From YouTube: Status Core Devs Meeting - August 20, 2018
Description
Agenda and meeting notes from the call can be found here: https://hackmd.io/VN4rIR3mTxiUfujlDRNYhA
A
Thank you, Andy for taking notes and just briefly lesson learned from last time that we want to try to focus discussion on stuff things that are future oriented and not to give updates about the past, but more things that require people to be here and and we'll also try to squeeze out some sort of decisions about things that we want to do as outcomes. And if anyone said something we can add it at the very end and so I guess do we have any any I mean any specific things.
A
Right cool so first one like clients, less and ulc, and so the context is that right now, there's a bit of a disarray with respect to these efforts and it's not clear what team is opening it. Then what deliverables are, and it's one of our it's the top procure that we have to have 10% of users using this, so we should be clear about so what we're doing here, though, for most of short and long terms, longer timescale, so I guess the some wanna start talking about it.
B
C
C
We need to fix the most annoying issues with less than reach also make a you'll see an option in the UI, and then we need to polish this and then yeah, and then we might only be a work in progress. Yes, functions in service, so before actually I mean like until we reintroduce less and there's not that much to to talk about something specific, because there are other things that might be wrong, that we need to fix.
A
D
C
A
C
Thoughts again initial, they might change right now is to use the same cluster, and there is one performance related notes that why I want to do this, because, right now, we already have all these connections because of the whisper nodes. So if we use less on the same note as we use whisper, then it won't be like additional network connection and that might save battery and things like this, because if we go like later, we need to switch the proper discovery and yellow, but right now just to reduce the scope of light regression.
C
Telescope, like especially like performance issues, would probably should we use the same connections that we already have. I'm gonna do have power status cluster, so essentially the first step would just remove impure equation right. We'll still have a we'll still have our cluster, but we'll also need to run less notes on the cluster. On the same, like on the same addresses that we have for bit notes right now, so that that's my initial idea.
E
So so also Dimitri started working from looking in a bit node because yeah, the other alternative is that we will run Ali as servers on our site and that's I mean that's not a long-term solution. This is just we are not I mean we are not. We don't want to become like another source of lillius servers. Servers that it sounds are lies and so on. So we can run their budgets. That's a lot of maintaining work and that's we have just one DevOps guy. It is just gonna, add more name and yeah.
E
So I I don't know how looks how it looks like we're hiring. But if you want to put more pressure on on that team, so they have up steamed, then this integral right. Now, it's just like crazy, so another one. Another thing is that we will try to. We can try to integrate with with node and that's kind of being research for Dimitri, but that's still not really clear. Yet how we could do this.
C
C
E
B
E
Thing is that we could potentially get Ali s servers from the 3m cluster I was looking into that, but the problem with that is is you need to wait like at least 10 minutes to find something, so it can find something but yeah it's like there's a lot of time to get even one working, alias server. So I guess that's just not gonna be an option.
F
E
C
F
E
C
Was thinking that we have this option any releases, but it's not on by default, so it's somebody wants to test it and we'll give a warning to him. That's okay, if your enable is everything, oh great, so it's so while it's like a work in progress feature, we might use it but like to claim that it works. We with definite issues which the.
G
Impact associated like I, like with the additional risk of adding distance for the cluster we already have, is it? Is it that much more because, in terms of like a additional risk on our side for testing purposes, if you already have the cluster running, what what else are we exposing by adding this functionality.
F
G
F
F
No, it's just like one more one, more partition right that that's the thing and we'd be an equal participant amongst many right, but if, if we start building too much functionality, which is status specific, such that only we can run the nodes and only we do run the nodes, it's there. Where we become that single point of failure and at that point.
A
A
C
C
I think one one thing that we need to the second one. The discovery probably should start a bit later because it's still nice to know so what I like, if we want to avoid this in, like it anyway, but we start over optimizing control the optimization problems that we don't have like. Okay, we only seen we decided that out of a sudden, we only think on Wi-Fi one. We don't have problems if you don't like 3G and start developing something like this, that we don't really need to develop.
C
So unless this like premature optimizations are because there are a lot of cool ideas, how can we optimize that? But we don't really know what we need to talk to my son unless we start really working with it. So as long as this one is addressed and yeah, it's, it surely should be paralyzed, because it's like two different tracks, one is how to discover, and also how to be one among many and another one how to make the protocol itself work and work on on a mobile device and how to consume this, like whatever.
E
I just want to say that it's gonna be a bit more work. If you want to even have like a few Elias servers on our site, so yeah I think yeah I, just I guess we need them to at least for testing purposes, so we should start earlier. The case is that, even if you run them and just make them a part of a dream network, it's gonna be like all the slots gonna be taken by some like other peers, because it's just like that area network is just running to you.
E
Ids servers, so there were gonna, be need some mechanism that just make sure that there are slots for our for status, apps like basically to connect to because otherwise it just it's just not gonna change anything. So, there's little more things on this side. If you want to run those notes but I think it's it's okay, I mean in my opinion we should never go with that to release, but just to have something to start looking at well, yes, mobile and generally, like general, it has the whole solution. That's just that's needed pretty much. You.
E
F
A
F
So we trust in Fuhrer nodes, just as we would trust any other, less node right and then we can also play with things like when we're about to make transactions. We'd beef beef it up when we're not making transactions and just looking, we wait to tone it down. We can look at options like I, don't know if in Fuhrer goes down and then the app just keeps working because of the nature of how it switches between reasons yeah.
E
I like the idea, because, for example, with note integration, you need to pay for that, so you need to have first, some channel to pay for product service and there's a couple of options. I guess that the guys behind people are considering, but I will have I believe that in the future it's gonna be work. This way that you actually need to pay for the service like alias servers, because no it just it's currently visible that it's not possible to just have like a enough number of alias service running.
A
I think it's in there idea, but whatever it's an idea, they've got point being mostly that it's one that that swarm is responsible for it and that's most of what I want to get at. So it's not like three different teams, still kind of like looking at each other. That's this form! That's in graph right now to eight you know whatever it's called tweet nine I, don't remember.
B
A
To nitrate, yeah yeah, all right, cool, okay, next one, a desktop mobile mobile, app code sharing and automated testing and the context for this is that we recently started sharing code base between desktop and mobile and your some childhood illnesses. Issues relate to this just the goal. Just general discussion and outline next steps. I believe max was due to at least.
D
D
It looks like that for ecosystem, how how similar platforms are working for others. Software products desktop is pretty essential, also like mobile, and can do things and have such features. That can cannot be done on mobile and this, why pretty important of users and such more movement also can be like start steps to have a code base that once we will need to be able to port for others, platforms like embedded platforms or anything else which we will have in mind in future.
D
But at the moment, once we have started to share the same codebase desktop builds. They started pretty often to face mostly, we believe, because currently we don't have any kind of unit testing and any kind of end-to-end testing for functionality which we share. These mobile builds so you'll be great. If we can, mobile team can suggest based on their experience.
D
Functionality or most of functionality, if for desktop, builds, we will implement and run on every github PR unit tests for closure script code, or maybe only a closure script code is not enough to cover all possible issues: runtime loader script issues and additionally, additionally to Z, we will need to have separate end to end tests for desktop also. So it's like the question for suggestion to mobile team.
B
So I can't answer for desktop and turn test. Automation, I already started research and for now for as the main goal just to replace our mobile driver, which called coach named IBM driver, V's destined driver, so we will be able to reuse the same logics as we using contest's for mobile in desktop and so far we tried three drivers of them, not acceptable solution and I.
B
Don't want to share why technical issues but I can, if somebody interest, so it was like I. Don't drive Urfa mark by Adam and securely securely, basically, is a magic ignition based tool and we are not going to keep a screenshot of each element. It's a really heavy and it's not possible this. Our actual test design I, was a racial automation framework. So all other projects seems to be dead, but with some contribution we can make them alive and so far we are going to try a couple of other drivers and I believe.
B
B
A
B
Yet not sin in web related to platform is it was more dotnet and desktop? Okay was it window, so it was to dot, coordinate, I, believe Windows, not not yet dotnet core, no okay! So yes, but from my perspective, we really should take care about running unit tests. First of all, we have them. We have them and we can catch that errors on before uncanny intent test and we have that massless builds when the market is green and github, but actually they failed.
A
D
A
A
A
A
All right, cool next up, Hardware wallet and the light question context is we want to support hot wallet for calm and, if possible, this requires a lot of coordination across hardware development, security UX. It was not captured in current goals or priorities among teams and, additionally, was to have to sort of hardware products.
I
I
Speaking last week and I'm going to product manage these hard words, so I'm, together with miquellee today. So what we have for today is a light version of this hardware that they blocked by me. Kelly. It's avocado applet, that by the way we are starting a security audit of the applet code by an external company.
I
It's starting right now, so this Java con is pretty simple. So I have a card with no MMI its contactless running on NFC, so we will focus the clients integration on first, maybe or so with the PC. If we source us beat who smart card reader and so the the applet is called complete, it's documented on github or the api's, and so what's at stake now is to start the integration in the client.
I
What we started to do is to write some of the basic user stories we want to enable, and there are actually quite simple. There are three things: setup of the art were dead, signing transaction and lagina setup, meaning we want to enabled a user to create a new status account on his hard wallet or import an existing account on the other at signing transaction, meaning that to sign a transaction. The user we'd have to tap his card on the back of his Android phone and enter the pin code.
I
The card instead of entering the the current password and something is enabled login into statute account with the hard wallet. So instead of selecting an account and input, the password, the user on the login screen would just have to tap his card and enter the pin code. So these are basically the three user facing scenarios attacked when able and integrating the client there's. Another thing at stake on which we have to decide quite quick is how the applet is noted.
I
On the have occurred, there are two options: a first option where the manufacturer, when we solve these records with load applets directly on the card and the second option where the clients would take care of this at first setup. In this case, the client would upload through NFC applet on the Java code.
I
So there are different user interface security and feature consideration regarding this choice of how the applet is. Did we win discussion that with Micheli, and we will share by tomorrow a document with some of the conservation to take her into account to share with you so that we decide on which path will go since impact, of course, on the train situation?
I
I
What we're trying to do there are some application on the client side for me to discuss. I, don't know. If that's the moment right now, like one I have in mind, is the fact that the user would not have any password to mean to define and remember any password how we will manage that the client I imagine the password is used to store some secret that has on the client and does that need to remain at once.
I
I
There's a document with the user user scenario: that's been shared, then that's open for discussion and when I guess we we need to set up a team working on that with some contributors from the client side and from the user user experience team and with the McCleary myself at least so, let's open for discussion, and so this is the other one like. Maybe we can discuss that before before we briefed about the hardware?
J
J
So I I started working on this couple weeks ago, just some hours and then I stopped, because we had some security bug to fix or follow. But the first thing I've done was checking a PR that is already opening the go, etherium repository and changing some parts, especially in the Association and the pairing code, and then after these I would like to understand.
J
K
I
I
The user chooses if he wants to set up an account with a the regular way with the best or if he has a card, then he can set up his account on the card. But in this case it's would be much better not to have a password anymore. Otherwise it's going to make too many things for him to remember. I forget.
G
Who made it, but someone made really good flow diagrams of the user experience for both options depending on and when you'd make those options and what what part goes away, based on which part of the step you're in I think that'd be they'd, be useful to put in the notes. So people can look over that. Yes.
I
G
Think it would be important if you get rid of the password to have to push forward on the the biometric data for unlocking yeah the terms of a usability standpoint having the card out every time you want to use, the application may be a bit annoying. So if we have, if we get rid of the password having something like facial, recognition or or fingerprinting, could unlock these types of things, while using the pin plus a hardware wallet to do any type of value exchange.
J
E
G
But, depending on what you're doing, if I guess it's it, what are we separating valuable right? Is unlocking the app value in itself or sending a transaction value so we're at what point do we have to enforce hard security versus just getting into the app? Because you know you're either biometrics can open up your phone. Your biometrics can do a lot of things already.
G
If it is, is sending chat messages, the the buck stops there in terms of security, or is that it's a fingerprint enough? If you have all three that should be enough to send value or do anything with the wallet? No access in the wallet should have access. You should need all three, or at least the pin, plus Hardware wallet, but maybe sending a public chat may not need that much. That's open for discussion on what we, because most important.
K
E
A
The interest of time do we do we want to decide on roughly how we want to proceed, because it's all security considerations and things we come into detail, but just I guess from Arabs or people perspective like what do we? What do we need to move this forward if andreas looking into it from the go side and agora? How does it look from the closer side and also chad from the you excite.
K
Yeah all right, basically, what we need to is a timeline. The timeline with you know realistic expectations with realistic resource plan, and you know so. The only way we can find this is with a timeline timeline. For example, when do we get the cards? I know that the prototype cards have been already mailed, so I expected they would be around. For you know, in a couple of days you tried you had you had some question about the delivery of the of the promotional cards.
K
I
K
I
I
K
So basically, the only way you can see this to be done in a timely manner on a thousand scale is with a bootstrapped loading. Yes, okay, so we have okay, the first decision on the on the UI side on the mobile their side, the majority of the the major dependency that defines the timelines is actually the selection of the use cases. So I, guess that that you know kind of depends on this decision as well.
J
Also thinking in general that we were, we started discussing about the coupling the the keys, the wallet key and the whisper key and I think we. We need it for this because we're talking about having, like the the whisper key, only memory on the client, but for now, since the the key is the same, it would be basically the main key, which is also the wallet key in memory, because you need to sign the messages when you chat so I. Think one Dependencies finish in the starting and finishing the decoupling.
J
The the keys and I know that I think there's a lot of work, also in the protocol and in the chart, because we need to like add some features like asking the like. The wallet address request, because it's not derived from the whisper key anymore and and then also compatibility between different versions. So I think also. This part will be long and I. Think it's me that if I am just directly like the way way, yeah.
K
J
A
A
A
K
K
A
A
D
G
So if I haven't talked to you already I'm Corey I'm, the new security guy, which means I'll, probably be bugging everyone about what you're doing and why you're doing it. I think I've been trying to do a lot of like polling around the company to see what people are working on, what they, how they've used security in general, because I was brought on with the assumption that there isn't a lot of security practices in place amongst the company.
G
I I'd say that there's no like formal protocols and checklists and methodology for doing traditional, quote unquote security, but the backdrop of security amongst the company is really high. It's like I'm really happy that I didn't walk into a bunch of landmines and I think that everyone has the basis of what security is. They just don't have the confidence to say they have it.
G
I'm gonna be working on trying to put forth a lot of stant like checklists that go in place of what you're currently doing so you can feel more confident about taking off all the boxes that respect security and whatever aspect. That is because it's a pretty broad concept and I hope that y'all can help me do that in a lot of ways, because I can't do it myself and that's going to be. Basically, if you have any concerns comments, questions send them to me or if something happens online you can always send it.
G
An email to security add status that I am for any type of like quick response. I'd say see: I wanted to bring up the concept. This is kind of a I say a mind frame when thinking about security, that I don't think people have ever been exposed to as the packs, the pyramid of pain and that's when looking at potential threats with an accompanying.
G
This is built for I, guess: traditions like looking at traditional, centralized infrastructure and looking you're looking for things that to see if people are attacking you or not, but it could be easy for me to easier to share my screen or I. Put the link in the in the agenda notes to slack. If you want to bring it up yourselves, what do you think is easier if.
A
D
G
Great Pyramid of pain was brought up from our security research or a long time ago. I think our on 2013 or so, and the concept is relatively simple. If you look at the graphic here, you have the types of things that you can. You can see indicators upon in your network or or your infrastructure that show that someone's someone's doing something malicious and at the very bottom. You have something you have things that are everywhere yet easy to change and at the top you have TPP's.
G
It stands for tactics, techniques and procedures, and, as you move up this, this pyramid, you increase the difficulty to change that type of indicator, which means that you make it more and more and more difficult for. If you can find these indicators and and remove them from your network, you make it more difficult for the attacker to change what he does so, for instance, hash values say: you'd, find a moshus file in your in your network and you didn't make let everyone know that hash file exists across the network and you get it out.
G
So you can find these things easy, but the attacker just changes it and keeps going about whatever he's doing and then, as you move up to this, this pyramid, you continue along that that same type of thing, so at the very top, which is where you want to be finding things, is your you're identifying the tactics, techniques and procedures and attacker uses to attack whatever you're doing? And you know, if you ever to mitigate these types of things, then you're able to you're.
G
You force the attacker to change his behavior, which is the most difficult thing to change, and what I the reason I bring. This up is a mindset of if you're, building, something or making a change. You want to look at the types of vulnerabilities that are introduced or are already there and think about what what gets left over what you can look for to find in a Vegas misuse of whatever you're doing and I try to be. As general in term here, because that, although this is a developer call, this applies to UX.
G
Do it from a security perspective and how can I find those types of artifacts and where, on this pyramid, would they would they lie not necessarily specifically in terms of domain names, IP addresses, etc, like, although that may may be appropriate for what you're doing more along the lines of if I can detect these things? How difficult is it for the attacker to change that?
G
Does it lie on the bottom in terms of hash values, or is it up to the very top in terms of behavior, and we wanted to try and always do things slash, be able to see things and change things that are at the very top here? Because that's what keeps people from if you change an attackers behavior more often than not they're just going to leave you alone, because they're lazy and they don't want to change their tooling I'll. Stop there and kind of ask question or answer questions or get comments.
G
That's actually the next. The next point that I wanted to bring up. This is a traditional way of looking at things, and there isn't a lot of stuff out there that points towards how this changes for the type of development that we do and I want to I'm writing about this I'm trying to put it on a framework that makes sense for people, so that I have hard concrete examples of how to apply this same type of concept to decentralize.
G
That building, because it's very different and the attack service is very different and it's a it's. It's kind of a new thing. There isn't a lot of stuff out there that I found at least that that explains this type of stuff, so I think it'd be worth while to even brainstorm on the types of things that we do, that I want I want to rebuild the pyramid for what we do in general.
G
If that makes sense, this is something I've been talking with the other security folks in the community to try and to try and help do so as I as I build this out. I hope with. If any. If you have any ideas or ways of doing that, to send them my way to help me kind of build that out more robustly, I I want to push forth this idea and in our community.
G
You so I guess not I'll I'll develop that more concretely and ensure it next time I've been riding on a pretty thoroughly.
A
H
G
Trying I'm taking over a lot of that security champion stuff, so that Igor doesn't have to wear that hat, as least as heavily as he used to I'm, still trying to figure out a way to build that in so that it's not in an incredible amount of time for the participants of security champions. I want to build. I would like that to be something that we do and I'm continuing, building the framework of how what that looks like they went through a a threat, modeling exercise with incorporating the ENS name.
G
They actually came up with some good results and I was really happy with it, and I want to make sure that we can get do things like that and I'll be building on the framework they don't. That's a good part of what I think I'll be doing, is building framework or tool sets that allow everyone to make better decisions about what they're doing and that's gonna be done through the initiative that you are started with security champions.
G
M
I have a question: yeah cool, so at the top of the pyramid, was the tactics, techniques and procedures I mean? Are you talking about they're, basically like the digital fingerprint of one unique hacker, or is it more like schools of hacking? Oh yeah.
G
G
Right right below the TTP's, you see tools right, and so this is what, if you were to find the fingerprint of a various tool and able to stop that the attack. The underlying attack could possibly still be happening in your in your network, but you've only mitigated a specific tool that does that attack.
G
That's a good music, that's the I think a better way to put it it's and it's it's more along the lines of a behavior for an attacker which corresponds to an underlying attacks like some people are really good at X type of attack and use a various amount of tools to do that type of attack, and so that's a behavior slash underlying vulnerability in the inner system. Gotcha.
F
D
G
No one can see it, so that's really good cool. So another thing that I wanted to bring up I've had a conversation with a company called frets tack which looks at cloud cloud infrastructure monitoring, because we don't have a large security team looking at the infrastructure that we currently have, because we do rely on some type of centralization at the moment and always will have some form of infrastructure.
B
B
G
B
G
Okay, yeah I think you definitely are, should be on the call, because you're, the infrastructure, guy and I want and you'd be you'd have more of an opinion as to whether or not this is useful useful for us and whether or not we can just roll our own, because there's certain things that I can do that do some type of this. But it's it takes me away from it takes it takes my time away from other things.
G
I should be doing if that makes sense, like I'd, say the entire, offering that this company has is equivalent to about a full time employee, with infrastructure, as we currently have and I want to make I want to see if that's reasonable, for something we need, because over time time goes on, that reliance on infrastructure should go down based on the principles we have as a company and what we're trying to do as an application. That's.
G
Given him a rough outline of what our infrastructure is, so that they can create a demo tailored towards what we would expect from their company on what we have, and so this is, the compass is the see you can look at a kind of a an idea of what an attack is, and this is like an AWS attack. Someone gained something gaining access to credentials across eight of Atos infrastructure.
A
G
Lot of this stuff that may not be it may not work well for what we do. We don't do traditional app development or at least at production, and things like that, but we'd also have credentials that we care about and I would encourage you to go to the website and then look at the video that shows you this stuff and then for the demo we'll discuss whether or not it's appropriate for us.
D
About parameter pane, interesting if to replace a attacker, for example, developer of a service. Other part of pyramid will still look the same, for example, because developers select tools, select some procedures to implement the rest of system part. So from that point of view, developers should aware of attackers can behave, and this will enhance selection of those procedures and overall security of the system.
D
G
That's a that's a really! That's a really good point: it's a nice! Something I want to reiterate: I'm, not the domain expert of what you guys do and so I need your help, because you understand how things work better than I do for whatever specialty you have, which means that you understand the types of tools someone can use or the types of vulnerabilities that exists with what you specialize in, which helps me understand.
G
D
G
G
So you can be aware of it, so it's actually happening this is that hurt Kenneth status, that I am and there's somehow and other people are getting into that at least the protocol in which we create emails for the company, which is basically first name at status. That I am and then broad, spanning out these types of things just see if they can get access to some of our underlying credentials through social engineering attacks.
G
So be weary of those things you might find them in your spam folder. You might not I think we should also look to put in places like certain amount of procedures or or general guidelines of things we will ask for and the official channels in which we asked for them like for what like, for instance, Jared, will never ask you for your personal cell phone number through your email.
G
If that happens report it it's not something we should ever do, and so I don't know if there's basic guidelines or rules on these types of official channels for certain things, if there's not I want to make them so that everyone at least knows where to go to find out. If something like this happens, and it's more questionable than this.
A
All right, moving on so first step towards the Dow I guess: there's some work around there, belting it up and there's also one okay are around liquid touching and then there's also been some conversations and experiments around get coin, and so on, I'm, not quite sure exactly what we want to get out of you this, but maybe stop it spreading some context. I think and you might have some and then a grape is a grain.
M
Yeah so initial investigation into the voting that, basically it's not so much about features or doing anything new, it's it's really about trying to discover like what is the reason that people would feel compelled to vote. So that's what's currently happening now. There's a survey, that's been created by Patrick from user experience, design and that's gonna, be going around the community. I've got a meeting with hutch tomorrow to send it up, asked to you to basically try to figure out. You know why would someone pay gas fees in order to vote?
M
My suspicion is probably around the allocation of funds, but one about the date that, through a three-hour survey, yeah, and then I was investigating how to create kind of on-chain consequences, that the idea being that certain having an on-chain vote is very expensive and if it is only a signal to the research foundation, it's a very expensive way to signal whether there's other channels such as Reddit or, in fact, the feature nomination with the feature voting kind of app with inside of Status. Looking at it as well, yeah, not not a written.
A
M
Conversations are happening. What I'm looking at, I think what I'm trying to avoid is building, you know, adding on complexity onto the initial voting flow before understanding, you know, what is the things that people will vote on, but yeah, I do believe Ricardo's investigated, there's a state's discussed and there is a understanding. Work is gonna start happening on the DAO when Jared gets back from holiday.
A
M
Yeah, that's my conclusion. Just if we Const I mean first things first to try finds, you know, what is the reason that people will vote or walk what topics I. The reason for that is low voter participation is, I mean, not just amongst the Status voting that, it's low amongst pretty much every single carbon voting or on-chain voting. That.
H
There's no particular effort that I want to give just right now, there's some other people that I need to speak to before we speak publicly, and just on the voting stuff, you know, I tend to agree with Graham. I think that he's approaching this in quite a sensible way. It's a really difficult topic. A lot of people have taken it on and I think that he's caught inside.
H
That's if you are gonna require people to go through the pain of voting on chain, and sure, there are UX things that we can do to make that easier and more smooth, but it's always gonna be a little bit of, like, added extra effort for the user, then you really need to have on-chain consequences, and deciding what those on-chain consequences are is quite difficult to do.
H
Graham I think that ask is righted, but probably the best kind of on-chain consequences are likely to be found in some of the democracy work that Ricardo's doing and perhaps liquid pledging, you know, so there's some kind of financial results on chain, even if the actual results of the votes is not necessarily reflected in the decision that gets made on chain, if you see the distinction that I'm drawing there. The Gitcoin update, Oscar, will come next week or two weeks from now or other I.
L
L
That's going to fill that gap, and so I guess one question I've been asking is, like: if you could build one feature in 60 days or less that moves a multi-sig wallet towards being a DAO or a DAO component, what would it be? And there's very little feedback on that, right, because it turns out very few people have ever even used the multi-sig wallet or use one on a regular basis, so something we started doing?
L
F
L
H
Yeah, I mean I think that yet six point is a good one, then, like, first of all, the Bloom guys very good at what they do, and you know, it's interesting that they're using Whisper in the way that it was originally intended, which is to gossip information about various different aspects of your identity around their provider network, so that they can sort of do KYC and only have to submit one transaction on to the chain to confirm that you are who you're claiming to be and barry.
A
In my toes respected a multisig, like, it might be training thing, so maybe we can host some super basic tutorial session or whatever people can join just in terms of actually using it. I know if that would help, maybe explaining sort of the connection with governors and so on in terms of getting more people to play on with this thing, in terms of you are like about about what the conditional bit of time I agree with what Dan said.
A
I also think that getting some kind of integrating sort of ideas in swarms and having some kind of proposal based around that, even if it's like so, if you remember Dan's presentation before, would like request for information requests of procurement, and he said two things I think having like a very basic kind of thing. There will be very useful. It's something that we barely started doing back when there was like an open bounty team, but we didn't really do it seriously. So I'm revisiting roughly those ideas, but doing it right could be interesting as well.
A
And it would also play the liquid pledging kind of things. You could imagine that, I don't know, maybe they're hollow wallet or whatever, right, like that. It's there's some bondage, because we want to do this thing and then it becomes reprioritize because there are funds associated to it example.
A
A
L
Maybe something, sorry Oscar, to come back in, I got it, something that actually I did just see. I think like was the discuss. There was like an update in discuss and I think I didn't see it initially, but I just like just soared, is Jared posted a kind of reply and something he mentioned that I guess I didn't think about was, I guess it eventually there will be an actual smart contract that validates the signature and that someone signed, right, so right now we're all just submitting it into Slack.
I
A
A few set of people pushed out, and it was like a marketing, so-called marketing message that was double sort of the main thing, and but in terms of actual consequences, there are no specific consequences associated because it's not part of a greater design right now, but we can still reuse a signature. So we can redo it as well, easily I think there's.
G
A
A
Want one point would be that if you to be sued an ominous with respect to inject weeded out, so you wouldn't be able to get any funds unless you do sort of things. That's one idea, whether that's the right path or not. This remains to be seen, but that's an example of how that will be able to go.
A
A
Okay, I guess time: is there something that people? It is something that people feel like it missed, especially from sort of the part to which is more sort of general through specific teams as on? Is it something that someone thinks is they want to talk about? They'll bring up or get some kind of decision or discussion about.
F
I'll just briefly mention that the next Ethereum hard fork is coming up for those that have missed it. I don't think that should be anybody on this call, but in case anybody's good, so there's a couple of EIPs going in there. There's an Ethereum dev call meeting soon, check those out because they won't be perfect. This.
A
All right, cool, so I guess with that. You finish up this meeting, recording on YouTube hasn't been like here, I'm not sure, and also, if you want to add things to notes, thanks too much time before taking ups, and thank you Johnny for recording. That's it for this time, I'll put up a GitHub issue for next one in two weeks as well.