Conversation

SBF
@SBF_FTX
Replying to
@SBF_FTX
5) d) "that would be really fucking bad": username + secure password + authenticator 2FA, plus all the fixin's: --IP whitelisting --withdrawal address whitelisting --separate withdrawal password --whatever else is available Yubikey can replace authenticator for 2FA
1
19
SBF
@SBF_FTX
6) and for all of the above: Above all, MAKE SURE TO SECURE YOUR EMAIL ACCOUNT. No matter what else you do, if someone gets into your email they'll often be able to get anything. SMS 2FA is generally bad: coverage is spotty and some countries make it trivial to sim swap.
1
20
SBF
@SBF_FTX
7) Ok, but how about ledgers/other physical security? a) if the amount at stake is HUGE then these make sense (think 8-10 figures) b) if you really like them, then go for it the operative things here: --it's hard to not lose them --they're more secure
2
9
SBF
@SBF_FTX
8) so the question, really, is: how hard is it to break through version (d) above? It's really hard, and most approaches just circumvent these entirely. E.g. get into email and reset everthing.
1
9
SBF
@SBF_FTX
9) But there are some that don't: there are some attacks that only physical security can prevent. Those are *really* hard and only happen if there's a ton at stake, because that's when they become economical. That's when the gains outweigh the chance of losing the ledger.
1
8
SBF
@SBF_FTX
10) Or, if it's what feels natural to you and what you'll do a good job maintaining. Some other random notes: a) what's up with 2FA instead of just a 2nd password? Basically: you only pass a hash of your true 2nd password, so intercepting it doesn't give permanent access.
1
6
SBF
@SBF_FTX
11) b) no matter what you do, the most likely failure scenario is that you let your friend use your account and they take the money. Seriously. Most FTX account breaches aren't insecure passwords: A let B use their account and then B took the funds.
1
17
SBF
@SBF_FTX
12) Also, phishing is real. Don't get phished. The real defenses against this: a) use a password manager that warns if the URL doesn't match b) be on the lookout for things that look weird. If anything seems off, check to confirm.
2
13
SBF
@SBF_FTX
13) and finally: practice good hygine. It's ok to use shitty security for things that don't matter, but watch out for whether it's making you put your guard down too much.
2
17
Alex Conway .eth ⟠🍊
@alxcnwy
Replying to
@SBF_FTX
and
@SBF_Alameda
@SBF_Alameda
you should add some pointers on storing seed phrases Most “I lost my crypto” posts on reddit took a photo or typed their phrase into Evernote or something Never storing them digitally is best but switching words / order helps reduce risk if you do store digitally
1