Jameson Lopp Bitcoin Opsec

Bitcoin Privacy & OpSec | Jameson Lopp on What Bitcoin Did with Peter McCormack

Check out the What Bitcoin Did Episode Page & Show Notes

Key Takeaways

  • Ask yourself: What is the most important information to keep secure, and who might try to use my private information against me?
  • Services like privacy.com allow you to create throwaway digital credit cards to conceal your billing address
  • Connecting to public Wi-Fi networks? Use fake email addresses. Also, disconnect and “Forget” networks to prevent automatic re-connecting
  • Use VPNs and ad-blockers; good ones include Brave, uBlock, and Privacy Badger
  • Check out all the tools developed by The Electronic Frontier Foundation (EFF)
  • Bitcoin’s transparency and auditability make it difficult to use privately. Coin mixers can help you obfuscate transactions
  • Hardware Wallets are the most effective way to protect against the majority of hacking attempts (The most popular are Trezor, Ledger, and Coldcard)
  • Every wallet gives you a 12-word seed phrase as a backup, safely store them offline
  • “Your node, your rules” – Run a Bitcoin full node to verify network rules for yourself
  • Never use phone numbers as a security mechanism (e.g., account recovery or 2FA)
  • Password management in a nutshell: “You shouldn’t know any of your passwords other than a master password to open up your password manager” – Jameson Lopp
  • Remember: The most effective actions are basic and free (like setting up 2FA, Ad-blockers, and a password manager)

Intro

Importance of Privacy and Opsec

  • Privacy, the ability to selectively reveal yourself to the world, is becoming increasingly hard in the digital age
  • Understand that different pieces of information carry different potential consequences; this is Opsec (Operational Security)
    • Ask yourself: What is the most important information to keep secure, and who might try to use my private information against me?
  • Keep in mind: data you consider unimportant may suddenly become very important
    • This can cause unpredictable and unintended consequences (e.g., Having your life messed up by one bad tweet)
  • With numerous software hacks, be careful about giving your information out to third parties
    • “At the end of the day it’s a numbers game, if you are giving your information out to hundreds or thousands of third parties you are basically guaranteeing that at some point your personal information is going to get leaked and then distributed around” – Jameson Lopp

General Privacy Online

  • Don’t trust applications that request more information and access than needed for their operation (Your data will be sold to and shared with third parties)
  • Allowing phone data to be collected by entities that analyze it is like being followed by a private investigator – creepy
    • Using phone apps (like Uber or Facebook) through web-browsers collects less tracking data
  • A service like privacy.com allows you to create throwaway digital credit cards
    • You can lock each card to a merchant and have a payment limit
    • Additionally, the cards will validate with any mailing address, which protects your actual mailing address
  • When connecting to public Wi-Fi networks, use fake email addresses. Also, disconnect and “Forget” networks to prevent automatic re-connecting

Tips on How to Setup Your Computer

  • Browsers like Brave allow you to easily browse through the Tor network
  • Using a VPN is a great way to mask your home IP address
    • IP addresses give away your rough geographic location and act like a digital fingerprint for everything you do online
  • Set up ad-blocker browser extensions on your web browser for more privacy; good ones include uBlock and Privacy Badger
  • Check out all the tools developed by The Electronic Frontier Foundation (EFF)

Using Bitcoin Privately

  • Bitcoin’s transparency and auditability make it difficult to use privately: every transaction reveals information about your money
    • With that said, Coin mixers can help you obfuscate every transaction
  • Bitcoin best practices: Don’t post your bitcoin addresses in public places, and avoid re-using addresses
  • The bare minimum you could do is to not associate your real identity to coins on social media or in public

Opsec isn’t a Choice When You Own Bitcoin

  • Ask yourself: What attacks do I need to protect against?
    • For most people, it’s being hacked and having their private keys stolen
  • The most effective way to protect against the majority of hacking attempts? Use a Hardware Wallet (The most popular are Trezor, Ledger, and Coldcard)
    • Hardware wallets securely store your private keys offline, even if your computer is hacked
    • Jameson advises against using browser-based wallets even if connected to hardware wallets (more chances of phishing and malware attacks)
    • Important: Always verify the recipient address on the HW wallet screen
  • A security step-up from using a HW wallet is to use multi-signature
  • Every wallet gives you a 12-word seed phrase as a backup
    • Important: Always keep them safe and store them offline
    • Products like CypherSafe, CryptoTag, and Billfodl let you store your seed in a metal wallet for extra protection

Running a Bitcoin Full Node

  • There are two “tiers” of operating on the bitcoin network:
    • Holding your keys: Being in full control of your money
    • Running a Node: Verify and validate the network rules yourself
  • In addition, you can query your node directly for transactions without relying on third parties
    • An added benefit is better privacy against nodes run by chain-analysis companies
  • Memorable quote: “Your node, your rules; Not your node, not your rules” – Andreas Antonopoulos

Protect Yourself Against SIM Swapping

  • SIM swapping involves an attacker tricking phone companies into swapping control of your number to a different device (they can then use your number to take over your online accounts)
  • Solution: Never use a phone number as a security mechanism for anything – Examples:
    • Putting your phone number on online accounts
    • Using SMS-based Two-factor authentication
    • Allowing account recovery via SMS
  • In the US, the most secure phone provider is Google Fi
    • Jameson goes even further by using a phone proxy service so he never has to reveal his phone number

Use Two-Factor Authentication (2FA)

  • Your password (something you know) is your first factor of authentication, 2FA requires a second factor – something you hold
    • This can be a biometric fingerprint, or a one-time password (OTP) valid for a short period of time
  • Google Authenticator is a popular 2FA app
    • Even better: Use Hardware-based 2FA like Yubico

How to Manage Your Passwords

  • Put simply, “You shouldn’t know any of your passwords other than a master password to open up your password manager” – Jameson Lopp
    • Additionally, your password manager should be secured by 2FA, preferably hardware based
  • Jameson had a good experience using LastPass; it’s usable across multiple devices and supports hardware-based two-factor authentication

Closing Thoughts

  • The most effective actions are the basic free steps (like setting up 2FA, ad-blockers, and a password manager)
  • Review your security plan whenever circumstances change (For instance, has Bitcoin awareness or price gone up?)
  • Don’t be intimidated; this is a learning process, similar to securing anything precious you have
    • And as your bitcoin wealth increases, you start securing your coins in more ways
Notes By Mostafa Khaled