 Vincent asks, I have some difficulty visualizing how the public and private key pair is stored in or by a wallet. How is it done technically? In a full client wallet, for example, cannot a private key that is stored there be hacked? Yes, Vincent, first of all, in most modern wallets, as I said, what is actually stored is not a private public key, but instead the mnemonic phrase. Now, often a mnemonic phrase is protected by an additional passphrase and an additional pin, and that makes it much more secure. I recommend using a passphrase, especially on a hardware wallet and, of course, setting up a pin. In these cases, both on a smartphone and on a hardware wallet, what happens is the software that's running on these devices has certain capabilities to store private information into an area of memory that is somewhat protected, and the degree of protection varies. There are some specialized security chips, for example, such as the secure element that's used on Apple phones, as well as the equivalent on the Android operating system on most modern phones, whereby an application that is using that device can store cryptographic material inside a special area of memory that cannot be accessed by other applications, or that requires additional authentication, such as pin or biometric, and this secure element is protected from all of the other applications on the device, including the operating system, and is encrypted so that it can't be accessed when the device is booted up. That's how keys are stored on these kinds of devices. Some hardware wallets have the equivalent of a secure element made by a variety of chip manufacturers. Some don't have a secure element, have various other techniques for protecting the information that is on the device itself, and these are varying degrees of security, but in general, any such specialized hardware wallet or a well-designed application that uses a secure element of a smartphone is secure. When you go to a laptop or desktop, however, because of the variety of hardware the generic operating system has to use, it is often the case that there is no secure storage capability on the device. What happens then is that the wallet that's operating on your laptop or desktop keeps the information encrypted, and when you try to access it, it will require password, passphrase, or PIN that it will use to decrypt the information that's on the hard drive. Of course, once it's decrypted, it's then sitting in the application memory, which, if the operating system is correctly configured, should be protected from other applications. However, if your operating system has been compromised, and that's a lot easier to do with a generic operating system such as the Apple operating system that runs on Mac computers or the Windows operating system, or even generic versions of Linux such as Ubuntu, in that case, if your device has been compromised and someone has been able to take over root access or administrator access on that device, then they can use the operating system to see the data stored by an application when it's in memory, and therefore they can compromise and extract your mnemonic phrase, which means you now have a big problem. Mnemonic phrases should use passphrases for extra security, but it's very difficult to secure on a laptop or desktop operating system, which is why I recommend using a hardware wallet or a smartphone device. They're more secure in terms of the hardware compatibility. Arwa asks, what is the difference between a mobile wallet and a web wallet that uses a mobile app if they're similar to each other? Why are there two categories? So, this is a very, very important question, and the most important aspect of this is understanding who controls the keys. There are some wallets in which you control the keys, and how do you know you control the keys? Well, if the first thing your wallet does when you generate a new wallet is ask you to write down 12 to 24 words as a mnemonic phrase to create a backup, that is your keys, and therefore you control those keys. They're generated locally on your mobile device. They're not communicated to any type of server. They're not stored by someone else like an exchange or service. You have them on your own mobile device, and you have to back them up, and if you don't back them up properly, no one can help you if your device is lost or you forget your pen or something else happens. So, control over keys is critical in cryptocurrency. I have a slogan that I use to express that called not your keys, not your coins. Remember, your keys, your coins is the fundamental principle of control and ownership in the decentralized cryptocurrency economy. So, the real category isn't mobile versus web. It's where the keys are stored. If the keys are stored on a remote service, even if they are encrypted by your own password, and that remote service doesn't have control of them, there's a very big risk that they can be phished by redirecting you to a fake copy of that website, persuading you to put in your keys and then or put in your password and then stealing your money, which is why a mobile wallet that generates the keys locally where you can restore and backup your own mnemonic phrase is the most secure option. Of course, if you do generate a backup of your mnemonic phrase, you must remember to never ever enter that mnemonic phrase into any application you're not sure is a properly constructed, popular, secure, well-reviewed mobile wallet that keeps the keys locally on your device. You don't enter them into websites. You don't enter them into test sites. You don't enter that mnemonic phrase into an online document. You don't take a screenshot of it. You don't put it on Google Drive or Dropbox. You write it down with pen and paper and you store it as a physical copy in a secure location like a locked drawer or a small fireproof safe or some other thing like that. Web wallets in general mean that somebody else has custody of your keys. They should be avoided as much as possible. Exchanges almost always are custodial and they keep control of your funds and the keys that control those funds and therefore you should never leave money on an exchange. If it's sitting on the exchange, it's not your money. It is a promise from the exchange and you shouldn't just leave it there. When I use an exchange, I will move crypto onto the exchange or fiat onto the exchange, do a trade, sale, buy whatever. Within 15 minutes, I will then move that money out. If I'm selling crypto, I move crypto in, sell it, convert it to fiat and move the fiat out into my own bank account. If I'm buying crypto, I move fiat in, I exchange it for crypto and I move the crypto out. For those 15 minutes, I am sitting like this going, please don't get hacked now. Please don't crash now. Please don't do an exit scam now. Give me my 15 minutes so I can get my money out. There's always that risk of a third-party custodial service. You can minimize that risk as much as possible by doing small trades and never leaving a balance. Exchanges are not wallets. They're not safe unless you are unable to maintain your own keys and maintain your own security. Maybe your parents, for example, the only way they can use crypto is through a custodial exchange. It's not a good model and you should try to encourage people to use a hardware wallet and to learn how to do backups of them, mnemonic phrases themselves. What is the relationship between wallets and IP addresses? There is no correlation between wallets and IP addresses. IP addresses do not appear anywhere in the Bitcoin blockchain or most other blockchains, in fact. While it is possible under certain circumstances for an attacker to monitor your IP traffic in order to try and see if you're generating Bitcoin transactions, that is not possible if you use a VPN. There are a number of other techniques to obfuscate the origin of transactions within the Bitcoin system. We can talk about some of those in subsequent lessons, but the bottom line is IP addresses are not related to wallets. It's not possible to look at a transaction on the blockchain and see where it originated from. You can't see the IP address it came from. That's one of the features that make Bitcoin more private than traditional financial systems. What is your view on the recent discussions between samurai and wasabi wallet developers? I'd like to know the advantages or disadvantages of both regarding privacy. I understand both use coin join transactions, but with different implementations. Could you explain those differences? Unfortunately, I haven't studied the details of the different coin join implementations to be able to offer a well-informed opinion. I think a lot of the arguments happening between developers of different implementations are a healthy competition to a certain degree, but at the same time, the biggest problem we have in privacy is not the subtle differences between implementations such as samurai and wasabi, but instead it's the fact that the vast majority of transactions first of all happen on custodial exchanges where not your keys, not your coins applies, as well as surveillance companies that are using analytics, as they call them, to monitor the use of the Bitcoin blockchain are collecting all of your information. The problem we have right now is not the 5% difference or 10% difference in the implementations between two very privacy-focused wallets like samurai and wasabi, but rather the fact that the vast majority of users on the Bitcoin network do not use any privacy-enhancing technology and don't even use wallets that allow them to have custody of their own keys. So if you're trying to decide which of these two wallets to use, the answer is really simple, both. One is a mobile wallet for smartphones, the other one's a desktop wallet for your laptop, and both are far, far, far, far better at privacy than using a custodial exchange where you don't control your keys or even using any wallet that doesn't really make any attempt to improve your privacy. Privacy is a layered thing. It's not about a single implementation of CoinJoin and the esoteric differences in academic arguments about this are really only at the surface level. In terms of how privacy is achieved, it requires an effort to control many different aspects of the way transactions are constructed and expressed on the network, including protecting against tracing of your IP address with technologies like Ricochet and Dandelion, protecting information about the construction of change addresses and the structuring of transactions, the reuse of UTXOs, and reuse of addresses, and various other things that can create statistical correlation between outputs that can severely damage your long-term privacy. All of these techniques, as well as CoinJoin. Now, CoinJoin is not really a technology, it's a class of technologies, it's really a methodology. CoinJoin simply means creating transactions with more than one participant so as to make it difficult to trace which participant is paying which output for what purpose and removing the ability to do statistical correlation. Different implementations of CoinJoin really can look at this in a variety of different ways. There are implementations that use, for example, a centralized server, which are much, much weaker than ones that use various decentralized technologies to do this. There are the first implementation of CoinJoin required placing some trust in the server. There are CoinJoin implementations that are trustless, etc., etc., but I would say both Samurai and Wasabi today represent the leading edge of privacy technologies and privacy implementations, and so don't worry too much about the arguments about which one is better than the other and use both.