Paul Walsh had long ago predicted that internet scams would migrate from email to private messaging platforms, but it wasn’t until crypto mania took off that his thesis was proved right — in a big way. In the summer of 2017, the founder and CEO of Metacert discovered many crypto Slack channels were being overrun by scammers capitalizing on FOMO to get people to inadvertently give them their ether and other tokens. Now, the company has several products to help prevent crypto enthusiasts from being scammed and it also decentralizing its work so the whole world can help classify bad links and proven others from being scammed. In this talk, he describes how the scams work, how Metacert tries to keep people from falling victim, and how best you can protect your own crypto.
Metacert the company: https://metacert.com
Metacert the protocol: https://next.metacert.com
Story on phone hijackings:https://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/#7125f2f738ba
Link to episode where Mike Belshe and I discuss physical crimes against crypto people: http://unchainedpodcast.co/mike-belshe-on-what-bitgos-kingdom-trust-acquisition-means-for-crypto-and-how-security-will-develop-in-the-future
Thank you to our sponsors!
Hi everyone, welcome to Unchained. The podcast where we hear from innovators, pioneers and thought leaders in the world of blockchain and cryptocurrency. I’m your host Laura Shin. If you’ve been enjoying Unchained, pop into Itunes to give us a top rating or review. That helps other listeners find the show and be sure to follow me on Twitter @Laurashin.
Unchained is sponsored by Preciate. Founded by Ed Stevens, Preciate is building the most valuable relationships on earth. In each episode of Unchained, Preciate sponsors the recognition of an individual or group in crypto for an achievement. Who in crypto will be recognized today? Stay tuned to find out.
This episode is brought to you by Bitwise. Last year, Bitwise created the world’s first cryptocurrency index fund. The Bitwise HOLD 10, which holds the top 10 cryptocurrencies and rebalances monthly. The fund has several hundred LPs and is currently accepting accredited investors. To learn more and invest in the Bitwise cryptocurrency index fund, visit www.bitwiseinvestments.com/unchained.
Today’s episode is brought to you by Keepkey. The easy, safe, and simple way to protect your bitcoin, ether, litecoin and many other digital assets. There’s no time like the present to protect yourself from hackers, malware and viruses. Rest easy, knowing that your digital assets are protected. Visit keepkey.com to order your secure hardware wallet today.
Laura Shin: 00:01:26
Today’s guest is Paul Walsh, the founder and CEO of crypto security company, Metacert. Should I call it a crypto security company?
Paul Walsh: 00:01:36
That’s okay. Security company in the crypto world, security company, it’s all good.
Laura Shin: 00:01:40
Well, welcome to the show, Paul.
Paul Walsh: 00:01:42
Thank you. Pleasure to be here.
Laura Shin: 00:01:44
So what is the problem in crypto that you’re trying to solve?
Paul Walsh: 00:01:50
Cybersecurity, in its widest sense, but very specifically… I see a world where you feel safe opening a link. So how do you know that bot is not a malicious bot? How do you know the application is not malware? How do you know the website is not a phishing site? And how do you know that the website really is owned by Laura Shin? How do you know the Twitter account is not a fake account or a malicious bot also? How do you know the website is not going to mine Monero cryptocurrency by hijacking your CPU through your computer or your mobile device? So these are all the kinds of questions that people ask themselves every day before opening a link or unfortunately for some people after they’ve opened the link and so what Metacert does is it has a cyber threat intelligence system, which is basically a massive database of the worldwide web split into 65 categories. And the categories that we care most about are websites and URI’s to Twitter accounts and other social media accounts. We care about whether they’re classified as malware, phishing, XXX, crypto mining and so on.
Laura Shin: 00:03:00
And what’s a URI? I know what a URL is. But, not a URI.
Paul Walsh: 00:03:17
A URI is a link and a URL is a type of URI. So the last “I” stands for identifier. So URI could be, when you’re inside a Twitter application, you click on the link and it opens up the Facebook application. So that’s called a deep link in the IOS world, but it’s also called a URI. A URI could also be a MAC address or an IP address or other type of link that you would open up without thinking about it. So, URLs goes to a webpage. Whereas, other types of URIs could go to other kinds of applications and bots or IoT devices or an API. Sorry, I get used to using the term URI. We could use URL to keep things simple, even if it does mean it restricts the kind of links that we talk about.
Laura Shin: 00:03:56
No, that’s fine. Now that we’ve defined it. And keep going. You were saying something more about how you divide and categorize these URIs, et cetera.
Paul Walsh: 00:04:07
Not all security companies have their own threat intelligence system. Only a few of the security companies have them. The other security companies would license the data owned by the security companies that do have them. Metacert just happens to be the world’s most advanced classification platform. With the world’s biggest database of classified content. And to put the numbers into perspective, Open DNS, which is a very respectable DNS service which protects people from malicious links, they’ve categorized just over 2,000,000 domain names into 65 categories. And Metacert has categorized over 7,000,000 unique domain names just for pornography alone. And then, more than 60 categories on top of that. So that’s at the heart of Metacert as a security company is that cyber threat intelligence system. And then we have a number of security products that people use to protect themselves or their communities from malicious attacks.
Paul Walsh: 00:05:09
So one good example, specifically within the crypto world is we have a security application for Slack. We recently launched a security bot for Telegram and we have a number of browser extensions. So in 2017, phishing inside Slack was an extremely serious problem for most crypto communities. And very quickly they installed our security application and it was almost like turning off a tap. In that it significantly reduced the number of phishing right across the industry. In fact, for the communities that install the application, it was like turning off a tap, literally. But at the time before some communities got a chance to install our application, they started to migrate to telegram where there were no phishing scams. And at the time, I predicted and said, “Look guys either stay inside Slack and install Metacert or when you go to Telegram at some point, you will become a phishing target because the bad guys will move to the platform of least resistance.
Paul Walsh: 00:06:14
And now in 2018, we’re finding that we don’t read about phishing inside Slack anymore and now we’re reading about it inside Telegram and other platforms. So more recently we launched a bot for Telegram and what it does is it takes about three seconds to install for a group administrator and then it listens in the background to every link posted to the group and it doesn’t do anything until it finds a phishing link. And then as soon as it spots that it sends an alert to the group to say, “Hey, beware. Don’t click on the link. That’s a phishing link.” And then people are less likely to fall for a phishing scam.
Paul Walsh: 00:06:52
And in the browser extensions are actually twofold. One is to add a utility and the second was a social experiment. And the utility is you install the extension for Firefox or Chrome and it does two things. It blocks phishing websites and also fake social media accounts. But then the most important thing is it actually turns our shield from black to green whenever you visit a verified crypto website or social media account, because the problem is that consumers are looking for the green padlock in the toolbar of the browser and unfortunately they’re falling for phishing scams because there are certain companies that issue those SSL certificates for free and the processes is automated and there’s one company in particular that is issued over 20,000 SSL certificates to domain names with the term Paypal in it. And so consumers are falling for phishing scams because they’re looking out for the green padlock. That is only a measure of encryption. It’s not a measure for trust or authenticity or domain name ownership. And so by installing our browser extension cryptonite. Whenever you visit a crypto website, the shield will turn from black to green. So even if there are new phishing websites out, you’ll know that you’re on the safe website or even a safe social media account, whether it’s Twitter, LinkedIn, Facebook, GitHub, you know when it’s green, you’re safe. And the reason that was a social experiment was because we wanted to see if people would really rely on that shield instead of certificates and they are. Not only are our users coming to us asking about specific websites that are not verified. We now also have exchanges and wallets from around the world coming to us asking to be verified because their community members are not logging into their website because of the shield staying black. And that kind of leads me onto where Metacert is heading, which is we’re moving that entire cyber threat intelligence system to the blockchain. And that was a decision we didn’t make lightly. It took us probably at least six months to make that decision.
Paul Walsh: 00:09:17
In 2017, people would come to us and say, why don’t you decentralize Metacert? Why don’t you decentralize your database? Why is it centralized? Why should we trust Metacert as a security company? Why should we trust McAfee or Symantec, or Verisign? And some people were nice about it, helpful, saying, “Hey dude, we think this is an amazing idea. What do you think?” And then other people who are kind of more right-wing and open source extremists, who think everything should be free and everybody should use open source no matter what the repercussions are. And so we thought about it over a period of about six months. We engaged with community critics and got their feedback and then we came to the conclusion that actually we need to move this entire system and open it up on a new kind of protocol, decentralized trust and reputation for the web.
Paul Walsh: 00:10:09
And the reason we thought it was a good idea was because we couldn’t possibly scale the verification of every cryptos site and social media accounts and then scale that to the web beyond crypto. There’s no way we could. And Verisign and Symantec couldn’t possibly scale that either. And so by opening it up on the blockchain. Introducing a reputation score and a token that incentivizes good behavior. It’s actually possible because, I’ve been around the web since the nineties when I worked at AOL. And, I was part of the team that launched technologies like AOL Instant Messenger, 56k modem speed and a bunch of other technologies. And I built my first website in 1996 and between then and now it hasn’t really been possible to crowd source trust and reputation. Particularly, if you want to classify websites for phishing because how do I know Laura Shin isn’t submitting this website as a phishing site when in fact it could be a competitor of hers. So to kind of get that right has been difficult to impossible. There are some open source lists out there that do OK, but they’re not fantastic. And by being able to use the Ethereum blockchain and a reputation score, which is based on, how many websites or accounts have you submitted. How many of those were accepted. How many were not accepted by the community? And then by offering a token, we can then incentivize and reward people to add to that database and kind of just finish off on that point. Imagine a world where you’re using either cryptonite or parental control application or an extension that highlights fake news. Imagine if you could submit or validate websites or social media accounts or bots or applications that end up being used by those tools to improve the protection that you’re looking for and then at the same time you get paid in tokens. So we have a self contained economy.
Laura Shin: 00:12:19
This whole thing is extremely fascinating and you just said so many things and I have so many additional questions. I actually want to go back a little bit because I started asking what problem it is in crypto that you’re trying to solve. Then you listed a whole bunch of problems. You know, it’s like the phishing links, the fake accounts on social media, whether or not URLs for wallets and exchanges are legit and things like that. Do you have any stats on how big the problem in general of security is in crypto or fake accounts in crypto is, or fake URIs?
Paul Walsh: 00:12:56
I should’ve written this down because I’ve written about it so many times on Medium. I believe the latest report from Ernst and Young was about $150 million a month being lost through phishing, but it would have to double check on that. So it is significant. We hear about hacks in the industry all the time because they’re big ticket items, they’re big headline items. But actually, the number one problem within the crypto world is phishing scams because it’s less money but more people losing it and some of the hacks actually start with a phishing scam, but you don’t hear about the phishing scam. So one example is, it’s not just the crypto teams themselves that are now a target. It’s the suppliers that they use and now hosting providers find themselves on the end of that attack, where a staff member at a hosting provider has had their account compromised through a phishing scam so that the bad actor can access the DNS records of a specific crypto company and then change the DNS records so that they can actually send people directly to the legitimate website. Where when the input, the wallet address, it’s actually gone to the wrong place.
Laura Shin: 00:14:12
Oh wow. So you mean like the web hosting company? Like if I’m a crypto company and have a website hosted somewhere, then the attacker goes to that company and changes the website through someone who works there?
Paul Walsh: 00:14:26
Exactly. I mean, I could summarize the problem that we solve in the crypto world is we help prevent people from losing their money and we also help crypto teams from reducing the risk of their end users, their communities from losing money also. Unfortunately, some crypto teams are better than others. I spoke on a panel recently and then attended a panel after that and I listened to a couple of people who launched crypto last year and they just seemed to be very a laissez faire about the fact that their communities lost some money. And they didn’t refer to investors or enthusiasts losing their hard earned money and their savings. They actually refer to those circumstances as lost investment, lost opportunity. And that’s not how I look at it. But most companies aren’t like that. So we work with a lot of crypto teams to first of all help them understand how they can reduce the risk of themselves being compromised through social engineering. How they can improve their own personal security and so that they become less likely to be hacked or social engineered and then also help them understand how to protect their communities.
Laura Shin: 00:15:46
Social engineering is sort of like this way of hacking without actually using fancy computer skills. It’s just getting somebody to believe that you are someone that you are not or something like that. It’s like calling up a customer service agent and being like, “I’m Paul Walsh,” but it’s actually me and convincing them that I am Paul Walsh and then getting them to do something that gives me your access to your funds.
Paul Walsh: 00:16:14
Exactly. You actually wrote one of the best articles I’ve ever read on this subject, and actually you may or may not have realized it, but social engineering is the technical term given to one example of your SIM card being hijacked or SIM splitting as it’s called. So NITS importing to a different network, but it’s where somebody pretends to be you. Calls your cell network provider like T-mobile and then gets a new SIM card with your phone number and then they’ll go to gmail or another account and do a password reset and of course the password reset code is not going to you because your phone number doesn’t work anymore and it goes to them.
Laura Shin: 00:16:56
Yeah, I wrote a huge article on that. And the sad thing is it’s still going on.
Paul Walsh: 00:17:02
It is. But T-mobile is doing a lot in that space right now, thankfully with AT&T, but not before being taken to court by an individual who believes that they’re responsible for it.
Laura Shin: 00:17:15
Interesting. I know a lot of the victims were thinking about doing a class action lawsuit and I said to them, ” Hey, if you ever file this, like you should reach out to me.” But they never did. So I don’t know who that individual is. Somebody who wasn’t in that group.
Paul Walsh: 00:17:34 We actually got a call from the T-mobile CEO’s office, shortly after that because we actually put out a call also just like you, we wrote a Medium post after that legal case started and said, “If anybody wants financial aid to take T-mobile to court, Metacert will actually help fund your legal aid and that was the result. I’m not saying that resulted in them working with AT&T to do a new campaign and change their practices, but hopefully it would have contributed a little bit.
Laura Shin: 00:18:03
Well, interesting. I don’t know if… has that been written about? I feel like somebody should chronicle this.
Paul Walsh: 00:18:11
Some obscure publication somewhere wrote about it I believe. Maybe other mainstream did, but I got it through Google alert.
Laura Shin: 00:18:17
Oh, interesting. Yeah. If I were still writing, I would jump on that because back when I wrote that story, it was a little bit amazing. It was completely clear that they had gotten these calls for months from desperate crypto people and like totally ignored them. And then the second a reporter called, then they like… When I wrote the story, the person who had most recently had their phone hijacked. Who was the first person I found out about. Because I named that person in my first query to them, that person got their phone number back faster than anybody else ever had. There were people who had been trying to get their phone numbers back for months. Months had been completely ignored. Suddenly everybody’s cases were going like to the president’s office and like they were being told to call the president directly if you ever have this problem and stuff like that. They were just scrambling when I wrote that story. It was really kind of crazy to watch.
Laura Shin: 00:19:15
But anyway, I actually wanted to just make a comment earlier, which is that I think that what you are describing here in terms of the problem and how you’re going about solving it. I sort of feel like what the phishers and these scammers are taking advantage of is that there’s this moment in time where this phenomenon of crypto or just the interest in crypto has taken off. But it really requires a shift in how people treat their money, right? In terms of security, because normally we’re used to thinking, “Oh, the bank is going to keep it secure.” But in this case, obviously, especially if you’re working with this in a decentralized manner, then you are responsible for your private keys and it really requires that change in behavior and a lot of people may have gotten in because they want to get rich quick and whatever and they may not be thinking about their security practices. And I feel like, you know, just while we’re making this transition to this new form of money that does require a different mindset. I feel like they know that probably the window is going to be open a few years before people realize like, “Oh, I need to do different things.” Or, before there are good solutions to preventing these sort of attacks from succeeding. And Metacert is a great example of a company that now has pivoted and is helping to fill that need. But actually then, that’s the perfect segue to my next question, because you guys did not start out as a crypto focused company. So how did you get into this business?
Paul Walsh: 00:20:53
In 2017, Matt from SingularDTV reached out to me and said, “We have this phishing problem in the crypto world. Is there something that you can help us address?” At that point in time, we were simply the number one security company for messaging platforms because a number of years ago we predicted that if people are reducing their reliance on email, in favor of messaging platforms such as Slack and hipchat and Skype and Messenger, then it stands to reason that the cyber attacks will migrate from email to messaging platforms. So we focused on that. Then we doubled down on that and we had customers and still have like a Entity Security, F5, IBM, Sage, SAP. Lot of companies install Metacert to protect their companies. When using platforms like Slack and Hipchat. And, when we looked at the crypto world, I thought, “Oh my word. We’ve gone from predicting this is going to be a problem at some point to the house is on fire.” Literally, because up to that point, I knew what blockchain and Bitcoin was of course, but I was not. I will be totally honest with you. I was not a cryptocurrency enthusiast. I didn’t even know what Ethereum was. Truth be told and I was absolutely blown away.
Laura Shin: 00:22:09
This was last summer? The summer 2017?
Paul Walsh: 00:22:14
Yep. 2017 just before the summer. And at this point, for example, inside Slack when you install our security app, it listened to all of the links inside the public channels because we didn’t think for a second that an attacker would think about or use the incoming Webhook, API or direct messages or the Slack Bot reminder system and that’s what was happening. So even though we had a great product. We didn’t have a product fit for the crypto world. So we doubled downed on that for three months because, what happened was, I remember very specifically one night, late at night, I was inside a community that invited me in by the team and I witnessed a number of scams happening live in the channels where people literally were complaining that they just lost all of their life savings. And then I started to get direct messages when they realized that I was in the security world, but Metacert wasn’t installed in there. And, I had conversations with one particular guy in Mexico who just lost $20,000 and it was his entire life savings that he invested in this cryptocurrency.
Paul Walsh: 00:23:18
And I knew then at that minute that I wanted to address this issue because you know, solving the problem for IBM or Sage from a compliance perspective, wasn’t the same as solving the problem for a real individual in real time. And then when they started to install Metacert, I could literally see people say in the channel, ” Oh my word. I was about to click on that link until I saw the alert from Metacert.” And then we knew, “OK, this is definitely going to a bigger problem moving forward as crypto evolves and grows over time.” And we just have to try and solve this issue. And that’s how we got involved in crypto.
Laura Shin: 00:23:55
And so what do these attacks look like? You sort of glossed over this, you said something about like using the Slack Bot reminder and then something about APIs. So what are these attackers doing?
Paul Walsh: 00:24:08
So they would set up, it’s technically impossible for the community administrator or owner to disable the Slack Bot inside Slack. And, an attacker would set up an account and then they would set up a reminder to send a reminder to every single person in the community to say, “Don’t forget about our magic air drop or special offer or whatever it is.” And they would hyperlink the text to a phishing site, which is a website impersonating the cryptocurrency. And then when they logged in, they’re asked for their private key and then they lose all of their crypto assets. And that was happening literally every five minutes.
Laura Shin: 00:24:08
What triggers the Slack Bot reminder?
Paul Walsh: 00:25:00
It takes five seconds. You can go into a Slack community right now and you do like a /Slack Bot reminder, 5 minutes and 10 seconds and put it on repeat and then it’ll send a message to everybody that you’ve directed it to. You’ve said, “Do this in a channel.” Then it’ll send it to the channel and keeps sending it. Or, You could pinpoint specific people by direct message.
Laura Shin: 00:25:24
And the way that they would entice people to click on the links was sort of, like saying, “You’re going to get free money if you do this and you have to do it now.” Or, “There’s this time window before which you won’t be able to get these free coins.” Stuff like that?
Paul Walsh: 00:25:40
Exactly, and one of the things that I say to crypto teams, and I don’t know how much they listen to this, I empathize with the need for marketing a time-sensitive promotion in order to get the momentum going in your project, but it needs to be balanced with the fact that we’re creating this world where we’re encouraging people to quickly click links, log into websites to get the special offer that they need to get now. And they’re not thinking straight. Especially when it’s on a mobile phone. They just happened to, I don’t know why, but people just happened to trust links more than if it’s sent by email on your computer. You’re less likely to believe that if it’s coming from your bank. But when it’s coming from a crypto team, they’re used to them saying, “Get it now.” And so they’re just used to opening links very quickly without thinking. And it’s not dumb people falling for these as a lot of people say. A lot of smart people fall for phishing scams because they could be not thinking about it or whatever the circumstances are. I would never make fun of anybody falling for a phishing scam.
Laura Shin: 00:26:56
I’ve interviewed a few of these people and I agree with you. In fact, they are people who know the rules, but one of them was like, “Oh, I did it on a morning when I was a little bit hung over.” I’m going to discuss more around your customers. Who the scammers are. And also, how you plan to decentralize this solution. But first I’d like to take a quick break to tell the listeners about our fabulous sponsor starting with Preciate.
Today, Preciate is recognizing Jamie Smith for her outstanding leadership as CEO of the Global Blockchain Business Council. During her tenure, which recently concluded with a hand off to Sandra Ro, Jamie was a tireless advocate worldwide to advance the understanding of blockchain technology. We appreciate you, Jamie. Preciate welcomes Unchained listeners to nominate a friend like Jamie to get props on a future episode of Unchained. Just go to preciate.org/recognize. And for those listeners who have been listening to this podcast for a while, you may remember Jamie from a previous episode. She was on the how to explain blockchains and cryptocurrencies to the average person episode. Which was super popular. Anyway, continuing with the ad. Looking for a new job? Preciate is hiring a senior product lead, IOS developers and UX designers. If you believe in design thinking, love the idea of building the most valuable relationships on earth and are located in Dallas or San Francisco, join Preciate. Learn more at preciate.org/careers.
Cryptocurrency is vibrant and exciting, but it’s not without its share of bad actors. Exchanges and personal accounts can get hacked. Computers can be infected with malware. Left unprotected, your digital wealth is up for grabs. Don’t let yourself be a victim. Keepkey is the safest and simplest way to protect your bitcoin, ether litecoin, and other tokenized assets. This hardware wallet is a separate device that you control. Brought to you by the pioneering team at ShapeShift. Keepkey works with the wallet software on your computer to manage your private keys and transactions. Your device is pin protected, which renders it useless even if it falls into the wrong hands. Its large display let’s you carefully view and approve every transaction, and if your Keepkey is ever lost or stolen, you can safely recover your device without compromising its private keys. The bottom line, you’ll sleep easier knowing that your digital wealth is safe and secure. Visit Keepkey.com to order yours today. Works on PC, Mac, Linux and android.
Bitwise is the creator of the world’s first cryptocurrency index fund. The Bitwise HOLD 10. The fund holds the top 10 cryptocurrencies by five year diluted market cap, rebalances monthly and takes care of secure storage and taxes. It’s an easy, secure way for long term investors to get diversified exposure. Bitwise is backed by Khosla Ventures, General Catalysts, Blockchain Capital, Naval Ravikant and several others. They’re a trusted partner to individual investors, wealth managers, family offices, and large institutions who are navigating the crypto space. The fund has several hundred LPs and is currently accepting accredited investors. To learn more about the Bitwise cryptocurrency index fund or download research, visit www.bitwiseinvestments.com/unchained.
Laura Shin: 00:30:14
So let us talk about your customers. Who are they? How many teams are you working with? And, how many everyday users do you have signed up for Metacert?
Paul Walsh: 00:30:28
Within the crypto world specifically, some customers include BigchainDB, Ocean Protocol, Mercury Protocol Coss, Raven Protocol, Enigma, HelloGold. And, quite a lot of communities actually would install our software either for Slack and more recently Telegram. And the number of people that we protect in the crypto community specifically would be over 250,000.
Laura Shin: 00:30:57
Meaning those are people who have downloaded the extension or that’s the number of people across all those communities?
Paul Walsh: 00:31:05
Well, first of all, I would say over 200,000 people across the communities who’ve installed either Slack or the Telegram Bot. The Telegram Bot was released end of March. And after about a week, it’s been installed in at least 15 communities that we know about. And some of those communities would have over 30,000 members.
Laura Shin: 00:31:34
Just so I understand how this works. You are just putting all the sketchy URLs in a database? Isn’t it a little bit more like whack-a-mole where the scammer gets a link out there and somebody may fall victim to it and then you add it to your database and prevent others from falling victim to it. Or can you be more preventative than that?
Paul Walsh: 00:32:00
All of the above actually. Phishing is like playing whack-a-mole. But, going back to it, it’s not just a simple blacklist. We have an extraordinarily advanced threat intelligence system. I’m one of the two people that co-instigated the creation of the W3C standard for URL categorization and the W3C is the standards body for the worldwide web that was started and still run by Tim Berners-Lee. And I did that in 2004, and it became a ratified standard in 2009 and replaced an old standard called “picks” [?], which is still used in part by apple parental controls and internet explorer. So I’ve been working on the whole content labeling, URI categorization since 2004. And that platform, that costs about a million dollars in about two and a half to three years to build and tweak to get it to where it is today, which is why it’s very easy and quick for us to build applications on top, like a Telegram Bot or, a Skype Bot because of the back end technology.
Paul Walsh: 00:33:08
With phishing specifically, we take a feed from nine different open source lists. We put that into our database in machine-readable format and then we add to that all of the suspicious links that are reported and validated by all of the people across all of the communities. And then inside our own Slack, we actually have data scientists from some of the biggest security companies in the world reporting to us on a daily basis. Many dozens of new crypto phishing websites. So there are a number of different ways for us to add specifically phishing websites and fake social media accounts to our database. So that adds a lot of value to the Telegram and Slack Bots.
Paul Walsh: 00:33:56
But that’s why we also encourage people to install cryptonite for their browser because even if we don’t catch the phishing side, then at least if it’s not green, you know that you should go look for more information before you can trust the website or social media account. That’s where we think the future is. It’s not just necessarily creating black lists, but just providing more information about the content and providing better visual indicators. So I would like to see Brave, Chrome, Firefox, Safari and Opera provide a different visual indicator, provide a different icon on the toolbar so that they can read the information from the Metacert protocol or other protocols that are created in the future so that they can actually provide users with more information about the content before they open it.
Laura Shin: 00:34:45
So this would be the perfect segue to finding out how you decentralize. But before we get to that, I’m just so curious to know, have the scams changed? You’ve been working in this for almost a year now. So I’m just curious to know, have the scams changed in any way or is it kind of just the same thing over and over again and just in different applications?
Paul Walsh: 00:35:05
I would say yes and they’re getting a little bit more sophisticated. They move from platform to platform. In 2017, it really was almost like turning off the top for phishing inside Slack because so many communities installed our security app that we just didn’t read about it anymore. And in fact, actually, do you remember when you and I had a conversation you said, “But Paul, I’m not really hearing about too many scams anymore.” And that’s because we were installed in so many communities and then those communities that weren’t installing Metacert, they’d already migrated to a different platform and I predicted back then that the scams would move to whatever platform didn’t have security and low and behold, now we’re seeing more scams on Telegram because nobody had built a bot designed for the crypto world to protect them from phishing.
Laura Shin: 00:35:53
But is there any change other than just moving from platform to platform?
Paul Walsh: 00:35:58
Well, they’re doing that, but then I guess the change is to they’re a little bit more sophisticated. They’re spending more time… As these attacks on crypto get more media attention. As crypto gets more media attention through news about regulation and companies raising large sums of money. Then the cybercriminals spend more time. If they know that there’s a housing estate going up and they don’t yet have alarms installed or they’ve never actually bought a house before, so don’t don’t have to protect them, then the cyber criminals will go directly to that housing estate and attack the houses that have the least amount of security. And, we’re hearing about kidnappings. We’re hearing about blackmail. I think blackmail is going to be a big problem. Where crypto team members or high profile enthusiasts will be targeted through spyware and malware through applications or bots or websites, and then either their video or their sound will be compromised and this all sounds like 007 stuff, but it’s really not. This is stuff that’s happening and will happen more. Their sound or video will be compromised. They’ll be recorded saying or doing things that they’d rather not be recorded about and then they’ll be blackmailed through a cryptocurrency that can’t be tracked. So the attacks are becoming a little bit more sophisticated. The social engineering is on the rise. That’s becoming a little bit more sophisticated and I think, 2018, 2019. It’s just going to get more advanced and more prevalent. It’s going to become exponential as I predicted in 2017.
Laura Shin: 00:37:36
Yeah. Well definitely the physical attacks have been increasing, even if it’s it kind of sporadically. And a lot of it is abroad. Nathaniel Popper wrote an article about that for the New York Times and Mike Belshe and I discussed it in a recent episode. So people should listen to that. But now, let’s get to how you plan to decentralize your network. This is very interesting to me. How will that work? Will users just add to the database and then get paid every time they spot a phishing link or how does that work?
Paul Walsh: 00:38:12
Think if our threat intelligence system as not just a list of phishing sites, but as a WHOIS look up, because we’ve categorized over 10 Billion URIs into between 60 and 65 categories where phishing is one of those. So when we pick that up and put it on the blockchain and we create a smart contract, we’re working in partnership with consensus. So we’re supported by consensus. They’re helping with the token economics and other mechanisms and other areas of the token economy. So imagine a world where through cryptonite or one of the bots or somebody else’s application, you can submit a website or submit information about a website, whether it’s phishing, XXX, sports, religion. If it hasn’t previously been classified, you can submit it and then other people will validate that. And through the reputation score of each of the individuals, the URI will be classified.
Paul Walsh: 00:39:16
So let’s take a eSports website for example. When one person submits that, then it might take two people to validate it or three people to get the consensus and then once it’s validated, each person gets paid in tokens. If it’s something like XXX or phishing or malware or another link that adds a little bit more utility to society then it may require more people to do the validation work. And in the case of phishing it may require one or two experts to actually evaluate and validate the submission. And we just happened to have people who are passionate about different types of data sets and when it comes to submitting and validating XXX, for example, we have a number of parental controls. We have safe browsers for Ipad and Chrome, but we haven’t updated them in many years because we focused on messaging platforms and they have probably about 100,000 active users. And throughout the years, we’ve had parents submit websites to us, but the technology can automatically identify XXX and if it doesn’t identify it automatically then it puts it into review queue. So we have about a million domain names in our review queue. There’s no way Metacert could actually go through that and evaluate what category website each one is. So by putting it out onto the blockchain, everybody can come, pick domain names to validate and then you get that consensus algorithm going on and people get rewarded in tokens.
Laura Shin: 00:40:53
How do you prevent what we’re seeing with these pump and dump groups where maybe I’m a scammer and I create a phishing link and then I get all my buddies who are in on the same scam to then validate it as legitimate on your site and then we all earn tokens from Metacert plus we earn all the tokens that get sent to that phishing link and then I divvy it up amongst everyone. How do you prevent something like that?
Paul Walsh: 00:41:19
Well, first of all, it’s not easy, but let me tell you a story to demonstrate the history that we have and the experience that we have, not just with categorization on the web, but actually human behavior from many different facets. Imagine where we have parental controls where kids are submitting… when you try to access a XXX website using the safe Ipod browser for example. You get a block site saying that you’re not permitted to access that website, but you can report it as a false positive. Imagine the amount of kids that would continuously report the same websites as false positives when clearly they’re not. Clearly they’re trying to unblock websites they’d like to visit, and so as a team we got together and said, “OK, how can we reduce the number of times that our databases opening up these false positives? So he put in some business logic and checking so that if you try to submit a website that was previously validated after it was reported as a false positive, you then get a message to say. “Thank you very much, but we’ve already evaluated this and we really believe it really is pornography.” If you still think it’s a false positive for it or website that shouldn’t be classified, then please open a ticket so you still leave it possible for them to get in touch, but you make it a little bit more difficult. So we’re used to that kind of human behavior. Trying to be a little bit malicious or coy. When it comes to phishing, there are number of different things that I can’t go into detail on, obviously for security reasons, but we do want to open it up and as much as possible so that the community participates in what that validation looks like.
Laura Shin: 00:43:05
Cause it doesn’t sound very decentralized and it sounds like the ultimate kind of backstop will be this centralized service. It’s like just a portion of the process will be decentralized?
Paul Walsh: 00:43:21
No. So if you ask me how do we handle security and privacy, I’ll give you some vague answers. I can’t go into detail obviously for security reasons. So the service is decentralized, the trust and reputation is decentralized, but just parts of the cogs and wheels, you don’t necessarily have to open source every piece of the code to let people understand how the intricacies work. So for example, to answer your question very directly, if you submit a website, the websites that are reviewed by the community are randomized. So you can’t get 10 friends to validate the same link because when they log into their dashboard, they may or may not get the websites that you’ve submitted for evaluation and validation. They may get an entirely different set of URIs to validate and then there will also be the ability for us to record the historical data. So there will be a ledger, an audit trail of who submitted what, who validated what, what is the relationship between submitters and validators. And there will be ways to see patterns.
Laura Shin: 00:44:35
And how will you know the relationships between the first group and then the validators?
Paul Walsh: 00:44:41
The Metadata, not the physical relationship between you and somebody that you might know, but if there’s a pattern where every single link that you submit is validated by a guy called “Chris” and he happens to say that you’re correct in every one of your validations, but other people end up disputing those. Because once something is validated, other people can still dispute those. And that’s where the token comes in. In order for you to submit, validate or dispute, you have to stake some token. You have to put in some skin in the game. And so, you’ve got an added incentive to not try to be malicious because if other people dispute and then their disputes are validated, then you lose that token. But when everybody agrees, then everybody gets paid in token.
Laura Shin: 00:45:33
OK, so the scammer would basically lose money in order to try to make the scam work and then it might sort of defeat the purpose of the scam entirely.
Paul Walsh: 00:45:47
Exactly, and then also, we just happened to have people who are passionate about different data. So one example to demonstrate a point about the data. Imagine a world where advertisers and platforms could use the Metacert protocol to avoid placing ads on fake news websites and undesirable websites while at the same time targeting websites by category type on a granular level. That’s one use case of the Metacert protocol. That’s not one that we’re particularly passionate about, but that’s an application that may or may not be built in the future. The areas of concern that we’re really interested in are the following: protecting people from phishing. We happened to have hundreds of thousands of people who are using products that protect them from phishing. So imagine Metacert with the products, they’re just a customer of the protocol. So Metacert protocol is a new entity that for the purpose of building the Metacert protocol. Metacert with those security products is just one customer.
Paul Walsh: 00:46:55
We will encourage other people to build competing products, other security bots and applications or other applications we haven’t thought about. We just happened to have good use cases to demonstrate how the protocol can be used through applications. And so, we already have people within three days of opening up our own telegram group. We had 3000 people come into the telegram group. All very enthusiastic because they all came from our products. They all came in knowing that, “Oh, if I submit links for phishing, that means I’m going to get paid in Meta token, and then the same phishing links are going to be used to protect me from phishing links. So I’m going to get paid to protect myself and it’s in my best interest not to try and submit bad links because then I’m not going to be protected or I’m going to be blocking myself from innocent websites.” Now copy and paste that to brand protection when it comes to verified accounts and then also parental controls or news reputation. We happen to have products for each of those areas of concern with enough end users and customers to know that there’s a real need to solve those problems and people who will be able to get involved on day one.
Laura Shin: 00:48:11
So I get how I can earn tokens. I don’t know about submitting, but definitely validating. And then how do I spend them? Like, what would I spend these tokens on?
Paul Walsh: 00:48:24
First of all, you’ll be able to unlock or subscribe to Metacert services in a way that wouldn’t have been possible in the past. Also, we’re working in partnership with a number of companies. I can mention one of those. And that’s Rocket Chat. Rocket Chat is the biggest open source messaging platform that’s a competitor to Slack. And they are going to integrate the Metacert protocol. Together, we’re going to build an open source security module so all of their customers get the option to click a button and then get anti-phishing security or security against other malicious links. And they’ve also agreed to adopt our token to incentivize people in their world to submit and validate links, that they care about. And there’s a couple of other platforms that are more abstract than that, that will adopt the protocol and the token, but I can’t mention those at this time. But, we envisage a world where it’s not just people who use tools on top of the protocol built by Metacert but, tools and applications built by other companies that will use the token to incentivize their economy. And, there’s many different ways to use the token within a household if they’re using, whether it’s parental controls or in news credibility software or anti-phishing add on.
Laura Shin: 00:49:51
So basically I can either use it within the system maybe… I don’t know what you mean by parental controls… I still don’t fully understand how I would spend it within the system. I can see earning it and then just converting it to ETH or something, but I don’t understand…
Paul Walsh: 00:50:16
OK, so you’re a parent and you pay $12.99 a month for parental controls. Whether it’s a browser add-on or a DNS service. And, in order to offset the cost of that, you get a choice to pay in tokens, our tokens. And, to offset the cost of that you may want to submit or validate links that are used to improve the software while at the same time reducing or negating the cost of the software. But then maybe, and I’m not sure, you know, maybe you’ll be able to give your kids tokens that they can then use for accessing the web, for certain number of minutes in the day.
Laura Shin: 00:51:00
Now I see. That makes sense. And one other thing I wanted to ask you about is just so I understand. This is going to be a decentralized protocol that is for detecting false links or scammy or phishing links. And different companies can build services on top of that and then charge or have their users earn tokens through that. But, no one company will control this protocol, is that correct?
Paul Walsh: 00:51:34
Yeah, but not just phishing. People will be able to submit and validate information about websites, bots, applications and social media accounts. It’s any web resource. So you may want to submit or validate ownership of a particular Twitter account or a particular Facebook account or LinkedIn or Bot or application and that goes into one big database. So it’s not necessarily just phishing or pornography or other categories. It’s basically a big WHOIS database with more information than what you would get in the WHOIS database and information that’s validated. Or an IMDB for the web. Where you can find out information about the website owner. The social media account owner. Is this suitable for children? Is this suitable for mobile phones? Is it phishing? And then, other companies, you could be an ISP, a public wifi hotspot provider, a router, a browser company. You would want to use that Metacert protocol in order to be able to protect people or highlight information on the web when people use your products and services.
Laura Shin: 00:52:48
This is pretty all encompassing. One other thing I just realized is it sounds like this can also be used for what we’re currently seeing in the crypto space which is that a lot of the social media accounts for various, I guess crypto personalities are being imitated. And then, they’re popping up and saying, “If you send me 0.1 ETH you will get back a full ETH.” Things like that. It sounds like this would be useful for that as well.
Paul Walsh: 00:53:21
It would be very useful for that. I mean, Civic is working on a verification of identity. For me, identity is something new. When we’re moving everything to the blockchain. We’re not just copying and pasting what we’ve learned in the past. We’re actually asking ourselves, “If we were to invent what it means to get a green shield for a website or social media account, what does that actually mean?” And actually the answer to that question has been opened up to the community. We will create the baseline, but the community will answer it. For example, a Twitter account. You don’t necessarily want to prove you really are Laura Shin by demonstrating evidence by way of your passport or your license, your driver’s license. In fact, you may not even hold either of those credentials. You may actually want to have an alias. So we have a great guy on our team who just joined our administrators. His name is Virtual Growth and nobody on the team and nobody in the crypto world actually knows his real name. He is just known as Virtual Growth.
Laura Shin: 00:53:21
I just hope that is not his real name. [laughing]
Paul Walsh: 00:54:31
Yeah, that would be funny. So, he shouldn’t have to prove his real name. So identity is more about personas. You may trust a particular Twitter account that you’ve been following for a considerable period of time talking about crypto without actually knowing who the identity of the person that is. They may be linked to a GitHub account or some other type of account. Maybe you want additional information. But the verified symbol may just mean, in some instances, you’re just not going to be scammed. It doesn’t mean it’s a legitimate token or a legitimate whatever. It just means that they’re not going to scam you. It really is what they say it is. You know, if they tell you they’re going to scam you and then you can verify that. Metacert doesn’t have an opinion about what’s good or bad on the Internet. We simply open it up to the community to classify the entire of the worldwide web and then other companies can do what they want with that information. Not everybody thinks pornography is bad or should be excluded. Some people may want to look for that information. So it’s not for us to decide and when it comes to decentralization. I am so excited by the fact that Metacert and other security companies can be removed from the equation of trust. Because why should you trust Metacert to verify all the crypto exchanges and wallets, aside from the fact that we couldn’t possibly scale it globally. We need help from the community. But, why not have a Metacert protocol that actually is owned by the people so that if Metacert was attacked and brought down or whatever happened, then you still have that network. You still have that self contained economy of people who just constantly submit, validate, dispute links that have a lifespan of maybe six or 12 months. And then people evaluate it again. And it’s constantly evolving and constantly growing.
Paul Walsh: 00:56:39
Now the database itself can’t be decentralized because we don’t have a technology. We don’t have a block chain solution that could give the performance that’s needed. But, we’re talking with a number of companies like Ocean Protocol, for example, who are working on that decentralized marketplace of data. So we do want to decentralize as much as possible. I think it’s really important to demonstrate intent. So I’ve contributed to 8 technical specifications at the W3C. I mentioned my URL categorization background. I’m also one of the 7 original founders of the mobile web initiative at the W3C and I was the first person ever to rewrite Tim Berners-Lee’s vision of the one web whilst we were drafting the first Best Practices Charter for the mobile web initiative. And, my COO in Hayward, he was one of the first 25 contributors to the Mozilla Foundation and started and fostered the growth of the entire Mozilla evangelists community, which contributed to the success of Firefox. So we really care about open source and open standards and an open web and decentralization. We will open source the products owned by Metacert when we get the time and effort, the time and resource to do so. And we will decentralize as much as we technically, possibly can.
Laura Shin: 00:58:01
Great. So we’re running out of time, but I actually want to ask you just a few more questions. One is, do you have any sense of who the scammers are?
Paul Walsh: 00:58:08
We see a lot of attacks coming in from Ukraine, China and Romania, but we don’t really know who they are. They could be anybody because, I gave a talk at a blockchain conference in LA last year and one of my main points was don’t use your phone number as a password backup and recovery mechanism, otherwise known as we’ve discussed as two factor authentication. And an hour after that my own phone number was compromised. I got a text message from T-mobile. I can’t wait to give a talk at the same conference in San Francisco this week because it’s going to be a screenshot of what happened the night after my last talk, which is mine was compromised. Everybody can be hacked. The good thing is I don’t have core access to anything meaningful. So I knew I would be a target so I don’t have access to anything that would compromise Metacert or any customer data because I don’t have root access to anything. And I knew that would happen. So it’s easier to attack than it is to defend.
Laura Shin: 00:59:10
And when do you plan to launch your decentralized network?
Paul Walsh: 00:59:14
We plan to have a basic token functionality working on a test net by mid to late April. And so, we would be able to distribute tokens to all of the end users of the products that sit on the protocol. So for example, Cryptonite, the browser extension I told you about. Each user is going to get 360 tokens, which will then effectively allow them to use that software for free for another year.
Laura Shin: 00:59:44
OK. So you plan to do some air drop strategy?
Paul Walsh: 00:59:48
That’s right. It will be possible. It will have a small wallet built into the extension, not big enough to hold a lot of tokens for security purposes. And so they’ll be able to unlock those tokens as soon as they’re available. And we will be selling tokens privately around end of April and publicly about six to eight weeks after that.
Laura Shin: 01:00:10
OK. And it sounds like you’re offering them as a security, when you say privately?
Paul Walsh: 01:00:17
No, there’s a private sale to big participants. So there’s no discount or bonus for purchasing the tokens for future use within the network. So you will be able to buy the tokens privately, but you have to buy a certain amount and then you assert how you’re going to use the service in the future. So it’s not a security token. It absolutely is a utility token. We’re doing a number of things to demonstrate best practices within the industry for the longevity of the project. So, the first one I mentioned was no bonuses or discounts for people who want to purchase the tokens privately. The tokens will already be in use by then as well to demonstrate that there is real utility for the tokens and real demand for the token. The team will have a 75% lock up. So after the platform is live, 75% of Metacert’s tokens will be vested monthly over a three year period.
Laura Shin: 01:01:21
And this is maybe the most important question for the listeners. What are your tips for users so they don’t fall victim to any of these crypto scams?
Paul Walsh: 01:01:33
Install 1password. There are other applications that are great. If you’re using one that’s brilliant, but just install 1password if you’re not. Use that to automatically generate very long, difficult passwords, it’s a fantastic solution. Remove your phone number as a backup and recovery to passwords. Call your cell network provider and ask them to put a double opt-in to changing the Sim card, which reduces the risk of that happening. If you’re a crypto team, take the time and the money and resource to hire security personnel instead of just community managers, sales and marketing people when you’ve got the funding. Security is very important. Not just for your own team, but for the purpose of protecting your communities. Install all of our free software, particularly for Telegram and Slack. And just be mindful that it’s not 007 scenarios. Don’t leave your computer on the table at Starbucks and ask the person next to you to look after it while, you go to the bathroom. They could be sitting there because they’re spying on you because they know that you’re a high profile target within the crypto world. The higher the profile you are in the industry, the more of a target you will become and they will go to any degree to access and compromise yourself or your company or your family. I’m constantly getting password email saying my password’s attempted changes on Facebook and other social media accounts. So everybody’s a target and just be mindful of that.
Laura Shin: 01:03:08
Great. It’s been so wonderful having you on the show. Where can people learn more about you and Metacert?
Paul Walsh: 01:03:19
Go to metacertprotocol.com for the project. Metacert.com is the seperate company if you want to install one of those apps. And, come join the Telegram group, which is where all of the conversations happening, which is t.me/metacert
Laura Shin: 01:03:34
Thank you so much for coming on Unchained.
Paul Walsh: 01:03:37
It was a pleasure. Thank you so much, Laura.
Laura Shin: 01:03:39
Thanks so much for joining us today. To learn more about Paul, check out the show notes inside your podcast episode. New episodes of Unchained come out every Tuesday. If you haven’t already, rate, review and subscribe on Apple podcasts. If you like this episode, share it with your friends on Facebook, Twitter, or LinkedIn. Unchained is produced by me, Laura Shin. With help from Elaine Zelby, Fractal Recordings, Jennie Josephson and Daniel Nuss. Thanks for listening.