In this episode, I speak with Jameson Lopp, a cybersecurity programmer. He is the CTO and co-founder of CASA, which is a fascinating multi-signature Bitcoin wallet, and an editor for the BTC Times. Jameson was a perfect guest for the show. Not only is he serious about the use of technology and programming to help people achieve privacy and self-sovereignty, but he takes his privacy quite seriously outside of the digital world as well. This began when Jameson was the victim of a swatting attack. He has told this story on many forums and I have linked his own account of the event in the notes of the video version of this show. Basically, several lowlives became upset with Jameson online and managed to find his home address, most likely through the myriad people's search websites that plague the internet today. They called in a series of threats to the local police and this led to Jameson's entire neighborhood getting shut down. Fortunately, Jameson was not in his house and the situation was resolved amicably. This has not been the case in other swatting events, where people have actually been killed. It's a dangerous thing. In the aftermath of this event, Jameson went to privacy extremes, spending tens of thousands of dollars to hire lawyers, set up trusts and holding companies, and really getting off the grid in a serious way. I talk to him about these techniques and then we gravitate towards digital and crypto privacy techniques. This is one episode you don't want to miss. Jameson Lopp, welcome to the Watchmen Privacy Podcast. How are you doing? Not bad. Always a good day to talk about privacy. Absolutely. I must say, Jameson, that you are an ideal guest for this show. You're a crypto guy and we're going into a month of crypto coverage here. You're also huge into privacy. You've done a full reboot, which we'll discuss, and you promote privacy, but you're also a down-to-earth guy. You're interested in making privacy and crypto available and accessible to everyone so you don't have this personality or elitism as some in the crypto and especially the cybersecurity community have. Thanks. It's kind of a weird stance to be in to be both pro-privacy and a somewhat public figure promoting privacy. It certainly throws some people for a loop and seems antithetical. The best way that I can describe it is that, sure, if I wanted even stronger, better, perfect privacy, then the obvious solution is I would just delete myself from the internet and never talk to anybody. That's how you achieve perfect privacy, by not ever leaking any information. But I have chosen what I believe is a more difficult path to follow because I still want to be able to share my knowledge. I want to be able to continue to leverage my reputation. I want to be able to continue to build and interact with people. To do that while still retaining what you would consider to be the more important and more sensitive aspects of your life that you want to keep private is definitely a challenging thing to do. Yeah, for sure. That's definitely the paradox of being public about privacy. I also wanted to recognize your website, lopp.net, L-O-P-P dot net, which is just an incredible resource for people interested in Bitcoin and crypto. It's one of the best resources out there. So I would encourage people to look into that lopp.net. I wanted to start, Jameson, with some practical things we can discuss regarding your privacy reboot. Quick summary, of course, you got swatted. Kid got access to your physical address. He called in essentially a SWAT team, which coordinated off your neighborhood and caused all kinds of havoc. It was very costly. And you decided at that point to take your property and such out of your real name and put it in the name of trusts and LLCs, presumably, and things of this nature. From that, and my first question was, how did this kid, how did he find your physical address? I don't know exactly, but I can tell you that anybody with 10 or 20 bucks who was willing to go to one of the dozens of public people finder engines would have been able to find it. It's just sort of the nature of how the modern economy works, that you own things, you create accounts with many different services. And then any of those that are in any way connected to sort of the credit system and the financial system, they end up all getting aggregated together either by credit reporting companies or by other shadier data collection and reseller companies. And so at the end of the day, if you're going about your normal life operating as everyone else does, then the default is that your name and address will one way or another get correlated together and become fairly public or easily accessible information. So while I don't know exactly what tool was used, I found out in hindsight that it was not too difficult at all. And in fact, it may have even just been a simple Google search, because I had been living in the same place for over 10 years and leaked out my name and address to thousands of different entities. Basically, you were out there using your real names and using your real name online. And it was a matter of just going to one of these hundreds of very, very shady people search sites and getting some of this information that has been collected from all kinds of things, voting records, all kinds of databases, some of which are public. It's just the nature of the internet that as you go about your business, as you're browsing the internet, as you're interacting with hundreds and thousands of different machines and companies around the world, that you are leaking information like a sieve, if you're not very careful about what you're doing. And ultimately, as we were saying earlier, that information all gets aggregated, collected, disseminated, sliced and diced a million different ways, and it will get used against you somehow. Now, maybe it'll only get used against you to try to sell stuff to you, but maybe some more malicious person will try to use that against you in innumerable other ways. I wanted to, before we get into more of the digital privacy stuff, just get a little bit more about your privacy reboot. You dealt along the way with a lot of lawyers to help you set up the legal entities to own property and this and that. You said that you've spent around $100,000 on the whole endeavor. Looking back at that process, which as you said, not a lot of people are going to do, but for the people that do want some idea of this, what is some advice and general observations that you took away from that whole legal experience? Well, I mean, the first thing you need to recognize is that this is a very uncommon path that not many people walk. And so when you then are going out and trying to find service providers, whether that's lawyers or other just semi-trusted people to act as proxies for various aspects of your life, that you're going to encounter some friction and you're going to probably have to talk to a number of different people before you even find the right fit, either the person or company or entity or whatever that is willing to work with you, because it'll probably be a novel thing for them. And in general, people don't like having to learn and do new things. That was something that I ran into both on the privacy side and on sort of the whole aftermath of the swatting incident and trying to find justice for myself with that, because that was, once again, another type of legal path that not many people go down basically trying to prosecute their own case rather than having state-based resources doing the prosecution. Right. And that was a very interesting story of you tracking down this guy who did that to you. And I'll put links to both that and your ruminations on going through this extreme privacy reboot in the notes so that people can take a look. It's quite compelling information. Now, when some people do this kind of complete reboot, they'll, as you said, they'll run into some problems because the world is not designed for people who don't have things in their own name and all the rest. And I'm just curious if, for example, credit reports are something that people who have done reboots or who own various things in the name of various entities, they sometimes have trouble getting access to their, just something as simple as their credit reports. Have you had any trouble with that? Are there any things that have come about as a result of this privacy reboot that you hadn't thought of and that have been a little bit of a hindrance for you? For sure. And I probably won't even remember them all. But if you are going for extreme privacy, then you obviously are going to have to make sacrifices. And there are certain things that are just simply incompatible with privacy. One of those is ownership of any publicly registered assets, so houses, cars, whatnot. Voting is incredibly antithetical to privacy, at least in the United States, because that creates public records. And you'll have to think about how you want to even manage your own persona and your relationships with your neighbors, for example. And so I took that to the extreme and I said, well, basically walking away from my existing neighborhood and moving somewhere new. And because I can't trust anybody not to leak information, I have to tell my neighbors that I am some completely other identity. And then I have to get used to that. And that was one of the bigger things is really building a new persona and being able to stick with it. And it's almost like putting yourself in a witness protection program. Yeah. Back when, before I had done some of this stuff myself, I remember getting a note on my door one day and it was addressed to my own name. And I realized that one of my neighbors who is just trying to get in touch with me about something in the yard where our yards kind of connected, they had just gone to the local records that are available and they saw my name attached to the house and there you go. So, but let me ask your, and what you said also reminds me of a good Robert Frost quotation, he says, fences make great neighbors. So what about utilities? Do you have any advice for people trying to get utilities not in their own name? Yes. So, and I should have mentioned this as well. Like one of the other major sacrifices that you have to give up with extreme privacy is credit. Credit is based upon your personal history of your financial dealings. And it's also extremely antithetical to privacy because that data gets disseminated amongst many different entities. And then almost anybody else who wants to can then basically pull your information. And I do on a regular basis, I have not only my credit report, but basically like an entire rundown on my identity pulled by private investigators, not only from public databases, but also from semi-private databases that you generally have to be either law enforcement or a private investigator credentialed person to get into. And I basically just do that to check up, do a health check and make sure I haven't been leaking anything. But when you don't have credit, this is yet another reason why privacy or at least extreme privacy is expensive. You had better be willing and able to pay for everything with straight up cash. And that was actually a mistake that I made early on was trying to figure out a way to do a house that was owned by an LLC, but still had a mortgage on it. And actually what happened was the lender ended up leaking. It may not even have happened the first year that I did it, but eventually the lender ended up leaking some like my personal, my actual name and associating it with that mortgage. And I think it showed up on a credit report for a bit. And of course I freaked out and had to tell them to take it off. But that basically, it goes to show how difficult it is to once again, go against the grain is because even when I initially set stuff up and I was working both with a private banker and an attorney who they knew everything that was going on and knew why we were doing it, they went to the utmost extreme that they could to keep things private. And my understanding is that inevitably it was just something with the backend systems where the data automatically gets ingested, shuffled around, reused for other things that there were some leaks that happened. And kind of going actually back to your story, I was at a house that I had purchased with, well, through an LLC and received some mail there in my name, which should have never happened because there was nothing that should have associated my name with that address. And you know what it was? It was either a holiday card or a birthday card or something from the bank that the mortgage had been through. And it was because all of their systems are tied together. And so some random system pulled up my information in the database and said, Hey, send this guy a holiday card. Yeah, it can get so messy. One of the most aggravating, but also entertaining episodes I've listened to of Michael Buzell's podcast was when he tries to go in and buy a new car in the name of an entity without giving out any personal information. And let's just say he got kicked out of many a place. You said at the time of this swatting that one of the reasons why you didn't want the police to do a search of your home, obviously there was nothing there and you don't want police coming into your home was that you had multiple guns sitting around. And I'm just curious for our American listeners who live in a civilized country where they don't come at you with guns for having your own guns. Since then, have you made any changes to your gun privacy? Interesting, like from a privacy standpoint, I actually have not purchased any new weapons in several years. And part of that is, is because you know, normally I've always done it through federally licensed firearm dealers, I have made perfectly legal private purchase sales in the past can be a little bit weirder to do just takes a little more effort to be careful. But I guess it just, it hasn't really been at the top of my list. I've felt like I've, I mean, I've been collecting firearms for 15, 20 years now. And I feel like, at least from a personal defense standpoint, my collection is sufficient. I will probably eventually want to get into collecting more antiques, curious relics and stuff. I actually had a federal license for doing that for a few years, though that was a huge privacy problem in and of itself because you have to fill out a lot of paperwork and you have to actually essentially give permission to the ATF to come and check in on you and check your logs and everything. So I actually let that expire as a result of my desire for more privacy. From a security perspective, I still go about my self-defense in pretty much the same way that I had before where at any of my locations, I have a decentralized series of quick access safes, which will have the firearms that I am familiar with and believe are best suited for home defense situations, starts to kind of get off into a whole other tangent to which I've written extensively on as well. But it's more on the physical security rather than privacy side of it. Yeah, it's actually just the title of it is just called Firearms for Home Defense. Yeah, I basically talk about all the different considerations and some of these things could be applied to other weapons if you're in a country that is not firearm ownership friendly. The long and short of it is that if you want to be able to defend yourself, then you need to have a plan and a way to be able to access whatever weapons you can in a very short time period if you believe that someone is attacking you because you probably won't have a lot of time to go spend 30 seconds or whatever on a dial combination safe to try to open it up while you're in the heat of the moment and fearing for your life. Exactly. So you've had various interactions with the police both at the time of this event and presumably in subsequent years. And we recommend on this podcast, Boston Tea Party's book, You and the Police, which is a great place for people to start. Any observations about how to handle interactions with police? A lot of this stuff is very jurisdictional specific. So it's not really possible for me to even give state level advice because I'm not familiar with all the different states and their guidelines, much less to give international advice. So really, the most important thing is for each person to do research on exactly what the requirements are in your jurisdiction because there are different levels of compliance that are required. Now, I think one of the many things that I have mentioned in the past is that, like we said, we want to avoid leaking public information. And one of the many types of public information that can get out there is unfortunately police reports. So what you want to do is avoid the police as much as possible. You want to be the perfect model citizen. You don't want to break any laws. You don't even want to get traffic citations because these are all things that can end up creating records that eventually get disseminated and ingested once again by all of those services and can essentially create traces that people can start to follow. That's a good point. A lot of people think that their car gets broken into, they have a shattered windshield, call the police right away. But if you can afford the hundred dollar fix and you can stay off of a police record, in most cases, that's perfectly legal, then you should certainly consider whether that's the best course of action for you. And in insurance, for example, you still obviously have to deal with insurance for various things. And in many cases, insurance is legally required for certain things. But whenever you're dealing with an insurance company, as far as I can tell, that's a fairly private interaction. I still have insurance coverage with various providers and I have never had any of that leak and show up on any of my investigations that I have performed against myself. Hopefully, if you need to file an insurance claim, you can do so without also filing a police report, but that can also vary from provider to provider. Maybe I could follow up here with a few kind of basic computer privacy questions. If someone is using a Linux distribution and they are taking basic good OPSEC, are they by and large safe from your average cyber threat? Well, you're going to be safe from most of the common malware that ends up infecting, usually Windows machines. I guess that sometimes we're seeing some Mac OS malware that ends up infecting some Mac OS malware get out there. It's hard to say, though, if that's necessarily because Linux is more securely designed or if it's just because it's such a small target in the sense that not many people run Linux machines. So if you're a malware writer, you're going to be targeting the distributions that, of course, have the most people running it. And maybe it doesn't really matter either way, but it's still not a panacea. There are still a million different things that can just happen at the web browser level. A lot of hijacking that happens can happen through something like just a web browser plug-in or an extension, for example, that can be malicious and can basically take over the entire web browser. So you still have to be careful. You don't want to install software if you don't absolutely need it. You don't want to install software unless it's actually reputable. Good advice. As regards VPNs, a specific question. A lot of people who use VPNs have noticed websites discriminating against them in various ways. Shops online will cancel orders because they detect fraud, etc. Have you noticed this? And do you have any strategies, I guess, more importantly for getting around that? Absolutely. I mean, you're essentially a second class citizen because you automatically get red flagged by a variety of different denial of service or other firewall type systems that various commercial services will erect because if they don't do that, then they're going to get hit by criminals who are trying to mask their behavior. And it's unfortunate and it's once again, really one of those, your mileage may vary type of issues. So I've had plenty of times when I just try to open a website and it's just straight up blocked. Usually it'll be a sort of more security conscious like financial site or something like that that's a bit more locked down. And if that's the case, then I may simply try switching VPN servers a few times to see how comprehensive their blacklist is. If that doesn't work, I may try switching to a completely different VPN provider. These things only take a few seconds to do if you have the VPN software installed. Worst case scenario, if there's something where you absolutely need to be on clear net, but you don't want to be leaking your home IP address, then you can always just go to your local free Wi-Fi place. I mean, free Wi-Fi is so pervasive if you're anywhere near civilization that it's not usually too much of an inconvenience to do. But then also I think in my experience, Google and Apple are some of the worst when it comes to their fraud detection in the sense that they have the most sensitive fraud protection. I think Amazon's pretty bad too. But for example, for many years had a Google Fi phone, which was awesome because it was basically unlimited bandwidth anywhere in like 130 countries for basically $20 or $30 a month. And when I tried to improve my privacy, obviously I knew that I had to get rid of my current account because it was under my name. And I tried for hours on probably half a dozen different occasions to try to set up a Google Fi account using any of my LLCs or other entities. And they would just block it immediately and not let me finish setting up the account and getting a phone. So I ended up having to use some random international SIM card provider with an Android phone that I basically bought from some other random website and had shipped to a remailer box all under the name of an LLC. So it's unfortunate sometimes just how much more difficult those fraud detections can make your life if you're trying to protect yourself. This unfortunately gets a bit more technical because I expect most people just use commercial VPNs and that's a whole other can of worms in and of itself is like which ones are the good ones. And I have several links on my website to try to help people differentiate, but you can of course always run your own VPN. I've never heard of anyone who is running their own VPN getting blocked like this. And I don't know why you would because you wouldn't show up on any blacklist because there would be nobody else performing malicious activity through your own personal VPN's IP address. I guess for me I see one of the benefits of a VPN as sharing an IP address with a group of people to kind of generate some anonymity. Let me ask you a different question. You mentioned in your privacy article where you talk about doing the reboot that Shia LaBeouf had his secret art collection found from just some people on 4chan who were doing some basic putting of evidence together based on the things that he's revealed or said or the background of his photos, his exit data, whatever the case may have been. I'm just curious if you could give the audience a sense of what are some of the little things that we do or post or say that reveal us enough. I believe there was a lady in Japan who was some kind of influencer and stalker tracked her down just based on seeing a sign for the subway stop in a reflection of a puddle on a photo that she had and he just waited for her and got her one day. So what are some of the things that we are revealing just in very mundane activities that could lead up to bigger and worse events? Yeah, if you're doing anything on social media, that is a really big avenue for you to leak information. Especially if you're posting videos or photos, there can be quite a bit of metadata that's embedded in there. Now, one thing that I do like about Twitter, which I think not many people ever bring up, is that they actually strip all of the metadata out of at least of images that you post. I have an additional exit stripper tool that I use myself before I post anything just because I'm extra paranoid, but I would not expect for the average social media platform to go to that length. Now, if we're talking about just what might you be leaking, even if all you're doing is posting little text tweets with nothing else. If you're not using a VPN, of course, you're going to be leaking your IP address, which can be used to get a course geographic location on you. Even just from the patterns of the time of day that you're posting will most likely, over a long enough period of time, give people a very good idea of at least what time zone you're in based on your sleeping patterns. If you're posting audio or video though, you have to realize that those things contain so much more information. They're just really information-rich media that you never know what you might be leaking. Like you said, it could be something in the reflection or the background of a photo or video. It could even be audio like perhaps the sound of an airplane or a train, not completely unique noises, but unique enough that especially if you have enough data points over a series of time, then people can start triangulating all of the possible places that it could be and then continue to whittle down and whittle down further and further. And I think if I recall correctly from that story about LeBouf, eventually the final triangulation happened because some of the crazy fans who were trying to track him down were literally driving around in the rough area where they thought he was and honking their horns and then waiting for other people to hear those honks over the live stream. Let me move on. I want to get to Crypto and CASA, which is your service. But if I may, I'd just like to do a few rapid fire kind of what is your preferred software? Just to start, what is your preferred password manager? I like one password. It has a lot of features. It's open source. It works well with teams and sharing and it works on pretty much every platform. It even runs well. And this is a big one for me. Its mobile application runs on Graphene OS, the completely stripped down, de-Googleified Android operating system. Preferred 2FA application? Ubico's OTP manager that you can use with the YubiKey to keep the secrets on the YubiKey. A daily driver operating system? Ubuntu. What percentage of your browser usage would you say is on the Tor browser? Less than 1% actually. What about your daily driver phone operating system? Graphene OS. Search Engine? DuckDuckGo. Do you have a VPN at the router level? Sometimes, but that's a whole other story. But lately no, and it's an ongoing project and I believe technology will continue to improve. And then preferred VPN? I'm a fan of Mulvad and any other WireGuard based VPNs, especially the ones that accept crypto and don't require email addresses for setting up accounts. Excellent. Let me move on to some crypto questions. What is the first thing that you would say people have to understand about, let's start with Bitcoin, about Bitcoin and privacy? Well, that the design of Bitcoin in many ways is highly antithetical to privacy and it really is meant to be a very open and transparent system. And the reason for that is to maintain the integrity of the system against malicious actors trying to double spend money or defraud you, basically to corrupt the actual monetary properties of the system. And so people will sometimes say, well, why are people using Bitcoin? You should use a privacy coin like Monero, which hides the blockchain. Is Monero by hiding the blockchain contradicting the whole point of the blockchain, which you just said, which is to be transparent? This is a fun rabbit hole to go down. And suffice to say that I believe, especially if you're performing any activities that you want to be private, that they're sensitive for any reason, like for example, paying for a VPN, then absolutely you should use Monero. I don't think it's controversial to say that it has far better privacy by default than Bitcoin. Now, is it going against some of the properties? No, it's just making some slightly different assumptions. Basically, you have to have some additional trust in the ring signature aspects of the system that no one is able to inflate the money supply. But I would say that in terms of the ethos of Monero, that it makes sense because it places a greater weight on privacy, whereas Bitcoin places a greater weight on auditability and transparency of the system. Interesting. What a lot of people don't talk about is how to acquire Bitcoin to begin with privately. Do you have any thoughts on the best ways to acquire Bitcoin privately? By offering goods and services for it. That's absolutely by engaging in commerce or other means of exchange privately between yourself and one other person directly in a peer-to-peer fashion as it was originally intended. Now, if that's not an option for whatever reason, if you're not operating some sort of business that can do that, then you have to figure out a way to basically do an over-the-counter or face-to-face trade. There's a variety of platforms that will let you do that. The one thing that I caution people on is don't obviously take a suitcase full of cash and meet some random person in a parking garage and expect to do a face-to-face trade unless you're also bringing a whole lot of security and taking other precautions. There are a few peer-to-peer trading apps where you can basically set up multi-signature base escrow and do it over the internet without having to take the physical risks that come with doing a face-to-face trade. Good advice. You hear or I hear these days of tainted Bitcoin, of Bitcoin that institutions see as having at some point been tied to a crime and therefore they don't accept it or they might even report it. Is that something that's on your radar? And if so, what is to be done about it? Well, yeah, not only that, but what we've seen over the past couple of years is more of the regulated financial institutions considering anything within several hops of your activity on their system to potentially be suspicious. And so something as simple as if you withdraw your Bitcoin from an exchange and then send it to a mixer, they might see that and shut down your account because they just think it's too risky. Or if the opposite happens and you have funds that you have sent through a mixer and then you deposit them on the exchange, they may do the same thing. Shut down your account and say, we have decided not to service you anymore. However, it's only really a problem when you're dealing with these regulated institutions. You're not going to go buy a computer from some retailer who is accepting Bitcoin and they're not going to perform that level of analysis on you because from their perspective, all they care about is the fact that they got paid. And once that Bitcoin hits their account, they know that it's not going to be charged back and they're going to send the goods or provide the service to you. It's just something that I think about more often when I'm managing my own wallets. And I make sure that if I have a wallet where I've been mixing or doing more private or sensitive activities with it, I just make sure I never let those funds be associated with any of these regulated institutions. Well, that's good advice. And it leads into another question, which is, what is the best way for people to go forward using their Bitcoin in a way that does not expose their various aspects of their identity over time? So what I think a lot of people will tell you is that you need to be mixing your coins. I don't necessarily subscribe to that, for one, because we don't necessarily know just how good the mixers are. There was just some news that came out today talking about Wasabi wallets, coin joins getting traced and demixed. And there's also the question of who are you actually trying to protect yourself from? So when it comes to mixers, I don't think it makes sense to be regularly mixing your coins. What I think it makes sense to use mixers for is if you want to make a payment and you don't want the recipient to be able to just go onto a blockchain explorer and trace it back one or two hops and see, oh, this person has hundreds of thousands of dollars because they can now see a large portion of what your total holdings are just due to the nature of how the blockchain has linked all the transactions together. So I think it makes sense to use them when needed as making a payment. Otherwise, second layer technologies like Lightning will actually offer better privacy because these are actually making the payments off chain. So there is no explorer that someone can go to and look up and sort of trace back the payment to your wallet and see your total holdings. Lightning is still gaining adoption. It's been around for a few years, but we're still, I think, on the cusp of it becoming used at the same level as Bitcoin as a whole. Well, let's talk about storing one's Bitcoin. I know you're a fan of cold wallets. Now, let me ask you this scenario. If someone is using a Linux distribution and they practice fairly good cybersecurity procedures, very careful of what they do online and they're using an Electrum wallet, is that scenario much more risky than, say, having a cold wallet? Yes. I mean, assuming you mean like you're keeping the keys on Electrum on that internet-connected machine, there's just a far larger attack surface. Now, is it likely that your machine is going to get compromised and the funds stolen? If you're careful, probably not. I mean, in the early days, I had all of my funds sitting in a Bitcoin Core GUI wallet on Ubuntu, probably for several years, because there were no hardware devices to manage my keys. How would someone, in all likelihood, gain access to your Electrum wallet on a Linux distribution if they were going to? What would be the most likely scenario for them to do that? I mean, on a Linux distribution, it would have to be some kind of crazy new zero-day exploit, I would think, where it would probably have to be a highly targeted thing where they would have to essentially get you to click on something and accidentally install some software that basically allowed them to tunnel into your machine. One of the more common ways that we see people's machines get compromised is via team viewer software or other remote desktop type of software. Generally, I think what happens is that someone essentially gets targeted and scammed, usually via something like Telegram or Discord or some other social media platform, and they get tricked into installing the software. Then it's basically game over. Now, with Linux, it's not really something, at least that I've heard of very often, of someone's Linux machine being compromised, but still, it takes so little effort. You spend $100, essentially, to get those keys off of the internet-connected device, and that just saves you from even having to worry about the possibility. Right. We'll get to CASA here in a second. Do you have, though, any cold or hot wallet recommendations or preferences? There's probably hundreds of wallets out there to choose from. I am a big fan of Electrum, at least on desktop. They actually have a Lightning wallet as well now, so if you're using that for small amounts of money, that's fine. I wouldn't put thousands of dollars on there. I'm a fan of Samurai wallets and Blockstream Green for Android and iPhone. If you're going to go with a single one-off hardware device, I'm a fan of Coldcard, and that's really because it's open source. It has been repeatedly attempted to be attacked by various security experts in the space, and it's still held up very well to a variety of different attacks, and even having millions of dollars worth of lab equipment directed at it trying to extract the seeds from it, and it still holds up quite well to that. Now, I do want to get into CASA, which is your crypto service. Now, maybe we can frame it in the context of the discussion so far, privacy, self-sovereignty. Why was CASA so important for you to develop, and what exactly does it do that helps us with some of these things? Well, what I've really been trying to do is to build a software wallet that has a lot of the best practices built into it, because after developing software for 15 years, it's quite clear to me that users are not going to read the manual. You have to create an experience that makes it so that people don't have to go read instructions. It's just as simple as following the directions on the screen. And so what I've learned over the years after seeing a wide variety of different catastrophes happen to people is that essentially we need to eliminate single points of failure if people are going to self-custody. And while a lot of the discussions in the space tend to center around the bigger news stories that are usually various types of hacks and thefts and attacks and whatnot, the boring, unfortunate, bigger problem is actually just users making mistakes, screwing up, shooting themselves in the foot, and locking themselves out of their own Bitcoin. So when we look to eliminate single points of failure, it means not only that there's no single point that an attacker could compromise to steal all your money, it also means that there's no single thing or single mistake or single decision that you can make that would result in you having a catastrophic loss. And we do that via a variety of different ways. We use these hardware key managers to get the keys off of the internet to close up a lot of those potential exploits and attack vectors. And most importantly, we use a multiple key set so that you're essentially requiring authorizations from multiple different keys that are on multiple different devices. And each of these devices should be different brands, essentially different supply chains. And by geographically distributing those devices, you then get additional resilience against loss and physical attack, because there's no longer any one single catastrophic event, whether it be flood, fire, famine, what have you, that will that will wipe out all of your keys in one go. Right. And I don't want to bury it bury the lead here. So just to be clear, CASA and the website is it's keys.casa. It's just keys.casa. Keys.casa. Excellent. Excellent. Not even a.com domain. Excellent. Love to see those love to see the.io domains cropping up as well and maybe potential for blockchain domains in the future. But so people go to CASA, they already have their Bitcoin, maybe it's sitting in Coinbase. They don't like the fact that Coinbase is the actual owner of that Bitcoin. And they want to have some more control over it protected a little bit. They're not content with just having all of it on an Electrum wallet. Maybe they don't want the hassle of having simply a hardware wallet. What are kind of the first steps for them to get to the point where they have their crypto on CASA and they can use it and take advantage of its features? Yeah, so we have a few different things that we offer. We're not like your average Bitcoin wallet. The vast majority of Bitcoin wallets out there are just completely free software that you download, you install, and then you better read the manual and do it yourself. You may be able to get some email support if you're lucky and it's not peak hype bull season when everybody's flooding their support. But most of these projects really rely upon community support and rely upon people doing a lot of research to figure out how to navigate using the system. One thing that you're getting with us is you're paying us and you're paying us not only for having a great user experience where we've worked through all of the workflows of getting set up and maintaining this key set with multiple devices, but you're also paying us for having a high level of support and we have a few different tiers there. We have a really entry level tier that essentially comes out to about $10 a month, which will just get you into a two of three key sets. So you'll have multiple keys in multiple locations. But then depending on your level of assets, your paranoia, your general level of service that you want, we have several higher tiers that get into the thousands of dollars per year. And what you're really getting there is a white glove level of service dedicated client advisor. And we will discuss with you basically anything that you are concerned about on the technical side, on how to actually store these devices, on inheritance issues. It's much more than just key management. It's actually how do you incorporate this whole idea of being your own bank into your life? You talk a lot about self sovereignty and having your own private keys. Now, let's say your crypto is on CASA. Do you at any point have to get approval permission or reach out to somebody besides yourself in order to make use of that crypto? Right. And so like I said, one of our primary tenets is to eliminate single points of failure. And that includes ourselves as a company. So one of the first things that actually happens when you finish setting up your account is you get an email that is personalized and gives you step-by-step instructions on what to do in a worst case scenario. We call this the sovereign recovery process, but basically it's because we're not reinventing the wheel. We're not doing anything out of the ordinary or novel that's proprietary to us. We're using standards and well available industry hardware that is produced by other companies. Once again, continuing to decrease the level of trust that you have on us. But point being, you can recreate your entire setup and spend your money without ever touching CASA's software, without ever touching our servers, as long as you have a sufficient quorum of keys and you have the data required to initialize that multi-sig wallet. There are multiple other compatible pieces of software out there that are completely unrelated to CASA that you can do that in, and we provide instructions for that. Thank you again, Jameson. And just so people are reminded, it's keys.casa, C-A-S-A. And I also recommend his website, lop.net, L-O-P-P dot net, all kinds of great resources there for beginners even. With that said, any other places, Jameson, that you'd like to direct people? Not offhand. I mean, I think you'll be able to find a lot of my ruminations on my website, on my blog. And the main thing that I try to get across to people is that you don't need to feel overwhelmed by any of this. It's much like going down any rabbit hole of any particular subject. You don't need to go all the way to the bottom. You can just spend a few hours here and there continuing to pick away at it. And the same is true for privacy in general, for learning about Bitcoin and continuing to increase and fortify your posture there with your holdings. People should take this approach to all of the important aspects of your life is that while it's good to go really deep on some subjects and be an expert, you also need to have some breadth and just spend a little time here and there and continue learning. And that's the most important thing is just don't stop learning.