Glacier Protocol is widely regarded as one of the best ways for an individual to secure their bitcoins. Who better to join me than the Project Lead and Maintainer of Glacier Protocol? Diogo Monica, Co-Founder and President of Anchorage and Project Lead of Glacier Protocol, joins me in this episode to talk about:

  • Diogo’s background on computer security
  • Glacier Protocol design decisions
  • Glacier Protocol overview and step through
  • Key features
  • Taking security to the next level with Anchorage for institutional clients

Podcast Transcript by Givebitcoin.io:

Stephan Livera: Diogo, welcome to the show.

Diogo Monica: Thank you for having me.

Stephan Livera: So Diogo, I know you are working on … So you’re a computer security expert. You’re working on both Glacier Protocol and also working at Anchorage. Let’s get a little bit of background on you. So how did you get started in computer security?

Diogo Monica: So the interest really came when I was young, and my dad just taught me how to program, I think I was 12 at the time. And I immediately got interested in creating software that opened and closed CD-ROMs, and allowed access to remote computers. And a lot of that was my first passion and interest.

Diogo Monica: So immediately that led me to think about information security as a career. And so it was in that field, computer science and information security that I did my master’s, my bachelor’s and my PhD. So PhD focused on distributed systems, information security in general. So I think the interest really comes from those early days of programming and installing cool software on my parents’ computers.

Stephan Livera: Where was the Bitcoin angle? Where did that come in for you?

Diogo Monica: I think the Bitcoin is a pretty interesting overlap of skillset. If you see my background, early on academic experience, I was publishing academic papers in Hashcash in 2008, and publishing academic papers in quorum security and Byzantine fault tolerance. So all of these aspects of Bitcoin, they’re just a core way that Bitcoin solves against the Sybil attack. I was publishing in the exact same field, just not focused on money and sound money and stores of value or really payment systems.

Diogo Monica: And so when Bitcoin became popular and started becoming popular, at the time I was the platform security lead at a company called Square. It was effectively just all of the elements of my academic background brought onto the information security world with a really interesting payments angle. So that’s how the Bitcoin really came into my life and was discovered, and I was obviously immediately curious about it, because I had been working, and in fact using Hashcash for sybil proofing some protocols and distributed systems in the past.

Stephan Livera: So then let’s say a little bit about your role with Anchorage, and then also the role with Glacier Protocol.

Diogo Monica: Absolutely. So the Glacier Protocol at the time was being led by two other folks that created the original protocol, and they were looking for somebody to take it on and take it to the next level. And so at the time I was very interested in this aspect of custody. In fact when I was still at Docker, so after Square I joined a company called Docker, and I led the security team over there. And while I was at Docker, a lot of these funds and crypto funds that were being created in the run up of prices in 2017 started reaching out to me for consulting and for helping them effectively with cold storage, operational security, management of keys, investing in all of these cryptographic assets that they didn’t really have a lot of knowledge on how to protect.

Diogo Monica: And so it was as part of that that I involved myself with the Glacier Protocol and I took over the maintainership of it, and have pushed on that what is today the golden standard for self custody of Bitcoin.

Diogo Monica: And so at the same time that I was contributing to Glacier, I saw the need for an institutional solution that could actually provide it to institutions for the same exact problem. Because it was very clear to me at that point that cold storage was not enough for institutional custody. And there’s a lot of drawbacks that cold storage has, and all of these new protocols that require active participation just weren’t made to be held in a safety deposit box, stored in a mountain somewhere. And so that’s when I started Anchorage and me and my co-founder, Nathan McCauley decided to create a platform that allowed us to have the better parts of cold storage, and really security and safety that is better than cold storage, but allowed us to have accessibility. So there were no compromises for the funds in terms of fast access to funds and active participation.

Stephan Livera: Fantastic. So it’s like you’re trying to balance the different needs there, right. So obviously they would try to keep most of the big clients in cold storage, but there may need to be a portion that is available readily for their transactional usage. Is that the main goal there?

Diogo Monica: The goal was actually to break this concept of hot and cold storage. So somehow we’d gotten it into our heads that the same principle that applies to caching in latency, by the way, hot and cold comes from caching, right? It’s hot if it’s under 100 milliseconds or 10 milliseconds, and you asked for a web page, and the web page is immediately available. And it’s cold if it takes a round trip to the database, or if it has to be stored in Amazon Glacier and it’s like deep cold storage of data. That’s where hot and cold comes from.

Diogo Monica: But the reality is that if you think about it, this is storage, and hot and cold does not apply to security. Imagine for example, that I have a protocol that takes 24 hours to access your Bitcoin, and I create another protocol that takes 48 hours. And now I ask you which one is the safest protocol? You can’t tell me the difference. You don’t know what happens in those 24 hours that adds more safety to either one. And so the reality is that hot and cold and this dimensional slider between security and temperature is just not a good way of describing security at all.

Diogo Monica: And so we just broke away from that model and said, no, all of your assets should be available, not just a small percentage of them, and all of your assets should be safer than cold storage and should have that level of security. So there should be no compromise where a small percentage of your assets are vulnerable in an online system, and a large percentage of them are inaccessible.

Stephan Livera: Right. Okay. That’s a very different way of thinking about it. I’d be curious to also just dig a little bit into the Glacier Protocol as well to understand what was the history around that? Why was it created? Was it essentially that the value of Bitcoin was rising, and then there was a need to store that safely?

Diogo Monica: That’s exactly right. So the value of Bitcoin was rising pretty fast. There were a lot of individuals that have significant amounts of Bitcoin, and Bitcoin cold storage and be your own bank is one of the fundamental ethos of Bitcoin. Not your keys, not your Bitcoin, there’s a lot of this thought process around Bitcoin storage itself. And for individuals in retail, in this space, I think that makes a lot of sense. And so there was a need for a very paranoid version of a cold storage solution.

Diogo Monica: The Glacier Protocol is the golden standard. If you did the best at every single step of the way, at every single point of decision making around custodying your Bitcoin, if you selected the safest solution, effectively Glacier Protocol is what you get when you make every single decision by just considering security.

Diogo Monica: And so it is a very bulky process. It’s a PDF and a website that you can follow. I think the PDF form has over 100 pages, and describes exactly how to use eternally quarantined hardware, how to do entropy, secure generation of random data for key generation, how to safe keep these keys, how to use them in a safe manner, what the devices that you need, how to maintain them, how to do multisig. So all of these different aspects, there was no single reference of the most safe version of every single decision for Bitcoin custody. And so that was the goal of Glacier Protocol and the reason why it was created.

Stephan Livera: That’s fantastic. And I was having a read through some of the documents obviously, and there were some different design decisions or principles that are being followed. So one was this idea of very low risk tolerance, and it’s saying what does it mean to just take something from say low risk tolerance, down to the very low level and what does it need to take you from that to that? And part of that is, as you’re mentioning this quarantined hardware, there’s another key one I was interested to discuss with you. It’s preferring risk elimination over risk reduction. So there are certain risks that you would try to entirely just blow those away.

Diogo Monica: That’s right. And so it’s core decisions such as having eternally quarantined hardware. There’s hardware that never communicates to the Internet its existence. In fact, you would buy a laptop, you would drill or open the laptop, and effectively take the cards away that allow for Wi-Fi communication, ensuring that this laptop is never connected to the Internet. And so this air gapping of the laptop and the quarantine of the laptop from the Internet is one of those things that are effectively a categorical solution against some kinds of attacks, and really eliminates risk instead of just being a mitigation.

Diogo Monica: And of course at the end of the day, it’s always a set of trade-offs, and one of the trade-offs that obviously Glacier Protocol has is usability. Not only usability, it was designed originally for individuals and it does not encompass a lot of these other requirements that institutions have. Things like anti coercion, things like business continuity, things like fast access, things like different policies for different companies and different stashes of Bitcoin, auditability, so all of these things are just things that are not considered because it was created for individuals, but for individuals it is a fantastic way to actually store your Bitcoin.

Stephan Livera: Yeah, that’s fantastic. There’s also a component here around being more paranoid around key generation. So there’s a combination, not just dev random, but also using dice rolling for entropy generation. So the actual document or the guide says to get some casino dice and literally do 62 dice rolls, incorporate that, and I believe it’s an XOR function to sort of combine the randomness to make sure that we’re getting sufficient quality of randomness.

Diogo Monica: That’s right. So there’s PRNG, there’s a pseudo random generator from which the keys of Bitcoin are actually generated, that includes not only randomness from the computer, but in case the computer has some kind of faulty randomness from generator, or backdoor random number generator. It also includes this die and casino dice rolls that allows you to effectively add more input and more entropy into the randomness itself, ensuring that there’s no maliciously generated Bitcoin keys.

Stephan Livera: Yeah. And then there’s another feature around, or function, I guess feature of it is around no hardware wallets, no printers, no network connections. So everything is, well, most things are literally hand transcribed, or in the case of certain components that are less security crucial, they would be done with a USB stick transfer.

Diogo Monica: That’s right. And so in one way it’s one of its major advantages, but also one of its major weaknesses. It is one of the major advantages in the sense that you do not need to trust a lot of third parties, so you limit the number of third parties that you need to trust. And by doing everything manually, you are removing again, eliminating aspects around printers and around internet connectivity and so on and so forth that you would have to care otherwise.

Diogo Monica: However, it’s also its biggest weakness, because it’s inherently a manual process. And it turns out that it’s a lot more likely for you to incorrectly write a Bitcoin private key, or incorrectly store a Bitcoin private key, or manually do an error while following your checklist than it is for a machine. And so this is part of the reason why institutions can’t really rely on cold storage like Glacier, and manual processes like Glacier, because humans make a lot of mistakes.

Diogo Monica: In fact, if you think about the profession in the United States whose job is to follow checklists and that lives depend on it, are surgeons, and surgeons constantly make mistakes. And we have hundreds of thousands of deaths in the United States because of surgical mistakes, where the surgeon simply skips one of the steps on the checklist or believes that they actually have done the step and just before without actually doing it. And that’s the same thing for Bitcoin or any kind of key generation. There should be no humans that are depended on for the protocol to be successful.

Stephan Livera: Fantastic. And Glacier also has a very clearly defined software stack, and it is trying to use well known, well audited hardware or sorry, software in this case, and it’s limited to Ubuntu, Bitcoin Core and then its own custom thing called Glacier script. Can you tell us a little bit about that?

Diogo Monica: Absolutely. So the idea is to try to depend on the software stack that is known, that is audited, that is very frequently updated and for which all of these patches and for potential vulnerabilities are back ported, in that the majority or a lot of people use, and therefore there’s a little bit of a safety en masse there, because if it’s a consumer product that a lot of people use, such as an iPhone, there’s a lot of attention into breaking in, and there’s also a lot of attention into patching it.

Diogo Monica: And so the minimal software stack was an operating system, was the actual Bitcoin code. So key generation, tracking, signing, so on and so forth, to which we use Bitcoin Core. And then Glacier script, think of it as the glue that connects all of these things together. That generates QR codes to be scanned because these laptops never connect to the Internet. So to communicate any transaction, to an online computer, you scan a QR code that your offline laptop generates. So all of these things are just a part of Glacier script, and Glacier script really combines the glue to call the signing functions to ensure that transactions are being correctly formatted, that calls the Bitcoin Core with the right parameters, that does estimation fees, etc, etc, etc.

Stephan Livera: Right. And the other component I found really interesting, and this might be something for listeners to take away as well, is this idea of correctness verification using duplicate environments. And so can you talk us through what is that risk and how is Glacier helping an individual get around that?

Diogo Monica: The idea is that you would obtain the same information from multiple sources, and by doing so, you’re not vulnerable to a single source being compromised. So a good example of it is, imagine that you’re downloading Bitcoin Core. If you’re downloading it from one central repository and you’re verifying just the hash that Bitcoin Core has to validate that the package that you’ve received locally is the same package, it has the same integrity and it has the same secure hash function that the Bitcoin Core package that would start on the server, then you obtain that hash from two different sources.

Diogo Monica: The advantage there is that even if the website from which you’re consuming this hash was compromised and changed, both websites now would have to be compromised for you to fall victim to something like this. And so that’s part of the concept is always, as much as we can, never depend on a single source of information.

Stephan Livera: Right, yeah. And, it’s also very much that consideration around things like, so for example, there’s that Ian Coleman website where you can generate the BIP39 seed and so on. So the idea is that you would try to verify that source, copy it down, and then generate it on the offline computer that is then quarantined and never again touches the Internet component to it.

Stephan Livera: So I think it might be good to just maybe talk through just at a high level, obviously we can’t talk through every little step in detail, but if we could just sort of talk through at a high level, what are the broad steps for Glacier Protocol? At the start you’re prepping the hardware, what does that entail?

Diogo Monica: So at a very high level, the protocol takes you through the preconditions that you need to be successful at generating keys and doing cold storage, using Glacier protocol. And that means buying different computers, buying USB keys, buying the dice, all of these different aspects that you need to be set up and all the things that you need to purchase, sort of ready to execute the protocol.

Diogo Monica: Then you’re walked through all of the different aspects and security considerations of how to obtain the operating system, how to obtain the code, how do you check signatures, and the validation that the code that you’re deploying on this laptop is a correct one. How to prepare the hardware itself, so taking the cards and making sure that it’s always disconnected from the Internet, and how to move operating systems, how to boot the operating systems, so on and so forth.

Diogo Monica: And then at high level, then there’s three big components. One of them is, how do you generate new keys and how do you deposit Bitcoin into those keys? And then there’s the withdrawal process, which is, how do you securely bring information from the blockchain to the eternally quarantined hardware? Do you use Glacier script to sign UTXOs and move Bitcoin? And then finally the maintenance protocol of how are you actually constantly verify if all these protocols are being followed, your backups, updating codes, so on and so forth.

Diogo Monica: So at this high level, preparation, generation, the deposit aspects, the withdrawal aspects, and then the ongoing maintenance of the cold storage solution.

Stephan Livera: Fantastic. And it also, I think another interesting part is around in the setup process or just in general though, there is this whole concept of trying to block side channels. So can you tell us a little bit about that?

Diogo Monica: A side channel attack is an attack in which an attacker that has the ability of seeing the electromagnetic waves, or just the computation of keys of a computer. So when you are computing an RSA key or doing a signature operation, for example, your computer does very distinct operations, some of which actually require more energy than others. And the fact that it requires more energy actually emits electromagnetic radiation that an attacker with very specific hardware might be able to pick up and then deduce what the private key is.

Diogo Monica: So imagine that there’s a key that is a zero, the computer will do less of a calculus with that zero, but then there’s a one, and the computer would generate and consume any electricity because it would have more computation to do, and therefore an attacker could actually discern that the pattern was 01. And so that’s effectively the high level view of what a side channel attack could look like.

Diogo Monica: So the idea here is that you have to mitigate as many side channels as you can. And a lot of them are already mitigated from the fact that you have eternally quarantined hardware completely disconnected from the Internet, you’re in a room that nobody knows that you’re about to generate, or nobody knows that you are about to sign or do a signature at that time and therefore they can’t be there to actually do the recording of the electromagnetic radiation that would allow them to recompute the key. So it’s a little bit of an extreme thought, but we wanted to make sure that it was there for people to have that as a consideration.

Diogo Monica: Because there’s all these sorts of aspects around computation, around private keys and cryptography that are not usually focused on, but that could actually have disastrous outcomes such as private key leakage.

Diogo Monica: In fact, a fun story was before they become a client of Anchorage, there was a client of ours that was doing self custody. And so what they had was this process where every time they wanted to do a Bitcoin transaction, they flew around the United States. They collected different USB keys from different banks, and then they convened on a random hotel that was randomly chosen. They would actually book a room and then when they checked in, they would actually switch the room that was booked to make sure that it could not be pre-bugged, and then they actually had this portable Faraday tent that they would do transactions inside of. And that Faraday tent and all of this was exactly because they wanted to be protected against potential side channels and against the potential bugging of the actual hotel rooms where they were going to be doing transactions, because they were afraid of these attacks.

Diogo Monica: So that’s an interesting consideration, it’s a very extreme consideration, at least at the level of that client in the amounts of assets that they had. But it’s a thought and it’s a real issue. And so it’s something that definitely has to be considered and should be taken into account.

Stephan Livera: Yeah, that’s a really good story actually. And that brings to mind this other idea that, typically for the higher level security, we’re looking at multisignature, and one component around multisignature depends on the way it’s constructed, right? So if they are using a PSBT and they’re doing it in such a way that not all signatories need to be in the same place at the same time. It may be taking a PSBT, and partially signing it until it’s ready for broadcasting. What’s the thought there?

Diogo Monica: In general, multisig is obviously the ability of having different keys, having to collaborate for a transaction to be valid. That’s the overall purpose. In Glacier itself, it’s supported, there’s a multisig support that would allow you to effectively have different keys stored in different locations. And the idea there is that if your home is compromised and the key is inside of USB key in a way that it’s unencrypted, or inside of a safety deposit box, the theft of that private key does not actually compromise your funds, because they would also have to guess or have to steal from the other remaining two or three safety deposit boxes to actually get a quorum to be able to move the assets themselves.

Diogo Monica: So that’s by and large, obviously what multisig is providing. I guess the idea there is that what you’re trading off is you’re trading off the difficulty and the time that it takes for someone to go through this process, especially if you consider Glacier Protocol targeted towards individuals for security. And so it’s a very extreme version of it and also has downsides, especially if you can’t follow the maintenance protocol, and you’re not constantly validating that multisig keys are still all available. Just because you have a USB key inside of a safety deposit box, doesn’t mean that the key is still usable, right? And so the USB key might have died, the key might not be usable, there’s a lot of reasons as to why this would not be the case.

Diogo Monica: And so it really adds a lot of burden in maintenance, that is too much for an individual, but that is required for institutions. So institutions definitely require effectively quorum approvals. So the goal is that when you are an individual, you want, by definition of being an individual, you want by yourself to be able to move your funds. And some people want to actually be locked out of the access of their own funds, but individuals usually don’t want that.

Diogo Monica: But institutions on the other hand have that as a requirement. There should be no single point of failure. There should be no single human that can abscond with funds, or whose loss or disappearance would actually cause data loss or loss of cryptocurrencies. And we’ve actually seen this in the media where the CEO of a company that was an exchange actually passed away or has been claimed to pass away, and he had all of the keys and therefore the keys were no longer available. So not only business continuity is important, but you also have to consider a quorum in the fact that no individual should have single access to the assets themselves.

Stephan Livera: Fantastic. And so just going back to the process then of Glacier Protocol and when we are doing the setup, so let’s say the person is doing a deposit and first they are doing a test deposit and a withdrawal. And so this is one of those interesting points where the Glacier Protocol actually does use address re-use, but it’s a privacy trade-off made for the sake of giving comfort that you really can spend from this address. Can you talk to that a little bit?

Diogo Monica: Absolutely. So it’s a privacy trade-off in the sense that if somebody knows the pattern, then they can identify what your address is, or what protocol you’ve been following. If there’s a pattern of actually microtransactions, people know that that is actually an address that is about to be funded and that is stored in a certain way.

Diogo Monica: In terms of the assurance that it gives you it obviously gives you the assurance that you’ve been able to both deposit and withdraw from that address. And so from a cryptographic perspective, there’s obviously, especially for Bitcoin, this idea that you should always generate new keys and your TXOs should never actually come back, they should never reuse the keys themselves. So there’s a little bit of an aspect there from cryptographic guarantee. The fact if a key is only used once is better because of potential nonce reuses and side channel attacks and all of these issues, it’s ideal that you don’t operate on the same key many, many times. But in that case, I do feel like the majority of the goal is to know that you have not done anything wrong.

Diogo Monica: Because again, it’s a human following a checklist. And if it’s a human following the checklist, we know that humans make a lot of mistakes on checklists, and so it really gives you higher confidence that you haven’t done any mistakes on the deposit and on the key generation side because you’ve been able to successfully use that key. And so after you do the micro deposits and the micro withdrawals, then you can trust the process and hopefully that you’ve actually generated something that will be able to be used.

Diogo Monica: One interesting thing though is that again, this is a non-sophisticated individual. So a sophisticated individual in a company like Anchorage can actually verify that the keys have incorrectly generated, without actually having to do micro deposits and without actually having to do on chain transactions that require a key reuse and require obviously paying fees and require this kind of like back and forth of the key generation itself. Because if you know that the private key has been correctly generated and you’ve been actually able to do a signature and verify that the signature was correct, then you’d know that the key material was correctly generated, that the keys have valid ECDSA key, all of these different aspects. You don’t necessarily need to send it to the blockchain as a transaction to know that it’ll be accepted at a later date.

Diogo Monica: And so there’s again, a yet another between being an individual and being an institution in an individual custody solution and an institutional custody solution.

Stephan Livera: Fantastic. And with, for example, with a withdrawal, as I was reading through the process, I saw essentially Glacier Protocol requires you just use your one address, and what you would do is go and search that address on a block explorer such as say, blockchain.info or blockstream.info, and going from that, you would include, I think the Txid and then Glacier script would automatically include all UTXOs associated to that TX Id. Can you talk through that process a little bit?

Diogo Monica: So the idea is that when you want to sign a Bitcoin transaction, you need information from the blockchain, right? Because you need to actually, number one, you need to know the fees, but there’s all this information that you need to have from the blockchain to actually be able to compute the transaction itself. And so this is basically a way, and it’s part of the protocol, a very non-usable part of the protocol is the fact that you always have to go from an online computer and have to actually go to the block explorer, and you have to actually access this information on your own, and then you have to put it on the Glacier script that is on the offline computer. And you have to move this information over and type it in into your computer itself to inform what it should be signing and what are the parameters that it should be signing itself.

Diogo Monica: And so that’s kind of like the high level view over what is happening in that step.

Stephan Livera: Got it. And also there are different considerations here around multisignature in terms of the distributed custody considerations for Glacier. So it’s saying that in the self custody case you might have one key at home and three in safe deposits or private vaults or et cetera, but in a distributed custody case, you might go for a five keys set up, and you might have just in case another person that you’re trusting with one of your keys maybe they’re not protecting it well enough against theft or loss. So can you talk to that around deciding how many keys that you should use?

Diogo Monica: In general, the tradeoff is pretty interesting, because if you’re an individual, you have two competing priorities. One is safety, but the other one really is estate planning, right? It is, if you pass away, can somebody else access your keys? And so these two things are a little bit at odds in terms of safety in the fact that you have other individuals that are on their own, actually can access your devices. So the easiest way is obviously, imagine that you leave an encrypted private key with all of your Bitcoins and a USB key, and you tell your partner that, hey, if I pass away, this is the thing that you need to access, right? So in this moment, anyone can access it. Anyone that compromises your house can steal your private key. But it’s also very easy to do estate planning, and for your partner to actually access this key to be able to sell it, or in case you no longer remember the passphrase or anything like that.

Diogo Monica: And so now unfortunately, the safety of this protocol is not sufficient. And so now you go down to the path of selecting multiple holders of the actual distributed custody setup. So instead of doing multisig for yourself, so two different keys that have to be compromised, but both of them are accessible by you. Now you’re in a multisig setting where you’re actually creating it from a system. So, that it requires, for example, two out of three. Two individuals out of three individuals, or two keys out of three keys have to collaborate to actually allow access to the private key itself.

Diogo Monica: But the problem in, the tradeoff that you’re describing is really how many keys do you have access to? And do you want to lock yourself from accessing your own Bitcoin? Because you can do it right? Imagine that you have a two out of three, and you have three parties that have each have their own key. So that’s great, because if you pass away then two other parties on their own can actually move over your Bitcoin.

Diogo Monica: The unfortunate nature of that is that now you’re vulnerable to thefts or loss of the two keys independently of your own security mechanisms and your own protocol. Now it’s actually going to cause Bitcoin loss because you yourself don’t have the ability of going back on chain and recovering your Bitcoin key.

Diogo Monica: So this is something that has to be very tailored for each individual and each situation, and really tailored for each organization. So part of what we do is we obviously help our clients make sure that they’re doing the right trade-offs and they’re having the right quorums. Is it a five out of seven? Is it a three out of five, depending on the amount of assets that they, depending on the company size, depending on the situation. Is it an internal person that has, or internal employees that have all the keys, or is it an external law firm that has access to a few of them and has a quorum? So all of these things are trade-offs and they’re really depending on the individual situation, and it’s one of the things that we advise our clients doing.

Diogo Monica: And so that’s kind of like the general tradeoff space of the safety aspect of having multiple holders of the keys and obviously the business continuity, or in the case of the individual estate planning of, do you see a lot of access to your keys with somebody else’s incompetence?

Stephan Livera: Excellent. And now let’s talk a little bit around the maintenance protocol aspects of it. So part of this, keeping your keys secure is also periodically checking them and periodically just making sure that there haven’t been any updates or whatever to either Glacier Protocol, or maybe updates on Bitcoin. Can you talk to that maintenance process a little bit?

Diogo Monica: Yeah, so at a core, the maintenance protocol is twofold. One of them is the maintenance of the actual operating system, the software and all of these different components that are required for you to make sure that you still have access to your Bitcoin, and you could still operate on it. So that’s like the elements of hardware. Is the laptops that are working, are the USB keys still functional, so on and so forth. So that’s like the update mechanism, software operating system and kind of like the operational component of it.

Diogo Monica: The second thing, and it’s actually the most critical one, is the private keys themselves. Are they still accessible? Are they still usable? And in fact this is the biggest issue with all of these protocols, is the fact that people get lazy and people don’t really follow their own maintenance protocols. Because they are painful to follow. These requirements every quarter or every month or for institutions that have large amounts, even every day, you should be able to validate that the keys are still there and that they still exist.

Diogo Monica: And so the problem with that is that if you have a process that requires human intervention, if you have a process that to validate the private keys are usable, requires a human to go and do an operation and access their private key, then you’re in trouble, because a large majority of the advantage of having one of these self custody protocols and having Glacier Protocol is the fact that 99% of the time these things are not accessible by humans. And so it’s really interesting because people don’t want to expose their keys, but they want to make sure that the keys are still usable.

Diogo Monica: And again, if you’re doing self custody and if the way that you’re testing this is just loading the keys in a laptop and testing them out, then again, you go back into the situation where there’s manual error, you have to access the keys and therefore in a way you’re compromising the cold storage component itself.

Diogo Monica: So that’s actually the place where people fail the most, is this aspect of business continuity, and not really the operational maintenance protocol, but really the private key access protocol where they don’t follow regular scheduled audits every quarter or so that allows them to know that they still have access to all these keys.

Diogo Monica: And then, these things are just hard. There’s bit rot, there’s bit rot on the computers, there’s bit rot on the USB keys, on the private keys themselves. And so it’s really hard to keep on top of this, and it’s why you have people that are specialized in doing. This is enough for an individual, but it’s really not usually enough for an institution.

Stephan Livera: Fantastic. I think we’ve spoken through I guess Glacier Protocol more for an individual or maybe for like a small family, and maybe it makes sense for them. What does it take to take it to that next level? Like, how do you go above Glacier, to the level that an institution needs, and what are some of the key differences between Glacier for individuals versus institutions?

Diogo Monica: Absolutely. The first one is the requirements. I think Bitcoin grew up in a mostly retail world, individuals holding Bitcoin. And the necessity of an individual, especially in a world where Bitcoin was the only unique cryptocurrency in town were very low. People were essentially buying large, buying and holding. And when they were trading, they were trading on the very few exchanges that existed. But institutions are just different animals altogether.

Diogo Monica: The institutions have this competing priority, where they have to meet their fiduciary obligations and several of them want to take advantage of the high volatility of the space. But the current protocols that they have and the cold storage itself is not conducive to doing so. Because the goal of cold storage is just to never have a human access the key or do it as infrequently as possible. But if you have to access it every day, because you’re doing transactions every day, then that just defeats the whole purpose of it.

Diogo Monica: So the first things that are different are, an institution needs fast access to their funds. And some institutions don’t want to trade frequently, but even them, when they do trade, imagine that you trade say in six months because Bitcoin goes up 15%, or we’re down 15%, and you want to take advantage of that, it can’t take you 48 hours, 24 to 48 hours to access your funds. Because at that point, Bitcoin might be down 50% more, or hopefully is up 50% more, and then in which case it helped you. But by and large, you want to trade on your instincts when you want to access them.

Diogo Monica: And so that’s something that institution will. They want fast access to their funds. And this is not only true for institutions that require many transactions that are doing daily transactions that are actively traders. This is also true for buy and hold institutions that sell once in a while. That’s held once a year because when they do want access, they want fast access.

Diogo Monica: The second component is this component that we talked about around quorums, and around no single point of failure. Institutions cannot tolerate the unknown around are my keys still there? Are my keys still available? Do my keys still exist? Is the custodian or the exchange running a fractional reserve? So there’s the need from institutions to really have very high confidence from a perspective of the existence of the keys, and whether the keys are still usable or not. Plus, there’s also issues with having an institution, which is, institutions have a lot more turnover in employee base. And if what we are doing is a cold storage process where specific humans are necessary to actually run these protocols, then every time one of them leaves you effectively have to redo the whole thing again.

Diogo Monica: And so Anchorage solves a lot of these issues and allows institutions to have the best of both worlds. Best of cold storage, so they’ve got in component and no accessibility, but also the fast access to funds that they require.

Diogo Monica: And then the final thing that I would say is that in a non Bitcoin maximalist world, so in a world where Bitcoin is not the only cryptocurrency in the world, we’re actually seeing that all of these new protocols are coming out, such as Cosmos, and Tezos, and Maker, all of them require you to use these keys actively. Even if you’re not withdrawing or depositing Maker, you still have to do governance decisions. You have to vote on Maker.

Diogo Monica: In Tezos you actually have to have a baker which actively participates with keys to claim rewards. Or Cosmos. Cosmos also is a proof of stake network, where it’s no longer a proof of work, the keys are being used, and the validators are doing active participation. And if they actually do something wrong on the online use of this key, there’s actually asset loss and clients lose a percentage of their assets because they get tombstoned and malicious things can happen that cause them asset loss.

Diogo Monica: And so we just changed dramatically what institutions need, and what individuals need. And so an institutional solution has to account for all these issues.

Stephan Livera: Right. And what about other things like internal controls that a corporate or an institution might want to put in place? And I think you were getting to some of this with this idea of no single point of failure, but what are some examples that they could look at using or perhaps that Anchorage is using? Obviously only those things you are willing to share obviously.

Diogo Monica: Yeah, so internal policies are definitely having the ability of doing different policies for different assets for different amounts subdividing them, and very quickly be able to edit these policies in a safe manner is incredibly important for our clients.

Diogo Monica: If you think about multisig, it’s multisig withdrawal for the use of a Bitcoin key, but your custodian should also have the same kind of abilities and the same kind of quorum for adding a user or removing a user. So all of these operations need to be secure operations. And so what you end up having, is there are some custodians out there that allow you or force you to have multiple approvers for withdrawals, but then anyone can add new users. And so it ends up being this nonsense security model where you can actually add new users with a single user administrator permission, but then the transfer of value needs multiple approvers. But if you can add as many approvers as you want, it ends up being useless. So there’s aspects like that that are very much necessary around the policy generation in controls.

Diogo Monica: And then obviously the other thing that I didn’t mention is the actual aspects around regulatory clarity and governance. So Anchorage is a qualified custodian. We have a South Dakota Trust Charter, and Anchorage is also going through the process of having audits and Anchorage has insurance. So there’s all of these different things and different checkboxes that institutions want to see that for an individual is not as important or not important at all.

Stephan Livera: Yep. And how much of that has been an educational journey as well for your clients as well? So they may be coming from a world where they’re used to a typical ERP software system where you can easily provision access and de-provision access from a staff member. But now they’ve got to come and change that into now we’re living in a Bitcoin world, it’s not so easy to just give access in this kind of multisignature set up.

Diogo Monica: It’s been interesting because the people that come to us already come to us because Anchorage has the best reputation from a technology and security perspective, and really is the safest custodian. And so in a way, they’re already pre-selecting themselves for caring about the security of their assets. But you’re right that in Bitcoin, it’s very different to come from a traditional asset class to a bearer instrument, where there’s 100% loss and there’s no claw back if a key gets stolen or compromised. And so it’s a very different world.

Diogo Monica: We don’t typically do that much education because it turns out that the investors are already sophisticated. If you’re looking for a custodian, you already know they invest in cryptocurrencies and you’ve already at least heard that the custodian is the first thing you have to choose, and that the first thing you have to care about is security. And so it’s a little bit of a self-selecting process where people that talk to us are already familiar with the issues, and then it’s just a matter of us explaining how we’re solving these issues and how we go above and beyond everything else that is out there in terms of security features, and in terms of the product features that we provide to ensure said security.

Stephan Livera: Got it. And with the way the Anchorage solution is set up, how do the customers, so let’s say I’ve got some listeners who are thinking about whether they want to go with Anchorage. What are some of the ways that they would interact with Anchorage? Is it through like a web interface or what are the main ways that they would interact with it while still having their own control over the system but still leveraging Anchorage security?

Diogo Monica: Absolutely. So they would interact through their mobile devices and through the web portal exactly how you’d expect to interact with in a traditional system. However, the things that are happening in those applications are just fundamentally different. And in fact what Anchorage prides itself on doing is we have this security model where we require hardware on the client’s side and hardware keys, keys that never leave hardware on the client’s side, to sign transactions. And then those transactions are only unlocked inside of hardware on the actual Anchorage side.

Diogo Monica: So Anchorage runs these hardware security modules, which are purposely built devices that are made to create keys and safe keep them. And what we further do is we run the policy engine, the thing that verifies the policies, whether Joe and Jane actually signed this transaction, they also run inside of this protected hardware. And so the surface of attack is from hardware on our side to hardware on the client. And even though we have this kind of security model, then this kind of security, clients would interact with their normal devices and it would be a very usable experience. And then they will use those devices to get to quorum and to give as many endorsements as are necessary, and then as they’ve configured to be able to move transactions or do any operation in the system.

Stephan Livera: Got it. So look, we’re sort of coming to time, I want to make sure, obviously respectful of your time. If you’ve got any closing thoughts, any advice for listeners? Maybe you could give us some advice for individuals and then some advice for institutions on how they can protect their Bitcoins.

Diogo Monica: Absolutely. So in terms of individuals, if you have large amounts of Bitcoin and you are paranoid about your security and rightly so, I think the Glacier Protocol, if you go to glacierprotocol.org is a really good resource for, even if nothing else, for you to think about a very high end attacker model, an attacker model that really considers all the aspects that you should consider.

Diogo Monica: If what you’re doing is you’re a normal consumer and you don’t have that much Bitcoin, but you still want to have a safe mechanism of storing them, one thing that I usually tell people is an iPhone is a very secure device. They could actually buy a cheap iPhone or a secondhand iPhone, and ensure that they have it offline and they have it kept somewhere safe, use the biometric aspects of it, use the actual pin pads of it, and the fact that Apple has really good security to be able to download a really usable consumer wallet where they would keep their assets themselves.

Diogo Monica: They also have good mechanisms to back up. So that’s really the two options that I usually tell people depending on the amount of assets in their custody, depending on their technical competence and their paranoia. Very paranoid, very technically competent, Glacier Protocol is the right thing. And then, low technical competence and not as much Bitcoin, I do think that an offline mode device might be the actual right thing to do for an individual.

Diogo Monica: In terms of institutions the answer is pretty easy for an institution. I think anchorage.com is really the best solution there. And obviously having a usable mechanism that allows you to have accessible ability to use your assets, allows you to do active participation, participate in baking and generating yield at Tezos, voting on Maker, all of these other aspects that people aren’t really considering with Bitcoin, but they’re already a necessity, and something that investors care about, meeting their fiduciary obligations, I think Anchorage really is your best option.

Stephan Livera: Fantastic. So look, where can listeners find you online?

Diogo Monica: So @diogomonica on Twitter, pretty easy. And in terms of Anchorage, find us at anchorage.com.

Stephan Livera: Fantastic. Well, thank you again for joining me Diogo.

Diogo Monica: Thank you so much for having me.
