Crypto Self-Custody 101 (with Austin Federa)

Publish Date: 2022/12/3
ACQ2 by Acquired

Hello, Acquired LPs. Welcome back to the Acquired LP Show. We are joined today by Austin Federa, friend and longtime Acquired community member who is the head of communications at the Solana Foundation. Hello, Austin. Hey, how you doing? Welcome back. Are you hanging in there? Yeah, it's been a long, been a long few weeks, but hanging in there, getting through, making progress, you know, all we can do these days. I bet. I bet.

For listeners who are wondering what Austin's referring to, we were out with Austin at Solana Breakpoint in Lisbon, which was an awesome developer conference, which of course, as everyone's flying out the next day, the FTX news breaks into the mainstream. And so nothing like a head of communications job to have to work with during this.

And you basically organized the whole conference too. Yeah, I was pretty tired at the end of Breakpoint. And then this happened. And there was a moment, I think three days in, this would have been like the evening of the 9th or the 10th of November, where I basically delayed my flight because I was like, I can't afford to get on a plane for 12 hours. I gotta be...

available. And of course, every single participant in the crypto community is glued to this news and scandal that's going down in real time with FTX. Yeah, the explosion of a centralized exchange, that doesn't necessarily mean that someone in my role who works for the Solana Foundation or any blockchain foundation is going to be on calls intricately involved in this process. But

FTX and Alameda Research had both been investing in companies on the Solana ecosystem. They'd participated in token rounds, private token sales from the Solana Foundation and Solana Labs.

So there was, you know, concern about assets that they held, were they secure projects that had been building on Solana? A few of them had their treasuries or pieces of their treasuries with FTX, because a lot of folks keep money in a centralized exchange to do things like payroll, right? All those sorts of things, especially when you're paying international contractors. And so there was just a lot of stuff to help the ecosystem try and navigate in the wake of this kind of explosion of FTX and Alameda.

And then at the same time, just a lot of folks, you know, anytime multiple billions of dollars of customers' funds go missing or disappear or get tied up in Chapter 11 bankruptcy like everything is now, there's just a lot of people who are hurting from that. Especially, you know, folks who maybe don't live in the United States or they don't live in areas where they have banking systems that they can trust.

They may have used something like FTX as basically their bank account. And so there's a lot of folks who are just in trouble, not just the Solana ecosystem, you know, folks in all blockchain ecosystems. It's a lot.

Yeah. Well, listeners, we've gathered you here today. In light of all that, David and I are putting our heads together on sort of what would make sense with all this going on right now to sort of do for the acquired community. And we asked Austin to do something with us to explain how does one stay safe?

in a time where you're not really sure like what organizations to trust, what are safe places to keep things. There is nowhere to put anything, any sort of asset that is 100% guaranteed safe from everything ever. You know, aliens invade and blow up all of our central banks. Like we've got problems then too. I've seen Die Hard 3. Yeah.

But at least to like talk through the upsides and associated risks with a whole bunch of places that one could keep crypto and to keep fiat. Because I think it's interesting to compare this stuff to the traditional banking system. Of course, we should say this is not financial advice. This is not investment advice. You should do your own research and you should figure out what risk level you are comfortable taking for whatever level of convenience with your funds, no matter where you keep it. Makes sense for you.

And we also would totally understand if, you know, you have a baby bathwater approach and you see what happened to FTX. Well, I don't want to say to FTX, you see what FTX caused and did, and it scares you away from a lot of this stuff entirely. Nobody holds anything against anyone. But if you're like, you know what, I still believe that there's a bright future in a decentralized technology that has a monetary value baked into a token that can be used to pay for compute

that happens in a decentralized way all across the world, then like, what do you do if you still want to do stuff here? So that is what we are here today to talk about. Yeah. And we should say quickly too, before we jump in, the original seed of this idea came from the digital assets channel that Austin runs in the Slack community, where you did a teach in the other day about how to do self-custody. So we're going to do

Part of that here, but also a broader discussion, literally came out of the community. It's great. Thank you, Austin. Yeah, thanks, guys.

All right, so why should one self-custody, Austin, and what does self-custody actually mean? Yeah, so self-custody is strange, especially in the modern world. If you think about it, almost nothing in your life is truly self-custodied. You don't actually own the books on your bookshelf. You don't actually own the music that you've even bought from iTunes, let alone the stuff you stream from Spotify or Tidal or something along those lines. Certainly not the money in your bank account. Are you self-custodying? That is not. Wait, wait, wait. I own the books on the shelf, right? Don't I? You don't own the words. Even most artwork nowadays is sold with a different right structure for display in a gallery and in commercial usage versus personal ownership. Almost everything in our world has been

Lawyered up, one might say. But there's been various licensing agreements or other forms of structures created. And even if the terms of service says you own something, which usually it does not say, the FTX terms of service said that the title stayed with the customer, the actual act of physically owning something is pretty rare nowadays. The most basic version of this is you can't put an app on your iPhone.

if Apple doesn't want you to, right? You don't have self-custody of your iPhone. You may have your physical phone, right? But like at the end of the day, like there's someone telling you- None of us own any software. All software is this way, right? Except like Linux, right?

The book analogy is a really good one. I own on my bookshelf over here with all of the books I've read for acquired research over the years, I own those physical objects there, but the ideas within them, I most certainly do not. Nice. Austin is holding up, who is Michael Ovitz? Did you read that before or after our episode? After. Nice. Glad we inspired you. In the traditional money ecosystem, I keep...

a very small amount of money at my house and keep the vast, vast majority of my funds either at a bank or other financial institutions where, and I probably, the case for most listeners listening to this, the vast majority of your net worth is not in money or in any sort of currency, but it's probably in assets that currently have a value that, you know, you own the title to and the ability to get liquid on that whenever the asset is available to become liquid. Yeah.

So it's even weirder than that. Great. Right. If you roll back to the original sort of like, let's stick with the U.S. because the U.S. is easy because it's not actually that old. Right. Money in the U.S. was a proxy for federally custodied gold.

I am not one of those gold guys. Like, please don't take this the wrong way. I'm not a gold guy. But what the gold guys will say is that, you know, even in that system where we had a gold standard, that was also not a self-custody relationship. That was like, there's a gold in the vault somewhere.

The government owns the gold in the vault, and I have a piece of paper that in theory I can redeem for it. Even back in those days, money was not a self-custody activity. Is it now? Like, when I own dollar bills, do I own the dollar bills since they're not backed by anything? No, because the government can take them out of circulation. The government can add the serial number of your dollar to a blacklist serial thing, and if you try and deposit it in a bank, it gets flagged by a system. Huh. Fascinating.

Even right now, dollar bills are a licensing system. I would be really curious if someone actually tried to run the Howey test on a US dollar and see what happens. I'm pretty sure it would fail. Listeners, you're wondering probably like, why are we getting so esoteric in this? I think it's important because a lot of the debate around self-custody and the merits of self-custody, there's sort of a practical reality and then there's a technical reality.

And so like the technical definition is, well, you don't really own your dollars because the US government can pull your dollars out of circulation, whether they are currently touching them or you are currently touching them. But in reality, the practical matter is when I've got a stack of ones or hundreds or whatever in a little strong box in my house, like I can use that cash and I own that cash and there's...

There's all the upside that comes with that. And of course, there's also the downside of if somebody breaks into my house and says, open the safe, I'm going to open the safe, and then they just get the cash. Yeah. And so one of the really important sort of mental transitions that happen, right, is like there was the physical custody where like,

You have a safe in your basement. It's got a bit of gold. It's got some emeralds, whatever. There are physical things in a box which you control that someone somewhere in the world has said, I'll give you some good money for this thing. Or, you know, you can trade this bar of gold for a boat or a horse or whatever. We have never had something that was both digital and valuable and sovereign before Bitcoin.

Those three things had never been combined. Everything that existed digitally was a licensing regime or it wasn't actually held by you. Okay.

Oh, that's fascinating, because you had no mechanism to do digital scarcity before Bitcoin. Yeah, I mean, setting scarcity aside, though, like the only one that can verify that my bank account says what the numbers say in my bank account are my bank. There's no independent way to prove or verify or defend that number in that database somewhere. That is a not only a centralized activity, it is a monopoly, whatever, like you'd call a monopoly of economic violence, right? That is what the bank has.

The bank is the only one who can sign the piece of paper in their letterhead.

when somebody who is a customer of that bank says, I own this bank account with this number and this amount of funds is actually in the bank account. The bank is really the only one who can sort of vouch for me and say, yes, that's true. Yep, exactly. So that was sort of that initial innovation of both digital scarcity and Bitcoin. And you guys have done all the episodes on sort of some of that stuff before, so you don't have to go into it in too big of detail. But a key component of that is that

A user can provably and objectively say that they own something that is digital. That's a really, really important concept here. And the follow on from that, right? When I can say to the world, this account, this Bitcoin wallet, this Ethereum wallet, the Solana wallet, I have the keys to it, which means I control it. And all of you can see that like,

The money is in this account, right? The Bitcoin is in this wallet address. The tokens are in this place. This USDC is on Solana, on this account that I control. And it's not even saying that I control it. It's that this key pair controls it. So how did we end up with like FTX tokens?

losing a bunch of money, right? Like this is like, we start with this really... A whole bunch of people wired money to an institution that had a bank account somewhere or some way to keep all of our money...

And then they represented some numbers in a browser. That's going to come out in the coming years in bankruptcy courts, whether that was true or not. Who knows exactly how the system happened and what money went where, but we can all sort of agree at this point there's a multiple billion dollar hole in FTX and they filed for Chapter 11 bankruptcy.

Getting from this idea of like, finally, I can actually prove to the world that I own something that's just under my sovereign control to a multi billion dollar hole that people are calling like a collapse of crypto. There's a lot of steps between where we started and where we are today. And truly, the only way to protect yourself from something like that is to do self custody.

And self-custody means you are holding your digital assets, your crypto, yourself. And you're not relying on someone else to do that.

Can you give us the technical definition of self-custody? And then we can get into the practical definitions and ways that you might do it. So the technical definition is not your keys, not your crypto, right? Which is a thing you hear on Twitter all the time. It is you hold your keys. Yep. And there are practically many ways to do that. The more technical version is that only one entity in true self-sovereign custody, that could be me, that could be you, that could be my company, whatever, is

has the keys to sign a message against an on-chain address. And what that message could be, I own this thing. That message could be,

So it's self-custody technically, but it's also a way of saying, well, I'm going to send one Bitcoin to David.

Practically, these days, it's associated with having a hardware wallet. But technically, it doesn't mean that you have to have a hardware wallet. It just means you hold your own keys. In fact, even when you have a hardware wallet, it's not like the Bitcoin are on there. I mean, it's like you hold...

the right to sign a transaction to send Bitcoin from a certain address to anyone else in the world. But that is the crazy thing to think about is like, even though it's a bearer asset, even though it's self-custody, even though I own my Bitcoin on a ledger that's under my pillow and under my mattress or something, and I don't, by the way, it's not like the crypto is on there.

My private key to sign transactions is on there and the value exists on the blockchain observable by everyone. Yes. And this is why like there's a whole range of what self-custody means, right? If you download MetaMask or a Glow or Phantom or Solflare or Trust Wallet or even the Coinbase wallet app,

on your phone, you can store keys to crypto on your phone. And that is still self custody. That is you being the only person who has a copy of those keys, right? And the reason you know, you're the only person with a copy of those keys is you generated a seed phrase. And that seed phrase is, you know, you hopefully save that some we'll get into some of the practical stuff later. But that

That key only exists on that device, or it only exists on devices that I control and have approved and authorized. It's not backed up on some cloud server somewhere. It's not in my iCloud backup file. It's set aside in its own special place. And contrast that with what we...

are pretty sure we know happened at FTX, which is that customer deposits at FTX, someone somehow at FTX was able to move those funds. Yeah, I mean, there's two things we know to be true at this point. The first is that there was a cash hole and there was this weird unauthorized transaction where about $600 million of digital assets moved out of FTX as well.

And so it's entirely possible that I don't want to get anyone's hopes up, but like it is technically possible that everyone's digital assets are still in storage at FTX.

And what's actually the problem is that there's a loan that they owe money to that they can't repay. This is one of those things that like Sam tweeted. And like, again, I don't trust anything that he has said or says. And no one should you should only rely on court filings and the new CEO of FTX, who I think also took Enron through their bankruptcy procedures. If you haven't read that initial filing, it is a it is a doozy. But what we know is that

FTX is what's called a custodial platform. Coinbase is a custodial platform. Binance is a custodial platform. These are places where you do not control the keys to your crypto.

In fact, there's companies like Fireblocks, right? Fireblocks' entire business is to build large, well, they do a lot of stuff, but one of their core businesses is to build signing infrastructure so that an exchange like FTX can actually sign thousands of messages per second from their private key storage to

to authorize when I want to send some USDC from my FTX account to my ledger. Again, the reason companies use decentralized exchanges is sometimes it's easy to run things like payroll from it. So if you have to pay, you know, 100 contractors all around the world in USDC or something like that, you can do that on a centralized exchange. And you don't have to

type in your ledger password and click approve 100 times, you can just do a batch transaction like you would from ADP or some large payroll provider, specifically because they control the keys and they can automate a bunch of that process for you. So you just touched on a very important high level concept, which is the trade-off between

that comes from not self-custodying your crypto. So it might be much more convenient for you to keep it somewhere else. And this is a classic thing in security generally. I mean, even think about how much easier it would be for you if you didn't have a lock on your front door. Well, there is always a trade-off to be made when you have less security that you get more convenience.

I suppose not always. I suppose you could find some scenario where you get the double negative, but you have to sort of decide on any given risk spectrum where you are comfortable giving yourself inconveniences in order to get security. Yeah, and there's a lot of reasons people don't do self-custody, and some of them are pretty reasonable. And there are various levels of non-self-custody solutions that accomplish different goals.

For example, let's say that you have a lot of crypto assets, but you have a partner, a spouse who is not particularly crypto savvy at all.

If you get hit by a bus, do you have confidence that that individual is going to be able to figure out what your ledger is, where it is, get the seed phrase, restore the thing, like that they're not going to ask someone for help in that process who's then going to just steal the crypto assets, right? There's a huge amount of like the true self-sovereignty that exists nowadays is very much like

man in the woods in a castle with a shotgun, right? Like it's not friendly for inheritance or for setting up things like trusts or for doing sort of anything like that. There's reasons that you may want to have a custodian. Now, there are things that are called custodians, right, which are not your FTX account and not your Coinbase account. Coinbase has a product that is called Coinbase Custody.

which is like, I'm pretty sure it's insured up to a certain amount against like loss, but also it is like deep cold storage. It takes you 24 hours to get a withdrawal from it because I don't actually know exactly how Coinbase Custody works, but like presumably someone has to go into a secure room and get a piece of paper that has some information on it, right? Or a piece of metal or something along those lines. It's much more akin to like a Swiss bank vault that has a gold bar in it than it is like your bank account you can log into online.

Anchorage is another one who does something like that. Which is this intermediary step between that is a different place on the risk convenience spectrum, where if I don't want to play it fast and loose and put my whole life savings onto some centralized exchange that might be run by dubious actors, then

But I also don't want to necessarily put it all onto a USB stick that, you know, I might lose or something that there's downsides to that too. This is sort of a nice intermediary where you're like, I'm literally trusting a custodian. My user interface to it is easy. It's something I understand. It's using a phone like to make a call or maybe it's using a username and password, something I'm very familiar with. But that intermediary takes care of all the sort of tricky stuff for me, almost like a safety deposit box.

Yeah. And, you know, I think things like Coinbase Custody and Anchorage and those sorts of like true custody solution providers, they're very attractive to like a hedge fund or a VC, right? Like I'm sure that a16z or Multicoin probably doesn't personally custody all of that crypto because they're managing for a different risk there, right? They're managing for disgruntled employee risk, right?

Or, you know, wrench attack risk. Well, also just the simple fact that they have multiple people within an organization that need to be able to access and transact with crypto, which in the man in woods with shotgun scenario is not possible. Right. And so this kind of gets back to like, why doesn't everyone self-custody? I think there's a few reasons for this. And some of them are technology.

So we should talk about Ledger a bit. Ledger is the dominant hardware wallet provider. They have the most broad-based support for different networks. There's also Trezor, which is sort of still in development. It's kind of more of an open source type of hardware wallet. There's a few new companies that have popped up too that are doing really cool things. It's really nice to see there being more competition. But Ledger is like the industry dominant player at this point. They will sell you a piece of hardware that has...

the ability to type a pin code in it. It's got a USB connector on it. They have another version of Bluetooth. One of them is 80 bucks. One of them is 150 bucks. Looks like a thumb drive. Looks like a thumb drive. For all practical purposes is a thumb drive. Yes. Except there's a little bit of compute power inside of it. And that's super key. So what happens when you sign a message in any sort of self-custody situation is we have this idea of a wallet, right? And MetaMask or Phantom or Solflare is

They're really interfaces more than they are truly wallets, right? So a transaction request will be generated. You say, I would like to send Ben 100 USDC, and it will create an instruction set that'll do that. And then it will basically go,

Someone has to sign this message. Oh, like an instruction set in the sort of native language of whatever the blockchain is. So in Solidity for Ethereum or, I don't know, a Rust program on Solana? Yeah, I mean, it's actually called SBF. It's Solana bytecode format. Oh my God. Austin, it's time for a rebranding. Who is in charge of comms at Solana? Yeah.

But it writes out like a program. It lists out a program that's going to execute the, you know, transfer or whatever transaction that I want to make that it's about to sign. Totally. And then the wallet does something called a transaction simulator where it basically shows you like, hey, here's the instruction set. Here are the balances that are going to change as part of this.

If you're paranoid, you can go in and actually copy that code. You can put it into a different transaction simulator to make sure the wallet isn't lying to you. And you can verify exactly what's going to happen once that message is signed and broadcast out to the network. Then the ledger comes in. All the ledger's job is to do is say like, here's this stream of data the wallet has handed me.

I have a private key on it for Solana, Ethereum, Bitcoin, whatever. And then once the user authenticates and allows me to sign, I'm going to take this message and sign it with my private key. The instructions are not generated on the ledger. Those are generated in what generates that code. So it depends. It's either the dApp or it's the wallet.

In something like Solana, the dApp does most of the generation of instruction sets for you. And then the wallet tells you exactly what that instruction set is, right? So there's sort of a check and balance there. On Ethereum, the wallets are actually, I believe, creating most of the transaction requests themselves. So they're basically looking at the contract and being like, we want to do this thing. Here's how we do that thing. The transaction builder is on the wallet side, whereas on Solana, it's usually on the dApp side.

A dApp being the distributed app. So for anyone who is listening, who is like bought half a Bitcoin, they just keep it on Coinbase. They're not familiar with dApps. This is like kind of the purpose of Solana or Ethereum, which is the actual web application that uses crypto. So you can think an Orca or I don't know, what are some popular? I mean, even an NFT marketplace. Oh, okay. So yeah, Sorare or OpenSea or anything like that. Yeah. Yeah.

Exactly. So in those situations... So that's going to generate the instructions. All that happens on the ledger itself is just signing that document.

Yes, that and stream of data ledger, it can't deconstruct like something as complicated as an NFT transaction. But if like you're trying to send David some USDC, it'll actually show you a little ledger display like, hey, this is a really simple transaction, we can parse it and we can tell you exactly what is going to happen when this transaction occurs. So for really simple stuff like that ledger will actually give you a third point of verification to say like, yep, this is what you're about to approve.

The really important part here is that signing all takes place inside of the ledger. At no point do your private keys or even a request to sign transaction or something like that leave the ledger itself. What comes off the ledger is a fully formatted, fully signed message ready to be broadcast out to the network. Which is totally fine if that's publicly viewed. Yeah, because you want it to be. Basically, once you've signed a transaction...

You could not broadcast it, I guess. You could pull the plug to your computer and rip your Wi-Fi router out. A signed message, all it needs to be done is being processed by the network. This is cool. I actually didn't realize this. On a ledger or a similar device, the private key and what the private key is used for...

never hits any sort of networked environment. It's all within the physical confines of the little stick. Which is why that little stick has a tiny bit of compute power on it. Because it needs to do some simple math to sign a transaction. Which, for keeping the keys safe, not having the key hit any sort of networked environment is important. It's not like I plug it into my computer, it transfers my private key temporarily to the computer which does the transaction. It's like, no, no, no, no, no. It just sends out...

a fully signed message. It really gets to the thing that we talked about in our Bitcoin episode, David, which is the like one way math idea that, you know, when you have the private key, it's super easy to sign a transaction with it. You don't need a lot of compute, but you need like a whole data center of compute for a thousand years to try and sort of brute force and figure out what the private key was. Yeah. And the other way to think about this is like, this is the same way that air gap signing works,

So in an air gap environment, this is not a crypto thing, right? Air gap signing is how, I'll take a fun little detour. If you remember Stuxnet? Yeah. Yes, yes, yes. Yeah, the virus that destroyed the Iranian centrifuges. So what they actually did is someone broke into, I think it was Realtek.

in Taiwan, their server signing room, and they signed malicious code with the signature that Windows had issued Realtek to be able to install drivers in Windows. And so they signed this malicious code. When the code went to execute on these Windows machines, Windows said, look, it's been signed by like a company that we've done intensive security audits on. So like if they signed it, it's good. And the code ran.

And these are literally like, if you've seen Mr. Robot 2, there's this amazing scene where they break into a bank signing vault, right? And that's exactly the same thing. It's an air-gapped machine past multiple levels of security. A ledger is basically doing that, except there is a USB connector between it.

But in an air-gapped environment, you take a fully formatted message, you move it into the clean room or whatever, you sign it, you take the output of that, and you bring it back to the other computer. Do I have to trust the Ledger company? When you do a firmware update, you're trusting Ledger. But short of a firmware update, you're not actually having to trust Ledger at all.

And why is that? Is there like some auditability on it? Or is it how do I know that they're not taking my private keys and sending them back to themselves? There's no way they could do that from a technical standpoint, right? The way that the signing and messaging works is like those keys are on the ledger, and you can't export them out of it. Now, ledger, I think,

has good enough engineers that, you know, gun to their head enough months, they could build a version of firmware that you could extract a private key. I'm sure that's technically possible, right? This is where kind of what I was saying is like, when you do a firmware update in your ledger, that's an act of trust.

Because you're hitting their servers and saying, give me whatever firmware. Exactly. And Ledger is not without its own security incidents. They've never had anything that has compromised digital asset security. But like a database of customer addresses got leaked. That's not great because... That seems like a bad thing, right? I mean, what we say, like what we tell all our employees, like what I tell people is like, if you order a Ledger, send it to your work.

If the databases get leaked, at least your home address isn't in there. That has nothing to do with crypto. Right. That could be literally any, like when I order shampoo off the internet, send it to work so that my... Except, you know, I could make an argument that like... Well, except when you order shampoo, nobody cares if you have shampoo at your house. People probably care if you have a ledger at your house. Right, it makes you, yeah. Yeah, and this sort of gets back to like, why would someone use FTX or Binance or Coinbase, right? And...

There's professional traders who they're doing it because they want to be in the execution environment that they can hit a lot of liquidity on. For most users, like if I'm doing something like traveling to Breakpoint, I'm probably not bringing a ledger with me, right? It just, it feels like it kind of makes me a little bit of a target of what we call a wrench attack.

Like physically getting attacked with a wrench? Yeah, it's a very sophisticated attack where they hit you with a wrench until you give up your private key. But you don't want to be a victim of a wrench attack. Yeah, you really don't want to be a victim of a wrench attack. And if you have a ledger and someone sees that you have a ledger, they know you have a pin code you can type in, right? So we're not even talking about like, how do I get a seed phrase wrench attack? We're talking about like, well, it's an eight digit code. He probably knows it, you know, that kind of thing. It's pretty interesting how the amount of security can get reduced from an unguessable hexadecimal massive private key to just a two factor authentication. One, having the physical device. Two, knowing a very short pin code to that device. So when you carry it around with you by eliminating the first factor, then like

You're super vulnerable to it just needs to have the very short pin code typed in. Yeah. I mean, the only problem with crypto has ever been people. It's like the problem with any perfect system. Yeah, it's the people. But the thing here is like this makes self-custody sound scary. And like, I want to be clear, it's actually very easy to

But it's sort of the same thing as like, if you think too much about democracy, you'd never start one. If you think too much about starting a company. Yeah, starting a company, having kids, like any of that. Yeah, like if you think about having kids, why would anyone ever have a kid? What an insane idea. Or to make it a more direct comparison, it's like,

absent 100 years of trust of the JP Morgan Chase company being built up over all the years. And you could argue they've lost a lot of trust or all big banks have lost a lot of trust by having executives that embezzled or whatever or screwed over customers and took federal bailouts and blah, blah, blah. But it's that like Lindy effect of, well, they've been around for a long time and they've been trustworthy for a long time. But if you just stood up a brand new company, you know, David decided to start some company

you know, Nuco Inc. And that place had a storefront and a vault in the back. And they're like, hey, I promise that like if you bring your life savings to me, I'm going to throw it in this vault. Like anytime you want, you can come grab it. You'd be like, I am not doing that.

That there's a zero percent chance I am doing that. And so to the extent that you are going to start from scratch, the idea of like, you actually own the only means to transfer money away from yourself sounds much more reasonable than, I'm gonna go and let you keep it in your vault and hold me, you know, effectively hostage to when I can and can't access things that are mine. Totally.

AIG was also founded in 1919. Right. The Lindy effect is not always a valid reason to trust. It is just a very human... For folks who don't know, it's like, I think the Lindy rule is if something's been around for a long time, we're inclined to believe it's going to be around for at least that much longer. There's sort of like a weird bias that we have. Come here. But I believe the name actually comes from a restaurant in New York City called...

Oh, Lindy's like near Broadway. Yeah. Yeah. Yeah. Because it had been around so long, people assumed it was good. It wasn't necessarily that it was good, but I love that. So Austin, you were, you're telling us the point, this system sounds terrible and so do all the others. Oh yeah, exactly. Right. And so, um,

Look, the early days of crypto were not created by people who wanted to make money. They were created by people who had deep philosophical and ideological views on the world who had been pretty heavily burned in the 2008-2009 financial crisis, and they were looking for something different. And idealistic engineers who care more about philosophy than product generally don't make particularly user-friendly systems. And I think that's a blanket statement that is pretty defensible. Yeah.

And I would go as far as to say is until maybe two to three years ago, Ledger was a pretty hard product to use. All of these self-custody solutions either required you to download a key store file and keep it safe somewhere on your computer, or it required you to write down 24 words of a seed phrase on a piece of metal and like figure out, all right, where do I keep this piece of metal now? Do I put it in my wall? The physical security thing, when you start thinking about it, is overwhelming. The same way that like, if you really think about like your digital security, it's also overwhelming. And so because all these systems were designed by people who were already like thinking about them and using them, they weren't thought to be like user-friendly systems. But nowadays, like using a ledger is really easy and keeping the stuff safe is actually pretty easy as well. And this idea that like,

If I can't figure out my underground bunker where I can back up my seed phrase, I might as well just use FTX. Like, I think that's the place where the industry really let people down. Okay, so it's probably wrong for me to take all my crypto off of everywhere that I have it because it's sprinkled all over the place and put it onto my ledger and then bury that in the bunker and say, that's it. What are reasonable trade-offs to make, right?

Rather than not investment advice and everybody should decide on their own how they should. Yeah. Maybe phrase differently. What are reasonable trade-offs you've seen other people make? Or maybe that is the right answer. No, I mean, I think there's like the trade-offs that people make are around in some ways, the biggest question is how much money are you willing to lose? I don't have concerns keeping a thousand dollars in software wallet.

I would be sad if I lost that, but I trust Glow pretty well on a software wallet side or Phantom. And especially in the early days of Solana when Ledger support for software wallets wasn't particularly good or prevalent yet.

That was okay. And to be clear, this is still self-custody. It's just not self-custody on a hardware wallet. Yeah, that's a good clarification. Yeah, we're talking about software wallets. The problem with software wallets is they're software, and software is often broken. We just don't know how yet. It runs on the very same CPU that the malware on your computer does. Yeah, or like...

The privacy and sandboxing between Chrome extensions is actually really poor, right? So like it's possible a malicious Chrome extension could try and extract data from your Chrome extension. I think the safest software wallets by far are the ones that are on phones because Apple and Google do a pretty good job of sandboxing between iOS apps or between Android apps. If you're running a pure software self-custody solution, I would highly recommend doing it on a phone as opposed to a desktop.

Is this why like Google Authenticator or Authy, most people run it on their phone versus it being a common thing to have in like a browser plugin or a desktop app or something? Yeah, like the internet was never built for security.

And so like a web browser is like a really, really weird place to try and put stuff that needs to be secure. You remember the internet before Chrome? What a mess. And even now Chrome is like, still, there's stuff all the time that happens with these things because they're massive code bases that are built to do hundreds of thousands of different things with multiple languages they have to interpret. Like it's not a system that's built for security. Like the security in Chrome is like,

Chrome can eat itself and it can't touch the OS or each tab on Chrome can eat itself and not touch the other tabs. It's not like can one piece operate in an isolated safe environment within your entire browser? The answer is like, not really. Right, right.

Right. So these are canonically referred to as hot wallets, since it's self-custody. The keys only exist right there in a place where you own them, but they're optimized for convenience. You don't need to plug anything into your computer. You can sign a transaction. You can send Bitcoin, Ethereum, Sol, whatever, right out of your browser tab. You generally just need to type in a password to access it. And so sure, it's self-custody, but it is riskier than keeping it on a USB stick that's a separate device.

Yeah. And you know, the irony is like, if you'd polled me and said, like, is it safer to keep it in a hot wallet as a Chrome extension, or Coinbase or FTX, I probably would have told you FTX or Coinbase was a safer place to keep it. Six months ago, you would have trusted those institutions more than you would have trusted the browser security. Yeah, I mean, as I was saying, the only problem with crypto is people. Like that was a values judgment that I had made that

Coinbase is a large publicly traded company with audited financials and shareholders and fiduciary. You can make a very convincing argument about why an organization like Coinbase, its existence revolves around not imploding. And you can make the same thing with FTX as well. Turned out to be wrong with FTX, right? But publicly traded companies also do explode. Enron is a great example of something like that. Right, right. Exactly, exactly. Exactly.

Not investment advice or risk advice, and everybody should do their own research, come to their conclusions about what makes sense for their scenarios. But it seems to me, especially learning all this from you, one reasonable approach is not to be a quote-unquote maximalist about any of these things, to have some assets in a cold wallet, hardware wallet.

Some in a software wallet, hot wallet, some on a centralized exchange. Is that reasonable? What is a reasonable thing to do? Yeah, so a very common thing, one thing I want to add to this is like,

your physical situation determines a lot of your security apparatus. I think that's really important to kind of keep in mind. If you live in an apartment full of roommates with doors that don't lock, keeping your seed phrase anywhere in that situation is pretty risky. The chances of one of your roommates or one of your roommates' random hookups like coming in and finding your seed phrase...

Your physical situation governs a lot of this, but I will keep the majority of my stuff on a hardware wallet because I think that's the thing that I trust the most. I am not at a level of wealth where I feel like I want something like a Coinbase custody or an Anchorage as like an additional level of security on top of that because like for whatever reason, that's kind of the place I'm at.

Or like, what's the thing that the Winklevoss twins do? They've like sharded up their private key into several pieces and spread it across a variety of security deposit boxes, I think all over the U.S.?

Yeah, they're a little, they're a little extreme. But there's, there's, there's actually better versions of that nowadays that are just starting to come online. I would keep some in an exchange to, you know, if I had to pay someone for something and they wanted USDC or something like that, like, let's say it's an artist who did, you know, something for the NFT projects that were released at Breakpoint or something like that. I might move those funds preemptively into Coinbase.

And then when the person's like, great, job's done, like, can I get paid? I would log into my Coinbase account and I would send them USDC. Because it's sort of like, even if you are afraid of flying on airplanes because you think they might crash, the chance of the airplane you are on crashing on the flight that you happen to be on is astronomically low to zero. And so it's like, even if I don't trust centralized exchanges, the chance that it's going to explode is

in that three-day period where I have funds in it is quite low. And it's that particular exchange. Yeah. There is one thing that's worth sort of critiquing on. Well, any public company could implode. There is a difference. I sort of brought up the idea of David founding a new bank down the street. If that bank is FDIC-insured...

then up to whatever amount, is it $250,000? There's some amount of assets in a checking account that's FDIC insured. It's like even if that company goes under and even if that company had a run on the bank and had loaned out a bunch of the money and bought speculative assets that went to zero and they couldn't make their customers whole, there is an additional government backstop on that financial institution collapsing as a corporation. There is a level of risk, I think, unless I'm misunderstanding something,

if I keep something in Coinbase, which many people do, that if something bad happens at Coinbase, which again, it seems like the safest of the centralized exchanges, and it's a public company with audited financials that doesn't trade leverage, blah, blah, blah. But if something did go wrong, that's not an FDIC-insured bank account the way that JPMorgan Chase's are.

Right, exactly. FDIC insurance is a very weird, innovative product that only is possible with like massive subsidies. And I think it's a nonprofit and a government entity. Oh, really? It's not just tax dollars? No. So FDIC, there's a membership fee to be a part of it. So it's an independent agency created by Congress, but it's like the post office or Amtrak, where it's not actually technically a government department. Right.

I believe. We should fact check. I didn't know that Amtrak was that either. I thought they just stole the am from America's name, but like Bank of America. It's not created by the federal government. It costs money to be FDIC insured. And part of that is you really don't want to create incentive structures where

oh, let me just create a bank and I'll just FDIC it. It'll be a giant money-sucking loophole. But Coinbase One, the Coinbase subscription service, it includes a certain amount of liability protection even for unauthorized account access nowadays. So we're starting to see products that more closely mirror some of the safeguards you get in traditional banking coming to centralized crypto providers.

Now, that fund has to still be solvent. And that fund has to be administered by people you trust. All problems are human problems. So if we didn't trust the administrator of the FDIC, or we didn't trust the US federal government to backstop it, like all of these things have some level of trust in some person at some point. And you just have to decide like, what level of risk you are comfortable with, assuming you don't want to live in the cabin in the woods with your shotgun.

Exactly. Well, even that's a level of risk. So one question, Austin, for you back to hardware wallets for a moment, because I have this question, thinking about it, I assume many people listening would too.

Let's assume you buy into hardware wallets. You want to keep at least some portion of your crypto assets on, say, a ledger. Where should you then keep your ledger? With you somewhere else? Does it matter? What's the right way to think through that set of trade-offs? So let's go through a little bit of ledger practicality. So when you buy a ledger and you set it up, you will have a 24-word seed phrase, unlock.

Now, what's interesting about Ledger is you don't actually get a different 24 words for every network you support. So that 24 word seed phrase, when you imprint that onto your Ledger, it will always generate the same private key for Ethereum, Bitcoin, Solana, whatever, because it's all derived from that same piece of cryptography, which comes off your 24 word seed phrase. That's pretty cool. What that also means is your Ledger is not inherently unique.

You can take that same seed phrase, you can put it onto 45 ledgers if you wanted to. 400 million ledgers if you wanted to. It's not like the wires in my ledger are connected in some unique way that only my ledger can sign. And all the ledgers are the same. And when you imprint these 24 words on it, you write down on a piece of paper that ledger sends you when you take your ledger out of the box, that works on any ledger.

Yeah, you know, a lot of people think about like, oh, a ledger, it's just like a YubiKey or a hardware security key that you might have for like accessing a system at work. It's actually the opposite of that, right? Each YubiKey generates a different signature and that can't be faked. Part of the point of ledger is if you lose your ledger, if it gets destroyed, if it stops working, you're not safe.

You can actually take that 24-word seed phrase and you can restore it onto a different ledger. You drop your ledger in the bathtub, right? I don't know what you're doing in the bathtub with your ledger, but like, you know, you're not... Some people love crypto. Well, I asked where you should keep your ledger. You should definitely keep it in the bathtub. Yes. Yeah. So this gets to, like, now we've already taken one step into the convenience camp away from the pure security camp because...

If I was SOL, you know, that would actually be much more secure because I didn't have this piece of paper floating around that could, you know, turn anybody's ledger into my ledger. Yeah, I mean, I could argue that the other way too, though, right? Is like if what you actually care about is the sovereignty of your assets, having it tied to something that could go poof is scary. So where do you keep your ledger? Somewhere fairly safe, but it's not mission critical safe. And you need to be able to access it to sign...

transactions with it, assuming that you want to do stuff in crypto. We didn't talk about the idea that you might not want to just own a bunch of crypto and then bury it in the ground forever. You might want to participate in the crypto ecosystem, do DeFi stuff, trade NFTs. Stake and earn staking rewards, right? All of that stuff. Exactly. Play games using crypto assets. Yeah. Yeah.

Again, because a lot of this stuff was created before smart contracts existed or before the idea of commonly used smart contracts that everyone would be interacting with, let alone like I need to show my bored ape to get into this party. There's all sorts of like self-custody runs into a bunch of practicality problems, which is cool. And like there's folks doing really cool stuff to solve that. One of the pieces here to think about is like,

The security of that ledger is medium important. The security of that 24 word seed phrase is paramount.

That is the thing that like, maybe it's backed up in a safety deposit box. Maybe 12 of the 24 words are in one safety deposit box and 12 of the 24 words are in another one. Maybe you have 12 of them at your mom's house in the attic and she doesn't even know they're there, right? There's a lot of those kind of situations where you probably want to have it backed up in more than one location. And then you probably want to have it

If you want to do that thing where you shard, you have some piece of that seed phrase in some different locations, you can do something like that too. You pick 24 friends you really trust and you bury it in their mattresses. But there's all sorts of other approaches to that too, which get really interesting. The reason you say the physical security of the Ledger device itself is only of medium importance is that

You need a pin code to unlock that ledger. Whereas the seed phrase being maximally important is that all you need is the seed phrase. You don't need anything else. If you got that, you're in. Whereas if you, somebody steals your ledger, uh,

they'd still have to guess the pin code. Yeah, and there's all sorts of tamper-proofing and you enter the pin wrong too many times, the ledger locks itself out. Basically, ledger's done the math and be like, you can't really brute force this thing. And you have to trust that they've built it in such a way that if someone actually disassembles the thing, they can't bypass a lot of that security stuff too.

I think Ledger actually has like audit reports and all this stuff too, which are cool. You can go see there's like videos on YouTube about people trying to crack into Ledgers and stuff. And it's, it's, it's cool to see how much security there actually is there. Which is good. Like you want a bunch of white hat people trying to break this system. If we're going to trust it and for our self sovereignty, like,

Again, you're always taking a dependency on some set of humans. So if these are the set of humans we're going to take a dependency on, it's really nice to have a free market for their trust emerge of white hat hackers trying to break it. Yeah, which is really cool. It's also really interesting thinking through all this. For me, at least, it's forcing me to think about like, what are the security trade-offs in...

the rest of our, you know, financial world. Like on the one hand, like, oh man, that's weird, like if I were carrying my ledger with me, somebody could like wrench attack me and like make me put the pin code in. Like, but anytime you're carrying your phone, it's the same thing. Our phones have access to our bank accounts. Oh, and they can Face ID you while you're unconscious. Yeah, totally. Yeah, but like I love this analogy because like one of my favorites is credit cards.

Why do credit cards charge 2.75 to... Because they can reverse any transaction. So it is worth paying the middleman a VIG on every single one of my transactions. Or more appropriately, it's worth the merchant paying the middleman a VIG on every single one of my transactions. Because if anything goes wrong, they will figure it out and make me whole. Yes. But part two of that is it's an insurance fund. They could make credit cards basically fraud proof, but it would hurt the UX.

So some accountant somewhere in some modeling person has made a decision that chips are not a big enough burden on the user that we won't put them on the card. Like in Europe, you also have to put in a pin code to use your credit card, right? In the US, they decided that customers would not remember them and that they would lose more money from people not using their credit card than they would save on the fraud claims and

So it's worth just expanding the take rate a little bit, make it 3.1% instead of 2.9%. But so there's going to be more fraud and we'll just cover it because it's worth it. Yep, exactly. And then you invest in fraud tech and that fraud tech becomes an exponential return investment. Because if you can reduce your fraud by 1%, you've increased your take rate.

by more than 1%. Right, there's scale economies to fraud tech. Yes, which is cool. But sort of going back to the kind of the crypto version of this, right, is like, it's really is a choose your own adventure of security when you're talking about self custody, and you really should do self custody. It's the difference between using AOL to like, click on some keywords and explore a few web pages and actually downloading Netscape and getting on the internet yourself.

I would argue there's an even better analogy in podcasting where when you're using a podcast client like Apple Podcasts that is literally directly subscribed to the RSS feed produced by David and I, you're not taking a dependency on a centralized middleman.

But when the only way that you find out about acquired episodes is you follow us on Twitter, you're trusting that Twitter is going to always make sure that you know of the most recent acquired episode because it will surface that tweet to you. Your destiny is not in your own hands. Your destiny is in Twitter's hands and it might have different interests. Yeah, or Spotify, right? Spotify does not expose the RSS feed directly to a user. They cache it and then they give it to you. So they might be

pulling an episode of your podcast out and you wouldn't even know. In practice, actually, Apple's the bigger risk for that because they have almost no one working on the product and so random episodes will go missing by pure happenstance. Austin, I think we should expand your truism of crypto to all of technology and software. The only problem with technology and software is people. Yeah, sounds about right.

I think by this point, people are realizing, okay, if I have a meaningful amount of funds in cryptocurrencies and those are sitting on exchanges, I should consider self-sovereignty in some form, either hot wallet or cold wallet. There's benefits to both. There's probably even more of a benefit to putting most of it in some kind of cold hardware storage and having some in a hot wallet. There's probably lots of other benefits

reasonable reasons to pick a very, very reputable exchange to keep this on. So then the question is like, where do you think this all goes? Because this is kind of complicated. And to the extent that there are big Web3 use cases in the future, we will need much better user experiences for people to participate in those.

Undoubtedly. We are still in the stage where self-custody feels like taking the phone off the phone hook and sitting it on top of a modem, right? Like the old desktop grade modems. And eventually we move to a place where you just plug a phone line into the back of your computer. And that's what the modem is, let alone where we are today.

So there's a lot of cool stuff that's happening around the wallet security front that I think is like really worth talking about from a self-custody standpoint. So there's companies like Magic. Magic creates you a wallet that only you can access. So this is not entirely self-custody in the traditional sense. You don't have a key file stored on a piece of device. But basically what it does is it texts you a pin code.

And that pin code, then they use Intel SGX security tech to verify that that pin code comes from that device and that web browser and everything like that. But when that code is entered, it now lets you access and decrypt a wallet. That's what something like Cupcake runs on, right? And so those type of systems are not software wallets in the traditional sense. The attack vector of a malicious Chrome extension doesn't exist anymore.

And so it's closer to a full self-custody. It's not technically full self-custody, but it's much closer to it. There are also systems like Web3Auth has an ability to do a sign-in with Google. Same idea as the text message code, but it's basically like you sign in with your Google account, your Google account decrypts a wallet in the cloud. They don't have access to it. The same way that iCloud backups, like Apple can't decrypt an iCloud backup.

Unless you've set up like some recovery system for it, right? All these sorts of things are not on device custody, but they're incredibly access controlled where the company can't break into the wallet either, which is cool. There's also a lot of interesting work being done on social recovery systems. Think about it from like,

If you distributed some of your words to all of your friends, well, that works. But what if you had a system where you had to sign in with your Google account, you had to get a text message authentication code, you had to have someone else that you know attest for this. And then you had to enter like a password backup, and you need three out of four of those things.

There's these, these sharded recovery systems that require three out of five or something like that systems. And you can create an area pretty well. Like you could see someone like Apple doing this, right? Where it's like, oh, if you press okay on your Apple watch,

And then you have to do all this other thing and then you have to scan something on your Apple TV and suddenly that gets you into the thing. Oh, they kind of already do this in a rudimentary way. If I'm wearing my watch and I've typed in the pin code on my watch, then I don't need to Face ID on my phone because it's already been secured so they can just pass that security along to the next device that they know is, you know, mine. Yeah, exactly. That's a great example of this. So there are a lot of folks trying to bring that level of security and authentication to the problem of self custody as well. There's also some fun, like public access data problems, right? Which is like, the idea right now is you have to keep these words really, really, really safe. But what if you didn't? What if you were actually referencing things that just exist in incredibly available data sets all over the world, and you're basically hiding this in plain sight?

So what if there were seven books and five paintings? And that's my 12-word seed phrase.

There's ways that you can basically hide data in data that's so ubiquitous in public that it isn't perceived as being a way to unlock something. Like there's that really cool project like What3Words. Oh my gosh, this is so cool. Yeah. Yeah. So if you're not familiar with What3Words, they've basically taken like one meter by one meter squares. And there's enough words in the English language that you can represent every single location on the globe with three words.

Is it one meter? I think it might be three meters. But either way, it's like quite granular. And so the problem that this solves is most of the time an address is fine for a delivery. Like you give someone your home address, they know where to deliver something. If you're in Lisbon or somewhere with a bunch of crazy back alleys where it's like quite difficult to figure out what address maps to what door of what building, it actually would be much nicer to have some user-friendly map

lat long coordinates. And Austin, to your point, because combinatorially, when you have n words in the English language, well, n times n times n gives you a massive addressable space very quickly. And so you actually can give someone a very memorable set of three words that maps to a pretty precise location on the globe. Yes, you are correct. It's three meters squares. Yes. I was literally just looking into this the other day. Yeah.

But it's so cool, right? And so you could think of that being a similar system that unlocks something in a crypto wallet, right? You could literally have, you know, there's three words in each of these location squares. You only need eight location squares to get 24 words. You just have eight places to you that are important to you that you have those squares. Now,

There's problems with the square analogy, right? Like, is it the right square? That is like, you know, the grid move over time, whatever. But like, you can see how systems like that in an end state would result in something that is easier for people to remember and secure than a 24 words that they have to make sure never to touch or leave or move. But that also brings high levels of security to the whole ecosystem as well.

Awesome. Any parting words as people consider their custody solutions going forward? I think it's worth saying at the end of this episode, there's probably a lot of people that are trying to figure out, are Web3 applications going to be a thing before too much trust is lost in the crypto ecosystem? And I'm sure this is something you wrestle with a lot because there's a lot of like, cool early applications that people have developed.

But like, we're not in Amazon level traffic or use cases or customer love for crypto products, you know, call it five years into Amazon's journey. How are you thinking about the current state of the crypto landscape in terms of like, the applications that have utility today, the stuff that's most exciting, and where you think there is sort of like ecosystem risk caused by both the whole FTX things, but like the macro changing and interest rates going up and other things other than crypto being attractive places to put capital these days.

Yeah, you know, it's a tough question. Because it feels to me like a lot of the crypto cycles have been driven by asset appreciation, they haven't been driven by real underlying product development yet. And what we saw in the last this last cycle, but the sort of the 2021 into sort of the end of 2022 is like, NFTs were like a real thing that people got excited about, got interested in, started using for something beyond just financial means.

There were communities being formed. There were all these really interesting kind of use cases and applications coming out of that. And we should be clear, like lots of it's still for financial means or lots of interest in owning an NFT because you will speculate that it will go up, but at least it's more than there is utility component because nobody owns a fungible token because they're super excited about the intrinsic characteristics of the hash code the way that they are with a non-fungible token that they can have affinity for and community with.

Yeah, but like, there's a lot of folks who maybe bought NFTs at the top. And if they were just financial investments, they would have sold them. You see people having emotional attachment to these images.

And because it's not just that, like, oh, I have a picture of a monkey. It's like, I'm part of a community and this community means something to me. Yeah, it's the images and then the communities around. Exactly. Right. And so that community is not financial based. The thing about crypto is like, it strips everything down to its most bare base capitalist versions, or like, at the end of the day, the New England Patriots are a business.

But you don't think about it that way because it's not like you buy shares of the New England Patriots. It's a very different relationship there. But like, or to your point, the last time we talked, Spotify is a fintech app. Everything is ultimately a fintech app because it connects individuals to money in some very indirect chain. Yes, very much so. So this is kind of like similar to that where it's like what we saw in this cycle, this adoption curve was like, non-financial stuff started taking off.

Like non-overtly financial stuff started. DeFi is an unabashed financial investment instrument. NFTs aren't. There are a little bit of that. There are a little bit of other things. Gaming as well comes together in these areas. And we're starting to see that like the adoption of this stuff isn't going to be driven just by people expecting to have an opportunity to trade.

And I think that's the real, like, the internet sucked for a very long time. It was like objectively worse than listening to the radio or watching TV or getting a newspaper. And eventually it crossed a curve where it became just slightly better. And that's where you start to see the exponential compounding effects of product. I think we're just getting there with crypto now.

And I've often seen the argument, in fact, I've made the argument that, you know, we're now 12 years into crypto. By the time we were 12 years into the web, you know, there was mass adoption, clear, obvious utility, consumer love for it. Of course, you had companies exploding because they were valued on crazy multiples or had upside down unit economics. But, you know, there was clear use cases that users loved and real intrinsic value. The pushback on that, that I'm sort of like the crypto optimist in me is that it is super unfair to start that clock when the web started.

It is much more fair to start that clock when ARPANET started. So like, I don't remember when that was, early 80s, maybe late 70s. It took 20 years from the beginning of ARPANET to the founding of Amazon. Oh, it was, we talked about it on the Qualcomm episode. I think it was 1969. See, even longer than that.

And so from the founding of the Bitcoin white paper, I'm not sure we should think about that as it's time to start the timer on the web. That's not the 1993 moment. I think you could also make an argument in a sympathetic to crypto and Web3 argument that you also shouldn't really count the founding of Bitcoin as the beginning of the web. Bitcoin is a financial instrument. You should probably instead count the founding of Ethereum.

Yeah, the first like decentralized application platform. Yeah, I think that's a fair way to look at it. I mean, hopefully it doesn't take us that long. Well, that's the counter argument too is like, hey, things should be faster these days. Yeah, every cycle seems to be faster these days. Ben, to your first question, Austin, any parting thoughts on custody for listeners? Any PSAs you want to give?

If you know a friend and if that friend has crypto and that crypto is not on a Ledger, Christmas is coming up. Hanukkah is coming up. Kwanzaa is coming up. What's the website? You may as well show for him. Actually, we should talk about this piece a little bit as well. So buying a Ledger, just go to ledger.com. Buy it from ledger.com if they ship to your country. Don't buy it on Amazon. It's just one of these things where it's very easy to just buy it from the company's website.

And there's an infinitesimally small chance that someone sends you a fraudulent Ledger if you buy it on Amazon or eBay or something. So just buy it from ledger.com. They're a French company, so they ship pretty much everywhere in the world. Great. Austin, thank you. Thank you. Listeners, we'll see you next time. We'll see you next time.