Crypto Market Commentary
9 June 2019
Doc's Daily Commentary
A High risk industry
The cryptocurrency industry is not like traditional finance. The ability to own, send and receive payments in a self-sovereign currency means you do not require a bank or trusted third party to operate. The trade-off is that if you lose your private keys, send funds to the wrong address or have your computer compromised, there is no reversal and no second chance. Furthermore, the entire ledger is auditable, and with companies like Chainalysis entering the fray it can become trivial to establish a link between pseudonymous addresses and real-world individuals.
Today I want to talk through some high-level suggestions on how to maintain good operational security (OPSEC) in the crypto industry. There is every reason to start doing this now rather than tomorrow.
Protect your sovereignty: It remains plausible that cryptocurrency may be made illegal in some nations, simply because of the immense threat Bitcoin poses to the ‘stability’ of the central banking system. Starting your obfuscation and security practices now will make it harder and harder to trace your activity in the future once central powers have caught up. This includes governments forcing people to disclose how much Bitcoin they own, which is already happening in some parts of the world.
Minimise your digital footprint: By using tools such as VPNs and Tor, you reduce the digital fingerprint you leave behind, which can otherwise be used to build an ever-growing pool of links between your movements in the digital space. This is not about hiding anything malicious; it is simply best practice to prevent malicious actors (both the ‘good’ and the ‘bad’ guys) from connecting too many dots and making you a target.
Protect yourself from hackers: The primary reason you have not been hacked by someone looking to steal your Bitcoin is that you probably don’t hold as much as an exchange. That said, if hackers can get into Binance, the NSA and government agencies, your laptop doesn’t stand much of a chance. Best practice, therefore, is to make yourself MORE difficult to attack than the next person, which is usually sufficient to divert hackers’ attention to easier targets with poorer OPSEC.
Actions which compromise your security
A number of actions leave very distinct digital signatures that can compromise your security and/or privacy. An example of a series of events that can deanonymize you:
Googling cryptocurrency-specific topics links your digital identity to your search activity – now Google and prying eyes know which IP address to follow.
Transferring coins from a KYC exchange to your wallet links the wallet address and your IP address to your identity.
Checking your address on a block explorer links your IP address to your wallet – people can now establish how many coins you have as well as any other wallets you may check on the same computer.
Re-using a wallet address for sending or receiving creates additional linkages between both parties. A ‘mis-sent’ transaction claim is unlikely to fly if there are multiple transactions to and from the same address. This links all your wallets together along the send-receive paths.
Sending a transaction links your current geo-location to the nearest nodes that see your transaction – this links all of the above to your immediate physical location.
You can see how easily your identity and privacy could be compromised by a malicious actor who not only knows that you are interested in crypto, but may even know exactly how many coins you own and even your physical location. Scary right…
Best practice opsec
Now, this is not a comprehensive guide, because I am no expert on OPSEC and there is a balance to strike between practicality and wearing tin foil hats. The sections below touch on some of the best practices out there for controlling security and privacy in a reasonable manner, and I believe they should be your minimum line of defense.
Step 1 – make it difficult for attackers
The first and most important part of your system must be the security of your online identity and email accounts. This is the holy grail for attackers, because once they get into your email they can ‘I lost my password’ attack you all day long. In general, you should have multiple email addresses for different purposes, with a minimum of:
* Master account which does NOT get used for services, only as the recovery address for all other accounts.
* General life email for all those real-world events.
* Crypto-specific email. Preferably one per service, but I understand this is a heavy burden. It is best for this to be relatively pseudonymous.
* Burner email for all the junk traffic and noise.
I highly recommend using a password manager like LastPass or Dashlane (or many others) and creating long, unique passwords for every single service. This means that if a small website gets hacked and leaks your password and email, that password cannot be used to access any other service.
Two Factor Authentication (2FA) is absolutely essential. Do not use text message 2FA for any service, as SIM swapping is a real risk and extremely insecure. I would recommend using at a minimum an app like Authy or Google Authenticator, and ideally a hardware key like the YubiKey with NFC. The YubiKey means you can only access the 2FA codes if you have the physical key, and NFC means you can tap the back of your phone to gain access on the go. You should have two YubiKeys, one as your primary and one as your back-up.
This makes it extremely difficult for an attacker to access your accounts. They must crack your master email account, which has a very secure password, plus access your LastPass, which also has a very secure password, plus obtain your physical YubiKey to get the 2FA codes. This barrier is complex enough that there are easier targets, and hackers will usually seek less secure prey.
Step 2 – obfuscate your online footprint
The next step is to start minimizing your digital footprint. The aim is to reduce the amount of data and personal information you leak that can link your various online datasets together. You should really use these systems 100% of the time, but at a minimum whenever you touch anything to do with the crypto industry.
Use an ad-blocking, privacy-preserving browser like Brave. Brave prevents third-party trackers from collecting data on your activity and has the added benefit of blocking ads on all websites. Even the free version of TradingView no longer has ad pop-ups when you use Brave. Couple this with changing your search engine from Google to something like Startpage. Startpage uses the Google search engine but does not send your search data to Google, which further minimizes your footprint.
Use a VPN. This is non-negotiable in this industry, and even if you’re not in crypto, VPNs are best practice. A VPN encrypts your web traffic and is your most valuable line of defense on the internet. When your internet traffic is routed through a VPN, your ISP cannot see what you are searching for and cannot build up a profile of your web activities. Furthermore, you can bounce your traffic through different locations around the world, which helps obfuscate your physical location. Multiple services offer great rates for VPNs, some coming down to a few dollars a month for multiple devices. For best effect, set up your VPN on the home router so your entire household’s internet traffic is protected.
When you are looking up things like your wallet address on block explorers, or accessing anything that may link to your real-world location or identity, it is best practice to use the Tor browser. As a major convenience, Brave has Tor built in, and you can open a new Tor tab whenever you need one. This further obfuscates your activities and de-links your digital footprint from your browsing history.
Step 3 – don’t trust, verify
The first part of this is to use a hardware cryptocurrency wallet. Your very first investment in this space MUST be a hardware wallet. It keeps your private keys off the internet and is your primary line of defense against loss of funds. Store your recovery seed in two safe locations and make sure that some method exists to let your loved ones access your funds in the event the worst happens to you.
When using exchanges, there is the obvious risk of ‘not your keys, not your Bitcoin’, which cannot be overstated. Get your coins off exchanges when they don’t need to be there. With the rise of Decentralised Exchanges (DEXs) there are now ways of transacting completely peer-to-peer, which can eliminate the KYC risk. One I just came across is Bisq (link), which is actually a DEX fiat gateway, and Nash exchange is another that is under development. Bisq has light but reasonable liquidity for USD and EUR pairings, although I’ve not used it yet so can’t comment on how it works.
Another technology that is extremely effective at anonymizing your coins is CoinJoin. It takes many UTXO inputs from many people and creates a series of output UTXOs in which the funds are effectively mixed, making it very difficult to track individual inputs to outputs. In this way you can hide the number of coins you own, as they get split amongst a number of new UTXOs. The more people who use these services, the more fungible coins become, and adoption of CoinJoin is increasing exponentially. The leader in this space is the Wasabi Wallet, which has a clean interface and is well documented.
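The linkages from the list above (co-spending from several addresses propagates a KYC label across wallets) and CoinJoin's defence against them, as an added example that is not part of the original post: a toy common-input-ownership clusterer over constructed transactions. The addresses, the KYC label and the equal-output CoinJoin detection rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: Alice's KYC withdrawal landed on A1. She later co-spends
# A1 with A2 (her "separate" wallet), then puts A2 through a 3-party CoinJoin.
SAMPLE_TXS = [
    {"inputs": [{"address": "A1"}, {"address": "A2"}],
     "outputs": [{"address": "Merchant", "value": 0.15}]},
    {"inputs": [{"address": "A2"}, {"address": "Bob1"}, {"address": "Carol1"}],
     "outputs": [{"address": "A3", "value": 0.05}, {"address": "Bob2", "value": 0.05},
                 {"address": "Carol2", "value": 0.05}, {"address": "Bob3", "value": 0.01}]},
]
KYC_LABELS = {"A1": "alice@kyc-exchange"}  # constructed: identity known to the exchange

def is_coinjoin_like(tx, min_equal=3):
    """Assumed heuristic for equal-output CoinJoins (Wasabi-style rounds):
    several inputs funding several outputs of identical value."""
    counts = defaultdict(int)
    for out in tx["outputs"]:
        counts[out["value"]] += 1
    return len(tx["inputs"]) >= min_equal and bool(counts) and max(counts.values()) >= min_equal

def cluster_addresses(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic via union-find: every input address of
    one transaction is assumed to belong to the same owner. Outputs are never
    merged, so a post-CoinJoin output is not tied back to its input."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        if skip_coinjoin and is_coinjoin_like(tx):
            continue  # inputs come from unrelated users; merging them is a false link
        addrs = [i["address"] for i in tx["inputs"]]
        root = find(addrs[0])
        for other in addrs[1:]:
            parent[find(other)] = root
    return {a: find(a) for a in list(parent)}

def attribute(txs, kyc_labels, skip_coinjoin=True):
    """Propagate a KYC label to every address in the same cluster; returns
    {address: label or None} for every clustered input address."""
    cluster_of = cluster_addresses(txs, skip_coinjoin)
    label_of = {cluster_of[a]: who for a, who in kyc_labels.items() if a in cluster_of}
    return {a: label_of.get(c) for a, c in cluster_of.items()}
```

With the CoinJoin rule applied, A2 inherits Alice's label through the co-spend but Bob, Carol and the fresh output A3 stay unlinked; switching `skip_coinjoin=False` shows the false merge that an analyst who ignores CoinJoin structure would make.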
Now this is where things get slightly more technical. When you use services like Ledger Live, MEW and block explorers, you are trusting those third parties’ nodes. While this is probably fine in most cases, unless you run your own full node you do not actually know whether you own those coins. Furthermore, using these services leaks your wallet address, IP and transaction history to those service providers. For Bitcoin, it is relatively well documented how to spin up a full node on a Raspberry Pi, either using proprietary hardware (Nodl or Casa nodes) or your own via RaspiBolt or RaspiBlitz. This way you can verify that you do indeed own the coins by validating the whole blockchain. If you wish to run your node on a PC, Pierre Rochard’s Node-Launcher is a two-click path to spinning up a node.
In short, privacy and security online are already rare assets and will become increasingly difficult to maintain. The auditability of blockchains is perfect for self-verification but in the same breath opens up tracking at an individual level by malicious actors. Increasingly, hackers and companies are able to combine digital footprints with transaction histories to pinpoint the exact human behind the wallet. This makes everyone in this industry a target.
In crypto, you must assume that you are already a target and act accordingly. The best time to set up your systems is today. Using online best practice of VPNs, secure passwords, emails and 2FA, and CoinJoins reduces your risk exponentially compared to the next person and is usually enough to avert the most common attack vectors. Nobody knows what the future may look like, but the longer you leave it, the harder it will be to do in retrospect. Stay safe and secure out there.