Ep. 543 Elite Blockchain Security Solutions with Halborn

In this episode of Crypto 101 we give you a sample of our Digital Currency Summit which Aaron and Bryce will host live on June 13th – 15th, so get your FREE ticket below to not miss out on the rest of the 27 amazing guests.  Today we have Rob Behnke the CEO and Co-Founder of Halborn which was founded in 2019 by renowned ethical hacker Steven Walbroehl and Rob who was a growth hacker.. The fully remote organization has since grown to over 100 of the best and brightest offensive security engineers in the world.

 

— TRANSCRIPT —

 

SPEAKERS

Aaron Malone

 

Aaron Malone  00:08

All right, everyone. Welcome back to the digital currency Summit. I’m here with CEO Hal born, Rob banky. How’re you doing?

 

00:14

I’m doing well. Thanks for having me.

 

Aaron Malone  00:16

It’s a pleasure to have you big fan of what you’re doing over at Howard Warren. And in case there’s listeners out there that don’t know what you’re doing, given this gives the high level overview.

 

00:25

How boring is a cybersecurity firm focused on the blockchain space. We’ve been out there trying to keep the industry as secure as humanly possible for the last three or four years now. We work with major organizations, whether it’s sort of layer one, Blockchain organizations, defi projects, even major banks and really consumer brands as well. So we’re working with folks like, you know, whether it’s a Solana Foundation, or major defi projects, large, you know, NFT projects like Hugo labs, or board ape and things like that. But then also, you know, major banks like being why Mellon and so on. So,

 

Aaron Malone  01:06

yeah, you have an all star team working over there. It’s not just a bunch of like Junior admins that are floating around Twitter.

 

01:13

Yeah, we got started. My co founder, you know, my background is going to be more on the marketing, sales operations and growth side. But my co founders and elite ethical hacker he built some of the he won some of the largest hackathons and pen testing sort of hackathons in the world called net wars for two years straight before we started hell born. So yeah, we have a we have a really great team.

 

Aaron Malone  01:38

Yeah. What are some of the most common issues that you’re finding that are prevalent in the blockchain space today?

 

01:47

So the reason why I think we’ve grown pretty fast at Holborn is because we started this company with a sort of a core thesis where there is a solid mix of traditional cybersecurity issues that still to this day really affect the web three industry as well as very web three centric things. So typically, people kind of immediately lump things into smart contract audits. So for those, you know, unaware, you know, you have you have your smart contract layer, that’s what you’re interacting with, when you’re touching anything on like an Aetherium chain or anything like that. And smart contract audits are certainly important, certainly part of that. But really, when you think of any technology, there is several different layers to that technology, or really like what you may refer to as like full stack, in that sense. So we focus on end to end security, which just means that we’re here to advise and not so much focus on the one layer, but focus on the whole pie, the whole picture and say, okay, out of all of these things that you’re doing, from a business perspective, so we are b2b, we can talk about, you know, the average user or cryptocurrency, what we can do to help that. But from the from the business perspective, we’re looking at all of the systemic risks that could go on, and then really prioritizing the risk, yes, and testing from there. So of course, smart contract audits, but also webapp, pen tests, you know, Dev SEC ops, getting your CI CD pipeline really set up so that as you are coding up your applications, you have secure coding practices put in place that then gets deployed. And then we have monitoring for once you’re actually on winter actually live and launched, then we actually help monitor your brand and help monitor perhaps your token that’s live as well.

 

Aaron Malone  03:47

So these are philosophies that you just don’t learn. As a junior developer on YouTube going through tutorials, you have to really be a professional to get that. And that’s so sorely needed in this space. It really is, you know, open for anyone to participate. But there is a downside of that consequence. And we see multi 100 million dollar hacks simply because someone didn’t have this experience, that I think the easiest example of that is the ronin hack $600 million out the door, not because of a smart contract failure, but they were only running six nodes. And that was six machines that had to be compromised. Yep. And someone found a way to do that. Had there been clients of how born maybe that wouldn’t have ever happened. Maybe? Maybe though. So as far as a consumer side goes, I mean, it’s a big scary world with lots of smart people out there. Some are doing amazing things, some are breaking amazing things. What can we do as consumers to try and keep ourselves and our crypto as safe as possible?

 

04:42

So step one, and I see this time and time again, is really good password hygiene. Now what’s funny about that answer is that that is a traditional cybersecurity answer that is not a crypto centric answer. So all passwords that you ever create should to always be over 20 characters, they should be a little, you know, it doesn’t really even matter the complexity, but the length is really important. So it’s

 

Aaron Malone  05:07

not enough anymore. No, no, no, it

 

05:09

should be over 20. Okay. Yeah. And and

 

Aaron Malone  05:13

wedding vows into the password,

 

05:14

yeah, whatever, whatever it is, you know, don’t use dates. Don’t use words or last names or first names that you’re used to make sure that it’s something that you’ve really never used before, make sure you’re not using the same passwords. Once you’re past that, that perspective, on the crypto side of things. Look, you know, even if you’re using like chrome wallets, or any these other wallets, make sure that anything that you see as a significant value to you, you are using what’s called a hardware Wallet. So you need to you know, and even though it might seem complex right away, you want to have what’s either called a Tresor, or a nano ledger or a ledger, they have a couple many different products there. There’s a ton of tutorials on the line about how to get these set up. And I’m telling you, it will affect a lot of the consumers that are out there, and users of either NF T’s or cryptocurrencies or anything like this. Nine times out of 10, when we hear that things are getting stolen, it’s because they do not use hardware wallets. So that can really, really help things from the start. Yeah, those are two really important things that I think if you if you knock out you’re going to be really ahead of the curve. I would also say to that what we’re seeing is, in order to stay safe in the space, you really need to be careful about really what’s called social engineering. So if you’re on Telegram, if you’re on Discord, if you are, you know, even receiving emails from folks that you don’t necessarily know, you need to be highly suspect of that. So typically, what we’re seeing now is a lot of scams going on on telegram where someone will just message you and say, Hello. And then the moment that you respond back, they start checking things with you, you know, they’re going to talk to you about different, you know, phone numbers and things, things like this. And funny enough, people are still getting scammed out there for gift cards and things like that people saying, hey, it’s so and so it’s your mom, it’s whoever I’m stuck right now, like, you know, send me gifts. Funny enough, send me gift cards, which is hilarious that these more traditional scams are still prevalent in the web three space. So it’s really just be overly cautious. Paranoia is actually an A okay thing when dealing when you’re dealing with like proper internet money. So when you’re dealing with open source, non sovereign digital currencies, the moment that you send one token, or one coin from me to you, there is no intermediary, there is no middleman that you can get that money back. So proceed with caution. And you know, a little bit of paranoia actually goes a long way when it comes to that.

 

Aaron Malone  08:05

Yeah, definitely. And there’s so many scammers out there, they’re imitating influencers, I get followed on Twitter every day by people that don’t actually follow me yet, but there’s like five, you know, crypto windows or whatever. And then there’s even impersonators with myself and Bryce that are going around, trying to trick people into sending the money and Bryce and I will never, ever, ever, message you and ask you to send us money. That’s just completely ridiculous. So don’t fall for that. be paranoid, be smart, some random guy walked up to you on the street says I got a deal for you. You probably wouldn’t take it, you shouldn’t do it over the internet, either.

 

08:42

It really does come back to the basics. Whereas if it is too good to be true, it absolutely is. Yeah. So it’s

 

Aaron Malone  08:47

100% of the time, yeah, 100% of the time, especially if some giant casino that’s promising you 12% return today. Like that’s completely a Ponzi scheme each and every time. So be smart. Manage your greed manage your risk. And one other thing to point out is seed phrase management turns something is really isn’t understood that well, either. You know, a lot of people just take a screenshot on their phone or something. What are some best practices for keeping our seed phrases safe?

 

09:17

There is I’ve heard a lot of different methodologies. And for the average user, I pretty much recommend one specific thing, which is, if it’s on a, if it’s on a connected device, like your phone, don’t put it there. So do not take a photo of this seed phrase, do not put it in a memo pad. And the seed phrase, the most secure thing that you can probably do is just take a piece of paper, write down that seed phrase, as you’re developing it, throw it into your safe, throw it somewhere, you know, nice and safe, that that there is only that there is only one and then that’s, you know, kind of leave it up there. Now this is the average user, the average user isn’t going to be, you know, a target Uh, you know, a major incident. But this is something that is a lot more practical. Just, you know, even if it’s a safety lockbox or you’re safe that’s in your home, that’s going to be your best. Your best bet for now,

 

Aaron Malone  10:15

what about the device that we’re using to trade crypto restore crypto on? Are we okay to use a Windows desktop? Or an iPhone? Or is there something better that we can be using, it’s a little bit more secured just for this one use for trading for trading or just running a desktop wallet, whatever the case is?

 

10:33

Yeah, you know, look for that, for the most part. Unless you’re dealing with a large, you know, a decent amount, you’re really not going to be like a major target to some of the more sophisticated things that we see on our end, where you have nation state actors coming after someone, you know, maybe even just, you know, with something on a smaller basis. So I think that when you’re, in order for it to be more of a cold waltz solution, for example, and if we are just talking about Bitcoin for a moment, you can, you know, buy a new laptop, have it never connected to the internet, you can, you know, take the wallet program, put it onto that laptop, again, make sure it just never touches the internet. And then you can feel free to actually move it from that one wallet to the one that you create on your own internal device that’s not connected. And I think that’ll probably get you get you there for the most part.

 

Aaron Malone  11:36

Interesting. I think it’d be a good thing to mention that the term wallet itself is kind of outdated and not even really correct. Because when people think of a wall, they think that’s where their Kryptos actually stored. Right? That’s not the case. Sure. Yeah. That’s the whole point of distributed ledger technology is these Ledger’s across the world hold balance sheets that all agree with each other. And that’s where your balances the wallet is simply more like a key chain to access that balance. Yep. Because, right. So I don’t know how we’re ever going to upgrade our lexicon here. But I think that’s one thing that’s really important to understand, is what you’re actually dealing with. Yep. So if you lose your wallet software, as long as you have your seed phrases backed up in that safe, you’re good.

 

12:24

Yeah. Yep. So that’s why and frankly, that’s actually kind of what got me into the world of cryptocurrency, Bitcoin back 10 years ago, a friend of mine told me there’s this thing called a brain wallet, I was like, What are you talking about? If you remember the same, you know, 12 or 24 words, or whatever it is, you know, like for the protocol, you can just walk around, you know, you don’t have to write it down. You have to do anything. You just remember those 12 words. And you have your you have your capital with you. Yeah, yeah. Which is wild. It’s a wild concept. It is. And that’s actually has nothing to do with cryptocurrency. It has everything to do with cryptography. So that’s, there’s the basics of of everything that we’re doing in this industry. It’s cryptocurrency of cryptography. And then you have currency, you have the actual cryptographic technology that powers this amazing thing. And then you have just economics and just economic science experiments, a lot of a lot of times with all these new protocols. So when you combine those two together, you get this industry.

 

Aaron Malone  13:24

Yeah, I remember, I was stopped once by a customs officer at the airport. He’s asking what I did. And, you know, I told him, You know, I work in crypto, he’s like, Oh, so you know, are you traveling with more than $10,000? Did you report or whatever, right? Well, no one have never bring my hardware wallet when I travel that stupid. And to even if I did, it’s no different than bringing my house keys, like my house keys or lock my house, which is worth six figures, but that has nothing to do with transferring, you know, finances across borders. So I had to explain the whole system. Like oh, okay, cool. And then of course, our next question was, what do you think about Doge? And I was like, oh, fuck, Sal, everything. Yeah, yeah. But yeah, so I think that’s really important to understand. As far as keeping, you know, our Windows Desktop safe for our Mac laptop or iPhone safe. Is there any additional software that you would recommend that we run to kind of be a watchdog for us, as far as you know, exploits or running updates, or what how should we really look at these things these days?

 

14:30

I don’t, I don’t think so. I think for the most part if you if you there are 1,000,001 ways to be overly paranoid and and do things you know, along that side of the world, and so I do think the most practical thing is just buy, you know, buy a new fresh, you know, cheap laptop that new not not pre owned or refurbished or anything like that. And kind of set it aside and just Just leave it don’t let it connect to the internet and then go ahead and kind of use it that way. As far as updates or software. No, I think just your your general software that you’re using. And you know, antivirus software, you know, actually Windows Defender is actually one of the most strong antivirus software’s on on Windows today, actually, funnily enough, so they’ve really done really well with that. That’s great. Yeah, and then Max, I think you’re gonna be fine on the max too. Cool. Yeah.

 

Aaron Malone  15:28

So speaking of paranoid, I’ve been paranoid about pretty much Aetherium defy, since, you know, over a billion dollars was stolen last year, and I’m trying to figure out from a non technical perspective, is the problem that the developers don’t know what they’re doing, or is solidity, just a shit language in general, that is not mature enough or sophisticated enough to be securing all these funds.

 

15:53

So we’ve done a lot of work in this space. In 2022 6%, of all value in Aetherium, defi was subjected to an attack. So it’s, it’s it’s substantial. So it’s billions of dollars.

 

Aaron Malone  16:08

That’s where all the funds are, or is it just solidity is not as good as something like Haskell or rust,

 

16:15

you’ve probably said it before on this podcast, there’s probably been, you know, Milly, it’s a cliche at this time, but it, we are still early in this industry. So the ronin hack, like you said, you know, even as large of an organization as x infinity and Ronan are at this point, they still aren’t large enough to have things like traditional banking, security procedures and infrastructure put into place where you have control set, where a developer would never have the ability to touch sort of, you know, the, you know, the keys to the kingdom. But in the world of web three, like, that’s the entire use case. So the reality is that we’re still in a bit of a nascent stage in, even in Aetherium, defy, where you have small teams, and those small teams are still the possessors of private keys. And so they are subject to all sorts of security issues along the way. So you can imagine, because because this is legitimately what’s been happening time and time, again, where you have, call it five people globally distributed, that start a defy protocol and Aetherium, they get funding, and people really appreciate it and start building it up and start deploying capital into it all sudden, you have whatever it is 500 million, a billion dollars of value in this protocol, that’s only really, the keys are only held by two or three people specific. So there’s even this issue, you can put all this, like bank level security into all of these things, you know, spend millions upon millions of dollars just in security protocols. But in some cases, that doesn’t, that still doesn’t even solve, for example, what we call the $5. Wrench problem. $5 wrench problem is okay, someone just comes to you with a $5 wrench and says, Give me Give me your private keys, you know, so that’s still sort of an inherent problem that even exists today. And, you know, look like, there are what’s, what I find really relieving and really brilliant about this industry is that in an Open Source Economy, you have free and open markets that breed innovation. So we’re constantly seeing new, innovative ideas coming out in this industry, one of which that we’ve seen art insurance protocols where if I am deploying $100, into this defy protocol, oh, I can, I can buy this little open source insurance policy for five $10. And, you know, if that particular protocol is subject to a hack, oh, at least there’s an insurance pool so I can get, you know, some of my money back that, I mean, and that’s just one specific thing. There is software for the actual developers and coders that are sort of coming out now as well. And then when it comes to just using d phi, in general, using Aetherium d phi, again, so long as you are using a hardware wallet attached to your computer, that, that then you’re using your Metamask or your x d phi, or your you know, or uniswap wallets or whatever you’re using, that will kind of help half the battle from the potential of clicking a bad link and then someone can kind of, you know, steal funds that way. There’s a lot going on in the space but I would say that for the most part, you’re you’re going to be more subject to the actual inherent volatility risks, more so than subject to getting your your particular money stolen. So you know, in the general engine Don’t you just need to be cautious about what you’re investing into, in general, make sure that you don’t invest any money that you can afford to lose, for example, that’s a really big lesson that I’ve learned that many have learned, right? So I’ve been in this industry for 10 years, I, when I first got started, yeah, I learned that lesson the hard way. So that your rent? That’s right, so these things just sort of happen. And so from a security perspective, we’re kind of, you know, we’re we’re looking at all of the things and kind of helping to prioritize what things should be kind of focused on from the, from the start. So yeah,

 

Aaron Malone  20:32

well, I’d love to pick your brain all day. But, uh, you know, you gotta go back to the conference. One final question for you. And it’s kind of a big one. Okay. AI is now coming out all over the place. Yeah, is this going to cause more security problems or more security solutions,

 

20:49

it’s a tool. So just like a wrench, you know, just like a computer, it is a tool. So it’s gonna be used for good or evil and evil. And so, you know, this tool is going to create problems, is this tool is going to be used to solve problems. There’s a lot of research going into AI for security use cases. You know, luckily for us, and for what we’re up to, out of all the studies, everything going on, you know, it’s not, it’s not replacing, you know, human needs for, for security audit anytime soon. But it could theoretically help with, you know, informational findings and low level findings and things that are still going to be important. So I think everybody in, you know, AI is going to affect us all and all sorts of different ways. We’re not particularly concerned about it from systemic risk issue. But there there there are a lot of things that I think, you know, true anarchist of the world can definitely use, so it’s gonna, it’s gonna be used for both of those scenarios.

 

Aaron Malone  21:57

They’ll said, And just one final piece of advice that I was thinking of, if your investments do pay off and you hit it big, shut the hell up about it. Don’t post all over social media. Don’t make yourself a target, man, the best way to stay safe. Stay out of the line of fire. Yeah, just shut up. And be quiet about it.

 

22:16

Yeah. I couldn’t agree more. You become a target the moment that you start talking about your wealth online. So yes, yes. Yeah, please beware,

 

Aaron Malone  22:26

Rob, thank you so much for spending the last you know, almost half hour with us. We really, really appreciate it now. Where can we follow you for more insights?

 

22:33

Sure, head over to alboran.com. We do have a blog on how board.com that that gets into the weeds of very specific topics. And I’m on Twitter. So to add Rob Banchi on Twitter.

 

Aaron Malone  22:44

Thank you so much. You got it. And we look forward to having you back sometime in the future. And we’ll be back with other great guests here that digital currency summit in just a bit. Thanks.

 

DCS FREE TICKET

https://www.digitalcurrencysummit.com/registration43922607

Please Support our Sponsors:

www.hellofresh.com/crypto10116

https://backblaze.com/crypto101

Get your FREE copy of “Crypto Revolution” and start making big profits from buying, selling, and trading cryptocurrency today:

https://www.cryptorevolution.com/free

Subscribe to YouTube for Exclusive Content:

https://www.youtube.com/@crypto101podcast

Follow us on social media for leading-edge crypto updates and trade alerts:

https://twitter.com/Crypto101Pod

https://instagram.com/crypto_101

Guest Links:

https://www.halborn.com/about/who-we-are

*This is NOT financial, tax, or legal advice*

Boardwalk Flock LLC. All Rights Reserved 2023.

 

▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬

Fog by DIZARO https://soundcloud.com/dizarofr

Creative Commons — Attribution-NoDerivs 3.0 Unported — CC BY-ND 3.0

Free Download / Stream: http://bit.ly/Fog-DIZARO

Music promoted by Audio Library https://youtu.be/lAfbjt_rmE8