lost or whatever.
And of course, there's a variety of options, but, you know, it really depends on, I think, what you're doing more long term.
So when it comes to just like an initial move, there are ways where, you know, if you're in a multisig setup, you can basically move like one key at a time
and make multiple backups of keys and either ship them if, you know, you have encrypted backups so you don't have to worry about packages getting intercepted.
Personally, like if I was moving and going across borders where I had to go through security checkpoints, I would not want to be like carrying actual key manager devices with me.
But I would probably have an encrypted backup of a seed that, you know, even if the data itself got seized or whatever that I knew they won't be able to access it.
So, you know, once again, it's hard to say without, you know, specifically knowing what borders you're crossing because I know like there are certainly some jurisdictions where if you refuse to decrypt your data, then you could find yourself in a sticky situation.
Fair enough. I know it's a big world and there's a lot of variables and specifics, but going to Europe is our final destination. So from the States to Europe.
The other thing I would consider too is making sure that you can source new hardware devices in your new location in case you ever have a failure or breakage, or if you do get through the border and you still don't feel like you've got that full sense of security.
You could sweep them into a key rotation or move those to new addresses just to get that, you know, final step to say you know there's no chance that these funds could ever be moved.
But again, I think it also depends on the amount of money in your risk profile and your experience with actually moving and traveling.
Yeah, good points. Yeah, appreciate it.
Okay, well thank you. Gave me a lot to think about and some ideas to kind of move forward with. Yeah, this is one of those situations where it certainly warrants longer discussion and you know we have people who are happy to talk with you privately about any specific questions or other complexities that you have to deal with.
Yeah, yeah, I think, I think I might be reaching out to kind of say her, the team. And, yeah, take it offline. But, alright well thank you again guys I don't want to overtake the conversation, so I'll just sit back and listen.
Thanks again.
Our pleasure and good luck with the move.
Stan added you to the stage to have a question for us.
Yeah, you can hear me.
Yes. Okay, yeah, thanks for putting me on here so it's kind of similar to the previous, the previous gentleman but I work for an organization that requires me to like move every, every two or three years.
And it's just kind of comes down to, like, I don't feel like I have a choice but I have to keep the hardware wallet on me whenever I drive across the country or fly across the country to wherever I'm going next.
So is the answer here just try to hook up a multi SIG just to reduce the like attack vectors here before doing that or what's kind of your guys's recommendations, as far as frequent flying and when you have to do permanent moves.
You're currently on a single hardware wallet Stan if I, is that correct. That's correct. Yeah.
I think, depending on.
It's going to be dependent on how static your location is.
I would definitely look into multi signatures, if you have locations that you can trust that you can get back to. But if it's something where you can't get multiple disparate geographical locations that you have easy access to.
There could be some other things for your specific use case you should be looking at like maybe some seeds or backups or some of the other different things that are out there because everybody's use case is different.
So, you might want to look at that but I would be concerned about that device being compromised or stolen.
I don't know what model it is but there are some local physical attacks and things for older firmwares. So that would be the concern there is like fixing that portion of the security first and then looking a little bit further down about what else can we tweak to make this better for you.
Okay. Okay, yeah, I appreciate, I appreciate the answer.
And of course, you know it, it really depends on how frequently you need to actually access your funds. And in many cases, you know, it makes sense for people to have different levels of security because each level of security is going to have a corresponding level of
convenience. So, you know, we certainly see a number of clients who they'll, they'll have some funds that they will keep just on a hardware wallet, sort of like pocket spending money, then they'll have a larger pool that has been like a two of three.
So it's still pretty easy for them to access if they need more liquidity, and then they'll have the like super duper cold storage three or five highly distributed solution that they may not be touching.
Yeah. Yeah, I guess in terms of how often I need to use it I pretty much isn't needed just to create new addresses when I like DCA into it. That's kind of like why I probably use it more frequently than, than as ideal I just try to get it off the exchange
as much as possible but not can see how you have the different tiers there as well so something to consider. Yeah, and also you know if, if you're, if you're really an accumulation mode and you're not spending, then it's actually quite easy to create watch
only wallets that you can generate the receive addresses from you don't even need to have the private keys you don't even need to have your hardware device.
Yeah, I'm not spending it's just DCA and putting in cold storage so well can you say that again what's that called watch only. Yeah, yeah, what do you want is a watch only wallet, and it's pretty easy, especially if you're already using a treasure
cold card or whatever. There, there are various wallet software out there that make it pretty easy for you to essentially create a watch only wallet. You know you could look into something like Electrum or Spectre desktop, where you can just, you can plug in
that device to initially create the wallet, and then just unplug the device and you'll be able to continue generating receive addresses without having the device on hand.
That's great. That's great. Thanks a lot. Thanks a lot.
Thank you, Sam. So I have a, I'm going to change the subject a little bit to networking at events. We touched on a little bit of not making yourself a target and being careful on what types of information should people consider not sharing with
strangers at these conferences.
I always like to train people to not reveal their last name and their place of employment.
It's not hard to like identify people and try to match their like this, but what you're basically doing when you do that if I say, you know, my name is Ron Stoner and I work at Casa, you can Google that you can Google my first name my last name, you can Google my place of business
information. But at a conference, right as a Bitcoin conference, we're all Bitcoin fans. So I can be there as Ron, Bitcoin user, Bitcoin fan, right, and I don't have to disclose that I actually work in the industry.
I don't have to disclose that I'm a security guy, and I actually like doing that because it's funny to see how braggadocious people do better what they talk about and then how they change their tune when they realize you're a hacker or security professional, but they show their
mindset with everybody.
So, like, when I'm talking to people, that's what I do is I use my first name and I'm here as a Bitcoin fan, you know, where'd you travel from the United States, right, we're in the United States, the East Coast or the West Coast, what state what city in the state.
I'm not going to go that far, right, I might say I'm in the Midwest and that's as that's as comfortable as I want to get disclosing my location, because I'm not giving you my state I'm not giving you things you can look up to me.
What I don't advise people to do is I don't advise them to lie, because deceit is very hard to keep up. And the longer you have to do deception and trickery, the more of a facade you have to put on and keep all the details straight.
And unless you're very skilled in this and trained in this, we are not very good at this as humans with the amount of body chemistry and tells and different things that we do and tricks that we play.
So you don't want to get caught in deception or lie because you're going to lose all of your credibility, and you're not really gaining anything from that.
So I like to actually take a like a trickle truth type of approach to this where I'm not giving you specifics or details, but we are able to converse and get a general idea of who's who.
And then as I'm doing some of my verifications and trust checks and different things that I do as a security professional, I can start opening up a little bit more about myself and my intentions and what I do if I'm comfortable doing.
That's a really good point. In fact, I have a friend of mine that works in the film industry, and they have a version of that to where they just don't say they work in the industry at all, because if they if they let it be known that they work in the in movies, they'll have they'll get inundated with scripts.
So, what information could you actually, yeah, what information would you be feel perfectly fine saying
at this point for me I'm public so I would probably have a different conversation than most people, but I think I would be comfortable saying I'm a user and a fan because I'm at a Bitcoin conference right so maybe you could pretend to be the person that's there for educational
aspect or you're learning or one on one, but I'm worried that then that's going to open up the scammers to jump on you at that point and try to guide you in the wrong direction.
So like I'm comfortable detailing the information it doesn't open me up or my family to personal attacks, I'm not going to give you my home address, I'm not going to tell you my balance.
I'm not going to tell you my security setup. But if we want to talk about the Bitcoin or video games or how cool, you know, some of the personalities are, I'm more than willing to jump into those types of conversations.
Pass that though it depends on who I'm talking to, and what the purpose is.
Good deal. So I'll shift gears to outside of the event when you're at a hotel or in an airport.
What are some best practices, do you like to keep up.
I don't like to use phone chargers and community chargers. That's a big one I think we touched on the article, where it's very easy for me to build a Raspberry Pi or a microcontroller on a charging table.
And while it looks like your device is charging, I could be sending all kinds of different exploits or commands to enumerate your system right give me more information.
So I always worry about that I always bring my own personal chargers, my own cords, my own power bank. I turn off things like airdrop and file sharing.
I don't keep those on unless I actually need to use that functionality.
Especially when I'm in public places I like to do a device health check sanitization, where I go through and look at all my settings to say is Bluetooth on is Wi Fi on is my Wi Fi setup to connect to open access points, or am I restricting it only to my
home Wi Fi. Do I have generic names in there like Starbucks or AT&T Wi Fi, because as a hacker I've stood up fake wireless access points that are called Starbucks and AT&T Wi Fi, hoping that that was in your list of access points.
So that it could connect on the name and get to my access point instead of where you were trying to go. There's a lot of other magic and trickery involved there but in a very simplistic way. That's essentially what's going on.
So those are the types of things device sanitization health check, being aware of my location so doing some of the research about where you're going and what are the common scams and what is the temperature, the political climate, is there protests going on actively.
There's been a lot of crime reports. Recently there's a ton of neighborhood apps and crime apps that you can go on to help do some of this open source research and arm yourself a little bit, a little bit better.
Any, any tips for simple one is, I would never connect to really any Wi Fi network without a VPN, you just, you don't know what they might be monitoring.
Something that we haven't touched on quite yet is, is a phone numbers. And I mentioned it a little bit in that anecdote I gave earlier about this malicious actor looking for my phone number, why shouldn't we give our phone number out to people we meet.
I, I don't want the calls. Number one, and I've made the mistake of going to the conference where the every salesman scans your badge and your badge on your registration information on it.
And I've had to burn email accounts and phone numbers as a result of that because you get sales calls and leads for four years. So that's the first reason I don't do that.
The second is my phone number.
But if you look at a lot of banks and things like PayPal and different sites and registrations.
Some of them force you into that or gate you into it, or they keep that information on file whether you gave that to them or not. Once you log in with that and it pulls your registration or pulls a centralized registration from some identity service.
It's associating all that information with your an account with your account. So as a scammer, it's very easy for me to call up one of the three or four big phone services and go, you know, this is john my SIM cards not working.
I'm going to put this in my house here on the account so I can try to get back into my account where I'm missing a work meeting and our customer service reps going to feel bad and do that.
And the second I have your phone number, I'm immediately going to go to Google and Facebook and Coinbase and all the top 10,000 Alexa websites and say text me a reset code and try to take over all of your accounts that way.
Even with proper security health practices, your phone number, unfortunately, is associated with a lot of things, whether you want it to be or not.
And not having that awareness of what it can be done with it, what people can reset with it, whether you're taking those steps those hygiene steps or not. It's just another layer of protection by protecting that information.
Hey Ron, some tip that we gave people sometimes in travel security content is using a pseudonym when it when it suits you.
Ron or Jameson Do you have any experience working with pseudonyms Are there any like best practices you worked, you figured out from using them.
Yeah, every day. Um, I think this really kind of goes back to what Ron was saying earlier with, you know, not coming up with just outright lies or outrageous stories or whatever they're like the main thing when it comes to having a pseudonym or
alternate identity is you need to pick one and stick to it. That was one of the mistakes that I made early on a few years ago was using like multiple different names and backstories with different people and it very quickly became onerous for me to try to keep
track of so I consolidated to one and my backstory is very believable because it's not far from the truth so you know I can I can speak pretty eloquently and sound like I know what I'm talking about and that you know the backstory is real and believable as a result of that.
So, you know, you shouldn't, you shouldn't come up with a backstory of being in sanitation management or whatever if you don't know anything about that area, because you never know when you might run into somebody else who is interested in that same thing and then they start
wanting to have a deep dive discussion and it gets really awkward when you don't know how to converse in that language.
I think it's situational dependent and depends on how much prep work you've done.
If I'm ordering a pizza and they asked me for the first name or I'm in a deli or waiting on something, you know I give them a fake name all the time that's fun, because all they're going to do is call it out when your orders writing or say your pizza is here, you know,
Satoshi, but if you register for your hotel room under Satoshi Nakamoto and then they ask you for your ID to confirm that you are, there's no way for you to pass that check, unless you're signing away the original Satoshi coins and then, yeah, there's other stuff happening
there. But what I would say is, be careful with that because how many people also are going to be using the name Satoshi at a Bitcoin conference, right so you can cause confusion, you can cause issues with it.
I think it depends on what you're doing it and what you're doing it for. As I said, anytime I'm in a public place and I know they're going to call the name out.
You can use a fake one for that but if you actually have to use something that corresponds to your legal physical identity. I would be careful about that unless you have the paperwork and the identity and all of that stuff in place prior to be able to prove that.
Otherwise you eventually will get caught in the deception. That's a very awkward conversation to have when you're saying your name is Jeremy and it's really Bob.
Awesome. Thanks for sharing. I wanted to remind the audience that this is open q&a so if you have any questions, feel free to step up to the stage. And so, what are some, what would be a tip that isn't so obvious to people that don't work in the space.
When it comes to being in a bar being in a party being in the being on the yacht.
How can you stay safe and say not get roofied or something like that.
Well, first of all, I would recommend not going on any boats.
I actually don't recommend going anywhere that has limited exit options.
The other other stuff is, unfortunately just fairly common advice, which is you, you have to be mindful of your surroundings, and it's, unfortunately it's it's challenging to do especially if you're intoxicated one way or another because you're walking a fine line there
of not being able to keep track of your surroundings and then of course it being possible for for someone to take advantage of that.
I think the biggest thing that people don't realize in the industry and outside of the industry is how easy it is to locate someone when they're giving you partner information.
So that would be a good time to go rob them. I see a lot of people post on Twitter that they're going to the Bitcoin conference and they're really excited and that's that's great I don't want to kill their good times.
But I can make a very short list right now of all the people that I know are probably going to be in attendance there. If I need to try to get in front of them or I want to make something happen.
Right. So the scammers are doing that too we're giving out free information and we're telling people where we're going to be.
The other thing that really scares me is people post pictures you know I got my picture with Andreas I got a picture with Vitalik all this stuff that you see people doing.
But they don't realize there's hotel names in the background or restaurant names or street signs where they're tagging themselves.
And I can go look that stuff up super super easily. If it's in another language, I can use Google Lens and translate it on the fly.
Some of your phones and these social media sites have what's called exit data EXIF and it's data about who owns the phone and what model is it what was your GPS coordinates when that specific picture was taken where is the location of that picture.
So if you don't know that your phone is not stripping that or the site that you're posting this stuff on doesn't strip exit data when you upload it.
I download the picture and I run an exit tool and now it gives me your GPS your longitude and latitude. And if I'm in the area how long is that going to take me to go to the location where you're physically at or to try to get there and determine where you're going next.
You know after party at the club. Well I know you're going to be there. I know you're probably going to be drinking and I'm going to be there too. So what's up.
That's the stuff that really scares me when you take pictures when you share this stuff. Do it after the event. You know I've had a great time at the conference. Here's my pictures that I took.
And we've gotten in the habit of like real time updates on Instagram and Facebook and Twitter and all this type of stuff. And that's really really scary when you've got an evil person on the other side trying to figure out who are you and where are you and how do I get near you.
Thank you both thoughts attitude at the stage. Do you have a question for the panel.
Yes, first of all thank you everyone for all the good advice and learning a lot and that's great.
I have a question that relates to moving to a different location permanently from one continent to to a different one. Let's imagine that from Europe to Latin America, for example.
And, and let's imagine that this person is absolutely alone. So multi sig is is an option, but then you would have to make trips back and forth, I guess.
What would be the best option for them. Let's say if they want to move their whole stash, which isn't called storage from one continent to another.
I don't know that you necessarily have a good option, because it sounds like in your situation you need to move a quorum of keys and be vulnerable for that amount of time and risk seizure of the entire key set versus not taking it and not having access to it.
So I think if it were me and I was doing a one time move like that. I would probably put my cost account in the lockdown to ensure that nobody could access or use it during the time of my travel.
I think in my instance because I'm a paranoid security professional, I'd probably figure out what quorum do I need in order to rotate the new hardware once I got to my location and figure out how to do that in some way where I'm not risking my entire key center access to the account.
While I was in transit or travel.
Would you do an emergency, would you have an emergency contact in that case.
Well, the idea is to be able to bypass having an emergency contact like this would be a plus to have one. But what would someone do if they if they didn't want to even use that.
Also, and maybe this is this is a crazy idea but I'm asking.
What about memorizing something and destroying the hardware wallet and buying a new one, once you're on site.
So memorization is interesting because I see it get recommended a lot and I think the short version is, I am very afraid of memorization for anything other than a super emergency purpose of, you know, like, you need to get out of an area with very little
notice.
And and that's your only option, like you don't have any other way to securely travel with it.
I would, I would, you know, it's a single point of failure if that's the only place that the seed phrase exists.
You don't want yourself and your brain and your memory and whatnot to be a single point of failure.
You know, for.
And once again, this this really depends on a number of factors like can you go back and forth multiple times do you have like a mailbox in the other country that you can ship stuff to and be sure that it got there is like, you know, if it was me, and I think I touched on
this a while earlier with a similar question but if I needed to securely move private key data across borders and really long distance and wanted to do that in a way that I was sure could not get intercepted and and compromised, then I would probably
encrypted data containers that I would then put on various forms of media and I would I would send those because I could be sure that, you know, if the if the media itself got intercepted that an attacker couldn't actually do anything with it.
But, you know, this, I think comes down a number of other variables such as time and your ability to verify that the data got to where you wanted it to go so you know basically you, you need to have some sort of integrity checks on the other end.
So that would be tricky to do if if it's only you and you can only travel, you know, back and forth one time. So, you know, there's a number of variables here.
Thank you very much. Got it. Thanks.
Neo I just add you to the stage. Do you have a question for the panel.
I'm going to add somebody else up here.
Yeah, I was sorry I was immune.
No worries. Go ahead. Yeah, we've seen in the last few years.
A lot of companies are well that, you know, companies and others that, although they haven't been breach.
They used third parties marketing companies that they actually stole data right marketing data emails names phone numbers.
Information names but we all know who they are. And it happened with Shopify.
It happened with active campaign.
It just recently happened with some other company.
So what's the best course of action, if it happened to you. When you get that email saying, you know that your information basically ended up in somebody's hands right, would you change your email automatically when you change phone numbers.
Obviously this happens a lot. You continue to have to change emails and phone numbers all the time. So, you know, I'm guessing maybe using aliases.
And, you know, layered phone numbers that forward to another phone numbers that you never share the real one that could actually be helpful but I would like to know your take on that best practices.
Yeah, we actually published a blog article in the similar reaches happening with a wallet vendor and a lot of people's personal information got exposed.
And they've been seeing scams scam text and scam phone calls as a result of that and even a lot of cases physical letters mailed to their home.
So we published a blog article on what you can do when that stuff kind of happens on and you do you have to migrate off of stuff right if you don't want to keep getting getting getting annoyed because the information is out there and once it's out there you can't take it back.
So you do have to move to new emails and new phone numbers. But in reality an ounce of prevention is worth a pound of cure. Right. That's the same.
I think Jameson said that a few times. And what we're talking about with that is like you can actually do things so that you anticipate these breaches happening so that when they do it's not your personal information or, you know, everything in the basket is being exposed.
I have many different disposable and burner email addresses that I use specifically for different sites and forums and banking and all kinds of different various use cases so that if one or two of them ever gets hacked or breached.
I'm not losing everything. I'm not relying on one or two email addresses, and then I can burn the one that was breached and migrate and move off.
The other thing people should do Troy Troy hunt the security professional Microsoft runs this website have I been pwned with a pin.
And you can go check your emails to see if they've ever shown up in these data breaches. And that may explain why people are seeing scam calls or how do these people know about this email address or this phone number, because it's the information that you give to the various
third party sites and services that get stored in databases, and depending on the security of those databases that information is eventually leaked right it's breached and sold and leaked.
And that's where these scammers are getting all of these leads to be able to perpetuate these types of digital scams. So by doing some prevention with using pseudonyms and disposable different email addresses and burner emails and things like VoIP numbers,
you know when that information does get exposed, and it is when not if you're minimizing the risk and mitigating it and that's really the name of the games is risk mitigation.
Yeah, thank you. And I do take that seriously and right now I'm assuming that whatever I put my email and phone number is going to be stolen by somebody.
So by starting from that assumption, I think you can, you know, take better decisions. Now, if I have time for one more question, I don't know if you want to address it. I've seen this in many conversations lately.
Sometimes we get too cute with security measures to the point where sometimes we lock ourselves out right or maybe we set up this complicated multi-sig settings and then something happens to us and maybe we haven't
left recorded to our wives or, you know, whoever, and then they are no longer able to figure out. So what's the best practice? I don't know if you have any article that talks about this.
If, you know, not only it's suffice to know it ourselves, but also to train our significant others to be able to access if, God forbid, something happens to us.
I think I'll let Jameson think about some of this, but it's a huge concern for CASA and part of the reason why we exist. The big reason why we exist is to help people with things like key recovery and rotation, multi-signature rotation that people have never migrated from a multi-signature key set.
And even more recently, things like inheritance. We're always talking about those, looking at how can we help people, how can we build products to make it easy because the inverse is you can learn and try to do all this yourself, but eventually you do see some limiting factors
where it gets too technical and complex to where you've architected this insane system that's just going to fail by design to begin with.
So we like to keep things simple, full-proof, leverage properties of the protocol, but looking at products and making those types of things easy for people because doing it yourself is hard and eventually you do hit some stop-gap where it's like, I need to give somebody this in clear text or else, you know, if I get hit by the bus they can't get access to it.
And that's security versus convenience and the trade-off there.
Yeah, so CASA offers inheritance planning with our premium tiers where you have either five or six different keys, and we're happy to help onboard a significant other or family member or whatever as a named beneficiary on your account and also help them understand how it all works.
And I believe that basically the way that we're recommending doing inheritance these days involves having your executor keep an encrypted copy of one of your keys.
We make it very easy to create that encrypted copy, and then they'll also have access to a hardware device.
Come again?
Hello?
Ah, I guess we were still in the middle of answering questions, but anyways, the final point being CASA has a key which then we can authenticate with your beneficiary with our own protocols and basically asking for a copy of the death certificate, at which point you'll have three signatures that you can then have a sufficient threshold to spin from the account.
Hello?
So I would like to ask a question.
I'm a lawyer, and I've recently gotten into trusteeships regarding crypto, so I currently run a series of trusteeships in Singapore and other locations for clients, you know, in Asia, and it is hard to explain them how it would actually work.
So, one thing that clients would naturally ask is how does the trust trustee themselves not actually have access to it.
Now one of the arguments could be it happy a family member, correct, of that person, and maybe of the trustee, and perhaps their own personal lawyer, each of them would add phrases right.
However, it should be said that what happens if the trustee himself dies, typically speaking when trustees hold some form of access, let's say if it's to a bank vault, like a key, the trustee himself does not actually hold that key.
The bank of that trustee, meaning the bank that they work for, let's say if it's like Namor or whatever it is, they have their own vault inside the bank, and then the person who would replace a trustee then acquires possession of that key, but still in the vault, right.
So they're still doing that job.
I'm a bit unclear about, at that level, how to implement something like CASA.
So there are clients of billions of dollars and hundreds of millions of dollars worth of crypto, for example. The difference between having stocks and things like this is that when they die, it's very clear how that trustee would execute the ordinances of the trust and distribute that to other countries' bank accounts where that beneficiary would be, right.
For a variety of reasons, stocks are held under particular names. There's a clear understanding of local banks that would also be the local trustee for that person, how that would work.
But in the case of crypto and something like CASA, it is somewhat unclear. Currently I see clients using exchanges, and they have their own login.
So what they would do is they would basically give the login details to a lawyer, and the only problem with that is if there's two-factor authentication and they can't get into that person's phone, then they have to call up the exchange.
And then for some of these countries, like in Vietnam, it's okay because the exchange is a small enough world where if a bank calls the exchange, they can figure it out. But if it's an international trustee and obviously CASA is not in that situation, how would this type of thing be resolved?
I mean, it sounds like you're basically asking about having a sort of a succession list for trustees, which is certainly possible to do from a technical level.
You can have, depending on how you have the keys set up, you can either have multiple copies of the keys or you can have keys placed in places like safety deposit boxes that have their own designations of successors and beneficiaries and whatnot.
Well, it should be said one of the reasons why having it in a safety deposit box, let's say in Singapore it can be tough, is that let's just say the client dies, then the trustee opens a safety deposit box up and takes a seed phrase.
I think a lot of clients might feel uncomfortable with the idea that that person actually has access to just that seed phrase rather than having it in some form of distributed manner.
Again, you know very well that if it's a case of stocks, you can't, the trustee has no authority to actually transfer stocks on their own volition to someone's account because it requires a number of, I'm sure you've worked at a bank maybe before, the number of signatures required to pass things through the traditional financial system is quite ridiculous.
You have the operations side, then they have the compliance side. There's a lot of eyes that will look at an email and have to approve. And I think that's more the issue rather than succession. I think the issue of having it in a bank vault doesn't really solve very much. If not, it would make things probably much worse.
Well, to be clear, you would only have one set of keys there. You know, you don't want any single person to have a spending threshold of keys at any point in time. So the whole idea is that you do have multiple signatures from multiple, preferably disinterested parties.
But you know this is, I think, part of the complexity that can throw people for a loop because there is a lot of flexibility and in fact I mean the design space for how you can set this stuff up is so huge that it can be overwhelming and I'm not sure if we have any clients in Vietnam.
Would it be possible to do it? Well, it's not a question about Vietnam or Iceland. I don't think there's anything to do with it. Would it be possible, for example, to do with an insurance company? I mean, if there's any kind of institution in the world that would be capable of handling this type of process, it would be an insurance company.
Like AIG, for example, would have a crypto insurance unit whereby the trustee, all they have to do is call the AIG and then they would basically distribute that crypto to the beneficiary.
That would seem like a pretty clear way of doing it and that works a lot for, you know, when you have life insurance, right?
Yeah, it's technically possible and we've also had clients who have had, you know, an attorney or, you know, the firm, for example, that is expected to be executing the estate may hold a key.
Unfortunately, it comes down less to what is technically possible and more to what these various entities, institutions, trustees, whatever, are personally comfortable with.
And, you know, it's such a new thing that, you know, I think the default response is, you know, I'm very wary of any liability that I might take on by entering into this.
That's a fair point.
Diddy, did you have a question for the panel?
Yeah, thanks, guys. Thanks, Ron Jameson. This is all helpful.
Question I had real quick is just around QR codes. I'm not talking like payment QR codes or trusted wallets, but I know at these types of conferences, there's just QR codes abound for a lot of things.
So I'm just curious to get you guys' thoughts on, you know, just best practices around security and, you know, just blindly using your camera and signing things or taking pictures of the QR codes.
I think this, I hear this a lot and I get people's trepidation with that.
The thing you'd be worried about is like maybe there's an exploit or state in the QR code that the second your app reads it, it can exploit your phone. I think the bigger risk was that you could hide URLs and stuff in there and some QR apps and cameras and readers.
When they would read the QR code, it would just auto navigate to the URL.
So if I put a bank phishing website or it's one that looks like your app login page, maybe I can get you to put your credentials in there or get your IP address or load some JavaScript trackers on your phone or your browser or your desktop.
That was more of the biggest risk. A lot of the new phone apps and stuff when you take a picture of the QR code, it actually tells you the data that's in there.
And I use different QR code readers that show me the data like what's actually encapsulated the QR code just because I'm a big nerd and I like doing that anyway.
And even I myself have put like bitly links in there that Rick roll people and then just put up random QR codes in public, because I know they're going to scan them and be like what's this thing and click it.
So that's the real risk there is navigating to a link and it's the same thing like clicking a link in an email, an unsolicited email. If you don't feel comfortable doing that, then you probably shouldn't just go around scanning QR codes and clicking the links there.
Or, you know, calling the number. It's the only one I've seen is they put a number like an 800 number or some cold charge number to another country where you pay exorbitant rates.
They just try to keep you on the phone because you scanned it and your phone picked up and said, you know, call this number and yes, see what it was.
So those are the things you really kind of want to watch out for there.
Do you have anything to add to that, Jameson? Have you seen any other QR code weird stuff out there outside of that?
No. You know, QR codes are also really limited in how much data you can even pack into them in the first place.
So I think that also really limits like how malicious you can really get.
But, you know, maybe it's just something that hasn't been sufficiently explored yet.
Cool. Thanks, guys.
I think I saw an article the other day talking about QR codes and with AirDrops being a way to gauge somebody's location.
But at the conference, they'll know your location anyway.
But that's just a practice to be mindful of with AirDrops in general.
If you accept an AirDrop and it goes to your wallet on your phone, they can use that to learn about your location via IP address.
I wanted to give everybody one last chance to to request if you have a question.
And then but in the meantime, I'll go ahead and tell people a couple of things.
So we've got an article on our on our blog, blog.keys.casa.
It's an article by Ron Stoner, which is our travel security guide.
And it has lots of tips for going to Bitcoin 2022 and other conferences.
We talk about we talk about VPNs.
We even talk about door braces for your hotel rooms.
And yeah, it's a great place to get to.
You could print this out and take this with you and use it as your little cheat sheet when you're traveling to conferences.
And then the second thing is we'll have a CASA booth in Bitcoin 2022.
So drop by and say hello.
We'll have members of the team and you can learn all about CASA and ask your security questions.
So, yeah, thank you so much.
And I'm not seeing any other requests, but thanks, everyone, for joining us.
And Ron Jameson, do you have any final thoughts?
Yeah, I think the goal of this is not to scare people and have you walking around level three paranoia all the time being like, who are you and what do you want?
Why don't you try to take the money?
That's not how we should live our lives.
I think the goal of more of this is to educate people and to drive awareness of how this stuff happens and some low level steps you can take just to protect yourself.
A lot of these instances, it's making yourself not as big as a target as the other guy or the other person, right?
You don't have to outrun the bear, but just outrun the next slowest runner and the bear is going to eat them.
And I hate to say that with scammers, but this stuff's going to proliferate until the end of time.
And the more we highlight it and put it out there in public and tell people this is how they're pickpocketing you, this is how they're scamming you, this is how they're fleecing you, the more we can highlight that, the less it's going to be able to occur.
And that's the goal, right?
I think one positive aspect of Miami is that it is a fairly flashy place with a lot of nightlife and people showing off.
So it shouldn't be hard to stay below the radar as long as you aren't putting on anything like expensive jewelry, designer stuff, whatnot.
You'll be able to blend in with the nerd crowd pretty easily.
Well said. We have one last question. I feel like Billy Moyes, but wait, there's more. So BitCasey, do you have a question for Ron or Jameson? And this will be our last question.
Yeah, hey guys, thanks for all the awesome info. Going back to what you were saying about the phone numbers, are you guys familiar or have you vetted a tool for generating phone numbers, sort of aliases that would forward directly to my cell phone number, similar to a simple login for email addresses?
I don't know. So CASA is not looking at anything like that currently. It's an interesting product or pitch to develop something like that.
I use VoIP phone numbers that I've had for a few years now, and a lot of those have automatic forwarding for text messages and number forwarding.
So if I need to get a number, those are the numbers I'm getting out and using. Not very many people get my actual real phone number.
And most of the time, anything I'm giving out is always going to be masked and obfuscated by some other VoIP number or forwarding service. And I don't have any good recommendations for you.
The free ones are free because they artist your data, right? You're their product and your data is their product. And then the ones you have to pay for, I usually look for people that aren't big on advertising.
The same thing goes with VPNs. When I do VoIP and VPN, I always look for more of the little guy that's not the big fish in the pond because the big ones that advertise that you see all the ads during the Super Bowl and on the radio,
those are the ones that have the backdoor agreements and all the access. And those are the ones that are keeping logs and sharing the data with the people that are trying to control and pry into your life.
So anytime I'm looking for those types of things, I always look for the smaller unknown kind of niche player in the industry because generally those are the ones that actually take security a little bit more seriously and privacy a little bit more seriously too.
There is a virtual phone number service that has mobile apps that supposedly make it really easy to generate new ones.
I can never remember what it is. It's recommended by Michael Bazell in his Extreme Privacy book. And the only reason I don't use it myself is it doesn't run on my phone operating system, which is too locked down.
Perfect. Well, thank you everyone for joining us and safe travels to Miami or wherever you're headed. And in the meantime, don't trust, verify.
Thanks everyone. Stay safe.