
Both my parents worked at a job they apparently hated for most of their career. My dad was a top researcher at Defence Canada for many years when I was a toddler but developed a new college-level class and became a teacher when he divorced my mother. He could no longer spend his time between Ottawa and Washington, D.C. cavorting with other developers of today’s biggest war machines. Me, I consider my whole life a big laboratory. As such I have been running through life since I left home at 16 trying out the most ballsy and out-there work I could get, always a few years before people could understand what the fuck I was up to and what it meant in the long run. What I discovered recently is that my father doesn’t get that I am doing the same thing he used to do with lasers and missiles in a top secret lab, I am just doing it like an anarchist without spending other people’s money. My father, who is currently quite ill, doesn’t get that living below the poverty line is the price I am paying to win at this whole living thing. I want to try out all the technology and craft through life like a mash-up of my dad and Martha Stewart on steroids. I will die having lived the most out of all my peers, and I cannot foresee ever regretting not being able to afford cable or a car or fancy clothes. Ever since I was a teenager, I have never held the same job for more than two years. Heck, I even studied travel and tourism, which rarely leads to job security! And that continues to freak out the elders who were fortunate to be born when people could expect job security. I tend to forget this as I spend most of my time with brilliant 25-year-old entrepreneurs who have no expectation of security and who also run through life inventing the future they want to see.

However, this also creates interesting challenges…

My first bitcoin client is now in the state penn in Penn State with 425+ other men in a similar situation. Did they also accept a plea deal and forfeit all their hard-earned money over an administrative crime that claimed no victim? Probably. So I think that a lot of these people are incredibly lucky to be in prison with Charlie, a swell guy and one of bitcoin’s most active and knowledgeable activists. I predict that this stint will spawn dozens of new bitcoin ventures in all kinds of industries! Charlie touched on this in his last interview with Breaking Bank’s Brett King. Now that he has two years (if he serves his whole sentence) to read and write, I will be publishing his essays on his blog and tweeting for him (I am one of 3 people doing so). He should also be publishing articles via VICE.

As an aside, I am overjoyed that VICE has signed a deal with HBO to produce news on a daily basis! I would much rather John Oliver had a daily show but VICE is awesome.

I have been working hard to earn some coin recently to make up for my lack of paid contracts over the past few years. This whole delving into InfoSec and crypto-currency has left us quite dry. I have begun planning my wedding!

What is most interesting is that I doubled-down on crypto in the past year only to wind up doing more practical InfoSec than I have ever done in my life. You see I used to work on very institutional websites for NGOs or huge businesses, most of which were intranets. And I never really had to deal with hackers. Of course working with WordPress puts one in the mire of automated spam bots, but this menace is predictable and relatively easy to guard against. In crypto-currency however, there is a very active community of “patient hackers” (a term used by some developers in the space). A patient hacker is someone who attacks a website to steal Bitcoins in a very focussed way. In a sense, every crypto-currency website offers the biggest bug bounty in history. Every week, a few websites are victims of theft and, subsequently, go out of business. So when I developed a website to conduct a fundraising that displayed the total raised on the homepage, I knew that it would attract hackers. And since WordPress is a stack of open-source shareware, it is guaranteed that there will be an exploit available for your site at least some of the time. With this in mind, I created a system that would safeguard the Bitcoins raised. However, my hackers (I counted 5 patient hackers) did not know this. And so for 3-4 weeks they tried to steal our client’s funds. I get that. Stealing bitcoins must be the best paid job right now and that endangers all crypto-currency related endeavors. I also woke up to the fact that every bitcoin-related user database has been stolen at one point or another making most systems truly as vulnerable as the least secured account.

As the counter grew to about three times what we were expecting to raise, our patient hackers lost their shit and started to try to deface the website, or send out phishing e-mails pretending to be us. I don’t really get why someone would waste their time and skills doing this but I admit it’s fun to watch hackers as they fail or succeed in their efforts to hack a website. However, impersonation is the most annoying security issue because it can’t be prevented. I published the news that phishers were preparing to send out a fake piece of software called cryptoclient.exe during a phishing attack a day ahead of time. It seems to have helped our clients stay safe. It also helps that our clients are smart and very security minded.

Another vexing external risk is crypto-currency exchange theft. The recent BTER hack claimed 10% of our funds. We are expecting to recoup most of these but we cannot know when. It is not the first time we see our crypto-currency stolen. Twice, our funds were stolen (once returned) at Mintpal. Each unfortunate event requires a lot of administrative work. Exchanges are a vital part of the crypto-currency ecosystem but they are also the biggest victims of theft. Without exchanges, most crypto-currencies will die.

One of the systems I implemented for is an audit-friendly blockchain-based accounting system. I created a river of funds that could be examined by everyone who became a client (as they entered the river). The blockchain makes it impossible for me to deny a client’s stake because her transactions are forever etched in stone inside the blockchain. The inability to void or reverse transactions in the super transparent bitcoin blockchain freaks out a lot of traditional money managers but I love it. By judiciously directing transactions in a clear way, I made it possible for people to verify that we did have the funds raised. Even as I discontinued my web-based CRM, I was able to continue to conduct business securely through e-mail. On the other hand, I also wanted to build a beautiful interface that would display fund performance in real time. I ran into issues with reporting tools which sometimes displayed inaccurate information… I settled on a simpler system that I updated manually with information I audited by hand. This, perhaps, was the least successful part of this experiment. This kind of OCD doesn’t scale, but I believe you have to explore and test a system meticulously and manually BEFORE automating it.

For the past 6 months, I have been doing a lot more security work on WordPress blogs, both preventive and corrective. But I can honestly say that I have gathered more intelligence about WordPress exploits from PCAPing my crypto-currency hacker’s activities than I ever did un-hacking websites of mom and pop blogs. Would I ever use WordPress in the context of crypto again? Maybe, but only for publishing news. My decision to use WordPress as a CRM (including using S2Member) caused a bit of a support cascade and more headaches than I care to have. But it was incredibly fast and cheap to deploy, WordPress always is…

Today our efforts at are on MUTE. Never in my life have I exploited a window of opportunity so narrow on the Internet! Our jurisdiction’s regulations are changing fast and we need to study what kind of services we can offer within this environment. Straight-up consulting is always a possibility, but everything beyond that looks like an expensive regulatory nightmare. I have also calculated that we are seriously underfunded to provide the services our clients are clamoring for. Of course, volunteering to explore this area of business yielded tremendous insight and experience, but going beyond this would require serious bank.

So now is time to focus on other endeavors (like getting back to working on awesome websites), get some popcorn and watch what happens THIS summer! I also look forward to chronicling my crypto-adventures on !