Before You Begin
Lesson One: The Big Picture
Transcript of video lesson
Welcome to Digital Currency Ownership: Before You Begin, an original Coin Academy course. This course is designed to give you information that you need to understand before you embark down the path of digital currency ownership. The course is divided into 6 lessons. The first, this lesson, is called The Big Picture. The second is Passwords & Encryption. The third lesson is Backups & Offline Storage. The fourth is Mobile Security and then we wrap up the course with 2 primer-type lessons: the first on Soft Wallets and the second on Digital Currency Exchanges. The entire focus of this course is giving you not only the information you need to understand the key issues related to Digital Currency Ownership but also the techniques, and tools, and processes you need to adopt to safely and securely maintain ownership of digital currency.
Let’s go ahead and get started with the Big Picture lesson. As the name implies, we’re really going to look at some large concepts here that underlie the entire course.
During WWII this poster was popular. It emphasized the need for control over information and security in communications – Button your Lip! Loose Talk Can Cost Lives. We can update that to the digital era to – Button your Lip! Loose Talk Can Cost Bitcoin.
The essence of digital currency ownership is the maintenance of a Public Address and a Private Key. This is an attribute of all current digital currency models. The public address, as the name implies, is the information you give somebody in order to get paid. It’s okay to share this publicly. You have to do it to receive funds.
The private key, in contrast, is something that should be closely held, should be confidential information. Why? Because this is the key to the safety deposit box. It is the combination to the safe. If you give someone your private key, you give them your wallet. They can empty that wallet if they’re an unscrupulous individual.
The private key has to be maintained private. If you give up your private key, that’s it. It’s all over with. Similarly, if you lose your private key, and you don’t have it backed up, you’re stuck. You no longer have the combination to the safe. You no longer have the key to the safety deposit box, and unlike the physical world where you can find a locksmith who can get you into those things, in the virtual world that does not exist.
The private key is protected cryptographically, and there is no way that it can be recovered. No way at all. Otherwise, it wouldn’t be much of a security device. So if you lose your private key, you’re doomed. And if your private key is compromised – you give it away, you allow someone else to see it, or you expose it unintentionally in a transaction – you open yourself up to the possibility of theft.
What we are saying here is that ownership requires a consistent exercise of diligence. And diligence in two regards – diligence to maintain your information so that you don’t lose it and diligence to protect your information because there are unscrupulous individuals, cyber criminals, that actively target the digital currency world.
This is no different from cyber criminals targeting banks and other institutions. But in this case, since the digital currency is under our own control, we become the targets ourselves. Therefore we have to take steps to protect ourselves, and of course we also have to take steps to make sure that we don’t lose our critical data.
Let’s talk for a second about attacks, because attacks are really the scariest concept for most people: the idea of being hacked and having something stolen from you, even if it’s digital. It’s a daunting thought, and it’s an insult to your personal integrity. An interesting statistic came out just in the last 30 days: it found that in financial malware attacks, Bitcoin was being targeted in 22% of the current round of attacks. In other words, Bitcoin has become a high-value target and a lot of hacking resources are being focused specifically on Bitcoin. It’s true also of other digital currencies, but Bitcoin is the big target, so they’re going after Bitcoin.
What are the attack vectors? In other words, how do they come at you? We can divide this into a pyramid. The lowest level, the highest-frequency attacks, are what we call Mass Attacks. These are mass internet attacks orchestrated across networks. The second category is what we call Spear Phishing, and I’ll explain all of these in more detail in just a moment. Then the top tier, the fewest attacks we see, are Targeted Attacks. These are highly specialized attacks.
What are the attributes of these things? Mass attacks are typically driven by exploits, with Trojans being one of the most common methods used here. A Trojan is a piece of software that is put on your device, whether a computer or a phone, that allows someone else to access that device. These Trojans often make it onto your machine via a variety of techniques, the most popular of which is phishing.
Phishing simply refers to sending out bulk emails that have a link or a download in them. If somebody is not careful and not being cautious, they click on the link or download the file, and that link takes them to a website that installs malware, that Trojan, on their machine.
Or that file that they download installs malware on their machine. The target of most mass attacks is actually computing power. They’re actually trying to obtain access to your machine to use your machine for other purposes, in some cases mining Bitcoin, but oftentimes for broadcasting spam or for launching attacks on other systems.
By stringing together all of these zombie computers, if you will, they are able to focus that power and bring it to bear on whatever target they want, whether it’s a denial of service attack, a mass spam attack, or mining Bitcoin. That said, they can also be targeting control over your data or access to your data. But typically that happens in a different way, and that’s when we get into what we call Spear Phishing.
Spear Phishing is highly targeted phishing email. This is typically driven by social engineering. What I mean here is, these are the emails that you receive that say something like – “Oh hi, this is Barbara. I was in Istanbul and we were robbed. I’m at the hotel, I don’t have any money. I need you to send me money, it’s an emergency. I need your help right now. I know it’s been a long time since we talked but please send me money.” They rely upon human reaction to these: “Oh, I vaguely remember somebody named Barbara.” “Oh, they’re in trouble, I’m going to help them out.” It is completely fraudulent. These sorts of orchestrated social engineering attacks are designed to prey upon human nature, and they’re actually extremely effective.
They also do things like sending you things under the banner of a recognized corporation such as Amazon, or Citibank saying, “hey your account has been compromised, you need to click this link to reset your password.” Of course, that doesn’t go to their site, it goes to the fraudster’s site and then they are able to obtain information or control of your machine.
Spear Phishing is almost always targeting the ability to act. That is, they want to be able to act on the information you have given them. For example, you have given them a password, or a credit card number, or account data. Each piece tells them more about you, so their next spear phishing attack can be even more closely tailored and refined, and they can really zero in on the target. This requires diligence and common sense.
The last area, targeted attacks, is driven by espionage, but also, a surprising number of times, by social engineering. The target here is intellectual property and large, high-value thefts. This isn’t something that affects most of us as individuals. This is people going after a Bitcoin exchange, or a bank, or a major corporation, trying to obtain information off their machines, actually defraud them, or in some cases ransom them.
In terms of what’s most dangerous to us as individuals, it’s the mass attacks and the spear phishing. Common sense goes a long way, but you also must have proper anti-virus and anti-malware installed on your local machine. Do not think, “Oh, I own a Macintosh, I’m immune from these attacks.” That is not true. There is an increasing number of exploits that target Apple iOS, including the tablets and the phone devices as well. There is an increasing number of attacks that target all sorts of mobile devices, particularly as people carry more and more of their financial data on those devices.
In the subsequent lessons in this course, we’re going to look in depth at security, at encryption, and at building good passwords: all the things that you need to do to harden your systems against these sorts of attack vectors. But there’s one thing we can’t fix, and there’s a joke in the hacking business that says you can’t patch human stupidity. We can’t protect you from social engineering. This is something that you have to be diligent about yourself. You need to learn to tell a good, valid email from one that isn’t. You need to be suspicious. You need to be a doubting Thomas towards these things. Do your due diligence before you click on those links.
Moving on, one of the things that we want to plant as a seed is that people have different needs when it comes to security, and there’s always a cost/benefit calculation involved in security. Increased security does take time, in some cases does take money, and does take increased diligence. Some people are not comfortable with those high levels of security, or they’re simply not practical for them because of their personality or their situation. What we would want you to think about is coming up with an adaptive strategy. A multi-tiered approach may work best for some people.
Think of it this way: divide your digital currency holdings into three pools. The first pool is your short term holdings. These are the funds you need for use on short notice – to pay for dinner, to buy a book, to pay for a taxi, to buy tickets – these sorts of things. Typically this is time sensitive, “oh how much funds do I need for the next 7-10 days?” Put that pool of funds in a mobile wallet. That way it is handy, it is usable and you can use it when you’re out and about in the world.
Next, create a medium term holdings fund. Think of this as your main bank account. These are the funds that you use to top up that short term holdings account and to make larger and less frequent purchases. It is best to put this on your computer. This is the best device for holding it.
Then finally, for your long term holdings, the things for investments, for large amounts of capital, use offline storage. Do not put them on the computer permanently, do not keep them on a mobile wallet, and most certainly do not keep them on an exchange. In fact, you’ll notice we don’t recommend an exchange for any of those three pools – short term, medium term, or long term. It’s never a good idea to leave large amounts on an exchange.
Next we also want to encourage you to be adaptive. You need to adapt to changing needs. Your needs will change as you step further into this world. As you expand your stake, it’s appropriate to move from online, to your local computer, to offline. It’s simply a matter of increasing the security, the scrutiny, and the control in the process.
This is typically velocity driven. How much of that money do I need right now? How much do I need in the next week versus in the next 6 months? It can also be driven by simple caution. The most cautious approach is the offline approach, followed by your local computer, followed by your mobile device, and the least secure being the exchanges.
Regardless, never leave funds in an exchange for any lengthy period of time. Let the Mt. Gox situation be a lesson to everyone. There was a theft at Mt. Gox and a number of people lost their Bitcoin, and then after that Mt. Gox became bankrupt as a result of the theft, and even more people lost their money because there was no liquidity to cash out their Bitcoin funds. So we’ve seen situations like these where exchanges are vulnerable, and let’s face it, exchanges are high-value targets. So let’s not leave our holdings in there for any period of time, and if you do, you should be very, very clear on the risk that you are taking on.
Bottom line: security never ends. You need to review your process periodically and ask yourself where it can be improved. Never forget that cyber criminals are a resourceful lot. They’re likely more technically capable than you. They likely have better hardware than you. They likely have better access to expertise than you. But you must be agile as well. You must look at your protocols, you must look at your processes, try to patch holes, and constantly be thinking, “Am I being smart about this?” “Do I have all of my eggs in one basket?” or “Have I segregated things so that I’m minimizing my risks?”
One thing that we’re going to talk about in depth in the next two courses is the philosophy called PEBO. PEBO stands for Passwords and Passphrases, Encryption, Backups, and Offline storage. This is a security philosophy that we believe in and advocate quite strongly, and we’re going to actually step you through the process, giving you tips and pointers and in some cases actually showing you how to take steps on your computer to implement these things.
That’s it for lesson one: The Big Picture. Join us for lesson two where we start to dive into the PEBO philosophy with a look at Passwords and Encryption. Thank you very much.