Do you even OpSec, Bro? 💪 (Proof-of-Take #004)
Proof-of-Take: a dose of perspective and context in the noisy world of Crypto
Welcome to Proof-of-Take: a dose of perspective and context in the noisy world of Crypto. If you want to learn more about why I’m writing this, check out Issue #001.
Today, we’re going to talk about something called “Operational Security” or as the cool kids say, “OpSec.”
Before we dive in, a quick reminder on what the “Crypto” in “Cryptocurrency” means. “Crypto” is derived from “Cryptography,” a technique dating back to ancient Greece. Cryptography means doing *something* to a message that makes it difficult for a stranger to understand. It sounds complicated, but you use cryptography all the time—usually when discussing things in public.
👥 When you’re out with friends, gossiping about a romantic interest or co-worker, but refer to them by a code name like “long texter,” “finance guy,” or “Stage 5 clinger,” you’re using cryptography.
🍕When you fill out your Venmo transactions by only typing emojis 🍣🍷🚕, you’re using cryptography.
👨👩👧👦 When you use abbrevs around the olds, you’re using cryptography.
Cryptography is awesome! It also allows us to do handy things like: securely send an email, safely use the internet, and reliably use cryptocurrency.
Unfortunately, cryptography doesn’t just make it difficult for ‘bad actors’ to access our cryptocurrency, it makes it difficult for everyone to access it. Even us! This is important to keep in mind when designing systems to protect our assets. If we make our security too extreme, we can’t even access our own crypto anymore. Okay, back to OpSec.
What is “Operational Security” or “OpSec”? Like most things in crypto, it’s a complex term that sounds intimidating and confusing at first. Operational Security describes the actions we take so that we don’t lose our cryptocurrency.
Why is it important? Because with bad OpSec, you’re at high risk to lose your crypto and worse, your digital identity! An oft-cited benefit of crypto is that it will “let people become their own bank.” This sounds great at first — until we remember that banks have vaults 🏦. And customer service hotlines 📞. And fraud reimbursement 💰. Crypto has none of these things. So you, the owner of crypto, have to safeguard it yourself. This sounds like a pain at first. But throughout history, people have learned to dramatically change their behavior to adapt to new technology. Crypto is no different:
🏇🏻 For much of history, people got around by riding horses, yet learning to drive a car became a coveted rite of passage.
🚙Until recently, we wouldn’t dare get into a stranger’s car or sleep in their home. Yet we’ve learned to use Uber and Airbnb everywhere.
📲There was a (brief) time when we were addicted to BlackBerrys and their keyboards. Yet we’ve learned to love our iPhones and Samsungs.
Behavior that was once unthinkable, eventually becomes common and unremarkable.
What does good OpSec protect us against? Two main threats:
Theft by bad actors
Our future selves getting locked out of our crypto
We’ll look at some very basic steps we can take to get better ‘digital hygiene’ on both of these fronts. Good OpSec is kind of like flossing your teeth. At first, it will may seem like chore, but it will eventually become part of your routine with great long-term benefits.
Can OpSec be fun? Yes! Good OpSec incorporates the best practices of the CIA and NSA. So when I’m “doing OpSec”, I feel like Tom Cruise in Mission Impossible.
Cybercrime is Worth the Time; Don’t Get Pwned
Digital theft is called “hacking.” We seemingly read about a new hack every day. Why? Because the economics of the internet (compared to the physical world) makes hacking a very attractive proposition for a thief. Back in the day, in order to rob someone, you had to venture out into the physical world (“meatspace”), find some stuff and physically take it. This was:
⏳Time-consuming— you could only commit one robbery at a time
🔫🔪⚔️ Violent—you needed to use force to commit robbery and
👮♂️Risky—with enough attempts, you’d eventually get caught and arrested.
The team in Ocean’s Eleven had a lot to lose!
Pre-internet, theft was high risk, decent reward. However, today, theft is low risk, massive reward. The limiting risk factors above have disappeared. Since cyberhackers use software to execute their robberies, they can attempt thousands of robberies simultaneously—all from the comfort of their couch. Additionally, there’s no physical violence required. And because of the power of encryption, a thief can attempt these robberies anonymously. After all:
As more and more valuable stuff is migrated from the physical world to the digital world, cybercrime becomes that much more lucrative.
In fact, most of our most valuable stuff has already migrated to cyberspace. There’s a popular misconception that Bitcoin is revolutionary because it’s “digital money.” Nonsense. Only 8% of “money” even exists in physical forms.* The rest of it is literally just entries in a bank’s database. If Bitcoin is “magic internet money,” then so are 92% of US Dollars!
Life as a cybercriminal is much easier than life as a bank robber, so you might think that the modern bank robbery would be to “hack into Bitcoin.” Wrong. In its history, the Bitcoin code itself has never been hacked 🙅♂️🙅♀️. Though Bitcoin can’t be hacked, the people and organizations on top of it can be. For some people, this is a distinction without a difference, but we can debate that some other time. Just know that almost all of the infamous “hacks” of cryptocurrency don’t involve people hacking directly into a cryptocurrency’s code, but rather people taking advantage of others’ shoddy OpSec.**
Okay, I don’t want to get hacked. What now? I’ll link to some solid resources at the bottom. But here are some rules I follow:
💸📚🤓I scale the dollars I invest with the amount of research I do. And I scale the strictness of my OpSec with how much value I have at stake.
🚫🤦♂️💔 I don’t beat myself up about bad OpSec. It’s impossible to be fully protected and OpSec is ALWAYS a work in progress. My goal is improvement, not perfection. I’m not trying to make myself completely immune to any loss of crypto, but to make my attack surface tomorrow smaller than my attack surface today.
There is a lot more to be said here. But I’ll leave you with two really easy steps you can take to up your OpSec game. Even if you own zero cryptocurrency, these two steps will make your digital life far more secure. It takes ~10 minutes and is well worth your time.
1. Use a password manager. And use unique, complex passwords for every site.
This is the single most effective thing you can do to protect you and your crypto. Most people store their passwords in unreliable locations — either their brain, or on a post-it note on their desk. A password manager is secure software that manages all of your passwords for you. LastPass and 1Password are two popular services.
Why is the combination of a password manager & unique password so important? Because every single site you use represents a massive security risk.
The risk isn’t that someone will guess your password, the risk is that by breaching one site, they will then try that same password on every other major website, eventually getting to your email or cell-phone provider. Once they have access to those, they own your online life — including your crypto. (H/T Pamela Morgan)
2. For your most valuable accounts, Use “Second Factor Authentication” (2-FA) and DO NOT use a text message (SMS) as the second factor.
Normally, when you log-in to a website, you only need to present one “factor” to gain access. That factor is a password. When you correctly input your password, you’ve “authenticated” yourself. Second Factor Authentication (“2-FA”) simply requires to give two pieces of identity (your password + something else), instead of one (your password), before getting access. By requiring a Second Factor (other than a password), you can make it more difficult to get hacked.
So what should you use as the Second Factor? Fortunately for us, the most secure & convenient Second Factor we can use is our phone. But not how you might guess.
You should never, EVER use your phone number / SMS as the second factor of authentication. Your phone number can be easily stolen! A popular attack is “number porting.” Thieves call up your phone provider, pretend to be you, try to get them to associate your phone number with the thief’s SIM card. This might not work the first time, but after dozens or hundreds of tries, the thief eventually get a Customer Service representative to “porting” your phone number.*** Do you really trust Verizon or Sprint to protect anything valuable for you? Especially something as important as your identity?
Instead, you should download a special application that generates random, one-time passwords every 15 seconds. Apps like Authy or Google Authenticator are user-friendly, battle-tested and secure.
These are the first steps on your OpSec journey. There are some other, more extreme measures like hardware wallets, fireproof safes, computers that never touch the internet, and more!
OpSec may intimidating, but if you follow these steps, your crypto and digital identities will be MUCH safer. OpSec is important because it applies to everyone. Whether you think Bitcoin is a ponzi scheme, or think all of humanity’s problems can be solved with a blockchain, improving your OpSec with improve your life.
Until next time…
Thank you for reading! Like it? Hate it? Still processing it? Please share it with a friend or enemy, and tell me why I’m wrong. Let’s continue the conversation; the best way to reach me is on Twitter — I’m @CantHardyWait.
Resources & Further reading:
*https://money.howstuffworks.com/currency6.htm
**https://www.fool.com/investing/2018/05/09/the-biggest-cryptocurrency-hacks-in-history.aspx
***How to Lose 8k worth of Bitcoins in 15 minutes (Porting Attack)
Also check out some of these awesome resources:
Pamela Morgan on Why to Use a Password Manager and how to do 2-FA properly
Good reading on cybersecurity from @lopp
Rusty's Remarkably Unreliable Guide To Bitcoin Storage: 2018 Edition
Huge thank you to Eric Walsh and my parents for editing this piece.