Hashing It Out

Episode 37 · 3 years ago

Hashing It Out #37 - Base Zero - Matt Zimmerman and Ken Sedgwick

ABOUT THIS EPISODE

Managing crypto keys is difficult enough for private holders, but when managing large portfolios of cryptocurrency assets on an institutional level, the risk surface increases tremendously. Base Zero has devised a suite of tools to manage multisignature signing over an air-gapped signing device and a sharded backup system to ensure security for large organizations. This unique approach enables these institutions to mitigate risk associated with large fund transfers without any one single person being able to compromise the system and with highly secured disaster recovery.

Links

  • https://medium.com/base-zero/the-state-of-security-5667048d3923
  • Whitepaper
  • Matt Zimmerman: https://www.linkedin.com/in/mdzin/
  • Ken Sedgwick: https://www.linkedin.com/in/ken-sedgwick-83541/

Entering forecast work. Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks.

Welcome back to Hashing It Out, everybody. This is episode thirty-seven. As always, I'm your host, Dr. Corey Petty, with my cohost, Colin Cuchra. Say what's up, everybody.

What's up, everybody. And start thinking about more clever things to make me say in the beginning of that; they're getting a little boring.

No, I like it. I mean, it's consistent. Consistency is king, right?

Sorry, hook, you don't... consistency, just consensus. Right.

Yeah, they said, going with the theme of how everything works in cryptocurrency, consensus is the best. So our guest today is Base Zero. We have Matt and Ken on the phone, or on the Meet, or on the Google Hangout, or whatever you want to call it. Why don't you give us a quick introduction, starting with Ken, as to how you got into the space and what Base Zero is about?

Let's see. I guess it was probably five years ago, I got real interested in Bitcoin and wanted to learn more about it, so I wrote a Bitcoin wallet to learn about the technology and meet people, and in those two dimensions it was a big success. I didn't actually want to maintain a wallet for the rest of my life and went on to other things, but some of the things I learned while building the wallet were that there was a lot of trust involved, and that understanding where the secret material was held and how it was maintained was super important. That stuck with me, and so some of the people that I met, specifically urn Cupperman, later we got together and said what the world needs is a much safer way to store crypto, and thus Base Zero.
Yeah, and of the three of us who founded the company, I'm the newcomer to crypto. I've only been really interested in it, especially at a technical level, for the past couple of years, and the company is about a year old now. I was actually working with our third co-founder on a Lightning Network project, kind of setting up a test Lightning network and putting it through its paces just to learn more about the technology. And a contact of his actually approached us and needed some help with a security system for an exchange, and as we dove into that and understood the requirements more, it became clear that this was not a one-off kind of a problem, but that lots of other institutions were going to face similar kinds of issues, and so we decided to turn it into a product.

So let's go with a quick overview of what Base Zero is. What is the offering? What are y'all doing? What are you solving that other people aren't quite getting right?

So what we've built is a cold storage solution that's designed specifically for institutions. It's based on on-chain multisig, we use offline key-holding devices, and it's from the ground up designed for institutional custody of crypto assets. We support a range of them: Bitcoin, Ether, ERC-20 tokens, XRP and more, and it's a good combination of the best level of security that you can get with being pretty easy to use. So we've tried to be really uncompromising about both of those things and be very strict about what you can and can't do with the system, but also be very accessible so you don't need to dig too deeply into the technical details.

So, from a user standpoint, what does your system look like? Can you describe it to our audience?

Yeah, so it has two parts. There's a software and a hardware component to it. The software component is a pretty normal-looking web app which you can use to create wallets and to make transactions, and then there's a handheld device which you use for the actual signing of the transactions, and that's where the key material lives and where it stays. And so you use those two together in order to execute multisig transactions to move funds out of cold storage.

Now, these devices that you talk about, these are not like... So you have a web app and you also have a mobile app, but the real key here is air-gap signing, and I'm hoping maybe you could talk to us a little bit about why you designed it that way. I mean, it's not something you can't technically replicate, but it's something that you guys are doing very well, and I want to see if you could talk a little more about how your system actually is doing these signings, and what the advantages are through this air-gap signing. Yeah, so, by the way, some of our audience may not know what air gap means.

Okay. So air gap means that the device in question is never connected to the network, and in our case they don't even have a radio, so there's no Wi-Fi, there's no Bluetooth, no nothing, not even USB.

Not even USB.

And the point of that is that most attacks come through the network.
So you connect an unapproved device or go to something on the web, and the next thing you know, your device has been compromised. So by keeping the device cold, by keeping it off the network, the secrets that it's holding are protected. We don't really want to be a hardware company, but when we looked around there wasn't any hardware easily available which had the right characteristics for us, so we ended up building our own hardware. The hardware is constructed out of commodity components. This is important: when you build hardware that's highly specialized for cryptographic purposes, people can see that, and folks in the supply chain can say, oh, that's a treasure, it's going to hold cryptocurrency someday, so it would be worth my while to modify it so that I can attack it in the future. Our hardware is built out of completely off-the-shelf, standard components. So we have a standard display, a standard CPU card and a standard camera. Those components are used for many, many, many other things, so it's difficult to identify which ones would go into a crypto device. We put them together and build an offline signer. The signer is where we generate the keys (we should probably talk about that at length), and then the keys are held only in the offline signer. Actually, there's an exception to that. You need to create a backup, and so we have a system for creating a sharded backup where the different components of the backup can be kept securely in different locations. Questions?

Yes, absolutely. So first, I'm assuming that the key derivation comes from the standard methods that people use now, where you have a twelve or twenty-four word seed that then provides the entropy for doing key derivation using HD wallets. Is that true?

That's correct. So our derivations are compatible with other solutions, so that you could take the key derivation from our system and put it in a different system and use all of the keys the same way. We're against doing anything in a proprietary fashion which would prevent the user from using other components as necessary.

And the other part of that which I wanted to get into is the sharded backup, because that, in my opinion, is one of the most vulnerable points of any key management system: how the user does the backup. Typically, in some cases you'll see users, if we're talking about wallets that are on phones, take a picture of their seed phrase and keep it in their hand.

That's right.

And it's like, it doesn't work. And if you do something like this, and people don't quite understand this yet because the technology is new, the more you make your seed phrase vulnerable, every single guarantee the wallet may have in terms of security is completely nullified. So it doesn't matter how secure something is if the thing that backs it all up isn't secure.

One of the advantages that we have there, and what's different about what we're doing, is that this is very much a product for institutions, not for consumers. So people aren't just downloading something from the Internet and trying to do it themselves. We're working hand in hand with our clients to get them set up and make sure that they follow a secure protocol for doing this.
Yeah, but you're absolutely correct: the backup is the entire foundation of your security, and so if you do a bad job of it, you lose. However, it is possible to do a good job of it, and it should not be prohibitively expensive. So we recommend, for example, that you use a product like Cryptotag, where you hammer the passphrase, the mnemonic passphrase, into titanium metal and then store it in safe deposit boxes or safes or appropriate spots.

Yeah, so if any one of those shards is compromised, they don't reveal the key on their own, and so by storing them in multiple secure locations, it's a comparatively easier problem to secure something that you virtually never use. So you only need those backups in a disaster recovery scenario, so you can lock them down, you can keep them in very secure locations. The problem comes when you actually need to use those keys to sign something, and so that's why we have these two parallel systems. We have the device which you can use to sign as often as you need to, and the backup which you keep separate and almost never touch.

And I'm assuming... you say sharded backup. Does that mean that you're breaking up the seed words into different sections and moving them around, or are you just redundantly storing them in multiple places?

We're using a scheme called Shamir secret sharing, which, if not all of our listeners are familiar with it, is a mathematical method of dividing a key into multiple pieces, which is quite different from just taking the twelve words and breaking them into three groups of four. They're split up such that if you have any one piece, you cannot derive any part of any information about the key, but if you have, say, two out of the three pieces or three out of the five pieces, then you can reconstruct the whole key.

Okay, that makes sense. And so, as our audience does have an engineering background, the way that Shamir works, just for some of you because we keep bringing it up, is basically this: if you have a polynomial of, what was it called, order n, you can figure out exactly what that polynomial is if you have n plus one points. So if you have a polynomial of size four, meaning its highest order term is x to the fourth, if you had five points you can actually figure out exactly what that polynomial is. And so the idea behind Shamir secret sharing is that if you add a constant to that, that constant is your secret. So it's just a number, and in order to find out what that number is that makes that exact curve, all you have to have is five points on that curve, and you can figure out exactly what that constant is. That constant will be your secret. So it's a pretty cool little trick of math to actually divide up a share. What you do is those points would kind of be used to create the secret. So they're basically the number before, so like a x times b whatever, they'll be like the a and the b and whatever. What's it called, the multiplier before? What is it, the... what's that? Coefficient. Coefficient, thank you. That's right. That would be kind of like the way that you actually can derive this new curve. And so you derive the curve, actually figure out where it is, and that would actually tell you what the constant is.
And when you know what the constant is, that basically is your secret. So unless you have all the coefficients for the rest of the polynomial, you're not going to be able to figure out what the secret is. And that's basically the basics behind Shamir secret sharing. So you can actually send out the coefficients for each one of the terms of the polynomial to different people, and until you combine all those terms together, you're not going to be able to figure out what the actual coefficient is... I'm sorry, what that constant is.

And you said your passphrase goes into basically titanium, so it stays there forever, because I think what a lot of people don't quite understand is that if you put a hard drive in a security vault, five years later the drive it's part of may not be the same hard drive, just based on memory volatility.

Yeah, and also, you know, technology changes. Sometime from now you might not have the hardware to interface with that drive. It was pretty vast. But how we use this in practice with the Shamir secret sharing is that, since our system is based on multisig, there are actually several keys and each of them needs to be backed up. So people will do a scheme like this: each key holder will create three shares. Let's say that there are three keys and each of the three key holders creates three shares of their key. There are nine total shares, and then they'll exchange them. So each person has one of their own shares, one of the second person's shares and one of the third person's shares, and so alone they can't construct any keys using those shares, but any two people can actually construct all of the keys.

That's an interesting way of doing multisig.

Yeah, and so it mirrors the two-of-three multisig quorum in the backup.

Okay, that's an interesting way of doing it, and I assume that the multisig lives on a smart contract on Ethereum or some other platform. Where does that live?

That depends on the cryptocurrency in question. So Bitcoin has multisig built into the protocol itself. For Ethereum we use a smart contract, and in Ripple they added multisig into the protocol itself as well, but it wasn't in the original Ripple protocol.

A little more about the Ethereum smart contract. There have been a lot of Ethereum multisig contracts, and some of them have had trouble.

That was my next question that this was going to lead to.

Yeah, so we got on board... I can't remember the guy's name, but the name of the contract is the Simple Multisig.

Christian Lundkvist.

There we go. Thank you. But the philosophy is to do the absolute minimum necessary to generate multisig behavior. So we can send funds and we can make contract calls, but we don't implement the hundreds of other features that people put into various multisig contracts, because we feel that the attack surface, or mistake surface, is too large. So this contract is quite small, and it's been used by a number of people, and so we feel like it is more secure than the more complicated ones. But it was very important to us to have all of the multisig operations actually enforced by the blockchain. There are a lot of other systems which are using, say, Shamir secret sharing to manage the actual signing key, and then there's only a single key on the blockchain, but each party is holding a share of it, whereas in our case it's true multisig enforced by the blockchain, regardless of which cryptocurrency you're using.

Cool. So, getting a little more into the product and what the user experience of that product is like.
I'm an institutional user and I'd like to send money to someone else: a customer, another bank, whatever. I'm trying to execute a transaction. What are the steps I would take using your system, and what makes them so unique?

Yeah, I'll use the example of a cryptocurrency exchange, which everyone will be familiar with. Exchanges keep most of their funds, around ninety-five percent, in cold storage and only require about five percent to be in an operational, online wallet for distribution. And so someone in the exchange will determine how much of an asset needs to be withdrawn from cold storage in a given week or period of time, and will log into Base Zero and create a transaction which transfers those funds from the cold storage wallet into their hot wallet. And that's just an unsigned transaction at this point. It specifies what the destination is and the amount and so on, but there are no signatures on it. It can't go to the blockchain. It's just a record in our system. And then each of the authorized signers for that cold storage wallet receives a notification that says, hey, there's a new transaction that needs to be signed, and then they log in. They can see the transaction in their browser or on their phone, and when they're ready to sign, they use their offline signer device and they actually scan a QR code from the web application that contains the unsigned transaction. And then, and this part is really, really crucial, the device actually fully decodes the transaction and displays all of the details on the device. There are a lot of more consumer-grade key management solutions out there which will protect the key and allow you to sign with that key without exposing it, but it's hard to tell what you're signing. So we display the full transaction on the offline device, where you can trust that it hasn't been tampered with, and then you decide, okay, this looks good, I'm going to sign it. And once you've done that, it presents the signature, again in the form of a QR code. You hold the device up to your phone or laptop to scan it and you're done.

And yeah, it's really cool. It looks like a little Game Boy, like you've got a little game console or a Game Gear or whatever. It's a little device that actually has a screen and an interface; it tells you everything, it's on there. It's extremely extensible in that respect, in that in the future you could totally add features to this device because of the nature of it: it has its own visual input and visual output, basically, because you can read in from the camera and you get output on the screen, and then it can also output to another system from the screen through the air gap. I think that's really neat, in that you can add richer features if necessary. So it actually could technically become a development platform.

Yeah, we've already extended it in a number of interesting ways, including, like, you can configure an address book, a whitelist of destination addresses.
So in an institutional context, when you're transferring from cold storage, typically you're not sending to a million different places, but you'll transfer to an intermediate hot wallet and then manage from there. So if you're only transferring to a few places, we help you to make that secure by actually keeping track of what those addresses are offline and validating that, and warning you if the address is not one of the expected ones.

Can we maybe shift gears a bit and talk a little bit about the business case of catering to the institutional investors? Like, what is that market, and who are the clients? Why is it so big, and why did you build a business around it?

Yeah, well, see, the world of financial institutions has really taken notice of cryptocurrency in the past couple of years, and a couple of things have happened. For one, there's a lot of demand from their clients to offer services related to cryptocurrency. There are opportunities for investment and, you know, in their regular financial operations, to leverage cryptocurrency, and also there has been a great increase in the amount of value in cryptocurrencies. So at the same time we have institutions who see a big opportunity, are working with relatively leading-edge technology that they may not yet have deep expertise in, but where it's very important to keep it safe and secure. So we try to enable both what we call crypto-native institutions, who have kind of started out in the crypto world, but also more traditional financial institutions who are expanding into cryptocurrency, and we see demand on both sides of that. And for institutions who have been working with crypto for a while, they've been through a couple of booms already, and they may have felt comfortable keeping their assets secure using a consumer device or even something homegrown, but then a couple of years ago it went ten x in value, and now suddenly that feels a little uncomfortable, and like they may want to take some stronger measures to mitigate their risk.

So how do you sell this to them? One of the interesting things about what you guys are doing is that you actually have a product with customers that is directly following a traditional product model. A lot of the stuff that's on the market right now doesn't follow a traditional product model. I mean, yes, your typical cold storage wallet does, but you guys are actually building what seems like an institutional platform that requires a traditional product model. If that makes...

What do you mean by traditional product model?

Well, as opposed to a token sale, or some sort of crowdfunding kind of way, or even a freemium model or something like that, which I don't consider to be traditional. The fact that you guys are actually going out and making something, selling that thing and then selling the services around it, this is a very, very, very classic business model for the IT space, and it really does fit well with the existing way that lawyers and business managers are comfortable interfacing with an organization for bringing a product in house, if that makes sense, and using it internally. They're not as comfortable adopting an open source platform, or negotiating money around and that kind of thing.
They're very comfortable with purchasing a highly secure device, and dealing with provisioning those devices, granting access to particular entities for those devices, and then having a very consistent purchasing model around that. With token sales, it's like, they don't know how to negotiate something that has a fluctuating value or anything like that. You guys have an actual... like, you could cost out your system. You can tell them exactly how much things are. You can tell them how many they'll need. You can tell them how much they'll need if they need to expand. These are things that they can plan around, whereas a lot of the existing crypto stuff doesn't really follow that very well, making it very difficult for organizations to know how to handle them. So I find that very interesting, in that it's very friendly to these institutions just by default, just by the way it is. And so I was wondering what the sales are like. How do you interface with these people? How do you identify potential customers, and what is their reaction to the fact that you guys can actually support their existing models? Which should be very pleasantly surprised?

Yeah, yeah, that's a great point. I think there are a few reasons why we went that route. One of them is, as you pointed out, it's just much easier for them to interface with us that way. Okay, this is a software product. We buy it, we license it, we use it in the traditional fashion, and so the engagement is pretty clear and simple. Also, a second one is that where our expertise is, is in technology. You know, we don't come from the world of finance. We don't have a big compliance organization. We're engineers, and so we're building what we're good at, and we'll work with financial institutions who have expertise in that world to solve their problems as related to cryptocurrency. And the third reason is that we really believe in the transformative potential of cryptocurrency, and that in order to really realize that potential, institutions need to be in control of their assets. If you are going to try to do the sophisticated types of trading, for example, and do transactions in ways that aren't possible with traditional financial instruments, you need to have your own keys. You need to be able to sign transactions, whereas if you're entrusting your assets to a third party and saying, okay, please hold onto these for me and I'll come back when I need them, you may not be able to do those things. If you don't own the keys, then the cryptocurrency isn't really in your possession.

Does that mean that, because you're a non-custodial solution, you don't have to offer insurances or guarantees around the product or service?

Well, of course we offer assurances and guarantees around the product or service, but they're around the functionality of the service. So, for example, we have a service level agreement and we provide attestations about the security of the product, that it does exactly what we say it does. But since the customer is actually the practitioner, they're holding the keys, they need to store their backup in a secure location, things like this. So we do our part and the customer does their part to that end.

Has the educational aspect of teaching best practices to your clients been difficult, easy? Like, explain that.
Yeah, there's a great variety, and it really depends on the background of the institution. We talk to folks who know this stuff as well as we do, but we also talk to those who are very new to cryptocurrency and need a lot of education. So that is a big part of how we help our customers: to make sure that they do understand those best practices and are able to apply them.

Yeah, the education part is probably the biggest part in some sense, because what we're seeing is a migration of traditional financial folks who know all about finances and regulation and so forth, but the technology aspects of key custody are new to them, and it's very different than anything they're used to. We've been getting some help from the Smart Custody folks. So this is Blockchain Commons. Christopher Allen is one of the principals of this group, and they're doing workshops which teach people the fundamentals of custody. The first workshop was just last month, and it was for personal custody, so it had a set of advice and directions and techniques and technologies for individuals to store their own crypto securely. The next set of workshops are for small trusts, and then eventually institutions, and they build on each other. So you have to kind of understand the personal-level custody first before you move on to institutional-level custody. But we strongly encourage folks to check out what Blockchain Commons is doing with the Smart Custody initiative, because they're really pushing the right stuff. It's important to understand all of the challenges and details of this when you're taking a solution. So we need our customers to be informed in order to understand why our system is better. If the customers aren't informed, then the snake oil man may look good, and so we're trying to get everybody as educated as they can be.

Because key management in general is not restricted to cryptocurrency. Cryptocurrency kind of brought it to the forefront, especially as it starts to become the background of how financial assets are managed, but key management, in terms of holding things that are valuable and digital, is a problem that will continue to be a problem forever, as long as we have to hear that. Yeah.

And basically, the practice of applied cryptography is about reducing information security problems, and privacy problems and things in that sphere, to key management problems. And so at the root of all these solutions there is still a key management issue, and that's the part that we're aiming to solve.

So you have these devices. Actually, this is something I'm not quite sure of. All the signing is done through this website, or not really, it's done through these devices. Yeah, but there's a website involved in this that somebody can propose the transaction through. Is that a SaaS service, or could an institution deploy that internally so they're in full control of your system, kind of an internal-only installation of this, or do you guys keep it kind of centralized, in the fact that you have this proposing system that you own and you control?

Yeah, so there's an online side and an offline side to the system, and the web app, of course.
As part of the offline side, we also run a fleet of full nodes for the various networks that we connect to, and all that infrastructure is multi-tenant. So all of our customers can use it, and we get some economies of scale from that, and so it's relatively low cost and straightforward for them to use it that way. It is possible to license that system to run on premise, but we've very intentionally designed this system so that the security properties are such that it's not critical for that system to be trusted. It's basically passing messages back and forth between the offline signers and the network. And so even if that system were compromised, someone hijacked that web app, someone got the login and password to your Base Zero account, they can't sign any transactions, they can't touch the assets on the blockchain at all. They might be able to try to trick you into something, but there again, that's why it's important that we show you exactly what's going on on the offline device. So let's say that someone puts a bogus transaction into your Base Zero account and says, oh, I want to transfer all of your assets into my account instead. The device is going to tell you, show you right away, that that's actually what's happening. And so the choice that you're presented with is not, you know, yes or no, but saying here's what's about to happen, this is the exact transaction that's being proposed to you. Do you want to sign it or not?

So that leads me to kind of something else. When you have this website that people are interacting with and you have a tenancy, meaning that you know who those people are, so they're associated with a whitelist of addresses, or they have addresses and then a whitelist for addresses they can send to or can sign, or however you want to work that, you know who is associated with a particular address, meaning that you can actually measure the flow of assets going in and out of this particular institution personally. Correct?

Yes. We do have that information.

So is there any sort of security risk, or security protections around protecting that particular data? Meaning that an institution may not want to expose the... you know, it's fine if you're doing anonymous transactions somewhat on the chain, but if you guys have that kind of KYC element integrated into your system, where they know where things are transferring around, is that sort of a potential way, a security point, that you're looking at to protect the users in that respect? Which is why I thought maybe an institution would prefer an on-site version of your thing, where they can actually control that in house rather than having you guys be in control of that particular data.

Yeah, and that's one of the reasons why we do have that option. But again, the way that systems like this are used in practice in an institutional context, those transactions are mostly internal, so moving funds from this cold storage wallet into this hot wallet and vice versa, and so they're not exposed to as much transactional information as you might assume based on the proportion of funds that are there. These are bulk movements of funds in between institutional wallets, for the most part. Like, I still think in a lot of ways we're going to do much better than what's currently happening.
So today, most folks know the cold storage addresses for most exchanges, so large positions moving in and out of cold storage on the exchanges are visible and announced and everyone talks about them. Based on using the key derivation paths that we have, we don't have to reuse addresses. So when an exchange accepts a new deposit, it won't be linked to existing exchange cold wallet addresses, because we use a fresh address. So we think we're doing much better in terms of leaking information to the world.

Furthermore, it's also a matter of how much information you're holding and have access to, which creates a honeypot for people to then try and get into it and find that information. If, based on the use case, you don't have high throughput of transactions, it's more difficult to create address entities through doing forensics on these keys and the flow of money through them.

Yeah, and our focus has really been on ensuring that you can do these transactions in a secure way. I think there's a lot of interesting developments happening, such as, as Colin and we saw at the Stanford conference, especially around more zero-knowledge proofs and constructs for doing anonymous transactions and private transactions, and we will continue to stay abreast of those, and we will certainly support more privacy-centric chains in our product, like Zcash. But that's not the part of the problem that we're aiming to solve right now.

That's kind of what I wanted to ask next, is where do you... you built this solution and a business around it because you think it's going to be useful in a broad amount of use cases in the foreseeable future. But what do you see in the foreseeable future that gets you excited? Is there something that you're kind of planning for but isn't here yet? Is there something that is here but no one's talking about it, that you feel will be a larger portion of the market?

Well, it may sound a little heretical to say that in this environment, but I'm actually really excited for the traditional financial institutions to really get more involved in crypto, because I think that there's going to be a lot of interesting innovation that comes from that, and there are already regulatory frameworks that are in place for good reason, in order to protect customers and institutional clients of these institutions, and we help them to apply those same kind of protections, and even better ones, at a crypto level. And so as those institutions are kind of joining the crypto world, we're helping them to onboard and to adopt best practices.

There's more to that. As the cryptocurrency world gets more sophisticated with blockchains, we're seeing the need to control your keys directly becoming more important. A good example is staking. So currently there's not much staking going on, but with Ethereum implementing proof of stake, financial organizations are going to have to have control of their keys to decide if they want to stake some of that, hypothecate their capital that way in the staking system. And so traditional custodial solutions like Coinbase, where the assets are held by Coinbase, will not be as flexible and won't allow you to engage in smart contract activity where the assets are doing more than just sitting there. So a lot of excitement comes as the cryptocurrencies become more sophisticated and offer more different things you can do with them. The need to control your keys securely becomes more and more important.
Yeah, so we think that any institution that is going to be dealing with cryptocurrency will in the future need to have control of keys, and that in order to realize the full potential of cryptocurrency and crypto assets, that has to happen. So this won't be only something that, say, banks and hedge funds and exchanges need to do, but regular corporate entities, which have a treasury today in the form of, say, a business bank account, will also have a crypto treasury, and they will want to manage that in many cases in house.

So let's just say this takes off. Okay, you've already got some customers. Let's go the happy path. People really like this. The people who are using this right now are very impressed, your customers are very happy, you're starting to get traction. I already saw that at SBC; I know that you're aggressively going out and showing this. In the happy path, you suddenly have a huge book of customers that need their orders fulfilled. Part of the interesting thing about your story is that you're still small, but you need to scale. From what I gathered from Ken, you guys are still kind of putting these things together yourself. How do you plan on scaling the operation of actually physically developing these devices? And do you see maybe transitioning more to a mobile platform as being one of the options for low-cost scaling?

Well, right now the most important priority is security, and that means we have to be careful about outsourcing the assembly very much. By focusing on high-end institutional customers, the number of units that we have to make is not overwhelming right now. So the current optimization is to build the devices where we can see them being built, know where they've been, know who's seen them and who's touched them, and guarantee that when we give a device to a customer, we know it hasn't been in a bad place. As we scale, we'll have to evaluate that and figure out ways to build things securely at larger scale. However, the focus on the high end helps us a lot there.

Yeah, and I think in the long run there will evolve other kinds of devices which are able to perform the signing operation and have the characteristics and capabilities that we need in a device. As Ken mentioned earlier, we're building a custom device just because it's hard to find something that has a good-size touchscreen, has a camera, and doesn't have any radios in it. Basically every consumer device out there is going to have some kind of networking in it, because that's what makes it useful. But in our case we're in this strange position of actually wanting a negative feature there and making sure that it's not networked.

I think the general-purpose computing components are actually an even harder constraint, because there are some solutions where people can build custom things, but then again, the supply chain attacks become... you know, if you order a thousand of those from another country and they arrive in a month, who knows where they've been?
Yeah, and I think people don't quite realize the amount of connectivity that normal devices have, and how a lot of people who deliver quote-unquote secure devices that have very limited functionality mitigate, or kind of get rid of, all their guarantees, because the hardware that they use has a tremendous amount of I/O associated with it. Meaning that, yeah, they only work through various input/output channels of the device, but it actually has Bluetooth and all kinds of other things you can access that get around all the security measures they put around the things they actually use. I mean, this is probably a massively rampant problem in the SCADA community.

Yeah, we see this a lot, and there are a lot of projects that have their applications, especially for individuals who are not securing a large amount of funds, to repurpose, say, a mobile phone to use as a key management device, and they can have a really nice interface. It's a good form factor, it's convenient to use and store, but it also probably has four, five, six different types of radio transceivers in it, and we just don't feel that that's appropriate for an institutional context. And yes, you can not put a SIM card in it, or you can not connect it to a Wi-Fi network. But where are you placing your trust? How can you be sure, especially with so many components being able to be packed into such a small form factor, can you really be sure what's enabled and what's not and what's open to the Internet?

Yeah, obviating those security problems by just never having them as an issue in the first place. It makes you not have to worry about it if you literally can't do it, and that's a very good way to guarantee that those things can't happen, because the device simply can't do it.

Yeah, that's the theme going forward, that the most secure businesses won't have any customer information to protect. By not having something, you don't have to worry about it.

Yeah, we've been through that interesting transition with a lot of data privacy things too, where the problem used to be how do you keep all the data, and how do you keep it backed up and make sure that you don't lose it, and collect as much of it as possible. And now a lot of institutions are saying, well, what information do we really need? And how short a time can we hold on to it for in order to minimize our risk?

So what's the most interesting thing you learned about the space when you started getting into this project? What was kind of surprising about not just institutions, but just building these kinds of things in general?

Well, it was surprisingly challenging just to, I think, bootstrap a business in this space, because a lot of the infrastructure isn't really there yet. As a couple of examples, setting up a business bank account for anything to do with crypto turns out to be kind of a hassle. There are a lot of institutions that, without knowing anything about what your actual product or service is, just the fact that you're in this space is like a warning flag for them, and it's very difficult to advertise your product as a software company that's working with cryptocurrency.
Tools like Google AdWords that are completely standard for all kinds of other industries and products often just are not available to you. That was a bit surprising.

Cool. So what are you most excited about in the space, and how do you see your wallet, I don't want to call it a wallet, but your signing system, I guess, tying into that?

Well, we're continuing to see just an explosion in the number of different crypto assets and experimentation with different chains and different types of consensus algorithms and different types of financial instruments that you can build on top of these, and I'm excited to see... Well, some of those are just kind of replicating things which already existed, say, for fiat currencies and other financial instruments, and doing that for crypto. But we also start to see things that couldn't exist with fiat, and some of the things you were talking about in your last episode with payment channels and ways of moving funds around in real time with very low fees on a global basis, and I think those things are incredibly exciting, and the opportunity for us as a business is to really provide a comprehensive platform for institutions to participate in that whole ecosystem. It's quite a lot of work to keep up with all of the new developments in this area, and we hope that we can make that easier for institutions to participate in, because definitely some of the most exciting stuff is still yet to come.

So, because you guys are multi-currency and multi-tenant, it's pretty much just exchanging one asset, like Bitcoin for Bitcoin, and sending those around. Is there any way to maybe link so you can actually exchange Bitcoin for Litecoin, Bitcoin for Ethereum, etc., etc.? Or do you have any plans for that on the roadmap?

So we currently don't have any plans to become an exchange, but exchanges are awfully interesting and they're our primary customers, so we're very, very interested in ways that we can facilitate transactions through exchanges.

Yeah, I think that's a very interesting idea. Good to know. Roger that. I got the smile, like yeah, we're looking into that, but we can't talk about it. Okay, got it, cool. So I guess that's a great way to wrap up the episode. Is there anything else that you'd like to talk about that we didn't ask you?

Just to mention that our website's got a white paper with some of the details and the justifications for why we've built things the way that we've built them, and we've published an article to Medium recently as well. So I just want to invite everybody to come and check out those resources at basezero.com.

We'll definitely include that in the show links with a few other things you've mentioned. How could people get a hold of you and reach out? Is it on Twitter, or is that website the best place to go?

Yeah, we're on Twitter, and you can reach us through our website. You can find our Twitter feed there or send us an email, or you can find me on LinkedIn. I'm Matt Zimmerman.

Cool, great, guys. Thanks for coming on.

Thank you very much for having us.

And, as usual, you can reach me at Colin Cuche on Twitter, that's C-U-C-H-E, and Corey at CorPetty, C-O-R-P-E-T-T-Y, on Twitter, and you can see our podcast feed at hashingitout.stream and also on Twitter as @hashingitoutpod. So yeah, thanks for coming on, guys. Appreciate it. Great episode. Thanks.
