Web3 Social Club Vol. 2: Running Naked in Web3? A Discussion on How to Protect User’s Privacy & Assets
Recently, a mysterious Twitter user claimed to have information that would expose shocking crimes within crypto, including data on discussions of financial fraud, racist talk, scams, and other scandals, allegedly obtained through security loopholes in Telegram. While the allegation turned out to be false in the end, it sparked a broader discussion on Web3 cyber security.
On June 14th, 2022, Mask Network together with SlowMist co-hosted a Twitter Space (Web3 Social Club Vol. 2) and invited founders, co-founders, and team members from leading Web3 projects and top safety projects to discuss their reactions to the implications of the alleged Telegram security loopholes, the security concerns in Web3 communities, alternatives, and what projects and users can do to make Web3 social & communications more secure.
Web3 Social Club is a Twitter Space series by Mask Network where Web3 projects and builders gather and exchange ideas on building cutting-edge social networks and infrastructures.
Speakers invited include:
- Jing from SlowMist (@SlowMist_Team)
- Darren from Project Galaxy (@ProjectGalaxyHQ)
- Turan from Go+ Security (@GoplusSecurity)
- Luke from SwapChat (@SwapChatNFT)
- Anjali Young from Collab.Land (@Collab_Land_)
- James Young from Collab.Land (@Collab_Land_)
For anyone who missed it, we compiled this recap for you to read through. Please note only some dialogues were selected and the text has been edited for length and clarity reasons.
Feel free to listen to the full dialogue here or on YouTube.
Please make sure you check out Blockchain Dark Forest Self-Guard Handbook by SlowMist on how to master the security of your cryptocurrency.
- The Telegram news gives people an opportunity to step back, take a breath, and assess how far they have gone in protecting their crypto assets and their social safety.
- Projects and teams have taken various actions on the product side and on the developer side to protect users, and raising awareness should always remain a priority.
- Advice to Web3 users: 1. Don’t click on any links unless you can verify the source and safety of the website. 2. There are lots of fake Discord servers, Discord admin impersonators, and Telegram bots out there. Don’t trust, verify. 3. Use different wallets for different purposes to reduce the risk of losing all of your valuables in one attack.
- Decentralized digital identities (DIDs) are on the rise and can help people build a credible database while preserving users’ privacy and empowering ownership of their digital footprints.
Selected Parts of the Transcript
Q1: What are your thoughts on the Telegram news drop?
SlowMist (Jian): Only time will tell. It’s kind of like a witch hunt because it doesn’t look good for any company to be publicly called out like that. Especially one that has such a big presence. And then nobody knows if it’s actually true or not. We shouldn’t assume anything right now.
Go+ (Turan): It’s a good chance for everyone to actually look into the tools that they’re using and to see how secure they are. With everything that Telegram has been saying in there, it’s like what else would they say. They’re going to say we’re hyper encrypted. You can go and look at their own documentation that’s open on their website for anyone to read. It’s one thing to look at the PR campaign and another thing to look at their actual documentation and see what the discrepancies are here.
SwapChat (Luke): It’s actually way more possible than people think. We’re making a messaging protocol. We’re really aware of how hard it is to build certain different functionalities and features into the protocol. The truth is, group messages are actually very unsafe today. In terms of the social experience, ideally, you’d want to be able to moderate who comes in and who comes out. But in practice, it’s actually really hard to do these things, especially if it’s a decentralized or a federated messaging protocol.
There’s a good ton of work around making the end-to-end communications very secure. But group messages and chat rooms are actually still very unsafe. But Signal is probably the best solution out there today since SwapChat is not launching yet. I can’t say for sure, but do be careful, group chats are not very good today.
Project Galaxy (Darren): If you study, Telegram mentioned that all the messages are encrypted. It is fair to mention that the messages are only encrypted while in transit from a particular device to Telegram servers, right? Once your data arrives on Telegram servers, it is decrypted and could be seen by Telegram, although they are an end-to-end encryption tool.
I don’t think that it is automatically being used on messages sent in Telegram. It is only feasible when you’re using secret chat. I would agree that it’s not as secure as privacy-focused tools such as Signal.
Collab.Land (Anjali): That’s the same thought I had, which is this is someone with zero Twitter followers. We’re entering a bear market. There is a lot of fear and fud already. We’re not getting any evidence right now but just a claim. And I think that was enough to get it kind of going. It would have been nice if we got a little teaser at least to validate the claim. But all we got was the link and I hope nobody clicks on it. Let’s save that.
Go+ (Turan): Thanks for bringing up the link security, Anjali. Not long ago, there was a vulnerability found in Discord. If you clicked a link, you could access the Discord and whatever is sensitive in there. What if this was completely fake, but then because everyone clicks on this link, it gets compromised? All of a sudden, it’s a self-fulfilling prophecy, or has the potential to be.
SwapChat (Luke): It’s kind of the right kind of bullshit on the right side. People are mad at crypto right now. Six months ago, everyone was like, “let’s go with Luna to the moon”. And now they are like fuck crypto. I kind of doubt if he can actually get the messages of the widespread insiders without having been in as an insider himself. I do think it’s actually possible that he could have been dropping in on groups that he used to be in. This is actually a very common plugin list in group chats.
Now, you can actually just tweak certain amounts of code, and drop in the groups that you used to be in. Certain messaging protocols allow you to subscribe to messages from groups. That might be a possible way. He could have gotten certain messages. I’m kind of agreeing that it’s kind of the right sentiment right now. Maybe half of it is fake, let’s hope it is because we’re all using Telegram.
Q2: What kind of security concerns have you seen, and what are some of the measures you’ve taken on the Discord side to enhance users’ security?
Collab.Land (Anjali): When Collab.Land first started we were using DMs. I know that sounds crazy right now, but we were using DMs to interact with each member that wanted to verify. We first got one initial response into our support tickets like these bots were not working.
Then we moved from the DM flow into a button flow. Now Collab.Land creates a channel in your Discord server. With that button that’s only visible to people who are joining the channel, they can click it and it goes to a specific Collab.Land flow.
Another one was with message signing. Message signing started becoming something that people were afraid to do. With bad links, some organizations were having some impersonation happening with message signing. We limited our message signing to only the first time when you add a wallet.
Other than that, we’ve added transaction ID, server ID, Discord user ID. When you do sign the message, it must match the message that you see in our Collab.Land created channels. But all of that is irrelevant if people are brand new to crypto and join a fake server.
That’s why Spaces like this are so incredibly important. Because we can all keep adding security features but scammers are still going to be able to impersonate with whatever they want. If this education is done properly, people can actually benefit from it.
Collab.Land (James): To be fair, Discord was never meant to be initially, when it was written, a banking App. We work with their trust safety team and their API team actually quite often.
I think for them it’s kind of a balance between having to serve their gamer community and I think that’s what has given them at least a leg up. When it comes to what chat looks like in the Byzantine environment, when it comes to security, new users come in. They can go to fake servers that lead to a fake MetaMask.
It does come down to user education. Ultimately there will be products to serve the Web3 native interests. Scammers are creative. It’s hard to anticipate all attack vectors.
SwapChat (Luke): It’s really hard to make things secure. Discord links are pretty secure, to be honest. The link itself is secure, but it’s not secure when users use it. It’s about raising awareness.
Q3 (Go+): Follow-up questions to Collab.Land: why would Discord not be up to snuff to host these kinds of communities? Why should there be a technical difference between the two?
Second, you also mentioned the Byzantine environment, and I’d love to hear you elaborate on that more as well.
Collab.Land (James): To answer your first question, think about it from a product perspective. It’s little cues where you can see a bot has been verified and how pronounced is that like verification or how obvious is it to a user. You have to look for what you’re looking for in Discord.
It really is just a product flow perspective in terms of queuing the user from a UI and UX perspective and how you package the product up to help prevent these attacks. There are trust assumptions that happen in Discord. The Discord is like they’re all your friends and you can trust them.
And this goes into this Byzantine environment aspect. Even though you’re on a Discord server, you have to be careful about who you interact with. So I think from a product side of Discord’s assumption as I read into their product as a user, once you’re on a server you’re going to trust everyone on the server. We’re in a Byzantine environment, you don’t automatically trust someone you don’t know. And it’s kind of hostile as a smart contract developer.
Creating a smart contract works well in the happy path but doesn’t work if people are trying to attack it. And it doesn’t work even if I go rogue as an adversarial owner of the contract.
There is this zero-trust environment where you need to not just trust someone just because you’re in the same Discord server, but you have zero trust with everyone and you accumulate this trust over time whether it’s a track record.
The work that Mask is doing with Next.ID is the way out here. We’re seeing that happening at scale on the Internet as well as Microsoft and Azure adopting verifiable credentials. I think we’re going to be able to solve this with cryptography, but it’s not just the lower level. When it comes to the user experience, that’s going to happen over time. We’ll be able to understand this as second nature. That’s where the learning is right now.
Collab.Land (Anjali): Either the support channel being impersonated or individuals being impersonated like that on Telegram has been our major issue. Make sure the person you’re talking to is actually from our team. Get whatever information you can before you choose to start interacting.
SlowMist (Jian): I would be even more cautious. Scammers are getting so smart at social engineering all these things.
Q4: What are the security solutions and measures your project has taken?
Project Galaxy (Darren): As some of you may know we were once a victim of a Discord compromise, what we did after that is that we make sure that all of the admins have set up their 2FAs. We did create another channel to post our official links so that our community members can double verify. We also announced to our community members saying that, for big news or any big updates, we will be sharing it not just on our Discord, but also on our other social accounts as well. If something is too good to be true, usually it’s a scam. Never let greed take over your rationale.
Collab.Land (James): At the App level, we had to actually turn off the DMing from the bot. In the case of Mask and Collab.Land using Web2 Apps and blending them with Web3, I need to be really careful about the platforms and the interactions. We’ve done things on the App side to make it more difficult so there’s more user-identifying information.
So not only do we need to make sure that we update our UI & UX so that we minimize attack vectors or scammers intruding into that flow. And we customize our wallet connection page by putting in specific user icons.
We’re working with this feature so that you can verify who a user is. If they have not accumulated enough track records, maybe they’re not legitimate. 2FA is definitely a must from a user security side.
SlowMist (Jian): From the developer side, the first thing we recommend is to get an audit.
Most security firms keep tracking different exploits in this space. So as a developer, you’re not going to know all the exploits going on, especially the new ones that are happening.
We, as a security firm, study these events and then we find solutions to these flaws to prevent projects from falling into the same exploits.
For users, we actually recently released the Blockchain Dark Forest Self-Guard Handbook on our GitHub. It talks about how to keep your wallet safe to deal with your crypto assets and best practices. It’s also a summary of the experience we have had over the years. If you’re new to this space, give it a read.
Go+ (Turan): I think one of the biggest ironies in this space is that Web3 has so many amazing society-shifting technologies to offer and it’s kind of being capped out the knees by all of these Web2 exploits. Web3 is amazing because of the community that’s around it and the openness here.
We have our API. We’ve done all the data upgrades and handed everything over to you that you need to know if something is secure or not in a nice little package with a bow on top. Anyone can use it.
Check out this NFT you’re going to buy and see if it has our stamp of approval, and just go on from there. For builders, collaborate with us.
There’s a rich ecosystem out there. If you’re signing a contract, you can read the code and see exactly what you’re signing. Of course the barrier to entry there is you have to actually understand it, but once we get to that point, that leaves space for security companies like us to help you out there and be like hey, this is the code that you need to be wary of. This is the code that’s going to steal all your assets.
Q5: What are some of the most vulnerable areas that you’ve identified? For builders, how are you making protocols more secure?
SlowMist (Jian): It’s been going on for years. But people are still getting exploited because of that. Recently there was a project which locked up their funds forever. They had warnings from people but they decided not to listen. 21 million dollars in ETH was locked up forever.
They have no access to it. And also there are a lot of flash loans. Those are incidents that are happening again and again. We should be keeping up to date with everyone so it doesn’t happen anymore.
Q6: What are the opportunities in this space to make communication more secure and privacy-focused?
SwapChat (Luke): Group chats nowadays are really hard to do well in terms of performance and security. Many communication protocols out there today don’t really support group chat yet and there’s a reason why. It’s really hard to build federated messaging protocols that scale. And especially when it comes to security. Putting it in a really non-technical way, imagine there are 100 people in this space right now. The easiest way to encrypt something is to share a certain kind of secret between us. The thing is that secret, the moment someone leaves this room, that secret leaves with that person. In reality, you just have to change everything within the room. And then, from a systems perspective, that means you just have to synchronize all the changes with every single node and every single client. It’s theoretically right. In practice, there are things that we try to do to make that a little more efficient. But that’s kind of the bare-bones model where if you want to encrypt things within a group, we’ll share things within a group and have everyone still be able to see things in a group? There’s always this kind of a shared secret problem where if people leave, then they take that secret with them.
So you have to update everything. Make sure it’s like if you had an old employee and he or she had the password, some of your important things, you just have to change the company password. Why? So there are challenges like that and designs that people are working on. We’re also working on things like threshold cryptography and some BTC proposals that used to be around to make the cryptography more secure.
So I think at the end of the day, it comes back to what social-technical academics nowadays, and I, like to call social-technical design. How does the social part go along with the technology parts? A lot of the link hacks are more UI and design issues, right? How can we design it so that the user knows this is a good link to click on, or this should not be clicked on. That is more of a less official link, kind of thinking about how to build that trust around content and propagate that trust through a decentralized infrastructure. It’s certainly hard and in its infancy, but I think there are a lot of good promises around in the future. Nowadays, say, Soul-Bound Tokens (SBTs) and whatnot, to build robust, as I said, profiles around people and content.
I hope with the whole industry kind of maturing and with data and certain forms of machine learning that can be done. The good thing nowadays is, at least these few months, a lot of projects around have been making machine learning for Web3 and not making it as invasive. So as those things come around, I think a lot of these link hacks can be mitigated kind of like fake news on Twitter. It’s still around, but it was a huge problem back in 2015 and 2016. Twitter was horrible back then, they didn’t have fact-checking and will not hold the measures that are around today. It’s a lot easier to get away with the fake news and try to pass it away as something legitimate.
I’ve been digressing a little too much, but looping back, I think on the messaging side, it’s for us. It’s about doing really, really good social-technical design. Being aware of how people like to use chat, how people like to communicate with each other via DMs and group chat, and trying to support that with a great cryptography design around the protocol so that we’re able to serve users across the Web3 landscape.
Collab.Land (Anjali): One thing we’re working on with Collab.Land, and a lot of other new projects are coming up around this. And James mentioned earlier, Verifiable Credentials (VCs). So you’re building up your crypto reputation with verifiable credentials in which now it’s not just your name or maybe even your verified tick. But you can actually see a little bit about what verifiable credentials the individual has received from different providers. And that can build up a reputation. Things like that are gonna come with time. In the early days of the internet, if you got an email from Bank of America, you assumed that it was a real email and you just submitted all your information. Phishing scams still continue to this day using email or even texting. As an ecosystem, we’re going to become more sophisticated as time goes by as well. It’s just very, very early right now, and we’re just needing to move and congregate and communicate faster.
The relationships that we make are similar to the ones with Mask Network where we can all work together. We’re actually working with one wallet coming up. That is a security crypto-focused wallet. And they are verifying that when a message comes from the actual Collab.Land. But it’s verified on the wallet side. So if we even had that situation where wallets were starting to say: (for example) wait a minute, this is not an actual Cool Cats mint site, or this isn’t a message that’s coming exactly from OpenSea for example, if we can find safeguards along the way with all of the different actors in the space, then we’ll be able to work closely together to save, or at least provide some kind of backstop for, new people coming in. So it’s happening. People are already starting to move in this direction and it’s gonna happen with relationships.
Go+ (Turan): I think decentralized identities and identity web through is gonna be one of the most exciting things. What comes up in the future, especially as long as financial markets go up and down. The merit of the technology is something that’s going to be just a really staple rise, but especially on what you’re saying with the backstop on the wallets. That’s actually something that we’re doing with. At Go+ we have our own native Go Pocket Wallet and we’re partnering with other wallets to use our APIs to have things like that. So your wallet can even take all the open-source information out there from our APIs and be like, this is not a good contract or this is not a good actor that you’re dealing with, and give you those things. Bringing it back to the discussion at the beginning of this question, to new developers out there, or people kind of getting interested in the technical space, I’d say get good at Web2 security, especially since there are so many application security methodologies and just tools out there.
The Rise of Decentralized Digital Identities
Mask Network (Hehe): Also echoing the rise and seeing the necessity of Verifiable Credentials and DID. On Mask’s side, we’ve been pretty actively developing Next.ID, our self-sovereign identity protocol comes with two layers.
First, we want to use Next.ID’s Persona to make verifiable connections between your Web2 and Web3 accounts, like your Twitter with your wallets. And that can be one source of truth that is using cryptography to verify the identity that we call the cyber-persona of a user. In that case, users can verify instead of trusting any random people on the internet.
And another layer. I think it’s great that a lot of different wallets, like Collab.Land, different solutions are taking this very seriously. We see this as the foundation where before building their Web3 credentials that you need trustworthy DID solutions out there. So we’re aggregating different DID information and connections to make it even more holistic, and publicly a credible database for more projects to use. And hopefully we can build a vast identity graph, a database that can solve a lot of the security challenges that we heard today together.
Collab.Land (James): When we talk about security, we often give responsibility to the user. Ultimately, it’s their responsibility. It is interesting because now in Web3, with the ability to align incentives correctly, if we do it right, we can all help one another and build upon one another. And we have with crypto, Web3, we have programmable money or composable money.
Now, together, what we can do is work together and have this, I think this starts with Twitter spaces where different projects can collaborate with each other, get this network effect, and while we are all working together, incentives are aligned to help protect users. We are very bullish on VCs and DIDs, but that might not be something that Collab.Land — that might not be our core competency, but it’s something that we really want to embrace because ultimately it’s about trust and safety for us.
And so with that, can we integrate with Next.ID? Or can we integrate with other projects that are solving different dimensions of user security? We can tackle this together. I think this is the positive, some kind of abundance mindset that we have and going into Web3, so that we can protect the next hundred million, the next billion users that are coming in.
SwapChat (Luke): Personally I’m a huge fan of how verifiable credentials, and so on, so-called Soul-Bound Tokens are developing today. I would kind of say it helps bridge the trust between Web2, right? If you have a big Twitter profile with 5k or 10k followers, apparently it’s gonna be legit to some level, right? And I think a lot of people are building these bridges in a Web3 native way so that some of that trust and verifiability can be poured over to these Web3 scenarios.
So we’re benefiting a lot from how that’s being made possible by Next.ID because obviously, for messaging, we’re responsible for connecting people and who we are connecting. So in that sense. Personally, I think Next.ID shows us this very bright glimpse of the future where the Web3 verifiability and Web3 identities are a lot more solid and a lot more user-friendly for the people who are still in Web2 right now and hoping to jump into Web3.
Mask Network (Hehe): We’re really excited to have SwapChat as the first chat dApp that uses Next.ID as its identity layer. I think this goes beyond the development of Next.ID, as James and a lot of other speakers have mentioned, is an open kind of collaborative space. That’s really the beauty of Web3, that is not really related to how the financial incentives are. There’s like more additional user value being created because there’s more variability and also there’s more transparency and ability for users to own these data and hopefully be able to protect your privacy and understand how your data has been accessed in the future compared to the current Web2 paradigm. We’re seeing that there’s a true paradigm shift and advancement in terms of how the internet kind of user rights and the infrastructure are shifting for the better.
Q7: What are some of the common advice that you can give to Web3 users to better protect themselves today and to make sure that their communications are secure?
SlowMist (Jian): For the credentials, this just came to my mind. For anybody who’s used Reddit. It was a lot easier for someone to, if you want to listen to some advice, click on their name and you can see all the other accounts or subreddits that they’re active in. So usually you wouldn’t take advice from somebody that’s brand new. So I feel like that’s a way where Discord can, because you only see how they’re active in that Discord channel, you don’t see any other channels they are active in. So you’re not really sure how long they’ve been around. But Reddit has a history that has all the rewards they got and everything. And also for new users coming into the crypto space, I just want to let them know to understand that, whenever you’re signing a transaction, think of it like you’re using your debit card. So that way, every time you sign a transaction, you’re handing over that information on your debit card. So maybe now people will be more cautious of where they wanna sign their transactions.
Mask Network (Hehe): That’s a good analogy for those that are relatively new to the space. We had a lot of internal discussions on signing with the wallet and having more of a proxy kind of a persona, separating the identity layer with the wallet layer right now, the common practice is like when you give access, make verifications, you sign with the wallet. Our internal take is we think it’s actually a bit risky for the exact reason that you were saying, you don’t use your debit card to verify for a lot of things in the real world right now.
Right now the wallet is taking on a lot of responsibilities for verification. So one possible path forward, or maybe a more optimal or secure path for users is to have an identity layer, and also kind of separate the financial assets and where their debit card number, apart from their social security number, or public-facing keys, or user names that they can use as a proxy to verify their reputation without exposing themselves to potential financial scams and vulnerabilities.
SlowMist (Jian): Right. Because you can make multiple wallets, and then you’re not just gonna hand your debit card over to any new website. You see, you’re not just here take this like this. People have to get into that mentality where it goes back to we can make an App as secure as possible, but it’s only as secure as the person using it.
So a lot of it still comes back to user education, where we have to raise awareness to like, listen, these are all like the scams going on. These are some of the exploits, be careful, just because it’s getting so smart, who would have thought, hey, listen, I’m gonna hack into somebody that’s verified. And then because before and Web2, when people did that, you can get scams, but then you can always track where the money is going because still going through a bank account or your credit card company.
But now it’s Web3, everything is held in your wallet. And there’s no centralized store where it’s hey, we’re not gonna refund you for this.
Mask Network (Hehe): Hopefully it’s basic like this and also how the future is like. I think at the Web3, dApps are designed where the protocols are communicating with the users, which will help them understand that they do bear more responsibility. But what comes with it is more autonomy compared to the current digital space that we’re in.
Project Galaxy (Darren): This is a double-edged sword. Don’t you think? When you have control over your wallet you have to be responsible and accountable for reactions?
SlowMist (Jian): It is, but at the same time it’s like we have to trust the users now. The users have to want to learn. You can’t just always be like, hey, I’m gonna have somebody else take care of this because this is not really Web3, the whole point of Web3, the whole decentralization aspect of it. You want to have users be notified of what exactly they’re doing?
Project Galaxy (Darren): Totally agree. Events like this and also as a community manager as well, I do think that part of our job is to educate the new users, especially users that are new to Web3, right? To teach them the narrative and also the context of Web3, to help them to better understand what are the most common scam tactics, etc. Yeah. So I do think that for projects, we should also take up social responsibility. I’m not too sure this is an old exaggeration. But I do think that educating new users on the technical side and also at the same time on social engineering as well, especially with what action would bring, what come the importance of double verifying the news that you’ve gotten from some of the socials or even fake tweets, right? I do think that this is very important for us to implant that mindset into the new users.
Mask Network (Hehe): That’s why we’re doing a Twitter space. And we have a lot of community builders here, if you have any recommendations or sources that can help further amplify these messages, definitely feel free to share them here or just tweet them. Our listeners today can all follow you on Twitter.
SlowMist (Jian): I was thinking like maybe in the future, we can do collaboration because not everybody, it’s like everybody has pieces of the puzzle. For example, we actually recently had a partnership with Go+ Security, where we’re sharing our malicious data, our malicious address database. Because they have some addresses, and then we have some, and when we combine them, we know which contracts not to interact with, and which addresses not to interact with. So I think having someplace where everybody can share the information allows us to make this place a better, more secure place.
SwapChat (Luke): For us, we’re more of a place where data kind of gets born social interaction. They have been on social and what would not. But we’re all for definitely quoting together and sharing with other people to build more of a verifiable and kind of a reputable ecosystem within Web3 where users can have some sense of safety while using services and clicking on contracts. I definitely think it’s an exciting direction of development for the whole ecosystem.
Questions from the Audience
Niko (@0xNikoBit): Do you have any suggestions for people like me? I don’t know how to protect my wallet. Do you have any best practice or have you heard of any kind of applications or extensions that I can use to protect me from being scammed? Is there an easier way to distinguish the website from its domain? Is it possible for the Web3 field?
SlowMist (Jian): We actually have to go to our website. In our GitHub, we actually created the Blockchain Dark Forest Self-Guard Handbook. In it, you’ll see a lot of things about how to protect your wallets, how to spot scams, how to keep your funds safe, and all the other best security practices, too.
Project Galaxy (Darren): To be honest, I don’t think websites are the most vulnerable places, but if you get a stranger’s DM telling you that you’re listed on their whitelists, those types of links, right? Those are the most dangerous; always double verify your news sources. And in terms of protecting your wallets, I do think that you should never share a private key. Never forget your private key. Apart from that, I would say never click on sketchy links that you may see on Discord or on Telegram. Apart from that, always do your own research. And always double verify your news. If you do that, I would say that you’ll be fine. If you don’t own your private key, you don’t own your funds. That is the most important thing, I think, for Web3 users to bear in mind.
Go+ (Turan): Agree with all that. The SlowMist guide is actually really good. It’s also perfectly normal to use multiple wallets. So if one gets compromised, not all of your funds are gone. I think especially for beginners, there might be cases where the ease of a managed wallet might be better. But we’re in this chat because of the Telegram thing. Just educate yourself on what exactly your wallet is. Again, that’s in SlowMist’s guide.
Niko (@0xNikoBit): I would like to know if there is any kind of application or Chrome extension. Because I think it’s very easy for me not to click those fake links, but actually some kinds of websites are too good to be true; you cannot tell just from their interface. So how can I know I’m actually signing a wrong message? So that’s my question.
SlowMist (Jian): This is me personally. If I have questions, I just don’t touch them, and then always do your research, because there’s so much information out there.
Collab.Land (Anjali): Also, one thing that I do, and this is just personally, is I have a whole other login situation with my wallet. So I have one login that I use on my computer that doesn’t have anything with crypto on it. Then I have a second; I have to log in completely separately, and that has my wallet, like my MetaMask and my Phantom, or Opera, whatever I’m using, on a completely separate login.
So if I see something on my one that has all my socials connected to it, and I think I really want to mint this link or I want to mint this or I wanna claim this or whatever, it forces me to do all my research, log out and then log back in, and then put in the information manually.
That’s how I protect myself against clicking on something inadvertently and having my wallet drained. That’s something I personally do to try to keep my socials separate from where I keep my wallets.
Go+ (Turan): Anyone who wants to develop that can come reach out to us. We love collaborating; use our API that does some of these things. Anyone can build the rest, the RESTful URL, but we’re not quite in the business of making a fancy UI for that yet. This area is so big. Other people are doing the same thing; that’s why all of us security people collaborate.
Mask Network (Hehe): Just want to quickly share one project that I was personally very excited about in the past ETH Shanghai Hackathon. We had a developer build something called Scam Sniffer (@scamsniffer_). It’s still in the early stage, but once merged into the Mask Twitter extension, it will be able to identify some possible scams and impersonators, so as to avoid a lot of the fake accounts and the fake mint links. We’re seeing similar projects popping up, and you’re definitely raising awareness of the rampant scamming situation out there.
Discussion from Audience
crypTurkey (@Tales4mdacrypto): Yesterday, a group called FrostyWeb3. And yesterday in our Discord, we were showing some of the people that are wanting to onboard how to onboard new people and be as safe as possible. Right? So we kind of talked a little bit about setting up multiple wallets at the beginning. Maybe the first six. With the first six wallets, you don’t touch them. Because typically, I and you guys can get more experience in the field of security. But typically, whenever somebody sees the first couple of wallets, they’ve got zero. There’s nothing in them. They are probably thinking this person is inactive, or they probably don’t even really know what they’re doing, so they move on to the next person, unfortunately. So we create the first few wallets with nothing in them, and then by the 7th or 8th wallet, that’s where we start having a little bit of activity. So create different wallets for different things that you’re doing. So if you’re getting into DeFi, you have a DeFi wallet. If you’re doing free mints, then you have a free mint wallet. And like you guys said, create user education, and help them be aware of the potential downside to being in this field.
We definitely need to help educate them at the very beginning as much as possible. And somebody mentioned that it’s also dependent on the user as well. But just give those educational resources out; they will definitely help keep people as safe as possible.
SwapChat (Luke): Yeah, I’m actually kind of a fan of the practice of just keeping different wallets. If you just have a free mint wallet and you don’t really have money in it, even if there’s a malicious contract, the worst they can do is crap out your free mint wallet. I definitely think it’s a great practice, and I recommend it here.
Mask Network (Hehe): This has been super fruitful and educational and inspiring for me personally.
There are multiple layers that you need to be aware of, from privacy to scams, suspicious links, and impersonators. But I think what’s really optimistic and inspiring is we’re building towards a better future with a lot of these alliances and just recognizing these problems and collaborating together to find solutions.
Collab.Land (Anjali): That’s what the bear market is. If you provide a little bit for new people joining in, instead of having FOMO and that quick finger, it’ll give people an opportunity to do this type of research. Listen and follow along with the Twitter accounts of the people that are here, speaking here, learning, and educating themselves before making any rushed decisions. The advice I would give to people moving forward is: before you click anything, before you install anything, just take a moment, take a breath, do some research, and then move forward, because there’s so much to learn and so much good stuff happening here.
Mask Network (Hehe): For sure, for builders, given the market condition, I think this is the time to really think about what users need, what the ecosystem needs, and keep building.
And hopefully, a lot of our speakers and the resources here can be helpful, and we’re excited to also see collaborations among our different projects. Thank you so much to our great speakers for sharing all these important insights for builders and for Web3 users.
Thank you to all the friends for tuning in. For anyone who is interested in future Twitter Spaces, please follow Mask Network @realMaskNetwork. We will be hosting more events of this kind, and continue to invite more industry leaders and emerging Web3 builders to talk with us.
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force.
Project Galaxy is a collaborative credential infrastructure that empowers brands to build better communities and products in Web3.
RSS3 is an open protocol designed for content and social networks in the Web 3.0 era.
Go+ Security is an open, permissionless, user-driven security service platform for all types of blockchain users.
Collab.Land leverages the power of identity through cryptocurrency to create a social space unique to a specific network of humans.
SwapChat is a decentralized social trading tool, unlocking experiences only a Web3-native cross-platform messenger can bring.
Mask Network brings privacy and benefits from Web3 to social media like Facebook & Twitter — with an open-sourced browser extension.