Nicholas Percoco on Defending the Crypto Honeypot



When I joined Kraken, my earliest impression of the company is that, this is by far the most security-minded organisation that I have ever experienced.
— Nicholas Percoco

Interview Location: Chicago
Interview Date: Thursday 11th, July
Company: Kraken
Role: Chief Security Officer

Exchange hacks have been a constant thorn in the side of the industry. Where a physical bank robbery of a few million dollars makes headline news, a $100m+ exchange hack will barely break out of the crypto news media. Exchange hacks are now so commonplace that a recent report from Ledger's CEO Eric Larcheveque found that the equivalent of $2.7 million a day was stolen from exchanges last year.

Almost every major exchange has experienced a hack of some kind, from Mt. Gox to Poloniex to Bitfinex, and more recently Binance and Cryptopia, the list goes on and on.

As such, security is one of the biggest challenges faced by any exchange, and very few have avoided a breach. One that has managed to remain unscathed is Kraken. With attacks becoming more sophisticated and hackers working 24/7 to find vulnerabilities, how is it that Kraken has managed to succeed where so many others have failed?

The man in charge of this role at Kraken is Nicholas Percoco, their Chief Security Officer. In this interview, we discuss:

  • Ethical hacking

  • Finding critical vulnerabilities in iOS

  • Vulnerability brokers

  • Kraken’s company-wide security culture

  • The difficulties in disclosing vulnerabilities

  • Kraken Security Labs


TIMESTAMPS

00:04:40: Introductions 
00:05:54: Delving into Nick’s career and his early experiences hacking
00:10:30: Touching on the relationships between hackers and the hacking community
00:12:37: Discussing the blurred line between ethical and criminal hacking
00:16:17: Exploring how modern day hacking is often fronted by professional organizations
00:19:03: Explaining zero day vulnerabilities and why they are so important
00:22:40: Discussing the changes surrounding bug disclosure protocols over the past 20 years
00:28:04: Touching on the other side of discovering bugs; if the hacker wants to sell the exploit
00:30:06: Exploring state level hacking and the usefulness of zero day vulnerabilities to governments
00:33:12: Discussing how Nick came to work at Kraken and his thoughts on the company
00:39:15: Touching on Kraken’s track record regarding security
00:41:54: Delving into Kraken Security Labs and the feedback surrounding the project
00:49:22: Nick’s thoughts on security in the Bitcoin protocol and Bitcoin’s history
00:53:44: Discussing the Bitcoin revolution and drawing parallels to the days of the early internet
01:00:54: Exploring crypto security and whether it will significantly change going forward
01:05:51: Delving into personal security and some of the threats surrounding that
01:10:35: Nick explaining SIM swapping and how to protect against this threat
01:15:49: Discussing whether we need a body of standards for crypto security
01:19:18: Final comments and how to stay in touch


THANKS

A big thanks to my WBD Maximalist Patrons for helping support the show: JP Petit, Logan Shultz, Seb Walhain, Steve Foster, Tony, Gordon Gould, David Burlington, Jesse Powell, Bitcoin Tina, BitHyve and Wiel Menger.


TRANSCRIPTION

Peter McCormack: Glad we're finally doing this! I've been really looking forward to this interview more than most. I've been talking about it on the show relentlessly, saying "we're going to do it" and then we couldn't.

Nick Percoco: Yeah, we finally worked out the schedule and it worked out great!

Peter McCormack: Yeah, it's perfect and actually I'm glad I did the early flight now, because I'm not staying and I'm going to go straight to LA from here and I'm going to have nine days in LA, nice and chilled.

Nick Percoco: Did you just come over from the UK this morning?

Peter McCormack: Not this morning. I came over two days ago. I was in New York for two days and then I flew in from JFK at 7.30 this morning.

Nick Percoco: So you're just going to head back out to O'Hare?

Peter McCormack: Yeah, probably straight up to LA and have a little sleep. Then get there and I'm going to have a day on the beach tomorrow.

Nick Percoco: That's nice!

Peter McCormack: Yeah, but I've become quite fond of Chicago. Are you from here originally?

Nick Percoco: Yeah, I grew up here.

Peter McCormack: It's a really great city!

Nick Percoco: Yeah, it's awesome! It's awesome when it's this weather, I think 75 and sunny. It's really, really nice. In January when it's -22 Fahrenheit, it's a little different!

Peter McCormack: Yeah, so the first time I came it was raining, but it was still a great trip. Actually I was with Alex Gladstein on that trip. Me and him went to the hockey, went to see the Black Hawks.

Nick Percoco: That's awesome!

Peter McCormack: We got a great game. We got a 4-4 tie game, with overtime and penalties. So that was a good one. But I've grown fond of Chicago! Anyway, great to finally meet you.

Nick Percoco: Yeah, nice to meet you!

Peter McCormack: So your 20 year career was a dress rehearsal for your role at Kraken?

Nick Percoco: Yeah! You want to talk a little bit about that?

Peter McCormack: Yeah, tell me about it!

Nick Percoco: Sure, I've been in the security space, I would say the security industry, for over 20 years. Even before that, I guess I would say professionally, for over 20 years I've been into computers and technology from a very young age. I got my first computer at 6 years old, in the early 80s, and taught myself to code. I got into the BBS world, you know, Bulletin Board Systems, the dial-up precursor to the Internet and chat rooms and things like that. Got a little bit into the hacker scene from that. I would read lots of hacker zines from the BBS and would learn and just absorb as much as I could.

In college, I majored in Computer Science and also ran the IRC server, lots of folks may be familiar with IRC. I ran the IRC server, there was an EFnet IRC server. I wrote a ton of bots that would protect channels and bots that would cause problems as well, sort of wore two hats and it was a lot of fun. Then right out of school, took a job in IT and IT security. I didn't know that you can do like ethical hacking and that type of thing. Right out of school, I was doing more security architecture work and it was at Andersen Consulting, which is now Accenture.

So basically just got recruited right out of college, joined them and it sort of took a lot of the rough edges that I had, as being a little bit more of a hacker and sort of gave me some professional etiquette, but it was great. It was a great experience. From there jumped to a company that was doing ethical hacking work, penetration testing, that would get hired by banks in Chicago, we'd get hired by trading floors and I did a lot of work for the Chicago Board of Trade and places like that, testing their security back in the late 90s.

Peter McCormack: So what is your job, to try and hack it?

Nick Percoco: Yeah, that was my job. So I was an individual contributor back then in the 90s. They would ship me all over the country, all over the world, and they would say, "here you go, here's your target. Try to hack in." Physically even, try to social engineer, try to circumvent physical controls and get into the data center. I broke into hospitals, broke into banks, broke into all sorts of places and would write up a report, tell them how we did it. They would hopefully fix it and then I would move on to the next gig.

Peter McCormack: How old were you at that time?

Nick Percoco: It was late nineties. So 23/24?

Peter McCormack: That must've been pretty cool at 23/24 flying around the world. You're almost... Feels like a spy, like a Bond thing!

Nick Percoco: Yeah, well you had a get out of jail free card! You always had a letter in your pocket that would be from the CEO of the company, because if you did get caught and people surrounded you and they tried to call the police, you'd say, "well here, here's the letter from the CEO. Here's their cell phone number, give them a call and they can verify that I'm really doing this job."

Peter McCormack: And that happened?

Nick Percoco: Occasionally!

Peter McCormack: Was it still scary at the time?

Nick Percoco: Yeah, because you don't know what's going to happen! So that was when I was just doing that for a company and then later on, I formed an organization and ran the whole business, where I had 150 people doing this all over the world. I mean, we would do things for places like Las Vegas casinos.

Peter McCormack: Yeah, I saw about that, that sounds cool!

Nick Percoco: Yeah, they would hire us to do, essentially, Ocean's 11 type engagements against some of the casinos. We would try to do social engineering, see how far we could get into the depths of the casinos. We saw some really interesting things in the back, underground, 2/3 floors below the casino, and tried to get access to things like that. So yeah, I ran a whole team. We did security research.

We would find flaws in Android phones, in Apple devices and disclose those vulnerabilities to the businesses. Then also companies would hire us to test their applications. Mobile was becoming big back then and so we would test mobile applications, find flaws with that. So it was all about testing, finding flaws and then helping those organizations improve their security.

Peter McCormack: And also infiltrating hacker groups as a hacker yourself, but obviously... Is it known as a White Hat Hacker?

Nick Percoco: Yeah, so the term is called White Hat. I don't really use that, I just usually just use hacker. I would say I'm a hacker and I use it more in the positive connotation. The media will say, "oh, hackers broke into this bank" and I'm like, "well I'm a hacker. My friends didn't break into that." I would equate that to be criminals. Criminals broke into the bank, they just happened to be using hacking skills.

Peter McCormack: Interesting! But there are the underground groups of hackers that talk and work together. Do you have to infiltrate those to learn about new vulnerabilities that may exist?

Nick Percoco: No, not necessarily. So there is a hacking community and I would say I'm part of the hacking community on the planet. I run a hacker conference in Chicago, THOTCON. So we've been doing that for about 10 years. It grew from myself and a bunch of friends. We hung out in a bar and invited about a hundred people and they came in, we got onstage at a bar and gave talks.

To now, this past year, was our 10th year and we had about 1700 people. About 50 speakers from all over the world that came in and participated in. So it's all sharing of knowledge. The look and feel of THOTCON is like underground hacker conference, but there's Chief Security Officers from lots of companies. There's security consultants that come and then you have all different types that come.

Peter McCormack: I really like the website for THOTCON as well. It's simple, but kind of like, it still feels like that secretive world. It almost feels like the interface where you would be hacking from. Is there somebody behind the design on that?

Nick Percoco: Yeah, I designed it! So early on I just wanted to make THOTCON more of a throwback to the older underground hacking conferences, sort of like the BBS days that I grew up in, where I would dial into a BBS, like Temple of Pong in Chicago and I would dial in and I would go to the message boards and I would go to the download section and I would learn.

On my Commodore 64 or my early PC, I would go and I would hit "1" and I would get into the message boards and I would read what's going on and I would scroll around. There was no mouse, there was no graphical interface, it was all text.

Peter McCormack: Whenever I think of hacking, I always think back to the film "War Games." Do you remember that film?

Nick Percoco: Yeah, like Matthew Broderick dialing in! So I mean the dial up nature of that, I mean that was state of the art when I was that age. I don't remember what year that came out, probably 83/84 or something like that is when that movie came out. That was my life when I was 10/12 years old back then.

Peter McCormack: Is the line between say ethical hacking or hacking as you were talking about and criminal hacking? Is it blurred? Because I can imagine there are people who can hack things for criminal purposes and benefits, but the same people can also hack for bounties.

Nick Percoco: Yeah, I don't know necessarily if it's blurred. I think maybe in the minds of people who aren't part of the community, it's blurred. I would say there's a strong ethical difference. So growing up in this world, I've had to make a lot of choices in life. Everybody makes choices.

Could I have used my skills and my techniques, even early days when I was getting hired to break into companies, did I have access to some highly sensitive information when I hacked in? Did I have access to lots of money? I had access to bank accounts in different trading floors of Chicago exchanges and things like that. Could I have done some serious damage or made some quick money for myself by doing that. Certainly I could have.

Peter McCormack: And then you could spend 20 years in jail!

Nick Percoco: I could've. So it's an ethical choice. I had that power, I had that access. It's almost like Spiderman, "with great power comes great responsibility". When you have those skills, you have a choice. You could choose to do good things with it, to improve the world around you from a security point of view, or you can choose to do bad things. I think unfortunately I'm in a unique position, and lots of people in the United States are in a unique position, or people who are in places like the UK are in a unique position, where they have opportunities to do legitimate work in the security industry.

Now there are places in the world where maybe jobs might be very scarce. Now, I think the bug bounty programs out there are maybe helping attract the people who, in other situations, didn't have an outlet to use those skills and had to use their passion, the things that they have, for breaking things.

They may make poor ethical decisions and it may be easier to recruit by the criminal groups, and now you have these global bug bounty programs where if you talk to folks like at HackerOne or Bugcrowd who run these programs for lots of companies, the vast majority of the researchers that participate in those programs, are from outside the United States.

Some of them are from third world countries, where they have access to internet and they have a computer. Maybe it's not a great computer, but it's good enough to hack web applications manually and they're now making a living off of that ethically. They're getting paid well.

Peter McCormack: Well the Internet is a great leveler in those times.

Nick Percoco: Yeah, it certainly is!

Peter McCormack: Is there any need for people to do the job that you do, if there aren't criminal hackers?

Nick Percoco: Well I guess if you wiped all the bad people off the planet. If everybody had good intentions, well no. You wouldn't even have to lock the doors on your house. If you go to small towns in America, people don't lock their cars, they don't lock their houses because there is no crime. No one breaks into their houses and steals all their stuff. So I would say if we lived in a perfect utopian society, where everybody trusted everybody and everybody could be trusted, well then, security wouldn't be as big of a need. But unfortunately we don't live in that world!

Peter McCormack: So it's a classic good vs evil Battle and you're trying to stay one step ahead?

Nick Percoco: Yeah and I think it's not just security, it's also privacy. Privacy comes into play there. If you want to keep your information private, you don't want people spying on you, then there's a tradeoff. So you have to protect that. Maybe you pull the blinds on your home, you don't keep your windows wide open and walk around naked in your living room with everybody to be able to see you. So you close the blinds. So there's that and I think that’s sort of the nature of humans.

Peter McCormack: And is the world of hacking these days... I've always thought of it as a guy in his bedroom, smart guy, has got access to his computer, he's on there hacking. But has it become more professionalized these days? Are the hacking groups... Are there almost professional organizations? Or I say professional organizations, you'll probably just say criminal gang.

Nick Percoco: No, I would say they're professional organizations. So one piece when we talked about my leading the ethical hacking efforts, so penetration testing at various companies. I also at the same time, was doing investigations into cyber crime attacks, intrusions into various companies, brand new companies all over the world were my clients. Those companies were being targeted by real organized crime groups. These were not just a couple of kids in their basement thinking that they're going to break into a bank.

These were not just one guy or one girl, who has hacking skills that wakes up and says, "I'm going to break into this global retailer and steal a bunch of credit cards." It's not that at all. I think maybe occasionally you get bits and pieces of that, but there is a real criminal enterprise that is funded 100%, by hacking into companies stealing credit cards, stealing PII, stealing bank account information, stealing cryptocurrency, stealing things they can monetize. I did a great deal of work with global law enforcement in my career.

I was invited to speak at Interpol on cyber crime and organized crime groups. So there's a lot going on there, that most people don't know about, that when you hear about a company that gets hacked into, the media will say, "hackers broke into company X and stole whatever." In your mind, you think of, "oh, it's a bunch of hackers in their basement. They're all just sort of working together." It's not really the case.

There are hierarchies in these crime groups, where there are people who run it, very professional people who have nice homes, drive nice cars, go on fancy vacations and will then have employees. They have people whose job is to find vulnerabilities in various businesses and when they find those vulnerabilities, they pass it off to the next people, who their job is to then to organize and plan to exploit that business.

Peter McCormack: Do you know what, it just sounds like whenever you watch a film, where there is a bank robbery, is the guy who provides the plan, he creates the blueprints, "this is how you're going to break in" and he sells that onto the team who have come in to commit the robbery. It sounds the same!

Nick Percoco: Oh, it is very similar. I mean these are the targeted attacks that you hear about. Those are not just done off the cuff, especially when they're utilizing things like zero days, which maybe you've heard of?

Peter McCormack: I've heard of. You should probably expand in case people haven't heard of it though.

Nick Percoco: The reality is that any software that has ever been written, that ever will be written, has potential vulnerabilities. Humans write that software, humans make mistakes. Humans don't see all of the various attack vectors, all of the threats that are possible, all the ways that their software can be misused. So someone can sit down with any piece of software and say, "I'm going to try to find a vulnerability in this" and they try and they try and they try and they use different techniques.

There's fuzzing, they can do reverse engineering on that software, they may be able to find a flaw. When they find that flaw, if they're the only person that has ever discovered that flaw and the manufacturer of that software, the developer of that software, doesn't know about the flaw, it's essentially a zero day. What that means is, it's brand new, no one knows about it, it can be utilized to exploit and attack others who are using that software and they would have no defense against it. So that's why things like zero days are so powerful.

To give you a good example, a long while back, this is back when I was running Research Lab, we did some testing of SSL vulnerabilities against popular mobile applications. I collaborated with a researcher named Paul Care and in the process of doing that, we actually discovered a vulnerability in iOS, that would allow us to intercept any traffic that was flowing from that device, that was encrypted over SSL.

So essentially we had a man in the middle attack, that would be undetectable by the victim and undetectable by the other end. So if you had a banking application on your phone and you went to go log into your bank and we happen to be on the network between you and your bank, we'd be able to see everything clearly. We'd be able to decrypt that and see everything. We found that vulnerability. That was at the time, a zero day vulnerability. We were the only people on the planet that knew about this. 

Could we have sold that to a criminal group for a lot of money? We probably could have sold it for maybe a half a million dollars. It was a very, very powerful vulnerability. Instead, being the good White Hat hackers and researchers, we called up Apple and said, "there's this flaw. It's pretty nasty that we found. Here's proof of concept code. You guys should probably validate this and make sure that we're not crazy."

We actually thought we were like, "oh, this can't be really happening. This is pretty serious." We reported it to them and within 10 days they fixed the vulnerability globally. They put out a patch, it was like version 4.3.15, I don't remember the exact number. It was an early version of iOS, but they actually pushed out a patch that everybody on the planet with an iPhone or an iOS device, got a patch, which said "critical vulnerability, update your device."

But that's an example of a zero day. It's something that I know, as a criminal or a researcher, that no one else knows, that I can use against your device and it would just literally walk past any... It basically breaks that software. It breaks that barrier that's in place and I get access to something and you would have no indication that it's happening.

Peter McCormack: How did they thank you?

Nick Percoco: This is pre-bug bounty programs and so they thanked us by sending us an email that said, "thank you" basically!

Peter McCormack: Do most companies like Apple have now a kind of responsible disclosure protocol?

Nick Percoco: Yeah, I mean a lot of companies out there will engage with security researchers, in a more open dialogue. Now occasionally those things go sideways. Sometimes things will happen where a researcher reports a vulnerability, the company doesn't know what to do with it, their legal team gets involved, things get very messy. The researcher gets fed up because they've been waiting so long to get a response and then they just drop it on the Internet.

You've seen that happen where someone's like, "no, I'm done dealing with this vendor." Now that used to happen a lot. There's this world in the hacking community, it was a mailing list called "Full Disclosure", where people would just drop zero day vulnerabilities all the time on there or they would drop advisories, sometimes when vendors would have no idea how to deal with them.

So that world has evolved a little bit, to where most brand name companies, so your Apples, your Googles, your Microsofts even, your brand name software vendors out there, if you report a software vulnerability in their products, they have teams of people who know how to handle that. We have that at Kraken and we have a bug bounty program, where people can email us and let us know about a flaw that they find and if we see that and we validate that, then we turn around and we thank them.

Then we also pay them! We also will send them some Bitcoin for doing so. So lots of companies have that nowadays, which keeps that dialogue open and fluid. Where in the old days, I'm not talking like 1950s, we're talking 2000s or in the older 90s even, where that dance was not well thought out in most companies. That's not to say it's solved. There's places like medical device manufacturers, that have had all sorts of issues, where researchers have reported something and they turned around and sued the researchers for finding a flaw in their product!

There's all sorts of things that can happen. There was also, legally in the United States, there were laws like the DMCA, the Digital Millennium Copyright Act, which prosecutors can claim that you were violating in trying to break into different products. So even if the vendor themselves didn't care, they can then still prosecute. But now there's a carve out. So there's actually a carve out in laws that allows for security research, which is a good thing.

Peter McCormack: Well, it's interesting you should say that. So I was with Neha Narula from MIT in Boston a couple of weeks ago and actually I released the show today. She was talking about when they found a critical vulnerability, I think it was in Bitcoin Cash and I think it was Cory Fields who found it. I might have the example incorrect, but she was saying they took legal advice before they disclosed the bug, because they were fearful of being potentially sued.

Also, the disclosure process itself is kind of terrifying, because who do you disclose it to? If you disclose it to the wrong person, especially in cryptocurrencies, they might exploit it and they might end up stealing some of the cryptocurrencies. So it was really unusual. I wasn't prepared for that. It hadn't crossed my mind that you could be sued for finding a bug.

Nick Percoco: Yeah, I mean vulnerability disclosures themselves, as a researcher, and this is one of the things, I did a lot of security research and I ran a security research lab. I got out of that business mainly because there was a lot of liability that would fall on my shoulders for doing that. Now I support it. We have folks even within the company that do that, but personally, previously I got out of that business for a little bit of time because it got really shaky, back like 5, 6 years ago, where people were getting sued left and right for finding vulnerabilities.

So today it's a little bit better, but that being said, the open source community and open source world, where you have open source projects, there's not a clear owner. There's maybe a maintainer, but there's not a business that owns it, disclosing a critical vulnerability to an open source project has always been very difficult. How do you notify the maintainers? Do you email them? You just go on the mailing list and drop it? Do you submit a pull request to the GitHub repository? Now everybody sees the vulnerability and now it's out there! What do you do? So that can become very, very problematic.

Even in the past when I was doing security research or I was running those teams, we would submit things to open source communities. We found in some cases, they would not fix the vulnerability in the right way, some people would want to debate amongst ourselves, whether it's something that needed to be fixed, they would then downplay it or it wouldn't get fixed.

We often saw things, where they thought they fixed a vulnerability, but they really fixed it in the wrong place. So there was this whole back and forth. As a researcher, you're not getting paid to do this work. So as a security researcher, the open source community is not going to turn around and give you money for finding that vulnerability. So at some point you're like, "okay, well you guys are on your own! We gave you all the information you need.

"You guys want to fight amongst yourselves or fall over yourselves in fixing this problem, eventually we have to step away." So that can happen in that case. But I would say that submitting a vulnerability to an open source cryptocurrency project could be dicey for a researcher.

Peter McCormack: Very dicey! What about the process if you have found a vulnerability, but you want to sell it? Are there marketplaces, is it Dark Web marketplaces where this exists? Is it now, ironically, because of our conversation, I guess you would get paid in Bitcoin or something?

Nick Percoco: Probably. Yeah, I don't know how you would get paid. I think cryptocurrency is probably where, most likely you would get paid. There are people and there are companies out there, that are in, what you would call the vulnerability brokering business. They will buy vulnerabilities, pay you and then possibly do something bad with them. There are governments who would like to have those! So there are governments who, having a zero day in your arsenal or having lots of zero days in your arsenal, is really important to them.

If they want to then go and infiltrate another country, if they want to go infiltrate a maybe dissident group, they have a zero day for Android phones and this dissident group are Android users. You now can get into their devices and steal stuff, get their chat logs, get their contacts, get their GPS coordinates. So there are things that you can do with vulnerabilities.

So there are people out there that buy those and that's where the arms race really takes place between the bug bounty programs and the vulnerability brokers, because there are people out there that legitimately will buy those zero days, like I mentioned, when we found that SSL zero day in Apple, we literally could have turned around and sold that to a vulnerability broker. They would have paid a lot of money for that.

But if Apple would have paid us for it, I think Apple today probably would pay maybe $100,000, $200,000 for that similar type of vulnerability. That's where the arms race goes! So Microsoft has to pay lots of money, Google pays lots of money, Apple pays lots of money and all the other vendors out there, if you go to the bug bounty programs, the prices keep going up, because they would rather the researchers sell it to them, so they can fix their stuff, rather than selling it to a vulnerability broker, who's then going to sell it maybe to an organized crime group, who's then going to use that to infiltrate their customers.

Peter McCormack: I guess the state level hacking is an interesting one, because we all hear about like an army of North Korean hackers and we think of them almost like criminals. But I imagine every Western government has a team of hackers?

Nick Percoco: Yeah, I think every government has an offensive cyber team. They have an offensive cyber team, where their job is to... If you hear from even the US government, they will say that the fifth domain is cyber. So you have land, sea, air, I don't know, there's more of those! I think it's the fifth domain or the fourth domain, I don't know what they would call it. But there is a domain that is now considered cyber in the US Department of Defense.

So they actually think of that as a method of defense. They also think of it as a method of offense. They know that they're going to get attacked by other governments or other armies using cybersecurity, that's a method of attack. Just like you can fly over a country and drop bombs, you also can hack into that country and disable their electrical systems, their power grids. So that's a method. So every first world country has to have those teams.

Peter McCormack: I guess cryptocurrencies are in some ways, perfect for the criminal hacker, because when they find a vulnerability, they potentially have the ability to move significant amounts of value instantly and it's irreversible!

Nick Percoco: Yeah and I've often thought about that, from even just cryptocurrency in general, from like a paradigm shift. A paradigm shift from most people and most consumers think of it, "I get compromised and someone hacks into my fiat bank account, in most places I have insurance or I have the ability to recover that." If someone steals my credit card, I don't care.

I just call up the credit card company and say "someone stole my credit card. They racked up a bunch of bills at restaurants and bars. Reverse it" and they reverse it. So I think the world around cryptocurrency, I think there's huge advantages of cryptocurrency versus traditional finance. But that being said, I think the risk... People just need to understand that.

If you don't protect your keys, if someone has your keys, you don't own your money anymore! You don't own your crypto. So that's a big thing that people need to understand is that, they need to protect themselves. They need to put an extra layer of security. They need to be extra aware, in this world, to where they could be sort of happy go lucky with their finances, in the non-crypto world, because there were people looking out for them in that regard.

Peter McCormack: How much exposure had you had to cryptocurrencies prior to joining Kraken?

Nick Percoco: A bit. I had dabbled in mining a bit, I had played around with it quite a bit, even back, you like to try to say what year this would've been, 2012? Yes, it would have been 2012, when I was running that research team. We also had a lot of GPU power at our disposal and so we dabbled a bit in it. We had GPU power where the intent was not mining cryptocurrency. The intent was, if we got a hold of a password file that was encrypted, we would be able to crack that password file in an engagement.

So say going and we were hacking into a business, we got a hold of their domain controller and we've got access to their password file. We would then take that back and upload it into our password cracking rig and it would churn away. It would then crack and identify the passwords. That same technology can be used for mining Bitcoin and so we dabbled a little bit in that, played around a little bit of that.

Peter McCormack: Then how did the connection for Kraken come about? It sounds like, I quoted you when you said your 20 year career was a dress rehearsal for your role at Kraken, but it feels like a very genuine statement.

Nick Percoco: Yeah so all of the work that I had done previously, all the work I had done investigating compromised environments, all the work I had done running security programs, so right prior to Kraken, I ran a security program for an industrial AI company. Their threat model was more of the intellectual property theft, we didn't have currency, we didn't have client funds, but they were going after intellectual property and so that was interesting as well.

I think the jump from that organization to Kraken, for me was the fact that there were even heightened threats, that I have to... As a challenge, for me to build a program and operate a program and defend against all the bad people that want to steal stuff from us.

Peter McCormack: Well, exchange hacks are still a huge problem. Binance have been hacked, was it twice recently? I assume they have a great team there. I kind of imagine your job is terrifying in some ways because you've got people all over the world, constantly trying to find vulnerabilities and hacking and get to this honeypot of a cryptocurrency, which they can move and liquidate, probably a lot easier, than maybe when you steal credit cards and try to use those to steal money or from bank accounts.

Cryptocurrencies themselves, there's so much you can do to kind of hide your tracks. I can imagine that job's terrifying, because I kind of think of it like a castle and you've got people trying to dig underneath, smash through the walls, come over the top, they are trying to come through the people who live in the castle. So every possible way people can attack you, they're trying to attack you on a daily basis. When you're monitoring this, can you see a constant attack on the systems?

Nick Percoco: So there's one topic I won't go into too deep on, which is specifically how we defend against things, but I guess, sort of rewinding, I can talk to that. So the one thing that I experienced at Kraken, so when I joined Kraken, my earliest impression of the company is that, this is by far the most security-minded organization that I've ever experienced, by far. It's not where you have a couple of people, who are security people, whose job is to defend against everything, to think about everything at all times and they have this task that's impossible for them. I mean that's the state at most companies.

You have people running off doing business, doing their daily jobs and then you have a security team that just worries about everything to do with security and defends against all the attacks. Everybody else is just dropping vulnerabilities and being compromised left and right. That's not what I experienced at Kraken, from top to bottom, from Jesse, everything through the entire organization, to the people who work with our customers every single day.

They're very security minded. They are very aware of the threats that we have and it really, really helps me, as the Chief Security Officer there, that people bring anything to our attention that they are concerned about. That people, if they are targeted themselves, there are attempts to get targeted themselves, just like everybody else, we get sent emails to try to phish our employees, everybody sees that. People see it on their personal emails. So people are very, very aware of the threats.

Then even beyond that, the people in our company who are developing our products, are very security aware. So it's not as if there's this world where it's security preaching about security and everybody's like, "yeah, whatever. I'm going to go do whatever I want." That's not the world that we live in here.

Peter McCormack: It's through the DNA of the company.

Nick Percoco: Yeah, it's through the DNA of the entire company, people are very aware, people are very concerned. It is not a place where we're going to put out say, "a new release of a product" and everybody's like, "hey, this is great, there's this brand new release" and the security team finds some vulnerabilities in that, through the testing of the new product.

We say, "hey, there's vulnerabilities here. We shouldn't put out the release." There isn't someone in a business level that would say, "no, we'll fix that later. Let's put it out, because we're going to make money off of this." We would hold that product or that release indefinitely, until those security vulnerabilities are 100% resolved, if we found those during the process.

So that's very different. There are lots of companies out there, that would be like, "let's ship it, while you guys are fixing these vulnerabilities over here and then we'll patch it later. We'll put out a point release later, that fixes that vulnerability."

Peter McCormack: It's hard to question Kraken's track record with regards to security. I mean I do it with my ads. You've obviously heard my ads, I'm always going on about security. I'm always saying, if you're going to trust an exchange, there's no exchange you can trust more than Kraken, in terms of security.

Like you said, my experience with Jesse and getting to know him and meeting him and interviewing him, is that he's created a culture through the business where one of those things is security. I don't think I've managed to... I'm not just saying this because they're a sponsor, but I don't think there's an exchange out there, who is anywhere near Kraken in terms of this.

Nick Percoco: Yeah, we set the standard there. There are independent reviews of various exchanges. I think it's CER, who recently did a review and we are ranked number one based on their criteria. I think even beyond that, looking to push beyond, just what other people think, by independent groups, we constantly want to push the envelope internally, to what we think sets the bar from a security standpoint. I see ourselves and when we think of like competitively in security, I see ourselves as competing against ourselves.

What's secure today, is not going to be secure in three months. Sometimes it's not secure tomorrow. If there's a new vulnerability that's identified in something, some product, some technology and you're just like anybody else, we utilize technology just like anybody else does. There could be a vulnerability identified and we have to get in front of that. We have to mitigate that and we have to have layered approaches, so that there's never a single issue that all of a sudden is like "the sky is falling!"

That can't happen, we can't put ourselves in that position. So it always has to be, let's improve our program, improve our controls, make things more efficient for the business, so it's not like giant walls that are getting put up and then the business can't operate. There's this balance there, but we always put security first and it's my job to keep trying to raise that bar, not only for ourselves internally, but also for our customers.

So our customer's experience around security, I worked hand in hand with our product teams to build a roadmap to put new security features into our products and people will see that, those things are coming. We have some really interesting things that are flowing, that are in early stages, where it'll give more control for our customers, more visibility for our customers into their account, to see things, in a way and secure their accounts in new ways.

Peter McCormack: I still would be an absolute nervous wreck doing your job every day worrying about it! I find the Kraken Security Labs project very interesting. Was that spearheaded by you?

Nick Percoco: Yeah, like I mentioned where I used to do security research and then I stopped for a while because things got really dicey and then things have stabilized quite a bit, where vendors are starting to interact in a more mature way with researchers. So the idea there is that, we consume technology as a company, we know that our clients consume technology as individuals in the cryptocurrency industry.

So we are building, within my team, I have lots of people globally that do focus on security and some of those skillsets are the White Hat hacker skillsets, that are security researcher skillsets, that I have at my disposal within my team. So why not, is part of the thing that we give back to the community. When we find issues in things, why not operate as a security research lab in that regard.

So talk to vendors and say, "hey, we found this issue, you should fix this." When they fix it, go out and communicate to our customers. So we're at the early stages of that. We've been doing quite a bit of research looking at various products, looking at various technology and you'll see some things in the near future coming out from us.

Peter McCormack: What's the general feedback been about this?

Nick Percoco: Feedback from the community or...

Peter McCormack: Yeah, so I can imagine... So what I've seen recently, for example, is some of the hardware wallet manufacturers, finding faults in each other's products. I actually don't like some of the behavior. It has been a little bit, it almost feels a little bit gloaty. Little bit kind of like, "oh, we found a flaw in our competitor's products." It's almost like it's some kind of battle line. In some ways if you're finding faults in other people's products, sometimes people may find it hard to accept.

Nick Percoco: Yeah and that's the piece. Would we go and target another exchange that has no bug bounty program and just find a flaw and then publish it? No! That's not the intent.

Peter McCormack: But that's not a Kraken style of behavior.

Nick Percoco: Yeah, that's not the intent. I think the intent is there are lots of products like hardware wallets or software wallets or mobile wallets, there's lots of products out there, that have popped into the scene. Actually a lot of these are startups. They may only have two employees. They don't have the security expertise that we have and we have customers, clients that may be using those products. So the intent there is for us to deploy our expertise against some of this ecosystem, to find vulnerabilities, to report that to those vendors and the idea is not to name and shame, that's not the intent.

The attempt is to… We wouldn't go on Twitter and say, "hey, we found this vulnerability in this product. Oh by the way, vendor, you should probably fix it." They're not going to learn about that on Twitter. They're not going to learn about it in a blog post. We would be communicating with them, helping to educate them, we would provide proof of concept code. We may even provide them some guidance on how to fix the vulnerability and certainly because the intent is for them to improve it and the intent is not to discredit other vendors.

So I think that's where our intent is a little different than, if you're a wallet vendor and you see yourself competing against all these wallet vendors and your intent is, "well, I'm going to find vulnerabilities in my competitors, to basically discredit their technology." Maybe that works in some worlds, but I don't think that's the best for this community.

Peter McCormack: I agree, I'm with you. It sounds to me that you're looking at the one step from Kraken for your customers. The things and the products they're using that maybe interface with Kraken or they're moving their cryptocurrency from Kraken to other places. That kind of makes sense.

Nick Percoco: So it's like the whole ecosystem. We know that we're not the one stop shop. People can go, they can transfer fiat into our exchange, they can buy lots of cryptocurrency with it, but we don't want people storing loads of cryptocurrency in our exchange. That's not something we recommend. We recommend they get a hardware wallet.

Peter McCormack: Well Jesse said that recently didn't he?

Nick Percoco: We are not a wallet. People have to store cryptocurrency because they want to trade it. Active traders need to have funds there, to be able to trade that. But if you have lots of Bitcoin in Kraken, you don't have a hardware wallet, you keep it there and that's where you do your daily business from or that's where you buy things from, like someone says, "send me Bitcoin", you send it from us, it's probably not the best use! You should own your keys. You should have them in your safekeeping, so that they're in your possession, they're in your control.

Peter McCormack: Have you spent much time looking at the Bitcoin protocol yourself? Also, I'm going to load this with another question and actually I think I wrote this in my description for my show this week, but in the 10 years of the protocol, we've still never had a single counterfeit Bitcoin created, I'm almost certain about that, which is kind of amazing. We've had very few catastrophic bugs, which haven't been fixed, almost immediately. Have you taken much of a look at the history of Bitcoin, at the protocol and what do you find? Do you find that really interesting?

Nick Percoco: I think it's because the way it was designed from day one, it was meant to be that type of protocol. That's why it was designed. If it was another type of system, where you're trying to bolt on security after like, "oh, it's this open environment where you can counterfeit, where you can double spend, where you can do all these things", where that was inherent to the way it started.

Peter McCormack: But it's not going to stop people trying too.

Nick Percoco: Oh, of course it's not going to stop people and you have to imagine that the amount of value that is stored, is pretty massive. So if there was that vulnerability, people would have found it. So I would say, not to say it's never going to happen, but you can imagine there's probably a lot of brain power beyond me. Much more brain power beyond what I have in my arsenal to apply to this and it's probably being done or I know it's being done, that it's pretty brilliant that that hasn't happened yet.

Peter McCormack: Well I almost imagine some of these people are like, "this is bullshit. We've tried for fucking years now and we can't find anything, let's give up!"

Nick Percoco: Seven years of trying and you still haven't done anything!

Peter McCormack: It's actually probably much easier and more fruitful to try and hack wallets.

Nick Percoco: Of course! If you're a criminal group or if you're someone where that's your intent, why go the hard path?

Peter McCormack: Well, the game theory isn't there anyway, because if you hack Bitcoin and you create counterfeit Bitcoins, I imagine the entire value of Bitcoin will crash.

Nick Percoco: It evaporates, right? Yeah that's the problem! So why even attempt that? You want to maintain that value. If I go and I target you, I'm a criminal and I know who you are and I go after you personally and I get access to your wallets and I steal all your Bitcoin. The Bitcoin value does not go down. Your account value, in your possession, that wallet value goes down to zero and mine increases. But there is no new supply and the news of that, if you go on Twitter and say, "my Bitcoin wallet was compromised and they stole X number of Bitcoin", the price isn't going to change, because it's a complete blip on the radar.

Peter McCormack: Do you follow any of the discussions, arguments and debates around the design of the protocol comparing say Bitcoin to other cryptocurrencies? Some want faster block times, some want bigger blocks. A lot of the criticisms of Bitcoin are that it's slow, it's expensive, people want a faster cryptocurrency. But it seems to me that in terms of security, its slowness and its expensiveness actually are part of the value?

Nick Percoco: Yeah, I don't get involved in those debates or those discussions. That seems like a thing that could probably take up a lot of my time. I focus on protecting our employees, protecting our exchange, protecting our clients. But yeah, getting into the intricacies of that and sort of saying like, "this protocol is better than this one or this one", I stay away from that.

Peter McCormack: Are you bought into the cryptocurrency world or are you bought into the Bitcoin world? Do you see a future for this? Do you like it?

Nick Percoco: Oh certainly!

Peter McCormack: So you're fully in?

Nick Percoco: Yeah, I see it as a revolution. This is like a revolution that's sort of at the early stages. Do I think that in short term, are we going to see next week, everybody in the world, every government, everyone in the world just say, "hey, it's great, we fully support Bitcoin, we fully support cryptocurrency. Let's have a party." I don't and I think it's a little bit of a long road.

Peter McCormack: Well we had Trump tweeting about Bitcoin yesterday!

Nick Percoco: Yeah, I mean how I sort of see that is, and I have looked at things similar in my career where any type of significant revolutionary change, whether it's in technology or finance or wherever, it doesn't happen overnight. It doesn't happen immediately. The thing is the world doesn't get changed. You don't wake up one morning and all of a sudden everything's completely different. That typically doesn't happen.

For some people, that aren't in tune with this, there will be some people that will wake up one day, a decade from now and say, "oh wow, there's this Bitcoin thing!" There will be some people on the planet that that will happen to. But for lots of people, it's not brand new today, it's been going on for a while and it's going to take some time for this thing to gain momentum and it is.

You see new places to spend, you see new merchants coming online that allow you to spend, you see new expansion around the world, some governments are accepting it and maybe their own value of their fiat is just inflation's off the charts and people within that country see this as a way to store value that doesn't go crazy from an inflation standpoint. So I think, this is early stage of more of a revolutionary sort of tale, that's playing out and I'm very excited about that.

Peter McCormack: Well it must be exciting for you as well, because security, it's almost like the fundamental key pillar stone of cryptocurrencies, is the security of the protocol, the security of users, the security of transfers. So it's perfect for you!

Nick Percoco: Yeah I mean this is what I've been working on my whole life, basically! So, yeah, that's where the security of people's personal worlds, the security of the businesses that transact cryptocurrency, the security of exchanges and the other players in this space are paramount to the success of this. That is extremely important. That's where part of that revolution, there is that security mindset paradigm shift, that I think eventually we'll get there.

I've been spending a lot of time just sort of thinking about where we sit in sort of the timeline of things. We sit in a place where there are people who are all in. There are people who love cryptocurrency, see the potential, see the future, see what it will be like a decade from now, what it will be like 50 years from now, they see that. There are people who don't see that at all. There are people who are maybe, either of any generation or even sometimes the older generation, who just don't comprehend it and that's okay.

There are people who I remember early days of the Internet, that just could not get their head around what the Internet was. My grandparents were like that. They grew up when radios were first around, they saw the first televisions and that was like magic to them when that came out. The Internet was just sort of, they just could not understand it. It was very, very foreign to them. So I think we are in a place in time, where there are people who like to be able to pull out their wallet and see paper money and change on the table and don't understand what cryptocurrency really is and the utility of that.

They may never get there. But I think with any sort of long revolution, this may sound a little bit morbid, but if you think the revolution is going to happen today and you have all these people you're up against, eventually people die off or they come out of power in decision making places and new people, with new ideas and people who are bought into these types of things, who grew up with this.

The children who are born today, are going to grow up in a world where Bitcoin exists and Bitcoin is something, cryptocurrency is something. It never did not exist in their minds. So when they're 25, 30 years old, it's everyday life for them and eventually that's where those people will be in decision-making positions. When there are debates in legal circles around things, well this is not a foreign concept to them. They can wrap their head around it, because it's always been there for them.

Peter McCormack: Well, yeah, it's like the Internet with my children. I've got a 15 year old and a 9 year old. They don't realize there was a world where we didn't have a supercomputer in our pockets. We didn't have the Internet. We had encyclopedias and if you were going to meet somebody, you had to arrive on time because there was no way of contacting them.

Whereas, these days you can be 10 minutes late, on my way whatever, I might just go and grab a coffee. That didn't happen! You had to be on time and they don't understand that world. My daughter has never lived in a world where there wasn't Bitcoin. She hasn't used it. She's aware of it now because of me, but Bitcoin existed before her.

So you're right, as she gets older, it's going to become more natural I think for them. I think the way we use Bitcoin will probably change and we have a President tweeting about it! Even if he says he doesn't like it, he says he doesn't like it because he can't control it, is what I really think he's saying there. I think what a time to be alive!

Nick Percoco: Yeah, well, we have a leader of a country who is mentioning something that a handful of years ago didn't even exist. There's people who didn't ask for permission. I think the other piece that excites me about cryptocurrency, is that this community doesn't ask for permission. They just did things and that's super exciting to me. I hate when I hear, I mean this happens in just technology worlds or just people in my circles where I run into security researchers or people that say, "hey, I have this idea to do something." I'm like, "well, why don't you do it?"

They're like, "well, I have to ask this person or I have to do this. I have to jump through all these hoops." I'm like, "no, just do it!" So I think the excitement about the community, it's just pushing ahead. Now there's going to be people who are going to be like, "no, we don't like it." Leaders of a large, powerful country are going to say we don't like it. They are going to say it publicly and everybody in the world's going to see that that is the case. But who cares? Just keep moving, keep pushing.

Peter McCormack: I'll tell you what I really liked as well, is that David Marcus was hauled in front of the Senate for Libra. He had to go to Washington, I think it was this week actually. There's no one you could bring in front of the Senate for Bitcoin and tell them, "well, you need to halt development!" You can't do it and that to me is one of the most magical things about it. That's what I really like about it.

Nick Percoco: It's similar to, if you draw parallels, to the early Internet days. There were lawmakers in the US that said we need to put firewalls up and control the Internet. They just didn't understand how the Internet worked and so the whole nature of drawing a box around the United States and saying no one could access things inside our internet. They didn't understand that the Internet is owned by humanity. It's not owned by any one government and so that's similar to cryptocurrency.

Peter McCormack: So when you look now, where we are, you've kind of got a good position where we are, and I take it from you, that you think we're still very, very early. If you start to imagine the next year, five years, 10 years, are you picturing how things will change?

Do you think security within cryptocurrency will change a lot? Do you think it'll be a lot easier to use our private keys and be secure? Or do you think it's always going to be something that's going to be very difficult and we're always going to have to be ultra aware of our own personal security? How do you think about that?

Nick Percoco: So I think in general, people need to be more aware about their personal security. I think that is a big problem that we're up against, where people today aren't aware. I think in the future, I think that'll still have a role. I think being careless with private keys for example is always going to be a problem. If I get access to your private keys, I have your coin. So I think that'll always exist in this world.

But that being said, I think again, with sort of the progression of people like your daughter who grew up in a world with cryptocurrency, with Bitcoin, they always know that that exists, always know that the Internet exists. Hopefully she'll grow up in a world where you need to be more security minded, than folks who are my age or older. So I think that'll sort of problem solve itself in some respects, where a big part of the security problem, is actually the human element, rather than the technology element.

You talk to any criminal, you talk to any ethical hacker, where I did this for a living for a number of years, the path of least resistance, in any target has always been the human. It was far easier to social engineer to get past a human, than it is to find a vulnerability in technology X or find a vulnerability in hardware wallet Y. It's far easier to do that. That will always exist. I think it's just, how aware is the general population? If the whole general population, on a scale of 1 to 10, is still at a 0.5.

I think 10 years from now, there'll still be struggles. But I think in general people's awareness is increasing over time. It's far more aware than it was 10 years ago. It's far more aware than it was 20 years ago. Even when you talk about awareness, it's also businesses and the people they have employed there, people who build their networks, people who build their applications, people who build their tools or install their tools, are more security aware today.

You don't see as much of, "well I installed this critical system, but I didn't change the passwords." That's something I saw as an ethical hacker, almost every time in a company. You get into their network and all the cameras have the default password still and so you can spy on all the employees and zoom in and look at the screens and all sorts of that.

It was a great tool for ethical hacking, but hopefully we're getting to a place where security is top of mind in most organizations and there's nice tools and frameworks and checklists, that you can go through that says, "when you deploy X, make sure you do these things." Now there will always be people who do bad things, you can't fix those kinds of problems, mistakes and things like that. But I think we're getting to a place where knowledge awareness is increasing and it has to.

But at the same front, I think there's a lot of innovation happening to make things more secure, to make things easier for clients and for users of cryptocurrency to make better choices. Now it shouldn't be that you need to be able to deploy your own node and compile your own Linux kernel and harden it and do all these things, in order to be a participant in the cryptocurrency community. That's too hard.

That's ridiculous to even like assume! It has to get to a place, where someone who has an iPhone or has a device or just is a consumer, can be able to do this. We're getting there, there's lots of new products that are coming out. I've seen some interesting things. There's lots of new apps and things that are out there. Now are they secure under the covers, behind the scenes? Maybe not, but are they trying to solve the usability problem for cryptocurrency? Certainly. I think eventually you'll have those two things catch up.

There'll be some apps out there that are compromised, that have flaws and a bunch of people will get hurt. But people will learn from that and just how the nature of every instrument, IT learned from that. I mean, look at a decade ago with Microsoft and all the vulnerabilities that they had and the worms and everything that were flying around. They learned and the Windows operating system is far more secure than it was a decade ago.

Peter McCormack: I've been starting to think on personal security a bit more. I don't really carry much Bitcoin with me. I have a few sats on my mobile wallet. I wouldn't carry much with me because of the role I do. But at the same time, I'm conscious that I'm traveling, I tweet out, "well I'm going to be in LA, who wants to hang out" and I am kind of potentially putting a target on my back, because somebody might think I have some Bitcoin and might think, "oh let's go and wait for Peter at the airport and let's throw him in a car and let's see if he's got some Bitcoin."

I know there's other people in the industry who definitely are very protective of their location data, where they are and some including appearance. How much do you think about that? I mean obviously it's relevant for Kraken and I don't expect you to talk about that, but is that a genuine threat?

Nick Percoco: It is. I think personally, I think about that quite a bit, more so than I did two years ago. Prior to joining Kraken, historically I was a very public person. I am still public today, it's not a secret that I work at Kraken and that I'm Chief Security Officer, but I was the type of person that would tweet a lot, where I'm at, "hey, I'm at this event" or "hey, I am on vacation here. I'm staying at this hotel." I'd post things on Instagram in real time. That was just sort of the nature of being a public person. I didn't have the types of targets or types of threats that I do today. So I personally don't do those things anymore. My Twitter account is not as active as it used to be.

My Instagram account is not as active as it used to be. So I do think about that. Now something I took to heart, when I joined Kraken, was to develop some very, very detailed guidance for employees in the personal security realm. So essentially myself and members of my team, we essentially wrote a guidebook for our employees on how to secure their personal lives and their personal world. So we have plans to share some of that publicly, because we think the cryptocurrency community will benefit from that.

But it goes down a path of really, really thinking about your world in a different way. Really thinking about if someone was to target you, what information are you providing them to help them along the way? Then once they had that information, what controls do you have in place to be able to detect or prevent against those types of attacks. Some of it comes down to, the whole thing of discretion. The statement that was used in the United States in World War II, when my grandfather was fighting in World War II as a member of the navy, was "loose lips sink ships", and he told me that when I was younger.

People need to be mindful of what they talk about publicly and what they talk about in social media circles or even talk about when they're at events. It's funny, there's some cringe-worthy things for me, where I've seen some folks on cryptocurrency Twitter, where I see people going to events. I'll see people going to Consensus or something like that, they're tweeting about it, they're taking selfies, they're boarding this private plane, they rented this fancy car, they're at this fancy restaurant and they're tweeting and posting photos about this.

It's like sort of bragging about, "I have lots of Bitcoin" and I have all this. That to me is just silly! It's just asking for trouble. You've got to imagine... Actually, I don't imagine, I think most people don't realize that there is this criminal element out there. There are these organized crime groups, they have to find their target somehow and what better way to find their targets than just troll Twitter! Look at Twitter or troll Instagram, search for #Bitcoin on Instagram, search for #Bitcoin on Twitter.

You'll find people that have full names, they'll have where they live, they'll have links to everything and they're out there just bragging about what they're doing. Unfortunately those people are probably on the short list of targets for those groups and then it goes beyond that. They know who you are, they find out information about you, they know what your mobile phone number is and then they go and they SIM swap you, which we've heard about.

So this is one thing that I think most people aren't aware of, is that SIM swapping is not just criminals going to a store with some fake ID. That happens. Someone can go and they find out the information, they go and make a fake ID, they get some fake information and they look similar to you. Or maybe they're a male, "my name's Peter, here's my information."

Peter McCormack: If you took your beard a little bit shorter!

Nick Percoco: But the person at the store doesn't know what you look like, they just know that it's this guy who is around this age and it looks like okay. "Yeah, I lost my phone. It fell in the river. I need a new SIM card". You social engineer them and then they're like, "oh yeah, here's a new SIM card." Then you pop it in a phone and then you use that to go do things. That's one way, but it is also fairly known that there are people who have infiltrated the carriers. So it's not as if it's somebody having to go target the stores and things like that.

There are people inside carriers that criminal groups will say, "I want you to SIM swap Peter. Here's half a Bitcoin man." "Sure I'll do it." They know that you are someone who maybe has a lot of crypto and Bitcoin in various exchanges. The way it works, is I then go and I SIM swap you, maybe in the middle of the night when I know you're sleeping. I look at your social media stuff, I go, "yep, every day between this time he's silent, he must be sleeping. I'm going to go and I'm going to SIM swap you."

I now have your phone number. I now control your phone number. I'm now going to go, because I know what your email addresses are, I'm now going to try to go password reset all of your email addresses, get the SMS code to my phone that has Peter's SIM card in it. I then go and I log into your email accounts. I then look through your sent mail, all the different folders that you have, your inbox, your deleted stuff, "oh yeah, look, he has all this information coming from all these different exchanges."

I now go to the exchange and say, "hey, I forgot my password." All the password resets go back to your email. I now log into all your various exchange accounts. Now I'm in your exchange accounts and I go and I add withdrawal addresses, and the emails for those withdrawal addresses come to your email account. I now accept all of those. I now empty all of your accounts and it happens that easy.

That's how it happens and so there's things that people need to put in place, like putting extra security in place at their carrier, putting multifactor authentication that is not SMS based. There's a very specific reason why Kraken as an exchange, we do not support SMS based two factor authentication.

Peter McCormack: I don't know why some companies still do, it's ridiculous to me.

Nick Percoco: Yeah, and unfortunately I found out there are various other companies out there, and this is what's interesting, I went through several months ago, I went through a whole world cleanup. Everybody should go, you should catalog all the various accounts that you have. What are the methods of login? Some places only use SMS two factor authentication. They don't use authenticator apps or they don't use security keys.

So you're sort of stuck, like is it better to not? You have to weigh that risk yourself. So I went through a method of removing SMS from various applications, because they now support things like security keys. I'm like, "great, I'm going to use a security key." I removed it and then I tested it myself.

I physically removed my phone number from that account and I went to the password reset and I said, "I need to reset my password" and it said, "enter your phone number." I entered my phone number and it still worked! Somewhere in the depths of their database, my phone number still existed. So you need to test it yourself as well. So if you have critical accounts that you remove things from and you convert to higher levels of authentication, go and try to hack yourself.

Peter McCormack: There's an old really good guide, I think it was done by Notsofast or Jameson Lopp, someone did a really good guide for things like your backup phone number on Gmail and various things like that. I think if you guys were to produce kind of like an open-sourced guide to better personal security, people would love that because people will follow it.

Nick Percoco: Yeah we have plans, I think in the next couple of weeks. We took some of the content from the guide that we wrote internally and flipped it more towards our clients. So there's going to be some of that coming out. But a lot of it has to do with just basic security hygiene, is what I would call it. Have strong passwords, use password managers, have non-SMS two factor authentication everywhere you can, harden your personal email account, work to try to mitigate the risk of a SIM swap or something like that from taking apart your entire life and then be very mindful of what you share online and what things you glean.

Google yourself! That's the best way. Google yourself, see what's out there about you. See what personal information is out there. Then especially for US-based folks, that's sort of a treasure trove of information. There's so many open databases that get published now. For folks who are in Europe, they have GDPR and so it's probably a little harder to find information about you, but also thanks to GDPR, in the US there are some databases out there that just implemented recently, right in the last year, really easy opt-out methods.

So if you Google yourself and you find your home address and your phone number on a website, you can go and say opt out and within a couple of minutes sometimes your information has gone, which is nice! Five years ago that was impossible. It was like "nothing I can do!"

Peter McCormack: Do you think there's a need for an industry wide body to work together to create a set of standards? Is that even practical or possible?

Nick Percoco: Yeah, so I've been involved quite a bit around that, but not for cryptocurrency. So back in the early 2000s, I was doing lots of work for the credit card industry, providing security advice for the credit card industry. I saw a big issue with, specifically, payment application systems, so point of sale systems like at restaurants and hotels and places like that. By doing investigations, I drafted a standard around that. It's actually a global standard now, it's called the Payment Application Data Security Standard, that every point of sale system on the planet, the manufacturer of that has to go and adhere to.

Now, I thought that was great a while ago, when I was writing it, it was going to change the trajectory of the payment industry in my mind. It was going to improve security drastically globally and I thought it was a great thing. What I learned is that when some of these standards get developed, the biggest impact that they have on the security of that ecosystem that they're trying to impart those requirements on, is the date that it's published.

After that it gets diminished over time, mainly because a body now would probably own it and those bodies are typically very slow in keeping up with the threats. Then you get to a place where there's maybe outdated or irrelevant things that are requirements and now organizations have to waste time and money trying to satisfy those requirements, instead of defending against real threats. So I think there's a place for this.

I think best practices maybe, information sharing definitely. I have been having conversations with security folks at other exchanges and we talk, we're all security people. So there is a bit of that information sharing happening. Just like in the traditional financial world, in the United States there's something called the FS-ISAC, which is all the security people at all the major banks, all the financial firms get together and there's a forum where they share threat intelligence. I think that's awesome.

I think the cryptocurrency industry probably needs to do more of that, because yes, another exchange getting hacked into, maybe in some remote way benefits us. Maybe some people move to us, but I don't think that's great for the industry at all. I think keeping the criminals at bay, I think is great for the industry, because someone hacking into exchange X and stealing millions of dollars, that is now millions of dollars of resources that is now at the disposal of that criminal group, that didn't previously have that money.

Peter McCormack: Of course! It's not just for boats and stuff.

Nick Percoco: No! Now they can go and they can buy zero days! I had a whole team of White Hat hackers, that worked for me that were doing this vulnerability research. If I had $5 million or $10 million in cash and I was a criminal, I may be able to go and recruit 30 people, that all they do is try to find zero days in various things. So keeping that value away from the criminal groups by knowledge sharing, by maybe setting best practices and sharing best practices in the ecosystem I think is just going to accelerate the ability for us to succeed as an industry.

Peter McCormack: So this has been as fascinating as I expected. I also think at some point I'll probably just want to have a pint with you and talk about stuff where we don't record, because there's probably lots of interesting stories and anecdotes from the past that would be amazing. But this has been fascinating! It'd be good to know kind of what's coming up for you, that you can talk about and I think I want to come to THOTCON next year. But yeah, tell me what's coming up.

Nick Percoco: So personally for me, in a couple of weeks, I'm going to be at, this is publicly known as well, so it's not like I'm revealing anything, I'll be at the DEFCON hacking conference in Las Vegas, it's the world's largest. We have 25,000 people there. That is 8-11 August, I think that's it. Yeah. So it's Thursday, Friday, Saturday, Sunday.

I'm actually a goon there, which is a volunteer. I help run the network at DEFCON and so we spend about 3, 4 days prior to DEFCON wiring up and building a brand new wireless network, wired network, that spans multiple Las Vegas hotels. We then secure that, so that the attendees can communicate in a secure way.

Peter McCormack: But do the attendees also then try and hack it?

Nick Percoco: Oh, of course they do! So we have a DEFCON secured network, which uses encryption and security and authentication for you to get access to that network. There's also a DEFCON open network, which is the wild west, where you can throw a computer on there and see how long it takes to get compromised and you can throw an unpatched old Windows computer or something on there and you can just see it get taken over, because it's 25,000 hackers. I think it's coined as the most hostile network in the world!

Peter McCormack: I was going to say, it just feels like an event where everyone's just going to be trying to screw each other over, not so much for any kind of gain, more than the kind of like technical banter. Do you know what I mean? Just kind of like, if you could hack your mates, would you hack the primary system that you guys have created?

Nick Percoco: People try and they will try interesting things, but yeah, it's a lot of fun. So I've been going to DEFCON since DEFCON 8. This year's 27. I've been a speaker there a number of years and so that's a lot of fun. I also, in September, I think it's at the end of September, there is the Wyoming Cryptocurrencies Stampede.

Peter McCormack: Yeah I'm going to be there. That's Caitlin Long.

Nick Percoco: Yeah! So I'm going to be there as well. I think I'm speaking on security, I don't know the specifics yet, but I have been asked to do that.

Peter McCormack: Because Kraken are sponsoring the WyoHackathon?

Nick Percoco: We are!

Peter McCormack: So I'm going to be there.

Nick Percoco: Oh awesome! So we'll be able to get a pint there?

Peter McCormack: Yeah, one or two! Well listen, thanks for coming on, really appreciate this. Also thank you Alex for helping to facilitate this, you can say hello! This was just as fascinating as I expected. Just lastly, just tell people how to find out more about THOTCON, how they can keep an eye on you and maybe stay in touch with you? Who do you want to hear from?

Nick Percoco: So if they want to stay in touch with me, probably the best place would be Twitter. So my Twitter handle is a little bit different. It's not my name, it's @c7five, which is an old hacker handle that I use. So that's the best place. You can reply at me and if you want to have a conversation, you want to ask questions, totally cool, I like to engage with people.

If you want to find out more about THOTCON, you just go to thotcon.org, check it out. It is a very plain, simple website, but you can find out more about that. Our next event is going to be May 2020, but if anybody listening wants to submit a paper, I would love to have cryptocurrency security talks at that event. Our call for papers will open on October 1st and that's also when tickets go on sale for the event, October 1st.

Peter McCormack: All right, well look, thanks for coming on. It's been great!

Nick Percoco: Yeah, thank you!