Welcome everybody, my name is Krush AK and this is the Market Meditations Podcast.
We chat with fascinating people from around the world to extract mindsets, routines, stories and
habits to help you build richer lives. Meditators, today we have with us Jameson Lopp, the CTO and
co-founder of CASA. He is one of the foremost experts in privacy and security in the cryptocurrency
space. He's solving and finding security flaws for both the individuals and the large enterprises
as well. There's so much value add in this episode, I highly recommend you listen and apply the advice
he gives. Before we jump into this episode, don't forget that I send hand-picked market news,
insights and education to over 6,000 traders and investors three times a week. To get access to
this all you have to do is sign up to krushak.substack.com. Ladies and gentlemen, welcome to
another episode of the Market Meditations Podcast. Today I've got a guest very different to anything
we've had on the show before. This is mainly focused on traders, investors and entrepreneurs
specifically in the crypto space. One thing we've not had quite enough of is security focus episodes.
You can be your own bank but with that comes an immense amount of responsibility and this is one
of the foremost experts in the world on privacy and security in the space. Jameson, thank you so
much for joining us. My pleasure. I'd like to start by asking why you care so much about privacy and
security and why you've chosen to dedicate your life and specifically in the crypto space to this
venture? Well, it started off luck slash accident. When I really started looking for full-time
employment in the space back at the end of 2014, there weren't a ton of options. Most of the
employers out there were the exchanges because they were the only businesses making any money.
I actually applied at Coinbase, got rejected and I also applied at BitGo and managed to make it
through their interview process. Even though they were not looking to hire remote developers,
I was on the other side of the United States. I convinced them to give me a three-month free trial
and after that worked out well, it turned into a full-time thing. Working at BitGo is what really
got me deep into the security side of things. While I was not working directly for an exchange,
I was actually in a way working for dozens if not hundreds of different exchanges because BitGo is
essentially a security service provider for anyone who wanted to run enterprise level hot wallet that
had a high degree of security compared to what most people would roll themselves. That set me
down the security path and then it was a couple of years later, which was really once again,
a result of luck and just I guess sheer determination of how much I tweet and getting
a larger audience that resulted in me getting attention from people that I would prefer not to
have attention from. That eventually led to a extortion situation where my whole neighborhood
got locked down by the police and there was basically false bomb threat that was called in
from someone claiming to be me. That just turned into a whole situation that I did not want to have
to deal with ever again. I decided at that point in time that I was going to have to take on a new
project, which was to really push the boundaries of privacy to do the best that I could to ensure
that some random person on the internet couldn't just find my information and target me. So here
we are several years later and so far so good. That is really unfortunate. I'm sorry that
happened to you. I've had nothing close to that, but some instances where I've had cyber attacks
where people have taken over my computer and typed things at me. It's what happens when you
put your face out there. Again, the level of that I'm sure is very different to what you experienced.
Now for me, that was quite traumatic. Your decision to go into pursuing privacy and security so much,
how much of that was driven by a sense of I need to logically go do this and also
and also sentimentally and emotionally, I don't want this to happen to anyone else.
That's why I'm pursuing this. Yeah. So privacy and security are kind of like two sides to the same
coin. You can certainly focus on one more than the other. And I was already focused on security
because of my work at BitGo and seeing a lot of bad things happen. I saw a lot of mistakes.
I wrote a blog post a few months ago, the do's and don'ts of Bitcoin key management,
in which I basically did a brain dump of everything I've ever seen go wrong. And I think
that's probably about 10 pages of different incidents. And so I was already good at least
on the digital security side. I would say that I had actually been interested in physical security
well before Bitcoin. When it comes to personal defense, I had been into firearms, for example,
since I was legally allowed to, I guess when I turned 21 in the US, you can get handguns.
You can get long guns earlier than that, but I was at university at the time and they tend to
frown upon that. So I started off with firearms, which is common in America. And eventually I felt
like I wanted to go further. And I took about two years of instruction with Krav Maga, in which I
learned blade and stick training and hand-to-hand combat. And that was a really good experience,
not just because it showed me how to both offensively and defensively use non-firearm
weapons, because even in America, we don't always have a gun on us. There are a lot of places you
can't take guns. But it showed me what my physical limits were. And it made me realize that if you
have the right mental attitude, you can do a lot more than you probably believe that you can.
And that was definitely the most grueling experience that I ever went through.
Some of the end of level course challenges that I had there, I felt like I was going to die,
essentially. They were like three hour long, 110% of everything that you were capable of doing,
basically military basic training type of stuff where they were just trying to break you mentally.
And so I found that side of things very interesting. And I think you can then apply
those concepts to many other things in your life. And so you spoke earlier about how you mostly
talk to traders and entrepreneurs and whatever. And regardless of what your vocation is or what
your hobbies are and you focus on, I think that getting yourself into the perseverance mindset
and the ability to accept failure and learn from it and move on and realize that even usually the
worst thing that has ever happened in your life is it's not the end of your life. If you're still
breathing, you can still learn and keep going. So it was a fairly long diatribe there, I guess,
of how I got sparked off into the mindset. And over the years, it has just morphed into applying
that mindset to a number of different things. And so I've had other incidents that are personal to
me that I have considered opportunities. Getting swatted was a terrible day in my life, but I
actually believe that the attacker did me one of the biggest favors that he could have. Because
if anything, that has resulted in me researching and learning more about this whole new sphere
than I had ever anticipated happening. And then when I turn around and I try to educate
people about that, that has only, I think, resulted in my prominence growing, at least
in the security and privacy mindset space. Because a lot of people who do this,
they're not the sharing types. And that's something that will probably come up, again,
as we're talking about security, is that for some reason, even a lot of security-minded and
privacy-minded individuals have this belief that security through obscurity has value.
So if I can't tell people, at least generally, what I'm doing to secure myself and to make myself
more private, then I'm just relying on the hope that they don't find out what my techniques are.
And that's very weak, brittle type of security. Wow. Okay. There's so much there for me to
address. Normally, I interrupt in the middle, but every talking point was so interesting, I couldn't
stop. So it seems like it wasn't a sentimental decision for you. It was something that has always
been a part of your personality and something you've been serious about even before crypto.
I love that you mentioned Krav Maga as an example. One of my closest friends is actually the
special forces trainer, the trainer for the Israeli special forces, Krav Maga. And I've
trained with him. So definitely not top tier stuff, but lots of fun. And I see the value.
It's very much not a martial art. It is a self-defense. And what you went on to next
about mindset. One common theme we've had on this show nonstop, whether it be traders, investors,
entrepreneurs, CTOs, CEOs, whoever is successful in anything they do, it all stems from mindset.
And I actually wasn't expecting to see, even with security, that this stems from mindset as well.
Having the right mindset, the perseverance to get attacked and then come back stronger
every single time. It is, whether it be a trading mistake where you lose a lot of money
or a security mistake where you get hacked, whenever it happens, it could have happened
later when you had a lot more to lose, a lot more money, or it could have been a lot worse.
So it's almost a bit of a blessing when it does happen. Now I've commented on a lot of what you
said, but I'd like to go back to the very start, something you mentioned, which was that security
and privacy aren't the same thing, but they do coexist. And then you also mentioned how with
privacy, every decision you make has an opportunity cost. So it's not just privacy increases. There's
got to be a financial cost, a mental cost, a freedom cost. What are the differences between
security and privacy? Can one exist without the other? And how do you find balance?
Yeah. So I consider them to be kind of like different layers of your shield. And I also
have written extensively about this in some of my posts this year about physical defense and home
defense and whatnot. And security is like your shield that you're actually holding where someone
is attacking it. And that security mechanism, whatever it is, is physically or digitally
just blocking them. It's a firewall type of mechanism. I consider privacy to be kind of like
an outer layer. Consider it like a moat or a barbed wire fence that's further out on the perimeter.
And if you have really strong privacy, then an attacker won't even be able to get to your
security. They won't be able to find that real final layer of defense to attack it in the first
place. So this is another type of mindset that I talk about often, is that security and privacy
are not, you shouldn't think of them as a single layer or a binary thing. Instead, what you want is
a multitude and a diversity of different types of privacy and different types of security.
This is, once again, it's something that gets applied to all types of privacy and security
and all types of spheres is because if you're relying on one single piece of privacy or
security to keep you safe, then that's a single point of failure. You never want to have a single
point of failure in anything that you're architecting. That's the major premise upon
which CASA is architected. But the more layers that you have, you have to assume that none of
them are perfect and that they may get compromised. And so you essentially want to make it so
so aggravating for an attacker that even if they get through one layer, they just
immediately run into another layer and that just confounds them even further.
And what that is doing from a practical standpoint is it's raising the cost of a successful attack.
And especially when it comes to privacy, there is no perfect privacy. What you're really doing is
you're instituting so many different layers that you are raising the cost to a level that
you hope and anticipate that a given attacker simply is not willing to commit the resources
in order to penetrate through all of that. So this is when I talk about my own privacy setup,
even though I'm probably in the 0.01% top tier threshold of privacy.
If an attacker was willing to spend millions of dollars, they could probably find me. So
I do not have nation-state level privacy resistance, but that's not my goal. My primary
goal is just to keep the rando, butthurt person sitting in a basement away from being able to
find my physical location and target me.
So I know you've spent a lot of time, energy, and resources in developing this level of privacy.
Is it for just the rando, butthurt person? Or surely there's got to be more you're trying to
protect yourself from? Or maybe not surely. Maybe I'm being naive. The rando, butthurt person can
do a lot of damage.
Yeah. So that's what I consider to be the more common type of attack. And obviously that's the
attack that actually happened to me. So there is documented evidence that this is a real threat,
at least against me. And I would say that's a real threat against anyone who is prominent
and has tens of thousands, but definitely if you have hundreds of thousands of people in your
audience who are paying attention to you, because it becomes a numbers game at that point.
This is not a unique problem. It's a problem that any celebrity and politician has had to deal with
going back throughout human history, really. The difference now is that it's the cost of someone
reaching out to you has become so much lower just due to the energy that you're using.
It's the cost to the internet, the ability for information to flow so cheaply that that attack
cost has gone to almost zero if someone has the right skills. So obviously there are plenty of
other potential threats. And when I extrapolate out, I have a repository where I keep track of
all of the known physical attacks against people in this space. And there is a very strong
correlation between the exchange rate and the amount of physical attacks that happen,
especially with the recent ledger leak of a quarter million physical addresses. I'm very
interested to see if we get a big spike in physical attacks. That type of attack is very low
probability because the attacker is putting themselves and their life in physical danger
by doing it. But if an attacker gets information and then they're doing reconnaissance and
basically any attacker is going to be weighing the odds. What is the cost and what is the
potential reward of a successful attack here? So if they're able to determine that, hey, someone
who lives in this very specific house has millions of dollars in liquid crypto bearer assets,
and all I have to do is put a weapon up against them to get that in a matter of hours.
That's a very, very high reward. Now, while it's also high risk, it's probably safer than
robbing a bank. It is robbing a bank. We're trying to be our own bank, so it just makes
robbing a bank easier. Yeah. And the problem, and this is the problem that I've been focused on for
six years now, is that if we want to be our own banks, we have to realize that it's possible
to have better than bank level security. But the vast majority of people who are even bothering
to take custody of their keys in the first place are nowhere near that. So we've got a long ways
to go. And this is why security I think is important, not only at a personal level,
but at a macro level, is that once again, like I said, the risk and rewards will continue to be
weighed by these attackers as the Bitcoin space becomes more prominent. More criminally minded
people are going to be poking at it and trying to figure out if there are good opportunities for
them. And the only way that we're going to really be able to prevent widespread attacks like this
from happening is to make it a common thing that that type of physical attack is not feasible
because the person is not putting all of their money in one place where they can be easily
coerced into sending their entire life savings with a few clicks of a button.
I think I heard you say this, even if we protect our keys and make sure that it's impossible for
anyone who gets into our home to take them, aren't we relying on them believing us that we
don't have it? So simply the fact that we own it and it is known that we own that puts us in severe
danger. And what would the solution be around that, besides investing a whole lot into your
personal security when you become your own bank, which almost puts an argument away from crypto,
and that could be a significant inhibitor to mass adoption.
Yeah. So, you know, there's a lot to unpack here. There's a lot of sort of intermingling factors,
and I think a lot of people mix them up too much. So there's the security of your actual keys.
You know, that's one thing you have to think about completely separately. That security is
generally completely unrelated to your physical security of your body.
So, you know, that's a whole other problem set that, you know, Bitcoin and like the ability to
be self-sovereign, yadda, yadda, yadda, that doesn't solve anything about the physical security
of your body, your home, your family, your pets, whatever. On the plus side, that type of physical
security is a problem that has existed for all of human existence. And there is a lot of great
solutions that are already out there. And I think there's a lot of things that can be done to
that are already out there, you know, if you're willing to put in the time and the resources,
you know, invest. You have to invest in security up front because I consider security to just be
a preemptive form of insurance. So, you know, a lot of people in this space talk about insurance
products, you know, after the fact insurance products. I'm not a big fan of those because,
you know, those are just trusted third parties that you already know are incentivized to screw
you over and not pay out if something happens. And like, I don't want to have to deal with that.
I would rather just prevent the bad thing from happening in the first place and be confident
that it's not going to happen. And then, of course, there's also privacy, like I said before,
which is yet another, you know, completely separate facet to all of this. And so, you know,
if you're focused on just like your total security well-being, you have to approach it from all of
these different angles in order to have, you know, the strongest shield, you know, almost consider it
like, you know, chain link mesh. You know, if you have links in the chain missing, then those
are weaknesses. So, pretty much everybody has room for improvement regardless of how much
resources they've devoted to it. I love the analogy of privacy being the barbed wire preventing
people from even testing your shield in the first place. It really helps visualize the importance.
In fact, for my shield, I was thinking just researching you made me want to have a guard dog,
a dog that is capable of upping security. It really made me think about things I haven't
thought about before, because even though you said that this is a problem we've thought about
forever, previously, it's not very easy to get into someone's house and get out with $2 million,
for example, a random sum. Crypto makes that a lot easier, which is why I feel the solutions
we had before might need to be elevated, but always has been a risk. So, as an average person
who doesn't really have any barbed wire right now or a shield, what is commonly overlooked?
What can our listeners spend one hour doing after this to level up their security and
something that most people don't do? On the privacy side, the easy thing to do is
just behavioral changes. It's stop putting your name and address and personal contact information
into every database that you come across. This is a mindset change that is difficult at first,
because essentially what I'm telling people to do is to lie. In the vast majority of cases,
when you're interacting with a third party, a merchant or whatever, you are under no legal
obligation to give them your real information. Unless you are signing some sort of legal contract
or you're in court or you're actually doing a specific legal process, then it's not illegal
to give someone a pseudonym. That's one start. If you want to actually protect your physical
address and phone number and stuff, then you need to start figuring out how to use proxies
for everything. This is the way that privacy works as a shield, is that you're using proxies
to put another layer of obfuscation between your actual information and whatever you're giving to
a third party. Any information you give to a third party, you should assume is going to eventually
leak. That's where a little bit more effort comes in. You can throw away phone numbers very easily
with a number of different services. For mailing address, you are going to have to probably spend
somewhere between $20 and $50 a month if you want to rent out a box somewhere. If you want to cheap
out and your company, if you have a physical office that will allow you to ship stuff to the office,
that's an easy free way to not put your home information into a bunch of different databases.
There's also on the internet side of things, in a matter of 10 minutes, you can install
a number of different ad blockers in your browser. You can get set up with a VPN and
probably less than an hour. That will put you in a better position than 99% of people on the internet
just to make it harder for all of these surveillance capitalism websites to track
everything that you're doing on the internet. Jameson, before you move on from that,
I've spoken to a lot of security experts, especially because I've tried to put out a
lot of content myself to help people level up their security. No one has once mentioned an ad
blocker to me yet. Why is that important? It's funny because before I worked in Bitcoin security,
I spent my first decade working as a cloud data analytics engineer for an email marketing company
that would send out over 100 million emails every day through its platform. We had a ton of different
very large e-commerce clients. I was doing the antithesis of what I do today in that I was
collecting petabytes of information and processing it and helping marketers better target people to
sell crap to them. I was never interested in this as an idea. It just happened to pose an interesting
computer science challenge that resulted in this company offering me a nice salary. It put a roof
over my head and food on the table for a number of years, but I never found it to be fulfilling.
I think that that experience gave me a great deal of insight into exactly how much tracking
is going on because I was the one that was doing it. It's very easy to stop that tracking.
Like I said, there's plenty of tools out there and it doesn't take more than a few minutes
to get set up with them, but even that miniscule resource commitment of a few minutes is well beyond
the vast majority of people on the internet. These surveillance capitalism engines don't really have
anything to fear from those ad blockers because it's only the people who actually think about
privacy in the first place that are going to bother. Well, that's fantastic. I'm going to add
that to every resource I currently have. What I try to focus on is the no-brainer easy steps,
which you have no reason not to do because it's very hard to convince people who haven't ever
been hacked or suffered some sort of serious security threat to go set up a proxy address
or spend X amount of times to get their mail posted X somewhere else and get it a day later.
That sort of thing is really hard to communicate, but install an ad blocker, install a VPN. That's
pretty easy to get people to do relative to that. Actually, moving away from the simple solutions,
if on a macro level you want to solve all of this, how much would it cost to get someone
to handle it all for you? Can it even be done without a time investment for those who have
the money but don't have the time? Well, yeah. Like I said, most of this stuff,
it's the same type of problem that celebrities and politicians have to deal with. So there are
certainly services out there that will hook you up. I mean, if you've got the money, I've never
priced them out myself. The only one that I've ever actually looked at was Michael Bazell, who
wrote the book that I recommend everyone reads, which is Extreme Privacy. The second edition of
that just dropped and it was like twice as long as the first edition. I think it's like 550 pages.
He offers a bespoke service. I have no idea how much it costs. I would expect to pay at least
$100,000 to get a full setup. As I have said, I think that I spent around $30,000 and most of
that was in legal fees. I spent $5,000 to $10,000 testing my setup, hiring private investigators to
spend a week trying to track me down. And then I have a lot of ongoing experience,
I have a lot of ongoing expenses. I think if you exclude the fact that I have like decoy
physical, like actual physical apartments and stuff, some of those are needed for like
driver license information. I probably spend $500 to $1,000 a month on all my different
privacy related services. So $100,000 for a one-off cost and then a recurring cost to
get that sort of privacy. But that's just the financial side. What is the emotional or non-financial
cost of this? I imagine you've had to sacrifice seeing certain friends or family at certain
times or occasions simply because it's a security risk and I could be wrong. Please correct me if I
am. So I've worked remotely for the entire time I've been working in Bitcoin. So I've worked from
home for six years now. So that already drastically reduced my physical interactions with folks.
And then a few years ago when I burned down my whole life and moved away, that was me cutting
ties with all of the friends and family that I had spent the past 15 years around. So that
was a major thing. Then deleting most of my social media was another big thing. Your Facebook,
all Facebook related services. So sometimes I will get a random email from someone who's like,
oh, hey, I hadn't seen you post anything in a few years. What happened? But I think what that also
helps me realize is that I think a lot of those social media services were providing a false sense
of connection because the vast majority of people that I would interact with through their services,
I haven't heard from ever since I deleted them. So I suspect that they don't think about me. I
don't think about me. I don't think about them. It's just a simple fact of life that you have a
limited amount of time. Dunbar's number is a real thing. You can only reasonably fit so many people
into your life at any given point of time. I think social media artificially inflates that and makes
it feel like you can fit more people in your life than you really can. And then of course, just with
me being on Twitter and a few other services, I mean, I have like a dozen different communications
channels that are going 24 seven and I never feel alone. I may be physically alone, but I have, you
know, so many people that I am regularly interacting with that I'm busy. I'm happy. I'm building.
I don't regret any of that. I think the annoying thing was, you know, this is always a learning
experience. The first time through when I burned everything down, that was definitely more anxiety
inducing because I figured some things would fail. And over the years they did. And that was what was
really annoying to me is that I had a few incidents where either an attorney or sometimes a close
family member would leak information that I had entrusted them not to do. And this, you know, I
didn't hold it against them because this is human nature. They were just doing what they had always
done their entire lives. Like, you know, like the attorney, you know, would might put an address in
to their database and then somehow that would get sent to another marketing database and then I would
get like a holiday card to an address with my name on it that should never have happened. You know,
extremely frustrating for me to then have to go, you know, be like, what the hell is this? You know,
how did this happen? And so I ended up redoing everything a few years later. And, you know,
essentially the result is I can't trust anybody. I can't trust the attorney. I can't trust my own
family member. You know, I don't, I don't give the family members the real address. If they want to
send me something in the mail, they can get a proxy address and that'll work just fine.
I guess that is the one sacrifice that you've mentioned, even though with a lot of the other
ones, it seems to be in a bit of a blessing like with Facebook finding more real connections,
finding more real connections, focusing more on things you actually care about. And a lot of
these things people are attached to. Once you lose them, you realize you never wanted it or liked it
that much in the first place. And all of this leads nicely into, I mean, CASA, which is what you
yourself have built and run. Could you tell us a little bit about the services you provide and
what it does? Yeah. So the best way to think of CASA is that we are helping people be their own
bank. We don't want to be people's banks, but we want to provide a user-friendly software combined
with a high level of service, almost like a private banker level of service. So that, you know,
someone who has a great deal of wealth that they're storing in Bitcoin and, you know,
wants to self-custody if they see the value in that, but they don't have the time or they don't
want to, you know, invest a lot of resources to figure out, you know, survey the entire ecosystem,
go through all of these security best practices that I've been learning for six years. That is
where the real value comes in is we are providing from a technical level, a multi-signature Bitcoin
key management solution. But, you know, a lot of people don't even really know what that is.
It's easier just to describe it as, you know, we're providing a mobile app interface that is,
you know, as easy to use as any of the mainstream apps like your Facebooks and whatnot.
But what it's really doing on the back end is helping you maintain a distributed set of keys
that with enough of them combined can be used to unlock and spend your Bitcoin. And it's the way
that these keys are stored and the guidance that we give you for setting up and managing them is
how you get yourself into an architecture in which it is robust against single points of failure.
If you have a key, get lost, stolen, damaged, whatever, then it's no longer a catastrophic
loss. We actually have mechanisms built into the system that make it really flexible. So you just
go, you know, buy a new hardware device or buy a new phone or whatever, and you can reconstitute
your key set, you know, bring yourself back up to full security. So this is, I would say, a very
different model than most Bitcoin wallets out there. The vast majority of Bitcoin wallets
are free software. You download it, you run it, you figure it out. If you're trying to get support
for them, you'll be lucky if you can get email support in many cases. You know, in other cases,
you know, if you are able to get some level of support from a company, you know, the response
times may vary, especially if it's during a bull run when there's a lot of people getting onboarded.
And I would say really what you're paying for at CASA is a level of support that we try to be the
best in the business. You know, we prioritize a lot on keeping our support system flowing and
getting, you know, response times to our premium users, you know, in a matter of hours rather than
days or weeks. So very much based on all the philosophy you've been sharing, the multi-secret
removes that single point of failure and employs something I like to do a lot is if I get hacked,
make sure I'm still okay anyway, or if someone breaches anything, I need to still be okay anyway.
And you're definitely someone I'd want to trust with my security, Jameson.
And you seem to know more than 99.9% of people on the topic and have applied it to your own life.
The one thing I'm very curious about with CASA is you can't run the whole thing yourself.
So that means you have to trust other people to carry out these same philosophies that you believe
in. How do you vet the right people? And what measures do you put in place to make sure that
even the CASA employees can't do anything to compromise the security of your customers?
Yeah, I think, you know, I have people come to me and ask if I do consulting services from time to
time. And my response is generally CASA is my consulting service. And what I'm trying to do
here is to scale what I could do on my own, but you know, scale it out so that we can service
a much higher volume of clients than I would be able to on my own. So I'm, you know, I'm kind of
trying to reproduce myself and my philosophy and my security knowledge. So, you know, we have,
I would say it's not a particularly unique hiring process, but you know, there is a philosophy to
hiring that A players want to work with A players. And so the most important thing you can do,
especially when you're starting out with a very small company, is you have to realize that your
culture and your ideology get baked in really early. You have to, you know, define them and
keep them as strong as possible because the likelihood of the culture, you know, weakening
or changing, you know, as more people come in, that's kind of what you have to guard against.
If you're bringing in people who don't align very strongly with your ethos that you started
the company with, that's when you risk eroding it, you know, having people start to try to
suddenly change things. So the most important thing that we can do is, you know, just ask
culture fit questions, regardless of what your actual position someone is coming in for, because
who knows if 10 years from now, they might end up being the manager of an entire department of the
company and have, you know, a lot of power over, you know, how that culture is getting disseminated
to new people that are coming in. But then also that quality level, the A players hiring A players,
like this is why when you're interviewing at CASA, it's not just, you know, the managers of a
particular department that are interviewing you, you get interviewed by all your peers too,
because if the peers don't want to work with you for whatever reason, then, you know, we're just
going to save ourselves a lot of trouble by not hiring you in the first place. You know, we have
had a few people who have, we've had to part ways with over the years, and it was never because they
were bad at their jobs. It's always been culture and personality issues. Another recurring theme
where it's way more important to hire the right people for the company than the right people for
the job. And CASA, I would have thought would be a very unique set culture, given the importance of
each member of staff in there. And sorry to repeat a question, but how do you protect
besides the hiring process? Are there measures in place where like no one employee can compromise
the security of customers, if you're comfortable answering that? Yeah, yeah. No, I mean, this is
important. So it actually starts from a very fundamental level with our key architecture.
And, you know, any given key set that someone sets up with CASA, CASA only ever has one
out of the N keys. So our premium tiers have a three of five and a three of six multi-signature
setup, which means there's five total keys, and you need three of them to add signatures
to a transaction in order for it to be valid and accepted by the Bitcoin network. Now,
only one of those is held by CASA. And even when I say held by CASA, you know, it's completely
offline. We don't keep keys on any of our servers or in any of our databases because we assume,
even though we have very strong multi-layered security, we have to assume that they might get
compromised because they are connected to the internet. So those keys are only held by a handful
of security officers. There's, you know, once again, a variety of multi-layered authentication
processes and also internal processes like time delays around being able to use that key to add
a signature to a customer's requested transaction. There are also just access control. I mean,
a lot of this stuff is common cybersecurity stuff. It's not like crypto specific. Like,
that's the main crypto specific part. The rest of it is just using like principles of least access
such that only a tiny number of people have access to given production systems.
If they do access them, then we have alerts that go off so everybody else knows what's happening.
Access to pretty much all of our critical systems is gated by a number of things. Most importantly,
physical hardware, specifically, YubiKey devices. So, you know, if you want to get into certain
systems, you're going to have to have physical possession of one of a handful of YubiKey's,
you know, so that does a really good job preventing external attackers. Now, the really
interesting question with any of this stuff is, well, how do you guard against an internal attacker?
How do you guard against an employee that goes rogue and wants to enrich themselves? Because that
has happened. There are companies in this space that either the company itself has fully exit
scammed, or in some cases, they just hired a malicious employee. Sometimes, possibly even
most of the time, the employee was a security professional who was supposed to be there to help
everything stay secure. And because they knew how the whole system worked, they were able to
find the weakness and compromise it. And so, to keep malicious code from getting into our app,
for example, we have, you have to have rules upfront to prevent bad things from happening. But
then on the back end, you want to have strong audit trail so that even if something does happen,
it's highly unlikely that the attacker will be able to get away with it. So, on the front end,
like with all of our coding and development and deploy processes, we once again employ YubiKey's
so that all of the code has to be cryptographically signed from an authorized GPG key that is stored
on a YubiKey. It's very hard to fake code. But then if an employee wanted to get malicious code in,
they have to get through various two-man rules where they have to get other employees to sign
off on reviewing that code. So, no single rogue employee would be able to get away with getting
bad code out. There's additional two-man rules around the actual process where non-engineers
have to get involved and have to cryptographically sign off on like the creation of our
mobile app builds in order for those to get pushed out to the store. So, I'm sure I'm leaving out a
number of things, but the whole point is once again, it's no single gate. It's no single security
mechanism. There's layers and layers upon security. And then even if somehow all of those layers get
compromised, what we're doing is we're creating cryptographic attestations at many of these
different levels so that we can say, well, this employee did this at this time so that if we had
to go back and do some sort of forensic examination, we'd have very strong mathematically compelling
evidence of who was the perpetrator. And all of our employees know that. So, they're not going
to put themselves in that position because they're not going to get away with it.
That's incredible. I wasn't expecting anything less. Unsurprisingly, you guys have thought of
everything. Okay, Jameson, so we've spoken a lot about privacy and not that much about crypto
itself. Do you think Bitcoin will ever reach complete privacy? Because it's not the most
private store of wealth out there. Yeah, so there are some conflicting principles
at play here. Specifically, what I think we've learned over the past few years is that
the ability to easily audit the monetary supply is throwing out a number of what I would consider
extremely strong privacy features that could be added to the protocol. When we talk about
some privacy-centric coins like Monero and Zcash and whatnot, it becomes more difficult to audit
them when you can't actually just sum up the values of all the coins really easily.
So, Bitcoin probably will not implement things like zero-knowledge proofs or complete shielding
of the values that are being sent. Rather, I think what we're going to see is a different approach.
The ability to combine information, the ability to have massive coin joins, for example, I think
is a more practical approach. It's been impractical to this point because when you're doing massive
coin joins, you're creating extremely large data size transactions. But the ability to have
aggregated signatures, which we'll hopefully get in the next year or so, I hope will turbocharge
that. There's also work being done on second layer protocols. You could feasibly have stronger
privacy on those layers because you're no longer constrained to work within the specific consensus
mechanisms of Bitcoin. You have a lot more leeway in what you can do. You're essentially creating
your own protocol. That has, I would say, been one of the more frustrating aspects of Bitcoin.
Obviously, we want Bitcoin to be the perfect money, but then you run into conflicting tradeoffs
when you're trying to do different things. That goes back to the scaling debate. Everybody wants
Bitcoin to be lightning fast and extremely cheap and extremely easy to use. We want it to be perfect,
but whenever you try to push the protocol in one direction or another, you're usually leaving
something else behind. Due to the nature of how difficult it is to get consensus changes
into the system, that's why I believe that the game theory behind all of this, it doesn't
necessarily lead to an outcome where we end up with perfect money. I would say it results
in a system that converges on changes that are the least harmful to as many people as possible,
not necessarily the best for everyone, but the least harmful for everyone. It's hard to quantify
or predict exactly how that's going to play out, but I would say that especially from seeing the
result of the scaling debates and other protocol changes over the years, that just seems to be
what you get when you have a system where the default governance of the system is veto. The
default is no. I would say that the strength of Bitcoin from a protocol change perspective,
it's the strength of not having to do anything and to be able to ignore proposals. You don't
have to take action. You have to be convinced to take action to accept changes. That's why
I gave a very lengthy talk a few years ago, which I called it blockchains or inverting
bureaucracy with blockchains. But of course, the blockchain part is irrelevant. That's just
a data structure. It's about the way that a system of independently running nodes converges
on consensus and how consensus is formed is that instead of being this hierarchical
type of system where you have a few actors at the top that then they pass down orders
to other layers beneath them, it's a bottom up where you have all of these nodes at the bottom
and they individually decide what they want to accept and then the protocol naturally converges
on the least common denominator and consensus bubbles up from there. That's just another reason
why I find these systems so fascinating. They've changed a lot more than just money. I think it's
potentially a blueprint for an entirely new form of human coordination.
Stig Brodersen Does that have to come from Bitcoin,
though? Could it not be Bitcoin integrated with different decentralized finances?
Leo Dion Well, I think people are going to try to
integrate as many of these systems as possible to make frictionless finance. I think that
the vast majority if not all of the quote unquote governance schemes that I've seen in the space
are laughable. Obviously, if you want to build voting, you can build voting. You can build
whatever you want. We now have the power to architect whatever rules we want. But the reason
I find most of these governance schemes laughable is because I believe that they are a veneer on top
of the true governance of any of these protocols, which is a bunch of individually independent
actors running software that defines the rules of the protocol. To be more specific, you can build
a protocol in which people are using tokens to vote on whatever aspects of maybe distributions
of other tokens in the protocol or whatever. This is essentially recreating democracy. I
mean, I consider democracy to be like a tyranny of the majority. There are certainly pros and
cons to it. But ultimately, if some minority is upset with the way that some governance action
within the rules of that protocol has proceeded, no one can stop them from forking off any
off and creating their own different rule sets and resetting everything. I think that you may
be able to create a little bit better coordination through some of these schemes. But once again,
unless everybody agrees to abide by those rules, you can't actually enforce it. You can't stop
anyone from going off and creating their own rules. That is really one of the reasons why this space
is so hectic and hard to keep track of is because people are free to do whatever they want.
I get questions all the time of like, what do I think of random cryptocurrency X, Y or Z? The
answer is I have no idea because this system has exploded to a level of complexity that no one can
keep track of it. I am still 99% focused on Bitcoin, just trying to keep track of everything
that's going on within that single space. Will Barron Well, you've just answered one
of the questions I wanted to ask you, which is that you said if something gives you more freedom
than Bitcoin, you will swap to it instantly. I mean, has anything even come close to tempting
you? Have you seen potential in anything in the initial phases and then seen it to be
nothing more than some part of Bitcoin? Will Barron Well, and to be specific about
that quote, I wasn't even constraining that to things in the crypto sphere. I have obviously
used a non-negligible amount of funds to improve my privacy and improve my freedom from that
standpoint. I consider that privacy and security to be more valuable than the corresponding amount
of Bitcoin that I could have bought instead. But if, for example, I can set up my Citadel,
whatever that means, set up some fairly sovereign piece of land, which will once again give me more
security and privacy, then yes, I will probably trade some of my Bitcoin for that.
From a far future looking view, I think I've said this before is that I'm holding my Bitcoin
for life extension technology, for digitization of my consciousness and ultimately decentralization
of my consciousness to rid myself of this single point of failure that is this body.
And I'm holding my Bitcoin for a ticket off this godforsaken rock.
Stig Brodersen Wow, you just hit us with three huge topics
over there. Have you seriously pursued or looked into any of those last three you mentioned?
Will Barron I do need to look into Alcor as a sort of fail
safe backup. I know a number of people in Bitcoin have cryopreservation and Hal Finney being one of
the most prominent. But that's kind of like an emergency backup thing. I do hope that in the next
few decades, we will find ourselves, if humanity can survive, we'll find ourselves at the crux of
this major inflection point, hopefully when computing and AI gets to the point that we can
essentially get rid of a lot of the need for a lot of menial tasks and hopefully create enough
wealth that people will generally be free to pursue the things that they find most fulfilling.
And then hopefully that exponential explosion in technology will also occur in the biomedical sector
and allow us to extend the life of our current bodies, our current forms, and then eventually
figure out how to manifest our consciousness in other forms that aren't so fragile. But that's
starting to get into transhumanism. But these are the things that I am hopeful for.
If we can avoid, I can never remember what it's called, but there's a theory that most
civilizations in the universe essentially snuff themselves out before they're able to become
stellar space travelers. So we just have to get through the hard part.
Yeah. I've definitely heard the same theory when destructive technology just increases with the
creative technology as well. So people just end up destroying themselves.
Jameson, again, just like with the security, you fought so much further ahead than I have.
I mean, I thought of maybe when I take the turn 40, I'll try HRT to stay a little longer. But
you got bio enhancements on the menu. I need to research that a little more. And we could
probably do an entire podcast talking about that because it's another fascinating topic. But alas,
we're reaching the one hour mark. So Jameson, let's finish off with a crowd pleaser. What are
your Bitcoin price predictions and what do you think will happen next year? This doesn't have
to be a specific singular point you think it's going to reach because I know a lot of people
think that's useless information. What do you think the general trend is going to be, especially
given the current world economic situation? Right. Yeah. I mean, I've always found price
predictions to be nonsensical because, I mean, it would make sense if you are only
thinking about it from a Bitcoin adoption and therefore number go up perspective.
But the reason they're nonsensical is because you're pricing Bitcoin in fiat and there's no
floor on the value of fiat. So you can look at it from both ways. At a very high level,
it seems like the hype cycles are generally like 5X to 10X in terms of exchange rate.
But then there's also the this time is different scenario. And this time is different. It seems
like every time is different. But this one is definitely different from the macro perspective
of how much fiat is being printed. So, yeah, I mean, I would be surprised if Bitcoin does
more than 10X from the previous all time high, which would be like around $200,000. You're
the trader. You know market psychology better than I do. It just seems to me like when people
see order of magnitude increase, that's when they start to think maybe I should take some
money off the table here. I don't claim to understand those perspectives myself,
because I've never sold a substantial amount of Bitcoin. I've still held some of the original
coins I got on MT Gox, for example. And the reason that I've held them is for what we just
talked about is that I've never really found anything else that I was compelled to believe
that was going to be better for me than holding the Bitcoin, even during those crazy hype cycles.
Yeah, you know, I should have sold when it hit $1,000 and I could have bought back lower. I
could have sold when it hit $20,000 and bought back lower. But like in reality, because I'm not
a trader, I don't pay attention to the markets on a granular basis. I didn't have time. Like,
I would have missed those things. Like, you know, the exponential blowoffs happen so quickly in a
matter of days, if not hours, that me trying to time them is actually impossible in my current
setup, because I don't have direct access to enough keys to move the coins in the first place. So,
you know, CASA is also good for hodling from that perspective. You know, you're not able to panic
sell. We have a number of traders that use CASA. And I would say, and what I've said for a while is
that the good traders that I've talked to, they don't denominate their gains in fiat. They
denominate their gains in Bitcoin. And what they end up doing is they keep building up their long
term Bitcoin stash. They put that into CASA as their long term storage. And then they have their
trading stash, which is, you know, probably less than 10% of their total holdings. And that's what
they keep in lower security wallets or in, you know, various exchanges and actually do their
active trading with. So, you know, that is, trading is probably my weakest area of knowledge.
I would say that the few trades I've done over the years, I would have been better off if I hadn't,
but live and learn. Well, you have the self-awareness to one,
know that hodling serves you much better. And two, you said you're not a trader,
but you've given a better answer than most traders do, which will be one random singular
number that they think it's going to reach next year. Instead, you've given a very all-encompassing
answer, which takes into account your specific personality and situation, which applies to it,
because there's no way you're going to be pinpointing the exact level it's going to get
to, because the value of it, even though the asset is beautiful, and fundamentally, all this
dollar printing is bad for it, it's only worth what people think it's worth. That's what's going
to be. And you can't predict that sort of human irrationality with anything close to pinpoint
accuracy. So, a fantastic answer to finish stuff off. Jameson, thank you so much for taking this
time on New Year's Eve to come on and help educate our listeners on crypto security. This has been a
huge value-add episode. Is there anything you'd like to leave our listeners with before we wrap
it off? And that could be, you've hopefully had a great time goodbye, or some sort of advice,
or even an advertisement for any of your services. Yeah, I mean, I think one thing we didn't really
get to talk about is just wealth in general, and that this is something I also haven't spent a lot
of time looking into, but I'm starting to look into it now. And it's once again, it kind of
goes back to why I didn't sell a lot of my Bitcoin for fiat during previous run-ups.
And it's a question of what is the point of this wealth? Let's say that you're in
the crypto ecosystem, and you've gone through a whole bull cycle, and your wealth has exploded
by an order of magnitude or more. This can be very overwhelming. I think it's a good example
of why so many early holders don't have much of their Bitcoin left is because it's just too
tempting to trade it for something else. You feel overweight in Bitcoin as an asset, you feel like
you have to diversify. But what I'm starting to think of now just at a higher level is that the
point of wealth is to be productive and is to serve society, it is to create a legacy for yourself.
The point of wealth is not a circular, logical thing to make more wealth. What is the point of
that? Okay, if the numbers in your accounts keep going up, and you're not actually using them for
anything productive to yourself, your family, society at large, then it's like you're playing
a zero sum game. I don't know why anyone would find that to be fulfilling. I'm sure there are
some people who find that fulfilling. But my reasoning for getting into this space in the
first place, it was never to become wealthy. I had no idea that the exchange rate would go up
so quickly over the past number of years. I bought Bitcoin because I saw it as a hedge against my
fiat value going down, not as some sort of get rich quick scheme. But then the reason why I
went full time into Bitcoin is because I decided to make a mission for myself.
And the mission is to use my skills as a technologist to empower individuals,
to try to take as much power away from large institutions, from governments,
from any centralized source of power, and build tools that give more leverage to individuals
to be sovereign. So as I'm thinking about this in the context of the wealth that I have been
fortunate enough to find myself coming through Bitcoin, my goal is going to be to figure out
how to use that wealth to further that mission. If I stop being a CTO and building full time
Bitcoin stuff, if we get to the point where I feel like Bitcoin security has been solved
and is user friendly enough, then there's going to be another mission out there. There's going to be
other technology that will help empower people. And I'm going to use all of my resources to
keep working on that, to keep using the ability for software to empower people.
So I think that's going to keep me busy for the rest of my life. And I just hope that everyone
else who's been lucky enough to find wealth through this system will be able to come up with some
mission on their own. It doesn't have to be that, but there's so many terrible things
in the world today. Each of those is a problem, and each problem has a solution. So I just think
people should be looking at their wealth as a tool for finding more solutions.
I'm going to expand on that because that was a beautiful point to round off this podcast with.
I fully agree that you can use your wealth to do so, but any resource whatsoever. So something I
found personally has leveled up my wealth and the amount of value I can add to society is
previously having been an entrepreneur for the last six years, I have looked for sales arbitrage
opportunities, like a business where I can make money by finding some sort of arbitrage. But all
of these ended eventually. They weren't long-term or sustainable. And the reason for that was they
weren't solving any problem. They weren't actually delivering value for society. But even from a
purely selfish standpoint, taking your advice and building things that are actually solving problems
and making the world a better place will help your longevity, wealth-wise, health-wise, mentally,
or even your social circles, because you're providing value to society. People are going
to want to spend more time with you and work with you and build with you.
Exactly. So we're fortunate to be in the position that we get to worry about these type of things.
And hopefully these systems will continue to free more and more people from a financial standpoint
so that they too have the time and the resources to worry about these higher, unlike Maslow's
hierarchy of needs, you need to get past having to worry about your food security, your home security,
your six-month financial security. Once you have that financial security, that is an amazing
level of freedom that then allows you to really focus on whatever you want.
Beautiful. Jameson, thank you again for your time. Meditators, thank you for tuning in again
for another episode of the Market Meditations Podcast. I will see you again next time.
Thank you so much for tuning into another episode of the Market Meditations Podcast.
If you enjoyed this episode and you'd like us to continue bringing you fascinating people from
across the world, please leave us a review on Apple Podcasts, Spotify, or wherever else
you'd like to listen to these podcasts, and share the episode with a friend. If you have
feedback or an idea for a potential guest, reach out to me on Twitter at KarushaAK.
And do not forget we write a newsletter covering all important topics in crypto and traditional
markets. We send it out three times a week. The Market Meditations newsletter, you also get early
access to these episodes and you get transcripts and extra notes as well. So make sure to subscribe
there as well.