Description
Status July 2018 Security Meetup (Day 1 Morning session)
00:00:00 Introduction
00:07:37 Security
00:09:56 Coercion resistance
00:14:04 Privacy
00:21:05 Short history about security at Status
00:27:55 Wall of Shame
00:47:20 Audit Process
01:07:46 Bug Bounty Program
01:12:20 Hiring
01:15:34 Security at Status
Speaker C: ...on top of it, you can also build institutions on top of it, which is old for sites, it's not contracts, and that's what the crypto tokens and sex network cooking hints. So it's like this fundamental layer, the way we are solidifying and giving these rights regardless of the environment they're in.
Speaker C: And I mean, also, it's like you mentioned, it's like a film in Anacostia on the percent of the time, as long, I'm kind of, at least. Maybe this is personal opinion, but I'm kind of comfortable if we're educating the user and they voluntarily do these things, to a certain extent, but like guaranteeing that they're well educated, guaranteeing that they absolutely know that, like, say, opting into tracking, for example. They don't really understand what that means, right, but if they can bring topic discussions, are we going to it? But you...
Speaker C: I guess six or so months ago we had this thing where our Slack is open and we had lots of phishing attempts. So people were pretending to be Carl or Jarrad. They sent like a message saying, like, oh, send to this address and then you get some freebies, new stuff, and this was like untenable. Like, it was a huge problem and Slack was completely useless and people lost real money, and I guess, oh, someone lost like ten grand or something like this.
Speaker C: So it wasn't trivial. Yeah, I mean, the phishing account was multiple states, so they got like a hundred grand every time they did it, right. Yeah. So it was a big problem and we were trying to find a way to solve it. What we ended up having is that we moved to Riot. But then the reason for moving to Riot is because then you could do this thing with links: we could control the links.
Speaker C: I think, generally speaking, it's totally... We have made security decisions in a kind of half-assed way and I think that's what we want to change, and it's like, how? How do you go about it? One approach to this is just coming to some kind of shared agreement on what's sort of currently broken, right, and I think this has been floated a few times and I started writing it myself, but I thought we could do it together, which is a kind of wall of shame, if you will, where essentially we list things that we think are currently broken, and it can be anything, no specific sort of constraints on it. But it's a brainstorm around it, and I was thinking we could just very roughly sort of categorize it. If you imagine a scale from one to five, one is like, this is a complete blocker, we should pull that from the app store, and five is like, this is okay, we don't have to solve this within the next two years.
Speaker C: It will just be interesting to get everyone in this room on the same page, because it gives us at least some direction with a small structure in terms of attacking sort of the biggest problems, and I think it also maybe seeds discussions over the coming days. But my idea was, we can just have a HackMD session, share the link, and then we can have like maybe five minutes where everyone just writes, five, ten minutes, people just write freely.
Speaker H: Usually, I mean, we might protect something by something you know, something you have, and something... Essentially, it's usually for financial stuff: you need to prove two of these differently, so it should be like something you know, like your password, plus something you have, like a mobile phone with Google Authenticator or something on it. So it's...
Speaker C: I guess people do... I think one thing, though, we did something, we can do it during this, but what I also want to get out of this, in terms of writing things, is things that we want to block on now, like "we shouldn't do development until this is fixed" kind of thing, versus things that are okay if we solve them in three years, because right now I think it's kind of this general idea rather than having this, but I feel like that's lacking.
Speaker H: ...with them is pretty good, so they are responsive, they are the big stuff in law, and the first engagement was pretty successful. They found a few of the major stuff and they were all like very professional from their side. So that was a good experience. That's why we decided to follow up and sign up for the next engagement.
Speaker H: However, this whole process of audit is kind of not really meeting our needs, as we are developing very rapidly and changing, adding features every week, improving stuff, and the whole process they work in, the kind of audit engagement, skills and wonderful principle... So what happens is that pretty much they require the code first and have it one and a half months, two months before the audit starts. So you know, this is already like a two-month period where there should be no new things, then they've got it, they're gonna audit it. So that's already... when they finish the audit, it's already two months of work that we could deliver, and they probably are not gonna need it, or they are just gonna think about it just a little bit, not really deeply checked, so the whole model does not really work and that does not really suit our needs.
Speaker H: So, yeah, so regarding this phase, when they actually start working, there's like a kind of initial phase where they are looking into the code and maybe some general checks, so like, for example, they're trying to see the opposite of network traffic when you do not use it, like something suspicious, network-wise, or so; it's like kind of basic stuff, they're trying to look into the files.
Speaker H: It is quite cool because it's gonna be published to the community, and it's also, which, somewhere for us to think about, everybody, all the PDS about it out. They also include some recommendations, so maybe, like Megan mentioned, a track star in Irving's. These recommendations are not necessarily issues that affect the application now, but they are good things that we should consider in the future, how we can improve them.
Speaker H: Yeah, yeah, so a few things, yeah, there were overlooked, but also in the previous engagement we were also like, I...
Speaker C: Yeah, yeah, let me drop this. Right now we don't have enough security expertise, right, so that's sort of the thing we could do, which would at least give us some experts looking at whether there's no way or not, like... Ideally we have multiple security... First you want to have dedicated sort of experts working on that, and also just in general, what we do now: we're getting more people to think about this and create a culture, and security chapters, and so on.
Speaker H: And also we put real emphasis, in the first engagement, on what's really important for us: the key management, the signing of transactions, this kind of stuff. So they really did look into that first; late, early start and other things like this trailing in order were not as much, because the personal management was also kind of support they were not doing.
Speaker H: So that's not ideal for us. For two months we are doing stuff, so the code they're looking into, this already... we know that, how they did... we were changing this postcard. So we did it during the first phase with that, but it took maybe a week for them to analyze it, and extended the audit by a week or two to actually audit the changes, so, and yeah. So that was not actually... it's not very efficient.
Speaker H: And the most... it's not, they are not very thoughtful, innovative. So during the audit, of course, we have to close with this weekend, you can ask very... stop, and they're sort of, but yeah, they are not really there on a daily basis. So whatever team is working on some feature and would like to get some insight from the expert, it's not really possible.
Speaker H: Yeah, so, as I said, yeah, we have these calls, like with P bucks, which is more often, like every day, a direct... stand-up, so they are informing us what they are working on right now, the next thing, and we can ask them some questions about security and they answer. But you know, that all depends, it's just... you know, it's not possible, because the earth, water, peace, and they're not really...
Speaker C: That was kind of interesting, right. The bug bounties that we did have come in were essentially a hidden... they could use against us, and something in like a few bits, accessing things, kind of interesting, and those were nice, and people that were trying to hold the reputation of Status against them. So, nine things, yeah.
Speaker C: This medium thing's like, it's really not like it's smoking, very suppressed, but it's a great example: small forest fires and things early in the forest, like, if you have small fires, then the forest actually gets more robust and stronger altogether. If you don't have any fires, if you put down all the fires, then you have a fire and the forest disappears, right.
Speaker C: So this is a great example of where we are not accused of wrapping these things by saying, okay, we're not really together, but now going to use these mistakes to make partial systems stronger. So this is really a blessing in disguise; like, this is not a bad thing, it's really a good thing. It would be better the more of these things that we see, I think.
Speaker D: We naturally can't know... we did a couple of things, but we haven't, like, run out now. Well, also, the numbers are there, right, good, like, yeah, between two thousand and fifty thousand, if she doesn't feel like the worst vulnerability reason. So far, how many have been paid out? I think it's out... I think it's out in the notes for each of them. Yes, at least three of them, mm, yeah.
Speaker H: But the early ones, yeah, they were not related to themselves, so I imagine that, first of all, also the candidates that we reached so far through hiring: so when we have, like, an exercise for them, after a day, it's free, and kind of most voices are saying that it's just too much to dive into that. So one of ours is to try to analyze the app and try to point out security flaws, and people are like, it's too much, you know, I would need someone to dig into that. So that might be the complexity of the...
Speaker C: Drops of this dedicated community... into there are these dedicated communities for penetration testing, all these things, in the air, and then push the drills. So it might be that if you are in excess, the counter, right, like we just look in these forums, you just... that, for you, that's your human world, vacuumed, yes, resound and literal meaning.