WBD609 Audio Transcription
Bitcoin Security + the Future of AI with Jameson Lopp
Release date: Monday 23rd January
Note: the following is a transcription of my interview with Jameson Lopp. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.
Jameson Lopp is the co-founder & CTO of Casa. In this interview, we discuss why Casa has extended custody support to Ethereum, important security lessons from the Luke Dashjr hack, Bitcoin security & inheritance planning, and how AI came of age in 2022 with the release of ChatGPT.
“Every species that becomes sentient and develops technology that is sufficient to start creating signals that propagate through the universe, eventually also hits this inflexion point, which we may be close to, wherein the power of the technology becomes uncontrollable, and they destroy themselves for one of a million different reasons.”
— Jameson Lopp
Interview Transcription
Peter McCormack: Morning, Jameson.
Jameson Lopp: Good morning.
Peter McCormack: Good to see you again. How many times have we recorded in person; is this the third one?
Jameson Lopp: That sounds about right. We might have done a few remote interviews as well.
Peter McCormack: Yeah, it's a very different setup from the first time where it was just me and my little trolley.
Jameson Lopp: Yeah, to be fair, you were the first person that ever actually brought professional equipment, and I was like, "Who is this guy who's flying thousands of miles to set up like a professional studio in my home?"
Peter McCormack: Well, it wasn't as professional as this, and we didn't have producer, Danny, we didn't have Jeremy, I did it all on my own. We should tell that story; I think we've told it before but I'll tell it again for people that don't know. So, that was my third ever show; when was it, Danny?
Danny Knowles: December 2017.
Peter McCormack: So, it was five years ago, my third episode. So, I was inspired to make the podcast by this guy, Rich Roll, who did all his interviews in person, so I was like, "I'm going to do them all in person". So, I did my first one when I was in LA with Luke Martin, then I was in the UK and I did it with @cointradernik, and then, it's a famous picture of you, you know the picture, we'll have to flash that up, I see this dude on Twitter with this huge beard and a massive gun and a Make Bitcoin Great Again hat, and I was like, "I need to interview this guy". So, I just went on your website and I emailed you, and I can't remember the email; I wonder if we could find it.
Jameson Lopp: I'm sure I can find it; I have everything.
Peter McCormack: Really?
Jameson Lopp: Yeah.
Peter McCormack: We should dig that out, but I'm sure it was something along the lines of, "Hi, I've launched a podcast. Can I come and interview you? I'll fly from the UK and can you take me to shoot a gun?" and I turn up at your house and there are fucking guns everywhere! How many guns would there have been?
Jameson Lopp: Oh, dozens.
Peter McCormack: Yeah, and bear in mind I'd never seen a gun before, and so you took me shooting, we made a podcast, got some barbeque; I should tell that story as well. It's only me talking about it, sorry, I know I'm interviewing Jameson. I was a vegan at the time because my mum, I've got to get the dates right, but anyway I went vegan and you took me to this barbeque place and I was sitting there thinking, "Fucking hell, I don't want to turn round to this guy with big guns and Bitcoin and say, 'I'm a vegan. Can I have some potato without --'" God, I couldn't even have the salad.
Jameson Lopp: I'm sure there were a couple of options, but I had to take you to a real authentic hole-in-the-wall barbeque shack in North Carolina.
Peter McCormack: Well, that was the day I stopped being a vegan because I was like, "Well, I can't do this", and I was like, "Actually, this tastes good". Actually, do you know really what I remember from that? Do you remember there was an old guy in there I was talking to?
Danny Knowles: I can't find the full picture but it was this one, wasn't it?
Peter McCormack: Yeah, you've got to find the one with the gun though.
Jameson Lopp: Yeah, you can definitely find the one -- Peter Thiel actually put me and Vitalik in his presentation at Bitcoin 2022.
Peter McCormack: So you don't remember the old guy in there?
Jameson Lopp: Vaguely, not really.
Peter McCormack: So, I was chatting to this old guy in there and he was like, "Where are you from, boy?" I was like, "I'm from Bedford, it's near London", and he was chatting away and I remember saying to him, "Oh, have you ever been?" and he said something along the lines of, "I've never left the county".
Jameson Lopp: It sounds about right.
Peter McCormack: It's not, "I haven't left the state", he'd never left the county. Oh, there we go, look at that, man, what a fucking badass, although you do look like somebody who would have gone to the Capitol Building on 6 January!
Jameson Lopp: A funny story how that all worked out, is that things take a life of their own and the fact that I did this as a satirical video on request for someone, nobody knows that anymore, even you probably don't know that.
Peter McCormack: I didn't know that.
Jameson Lopp: No, I did this for Bitcoin Car Talk way back in the day.
Peter McCormack: I remember that, yeah; was that Mike in Space?
Jameson Lopp: Yeah, Mike in Space. So, I did this way over the top, hilarious, sort of gunned up Bitcoin maximalist video and he put it in the intro to Bitcoin Car Talk, one of those episodes, and of course people took screenshots of it, and then my favourite, of course, is the people who transposed this against Vitalik wearing his unicorn pyjama onesie thing. But these things are all just memes, and that's one of the hilarious things about this space is the memetics of it.
Peter McCormack: Have you seen this picture before?
Jeremy: Yeah.
Peter McCormack: You look like a fucking badass! The glasses, the hat, the gun, you're looking hench.
Jameson Lopp: The body armour.
Peter McCormack: Have you got --
Jameson Lopp: Yeah, it's kind of hard to tell because I'm wearing so much black.
Peter McCormack: But you also do look like a 6 January -- I love that picture. That was a very early show we made and I came to ask you technical stuff, and honestly I had no fucking idea what you were talking about.
Jameson Lopp: Well, hopefully you've learned a little since then.
Peter McCormack: A little bit, I learned what an xPub is, I know what an extended public key is. Anyway, dude, welcome back. Oh, we recorded another time in person, in New York in that little studio.
Jameson Lopp: Was that around one of the Consensus conferences?
Peter McCormack: Yes, that was one of my first in-person interviews with the camera, we went to the studio and then we went and got burgers, yeah, a long time ago, man. Well listen, thank you very much for doing that interview because you said yes, and that essentially kickstarted getting known and credible Bitcoin people, because all right, it was Litecoin, but you got me then Charlie Lee and then Charlie Lee got me so-and-so, and that started the whole journey.
Jameson Lopp: Well, you did the hard work.
Peter McCormack: Yeah, but you said yes.
Jameson Lopp: That was the easy part.
Peter McCormack: Yeah, but it isn't really, because I imagine in various times you've had lots of requests.
Jameson Lopp: I very rarely say no.
Peter McCormack: Oh, I don't feel special! A lot of people said no early on, or a lot of people didn't reply, but getting that yes was a big deal; that show was a credible show that went out and gave me credibility, so I owe you a debt of gratitude for that and various things, so thank you, Jameson. Yeah, welcome back. How are things at Casa?
Jameson Lopp: Typical bear market shenanigans but people are hodling and so that's good. From a business perspective, Casa, compared to a lot of the other businesses in the space, we're a subscription service, so that has pros and cons. The pros are you have some fairly reliable annual revenue and so we don't get hit as hard as the people who are doing BIPS or basically taking a cut of some other activity; that's good during the bear market. So the downside is that we don't see the same straight-up-a-wall type of revenue increases during the crazy hype circles, so give and take.
Peter McCormack: Yeah, like on the subscription model, it's not cheap; the package I have, you have a Gold, a Platinum and a Diamond.
Jameson Lopp: Yeah, we have a couple of premium tiers that are thousands of dollars a year and then our baseline Gold tier is about $120 a year.
Peter McCormack: Yeah, it's a big jump for some people to make that step, and I found with Casa, I had it for a while before I used it; that first step of going through the process of setting up your multisig, it's actually really easy, but once you've done it, it's super easy.
Jameson Lopp: Yeah, but people are afraid.
Peter McCormack: Yeah, because for people like me who are non-technical, a wallet is a big step, like a hardware wallet. The word "multi-signature" -- actually, is that two words?
Danny Knowles: Yeah.
Peter McCormack: But it's one word as multisig?
Jameson Lopp: You can hyphenate it.
Danny Knowles: It's hyphenated, I think.
Jameson Lopp: You can do one word.
Peter McCormack: This fluid term, it's kind of intimidating, "So, what do you mean? I have to sign with multiple keys and I have to hide multiple keys?" and that logic of where you put your keys, so we'll get into that. I am going to talk about the Ethereum thing.
Jameson Lopp: Sure.
Peter McCormack: I'm not critical, but I am interested in the motivations, the impact of that. I saw the criticism obviously, died down, whatever; I have sponsors who support multiple coins, there are some shitcoins, doesn't bother me; we do know there's a section of the community who will react.
Jameson Lopp: Oh yeah, completely predictable.
Peter McCormack: Yeah, but I do have an important question, which I'll come to, but do you want to talk about why you did it, any of the challenges, impact?
Jameson Lopp: Yeah, well actually the challenges, there's nothing really new on the challenges side in comparison to what I wrote in 2017 when I was working at BitGo and we developed a multi-signature Ethereum wallet. There were a lot of challenges then, they're pretty much the same today. The main difference is that we have another five years of experience to look at standards and best practices of doing multisig in Ethereum. We didn't want to roll our own anything, we didn't want to become smart contract developers, so we're using a well-vetted smart contract that's already securing untold billions of dollars' worth of Ether and other tokens and stuff. But why did we do it? Well, it's all about markets, right.
So, some people find this very hard to believe, but there are a lot of people out there who own both Bitcoin and Ethereum, and of course a lot of other things. There's a longtail distribution, and you start to get into challenging business questions of deciding where the threshold is of what makes sense to support. But suffice to say, over the past few years we started losing more and more deals because we didn't support Ethereum, and it hurts as a business to lose deals. And from a self-custody perspective, the thing that really irks me is when I see, and I've seen a lot of people do this, they end up choosing a trusted third-party custodian because that's the easiest way for them to secure many different assets; that just makes me cringe and it makes me angry.
So from my perspective, everything that I've ever said about Ethereum I completely stand by. Feel free to go back through any of my blog posts or podcasts or whatever, my personal beliefs about Ethereum and its issues are still there, but I recognise that there are people who don't agree with that and they have this need, and I would rather see them self-custody their Ethereum if that means that they're also going to be self-custodying their Bitcoin.
Peter McCormack: So, I haven't seen the Ethereum interface because I don't own any or any tokens, but is it just Ethereum or does it support the tokens as well?
Jameson Lopp: The smart contract that we're using could support definitely any ERC-20 token, possibly other stuff, but that's further down the line. We start out with the Ethereum token because that's what people are demanding.
Peter McCormack: Yeah, the only scenario I could imagine I was using it, is if I wanted to store some stablecoin dollar on it.
Jameson Lopp: Yes, and I think that that is a logical next step. I would say stablecoins are probably our next greatest thing that we have received demand for; and once again, there are people in the space who will say stablecoins are terrible and you're essentially bringing fiat into this space which we don't need, but on the other hand, there are plenty of examples of utility and stablecoins helping people.
Peter McCormack: I know, it's fucking ludicrous, like the world runs on fiat, yes, we want to move to Bitcoin, but if I lived on a Bitcoin standard entirely, my net worth would have been crushed this last eight months and I would have struggled to pay my team, I'm a business, so I just think that's fucking ludicrous.
Jameson Lopp: Oh yeah, we could do a whole episode about stablecoins and all the problems with them. They have, of course, all the problems inherent with fiat, and then they usually have a lot of centralisation and security model problems too, but nonetheless, people have use for them.
Peter McCormack: Well, I have to balance between the amount of Bitcoin and fiat I hold. Again, it's a fluid kind of balance I have of both. But I know in the UK, I'm only protected up to £85,000. I can imagine a scenario where I want to de-risk some of that and maybe hold some in a stablecoin on a multisig, there's a logical reason to do that. I don't do it at the moment, but I can certainly see a stronger requirement for that in more challenging markets, challenging countries, so it makes a logical sense. There are a lot of people in South America who absolutely love, need, rely, depend on stablecoins, and so I think the logic's there.
The important question really is, it's the thing me and Danny were talking about this morning, as a bitcoiner using Casa for both my football club and personally, can the introduction of Ethereum present any risk to my Bitcoin or is there a separation within the stack of the code?
Jameson Lopp: Right, so as with anything, it depends on the implementation.
Peter McCormack: Okay.
Jameson Lopp: I would say, with a lot of the wallets out there that support a long list of assets, most of them tend to be software-based wallets. Now, there are hardware wallets of course that support many different things, but it really comes down to what is managing the keys themselves. So, with Casa, of course, we have a separation of many different concerns, and we use diversity of different software and hardware, and the main sticking point of why does introducing other code into the Casa app not degrade your security with your Bitcoin, that's because whenever you're having to make a transaction, you're having to go to these different hardware devices and actually verify the details of exactly what you're signing.
So, of course anything is possible if enough things go wrong, but it's like if you have both a Trezor and a Ledger as part of your setup, how would it be that you would go to sign a Bitcoin transaction and those signature operations would create some other thing that you're not anticipating? Both of those companies and their whole software stacks and firmware and upgrade process would all have to be compromised. At the end of the day, anything can be compromised, we're just trying to make it as difficult as possible for that to happen. So, the short version is that you're verifying what you're doing and you're not trusting the Casa software.
Peter McCormack: Yeah, I'm staying with Casa, love the product, I've always loved the app, but even early on, when it was Jeremy Welch running the company, I said to him, "Your UX is incredible; it's not like a Bitcoin company, it's like a Silicon Valley company. For a moron like me, it makes it super-easy to manage a multisig", so I love it, I'm staying with the product.
But what I really wanted to ask is there has to be a decision there, you knew what you were going to face. There is this ideology around Bitcoin only; I've ignored that myself in what we do in that we're a Bitcoin-only podcast, but we will discuss Ethereum if it brings something relevant to the conversation with Bitcoin; or we've discussed Monero if it brings something relevant to the conversation with Bitcoin; or I'll have sponsors who support alternative coins, because if that enables us to be able to deliver this message and grow Bitcoin, we do, we accept that, but I've lost listeners because of it.
Jameson Lopp: Sure.
Peter McCormack: There are people who will not listen to my podcast because of that. I don't know if you can tell me, but my expectation is you lost some customers because I saw some people saying online, "Well, I've quit, I will no longer use it"; was that a negligible amount, can you talk about that?
Jameson Lopp: Probably won't go into numbers but I will say that what you see and hear on Twitter is greatly magnified versus reality. Most of the people who were outraged on Twitter, assuming they're actually people, I have some evidence that there are some bots and civil stuff going on, I'm not of course saying that all of these Twitter accounts are bots, a number of them are real people; but trying to remember actually, I think Nic Carter described them as, "Perpetually outraged grievous mob", or something. I know I'm screwing up his definition there, but it's the people who want to complain about stuff all the time. Perhaps they're doing it for clout, perhaps it's just part of their tribalism.
Peter McCormack: It could also be honest held beliefs.
Jameson Lopp: Oh, definitely, and I understand the whole toxic Twitter tribe stuff, I've played a toxic Bitcoin maximalist on several occasions myself.
Peter McCormack: Partaken into the…
Jameson Lopp: Yeah, and I get it, and we of course expected to lose some customers. From a business perspective, we of course are operating under the thesis that we are growing the umbrella, growing our total addressable market, and that the hardliners who have the ideological considerations, we wish them the best, and they're going to go support the Bitcoin-only companies. The only thing that kind of irked me was some of the discussions around people saying that this was degrading the security model for Casa clients, and it's very hard to offend me, but that is one of the things that I do get offended by is when people say that I am putting other people's funds at risk.
Peter McCormack: Of course.
Jameson Lopp: Casa eats its own dog food, we use Casa for our own corporate treasury, our employees use Casa; this is a friends and family operation. So, the claim that I would degrade the security of bitcoiners just as a sort of cash grab to try to get Ethereum market share is offensive to me. Some people are going to believe that, they're going to say that, and there's nothing I can do to stop that, but we are going forward with this, there's no arguing against it at this point.
We've been committed to it for over six months, probably nine months of research and development, and maybe it's a bad idea, maybe we won't get a significant amount of business from it and maybe it goes so terribly that we decide, some years in the future, that we drop support for it; anything is possible, this is a fluid environment. Actually, I think Wyre just announced that they were shutting down operations.
Peter McCormack: Are they?
Jameson Lopp: Their future is definitely in peril and we use Wyre for our Buy Bitcoin stuff on the app, and so most likely that's going to be going away. I don't know whether or not we're going to be replacing them with someone else, it's hard to say.
Peter McCormack: I didn't know Wyre were in trouble.
Jameson Lopp: Yeah, well I think they had a $1.5 billion buyout that was supposed to happen and then that fell through and now apparently everything seems to be falling apart, but the nature of the space is that --
Peter McCormack: Are you worth $1.5 billion or are you worth shit?!
Jameson Lopp: 2022 was a terrible year to be an investor in this space, but 2022 was a great year to be a technologist, and so that is the optimist take that I'm walking away from last year with is, thankfully I consider myself a technologist first, all of the other stuff is kind of tangential and a result of my interests in different technology. But that also comes full circle to the fact that, by many people's definition, I am a shitcoiner, and I have been called a shitcoiner, probably two outrage incidents a year for the past, I don't know, four or five years, and this is because --
Peter McCormack: You are a shitcoiner!
Jameson Lopp: -- I play around with any technology that interests me.
Peter McCormack: Yeah.
Jameson Lopp: Due to my audience, whenever I talk about any technology, if there's any kind of even possible financial incentive there, if I even talk about it, then I'm considered as shilling that technology.
Peter McCormack: You're a shitcoiner! You're a shitcoiner since Grin.
Jameson Lopp: Oh, yeah. So, that was an outrage incident three or four years ago where I was running a Grin node and apparently that meant that I was shilling it and saying that people should be buying and selling it, but I never bought or sold it, I don't even know where I would have; none of the exchanges I had accounts on even had Grin support.
Peter McCormack: No, never got listed I don't think.
Jameson Lopp: I don't think so.
Peter McCormack: No.
Jameson Lopp: It had terrible economics; no one who looked into the economics would have invested in it.
Peter McCormack: Remind me, was it like they had a different way of approaching privacy?
Jameson Lopp: It was a privacy coin, it was using MimbleWimble, and I have been talking about MimbleWimble as a protocol since probably 2015 when the first white paper for MimbleWimble came out. I guess the short version is that anyone out there should expect that I will be interested in almost anything that is going to increase privacy. So, if there's a new shitcoin that comes out and that it claims to have the best privacy ever in the world, you can bet that I'm going to be looking into it and playing around with it and might be talking about it; that doesn't mean it's investment advice.
Peter McCormack: Yeah, listen, look, I think it's fine. Also, if you laid out your criticisms of Ethereum, I'd probably agree with them. I think it has been a platform which has been used to spread a lot of shitty projects and shitty ideas, I'm not a fan of NFTs, I am not a fan of ICOs anymore, just mainly because I lost loads of money on them, I'm just not really a fan of it; but I do find it hard to argue against stablecoins and their usage.
I don't believe we have a useable, decent stablecoin on Bitcoin, and it's very hard to argue against that, especially when you talk to Alex Gladstein, he talks about how people in these countries are using stablecoins. And even when bitcoiners are like, "Well, no, they should be using Bitcoin", I actually just think it's a moronic statement because these people are already challenged maybe by high inflation or capital controls, this is an option for them, and people will refer to the tool that's available. So it doesn't bother me; shouting at people about Ethereum is not making it go away.
Jameson Lopp: And we will be seeing stablecoins on Bitcoin, on Lightning, and we will be seeing the same crowd of people then decrying the fact that people are using Bitcoin for fiat operations.
Peter McCormack: Well, I think that would be a subset because I think people who criticise stablecoins on any platform, my expectation is they live a privileged life and don't understand the difficulties that other people have. I think people will always find a tool that helps them. But my analogy for this is, people don't really like it, but my analogy for you guys supporting Ethereum, it's kind of like cigarettes in that you can absolutely hate Ethereum and still use Casa just as you can absolutely hate cigarettes and still go to the liquor store and buy a bottle of whiskey. It is just something you don't like, you don't agree with, a market that's lied about what it is, what it represents, that has some kind of negative connotations attached with it, but you can just not buy it.
Jameson Lopp: Yeah.
Peter McCormack: You can go and buy your bottle of whiskey and leave and not buy any cigarettes. You can go and multisig with Casa and store your Bitcoin and not buy Ethereum.
Jameson Lopp: Yeah, I think the short version is that I will never apologise for and I will never feel bad about helping people improve their security, regardless of what that is, even if it's security for an asset that I'm not interested in and that a lot of people hate.
Peter McCormack: The YouTube's going to be on fire about this! Okay, can we talk about Luke Dashjr and what happened this week?
Jameson Lopp: We can try.
Peter McCormack: We can try, okay. Big outrage on Twitter, also some horrible dunking, which I didn't like at all, but my main issue with it was I had no idea what the fuck he was talking about. Storing Bitcoin for me is very simple; some people do it on an exchange, some people do it on a software wallet on their phones, some people do it on hardware wallet, some people have multisig; when he explained the scenario of what went wrong, I just fundamentally didn't understand it. He talked about PGP; I've tried to use PGP, it's not moron-friendly.
Jameson Lopp: Right.
Peter McCormack: It's a very tricky tool to use, so I didn't understand it, so I'm just going to throw it to you; talk me through what happened.
Jameson Lopp: Well, to kind of set the stage, our information is incomplete, so even anything that I'm going to say is somewhat speculative and based upon partial information and tweets and a few conversations that I've seen, so take anything that I say with a grain of salt because it could be wrong. But my understanding is that Luke had a setup that actually dated back ten years, he said that he had generated these keys in 2012, so that means this is pre-hierarchical deterministic wallet, pre-seed phrase, it's just a bunch of keys.
Peter McCormack: Hierarchical deterministic wallets are seed phrases?
Jameson Lopp: Yes. So, most likely he had a Bitcoin Core wallet.dat file that had just a bunch of private keys in it, and it sounds like what he was doing was he was securing that by encrypting it with PGP. So, at rest, he had this big data blob which, if anybody got a hold of that data blob, they couldn't do anything with it because you have to have the decryption key to actually be able to get the data and then use the private keys related to it.
Now, at some point a few months ago, he started talking about one or more of his servers being compromised, what we don't know is how the servers got compromised. Some theories are that there was an insider employee attack at his data-hosting provider who physically accessed his server, some people are speculating that it could have been some sort of software exploit, some sort of vulnerability. But the speculation is that that most likely was sort of the entry point into what eventually turned into the compromise of his coins. What we don't know is exactly where he was keeping that wallet file. Most likely, I think it was on one or more of his computers at his home, not on his server, from what I've seen him talk about.
Peter McCormack: That's still a hot environment.
Jameson Lopp: Yeah, it's still an internet-connected computer, which generally we would call that a hot wallet even though the keys were encrypted at rest. So, what we don't know is how that attacker, assuming it's the same attacker, which seems likely, how that attacker got from compromising his server to compromising his home machines or whatever machines the actual keys were kept on.
Peter McCormack: The PGP key.
Jameson Lopp: And the wallet itself, but he did say, at some point, his PGP key got compromised; presumably, that was not on the server and that was also on his home machines. If that was the key that he was also using to encrypt the wallet file, that would have been game over, or if he had some other really long decryption phrase for the wallet file, if his machine that he was using to access it had a keylogger, then eventually, once he decided to open up and decrypt that wallet, then the attacker would have had everything.
Peter McCormack: So, let's go into the Jameson Lopp world, my expectation is you have something that scans your computer to look for keyloggers and things like that. Is that possible; does that exist?
Jameson Lopp: Well, it depends. So, I actually don't have any antivirus that I run; all of my machines are Linux machines, they're generally fairly hardened, but also I don't keep any key material on them. So, even my PGP keys, for example, I don't actually have those on my laptops or my other machines, I keep those on a YubiKey which is just another dedicated device that does nothing except hold secrets.
So this is another thing, getting back to Luke, it sounds to me like he was not using dedicated hardware devices for any of his key material, his PGP key material, his wallet key material. I think most people would agree that had he been using dedicated devices that are not internet-connected devices, then that would have mitigated this attack. But for various reasons, I won't speak for him, Luke does not believe in using hardware devices for his key material.
Peter McCormack: I would love to ask him that question and find out what the answer is. So, if you're storing a PGP key on a YubiKey, at some point if you want to transfer some Bitcoin in a hot environment, you have to either type it out or paste it; they're the two options?
Jameson Lopp: Well, if we try to apply using a YubiKey for what we believe Luke's setup was, if he had his wallet file encrypted with his PGP key, then he would run an operation or he would run a command to decrypt those keys; instead of pasting in a passphrase to decrypt them, his YubiKey, he would have to insert that into the computer and then it would start blinking and you have to physically tap it in order to access it and do that decryption op.
Peter McCormack: I'm thinking if his machine is compromised, a keylogger would be able to note the keys that are being pressed; can they also note, copy and paste, this is what has been pasted?
Jameson Lopp: Oh yeah, anything that's copy and pasted, anything that is input or output from the computer could potentially be sucked up by that malware. So, even if you kept your PGP key on a YubiKey, as soon as you decrypted the file on that compromised machine, it would load the contents into the memory.
Peter McCormack: Yeah, that was my next question.
Jameson Lopp: And any good malware would also be looking at what is currently in memory and siphoning that off.
Peter McCormack: So, even in that environment, it sounds to me like it doesn't matter even if he has the YubiKey, keeping that wallet file in a hot environment, it's just massive risk.
Jameson Lopp: Yeah, it creates an incredibly large attack surface. This is why it's really frustrating to see all of the FUD of course, everybody attacking self-custody.
Peter McCormack: Udi.
Jameson Lopp: A lot of people out there who have vested interests, I think, against self-custody saying, "Oh look, even if this prominent protocol developer can't do it, then why should you believe you can?" I think that this is an interesting case of actually being so deep into Bitcoin. I think Luke, once again I don't want to speak for him, but I think on various occasions he has said that he's not a security guy, he's a protocol and a software guy. So, he had this very unique setup with a lot of custom attributes and also I believe that he revealed a lot of that to the world, which in and of itself shouldn't be bad if your setup is secure, you should be able to reveal the architecture of your key management if it's secure.
Peter McCormack: Yeah, I could tell you my multisig.
Jameson Lopp: Yeah, security through obscurity is not a thing. However, he had so many custom attributes that it seems there were vulnerabilities. And this is one of those things where I think people should keep in mind the Bitcoin motto, Vires in Numeris, strength in numbers.
Peter McCormack: Yeah.
Jameson Lopp: Now, this applies to many different things in this space. Usually people are talking about here the cryptographic security of public/private keys and the fact that there are so many of them, that's why they're secure, just through entropy; but it's also applicable to your security setup, your architecture for managing your keys. If you're using an architecture that you created yourself from scratch and nobody else uses it and no one has ever vetted it, it hasn't been stress tested, it hasn't been adopted by other people, then it's highly likely that there are some holes and you have some blind spots. Even myself, I'm not omniscient, I can't see everything; having good security, it's kind of a community problem.
It's the same thing with open source; why does open source work? It's because you have many different sets of eyes, many different perspectives who are all looking at the same thing and attacking it from different ways. So, if you decide to go out on your own in Bitcoin and whatever you're doing, if no one else has done that, it's a lot riskier.
Peter McCormack: Yeah, by the way, Danny's just brought this up, "They got my cold wallet too"; that doesn't make sense.
Jameson Lopp: Yeah, I mean I think that when he talks about his cold wallet, he's talking about these keys that he may have generated them offline ten years ago, but I think it's pretty clear that they have been touching the internet at some point since then.
Peter McCormack: Has he tweeted anything else about it since?
Danny Knowles: No, not really, the Samurai Guy has though; I don't actually fully understand what he's saying here.
Peter McCormack: See, one of the interesting things is updating or modernising your security protocols. When I first got in 2017, I bought a Ledger straightaway and I operated with a single hardware wallet, actually no I had two; I had a Ledger which had the majority of my -- it was crypto back then, not just Bitcoin, and I backed up my private key, but that was written and that was stored somewhere in the house; I didn't have a lot back then, we're talking say £25,000. Then I had a Trezor, which was like my day-to-day, and I memorised the PIN, okay. And then what happened is, during that year, that became a meaningful amount of value all on a single hardware wallet with a written -- like I knew I eventually was in a scenario, but I didn't deal with that for a long time.
Jameson Lopp: If your house burnt down, you'd have a problem, right?
Peter McCormack: Yeah, it'll be gone, yeah, I'd be screwed. So, what happened is I eventually got to the point where I needed to sort this out, so the first thing was a metal device, I did that, but that still could have been found in my house by somebody. So, eventually got to multisig just because of Casa, but when I went back to the Trezor, I couldn't remember the PIN.
Jameson Lopp: Uh-oh!
Peter McCormack: Yeah! I hadn't written it down; I knew kind of what it was. I was telling Danny this story earlier because I wanted to transfer it out into my Casa multisig; every time I attempted it, the amount of times I could have another go would go up.
Jameson Lopp: Exponential backoff.
Peter McCormack: Yeah, so I can't remember what it was, say it was like 30 secs, then a minute, then like 3 minutes, then like 8 minutes, maybe it was that Pythagoras theorem and whatever. So, it was about the fifth try I got it because I knew the four numbers-ish, I think maybe five numbers, and then eventually figured it out, so I got there. But that was a meaningful amount of Bitcoin but not a meaningful amount of my stack, but fuck, I didn't want to lose it over time. But I'm now at that point where I've been very comfortable with Casa but I probably need to test my keys.
Jameson Lopp: You should be getting reminders to do health checks.
Peter McCormack: I do get my reminders for health checks, but to do a full health check -- this is another thing. I've discussed, I maybe even discussed it with you, the idea of publicly stating parts of my security. Like one of those things where I'm happy to say is that, to fully test my multisig, I have to get on a plane, and I'm happy to say that and so that's why I haven't got round to it because I have to get on a plane. So, yeah, I can empathise a little bit with Luke in that he's had something, it's worked for ten years.
Jameson Lopp: It works until it doesn't.
Peter McCormack: Yeah, exactly, but you do need to keep updating.
Danny Knowles: This is just following the coins since then, and I think they've actually now, overnight, gone into ChipMixer, which I'd never even heard of before.
Peter McCormack: What's ChipMixer?
Danny Knowles: Just a mixing service; I don't know much about, or anything about it.
Peter McCormack: So, "Luke", they've put Luke-jr, "Luke Dashjr's stolen coins on the move. Started a peel chain"; what's a peel chain?
Jameson Lopp: Well, it just means that they're peeling off amounts in multiple transactions.
Peter McCormack: "The bulk of the continuing to p2pkh address and a smaller amount peeled off to p2sh address remaining unspent. The last two peel address types changed to…" Okay, can they keep following this?
Jameson Lopp: Yeah, the OXT guys are pretty good at what they do. There are a number of folks who are pretty good at on-chain analytics. Of course eventually, over a long enough period of time, the coins just sort of become part of the rest of the ecosystem, they get dispersed throughout many different wallets and services, and it just depends on what the attacker does with them and whether or not they make any mistakes where they could get caught and identified.
Danny Knowles: Presumably, now it's in with ChipMixer, it's over in terms of tracking it though?
Jameson Lopp: It's definitely a lot harder.
Peter McCormack: I hope he's okay. Luke's obviously been a very important person for Bitcoin and done some amazing things, that's why I didn't like the dunking on him.
Jameson Lopp: Yeah, he's a controversial figure for a variety of reasons, but I don't think that that's good reason to wish harm upon him.
Peter McCormack: Yeah, I hope he's okay. Well, yeah, we just have to reiterate to people they have to take their security seriously, they have to keep updating their security, testing their security. So, it's probably a good time then to talk about security planning.
Obviously, we get a lot of emails in the show, some people asking me about security, people bought maybe a Ledger and say, "What should I do?" People get very, very nervous about using their Ledger, say, for the first time, and I have, it's almost a copy and paste email now, it's, "Set it up, back up your private key, buy a metal seed storage device, transfer $10 in, wipe it, restore it, check it's still there, then send 10%, send another 15%, and then build up --"
Jameson Lopp: That's really one of the most important parts that I'm actually kind of disappointed, as far as I'm aware, none of the hardware manufacturers out there say, "Hey, you should set this all up and then you should wipe it, and then you should reload it"; that wiping and reloading is one of the most important things. And one of the ways that I think a lot of people lose their coins is they just don't test the recovery, and then the first time they go to test it, they find out something's wrong.
Peter McCormack: Yeah, they make a mistake writing down the recovery keywords.
Jameson Lopp: Yeah.
Peter McCormack: Yeah, it's the same set of instructions. So, I'm kind of looking to you more for your advice; what are the logical steps you would say to somebody brand new to Bitcoin, not technically competent, what would you say the first steps are?
Jameson Lopp: Well, it depends on what value we're talking about; if someone's dealing with $10 or $100 then I don't think they really need to put a lot of effort into thinking about security, if it's a trivial amount that you would not really care about losing. The flipside is, I think that whatever amount you do have, you should multiply it by ten and that should be the amount that you are thinking about needs to be secured, because of course it's a very volatile space and you can very easily, like you said, go from having $1,000 to $10,000 or whatever, 10X the amount that you had and your security level is really only appropriate for one tenth of that.
So I see it as, if you're dealing with pocket money, then you're fine just using a software wallet on your mobile phone or your desktop or whatever because you're probably not going to lose any sleep if something catastrophic happens to that. If you're dealing with a level that is thousands of dollars, if you're talking about a month's wages or more, non-trivial amounts, then you should at least spend $50 or $100 and buy a dedicated hardware device for those private keys.
Peter McCormack: Look, the hardware devices, the main players are obviously Ledger, Trezor, COLDCARD are the main ones; are there any newer ones and do you support any other ones?
Jameson Lopp: Yeah, there are a lot of newer ones and it's actually hard to even keep track of them all.
Peter McCormack: Are there any ones that you, as a company, rate?
Jameson Lopp: Yeah, so from COLDCARD, based off of the COLDCARD platform, there's the Foundation Passport.
Peter McCormack: Can you look that up?
Jameson Lopp: That and I believe it's Cobo. We've started to add some of these devices that support the, it's called the UR2.0 spec; basically it's animated QR codes for sending the data back and forth, and we really like those. Actually, I think Blockstream Jade just added support for this animated QR spec. The reason I like that is that it drastically simplifies the user experience, you don't have these USB cables, you don't have to be plugging stuff in; it's literally point and shoot to transfer the data back and forth for the signing operations.
Peter McCormack: That's a cool-looking device.
Danny Knowles: Yeah.
Jameson Lopp: Yeah, it's not cheap though. I think Trezor still has the most economical, but it doesn't have that animated QR code support, so it's a little less user friendly.
Peter McCormack: Every time I use Trezor it asks me to install a bridge; I don't know what it means.
Jameson Lopp: Yeah, basically drivers so they can talk to your operating system.
Peter McCormack: Yeah, I just trust it and install it, but I don't like going via a browser.
Jameson Lopp: Yeah.
Peter McCormack: I just don't like that. Is Trezor still a browser or have they got software interface yet?
Jameson Lopp: Well, they have the Trezor Suite that I think they rolled out last year.
Peter McCormack: Okay. Have you seen the new Ledger Stax?
Jameson Lopp: I haven't got my hands on it. I think I said at the time, once again, I was disappointed that they haven't added a camera, because if they had a camera, they could then have the animated QR codes for it. So, my understanding is it's still mostly going to be USB-based. Maybe they'll have Bluetooth again like they did with the Nano X, but I'm not a fan of the Bluetooth stuff either because I think, for most people, just the process you have to go through for pairing Bluetooth stuff is beyond a lot of people's capability.
Peter McCormack: Yeah.
Danny Knowles: They do look cool, these, though.
Peter McCormack: They do look cool.
Jameson Lopp: Yeah.
Peter McCormack: I've seen them in person; they are very cool. I don't know, this is me being an aesthetic person, I have multiple wallets for day-to-day things, they're not cheap as well, but having three or four like that is actually useful. But also I travel with Bitcoin, not a lot, but I travel with a small amount of Bitcoin just in case I have to do any transactions while we're away. This feels like an easier thing to carry around with me; it feels like something that goes like wallet, phone, that.
Jameson Lopp: Yeah.
Peter McCormack: Yeah, very cool, okay. And then, when you get into the world of a meaningful amount of Bitcoin, you're obviously going to recommend multisig.
Jameson Lopp: Well yeah. So, when you get to what I would call generational wealth, an amount that is a significant portion of your life savings and that you're probably wanting to hold on to and pass on, that's when you start to want to make sure that you don't have any single points of failure. You don't want one thing to go wrong that could then be catastrophic.
So, there are many different ways to eliminate single points of failure, and obviously we're a big fan of multisig because I think that generally makes it easier. Now, multisig is more complicated than a single-signature wallet, you're dealing with more pieces, you're dealing with more data, but also if you do it right, you can end up with a much more robust setup. But once again, this kind of actually goes back to the discussion with Luke, if you're rolling your own multisig setup, you need to be really, really careful about how you do it because there are many different ways that you can screw it up and still introduce single points of failure.
So, if you're going to go with multisig, then I highly advise using what would be considered a standard architecture, you know, 2-of-3, 3-of-5, not doing anything crazy with scripts or derivation paths or whatever. But the big thing is, of course, make sure you can wipe it all and recreate it, and that's what we're definitely going for if we're talking about something that can go through an inheritance process; it needs to be simple, not just for you, but for your non-technical family and heirs.
Peter McCormack: I think I asked this last time I spoke to you, you've talked then about people rolling their own multisigs, something I'm never going to do ever in my entire life on this planet.
Danny Knowles: You've kind of done it.
Peter McCormack: Have I?
Danny Knowles: With HODL and Phil Geiger.
Peter McCormack: When I lost my key?
Danny Knowles: Yeah.
Peter McCormack: Yeah, exactly! I'm never going to do that shit. At the same time, I trust Casa to roll my multisig for me. In the scenario where you guys are doing big tech upgrades, how much sleep do you lose when you publish the new code?
Jameson Lopp: Actually, I sleep very well at night because I know that we don't have a threshold of keys that could be used against our customers; even if Casa got completely compromised, then no one's going to lose their money. It's the very simple act of each of our clients having to verify their spending operations on hardware and software that Casa has no control over, that's what helps me sleep at night.
Now, that creates challenges for us because it means that we have all these other vendors out there who are changing their software, and we need to keep all of these pieces moving and in play and making sure that there aren't breaking changes, which happen. We actually had one happen a few weeks ago, and thankfully the vendor got it fixed very quickly, but that's part of what you're paying for, is for Casa to be handling all of that technical minutiae to make sure that everything is still operating as expected.
Peter McCormack: Man, I couldn't do it; I would still lose sleep. You mentioned inheritance planning there, so, on a personal level, that's the one thing I haven't solved in probably the best way possible. Now, look, I know Casa has a plan for that, but just say you can't afford that Casa solution, maybe it's a bit too high for you, but you do want to make a plan, do you have personal recommendations for planning?
I have some, it puts trust in certain things, which I don't want to explain here, and I've tried to put a scenario in that doesn't put me in a scenario where anything would be stolen, but in a scenario where something happens, things can be brought together. And maybe, when you explain it, it's similar to what I'm doing, but are there certain recommendations for death planning? Didn't that dude, that old, crazy, Romanian Bitcoin guy who drowned --
Jameson Lopp: Yeah, Mircea.
Peter McCormack: Yeah, he didn't have inheritance planning set up, supposedly.
Jameson Lopp: That we know of.
Peter McCormack: That we know of, yeah.
Danny Knowles: Did he really drown?
Peter McCormack: Did he really have Bitcoin? Was he really Romanian? By the way, he was crazy, right?
Jameson Lopp: He was one of the most eccentric figures in the space, for sure.
Peter McCormack: Who did he death threat; Pieter Wuille?
Jameson Lopp: Andreas.
Peter McCormack: Didn't he death threat Pieter Wuille as well?
Jameson Lopp: Yes, and I think that was for SegWit.
Peter McCormack: Interesting; it's a conversation for another day. Okay, so what kind of advice, recommendations would you have for people?
Jameson Lopp: So, inheritance planning for these bearer assets is a really interesting tightrope to walk; if you keep all your money with a third party then you can just give them inheritance instructions and assume that they'll follow that, but if you're self-custodying, then presumably you want to retain control of your assets as long as you're alive, but then you somehow want this switch to flip when you pass that transitions control to some predetermined entity or set of people or whatever.
Of course, this is not something that you can do within the Bitcoin protocol, or really any protocol, it's the oracle problem; none of these protocols or blockchains have any understanding of "real-world events", so you have to get other humans involved, humans who are going to be doing things like authenticating your death certificate or whatever proof of death there is. There are a million different ways to do it, you can roll your own setup essentially, and some of them may be more trusted than others. I mean, the very naïve thing to do would be to have a trusted friend, family or attorney or someone who has like a fiduciary duty to you, and you just give them the keys to the kingdom and pray that they will be honourable and not access anything.
The more common thing that we see happen is people create what I would call treasure hunts. You distribute keys or you distribute different pieces of keys or passwords or whatever around, across different locations, different people, and presumably they will come together and help reconstitute that. And I should know because that's the type of setup that I had back in the day. I have a lengthy blog post where I went into describing how I did that, but it was very technical and never actually --
Peter McCormack: You never actually died!
Jameson Lopp: Well, I never even actually tested it from the sense of making my executors try to follow my instructions, so I kind of broke one of the cardinal rules there, that it was not well-tested and it very well may not have worked, or it may have been too technical for some of them to understand because they had to run this special Shamir's Secret Sharing software and they had to get the pieces of the decryption keys from different places.
At Casa, we have a couple of different ways that you can do the inheritance, but essentially you're distributing keys so that you retain access and control and custody while you're alive, and then Casa can facilitate essentially verifying proof of death and signing with the Casa key, and then you may involve your attorney or another entrusted entity who would have one key and be able to do the same.
Peter McCormack: So, you have a key, they have a key, where's the third key come from?
Jameson Lopp: So, there's also a Casa mobile key, basically your account key, it's on your phone.
Peter McCormack: So, you give someone access to the phone?
Jameson Lopp: Yes.
Peter McCormack: Interesting. Mine's kind of a treasure hunt, I can't explain what it is, I'll tell you offline, but mine's kind of a treasure hunt. Probably should just get the Casa one, probably ask Nick to give them to me; "Nick, give it to me". Cool, brilliant, okay. Anything else on security we've not touched because I do want to get into tech with you?
Jameson Lopp: I think that's enough for now. Security, it's another rabbit hole and it's a never-ending battle, so there's always stuff to talk about, but it can get a bit repetitive.
Peter McCormack: So, you said it's been a good year in tech, what's the thing you've enjoyed most in tech?
Jameson Lopp: Definitely AI.
Peter McCormack: Okay.
Jameson Lopp: That's what I've spent the most time playing around with, and AI seems to have gone through a bit of a renaissance in 2022. Part of that of course is the software, but also there have been hardware advancements that have gotten us orders of magnitude improvement. So, I was playing around with the image generation stuff, obviously the ChatGPT and other language text-based stuff. Actually, I published an article in Bitcoin Magazine that I don't think I've even told anyone this yet, but the majority of it was actually written with AI; it was this dystopian future CBDC piece.
Peter McCormack: Oh my God!
Jameson Lopp: Yeah!
Peter McCormack: That's an exclusive, What Bitcoin Did exclusive; you've got to dig that one out.
Danny Knowles: Yeah, I'm having a look; is that the San Francisco…?
Jameson Lopp: Yes.
Danny Knowles: Okay.
Jameson Lopp: San Francisco in 2033 or something like that.
Peter McCormack: Okay, let's just read the first couple of paragraphs. "This is a science-fiction piece by Jameson Lopp", okay. "'Good morning'. I'm gently awoken by my smartwatch's soothing female voice. It's a bit robotic but does have a touch of personality and charm. 'Today is Monday'", it's my birthday, "'Today is Monday, 31 October 2033', it continues. 'Your weekly basic income is $3,400 --'" what the fuck?! "Your weekly basic income of $3,432 has been deposited in your account. $1,049 was withheld to pay your student loan. $2,300 was withheld for your landlord, Blackstone Hathaway'. Shit. That's a bit more than last week; there must have been another inflation adjustment". So, what did you do; did you do it bit by bit?
Jameson Lopp: Yeah, I forget which service I even used; it was a prompt generation tool where I could write a basic outline of the story and it would just start filling in pieces. Then I could sort of roll the dice and get different paragraphs and then chose a paragraph and then say, "Okay, now take this and ingest it and do the next paragraph", or I could even say, "Now, delve deeper into this character's back story", and so on.
Peter McCormack: Look, I love ChatGPT, I think it's amazing; Danny, we're using it now, tell Jameson.
Danny Knowles: Well, we kind of used it as a joke first because it came up on the interview with Danny Scott. So, when I first played with it, I typed in some prompts to get a podcast description, and it was pretty good but we didn't use it, and so then, after the Danny Scott show, we did actually use it in his description.
Peter McCormack: Do you want to bring it up?
Danny Knowles: Yeah, I will. I don't think they're good enough all the time, but they give you a really good structure, at least, to work from.
Peter McCormack: It's a bit like with Real Bedford, I do the match reports but actually what happens is the commentator writes a match report and then I go through it and update it, just get it in the style we want, but it saves me hours because he's done the majority of the work.
Jameson Lopp: Yeah, and that's really what I think AI is going to be doing. It's not going to be completely displacing jobs, it's going to be another tool that gives people an order of magnitude performance improvement with what they're doing.
Danny Knowles: So, this was 100% written by AI.
Peter McCormack: Okay, "In this episode of this podcast, I sit down with Danny Scott, the CEO of CoinCorner, a Bitcoin exchange based in the UK. Danny has built CoinCorner into a successful business without relying on VC funding, and he shares his insights on the challenges and opportunities of doing so in the highly competitive world of Bitcoin.
"During our conversation, we discuss the current state of Bitcoin adoption and the importance of making cryptocurrency accessible and user-friendly for those who are new to the space. Danny shares his thoughts on the role of the Lightning Network in driving adoption, and how it …"; do you know what, I haven't actually read this, it's pretty good.
Danny Knowles: Yeah.
Peter McCormack: As I read it, there are a couple of bits I'd change, so like, "Making cryptocurrency accessible".
Danny Knowles: Yeah.
Peter McCormack: It would be either, "Making the cryptocurrency or Bitcoin accessible". "Overall, it's a fascinating --"; well, that's a bit self-indulgent!
Danny Knowles: Yeah.
Peter McCormack: "Overall, it's a fascinating conversation with a true industry leader. Tune in to hear Danny's insights on building a Bitcoin business, driving adoption, and the future of the Bitcoin industry". Do you know what I do like about it, but maybe I don't like about it, it feels more polished, it feels something like maybe the BBC would do.
Danny Knowles: Well, maybe they're using AI. But there are bits that are a bit cringe, but you could use that and then build out off it very easily.
Peter McCormack: Well, if I was writing a description, I reckon something like that, you'd spend 15, 20 minutes, but with ChatGPT, you can do it in 2 minutes.
Danny Knowles: Yeah.
Peter McCormack: You just read through it and edit it.
Jameson Lopp: Yeah, I much prefer to edit something than have to write the whole thing from scratch.
Peter McCormack: And you are testing it for something else?
Danny Knowles: Well, after the show with David Zell, someone got in touch and said we could input the audio from the podcast and use it to generate show notes, which would definitely save time.
Jameson Lopp: Yeah, and I've been doing that myself. I just wrapped up a month-long archival project where -- my problem is pretty much every interview I've ever done is hosted by other people, and over the past ten years, link rot sets in, people take their sites offline, we lose content, and so I got tired of that happening. So, I wrote some scripts to basically suck down every video and MP3 that I've ever been in over the past ten years, and once I had them all, this is 45 GB of files, I then wrote some other scripts to extract the audio, and then yet another script, and doing this all in bulk of course, to take those audio files and transcribe them with OpenAI Whisper.
Peter McCormack: Okay, but is the finding bit, is that AI or is that just Google search?
Jameson Lopp: Well, the finding bit was easy as a result of my OCD because I already have all of them linked on my website, so I wrote a script to basically parse through all the URLs on that website.
Peter McCormack: Can you bring up ChatGPT?
Danny Knowles: Yeah.
Peter McCormack: I just want to try something here. Try this one, "Tell the story of Jameson Lopp", because this is what it's going to do, "and Peter McCormack's day of fun shooting guns". This is what I love; I've done so many of these just like stupid little things.
Jameson Lopp: Oh, it's sad.
Peter McCormack: Oh, so it's looking for a story. See, that's weird because we used to have it writing stories.
Danny Knowles: Maybe if we say, "Tell me a fictional story".
Peter McCormack: Yeah, so that's weird because it used to do that, I was getting it to write stories.
Jameson Lopp: This actually goes back to censorship, they've really been clamping down on what the AI can do, all of these different AI services, because people are abusing them.
Peter McCormack: Yeah, but hold on, but then what's the point in having it? Are they worried about university kids having their coursework written on it?
Jameson Lopp: There are so many different things that people are worried about, whether it's just like low-level biases that are inherent in this stuff, because all of this stuff is being trained off of data, and all of the data is being generated by humans, and humans have biases and so it's going to be representative of some subset of humanity.
Peter McCormack: It's like the internet or Bitcoin can be used for good or bad, right?
Jameson Lopp: Yeah.
Peter McCormack: We know that, with Bitcoin, and I always go back to Peter Van Valkenburgh's Senate testimony where he said, "For every person you talk about using Bitcoin for money laundering, I'm going to tell you about somebody using Bitcoin in Nigeria to campaign against police violence"; I always think that is a great way of telling the story of technology. AI, we can use this to write descriptions and save us time, to do show notes, I'm going to come back to that as well by the way, but also kids are going to be able to use it to not have to do coursework; the cat's out of the bag.
Jameson Lopp: Well, this is kind of like security, this is going to be a never-ending battle. So, I've already seen stories of professors and teachers saying that they're suspecting certain students of using these AI text generators to do their essays for them; and then, just in the past week or so, we saw one university student create an "AI detector".
Peter McCormack: I heard about this.
Jameson Lopp: But this is going to go back and forth, then the AI's going to be modified or people are going to basically be "hacking". With this, it's really more about trying different prompts to work their way around the filters. That's what I would say these AI hackers have been doing, is we're understanding that the people who are running the servers for this stuff, they're filtering things, especially on the image generators because of course there's a lot of crazy stuff you could do there.
Peter McCormack: Yeah!
Jameson Lopp: But there are always ways to work your way around it. This prompt generation is a new sphere of programming language, it's just not a very well-defined programming language, and so people are trying to really push the limits of what's possible with it, and as they do that, the folks that are running these services are then saying, "Oh, we need to stop that", and so it's just the same old issue of censorship.
Peter McCormack: So, interestingly, Danny's just doing a test on an AI content detector.
Danny Knowles: This is the description from that Danny Scott show that was 100% AI.
Peter McCormack: It thinks it's 2% human generated.
Jameson Lopp: It's pretty good.
Peter McCormack: Yeah, interesting. Go and get one of our other descriptions.
Danny Knowles: All right.
Peter McCormack: Just see what happens with that. Going back to the show notes, Danny, what I don't know is, if it can read the content, how does it know what is something we would want as a show note?
Danny Knowles: Again, I think it would probably give you a massive list and you would then have to just cut it.
Peter McCormack: Yeah, same with the timestamps, how does it know what a section is?
Danny Knowles: I don't know if it could do a timestamp.
Peter McCormack: No, it can.
Jameson Lopp: Yeah, it can.
Peter McCormack: The email I forwarded you this morning, he said it can do timestamps. If it gets to the point where it can do show notes, timestamps and transcriptions, it puts people out of work for us.
Danny Knowles: Here you go, I've just put another description in that was human generated and it's got it 100%.
Peter McCormack: That's fascinating, that is fascinating. So, I wonder how it's doing that, what the rules are. But look, whatever, the cat is out of the bag with this.
Jameson Lopp: Yeah.
Peter McCormack: People use it for good and people use it for bad. I think, in this scenario, there's a lot of good that you can use it for, efficiencies; the downside of that is people potentially losing jobs; you could identify that in our world. I struggle to see too much evil it can be used for on text generation yet, but it feels like we're now in this very early stage of this AI thing that might move quickly; the robots are coming!
Jameson Lopp: Yeah, well I think the very first thing I would look at is what do a lot of scammers do and why couldn't you have an AI bot that basically follows the rules for some particular scam that people perpetrate over the internet?
Peter McCormack: Yeah, that's very true, yeah.
Danny Knowles: Can you ask them to write code?
Jameson Lopp: Yeah.
Peter McCormack: I saw somebody who said they put some code in, I can't remember what the language was, and it wanted to convert it to Python, and it converted it to Python and executed and worked instantly.
Danny Knowles: Wow!
Peter McCormack: Can you think of a language you would convert from something to Python?
Jeremy: It'll save them two days of work.
Peter McCormack: So that's Jeremy who's saying it. So, you've seen that tweet?
Jeremy: Yeah.
Peter McCormack: Do you remember what code it was?
Jeremy: I told you it was a function, I don't remember which kind of function. I don't know if it was JavaScript or...
Peter McCormack: So, two days of work was saved converting from one programming language to another. Again, fascinating and great, puts people out of work potentially, but drives efficiencies.
Jameson Lopp: Well, if you think about it, as a programmer, I've always found it to be incredibly inefficient, basically with the interface of how I talk to the machine and how I instruct the machine of what I want it to do. This is why programming pays so well and why it's so difficult, is because the machine does exactly what we tell it to, and the vast majority of time, what we're telling it is not actually what we want, and that's because of the limitations of programming languages and just the complexity of software.
So, my ideal future is a Star Trek future, computer creates a simulation that does this thing, and then a few hours go by and it gives you the results or whatever. Even past that, right now, we have text-based AI; we're prompting it now with instead of having to learn the syntax and semantics of some foreign computer programming language, you're able to use English and probably other languages. I'm not familiar with what they've done with regard to other foreign languages, but there's no reason why you couldn't use any human language, and even that, that's a huge leap forward, but that is only the beginning.
I actually wrote an article about Elon Musk and Twitter and stuff earlier last year where I said, "What I'm really looking forward to is direct neural interface with the machines". Now, of course there are pros and cons, but if you think about it from an efficiency standpoint, of course there are huge security ramifications, but from an efficiency standpoint, even what we're doing right now, me having to think something then having to translate it into English and then it has to get transferred through the air and interpreted by your ears and turned into signals in your brain, that is incredibly inefficient; there's no reason why we couldn't have a direct neural electrical signal to neural electrical signal interface.
Peter McCormack: Yeah, but do you want that?
Jameson Lopp: Well, yes, I'm sure this will create more dystopian outcomes as well.
Peter McCormack: So, Danny's found the tweet, "I just gave ChatGPT 200 lines of JavaScript code and asked it to translate the code into Python. The code parses text using regular expressions. It was complex. Two minutes later, I had Python code that worked flawlessly. The thing just saved me a couple of days of work"; that's fucking insane. So, firstly, I think Twitter is going to get damaged by this. I think there are nefarious actors, as well as just some morons, who are going to spin up accounts with ChatGPT and start arguing --
Jameson Lopp: I've seen them already, and I've run Turing Test questions against some of them, and it's been obvious that they're not human.
Peter McCormack: Mad, but it's just going to get to a stage where talking to people you don't know is going to be pointless. I'm almost going to get to a point with my Twitter, I just only want to see people I know, that's going to become pointless. But I'm also looking forward towards, not looking forward as excited, but just looking forward considering the singularity of all these technologies coming together, quantum, AI, Neuralink. I think it's a bit shit, I think I'm going to want to go and live in a cabin and only speak to humans and have no tech.
I can see a scenario where people start to reject technology and want to live without it. I can see a scenario where I get a bit older and I'm like, "Do you know what, I don't want a phone, maybe an old dial-up, a handphone, and go and live in a cabin somewhere with a dog, Danny pops round occasionally".
Jameson Lopp: Well yeah, especially if you're being bombarded with noise all day long. I'm an optimist so I think that there will be solutions to all of this; one solution, for example, to the issue of noise and reputation on social networks is actually something I've talked about a few times, Hive, they're essentially mapping social networks. They're starting with Twitter, but they've mapped something like 400 different "communities" or call them interest groups or specialities on Twitter, and they're just using the connection graphs to show where are people focusing their attention, and it's a very hard thing to fake. You could spin up a million bots, but you can't convince a million people to follow them.
Peter McCormack: Unless you're a really good bot.
Jameson Lopp: Yeah, unless you're actually creating real valuable content, in which case maybe it's a signal bot, not a noise bot.
Peter McCormack: What's that film where the guy falls in love with an AI bot? Is it Him, She?
Jeremy: Her.
Peter McCormack: Her, yeah; have you seen that film?
Jameson Lopp: Yeah.
Peter McCormack: A brilliant film. She was pretty convincing; he fell in love.
Jameson Lopp: Yeah, I'm sure that will happen.
Peter McCormack: Yeah. It's when they combine it with a real doll; have you ever seen that film, Lars and the Real Girl? Yeah, it's a good film. Yeah, I don't know, man, it's just like all going a bit too far.
Jameson Lopp: Look, this is the thing, this is why it's great to be a technologist because technology is not just going forward linearly, it's accelerating, and so it is very exciting to keep track of, it's also very scary because humans generally don't like change, or at least we like to say that we don't like change; we're very adaptive, humans.
So, in hindsight, you look back over the past few years or decades or whatever and change has been crazy and yet we somehow keep adapting to it, and so we will keep adapting, it will keep creating more and more weirdness. If someone from today was looking ten years in the future, I can guarantee you their mind will be blown by the people who are living in the present day, and the future will be like, "Yeah, this is how things are now".
Peter McCormack: What about combining AI with CRISPR and just saying, like some fucking crazy kid in his dorm, "Yeah, create me something that is as dangerous as Ebola but spreads like COVID, map it out".
Jameson Lopp: Yeah, there are definitely a lot of ramifications when it comes to biotechnology; I'm especially afraid of nanotechnology. There is this one dystopian apocalypse, it's called the grey goo scenario, but essentially that's a scenario where nanobots go out of control replicating and there's no way for us to stop them, and they turn the entire Earth into nanorobots, and there's no way to escape them.
Peter McCormack: Man, see, I just want to go and live in a cabin. I don't know, it's too far. I kind of feel like we've got to live through this golden age of technology and then we might also, because of the exponential nature of technology, live through the start of the dystopian era. You're an optimist --
Jameson Lopp: Yeah, well there's also the Great Filter question, which this is more of an astrophysics question of why don't we hear signals from other species?
Peter McCormack: Fermi Paradox?
Jameson Lopp: Yeah. So, the simple explanation is that every species that becomes sentient and develops technology that is sufficient to start creating signals that propagate through the universe eventually also hits this inflection point, which we may be close to, wherein the power of the technology becomes uncontrollable and they destroy themselves for one of a million different reasons.
Peter McCormack: Yeah, Jesus Christ, man. All right, what about Nostr?
Jameson Lopp: Yes, that's an interesting new protocol. Now what is it? I think it's Notes and Other Stuff Transmitted by Relays is what actually the acronym stands for, and a lot of people are looking at it and saying, "Oh, it's the new Twitter", but it's not a social network, it's literally just a protocol for passing messages around a peer-to-peer network. And these messages are cryptographically signed and they have some interesting attributes, but there are a lot of pros of what you can build on top of a network like that, there are also a lot of challenges that are going to be overcome if Nostr is going to become a globally adopted network.
Peter McCormack: So, it is a protocol, but you can build a Twitter on top of it?
Jameson Lopp: Yes.
Peter McCormack: So, what are its main challenges? Look, most people listening to this will have heard of it, a lot of people will have signed up and checked it out.
Jameson Lopp: Yeah, there are some scaling challenges, there are some security challenges. One of the problems right now is that you have a single public/private key pair and you're reusing that for everything. So, if that ever gets compromised you're screwed, there's no way to revoke that and change to another key; I think that's going to be addressed, of course.
You would want perhaps some sort of hierarchical deterministic wallet where you can migrate what key you're using. There are also ways to do that with decentralised identifiers, of which there are a number of different projects out there which would allow you to have your identity that is then separate from the actual keys that you're using for this. And also, right now, most people who are using Nostr clients are literally pasting their private key into an internet-connected device. There are a few ways around that as well, and hopefully you'll eventually just have your dedicated hardware device that you'll use for that.
On the scaling standpoint, it's kind of like Bitcoin in the sense that it's kind of like a flood-fill network, all of the relays are essentially listening to each other. You can filter things out, but in general right now, if you broadcast a message and it's correctly signed, it's generally going to go to all of the other relays out there. So, there's a question of how much can that scale because we start to see some limitations, whether it's bandwidth limitations, disc storage limitations? What are the incentives; what is the game theory of the network; is it denial-of-service protected?
So, when you run a Bitcoin node, Bitcoin node software has a ton of different denial-of-service checks that it's running whenever it's receiving new data, and if you do something to violate any of those, it considers you a bad peer and it basically cuts you off and it stops talking to you. I don't know the Nostr relays well enough to say if they have enough denial-of-service checks built in; if they don't, then there are going to be some growing pains, and I expect more tools and rules are going to be built around that.
Then there's also just the incentive question of who's running the nodes; why or how are you going to let other random third parties connect to your node; are you going to require some sort of small fee? I know there is an improvement proposal that would allow you to actually attach some proof of work to your Nostr messages, I don't know how widely that's been implemented, but they're just at high level.
There are open issues that are going to need to be resolved, but I expect that the network is going to continue to grow, it's going to have growing pains, and as long as there is sufficient interest in development around it, then people are going to find solutions to these issues.
Peter McCormack: Okay, it's something we need to play a little bit more with, so we'll check that out. Is there anything else that excites you?
Jameson Lopp: Good question. Most of the stuff that I've been doing has been around AI and combining different aspects of AI. I think people see these tools and they don't really extrapolate what the tool's going to be able to do in several years. So, we see people creating images, and right now, all they're thinking about is, "Oh, I can type in a prompt and I can get a cool two-dimensional image", or whatever, but obviously that's only the beginning.
The next steps we're going to see, you know, three-dimensional models; I think this is already starting to happen. We should expect that architects and designers, game designers and whatever, are going to be able to use AI to start generating entire virtual worlds. I've already seen AI image generation added as a plug-in to 3D modelling tools --
Peter McCormack: Wow!
Jameson Lopp: -- so that you can say, "I've created this landscape or this cityscape or whatever, and I don't want to have to spend days finding and applying textures; I'm just going to type in a prompt and I will say, 'Make this building look like Gothic architecture from the 1500s or whatever', boom!". So this is why I say, sure, AI may get rid of some jobs, but in general it's going to accelerate our productivity and be a new set of tools that, much like how computing and the internet in general has affected every industry, I think AI's going to have a similar reach.
Peter McCormack: Yeah, well, until we replace ourselves with robots who are more efficient, there will be that transitionary stage, which is Neuralink.
Jameson Lopp: Yeah.
Peter McCormack: And then we'll just replace the bits of it, like we won't need the body because the body's fucking useless, we can probably make a better body, and then we'll all be gone.
Jameson Lopp: Yeah, but then, kind of getting back to Bitcoin and stuff, the Lightning Network has definitely been interesting to see all of the new developments that have been going on there.
Peter McCormack: Yeah.
Jameson Lopp: I think in my annual report that I put out recently, I showed that the actual capacity of the Lightning Network, it's gone up in Bitcoin terms over the past year, I think it's gone down a little in dollar terms of course, due to the exchange rate.
Peter McCormack: But up in Bitcoin terms is a better measure.
Jameson Lopp: If you're using it as your unit of account, yeah. But in general, we're seeing more and more businesses that are building on top of it, and who knows what's going to happen once we have other assets and other tokens on Lightning? But I also think that this is going to supercharge a number of just other networks and services in the ecosystem.
Kind of getting back to Nostr again, I had a tweet where I said, "It's actually quite appropriate that Nostr was invented by a Lightning developer", because I think that's going to be a very important integration in order to get the incentives right for a network like this. If we can get to a point where we really have these decentralised peer-to-peer networks where the incentives are such that you can access them and use them by actually paying for what you're using, and doing all of this without AML, KYC and privacy ramifications, this is getting us towards more of the anarcho-capitalistic cyberpunk future that I've been trying to build for a decade.
Peter McCormack: Yeah. It's very exciting. I'm with you on the AI; the AI is very exciting. But I think it's really cool that Lightning's growing. I think the different use cases people are discovering for Lightning, I love this idea of moving fiat money around the world on the Lightning Network and bypassing banks, I think that's a super cool idea. So, I think there are lots of cool things happening. I can't believe, after five years, we're actually sat here doing this again; I wonder if we'll be here in five more years doing this, who knows?
Jameson Lopp: If we are, then once again, it's going to be another order of magnitude of weirdness that has transpired since then.
Peter McCormack: Yeah, we might record it in the metaverse and Danny might have been replaced by AI, we might have generated all the surroundings using AI.
Danny Knowles: We can generate it to look just like this.
Peter McCormack: Yeah, it'll be pretty cool.
Jameson Lopp: Yeah, I was really interested in VR, especially at the beginning of the pandemic; there were a number of VR-related meetups and stuff. That seems to have plateaued over the past couple of years, but I'm hopeful that something like Neuralink will actually be like the next step. It's still very clunky to actually put on a headset and there are a number of things you have to configure. If you want a good VR setup where it's driven by a PC, the standalone ones just don't have enough processing power to do the same level of video graphics, etc.
Peter McCormack: Well, there's competition coming into that market because Apple have just announced theirs, kind of.
Jameson Lopp: Kind of.
Peter McCormack: Kind of leaked.
Jameson Lopp: Yeah, we'll see.
Peter McCormack: I've got the first Oculus Rift. When I've used it for what I've used it for, I've loved it, not for gaming; the gaming, there are just not decent games, but the more exercise side of gaming I have liked. So, there's like a thing where these discs fly at you, you either punch them or duck under them; it's a good workout. There's the boxing game, which is an unbelievable workout where you feel like you're in the ring. You need that feedback, so if you hit, it feels like you're being hit, or it pushes your head back, but as a workout, it's fucking insane and it's fun. That's the only stuff I've really liked on it, and I also like getting people to walk the plank and then pushing them over, but that's it.
I'm interested in it, it just feels like there isn't enough money in it for the developers to make the games. Like the boxing game I like, it was made by one dude on his own. It's not like you've got Square Enix, is it Square Enix; is that the company?
Jameson Lopp: Yeah.
Peter McCormack: Yeah, it's not like they've got hundreds of people working on single games yet, so I think maybe if we get to that point, I think it'll be interesting. Have you got a VR?
Danny Knowles: No, never done it, never tried it.
Peter McCormack: Next time we're in the UK, I'll show you it.
Danny Knowles: All right.
Peter McCormack: Have you done the walk the plank?
Jameson Lopp: Oh yeah. The funny thing is I did the walk the plank in 2002.
Peter McCormack: What?!
Jameson Lopp: Yeah, I know, right. This is actually not a new thing.
Danny Knowles: Were you just walking on a plank then?!
Jameson Lopp: So, it was when I was hunting for universities to go to when I was in high school, I went to the University of North Carolina at Chapel Hill and they had one of the pre-eminent graphics departments and they had a room about the size of the house that we're in right now that was their VR lab. This was multimillion-dollar equipment back then, but they let me go through a simulation which it was a plank simulation. The one that you did was probably at the top of a building in a city.
Peter McCormack: It was at the top of the skyscraper, yeah.
Jameson Lopp: The one that they did was literally just over a pit; it was much more simple but it was the same type of effect where you would feel like you would fall off.
Peter McCormack: Do you know this walk the plank thing?
Danny Knowles: Yeah, I've heard you talk about it.
Peter McCormack: Yeah, I'm telling you, I'm not somebody who loves heights, like you feel it, you believe you're up there. I can do it, I can look under my goggles, I can see my floor, and then I can look up and there's no way I'm jumping off the end of that plank, fuck that, I just can't do it.
I like the idea of VR, I quite like the idea of VR in a world where we can make the podcast. We do this in person because you cannot replicate this conversation we're having over Zoom, it just doesn't work, it's different, it's a different conversation, the latency's different, you have different emotional connection, everything about it's different. I think that gap can be closed with VR, I believe it can be, so that's maybe. I'll tell you what, if it's ever available, we'll do that one first, you and I.
Jameson Lopp: Absolutely.
Peter McCormack: Jameson, good to see you, thank you for coming in. Appreciate everything you do; I appreciate you from episode 3 of What Bitcoin Did. Where do you want to send people to?
Jameson Lopp: Well, the easiest way to find me is at lopp.net, and from there you can find all my resources and Twitter account and so on and so forth. But I think the short version, takeaway of a lot of this stuff, you seem to focus a lot on the dystopian aspects, I'm the techno optimist. I think that humanity is going to continue to keep stumbling forward, and there's not really too much use worrying about the million different apocalyptic scenarios that may or may not happen.
Peter McCormack: I will try and be more of an optimist. Thank you for everything you've done, not just for me, but in Bitcoin and just being a general badass. I appreciate you so much, man.