I’m not sure what it is about the “cryptos”, but I keep getting pulled back in… one way or another…
Over the last six years, I’ve cultivated an interest in emerging technology, keeping tabs on the next cool thing. Back in 2016, one of the first newer pieces of tech that caught my eye was “blockchain”, more specifically Bitcoin.
An old video (2016) of me explaining The B-chain to a friend
This excitement led me to read and listen to all things decentralization and its implications for society in the coming decades. This burning excitement continued throughout 2017, and into 2018, which led me to meet two lifelong friends obsessed with similar topics. Together we built a community in London of crypto heads, eventually speaking at large corporations and conferences around the world (Oxford presentation).
Near the end of 2018, I began to divert my attention toward work and other areas of interest, eventually removing the whole “crypto obsession” from my mental regimen. During this hiatus from the crypto realm, I dove into climate tech, deep learning, cybersecurity, and many other areas. But… For some reason here I am… Falling back in love with the cryptos.
This time around I have a renewed perspective on the space. Specifically, my intent with revisiting crypto is to merge my interest in cybersecurity and blockchain together.
Before talking through my plan of attack for learning, I want to ask “why”… Why have I decided to divert my attention back to the “cryptos” after a three-year hiatus?
Short answer, I have no f****** idea… The longer answer is a bit more nuanced.
Over the last 8 – 10 months, I’ve begun to unexpectedly run into content and people interested in or talking about crypto. As these unexpected encounters increased in frequency, I began to ask myself, “What the h**** is going on?”
The cultural bubbles I spent my time in were slowly being invaded by crypto-related topics, thanks to the current hype cycle the crypto world is going through (e.g. NFTs). This crypto mind virus took over completely in the last two months, especially during my annual 2-week holiday. Christmas and New Year are the time of year I reflect on the past year and plan for the upcoming year, but this year it quickly turned into a crypto marathon.
I spent two weeks consuming as broad a buffet of crypto as possible, making up for my three-year hiatus. This consisted of reading through the “Messari – Crypto Theses for 2022”, listening to too many crypto podcasts (Modern Finance and ZK podcast to name a few), watching many different lectures (including Multicoin conference series), completing Crypto Zombies, reading Mastering Ethereum, and now reflecting on this 2-week obsessive sprint.
The story I’m telling myself
We humans, we’re good at retrospectively convincing ourselves that we made the right decision, no matter what decision is made. The story I’ve made up for this shift in my attention towards crypto is simple, but it resonates.
Let me first take a step back and explain my thinking around trade-offs.
When spending my time on almost anything (it’s an issue), I’m constantly weighing the trade-offs made for each decision. What am I losing and what am I gaining?
There are only 24hrs in a day and I’m only capable of “focusing” for roughly 4 – 6 hours of that day, so when I decide to put that attention towards a specific topic, I’m saying f**** you to all other topics.
For example, with this shift towards learning Web3 security (e.g. cryptos), I’m taking away from the time I could spend learning alternative security topics (e.g. malware analysis, cloud security, etc.). Here’s where my intrinsic storytelling comes into play.
Throughout my entire career, I’ve always attempted to “follow the puck” for the industry and function I’ve worked within, which means this decision is no different. To “follow the puck”, means we’re going to learn skills for a growing industry now, so in 5 – 10 years down the road we’re in hot demand.
Let’s take that “follow the puck” ethos and apply it to our storytelling.
If you take the time to understand what specific skills are needed for Web3 security, you’ll quickly realize it’s mainly AppSec applied towards Solidity (Ethereum) and Rust (Alt. layer 1’s) programming languages. In traditional InfoSec, AppSec is only a small sliver of the industry, but it’s in high demand, with that demand accelerating and the definition of AppSec morphing (merging with CloudSec and DevSecOps).
The trade-offs here are simple…
- Succeed – If I succeed in learning more about Web3 Sec (e.g. AppSec), sharing those learnings, and building my community, there’s a chance I establish myself early on in a growing industry. This early success and acknowledgment could lead to many crypto job opportunities that are flexible in location and pay well for many years to come. Plus, I’ll be contributing to the Internet’s next evolution (read > read/write > read/write/own).
- Fail – But there’s always a chance of failure. If I fail in staying committed to this learning journey, get discouraged on the way, or life circumstances point me down another path… I still “win”. Throughout this process I’ll learn skills relevant to AppSec, reading a ridiculous amount of code, writing a bit of my own, and potentially meeting great people along the way. These experiences will undoubtedly lead to non-crypto-related job opportunities due to the in-demand skills I capture on the way.
In my head, this is a win-win situation.
The path forward
Luckily, I’m not starting from scratch and have a few years of foundational blockchain knowledge packed away in my brain. With that being said, it feels as if I’m starting from scratch due to all the new projects and adoption in the previous three years.
This time around I’m going to mainly focus on the intersection between crypto and security (Web3 Sec), wedging myself firmly into this niche. Surprisingly, there’s plenty of free quality content in existence today, so I’ve created a starter curriculum. As with everything else, I plan on learning in public, so you’re able to watch the journey unfold and even join me.
If the Tasmanian devil in my mind doesn’t run off to other Web3 Sec resources, I plan to knock out the below and return to this blog post to check off those that I’ve completed.
- Crypto Zombies – Learn basic Solidity
- MIT Research Paper: Systematic Approach to Analyzing Security and Vulnerabilities of Blockchain Systems – Learn more about historical blockchain attacks
- Hacking the Blockchain: An Ultimate Guide – Steal resources and recommended progression
- Solidity, Blockchain, and Smart Contract Course – Learn Solidity, testing, and a bit of security
- Mastering Ethereum – Understand the fundamentals of Ethereum
- Secureum Bootcamp (YouTube) – Partake in both the completed and live boot camp sessions on smart contract security auditing. Summarize and replay publicly what I’ve learned for each section.
- Samczsun – Read most of Sam’s writing, summarizing what I’ve taken away from each in my own words for others to learn
- Smart Contract Programmer (YouTube) – Complete many of the security-related playlists and mimic some of the ideas, with my own spin of course
- CTFs – Publicly complete the barrage of CTFs available for Web3 Sec: Ethernaut (helper video playlist), Capture the Ether, Damn Vulnerable DeFi, Paradigm CTF 2021, and many many more.
- SWC Registry – Read through all the different SWCs available and make a video series summarizing each into chunks of 3 – 4 SWCs per video
- Security audit reports – Read through many, and I mean many, different audit reports from the more prestigious security auditing firms. Create videos reviewing the reports, finding commonalities amongst them, and tips/tricks on how to read them effectively (OpenZeppelin, Trail of Bits, ConsenSys Diligence, Quantstamp, and more I learn about on the journey…)
- Bug bounties – Possibly in the far-off distant future consider partaking in a series of Web3 bug bounties, starting with Immunefi
This list isn’t exhaustive and will change over time, but it’s a start.
Now, let the games begin!