In this episode, I speak with Jameson Lopp, a cybersecurity programmer. He is the CTO and
co-founder of CASA, which is a fascinating multi-signature Bitcoin wallet, and an editor
for the BTC Times. Jameson was a perfect guest for the show. Not only is he serious about the
use of technology and programming to help people achieve privacy and self-sovereignty,
but he takes his privacy quite seriously outside of the digital world as well.
This began when Jameson was the victim of a swatting attack. He has told this story on many
forums and I have linked his own account of the event in the notes of the video version of this
show. Basically, several lowlives became upset with Jameson online and managed to find his home
address, most likely through the myriad people's search websites that plague the internet today.
They called in a series of threats to the local police and this led to Jameson's entire
neighborhood getting shut down. Fortunately, Jameson was not in his house and the situation
was resolved amicably. This has not been the case in other swatting events, where people have
actually been killed. It's a dangerous thing. In the aftermath of this event, Jameson went to
privacy extremes, spending tens of thousands of dollars to hire lawyers, set up trusts and
holding companies, and really getting off the grid in a serious way. I talk to him about these
techniques and then we gravitate towards digital and crypto privacy techniques. This is one episode
you don't want to miss. Jameson Lopp, welcome to the Watchmen Privacy Podcast. How are you doing?
Not bad. Always a good day to talk about privacy. Absolutely. I must say, Jameson, that you are
an ideal guest for this show. You're a crypto guy and we're going into a month of crypto coverage
here. You're also huge into privacy. You've done a full reboot, which we'll discuss, and you promote
privacy, but you're also a down-to-earth guy. You're interested in making privacy and crypto
available and accessible to everyone so you don't have this personality or elitism as some in the
crypto and especially the cybersecurity community have. Thanks. It's kind of a weird stance to be in
to be both pro-privacy and a somewhat public figure promoting privacy. It certainly throws
some people for a loop and seems antithetical. The best way that I can describe it is that,
sure, if I wanted even stronger, better, perfect privacy, then the obvious solution is I would just
delete myself from the internet and never talk to anybody. That's how you achieve perfect privacy,
by not ever leaking any information. But I have chosen what I believe is a more difficult path
to follow because I still want to be able to share my knowledge. I want to be able to continue to
leverage my reputation. I want to be able to continue to build and interact with people.
To do that while still retaining what you would consider to be the more important and more sensitive
aspects of your life that you want to keep private is definitely a challenging thing to do.
Yeah, for sure. That's definitely the paradox of being public about privacy. I also wanted to
recognize your website, lopp.net, L-O-P-P dot net, which is just an incredible resource for
people interested in Bitcoin and crypto. It's one of the best resources out there. So I would
encourage people to look into that lopp.net. I wanted to start, Jameson, with some practical
things we can discuss regarding your privacy reboot. Quick summary, of course, you got swatted.
Kid got access to your physical address. He called in essentially a SWAT team, which coordinated off
your neighborhood and caused all kinds of havoc. It was very costly. And you decided at that point
to take your property and such out of your real name and put it in the name of trusts and LLCs,
presumably, and things of this nature. From that, and my first question was, how did this kid,
how did he find your physical address? I don't know exactly, but I can tell you that anybody
with 10 or 20 bucks who was willing to go to one of the dozens of public people finder engines
would have been able to find it. It's just sort of the nature of how the modern economy works,
that you own things, you create accounts with many different services. And then any of those that are
in any way connected to sort of the credit system and the financial system, they end up all getting
aggregated together either by credit reporting companies or by other shadier data collection
and reseller companies. And so at the end of the day, if you're going about your normal life
operating as everyone else does, then the default is that your name and address will
one way or another get correlated together and become fairly public or easily accessible
information. So while I don't know exactly what tool was used, I found out in hindsight that it
was not too difficult at all. And in fact, it may have even just been a simple Google search,
because I had been living in the same place for over 10 years and leaked out my name and
address to thousands of different entities. Basically, you were out there using your real
names and using your real name online. And it was a matter of just going to one of these hundreds of
very, very shady people search sites and getting some of this information that has been collected
from all kinds of things, voting records, all kinds of databases, some of which are public.
It's just the nature of the internet that as you go about your business, as you're browsing the
internet, as you're interacting with hundreds and thousands of different machines and companies
around the world, that you are leaking information like a sieve, if you're not very careful about
what you're doing. And ultimately, as we were saying earlier, that information all gets aggregated,
collected, disseminated, sliced and diced a million different ways, and it will get used against you
somehow. Now, maybe it'll only get used against you to try to sell stuff to you, but maybe some
more malicious person will try to use that against you in innumerable other ways. I wanted to, before
we get into more of the digital privacy stuff, just get a little bit more about your privacy reboot.
You dealt along the way with a lot of lawyers to help you set up the legal entities to own property
and this and that. You said that you've spent around $100,000 on the whole endeavor. Looking
back at that process, which as you said, not a lot of people are going to do, but for the people that
do want some idea of this, what is some advice and general observations that you took away
from that whole legal experience? Well, I mean, the first thing you need to recognize is that
this is a very uncommon path that not many people walk. And so when you then are going out and trying
to find service providers, whether that's lawyers or other just semi-trusted people to act as
proxies for various aspects of your life, that you're going to encounter some friction and you're
going to probably have to talk to a number of different people before you even find the right
fit, either the person or company or entity or whatever that is willing to work with you,
because it'll probably be a novel thing for them. And in general, people don't like having to learn
and do new things. That was something that I ran into both on the privacy side and on sort of the
whole aftermath of the swatting incident and trying to find justice for myself with that,
because that was, once again, another type of legal path that not many people go down
basically trying to prosecute their own case rather than having state-based resources doing
the prosecution. Right. And that was a very interesting story of you tracking down this guy
who did that to you. And I'll put links to both that and your ruminations on going through this
extreme privacy reboot in the notes so that people can take a look. It's quite compelling
information. Now, when some people do this kind of complete reboot, they'll, as you said, they'll
run into some problems because the world is not designed for people who don't have things in their
own name and all the rest. And I'm just curious if, for example, credit reports are something that
people who have done reboots or who own various things in the name of various entities, they
sometimes have trouble getting access to their, just something as simple as their credit reports.
Have you had any trouble with that? Are there any things that have come about as a result of
this privacy reboot that you hadn't thought of and that have been a little bit of a hindrance for you?
For sure. And I probably won't even remember them all. But if you are going for extreme privacy,
then you obviously are going to have to make sacrifices. And there are certain things that
are just simply incompatible with privacy. One of those is ownership of any publicly registered
assets, so houses, cars, whatnot. Voting is incredibly antithetical to privacy,
at least in the United States, because that creates public records. And you'll have to think
about how you want to even manage your own persona and your relationships with your neighbors,
for example. And so I took that to the extreme and I said, well, basically walking away from
my existing neighborhood and moving somewhere new. And because I can't trust anybody not to leak
information, I have to tell my neighbors that I am some completely other identity.
And then I have to get used to that. And that was one of the bigger things is really building a new
persona and being able to stick with it. And it's almost like putting yourself in a witness
protection program. Yeah. Back when, before I had done some of this stuff myself, I remember
getting a note on my door one day and it was addressed to my own name. And I realized that
one of my neighbors who is just trying to get in touch with me about something in the yard where
our yards kind of connected, they had just gone to the local records that are available and they
saw my name attached to the house and there you go. So, but let me ask your, and what you said also
reminds me of a good Robert Frost quotation, he says, fences make great neighbors. So what about
utilities? Do you have any advice for people trying to get utilities not in their own name?
Yes. So, and I should have mentioned this as well. Like one of the other major sacrifices that you
have to give up with extreme privacy is credit. Credit is based upon your personal history of
your financial dealings. And it's also extremely antithetical to privacy because that data gets
disseminated amongst many different entities. And then almost anybody else who wants to can then
basically pull your information. And I do on a regular basis, I have not only my credit report,
but basically like an entire rundown on my identity pulled by private investigators,
not only from public databases, but also from semi-private databases that you generally have
to be either law enforcement or a private investigator credentialed person to get into.
And I basically just do that to check up, do a health check and make sure I haven't been leaking
anything. But when you don't have credit, this is yet another reason why privacy or at least
extreme privacy is expensive. You had better be willing and able to pay for everything with
straight up cash. And that was actually a mistake that I made early on was trying to figure out a
way to do a house that was owned by an LLC, but still had a mortgage on it. And actually what
happened was the lender ended up leaking. It may not even have happened the first year that I did
it, but eventually the lender ended up leaking some like my personal, my actual name and
associating it with that mortgage. And I think it showed up on a credit report for a bit.
And of course I freaked out and had to tell them to take it off. But that basically, it goes to
show how difficult it is to once again, go against the grain is because even when I initially set
stuff up and I was working both with a private banker and an attorney who they knew everything
that was going on and knew why we were doing it, they went to the utmost extreme that they could
to keep things private. And my understanding is that inevitably it was just something with the
backend systems where the data automatically gets ingested, shuffled around, reused for other
things that there were some leaks that happened. And kind of going actually back to your story,
I was at a house that I had purchased with, well, through an LLC and received some mail there in my
name, which should have never happened because there was nothing that should have associated my
name with that address. And you know what it was? It was either a holiday card or a birthday card
or something from the bank that the mortgage had been through. And it was because all of their
systems are tied together. And so some random system pulled up my information in the database
and said, Hey, send this guy a holiday card. Yeah, it can get so messy. One of the most
aggravating, but also entertaining episodes I've listened to of Michael Buzell's podcast was when
he tries to go in and buy a new car in the name of an entity without giving out any personal
information. And let's just say he got kicked out of many a place. You said at the time of this
swatting that one of the reasons why you didn't want the police to do a search of your home,
obviously there was nothing there and you don't want police coming into your home was that you
had multiple guns sitting around. And I'm just curious for our American listeners who live in a
civilized country where they don't come at you with guns for having your own guns. Since then,
have you made any changes to your gun privacy? Interesting, like from a privacy standpoint,
I actually have not purchased any new weapons in several years. And part of that is, is because
you know, normally I've always done it through federally licensed firearm dealers, I have made
perfectly legal private purchase sales in the past can be a little bit weirder to do just takes a
little more effort to be careful. But I guess it just, it hasn't really been at the top of my list.
I've felt like I've, I mean, I've been collecting firearms for 15, 20 years now. And I feel like,
at least from a personal defense standpoint, my collection is sufficient. I will probably
eventually want to get into collecting more antiques, curious relics and stuff. I actually
had a federal license for doing that for a few years, though that was a huge privacy problem in
and of itself because you have to fill out a lot of paperwork and you have to actually essentially
give permission to the ATF to come and check in on you and check your logs and everything. So I
actually let that expire as a result of my desire for more privacy. From a security perspective,
I still go about my self-defense in pretty much the same way that I had before where
at any of my locations, I have a decentralized series of quick access safes, which will have the
firearms that I am familiar with and believe are best suited for home defense situations, starts
to kind of get off into a whole other tangent to which I've written extensively on as well. But
it's more on the physical security rather than privacy side of it. Yeah, it's actually just the
title of it is just called Firearms for Home Defense. Yeah, I basically talk about all the
different considerations and some of these things could be applied to other weapons if you're in a
country that is not firearm ownership friendly. The long and short of it is that if you want to
be able to defend yourself, then you need to have a plan and a way to be able to access whatever
weapons you can in a very short time period if you believe that someone is attacking you because
you probably won't have a lot of time to go spend 30 seconds or whatever on a dial combination safe
to try to open it up while you're in the heat of the moment and fearing for your life.
Exactly. So you've had various interactions with the police both at the time of this event and
presumably in subsequent years. And we recommend on this podcast, Boston Tea Party's book, You and
the Police, which is a great place for people to start. Any observations about how to handle
interactions with police? A lot of this stuff is very jurisdictional specific. So it's not really
possible for me to even give state level advice because I'm not familiar with all the different
states and their guidelines, much less to give international advice. So really, the most important
thing is for each person to do research on exactly what the requirements are in your jurisdiction
because there are different levels of compliance that are required. Now, I think one of the many
things that I have mentioned in the past is that, like we said, we want to avoid leaking public
information. And one of the many types of public information that can get out there is unfortunately
police reports. So what you want to do is avoid the police as much as possible. You want to be
the perfect model citizen. You don't want to break any laws. You don't even want to get traffic
citations because these are all things that can end up creating records that eventually get
disseminated and ingested once again by all of those services and can essentially create traces
that people can start to follow. That's a good point. A lot of people think that their car gets
broken into, they have a shattered windshield, call the police right away. But if you can afford the
hundred dollar fix and you can stay off of a police record, in most cases, that's perfectly legal,
then you should certainly consider whether that's the best course of action for you.
And in insurance, for example, you still obviously have to deal with insurance for various things.
And in many cases, insurance is legally required for certain things. But whenever you're dealing
with an insurance company, as far as I can tell, that's a fairly private interaction. I still have
insurance coverage with various providers and I have never had any of that leak and show up on
any of my investigations that I have performed against myself. Hopefully, if you need to file an
insurance claim, you can do so without also filing a police report, but that can also vary from
provider to provider.
Maybe I could follow up here with a few kind of basic computer privacy questions. If someone is
using a Linux distribution and they are taking basic good OPSEC, are they by and large safe from
your average cyber threat?
Well, you're going to be safe from most of the common malware that ends up infecting, usually
Windows machines. I guess that sometimes we're seeing some Mac OS malware that ends up infecting
some Mac OS malware get out there. It's hard to say, though, if that's necessarily because Linux
is more securely designed or if it's just because it's such a small target in the sense that not
many people run Linux machines. So if you're a malware writer, you're going to be targeting the
distributions that, of course, have the most people running it. And maybe it doesn't really
matter either way, but it's still not a panacea. There are still a million different things that
can just happen at the web browser level. A lot of hijacking that happens can happen through
something like just a web browser plug-in or an extension, for example, that can be malicious and
can basically take over the entire web browser. So you still have to be careful. You don't want
to install software if you don't absolutely need it. You don't want to install software unless it's
actually reputable. Good advice. As regards VPNs, a specific question. A lot of people who use VPNs
have noticed websites discriminating against them in various ways. Shops online will cancel orders
because they detect fraud, etc. Have you noticed this? And do you have any strategies, I guess,
more importantly for getting around that? Absolutely. I mean, you're essentially a second
class citizen because you automatically get red flagged by a variety of different denial of
service or other firewall type systems that various commercial services will erect because
if they don't do that, then they're going to get hit by criminals who are trying to mask their
behavior. And it's unfortunate and it's once again, really one of those, your mileage may vary type
of issues. So I've had plenty of times when I just try to open a website and it's just straight up
blocked. Usually it'll be a sort of more security conscious like financial site or something like
that that's a bit more locked down. And if that's the case, then I may simply try switching VPN
servers a few times to see how comprehensive their blacklist is. If that doesn't work,
I may try switching to a completely different VPN provider. These things only take a few seconds
to do if you have the VPN software installed. Worst case scenario, if there's something where
you absolutely need to be on clear net, but you don't want to be leaking your home IP address,
then you can always just go to your local free Wi-Fi place. I mean, free Wi-Fi is so pervasive
if you're anywhere near civilization that it's not usually too much of an inconvenience to do.
But then also I think in my experience, Google and Apple are some of the worst when it comes to
their fraud detection in the sense that they have the most sensitive fraud protection. I think
Amazon's pretty bad too. But for example, for many years had a Google Fi phone, which was awesome
because it was basically unlimited bandwidth anywhere in like 130 countries for basically
$20 or $30 a month. And when I tried to improve my privacy, obviously I knew that I had to get
rid of my current account because it was under my name. And I tried for hours on probably half a
dozen different occasions to try to set up a Google Fi account using any of my LLCs or other
entities. And they would just block it immediately and not let me finish setting up the account and
getting a phone. So I ended up having to use some random international SIM card provider with an
Android phone that I basically bought from some other random website and had shipped to a
remailer box all under the name of an LLC. So it's unfortunate sometimes just how much more
difficult those fraud detections can make your life if you're trying to protect yourself.
This unfortunately gets a bit more technical because I expect most people just use commercial
VPNs and that's a whole other can of worms in and of itself is like which ones are the good ones.
And I have several links on my website to try to help people differentiate, but you can of course
always run your own VPN. I've never heard of anyone who is running their own VPN getting blocked
like this. And I don't know why you would because you wouldn't show up on any blacklist because
there would be nobody else performing malicious activity through your own personal VPN's IP address.
I guess for me I see one of the benefits of a VPN as sharing an IP address with a group of people
to kind of generate some anonymity. Let me ask you a different question. You mentioned in
your privacy article where you talk about doing the reboot that Shia LaBeouf had his secret art
collection found from just some people on 4chan who were doing some basic putting of evidence
together based on the things that he's revealed or said or the background of his photos, his exit
data, whatever the case may have been. I'm just curious if you could give the audience a sense of
what are some of the little things that we do or post or say that reveal us enough. I believe there
was a lady in Japan who was some kind of influencer and stalker tracked her down just based on seeing
a sign for the subway stop in a reflection of a puddle on a photo that she had and he just waited
for her and got her one day. So what are some of the things that we are revealing just in very
mundane activities that could lead up to bigger and worse events? Yeah, if you're doing anything
on social media, that is a really big avenue for you to leak information. Especially if you're
posting videos or photos, there can be quite a bit of metadata that's embedded in there. Now,
one thing that I do like about Twitter, which I think not many people ever bring up, is that
they actually strip all of the metadata out of at least of images that you post. I have an additional
exit stripper tool that I use myself before I post anything just because I'm extra paranoid,
but I would not expect for the average social media platform to go to that length. Now,
if we're talking about just what might you be leaking, even if all you're doing is posting
little text tweets with nothing else. If you're not using a VPN, of course, you're going to be
leaking your IP address, which can be used to get a course geographic location on you. Even just from
the patterns of the time of day that you're posting will most likely, over a long enough period of
time, give people a very good idea of at least what time zone you're in based on your sleeping
patterns. If you're posting audio or video though, you have to realize that those things contain so
much more information. They're just really information-rich media that you never know
what you might be leaking. Like you said, it could be something in the reflection or the background
of a photo or video. It could even be audio like perhaps the sound of an airplane or a train,
not completely unique noises, but unique enough that especially if you have enough data points
over a series of time, then people can start triangulating all of the possible places that
it could be and then continue to whittle down and whittle down further and further.
And I think if I recall correctly from that story about LeBouf, eventually the final triangulation
happened because some of the crazy fans who were trying to track him down were literally driving
around in the rough area where they thought he was and honking their horns and then waiting for
other people to hear those honks over the live stream.
Let me move on. I want to get to Crypto and CASA, which is your service. But if I may,
I'd just like to do a few rapid fire kind of what is your preferred software? Just to start,
what is your preferred password manager?
I like one password. It has a lot of features. It's open source. It works well with teams and
sharing and it works on pretty much every platform. It even runs well. And this is a big one for me.
Its mobile application runs on Graphene OS, the completely stripped down, de-Googleified
Android operating system.
Preferred 2FA application?
Ubico's OTP manager that you can use with the YubiKey to keep the secrets on the YubiKey.
A daily driver operating system?
Ubuntu.
What percentage of your browser usage would you say is on the Tor browser?
Less than 1% actually.
What about your daily driver phone operating system?
Graphene OS.
Search Engine?
DuckDuckGo.
Do you have a VPN at the router level?
Sometimes, but that's a whole other story.
But lately no, and it's an ongoing project and I believe technology will continue to improve.
And then preferred VPN?
I'm a fan of Mulvad and any other WireGuard based VPNs,
especially the ones that accept crypto and don't require email addresses for setting up accounts.
Excellent. Let me move on to some crypto questions.
What is the first thing that you would say people have to understand about,
let's start with Bitcoin, about Bitcoin and privacy?
Well, that the design of Bitcoin in many ways is highly antithetical to privacy and it really is
meant to be a very open and transparent system. And the reason for that is to maintain the
integrity of the system against malicious actors trying to double spend money or defraud you,
basically to corrupt the actual monetary properties of the system.
And so people will sometimes say, well, why are people using Bitcoin?
You should use a privacy coin like Monero, which hides the blockchain.
Is Monero by hiding the blockchain contradicting the whole point of the blockchain,
which you just said, which is to be transparent?
This is a fun rabbit hole to go down. And suffice to say that I believe,
especially if you're performing any activities that you want to be private,
that they're sensitive for any reason, like for example, paying for a VPN,
then absolutely you should use Monero. I don't think it's controversial to say
that it has far better privacy by default than Bitcoin.
Now, is it going against some of the properties?
No, it's just making some slightly different assumptions. Basically, you have to have some
additional trust in the ring signature aspects of the system that no one is able to inflate
the money supply. But I would say that in terms of the ethos of Monero,
that it makes sense because it places a greater weight on privacy,
whereas Bitcoin places a greater weight on auditability and transparency of the system.
Interesting. What a lot of people don't talk about is how to acquire Bitcoin to begin with privately.
Do you have any thoughts on the best ways to acquire Bitcoin privately?
By offering goods and services for it. That's absolutely by engaging in commerce or other
means of exchange privately between yourself and one other person directly in a peer-to-peer fashion
as it was originally intended. Now, if that's not an option for whatever reason, if you're not
operating some sort of business that can do that, then you have to figure out a way to basically do
an over-the-counter or face-to-face trade. There's a variety of platforms that will let you do that.
The one thing that I caution people on is don't obviously take a suitcase full of cash and meet
some random person in a parking garage and expect to do a face-to-face trade unless you're also
bringing a whole lot of security and taking other precautions. There are a few peer-to-peer trading
apps where you can basically set up multi-signature base escrow and do it over the internet without
having to take the physical risks that come with doing a face-to-face trade.
Good advice. You hear or I hear these days of tainted Bitcoin, of Bitcoin that institutions
see as having at some point been tied to a crime and therefore they don't accept it or they might
even report it. Is that something that's on your radar? And if so, what is to be done about it?
Well, yeah, not only that, but what we've seen over the past couple of years is more of the
regulated financial institutions considering anything within several hops of your activity
on their system to potentially be suspicious. And so something as simple as if you withdraw
your Bitcoin from an exchange and then send it to a mixer, they might see that and shut down your
account because they just think it's too risky. Or if the opposite happens and you have funds
that you have sent through a mixer and then you deposit them on the exchange, they may do the
same thing. Shut down your account and say, we have decided not to service you anymore.
However, it's only really a problem when you're dealing with these regulated institutions.
You're not going to go buy a computer from some retailer who is accepting Bitcoin and they're not
going to perform that level of analysis on you because from their perspective, all they care
about is the fact that they got paid. And once that Bitcoin hits their account, they know that
it's not going to be charged back and they're going to send the goods or provide the service
to you. It's just something that I think about more often when I'm managing my own wallets.
And I make sure that if I have a wallet where I've been mixing or doing more private or sensitive
activities with it, I just make sure I never let those funds be associated with any of these
regulated institutions. Well, that's good advice. And it leads into another question, which is,
what is the best way for people to go forward using their Bitcoin in a way that does not expose
their various aspects of their identity over time? So what I think a lot of people will tell you is
that you need to be mixing your coins. I don't necessarily subscribe to that, for one, because
we don't necessarily know just how good the mixers are. There was just some news that came out today
talking about Wasabi wallets, coin joins getting traced and demixed. And there's also the question
of who are you actually trying to protect yourself from? So when it comes to mixers,
I don't think it makes sense to be regularly mixing your coins. What I think it makes sense
to use mixers for is if you want to make a payment and you don't want the recipient to be able to
just go onto a blockchain explorer and trace it back one or two hops and see, oh, this person has
hundreds of thousands of dollars because they can now see a large portion of what your total holdings
are just due to the nature of how the blockchain has linked all the transactions together. So
I think it makes sense to use them when needed as making a payment. Otherwise, second layer
technologies like Lightning will actually offer better privacy because these are actually making
the payments off chain. So there is no explorer that someone can go to and look up and sort of
trace back the payment to your wallet and see your total holdings. Lightning is still gaining
adoption. It's been around for a few years, but we're still, I think, on the cusp of it becoming
used at the same level as Bitcoin as a whole. Well, let's talk about storing one's Bitcoin.
I know you're a fan of cold wallets. Now, let me ask you this scenario. If someone is using
a Linux distribution and they practice fairly good cybersecurity procedures, very careful of what they
do online and they're using an Electrum wallet, is that scenario much more risky than, say,
having a cold wallet? Yes. I mean, assuming you mean like you're keeping the keys on Electrum
on that internet-connected machine, there's just a far larger attack surface. Now,
is it likely that your machine is going to get compromised and the funds stolen? If you're careful,
probably not. I mean, in the early days, I had all of my funds sitting in a Bitcoin Core GUI
wallet on Ubuntu, probably for several years, because there were no hardware devices to manage
my keys. How would someone, in all likelihood, gain access to your Electrum wallet on a Linux
distribution if they were going to? What would be the most likely scenario for them to do that?
I mean, on a Linux distribution, it would have to be some kind of crazy new zero-day exploit,
I would think, where it would probably have to be a highly targeted thing where they would have to
essentially get you to click on something and accidentally install some software that basically
allowed them to tunnel into your machine. One of the more common ways that we see people's
machines get compromised is via team viewer software or other remote desktop type of software.
Generally, I think what happens is that someone essentially gets targeted and scammed, usually
via something like Telegram or Discord or some other social media platform, and they get
tricked into installing the software. Then it's basically game over. Now, with Linux,
it's not really something, at least that I've heard of very often, of someone's Linux machine
being compromised, but still, it takes so little effort. You spend $100, essentially,
to get those keys off of the internet-connected device, and that just saves you from even having
to worry about the possibility. Right. We'll get to CASA here in a second.
Do you have, though, any cold or hot wallet recommendations or preferences?
There's probably hundreds of wallets out there to choose from. I am a big fan of Electrum,
at least on desktop. They actually have a Lightning wallet as well now, so if you're
using that for small amounts of money, that's fine. I wouldn't put thousands of dollars on there.
I'm a fan of Samurai wallets and Blockstream Green for Android and iPhone. If you're going
to go with a single one-off hardware device, I'm a fan of Coldcard, and that's really because
it's open source. It has been repeatedly attempted to be attacked by various security
experts in the space, and it's still held up very well to a variety of different attacks,
and even having millions of dollars worth of lab equipment directed at it trying to extract the
seeds from it, and it still holds up quite well to that. Now, I do want to get into CASA, which is
your crypto service. Now, maybe we can frame it in the context of the discussion so far, privacy,
self-sovereignty. Why was CASA so important for you to develop, and what exactly does it do
that helps us with some of these things? Well, what I've really been trying to do is to
build a software wallet that has a lot of the best practices built into it, because after developing
software for 15 years, it's quite clear to me that users are not going to read the manual.
You have to create an experience that makes it so that people don't have to go read instructions.
It's just as simple as following the directions on the screen. And so what I've learned over
the years after seeing a wide variety of different catastrophes happen to people is that essentially
we need to eliminate single points of failure if people are going to self-custody. And while a lot
of the discussions in the space tend to center around the bigger news stories that are usually
various types of hacks and thefts and attacks and whatnot, the boring, unfortunate, bigger
problem is actually just users making mistakes, screwing up, shooting themselves in the foot,
and locking themselves out of their own Bitcoin. So when we look to eliminate single points of
failure, it means not only that there's no single point that an attacker could compromise to steal
all your money, it also means that there's no single thing or single mistake or single decision
that you can make that would result in you having a catastrophic loss. And we do that via a variety
of different ways. We use these hardware key managers to get the keys off of the internet to
close up a lot of those potential exploits and attack vectors. And most importantly, we use a
multiple key set so that you're essentially requiring authorizations from multiple different
keys that are on multiple different devices. And each of these devices should be different brands,
essentially different supply chains. And by geographically distributing those devices,
you then get additional resilience against loss and physical attack, because there's no longer
any one single catastrophic event, whether it be flood, fire, famine, what have you, that will
that will wipe out all of your keys in one go. Right. And I don't want to bury it bury the
lead here. So just to be clear, CASA and the website is it's keys.casa. It's just keys.casa.
Keys.casa. Excellent. Excellent. Not even a.com domain. Excellent. Love to see those love to see
the.io domains cropping up as well and maybe potential for blockchain domains in the future.
But so people go to CASA, they already have their Bitcoin, maybe it's sitting in Coinbase. They
don't like the fact that Coinbase is the actual owner of that Bitcoin. And they want to have some
more control over it protected a little bit. They're not content with just having all of it on an
Electrum wallet. Maybe they don't want the hassle of having simply a hardware wallet. What are kind
of the first steps for them to get to the point where they have their crypto on CASA and they can
use it and take advantage of its features? Yeah, so we have a few different things that we offer.
We're not like your average Bitcoin wallet. The vast majority of Bitcoin wallets out there are
just completely free software that you download, you install, and then you better read the manual
and do it yourself. You may be able to get some email support if you're lucky and it's not peak
hype bull season when everybody's flooding their support. But most of these projects really rely
upon community support and rely upon people doing a lot of research to figure out how to navigate
using the system. One thing that you're getting with us is you're paying us and you're paying us
not only for having a great user experience where we've worked through all of the workflows of
getting set up and maintaining this key set with multiple devices, but you're also paying us for
having a high level of support and we have a few different tiers there. We have a really entry level
tier that essentially comes out to about $10 a month, which will just get you into a two of three
key sets. So you'll have multiple keys in multiple locations. But then depending on your level of
assets, your paranoia, your general level of service that you want, we have several higher tiers
that get into the thousands of dollars per year. And what you're really getting there is a white
glove level of service dedicated client advisor. And we will discuss with you basically anything
that you are concerned about on the technical side, on how to actually store these devices,
on inheritance issues. It's much more than just key management. It's actually how do you
incorporate this whole idea of being your own bank into your life? You talk a lot about self
sovereignty and having your own private keys. Now, let's say your crypto is on CASA. Do you
at any point have to get approval permission or reach out to somebody besides yourself in order to
make use of that crypto? Right. And so like I said, one of our primary tenets is to eliminate
single points of failure. And that includes ourselves as a company. So one of the first
things that actually happens when you finish setting up your account is you get an email
that is personalized and gives you step-by-step instructions on what to do in a worst case
scenario. We call this the sovereign recovery process, but basically it's because we're not
reinventing the wheel. We're not doing anything out of the ordinary or novel that's proprietary
to us. We're using standards and well available industry hardware that is produced by other
companies. Once again, continuing to decrease the level of trust that you have on us. But
point being, you can recreate your entire setup and spend your money without ever touching CASA's
software, without ever touching our servers, as long as you have a sufficient quorum of keys and
you have the data required to initialize that multi-sig wallet. There are multiple other
compatible pieces of software out there that are completely unrelated to CASA that you can do that
in, and we provide instructions for that. Thank you again, Jameson. And just so people are
reminded, it's keys.casa, C-A-S-A. And I also recommend his website, lop.net, L-O-P-P dot net,
all kinds of great resources there for beginners even. With that said, any other places, Jameson,
that you'd like to direct people? Not offhand. I mean, I think you'll be able to find a lot of my
ruminations on my website, on my blog. And the main thing that I try to get across to people is that
you don't need to feel overwhelmed by any of this. It's much like going down any rabbit hole of any
particular subject. You don't need to go all the way to the bottom. You can just spend a few hours
here and there continuing to pick away at it. And the same is true for privacy in general, for
learning about Bitcoin and continuing to increase and fortify your posture there with your holdings.
People should take this approach to all of the important aspects of your life is that while it's
good to go really deep on some subjects and be an expert, you also need to have some breadth
and just spend a little time here and there and continue learning. And that's the most
important thing is just don't stop learning.