VIDEO TRANSCRIPTION
No description has been generated for this video.
Well, hello and welcome to the panel on self-custody. Today we're going to take this panel to a bit more technical approach. But before we dive into the technical details and the tools, we can't overlap our main question, why self-custody when today we have so many other tools? Kevin? Why self-custody? All right. That's a tough one to start with. No, but basically Bitcoin, to me at least, is an asset that you're supposed to hold yourself. It's equivalent to cash. It's not equivalent to some kind of, you know, bank account money or whatever like this. So it's not something you should want to give someone else to hold for you, to custody for you.
So as simple as that, in my opinion, you should do self-custody and that's it, because that's the way the asset is designed and that's how it should work. Simple answer, I guess, but that's how I see it. I'd also point out self-custody enables all of the amazing things that make Bitcoin the extraordinary tool for financial freedom that it is. So if you want to hold your money in a way that makes it extremely difficult for. . . an adversary or a government to take it from you, that begins with self-custody and holding your private keys. If you want to be able to send any amount of money to whomever you want, whenever you want, that also starts with self-custody.
If you would like to use Bitcoin in a more privacy-preserving way, where you take more control over your UTXOs and try to maintain your privacy, that also begins with self-custody. In general, I believe self-custody also keeps a check on platforms that custody Bitcoin on behalf of others in terms of maintaining Bitcoin's scarcity value proposition. So if we have too much Bitcoin in the hands of third-party custodians, I think there's an increased likelihood that they'll play rehypothecation games, and that diminishes the value proposition of Bitcoin's scarcity, I think. Yeah, I totally agree with that.
Now, after we just tell the audience why it's so important to hold your coins by yourself, let's start to talk what a person should do, a non-tech person should do to start, actually to start. What are the steps? You know, we always talk around it, but let's give some pointers for the audience to learn about. What is the first step for a person to start self-custody? So I would say custody and security, people should view it as a process, not as a destination. So the very first step in terms of self-custody is downloading some sort of self-custody wallet on your mobile phone. It's going to be a hot wallet where the keys reside on your phone.
And just create the wallet, write down your seed words, and withdraw some small amount of Bitcoin to that wallet. Then, of course, it's great practice to delete the wallet and make sure that you can recover it using your seed words just to give yourself more confidence and to confirm that if something happens to that device that you can still have access to your funds. And then beyond that, we can get into. . . cold storage and hardware wallets and multi-sig and other approaches. But really, that first step is just taking control of your private keys and experiencing what that feels like. Aled, Kevin. Absolutely. Yeah, great answer.
And I really think it's important to show to people that if you like Google or go on Twitter and try to figure out what's the best tool for self-custody out there. There is no such thing as like the best. And no matter what kind of answers you will get, it's usually overkill for like most people. And so if you are just a normal user that's just starting into Bitcoin, you probably don't need to start with a crazy large multi-sig geo-distributed keys if it's to put like a few hundred bucks on it. So there is also this like part of this journey is also just acceptance.
in the fact that if you consider Bitcoin as cash, right? just a bunch of cash money, you wouldn't put all of your saving in cash in your pocket. You would separate some for your daily spending in your pockets, in your wallet. And of course, your savings would be in a safe somewhere in a much more secure location. So you don't want to have the hardcore security that's also going to be a pain in your ass to spend when. . .
Maybe for spending, you just need a hundred bucks to go buy beer here at the event or buy a hardware wallet or buy some things or some things online that you can have probably in a hot wallet on your phone. It's just an app. You download it, you know, write down the 12, 24 words on a piece of paper and that's it. You know, it's kind of OK, even if you lose it, kind of like you would be kind of OK to lose your wallet that you have in your pocket right now. It's not your life savings. Right. And then, of course, for your life savings, don't keep them on your phone. Just use a more secure approach. So, yeah, it's really the journey thing.
And to start, it's extremely simple. Self-custody is not difficult. But then, of course, the more secure you want to go, the more learning and the more efforts you will need to put. But that's not necessary to start. Okay. So my next question is, let's talk about. . . the risks and the attack vectors and give some to-dos and not to-dos for the novice user, right? Like, for example, I've seen cases that people just wrote their mnemonic, they saved them in Gmail. Of course, it was gone after a few days. And usually people just, they do mistakes, but. . .
the mistakes are usually they think just don't lose the backup code but there's a lot of other mistakes so can you please expand a bit about the attack vectors the huge mistake like fishing like you know don't put it online and etc yeah absolutely um let me let me start with this one uh there is a lot of mistakes that people can make um You just have to kind of think of what you're doing. But it's not difficult. But it's just a little bit of common sense, I would say. But then, yes, there is new things, right? These 12 words or 24 words backup, people have never seen that before outside of Bitcoin. So, yeah, maybe they want to take a picture of it.
Maybe they want to type it on the computer. Then, yeah, that they should not. Never put your backup.
on an electronic device basically it's like keep it on paper or keep it on a metal sheet or something but don't type it on a computer that's connected to the internet so probably that's the main risk out there for beginners if they put their seed their mnemonic online yeah the phones are going to be gone but then you have so many other things that i'm sure like more than 50 in the room are already you know falling into one of them is that you might buy a super secure hardware wallet, even maybe do a multi-sig of multiple hardware wallets of multiple brands. And then your pin code is your birthday.
You know, you need to be secure on the whole thing. And a pin code, we've been using pin codes forever. And most of the things we use the pin code for is not that critical. We've never had something as critical to keep as our Bitcoin. So for sure, the pin code to unlock your phone. is not the same thing as the pin code for your hardware wallet. And for many of you, it probably is, because it's annoying to memorize multiple pin codes. But again, probably spying you when you type your pin code on your phone every day is very easy. There is cameras everywhere. Maybe it's a very simple pin code.
And again, having the best hardware security and the best backups in volts around the world, but you just use a normal pin code. you're not going to be resilient against anything or everything. Storing your mnemonic is another one. So this piece of paper with the 12 or 24 words, if you just leave it on your bedside table at home and everyone knows you use Bitcoin because you're on Twitter talking about it, you're not going to keep your coins very long. If anyone breaks into your house, they'll get access to your coins. So again, a lot of common sense there, but it's not that obvious. because we've never had something like Bitcoin before, I guess.
Yeah, I'd add the fundamental question of cold storage is, can you keep a secret? It's a very simple question. Can you keep a secret? We have problems with all verbiage in Bitcoin because we call it a private key when actually, to be accurate, we should call it a secret key. Because we want that secret to be something that is a unique little bit of information that is only known to you and that is not predictable or reproducible or known to anyone else. And that little bit of secret information, the game is to make sure that no one else finds that out or that's not disclosed to anyone else.
So there are some basic ground rules like you never would store that on any sort of device that connects to the Internet. As Kevin mentioned, you don't take photographs of that. If you write down the seed words, which are really the seed words are really just a human understandable version of that little bit of private key data. If you write those seed words down, a common mistake that a lot of people will make not understanding what those seed words represent is they will store the little card that comes with your hardware wallet that you've written your seed words down right with the hardware wallet. So this.
sophisticated device that is designed to provide a certain level of access control to keep your private key secret, they'll keep literally the keys right next to it. And that's a very common mistake that if someone enters your home or acquires that packet where you keep your hardware wallet, they have what they need. So I think the challenge is really understanding and people understanding because as you know, this is something that we've never had before. the need to keep a secret that protects our wealth. So it's going to take us a while to develop best practices and even to just communicate those best practices to people because the risks aren't always fully apparent to them.
And it's not, information security is not necessarily most people's intuitive tool set. Yeah, well, yeah, I totally agree. And just want to add that there's. . . Also, some kind of special attack vectors, like, for example, the thing that we see in the hack in Electrum, if you remember that, when the update brought a malicious version of the software. So I think people should also be aware of updates. Do not update if you understand what you are doing. And the other thing, always check your address. Again and again and again, we've seen OGs that lost a lot of money just because, you know, sometimes when you do use Bitcoin a lot, you stop being careful. So it's always crucial to check on your hardwood wallet the address that you're sending to.
And that brings me to the next question. To you, Sitzainer, how can we defend ourselves from supply chain attacks? Because, you know, it's like when we work with multisigs. It's recommended to work with different products. But when you work, you know, just starting and, for example, in your product, how do we know where to order the stuff from, for example? Right. The supply chain issue is a very real and challenging issue. And really the only fail-safe way of avoiding a supply chain issue. is really multi-sig and incorporating a variety of different devices into a multi-sig quorum. So when you set up multi-sig, you might choose a Trezor or a Ledger or a cold card, and you incorporate those into your setup.
I would also posit that projects similar to the one that I'm working on with SeedSigner presents a unique opportunity to incorporate a Bitcoin security tool into your multi-sig. quorum that has a little bit different threat model, and that might be able to sidestep some of the supply chain attack vectors. But it's also, it introduces new challenges, because if someone's going to use a DIY device like SeedSigner or like a Spectre DIY or like a Crux device, it requires them to take on a little bit more personal responsibility to understand how to use that device to understand the high importance of verifying the software that you load onto the device. So it's tradeoffs all the way down.
Hardware wallet companies deliver value to users by letting users offload some of the learning curve, but users are also placing trust in the supply chain, in that company, not to make any critical errors. in the documentation that the company provides and other things like that. To get back to your original question, incorporating an array of different devices with different security models, I think, helps us sidestep some of the supply chain risks. Yeah. Okay. My next question will be, I really want to be practical today. So the audience will take something.
So what would you recommend the best way to back up your mnemonic code? You know, we always say to the novice, okay, save it, don't save it on your computer, but they don't know, okay, how to save it? How to split it? Will I go Shamir backup? Maybe I will add passphrase. Do I need to split them? Not in my home. Three copies on still plate. So, Kevin, would you like to take that? Yeah. That's a very tough one, and I think it's very much personal as well. So I'm not sure we are going to agree on this one, actually. So what's the best way to back up your mnemonic? In security, you always try to avoid complexity for many reasons. But the main one is that the user makes mistakes.
And one thing you really want your mnemonic to be is. . . to be there for you to recover your own money if your hardware wallet fail or if your software wallet if it was a hotkey fails so you have to choose your priorities quite with quite a bit of importance like is it to be protected against theft or is it to be protected against loss and your mnemonic your backup the first job of it is really the protection against loss because otherwise you don't get a backup But at the same time, you don't want any random person finding this backup to be emptying your wallet.
So this is why there is other way to keep it instead of just writing down your 12 or 24 words like the ledger or whatever hardware or software wallet is going to give you. Instead of just copying that, you could use what we call a passphrase. A passphrase is basically like a password kind of thing that you put on top of it. And that's basically. . .
changing the well you still have 12 24 words but you need the passphrase as well to be able to access the funds right that's cool but where are you going to back up this passphrase you should back up this passphrase because otherwise you might forget it etc another issue is that when we are talking to the normal average person and we ask them to choose a passphrase they are going to choose something extremely simple So they're actually going to have a false sense of security that, you know, oh, I have a passphrase, nobody can steal my coins, but they are going to pick the name of their dog, right? And this is a problem again, because this is very easy to brute force.
So it's actually probably worse, because the person would think that their mnemonic is now secure when anyone getting access to that could easily break it. Shamir, secret sharing scheme, SSSS.
is another scheme that lets you kind of split your mnemonic into multiple shards and you would safe keep these shards in different places again this different places is an issue because the average user doesn't have multiple secure place where they can store their secret and so you always have things or they might do a mistake when doing the process etc etc short answer just back up your mnemonic clear text 12 24 words no passphrase no shamir if you are a beginner that's the way i would go and keep it somewhere secure in the safe maybe even in a safe in the bank i don't know try to find one that doesn't have kyc so it's not associated to your name that's like the simple option i'm also just going to take another 10 seconds to shield my product so i'm working on a wallet called liana and we actually solved this issue by actually letting you add a time dimension on top of this.
So you could make that your backup mnemonic can only be accessed if you stop using your wallet for a year. So if anyone finds these 12 or 24 words, the key is not valid as long as you keep using your hardware wallet, for example. And so you have time to detect that somebody got access to it and then rotate your funds. And if you lose your hardware, well, then you have to wait one year and you can recover your funds from your mnemonic.
so that's called liana it's a new thing on bitcoin uh it's another way of doing the the things you were talking about like passphrase or shamir now you can just have a clear text that becomes valid but only in the future I would also add, when people think about security and safeguarding their private keys, a lot of times it conjures up an image of an evil maid or a burglar sneaking into their house. When really a big part of self-custody is protecting our Bitcoin from ourselves, from us doing stupid things or us doing emotional things or us just making errors because we don't entirely understand the tools that we're working with. I think that's an important factor.
It requires some education, but I think it's also very important with cold storage to know yourself and know what is going to help you sleep at night. If you lay down and right before you drift off to sleep, you have anxiety about your cold storage setup being too complex. And what if I had to reconstitute my wallet? from just my seed phrases or from a wallet backup. If you're not comfortable doing that, it might be time to dial back your setup and make it a little simpler.
Or if you really have real concerns about what if someone sneaks into my house tonight and runs off with my private key, then what's going to help you sleep at night is some sort of Shamir's secret sharing setup, or my opinion, even better, a multi-stick setup. But I say, know thyself.
as a part of your cold storage journey and know what is uh what what makes you worry and what your concerns are yeah well well i think that there's a balance between you know saving your money is so good that you will not able to to get it when when you want it let's say you need to run away for your life you know and then you need to to travel for three locations to to get your backups and if it's multi-sig it's even more complicated because you know we used to say do it in multiple backups now you have to multiple pick up each wallet and you need to save the description the x-fab and stuff like that so that that's bringing me to another question which is not so technical do you see any restrictions on self-custody in the future from the government? Do you think we're going to see that? I might pass this one off.
So secret about myself, I'm American. That's probably obvious from my voice. And I would anticipate possibly seeing restrictions around self-custody in Europe before America. So that's why, at least initially, I'll pass this off to Kevin, because I think he might have some interesting perspectives on that. Okay, I don't know. I think like basically restrictions on self-custody, depending on what you mean by that, right? If it's like forbidden to do self-custody, then it's pretty much Bitcoin is forbidden, right? If it's about putting restrictions in the sense of identifying users when they withdraw from an exchange, for example, these kind of regulations are already pretty much in place. So you might have to basically sign an address when you want to withdraw money from an exchange.
That's like to prove you control the withdrawal address as well. That's a form of KYC, right? You are basically extending the KYC from the exchange to your personal address. And then people can try to track these funds, etc. So let's say it already exists in part. And then if we're trying to talk about complete ban, I would say I don't mind because you cannot ban Bitcoin. You can ban it legally, right? But you can ban a lot of things that doesn't make them disappear. You cannot uninvent Bitcoin. So people, some people are still going to use it. Everyone in the room, I don't know if you are all in Bitcoin for the same reasons. Probably not.
The reason why I'm into Bitcoin and I think Sitzhiner as well, it's for freedom. So it's very politically oriented in the sense that we don't want someone else to take control of our finance. We want to be in control. But of course, I suppose a lot of you in the room are here for the number go up. And obviously, you could just buy stocks like Nvidia stocks or something instead of Bitcoin. And of course, if Bitcoin become illegal. . . Some of you might just be like, OK, I'm out of that and I'm going to buy stocks instead. And that's perfectly fair, right? Everyone use Bitcoin for their own for their own game.
But for the people like us, I mean, if it's illegal, sure, I'm officially going to stop using it. But you have no way to prove that. We're going to see a lot of botox events, right? It's going to be. . . So that brings me to another thought. What if I like to move on with my funds? What is the best way to take my funds away with me while I'm running for my life? Let's say I'm a refugee for a war zone and I can't take anything with me. What would be your advice for that? I think it's important to realize that that is a very unique temporary cold storage situation.
So you have different considerations that may require bending the rules with regard to some of the norms when it comes to cold storage. Kevin mentioned, like, say if you use a passphrase, if you use that long term, who knows when you're going to fall and bump your head or if you might have some sort of. you know, aneurysm or some sort of medical condition that might impact your ability to remember that passphrase. So in normal circumstances, remembering a passphrase is something that could be a challenge. But in these kind of extreme circumstances where you're forced to leave a location or something, suddenly you become a refugee.
The beautiful thing about Bitcoin is those 12 words via mnemonic tools and clever ways to remember them. They can live in your head. Now, most people will probably want to write them in the pages of a book in a very secret way that only they will remember and recognize. And most people aren't going to be challenged too strongly if they're going through a checkpoint or a secure area and they're carrying a book with them. But if I was personally forced to leave with my savings and travel a significant distance through unknown circumstances, I would probably do both. I would have the seed words hidden.
on my person somewhere or in some sort of clever way in a book. And I would additionally attempt to memorize them for sure, just in case something happens and that item is taken from you or something similar. It's unique. And that's one of the powers of Bitcoin is this being able to transplant your wealth through time and space to a very different location when you need to. Yeah, I agree. It also depends on the risk. So if you're trying to flee a place and like your risk is just like, oh, I don't want to lose my coin. I want them to arrive with me at destination.
And maybe there will be like, I don't know, border control or things like that going through my stuff. Maybe even just a passphrase is enough, right? As long as you don't write it down in that case. If the risk is much bigger, like you're trying to flee a country with capital control. and you're pretty much known and moving is going to be really difficult with anything on you. Yeah, memorizing the seed phrases, you can try that. You can also potentially use a trusted third party for this very short amount of time of your travel. Trusted third parties, we don't want to use them as banks, but that doesn't mean you can't trust them in a very short amount of time.
I mean, you shouldn't, but you can. It's a possibility. Okay. Let's go. We're just running out of time. I just want to do to our last question. You're the future of self-custody for your opinion. Two things that you see that's coming real briefly. I think it's the element of time and self-custody, which is very relevant to what Kevin's working on. I think it's spend conditions that change over time that help provide backstops so that people ultimately have less risk of losing their money. Yeah, absolutely. So this kind of stuff, everything related to time locks for changing condition over times. Things like MuSIG and Frost are going to also help.
It's a technical thing, but hiding multi-sig into something that looks like a single-sig. So it's very useful in terms of privacy. So a lot of privacy things are going to help. And yeah, I guess that's it. Okay. Thank you, guys. Thank you very much. Welcome back, everybody. We are here at the Bitcoin Magazine news desk, and I am joined by Shinobi, the technical and opinion editor at Bitcoin Magazine, and Alex McShane, director of programming for this very conference, Bitcoin Amsterdam 2024. Alex, we just heard a panel on the importance of self-custody.
Is the average person going to take self-custody of their Bitcoin in a hyper-Bitcoinized world, or just as we move forward? I would love to see it, but I think we're going to need to do a lot of work on abstracting away some of the more complicated concepts of Bitcoin. Because right now, the proof of work required to do this safely is pretty large. Not to discourage anyone from doing it. I think everyone should take a shot. There's no one-size-fits-all, so find a solution that works for you. But we're going to have to see some development on that space to simplify things. Appreciate that. Shinobi, we're going to come back to you with that afterwards.
We do have to actually kick it back to the main stage. We're going live again. We're coming to you here from the news desk. We'll be back right after this. I know that you're here to speak to me, but I know you're here to talk to me. I don't think I can talk to you like I would if you were here. I'm not here to talk to you. I'm here to talk to .