Thanks everybody. I'll probably do a quick survey just to find out how many of you guys are kind of developers, how many of you have invested in cryptocurrency, Bitcoin, Ethereum. A couple of them. How many of you have kind of done something with security at all? Security, a couple of them. Okay, cool. So let's get started. Before we get started, quick disclaimer: all of the views here do not reflect the opinion of my current or past employers. It's all my opinion. You know, just putting the disclaimer out there. So the agenda: we'll go through a quick introduction, a very quick background because, you know, Nitin and Pranay have done a fantastic job. And then we'll kind of talk about wallets, mining, ICOs. ICOs, Nitin covered in detail, so I'll kind of give my view on it, and then we can move on to best practices for individuals. So, you know, the talk is mostly catered towards us as individuals: whenever we are getting into cryptocurrency, you know, what are some of the things that we can do to stay safe, because it's the wild wild west right now and it's like a crazy world. So we just want to make sure what are some of the key things that you can do to stay safe. And, you know, finally the conclusion. A quick introduction about myself: I'm Ashwath. I work as an associate principal consultant at Synopsys. So I used to work for Cigital, which got acquired by Synopsys, and that's, you know, currently where I work. So I did my bachelor's at NIT Surathkal, then went on to do my master's from Texas A&M, worked for Microsoft for a couple of years in security, then decided to come back to India and, you know, that's when I joined Cigital and Synopsys. So how did I get into cryptocurrency, right? So back in late 2012, early 2013, I heard about Bitcoin mining. So I just, you know, put it on my laptop, I let it run for a while.
After like, say, a month or a month and a half, you know, I had like 0.05 Bitcoin. Then I looked it up, it was like a couple of cents. I was like, okay, screw this, my laptop's just getting heated up. There's no point, it's just going to destroy my laptop. Deleted the wallet, deleted the mining software, reinstalled Windows, and yeah, I lost all of it. Probably if I had kept it, it'd be like $400, $500, I guess. So, and then, very recently, I had to do an architecture review from a security perspective and also did a penetration test on a blockchain-based project. So they were trying to do something based on blockchain technology. So that's when, you know, I started getting interested again and I was like, okay, what the hell is this all about? That's when I became an investor, wrote a couple of bots, looked at some of the public and private bots to do investment on my behalf. And also, I'd written a bot where, you know, as soon as I get a signal from Slack, I go invest, via the bot, in a particular coin, then, you know, the bot also kind of sells based on the signal. So these were all, you know, just to experiment, see how these things work, basically to see what is out there. And while I was doing my research for the talk, I found something very interesting: Bitcoin mining based botnet analysis. So this was a paper that came up. And it so happened that the first reference that they had was a paper I'd written for my master's thesis. That is like a full circle of research. That was pretty cool, I thought. So, background of cryptocurrency. So say if you're an individual who'd like to invest in cryptocurrency, there are four big ways. One, you know, you can go to something like Zebpay, pay in rupees, do an NEFT transfer, buy Bitcoin or Ethereum. And the second way is you can go to an exchange, buy an alternate coin, using something like Bitcoin or Ethereum.
And the third way is mining, where, you know, you set up a rig, you can mine, and then you get some cryptocurrency. And the last point is payments. So this is right now, you know, borderline illegal in India. So, you know, we'll talk about the regulation and the legality a little later. So what this says is you can use Bitcoin as a payment method. So Japan does it a lot, where you can go buy milk or eggs or what have you using Bitcoin. So let's kind of talk about wallets. So this is the most important slide. You know, if you kind of understand this, the rest of the talk will be a breeze. So this is the public address. So say if, you know, I want to buy Bitcoin, this is the address, this is my address, this you tell everybody. And this is the private key; this you do not tell anybody. So if others get to know this, then you lose your Bitcoin, irrespective of who you call. Nothing's going to happen. You lose it, you lose it. That's it. So there are different kinds of wallets. So all they're trying to do is, one way or another, try to protect this private key. So I have a quick video just to show, you know, how exactly the whole public and private key thing works. So this is MyEtherWallet. I'll just let you watch it, then I'll kind of talk through it. So if you observe here, this is the address and it says this is the private key. So what this is saying is: print this piece of paper. You can give this to anybody, but please do not give this to anybody. And if you go back in time, so the very first thing that you did, you gave it like a secret key, right? So this particular thing. So what this is used for is, say, you know, you want to store this on email or somewhere. So this particular keystore file is encrypted with the password I give; that's the "50p demo wallet creation" or something of that sort, right? So that is the secret key that I gave. Makes sense? Any questions here? All right. So, different kinds of wallets. There's a hardware wallet.
This is the most secure, but it's a little complex, you know, there's some money involved and all of those things. Then there is a software wallet, where you run it on your computer. Then there is cold storage or paper. So you just print it on a piece of paper, you store it in a locker somewhere. And finally there is the exchange. So this is the easiest one to use. So you go create an account on Zebpay or Bittrex or what have you, and then, you know, they will handle the public/private key pair for you. So all you have to do is transfer from this public key to another public key. So that's all you have to do. They will handle the private key for you. So this is the easiest. Even if you, you know, lose your password, you can still, you know, call somebody, you can say, hey, I forgot my password, and you can still kind of get access to your account. But if the private key is lost, you lose everything. Cool. So, you know, I'll kind of talk about the security risks here. So I'll kind of talk through some of them. So if you look at the latest hardware wallet hacks, right? So you pay $100 for it. And, you know, there have been a lot of hardware hacks. So the two big ones are Trezor and Ledger. So this is very recent, February 3rd, maybe like, you know, five days ago, where they said this: you run this wallet on your phone or a web browser. So what they're saying is there can be a man in the middle attack. So essentially what they're saying is, say if you're sitting in Starbucks and you open this wallet up, then there's a potential that, you know, an attacker can put in their attacker address as the receiving address for the Bitcoin. So if you want to send bitcoins from your account to somebody else's account, to a person A, instead of the Bitcoin going to person A, it can go to the attacker. So that's what they're saying here. So that's the man in the middle attack. But one way to kind of find out which address it is going to is to use this monitor button.
So it'll tell you the address name. So even if an attacker does a man in the middle attack, you can still kind of see. So this is Trezor. So this was, you know, at DEF CON last year, which is like one of the biggest hacker conferences. This was kind of displayed. So this was probably like seven, eight months ago. And what happened here was, so they had a wallet, and say if you're carrying this across the border, especially for US and Mexico, say if you're carrying this wallet across the border, and if they take this for an examination, within like a couple of minutes what they can do is they can read your private key out. So which kind of defeats the purpose of a hardware wallet. So essentially what they're doing is they're shorting the pins between the power and the reset, through which they're able to extract the private key. And if you observe here, maybe I'll move away. You observe here, they're able to also dump the PIN. That's the secret PIN that you give. So it's just like your phone that is locked and you have to give it a secret PIN, right? So it's like a nine digit PIN that they give here. And the nine digit PIN can also be pulled out using the hardware hack. And these are the exchange hacks, you know, some of the biggest hacks, you know, Coincheck, which is like 530 million dollars. And the South Korean hack, Youbit, was also shut down and then came back up. So you're like, all right, what you're saying is pretty much all the wallets can be hacked, then where do I go put my money? So this is where what we call in the security world the risk matrix comes into play. So think of it this way, right? So for the severity of a bug or a finding or a hack, there is something called impact and likelihood. Impact is you lose your coin. So pretty much the impact for all of them is high. Whereas the likelihood, that is how likely is it to go lose your coin.
So in the case of a paper wallet, somebody has to come into your house, get into your locker and steal that paper address. Or for a hardware hack, they have to get into your house or they have to get hold of that hardware device. That's when they can kind of hack it, right? Or the attacker has to somehow follow you to a coffee shop, hope that you log in, hope that you're making the transaction at that point in time. So the likelihood is very low. So that's the reason you would want to kind of move towards the hardware wallet kinds if you're investing a large amount of money. And also, at least this is how I do it personally: like say if I have one whole Bitcoin, I'd probably keep 20% in the exchange so that I can actively use it for exchanging coins, say if I want to like buy, sell and all of those things, and then maybe like 60% on the hardware wallet and another 20% on a paper wallet, just to kind of diversify it. So mining. I know Pranay has kind of spoken about it in detail. So essentially, there are two kinds, proof of work and proof of stake. So proof of work, there are a bunch of miners. And if you set up your rig or your machine as a part of it, you can get some coins in exchange, because you're a part of the network. So that is the long story short; I know it's super simplified. This is a very good diagram. I put up the link here. Unfortunately, it's not very visible. But it's on Medium. And he does a great job at explaining it. So maybe I'll post the slides out and you can kind of take a look at it as well. So he kind of explains how exactly the mining happens and who gets the reward and all of those things in great detail. So mining process: you'll have to make a lot of decisions if you get into mining. So the first thing is you buy hardware, you buy GPUs, you buy a CPU, you put up your motherboard, and then you're like, okay, fine, I have to get into mining. So what do I do?
So then you need to pick a coin, you need to pick a wallet (we spoke about wallets), then you need to pick an operating system, miners, mining pools and monitoring software. So this is kind of optional. So this is the space where, at least from what I have seen, there's a lot of innovation, and there's still a lot of scope for innovation. So, you know, let me give you an example. So there's this guy called SimpleMining. So all he does is he's taken the Ubuntu OS, he's kind of broken it down. And, you know, there's no GUI. But there is a way where you can use a web portal to send it commands; you can say, hey, go mine on this coin, use this particular miner. And he charges like $2 a month. It doesn't look like a lot. But for the amount of work that he has put in, it's a lot of money. And also, another reason that, you know, you guys might have heard of a lot of hacks and a lot of software security bugs in the crypto world. Why do you guys think so? Anybody? Why do you think that might have happened? So one of the common reasons is, you know, hackers put their mouth where the money is. So one of the biggest things for hackers is the return on investment. So say if I put in 10 hours of work, how much money am I going to get back? And cryptocurrency just by itself, the whole ecosystem, is very new. And, you know, even traditional systems have software problems; think about the big banks and all of those things, even those guys have problems, but they've matured over time. And they've gone through multiple security audits and multiple penetration tests, architecture reviews and all of those things. But in the crypto world, it's like, if I put my code out there first, then I kind of win, is the way that a lot of people see it. And unfortunately, they don't do it the secure way. And if you look at the whole security industry, they're trying to move left.
That is, you know, start from the architecture phase and then kind of work towards, you know, while the code is being developed, you know, do some security audits; then when finally the code is deployed as a web application, also then do some security audits. But unfortunately in the crypto world, you know, all of it is done and it's deployed into production. And that's when hackers come and find it, instead of, you know, the white hat people or the security auditors finding issues. So that's the reason why, you know, you see a lot of hacks. And that's one of the reasons why, you know, in newspapers and everywhere, cryptocurrency is not secure. That is not true. It's just that it has to mature over time. And it has not, unfortunately. So even with mining, there have been a lot of hacks. So I personally, you know, went through a loss because I was using NiceHash as my miner. So essentially what NiceHash did was, it's a pretty cool concept, where they said, hey, you just set up a rig and you do not have to do anything else. Just keep our program running. We'll look for the most profitable coin and we'll transfer money in Bitcoin. So all you have to do is let this program run. And once this program runs, it'll do everything in the background and it'll just transfer Bitcoin to you. But what happened was they lost about, I think, 70 or 80 million dollars; it says 60 million here, but yeah, it keeps changing. But what happened there was, with NiceHash, you know, they lost. So with mining, what happens is, like, say if there are miners one to ten, they don't want to transfer the amount till it reaches a certain threshold, because the transaction fees are so high. Like say, if you're earning $5 and if the transaction fee is $1, then you're losing 20%. So you'd want to accumulate till $50 and that's when you make the transfer.
So all of these small amounts were taken away by the hackers and they're yet to refund my money or Bitcoin. So I think I lost about 0.005 Bitcoin, just close to like $100. So yeah, they're yet to refund my money. And you know, the small ones, so if we go back here, if you see here, the mining pools have a certain percentage fee, right? If you observe this guy, the Noob Pool. So the Noob Pool is just like the name. It's all a bunch of newbies getting together. They're like, hey, let's create a mining pool. Let's have 0% mining transaction fee. They've been hacked like three or four times because they have no security controls. So my advice to you is, even if you pay a little bit of a percentage fee, make sure you go with a big name, so that you don't lose a lot of money. So these are a bunch of the small names and, you know, they've been hacked multiple times. So mining observations. So I was doing mining and as a part of it, you know, I was doing a lot of research, right? And there's like absolutely ridiculous advice on the internet. Please do not listen to this guy. The guy who's given this advice has about 70,000 followers. And it has like 100,000 views. So I'm really hopeful that all of them have not taken his advice seriously. So his video says how to turn off Windows updates permanently, and other crypto mining operations. So essentially for a miner, uptime is the number one metric that they care about, because for every minute that your miner is not running, you're losing money. So that's the way miners look at it. So what he was trying to say here was, I want to turn off Windows Update so that, you know, the uptime goes up and there's no downtime because of installing Windows updates and because of the reboot. But internally what's happening is somebody else can hack into the system and, you know, they can take away all the Bitcoin; or worse, what can happen is you're probably getting only 80% of what your miner or the rig is capable of.
The remaining 20% is probably going to an attacker. So that's kind of the way. And also there's another operating system called ethOS, which is mostly for Ethereum mining. So what happened here was these guys charge about $40 or $50 for the OS. This guy's put it up on a torrent. So most likely, you know, with this torrent, they're probably taking away some mining power from you. So how many of you are doing Ethereum or any mining on your phone? Any show of hands? Okay, let me ask you this question. Let me frame it another way. In the past like six months, have you ever seen your phone heating up for no reason? Like you're not using it at all, and is it heating up? A couple of them. So what happened here was there are a lot of miners on the Play Store and the App Store. So what they say is, we give you 0.0-something Ethereum a minute. So one of the guys who works for me, he was like, hey, Ashwath, can you try this out? I'll get a referral bonus. And if you join, you'll, you know, you will also get some Ethereum on it. I was like, okay. I did the math and it works out to about $20 a day if you just run this particular program or app on your phone. Sounds too good to be true. It's like, a rig that I have, that I've purchased for two lakhs, is probably earning about $16, $17 a day. How can a phone, you know, with very little computation power, earn so much? So then, you know, I started reading up some more on it. Essentially, what they do is, till you reach a certain threshold, it's all in their virtual currency. And the only time that they will transfer it to actual Ethereum is when you reach a very high number, in all probability. Once you reach the very high number, they're gone. By then, they've just taken all your computation power. And probably, in all likelihood, in the background what's happening is you're mining for an attacker, and the attacker is like happy. And he's kind of sitting on the money.
So mining safety measures: you know, apply the latest security patches, do not listen to all the rubbish advice on the internet. You know, make sure your software is up to date. And even if you lose a small percentage, make sure you use a reputable miner. Avoid pirated and cracked versions, both of the operating system and the software. And the best advice: if it's too good to be true, stay away. Like, this is the best advice. If it's too good to be true, same holds with ICOs, same holds with mining or anything; if it's too good to be true, stay away. So ICO hacks. Nitin spoke about it in depth. So there have been a lot of hacks, let's just put it that way, on ICOs. And one of the reasons why there are a lot of hacks on ICOs is they're easy targets. They've not gone through a security audit. They're like a bunch of people getting together who want to get shit done. And unfortunately, it just so happens that they don't think about security a whole lot before putting up a web server or before sending out emails. And this is one of the reasons why ICOs lose a lot of money. So let me talk about a recent case, or two recent cases. One of them was, you know, they'd set up a website. On the website, you know, they had an address where you had to send currency, right? So what happened was an attacker went to the website; all they did was they just changed the Ethereum address to the attacker address. And the ICO founders had no idea that this had happened. And all the money had gone to the attacker. And here are the poor investors who lost all their money. And also there are the ICO founders who did not get any money out of it. So their name is spoiled. And also the investors have lost their money. So just be a little careful and just make sure that, you know, while you're investing in an ICO, you're sending it to the right address. Also, the second case was a phishing email. So a phishing email is something that looks like a legitimate email.
But so what they did was they just changed the Ethereum address in this place as well. So all the money was sent to an attacker again. So validating ICOs: Nitin's given a lot of good pointers. But some of the things that I was kind of using were, you know, just look at the white paper, just do a super quick plagiarism check. While I was preparing for the talk, you know, I just went through a couple of the ICOs and I just ran a plagiarism check. So you can get it free of cost. There are a couple of free tools that do it for you. There's also Grammarly, which is paid software, but, you know, they're still pretty good at it. So what I found was, I looked through maybe 20 ICOs and I found at least three of them had just ripped content off other white papers. Just like copy paste, copy paste, copy paste. And this is like, it's super easy. Anybody can do it. So one of the things that I would do here, then, is look for grammar checks. When you upload it on things like Grammarly, it will tell you if the language is not good, if there are any grammar mistakes. And also look at the team. So the right side is like an excellent example. So this guy is supposed to be the marketing head, but he is like on BuzzMuslim.com, which is like a dating website. So they have taken the picture from BuzzMuslim.com. They've made him the marketing head with, I don't know what his name is called. It's like, it's a Spanish sounding name. Let me see if I can read his name out. It's marked in Autis. So yeah, just make sure that you run quick checks. So also look at the currency split and how they're raising money. So this is also an important piece. And how many of you have seen this puzzle before? One? Nobody else? This is like a super interesting puzzle. So it's been around for three years. So this was done by an artist. It was like 4.75 Bitcoin as a bounty if you solve this puzzle. It's been recently solved, like say in the past month or so.
So this was super interesting. There were like a bunch of people who liked solving puzzles and they were like actively looking to see, you know, how to kind of solve this puzzle. And something even more interesting happened: like, some Bitcoin was transferred to this address, to this public address. And they were like, what the hell is going on? And then there was this guy who came and complained and said, I've lost 9 Bitcoin from my blockchain.info address. He said, I've done two factor auth. I use a separate VM. I do everything possible and I've done everything right. But how the hell did I lose 9 Bitcoin? And what had happened was, the place from where he lost the 9 Bitcoin came the additional, no. The guy who stole the 9 Bitcoin sent some additional money to this puzzle so that it would create some awareness. And then he wrote like a super long blog about it. So, okay. So I'll maybe, you know, post the link on... I'll put it up on my slide so that you can take a look at it. So essentially what he said was, here's his conspiracy theory. His conspiracy theory is the private key that we saw initially is derived from the public addresses in the blockchain. So if you think about the blockchain, you know, there's transaction one, public key one to public key two. So he says, if you do a SHA-256 of the public key one, then that's how I kind of arrived at the private key for this particular address, is what he says. So he says somebody has put in some malware or a back door in the whole blockchain through which I'm able to kind of get private keys or guess private keys. So he has a repository of a lot of private keys for all of the transactions that have gone on from 2009 to 2017. And he thinks, or he kind of claims, that these are the private keys for some of the Bitcoin addresses. So that's how he could get the nine Bitcoin and he kind of transferred some Bitcoin to this. Then he gave it back to this guy as well.
So long story short, you know, this guy got his Bitcoin back, and he donated some Bitcoin to this guy, and he kind of exposed some quote unquote conspiracy theory. So kind of running towards the end of my slides, but price manipulation. How many of you have heard of pump and dump groups, like pump and dump? Great. A lot of them have heard. How many of you... I'm not supposed to ask it, but if you've heard of it, you might have used it as well. But it's not always a good story or a good ending when it comes to pump and dump. So here is a pump and dump signal from a pump and dump group. They say, we give you the signal here, but the profit is here. So you get a 150% profit. But if you look at what has happened in the background, now the owners behind the pump and dump group would have started investing here, then they would have predicted the signal here. So this is where all the innocent buyers buy the coin. And as soon as you buy the coin, it might have gone up a few percent, but, you know, it's dropped a huge percentage after that. So this is where they start dumping the coins. So, you know, there are multiple examples for it. And here's another story from an actual hacker, or at least he claims to be an actual hacker. So he's gained like a lot of bitcoins, right? Like you see 500, 140, 100,000 dollars. I don't know if this story is true or not. I don't know if he's the actual hacker behind all of these things. So what he's kind of saying here is he started in 2013. And in 2013, when he started, he said, I was just sending phishing emails. I was looking for people who would reuse their passwords in different places. So you put in the same password in multiple places, then pull the Bitcoin out. So he was kind of successful, pulled five Bitcoin out. You know, the cost of one Bitcoin was probably about 100 dollars. So made about 500, 600 dollars. But then he was like, okay, I need to look for more.
So that's when he started, you know, looking at SQL injection on third party services which would kind of support Bitcoin. So he got about 100 Bitcoin there. Then, so this is where it kind of got interesting. He said, I could use Mt. Gox. And apparently this guy had like 10,000 Bitcoin at that point in time. And because there was a limit on the number of Bitcoin you could transfer per day, he could only transfer 140, is what he says. He could kind of get his password using SQL injection on one of the websites. So SQL injection is a kind of application vulnerability through which you can extract data from the database. So finally, he says, I kind of put a Trojan in an infected wallet. This is where I was like, okay, maybe this guy is not the real deal. So he says I could pull out like 100,000 dollars because of this infected wallet. So general security measures. So this is for everybody. So if there's one slide that you would want to take a picture of, this is the slide. And if you want to take away key things: add two factor authentication on all of your key transactions, and make sure that, you know, even if it's a little painful, you do it, because it's going to save you a lot of money. And, you know, IP whitelisting; some of it depends on the exchanges. Like say if you log in from a different IP, they'll say, hey, is this really you? And they'll ask you to kind of click on a link in your email. This, you know, you cannot do anything about, but it's mostly the providers. Use a strong password and do not reuse your passwords between, like say, your email and, you know, an exchange. And notifications on transactions: like if the exchange enables it, you know, just go click it, so that at least if a transaction has happened, you'll know about it. Then for PC, this is general advice. So if you have a PC, you know, set up a VM on it and have a dedicated VM where you do the bank transactions, and have another VM where you do email, browsing and whatever you would want to do.
And do not do any actions on the host machine, because it kind of defeats the purpose. And here's an excellent article to kind of set up this machine. And finally, to the legality: you know, Mr. Arun Jaitley, the Finance Minister, has said cryptocurrencies cannot be used as legal tender. But what some of the experts say is gold is also not a legal tender. Does it mean it's illegal to buy gold? No. So we do not know what the regulations are going to be. So they're still figuring it out. And finally, you know, blockchain technology is here to stay. Legality, let them figure it out, but we can only do so much, you know, how much we can do. So make sure you stay safe while you're operating on cryptocurrency. That's pretty much it.