Matt Odell | Citadel Dispatch E43: Bitcoin for Beginners with @BitcoinQ_A
Link to the YouTube (the timestamps are based on this): https://www.youtube.com/watch?v=OxdgmDxOMRY
I. Buying Bitcoin with KYC [5:19]
II. Buying Bitcoin with No-KYC [13:39]
III. Self-Custody your Bitcoin [26:16]
IV. Software Wallets [29:31]
V. Hardware Wallets [37:15]
VI. Full Nodes [45:56]
VII. Transaction Fees [59:06]
VIII. UTXO Management [1:07:31]
IX. CoinJoins [1:16:02]
X. Lightning Network Wallets [1:19:39]
XI. Multisig [1:28:02]
XII. Common Mistakes [1:44:12]
XIII. Common Questions [2:07:56]
Matt Odell [4:06]: How’s it going, BitcoinQ_A?
BitcoinQ_A: Hey Matt. It’s going good! Thank you for having me back on. It’s been a while — I think episode number two with ErgoBTC — so yeah, looking forward to getting back to it and running through some of the beginner-focused stuff that seems to be missing from some of the podcasts floating around. We tend to jump into the weeds pretty quickly sometimes, don’t we?
Matt Odell [4:28]: Yeah I have a feeling we are going to also be jumping into the weeds, but we’re going to try and do it in a nice constructive path into the weeds.
BitcoinQ_A [4:35]: Yeah I need you to keep me in check on that one.
Matt Odell [4:39]: But yeah you are a Dispatch OG — it’s been a minute, and we’ve both been through a lot. I like to think that we’ve been through it together, and I just love that you’re back joining us. I hope it’s not just the second time — it’ll be many more times in the future. So with all that said, freaks, we have a bit of a structure that we set up for this episode — which is unusual for Dispatch — but I think it’ll keep us more focused. We’re going to start with actually getting Bitcoin for the first time. So do you want to start with that, BitcoinQ_A?
I. Buying Bitcoin with KYC
BitcoinQ_A [5:19]: Yeah, so buying Bitcoin has never been easier than it is today: there’s exchanges popping up all over the place, every man and his dog seems to be giving you the opportunity to be able to buy Bitcoin from within their ecosystem or their app. The elephant in the room, unfortunately, is the Know Your Customer — or KYC, as it’s lovingly called within the space. KYC is a regulation that essentially any business entity that has a banking relationship has to abide by; it dictates that they must collect certain pieces of information from anybody that they give a service to. Obviously, in the context of Bitcoin, that’s an exchange that sells you Bitcoin for dollars, pounds, yen — whatever your jurisdiction is.
Matt Odell [6:15]: So in practice that looks like: if you go on to Cash App and you try and sign up to Cash App to buy Bitcoin, they require you to upload your ID, your address — some services require a selfie — that’s what we’re talking about right here, which is this identification information that’s required when you sign up to one of these regulated services.
BitcoinQ_A [6:36]: Right. And some of these exchanges now are even doing videos where they take a 3D scan of your face, which is kind of scary, really! With all that said: why is that a bad thing that people like Matt and myself try and warn people away from? Or at least paint the dangers clearly for everybody? So when you supply this information to be able to buy Bitcoin in a really easy and stress-free way — Cash App’s a good example where you can just, in a couple of clicks, get some Bitcoin into a wallet that you control — one of the main problems is that all of this information gets rounded up into a centralized database that’s controlled by the entity that you’re doing business with. Unfortunately, these entities — or some of these entities, I won’t tar everybody with the same brush — don’t have a great track record of securing it effectively. Talk about perfect timing: we heard about a hack with Robinhood yesterday, was it?
Matt Odell: It was 7 million users.
BitcoinQ_A [7:46]: 7 million users’ information has been leaked. Now there’s varying degrees of the severity of the leak — some of it’s just e-mail addresses, some of it’s more personal information like banking details, etc. To name a few others: Equifax, Facebook, T-Mobile, Clubhouse, LinkedIn, Coinbase, Ledger — all of those companies require some form of your personal information to do business with them, and they’ve all had hacks where, again, with varying degrees of severity, somebody that shouldn’t have got their hands on your information did so. We’re not talking small fry here: some of these hacks were to the tune of millions and millions of people. Now if that’s something like Facebook and your e-mail address gets leaked, it’s not really the end of the world — it might piss you off a little bit. When you tie that into something like Bitcoin where, hopefully — especially after you’ve listened to this podcast and you’re securing your own wealth, that might be in your house, that might be in a loved one’s house, or a combination of those — if the wrong person was to get hold of this information: your selfie, your home address, and in the case of Coinbase how much Bitcoin you’ve actually bought, that is essentially painting a very large cross on your front door that might make it inviting to the wrong type of people to come and pay you a visit to see if they can relieve you of those sats. So that’s one of the main reasons that I personally try to make people aware that, Yes, going on to Cash App or Coinbase or whatever — they make it really really simple, they’ve got really nice, polished UIs to be able to go and get your hands on some sats within a couple of clicks — but one of the big big risks is that this information is leaked on a regular basis. And there are companies in the space that — to their credit — have never fallen prey to one of these attacks, but unfortunately they do seem to be becoming more and more frequent. So yeah, that’s one of the main risks with KYC.
Matt Odell [10:12]: Yeah, I would add a couple things here: first of all, even if a company hasn’t been compromised yet, we should basically operate under the assumption that they will be compromised in the future. This information — once it is taken — is often sold to other people as well, and it can be combined with other information that was leaked from other databases. So for instance: if you have the Facebook leak and the Facebook leak has your mailing address in it, and then you have the Ledger leak and your Ledger leak has your e-mail address in it — but the Facebook leak also had your e-mail address in it — they can combine those two leaks to get your full e-mail address and your actual in-person address. Second of all, we’ve seen physical attacks happen to people who were known Bitcoiners, and how much Bitcoin they had. Sometimes it was because of these leaks — it’s hard to tell for sure. Sometimes it’s because people just talk about their Bitcoin and how much Bitcoin they own, which you also shouldn’t do. Third of all, this information can obviously be used against you by your own government. It can also be used against you by foreign governments in the future. Obviously, it is painting a target as: you are someone who owns Bitcoin and uses Bitcoin and exactly how much Bitcoin you have. And then fourth of all — in the Coinbase leak specifically — all of your withdrawal history was also leaked, so it can be used to track your future Bitcoin transactions based on that information. And we will go further in on Bitcoin privacy and trade-offs of Bitcoin when using Bitcoin, trying to use it privately, how to go about that later on in this episode, but these are just things to keep in mind.
BitcoinQ_A [12:02]: Right. So all of which is incredibly scary. And the final thing I’ll talk about before we look into the alternatives is that something that I like to keep in mind and remind people is: being here for Number Go Up is great — I’m not going to sit here and say that I don’t like to see us hit all-time highs all the time — but Bitcoin is also created to be able to make the transactions that they don’t want you to make. Now if you’re tying all of your Bitcoin to your personal identity, you’re putting a chink in your armor before you’ve even started, that if you do want to make those purchases that Bitcoin allows you to make due to its pseudonymity, then you’re starting two steps back by tying your Bitcoin holdings to your personal identity. Which is where buying from a no-KYC source comes in, so that you can have some — or hopefully in a perfect situation — all of the Bitcoin that you own.
Matt Odell [13:05]: So before we get there — just one more thing: KYC, these records are forever. Once you do these records, you have to assume they’re forever. Is it best practice to delete an account if you’re no longer using it? Yes, but you should assume that actual database record hasn’t been deleted, and it might be used against you in the future. So these are things to keep in mind. Now let’s move to: if you’re trying to avoid KYC and you don’t want to use one of these regulated services, what are your options?
II. Buying Bitcoin with No-KYC
BitcoinQ_A [13:39]: Right. So the two most common ones that get bandied around in terms of actually purchasing Bitcoin are BISQ — which is a peer-to-peer decentralized exchange where essentially it’s a maker-taker model where somebody will want to sell some Bitcoin and they will go on to BISQ and they’ll say, I want to sell x amount of Bitcoin for this much — $500, whatever — and then you as a buyer can go on to that peer-to-peer marketplace and look for these offers to see one that fits your bill that is within your price range and the amount that you want to buy. You can go on completely anonymously and take their sell offer so that you can buy that amount of Bitcoin from them. So it’s an application that you just download onto your computer, basically. You run it all locally — there’s no personal information, you don’t need to show any IDs to sign up. The only person — again, depending on the payment method that you use, there’s many many payment methods, some are better from a privacy perspective than others — but let’s say most people are going to go on and if they want to be able to take a wider range of offers from more people across the world, they’re going to want to use the banking system. Which might ring some alarm bells to some other people listening, but what I also say is: What’s worse? Sharing your banking information with one person who is very likely to be a privacy-preserving individual — because they probably wouldn’t be using BISQ otherwise — versus the regulated entities that throw all of your information into a centralized honeypot that we’ve just explained. So that’s one way — some of the more private options that are available on BISQ are postal money orders, which I don’t really know a great deal about because it’s a US-centric thing, but you’ve also got cash in the mail, and then there’s various other options that are relevant to their jurisdictions.
Another option as well is HodlHodl, which works quite similarly to the way I’ve just described with BISQ, the difference being that HodlHodl is a centralized company that hosts the buy and sell locations for you. It’s a website hodlhodl.com, where you can go and make offers or you can take offers, again, in the same fashion. So there may be some other alarm bells ringing there thinking: Well, what happens if I go on to BISQ or to HodlHodl and I take this buy offer and I send somebody some US dollars — what’s to stop them from just never sending me the Bitcoin? So both of these services work on what’s called an escrow system where the seller will have to deposit the Bitcoin first into a multisig wallet that is controlled by the buyer, the seller, and the centralized entity, so that basically they can’t run off once they’ve got hold of your dollars because they have to deposit the Bitcoin first, and you’ll be notified to wait until you send any of the payments so that they’ve proved that they’ve deposited the Bitcoin into that account.
Matt Odell: There is still some risk there, but it’s a reduced risk.
BitcoinQ_A [17:16]: Yeah, absolutely. I would say it’s more of a griefing attack: you’re not really at risk of losing funds — it’s more about going through the arbitration process to prove that you’ve sent the dollars so that you get the Bitcoin back in the end. So it’s gonna be more of a headache than a risk to actually lose any cash. So some of the other options: you can buy from Bitcoin ATMs. There’s a really great website called coinatmradar.com where you can go on and punch in your physical location — I would recommend doing so using a VPN — and it will tell you all of the Bitcoin ATMs that are in your local area. The general premise of these is that you walk up, you can deposit some cash, give it a Bitcoin address — hopefully from a wallet that you control, which we’re going to come on to later — and the Bitcoin will be deposited directly into that wallet that you control. There are, again — as is always the case with Bitcoin — some caveats: just because you’re depositing cash doesn’t immediately make Bitcoin ATMs super private. Depending on the brand of ATM machine that you use, some of them do still ask for ID, but that is distinguished on the website I’ve just said, which is coinatmradar.com.
Matt Odell [18:51]: Some ask for ID and then some ask for just a phone number — some ask for both.
BitcoinQ_A [18:58]: Yeah, and obviously the ones that just ask for the phone number are the better ones because you can spoof that with services like textverified.com where you can just get a burner number to satisfy the ATM’s phone number requirements, but obviously that’s not tied to your personal identity.
Matt Odell [19:19]: Before we continue, since we’re still early in the episode and I should have mentioned it in the beginning: BitcoinQ_A has my favorite guides in the space. So if you want to look up something specifically or if you prefer reading: if you go to bitcoiner.guide, he has all of his guides listed there — so just keep that in mind.
BitcoinQ_A [19:41]: Yeah pretty much everything that we’re talking about I’ve got some form of information on it. So yeah, moving on to other no-KYC opportunities — we’ve covered peer-to-peer exchanges, we’ve covered ATMs — the next option is to earn it, which might sound a bit outlandish to some people who are new and are entering the space but all I’ll say is that: everybody has some form of a unique skill and there’s always going to be somebody who needs what you can offer them. It’s just about trying to build up a bit of a reputation — whether that’s in your local area or online — so that you can sell your time or your skills and knowledge and receive sats in repayment for them. And the other option — again, probably not as much of a beginner option as I would like it to be, but — the other option is to mine it, although home mining does seem to be going through somewhat of a renaissance, which is really really great to see. And so the general premise of that is that you can buy a Bitcoin miner, you can plug that into your outlet at home, plug in an ethernet port, connect up to a mining pool, and stream yourself some secret sats or some private no-KYC sats directly, again, into your wallet that you control. There’s been a fair bit of FUD bandied around that home mining is too difficult or it’s too expensive — the thing I will say is that: yeah it’s very much dependent on your electricity prices, but again this show is fairly US-centric and there’s a lot of places in the US where I think you’re profitable to mine at the moment anywhere below 0.13 per kWh.
Matt Odell [21:43]: Yeah so with all of these techniques you might be spending a little bit more money than you would be if you went through one of these regulated services. The way I justify it is: you’re paying a little bit of a premium for privacy, and you’re paying that for privacy going forward too, so it keeps paying dividends. With mining specifically, home mining is a fantastic way, in my opinion, of accumulating KYC-free sats. It’s really nice because once you have it plugged in it’s just constantly going — you don’t even have to really think about it — it’s just constantly bringing in more sats. We already have two whole mining Citadel Dispatches, so if you go back to citadeldispatch.com or if you go through the podcast feed or if you go to bitcointv.com and our playlist over there, you can find those episodes. And we’re about to have a third one, too — I think November 30th there’s gonna be a third home mining episode. So if that’s something that interests you should go check those out starting with the first one, because we literally spent like 3 hours on all the different trade-offs there.
BitcoinQ_A [22:50]: Yeah, just to come back on something that you said: generally speaking, you’re absolutely right that you’re gonna pay a little bit more for no-KYC sats, especially if you go to the peer-to-peer exchanges. But I like to try and reframe it as: it’s not a no-KYC premium — the price that you see on a KYC exchange I like to call it the discount that you get given for giving up your personal information and putting yourself a little bit more at risk versus getting some sats that are not tied to your identity, so I think that’s useful framing.
Matt Odell [23:29]: I like that framing: the real price is the private way and then you get a discount if you sacrifice your privacy. And then one method that you didn’t mention which is probably the most accessible to newcoiners is: if you have a friend or a couple friends that are interested in Bitcoin and they’ve been in Bitcoin for a while, obviously if you can pay them cash for some of their Bitcoin — I wouldn’t say it’s the most private, but it’s definitely the most accessible private way for a newcoiner. And if they don’t want to sell you any, they might know someone who wants to sell some, so that’s always something to keep in mind: cash in person gives you very good privacy guarantees, period. Also, to the Bitcoiners out there listening to this show: guide your newcoiner friends through that method. And whether or not you want to actually explicitly sell it to them — that’s one thing, but if you go out to dinner, have them pay for dinner with their cash or their credit card and then pay them back in Bitcoin. Or give them birthday gifts in Bitcoin, and get them started in a peer-to-peer fashion rather than just throwing them to the wolves and sending them to a regulated exchange.
BitcoinQ_A: Yeah there’s a couple of people in the chat that have just rightfully shouted out Azteco vouchers as well, which is essentially: you’ll get stores that sign up to become an Azteco vendor and you can go in, hand over some cash, and you’ll get a voucher where you can go and claim the equivalent amount of sats from that, again, directly into a wallet that you control. The only caveat with Azteco is that the KYC responsibility, if any, is put onto the specific vendor, so don’t just presume that because there’s an Azteco vendor near you that it won’t be no-KYC — each one is left to come up with their own interpretation of whether they need to do it or not, basically.
Matt Odell [25:52]: And you have that major chain in the UK that’s an Azteco vendor, right? What’s the name of that?
BitcoinQ_A [25:58]: It was Poundland but then it stopped a couple of months ago and it’s showing no signs of coming back, unfortunately.
Matt Odell [26:03]: Ah, okay. They realized what was going on and they’re like, Ah we can’t — too much liability.
BitcoinQ_A [26:08]: Which was a shame because they have a store in literally every town — there was hundreds of them and it was massive for the UK, but yeah unfortunately it’s no more.
III. Self-Custody your Bitcoin
Matt Odell [26:16]: Okay well that’s a shame. If you want to read more about the dangers of KYC you can go to BitcoinQ_A’s website nokyconly.com. However you decide to proceed with obtaining Bitcoin and accumulating Bitcoin, the next step is trying to secure it well and secure it in a way that you don’t have to trust a third party who can seize your funds. So how should newcoiners go about that, BitcoinQ_A? What are their options?
BitcoinQ_A [26:51]: So the natural first step for most people — unfortunately, like we’ve just said — is a centralized exchange. Again, like Coinbase, Cash App or something like that, where you will go on and deposit dollars or your local currency, they will credit your account with the equivalent amount of sats. What you have there is an IOU where you’ve got an account with them where they say that you’ve got this much Bitcoin. Essentially what you actually have in real terms is an IOU and you don’t actually hold any Bitcoin. The very essence of Bitcoin is as the saying goes: Not your Keys, Not your Coins, which is bandied around a hell of a lot and for good reason! It essentially means that if you’re not holding the keys for your Bitcoin, you don’t actually have any Bitcoin. So you’ve bought some on an exchange — the next step would be to get yourself a mobile wallet where you can generate the keys within that wallet so that you and only you are in control of any of the Bitcoin that you send to that wallet.
Matt Odell [28:02]: So before we move on — and I’m sorry that I keep cutting you off, I hope it’s fine with you — the risk is: if you’re holding it in one of these custodial wallets, which is what the exchanges default to, and there’s some other services that also are custodial wallets, basically the telltale sign of that is the way you access it is through a username and password — you don’t have any backup yourself. What happens there is there’s a high likelihood that your account could get frozen. We’ve seen that with PayPal in the past with fiat with just US dollars, where PayPal will freeze your account and you’re not able to get your money. It could be stolen if the exchange gets compromised or the custodial wallet gets compromised. And obviously, you’re trusting your privacy completely with the custodian because they know all of your transactions and your current balances. So it’s not ideal, and you want to learn how to hold Bitcoin yourself because one of the revolutionary things about Bitcoin is that you can hold it yourself in a way that someone has to physically compromise you to take your Bitcoin. So you were about to start with mobile wallets — I think mobile wallets are the most accessible way — getting a wallet on your phone, basically, to hold your Bitcoin for you, right?
IV. Software Wallets
BitcoinQ_A [29:31]: Yeah, just before I get down to the mobile wallet — it comes back to the point I made earlier about censorship resistance, or being able to make the payments that you want to make, not that they give you permission to make. If you’ve got to ask for permission from an exchange to be able to send Bitcoin to your desired destination, you’re asking for permission, and that’s not why we’re here — we want to be able to spend our money to whoever we want, whenever we want. So first step — and the easiest step — is to get a phone wallet. They’re free, they’re easy to access, you can download from any popular app store, or quite a lot of them offer direct downloads so that you can download from the chosen team’s website or GitHub. A lot of people tend to rush in and try and buy the next best hardware wallet straight away when they’ve just bought $100 of Bitcoin to dip their toes in a little bit. Well, if you’re just dipping your toes in to see if this thing’s working for you, then it doesn’t make any sense to go out and buy a hardware wallet — and this is coming from somebody who works for a hardware wallet company! It doesn’t make any sense to rush out and spend a couple hundred dollars on a hardware wallet when you own less than that in Bitcoin.
Matt Odell [30:52]: You already have a perfectly good phone that you carry around with you — it’s very easy to spend and receive from. But the important thing here is that you use a reputable mobile wallet — there’s a lot of scammy mobile wallets. Don’t just open up the app store and search for Bitcoin wallet — you will get a lot of bad options there.
BitcoinQ_A [31:09]: Yeah, unfortunately the Top 10 results for that sort of search in most of the app stores are quite abysmal. My personal recommendations would be: Samourai Wallet if you’re an Android user, or BlueWallet if you’re an iOS user. Muun Wallet is also another one that I know you’re pretty bullish on, Matt, as well.
Matt Odell [31:30]: Yeah both BlueWallet and Muun Wallet are available on both Android and iOS. They’re very easy to use for beginners. I would say they’re not very intimidating, so don’t be intimidated. You should download one and just try it.
BitcoinQ_A [31:53]: So the general premise of these — and unfortunately I mentioned Muun Wallet there, it’s gonna buck the trend of what I’m about to say, but — the general premise is: you’ll download the app from your chosen location, when you set up a new wallet the app will show you a list of 12 or 24 words which is your master secret, which is the master backup to your Bitcoin wallet. Anybody that gets their hands on that — be that physically or digitally — is going to be able to take all of your funds, so make sure that you write that down and secure it somewhere safe.
Matt Odell [32:30]: Yeah, so Muun Wallet has a different backup method: it’ll prompt you and explain how to back up that, but we will focus on this standard which is something we call seed words. They’re basically these words — it’s a phrase — and the wallet generates it for you and you need to keep them secret. You absolutely need to keep them secret. So you don’t want to put them on an Internet connected device — you don’t want to like save them in your iCloud notes folder, you don’t want to take a screenshot and upload it to iCloud — what you want to do is, at the bare minimum, you want to write it down on a piece of paper, double check that you wrote it down correctly, and store it somewhere securely. Because if someone gets access to it, they have access to your funds. But as long as you have those words — your phone could drop in the toilet, it could fall and crack and break, or some phones just completely stop working sometimes — as long as you have those seed words, you can reinstall the app on a new device and just put in that phrase of words and you will have access to your funds.
BitcoinQ_A [33:36]: Yeah and the beauty of that is — like you said — 99% of the wallets in the space all work to that same standard so you wouldn’t necessarily have to even download the exact same mobile wallet. As long as the mobile wallet that you choose abides by the rules — which again, most of them do — then you can put that seed phrase into any other wallet. And there’s a quick question in the chat which I think is probably good to touch on before we move on to hardware wallets: How much would you need to own to get a hardware wallet? Now obviously I’m not going to be able to answer that for everybody that’s watching — it’s quite an individual question. All I would say is: if the only mobile wallet you’ve got is on your daily phone, I would use the equivalent of how much physical cash would you carry around with you, and what’s your limit at which it’s gonna start affecting your life if you were to lose that balance.
Matt Odell [34:38]: Right, the mobile wallet should be almost considered as like your spending wallet — what you would have in your back pocket. But going further, when we go into more methods of storing your Bitcoin, that would be more like a savings account. Except — you were about to say a caveat — I have my own caveat: Especially if you’re using a reputable one, I think people can feel a little bit more comfortable than the amount of cash they would carry in their pocket. I know I wouldn’t feel that comfortable carrying more than like $400 in my pocket, but a mobile wallet [is stronger] — especially if it’s your first wallet, you’re just getting started, you’re getting comfortable, you have your seed words backed up, your phone’s up to date. We don’t see hacks. Hacks are theoretically possible — obviously phones get compromised all the time — but if I had to pick a number I’d be in like the $5,000-$10,000 range. That’s where you start having to really consider securing it more. And you should also operate under the assumption — because Bitcoin tends to go up fast — you should be prepared ahead of time, because it could be $1,000 in there and then in 6 months it could be worth $8,000.
BitcoinQ_A [36:03]: Yeah, the other thing I would say as well is that almost everybody has got a spare phone lying around at their house that you could use as your dedicated Bitcoin phone where you could be slightly more comfortable storing maybe larger amounts — relative to the individual — and then you could decant off into your daily phone what you might want to spend on a day-to-day basis. There’s absolutely nothing wrong with that approach as well, if you didn’t want to shell out quickly for a hardware wallet, which we can come on to now.
Matt Odell [36:42]: Well, before we get to hardware wallets: there’s also software wallets on the computer that you can have, right? So you have mobile wallets, you have software wallets on your computer where you install an app on your computer. I would say: unless you’re an advanced user and you have a dedicated computer — and this episode isn’t for advanced users — they should probably shy away from that in the beginning. I think the mobile security model is a stronger security model. As long as you’re not worried about the NSA or the Chinese intelligence services or the Israeli intelligence services or something.
V. Hardware Wallets
BitcoinQ_A [37:15]: Yeah I’d agree with that. Most of the population are not great at securing their computer. Unless you’re a bit of a hacker, then this is a far more vulnerable device than your mobile phone is, which is why — like you said, and I completely agree — I don’t recommend them, especially for larger amounts. I tend to skip straight to the hardware wallet after the mobile wallet stage. So hardware wallets are essentially a dedicated physical device designed to manage the keys that control your Bitcoin. So, with them being a physical, dedicated device, their one purpose is to secure your Bitcoin. Whereas your phone is essentially a computer in your pocket and — with all of that extra functionality that your phone has compared to a hardware wallet — this increases the theoretical attack vectors where hackers or the NSA, whoever, can try and attempt to get their hands on your Bitcoin. So these devices are very focused on securing your Bitcoin from physical attack, and also from digital attack, i.e. somebody stealing your keys over the Internet if you were to connect one of these devices to your very likely highly-insecure computer. So the way most of the good ones work — their primary way of keeping things secure — is that they operate with what’s known as an air gap, where they can operate without being connected physically to any other device, because it’s that physical connection that sometimes can introduce extra threat vectors.
Matt Odell [39:18]: So just to distill it here: the idea of a hardware wallet is that you have a device that’s built to securely hold your Bitcoin — well, technically it’s holding the keys to your Bitcoin, but for all intents and purposes you can think of it as holding your Bitcoin. It interacts with either your computer or your phone in a way that those keys — the keys are what protect your Bitcoin, give you access to Bitcoin, and you don’t want someone else to have access to those keys — it keeps those keys off that computer or off that phone. So it stays on the device, and that device is never connected to the Internet. So the basic concept behind securing your stash with a hardware wallet is that: for someone to compromise you, they need to physically have access to you and the device — or if they can compromise the device, just the device. But they have to come into your home or come into your office and get that device, rather than hacking you through the Internet.
BitcoinQ_A [40:25]: Right. And even if a generic attacker was to gain physical access to most of these devices, they’re still going to need a fair bit of time and a hell of a lot of equipment to be able to crack the protections on the device to be able to access the keys and to be able to steal your Bitcoin. So it’s not just a case of protecting you from a malware-infested computer: if somebody was to break in, there’s still PIN protection on the device, and so it’s not just the case that if you lose the device, you lose access to your Bitcoin. Again: the premise that Matt spoke about before about writing down your seed words is exactly the same with a hardware wallet. The difference here is that when you generate those 12 or 24 words, it’s done in an offline environment that’s never been connected to the Internet. It just removes that extra threat vector where you’re not connected to any Internet connected devices. It’s just that extra layer or wrapper of security.
Matt Odell [41:39]: Perfect. What is your favorite hardware wallet?
BitcoinQ_A [41:50]: I saw that one coming a mile off! So, full disclosure: I work for a hardware wallet manufacturer called Foundation Devices. And obvious biases aside, I genuinely believe that we make the best option for a beginner entering the space. It’s incredibly secure, but also very easy to operate. The device is called Passport. And another great device is the ColdCard, which probably looks a little bit scarier to the newcomer, I would say, but has some extra features that might be more beneficial for more advanced users that they could leverage. So those would be my two favorites.
Matt Odell [42:34]: Yeah, I would say my favorite is ColdCard. I’ve used multiple versions of ColdCards — I highly recommend them. And then — we’re not really going to go into shitcoins here, but — if you absolutely need to gamble on other coins in the space rather than just Bitcoin, both Foundation and ColdCard are Bitcoin-only, so I would say either use a Ledger or a Trezor hardware wallet if you want shitcoin support. But even in that situation, you probably should go with a Bitcoin-only hardware wallet for your Bitcoin and then use the other ones for your shitcoins. And just like the mobile wallets, there are lots of really bad hardware wallets out there, so don’t just google “best hardware wallet” because a lot of influencers are paid to promote them. So you’ll see YouTube videos with 500,000 views saying to use a horrible hardware wallet, so consider that.
BitcoinQ_A [43:43]: Yeah what I would say just to back that up again is that — the likelihood is: if you’re listening to this that you’re at least aware of Bitcoin Twitter and the people that are around and popular on there, and most of those people have been around for a good number of years and they’ve probably tried all of these devices — so look to what most of those people are using or at least are recommended when you’re doing your own research to see which device is going to be best for you.
Matt Odell [44:15]: Perfect. When they’re using their hardware wallet, they need to use it with software — they need to use it with an app. So what are your recommendations for which apps they should use with their hardware wallet?
BitcoinQ_A [44:31]: The best two for me — if you want to stay on desktop, which generally gives you a little bit more extra functionality — number one would be Sparrow Wallet, hands down my favorite. Or if you like a little bit of an easier to operate interface with less advanced features, Specter Desktop is also a great one.
Matt Odell [44:55]: Two great recommendations. Specter used to be my favorite — now Sparrow’s my favorite. You can also use both the ColdCard and the Foundation Passport with BlueWallet on mobile. So if you are going through the steps and you got comfortable with BlueWallet already — because you started with the mobile wallet — you can then use BlueWallet with both of those hardware wallets, which is nice. Especially since I think some people listening to this probably don’t have computers, they just have the computer in their pocket.
BitcoinQ_A [45:38]: Yeah we’re heading towards a mobile-first world, aren’t we? If we’re not already there! And BlueWallet does offer a great interface, especially with the Passport with the QR interfaces — very very slick and very easy to wrap your head around as a beginner.
Matt Odell: Awesome. Okay so do you want to go to the next topic?
VI. Full Nodes
BitcoinQ_A [45:56]: Yeah, let’s hit nodes. So I talked about Specter Desktop, and one of the great features about Specter Desktop is it actually has a built-in Bitcoin node. So the next step along your journey, hopefully, will be to look to run your own Bitcoin node. A Bitcoin node, you can look at it as your interface into the Bitcoin world and it’s going to be that next step along the sovereignty journey so that you can — and again, one of the buzz phrases that you hear in the space is to verify your own transactions — so when you receive any Bitcoin transaction, that will have been passed to you via a whole network of nodes, and the wallet that you choose to use will be connected to a node. Now that node could be a centralized node operated by an exchange, it could be a node that you don’t know exists that might actually be a chain surveillance company, or hopefully it could be your own node that you can run in your house relatively cheaply. Now the benefit of running your own node, like I said, is you can verify your own transactions so that you can be sure, when somebody’s sending you a transaction, that the transaction abides by the rule set of the network that you’ve chosen to join that we all agree on. To put that a little bit simpler: it’s so that you can be sure that nobody’s trying to cheat you and send you some fake Bitcoin or a transaction that’s not valid, and so that you might be selling goods or services and they might be paying you in Bitcoin for that, and if you weren’t verifying your own transactions, they might be able to send you that.
Matt Odell [47:47]: The way I like to frame it is: to interact with the Bitcoin network, you have to use a node, and if you don’t use your own node you don’t have counterfeit detection. Someone can trick you into thinking you have Bitcoin when you don’t have Bitcoin — so you want to use your own node for that purpose. That’s more of a theoretical attack and we haven’t really seen it play out. It could still play out in the future and you should assume it will, so you’ll want to use your own node for counterfeit detection. But second of all — and this is almost more tangible to people — if you don’t use your own node, you’re trusting your privacy with whoever’s node you’re using. So you want to use your own node so that you don’t have to trust, potentially, a stranger or a company with that private transaction information and balance information.
BitcoinQ_A [48:47]: Yeah it’s about removing trust, essentially, and by running your own node you’re putting the trust in the hardware and/or the software that you are choosing to run, not the one that’s been given to you if you’re operating with an exchange or a centralized node runner. And so there’s a massive — we’re awash with choice, and with varying degrees of technical ability. The easiest way to get running with your own node is to download a piece of software called Bitcoin Core. This is the de facto software built by the Bitcoin Core developers. It’s a piece of software that you can — in a couple of clicks — download onto your laptop or desktop, and it will start to download your own copy of the blockchain so that you can transact with the built-in wallet just to get started and verify your own transactions that way. That’s absolutely the easiest way. And as I touched on earlier: Specter Desktop actually has that built in as well, just packaged in a slightly different way for you. And so they’re absolutely free, and within a couple of clicks you’ll be on the way to downloading your own copy of the blockchain and having your own node set up. The problem with a setup like that is that you can’t really — generally speaking — connect any mobile wallets to it. So if you were to want to transact when you’re out and about and you run Bitcoin Core on your laptop and you wanted to send a transaction, the likelihood is you’re not gonna have your laptop with you, so you won’t be able to spend as easily as some of the node options that we’re going to come on to in a second.
Matt Odell [50:33]: Yeah so if you’re using Bitcoin Core or if you’re using the built-in Bitcoin Core in Specter — correct: the main negative is you can’t use it with a mobile wallet. The other negative is: your transaction and balance info will be on your computer. So if it’s a computer you use for work or a computer you use to play games or look at porn or something like that — your social media habit — it might be easily compromised and mostly it becomes a privacy issue, because all your transaction history will be there and all of your balance history will be there — but also you can’t use it with mobile wallets, which is a key component as well.
BitcoinQ_A [51:24]: Yeah so the next best option — and unfortunately the most expensive option — is what’s known as a plug and play node. So this is where you’ll buy a small box from one of the various teams — to name a few we’ve got: Ronin Dojo, RaspiBlitz, Start9, Umbrel, MyNode — there’s loads of different companies popping up all with different feature sets. But essentially they sell you a box that you plug in at home, you plug it into your router, you plug it into the power outlet, and then within a couple of clicks you’re off and running, again, to get your own copy of the blockchain and have your own node up and running.
Matt Odell [52:09]: Before we move on: Citadel Dispatch E26, I had all the major node teams on for a conversation on their node projects. So if you’re interested in having one of these purpose-built boxes — or a lot of those projects that were just named allow you to actually buy the hardware separately and then install their software on it — consider listening to that Citadel Dispatch.
BitcoinQ_A [52:40]: Right, so the final option is the DIY approach, like Matt’s just touched on, where all of the projects that we just said will have a parts list you can go away and buy, spend a couple hundred dollars buying a hard drive and a single board computer and a couple of other cables and build your own node and put the software that these teams provide onto that hardware. The end result is that you get the same node with all the same features. Obviously the caveat is that you’ve got to go through the process of buying the hardware yourself, flashing the software onto a microSD card — which might cause you some trouble if you’re a less technical user and you’re less comfortable with taking that approach. And that’s why the teams offer the plug-and-play node.
Matt Odell [53:28]: It does sound more intimidating than it actually is, so I encourage new users to get their feet wet. Also, just to go back a little bit about Bitcoin Core: you can also use Bitcoin Core if you’re running Bitcoin Core on the same computer you’re running Specter or Sparrow on — they both can connect to it. If you do that process, you really should be using it on a dedicated computer. I know I touched on that earlier when I said: if you’re using it for playing games or social media, it could get compromised easier because you’re using it for all these other general purposes — you’re downloading software on it that you definitely haven’t verified and have no idea what’s really running there. So if you are going to go that approach, you should have a dedicated device: you should consider a dedicated computer, a dedicated phone that you are using with it. In general, dedicated devices are going to be more secure and more private. When we talk about security in Bitcoinland: don’t let perfect be the enemy of good. Don’t get overwhelmed because your setup’s not perfect. But at the same time, you’re just trying to reduce your threats so that you’re not the lowest hanging fruit. Most of the time — when we see these hacks — it’s targeted at the people that are most vulnerable.
BitcoinQ_A [54:56]: Yeah and just to go back to the DIY approach that I was outlining: all of these different projects that we’ve spoken about have got really really good documentation and quite vibrant communities as well on Twitter, Telegram, or their own dedicated forum. So don’t be afraid to go and have a browse at the documentation — like Matt said, it’s not actually as scary as I made it sound. And also: go and ask some questions in the Telegram chat or in the Slack or whatever chat room that the project has got — you’ll definitely find that all of the people that are in these communities are really welcoming, and they’ve definitely been in your position before now, and they found the thought of this really scary a couple of years ago and now they might be running several DIY nodes. So don’t be put off by it.
Matt Odell [55:51]: 100% — I will echo that sentiment! I would just add a slight caveat that there are scammers in these Telegram groups and these chat rooms: they will often try and impersonate people that are involved with the project or other notable figures to try and get you to feel comfortable. Never give anybody your seed words — those secret backup words — never give them your secret backup words, and always be skeptical if someone in one of those groups tries to DM you separately and tries to go into a private chat. Sometimes it is legit, but you need to be extra cautious in that type of situation.
BitcoinQ_A [56:31]: Yeah and if somebody does, don’t be afraid to ask in the main room: tag the person who you think might have DMed you and say, Is this you? But always just err on the side of caution and keep that adversarial mindset. To think: Why is this person reaching out to me completely out of the blue after I just asked my first question entering the room?
Matt Odell [56:55]: 100%. So all those node projects support something called Electrum server, and Electrum server is a standard way to interact with your own node. You can use those Electrum server details and then you can put them into Sparrow, you can put them into many of the mobile wallets that we mentioned earlier — you can put them into BlueWallet. With Samourai, specifically, they don’t use Electrum server — they use something called Dojo. And with that pairing, it’s as simple as: there’s a QR code, and you just scan the QR code with your Samourai Wallet on your phone, and it’ll pair up with your node.
BitcoinQ_A [57:43]: Yeah the good thing is with Dojo as well is it’s implemented in the vast majority of the node packages now: there’s more that have Dojo than don’t, which is really great to see. Should we hit on CoinJoins?
Matt Odell [57:58]: Okay so we’re an hour in: if you’re a newcomer and you just listened to this hour and you’re intimidated as fuck, don’t be intimidated! Start with step one where we talked about acquiring your Bitcoin, then learn how to hold your own keys, and slowly move through the process. Don’t freak yourself out that, Now I gotta run a node too — now I’m really intimidated! Step-by-step: get your feet wet, get comfortable, send transactions, receive transactions, back up your wallet, restore your wallet — just get comfortable with it! Get used to it! It’s not something to be scared of — it’s something that you learn by doing.
BitcoinQ_A [58:42]: Yeah I put a tweet a couple of weeks ago actually that echoes that: if sending a transaction makes you feel a little bit uneasy, then you haven’t sent enough transactions! You can see on screen there that the mempool is a little bit busier than what it was, but a couple of sats per vByte is going to get your transaction confirmed very quickly, and that’s going to cost you less than a dollar to send a transaction.
VII. Transaction Fees
Matt Odell [59:06]: Before we move on to CoinJoin, on-chain privacy, UTXO management — how does a newcomer choose what fee to pay? They open up their wallet, they go to send a transaction: how do Bitcoin transaction fees work? I feel like that is something we tend to gloss over.
BitcoinQ_A [59:31]: Well fortunately, most of the good mobile wallets — especially the ones that we’ve mentioned — will give you a couple of options. They’ll either have three options — low priority, medium priority, and high priority — or there might be a slider where you can manually adjust the fee. The higher the fee you pay, the more likely that your transaction is going to be confirmed or processed quicker. Again: a caveat with that one — we’ve got a lot of caveats tonight — is that some of the fee estimations, these wallets all use different algorithms as to how they calculate or estimate the fee that would be required to get you confirmed in the displayed priority. So Matt’s got on screen here a really great website called mempool.space which shows you the priority fee selections or what it would advise based on what’s currently in the mempool, as well as historical data. So it’s always a really good, accurate look at if you want to get your transaction processed within the next block. Right now it would take an estimate of 13 sats per vByte, but again there’s a little caveat here that there’s still transactions with much lower transaction fees than 13 sats per vByte that will also get confirmed — so it’s not an exact science, I will say that. But multiple sources is always a good one if you want to try and get it nailed.
Matt Odell: So Bitcoin isn’t run by a company — Bitcoin is a distributed network. And so as a result, how Bitcoin transactions work is we have this chain of transactions, and the transactions are within blocks — we call them blocks. Roughly every 10 minutes there’ll be a new Bitcoin block and it will have finalized transactions included in that block. Until you get into a block, you sit in a waiting list. That waiting list — we call that a mempool. Technically, every node has their own mempool, but if your Internet connection is solid, in most situations those mempools should all look the same. So when you go to mempool.space you’re looking at their mempool — that will look very similar to if you looked at the same thing on your own node, which a lot of these node projects, by the way, allow you to run mempool.space natively with your own node. So basically you have this free market that’s constantly going on where people are choosing which fee they’re willing to spend, and miners are going to usually include you in a block based on your order in that waiting list, based on how much you want to spend. So if it’s a transaction between someone you trust and you’re willing to wait a longer period of time, you can pay a lower fee. If you’re sending just to yourself you can pay the lowest fee — 1 sat per vByte is the lowest fee, because you’re just sending it to yourself. If in some crazy situation where 1 sat per vByte never gets confirmed ever — which we’ve never been through — you can always resend that transaction. So you’re gonna want to choose your transaction fee based on the urgency you want that transaction finalized on the network. And most good wallets will basically give you a low, medium, and high. Low being, I can wait. Medium being, I’m in the middle ground because it’s medium. And high being, I don’t want to wait — I want it finalized as soon as possible.
BitcoinQ_A [1:03:38]: Yeah, and it’s very much a dynamic thing! It’s like a queue that’s always evolving every single second because there’s more and more transactions being sent every second, and it’s not outside the realms of possibility that the fee that you put up right this second might not be enough to get you immediately processed into the next block in 5 minutes’ time. So it’s very very dynamic, and that’s why I said it’s not an exact science. So generally speaking, for most people, the wallet estimators are pretty good, especially if it’s an urgent transaction that you need to be processed immediately.
Matt Odell [1:04:18]: 100% — I’m glad we covered that topic. Also, just to jump back: with hardware wallets, the backup to that hardware wallet are those words you wrote down. You have the option of putting them into steel. These steel plates are available — many different vendors offer the steel plates. The idea there is if you put it into steel, obviously it’s going to be water resistant and fire resistant — it’s going to be more sturdy than paper. You might also consider making duplicates of those seed words and having them in different places, so if your office burns down or your house burns down it’s still in the other location. With the caveat that: it means it could be more likely that someone else finds it because it’s in more locations, so you need to think about that very carefully. And then third of all with hardware wallets: one thing I like to tell newcoiners is it’s a good idea to buy two of whatever you decide to buy, because if you have a second one, you can have the same backup words initialized on both devices. So then if something happens to your device, not only do you have the seed words available — those secret backup words available to restore your device — you also have the second device that still has access to your funds, so you’re not in a panic situation. I tend to recommend to people that they should buy two of the same device — whichever they choose — so that they can have two initialized, and you can keep those in separate locations as well if you want. So when you’re opening up a Bitcoin wallet, it shows a balance. A common misconception is that it shows your Bitcoin balance — that’s what’s in your wallet. But in reality, what’s in your wallet is basically a bunch of different Bitcoin transactions that all add up to that balance — we call those UTXOs. Those are Unspent Transaction Outputs — UTXOs is what we call them. You can think of them like bills in your wallet.
Like, maybe your cash wallet has $50 in it, but in reality it has two $20s and a $10. And that’s how Bitcoin wallets work: so you have all these small UTXOs in there that add up to your balance. And that has privacy implications, because if two of those UTXOs come together in a single transaction, they’re obviously linked on this chain forever, right? We call it the blockchain — it’s this ledger of transactions — they’ll be linked together because they were both spent in the same transaction. So that brings us to this idea of UTXO management and coin control — the idea of trying to manage those Bitcoin transactions in a privacy and cost effective way. You want to go into that a little bit?
VIII. UTXO Management
BitcoinQ_A [1:07:31]: Yeah, definitely. The two wallets that we keep mentioning — BlueWallet and Samourai — offer all the features that I’m just about to cover that help when it comes to UTXO management.
Matt Odell: And Sparrow and Specter.
BitcoinQ_A [1:07:47]: Sorry, yeah — I keep referring to mobile wallets but yeah: all of the good desktop wallets that we’ve spoken about have all got UTXO management features as well. So there’s a couple of facets to it: the first one is the ability to label the UTXOs or the pieces of Bitcoin that you’ve got in your wallet. So what would be an example of a label might be that if Matt was to pay me back for dinner, when I receive that transaction into my wallet, I could put a label on that to say that that’s come from Matt, and it was for dinner. I could then receive my wages from my employer and I could put the relevant label on that just to know the origin of where that UTXO is from. So once I’ve labeled them, when I’m making future transactions — there’s two ways you can make a transaction: you can let the wallet construct it for you automatically, which they might choose any random UTXOs and merge them together, again, like Matt said, which will show common ownership. That might not be a problem. However, if you want to preserve your privacy — and I might not want my employer to know that I’m friends with Matt because he’s a bad person — because I’ve labeled those UTXOs when I received them at the time, in two weeks down the line when I’m going to make a transaction, I can then consider the person that I’m paying — do I want them to know that I know Matt? Or do I want them to know that I work for the company that paid me with this UTXO? — I can make that informed decision then to say, 1) Well actually I’m just going to spend from one of those pieces of Bitcoin. Or, 2) Actually it’s not a bad thing — Matt’s not really a bad person — I’m gonna combine the two because for the value that I want to send, I need to combine the two. So those are the two main facets to it, but obviously you can’t make an informed decision when you come to spend if you don’t know the origins of all of the UTXOs that you’ve got. 
And so they go hand-in-hand, really: you need to label so that when you go to spend, you can make the informed decision as to whether you should merge or not.
Matt Odell [1:10:08]: Yeah, so a key aspect of Bitcoin is: if someone sends you Bitcoin, they can see where that Bitcoin goes in the future. And if you receive Bitcoin, you can see where that Bitcoin came from in the past. So this is why labeling is important, because you want to know where that transaction came from or where it goes to, because that’s who you’re exposing your privacy to in that situation.
BitcoinQ_A [1:10:42]: Yeah. The person that I’m paying might not be clever enough to use blockchain analysis, but the other adversary that we need to consider here is chain analysis firms that might be trying to cluster or monitor your on-chain activity — who you’re spending to, who you’re getting change back from — to monitor your habits to try and piece together the identity, because the blockchain doesn’t have any identities at the blockchain layer, but these companies work to tie all the pieces together so that they can deanonymize people. So it’s not just a case of hiding how much you earn from your friend — it’s also these more sophisticated actors that have got a lot more resources to throw at this, that you’ve also got to bear in mind as well, unfortunately.
Matt Odell [1:11:44]: Yeah, you don’t want your employer to know what you’re spending things on, and you don’t want the guy who sells you a sandwich to know how much money you make. But on top of that, we also have these professional surveillance mercenaries that work for governments, dictators, and companies, and they are just out there constantly trying to track Bitcoin transactions — so you also have that as a concern.
BitcoinQ_A: Which leads us nicely onto CoinJoin. So CoinJoin is a coordinated or collaborative transaction where you and at least one other person will collaborate to construct a transaction that casts some doubt as to the origin and the output of the transaction to make sure somebody watching the blockchain — again, a chain surveillance firm, your employer, your friend, whoever — that they can’t deterministically or with good probability be able to track the people on the input side of the transaction to the output side of the transaction. So it effectively attempts to put up a brick wall in the UTXO’s history so that anybody looking on-chain can’t be sure 100%: is there one person involved in this transaction? Is there 10 people involved in this transaction? It just casts doubt on the path that the Bitcoin has taken and has the Bitcoin change hands or hasn’t it — we’re not really sure!
Matt Odell [1:13:50]: So tracking Bitcoin is a probability game: these surveillance companies and their tools — or just someone who’s curious and trying to spy on you — will basically assign a probability to every transaction if ownership has changed, because one of the things about Bitcoin is: I could send Bitcoin to myself or I could send it to BitcoinQ_A and the chain doesn’t delineate between that. So a key aspect of tracking Bitcoin transactions is determining some kind of probability that Bitcoin actually changed hands. And then from there, trying to see which hands it went from: from who to who? So CoinJoin is this idea of a collaborative transaction — and just for an example: if you have five people that are doing a CoinJoin together, instead of having a simple path that you’re following on-chain and deciding if ownership has changed, all of a sudden there’s five different potential paths it could go down. You don’t know which of the five people that participated — which of their five outputs are them — so it breaks that probability chain and it’s a useful tool in terms of trying to have forward privacy. So someone who sent you Bitcoin doesn’t necessarily know which path your Bitcoin took going forward.
BitcoinQ_A [1:15:22]: Yeah and specifically with implementations of CoinJoin like Whirlpool — which are known as equal output CoinJoins — the notion is that all of the UTXOs on the output side of the transaction look absolutely identical. I always like to use the analogy of V for Vendetta where you’ve got the Million Mask March — it’s essentially the same thing but on the blockchain, where all of these UTXOs are indistinguishable from one another, and so, like Matt said, you’ve got some forward privacy.
IX. CoinJoins
Matt Odell [1:16:02]: The three major CoinJoin projects are Samourai Whirlpool, JoinMarket, and Wasabi. Citadel Dispatch E15 was with the Wasabi team, Citadel Dispatch E16 was with the JoinMarket team, and Dispatch E30 was with the Samourai team. So if you’re interested in this, consider going back and listening to those three. Me and BitcoinQ_A like Samourai Whirlpool the best. You don’t have to use Samourai Wallet with it — you can use Sparrow Wallet with it as well.
BitcoinQ_A [1:17:10]: Yeah, co-sign that: Samourai or Sparrow are hands-down winners for me. Especially from a beginner’s perspective: definitely the easiest ones to get started with, in my opinion. Somebody asked: What’s the difference between CoinJoin — that we’ve just spoken about — and a coin tumbler? So, unfortunately, the meanings have been whitewashed somewhat over the years. But generally speaking, a coin tumbler is a centralized service where you will have to send in your Bitcoin and give up custody of it to whoever’s running the tumbler, and they will send you somebody else’s Bitcoin back. I absolutely would not recommend anybody use these, because you’re putting yourself completely in the hands of whoever’s running the tumbler, and whether they’re going to send you your Bitcoin back or not.
Matt Odell [1:18:18]: And not only are you trusting them with your Bitcoin if you use a custodial mixer — it’s the same ideas as custodial risks with wallets — you’re also trusting them with your privacy and your funds. So the key aspect of CoinJoin is the idea that you are reducing trust in any centralized third party. Wasabi and Samourai have a centralized server that they use to coordinate the CoinJoins to give them better UX and more reliable — those coordinators are blinded. With Samourai, specifically, you can use it without your own node — and then you’re trusting Samourai’s node — so that goes back to our earlier conversation about using your own node: you should use your own node when you use Samourai. Otherwise, you are trusting them with your transaction and balance information, as is the case with all light wallets.
X. Lightning Network Wallets
BitcoinQ_A [1:19:39]: So now a quick high level on what the Lightning Network is: it is a scaling solution for Bitcoin that allows you to transact with actual real Bitcoin, but you don’t do so with what’s known as an on-chain footprint, and so it allows you to lock up as much Bitcoin as you want onto this second layer solution known as the Lightning Network so that you can essentially just defer the overall settlement of any number of transactions from going on-chain to reduce fees and also to allow you to transact much quicker. So whereas one on-chain transaction might cost you a couple hundred sats — depending on the fees — you might be able to send 10 or even 100 Lightning Network transactions for the same amount of fees. Now there is, unfortunately, lots of caveats with the Lightning Network, again, in terms of being able to do it properly: the best way to do so would be with one of the node packages that we’ve spoken about before, which will dictate that you need to manage your own channels, which is essentially where you lock up this Bitcoin to be able to transact on this second layer. So it’s a little bit more of a hurdle to get on board with, but you can save yourself a fair bit on fees — especially if we ever see a fee spike again, which I think is inevitable.
Matt Odell [1:21:23]: Ah, so you do think it’s inevitable! So, first of all: there’s been a lot of Dispatches on Lightning, if you go through the feed. Consider listening to those — there’s a lot of different caveats and nuances when using Lightning, specifically with privacy. I did a full privacy episode with @openoms and Anthony — that’s Citadel Dispatch E21: that’s on Lightning privacy, so consider checking that out. But the main differentiation that you as a new user should think about with Lightning is going back to our transaction fee conversation earlier, which is: when you use a regular Bitcoin transaction, your transaction fee is not based on the amount you send — it could be weird for you — it’s actually based on the amount of UTXOs that you use for the transaction. It’s based on the data size, not the amount of money that is sent. So you could end up sending a $5 transaction with Bitcoin on-chain — a regular Bitcoin transaction — and it could cost the same as sending a $5,000,000 transaction. Now with Lightning, it’s different: the way fees are calculated on Lightning is based on the amount you’re sending, so that’ll be more comparable to something that you’re used to in the traditional finance world, where if you send more money, you’re going to pay a higher fee — you send less money, you’re going to pay a lower fee. Now, Muun Wallet supports Lightning and BlueWallet supports Lightning. If you use BlueWallet in its default state with Lightning, it’s going to be a custodial wallet — which I don’t love. If you insist on using it, use it with a small amount because they can take your funds and you are trusting them with your privacy. You can also use BlueWallet with something called LndHUB, which some of these node projects offer. I think Umbrel and MyNode offer it — I don’t know who else offers it. But if you use it with LndHUB or your friend’s LndHUB, then it’s not custodial with BlueWallet — it’s custodial with whoever is running the LndHUB. 
So if you run the LndHUB yourself then it’s not custodial. Other Lightning-specific wallets on mobile that you can use — so Muun does both, BlueWallet does both, then there’s Lightning-specific mobile wallets that are very good: there’s Phoenix Wallet, there’s Breez Wallet, continuing the Bitcoin naming scheme of using words and spelling them differently. Forget Eclair if you’re a newcoiner, because you have to manage your own channels — you can use Phoenix Wallet. And then you have Breez Wallet, or you can use Muun or BlueWallet. And rather than for savings, you should think of that more as: Okay this is like my spending wallet — my transaction fees are based on the amount I send — I’m going to be sending smaller amounts, so I might use Lightning.
BitcoinQ_A [1:24:47]: Yeah I agree. I’m quite a big fan of Phoenix, especially from a perspective of a wallet that manages the channels for you. And I might get a lot of shit for this in the chat, but I’m a firm believer that most new users shouldn’t strive to dive head-first into Lightning with their own channels because it’s not easy, it’s not approachable, and everything that we’ve already discussed in terms of holding your own keys using CoinJoin and not using KYC are far more important than striving to get your own channels up and running quickly. I don’t know what you think about that, Matt? And I’m waiting for the shit in the chat!
Matt Odell [1:25:26]: No I think Lightning on mobile, with the wallets we just mentioned — Muun, Blue, Breez, Phoenix — for smaller spending amounts is very accessible. If you actually want to do Lightning in a proper, sovereign way, that I would say is a more advanced thing. Don’t get intimidated by it, but I think it’s important for our all-encompassing getting started guide that we do mention it exists, and what are the different trade-offs. Basically the trade-off there is: you’re getting less security, you’re getting less reliability with Lightning, but you’re getting lower fees, faster transactions, all else equal. And it could be very useful in a mobile spending type of situation.
BitcoinQ_A [1:26:32]: Yeah, agreed. Phoenix and Breez are really great ways to get started with Lightning that have their own unique trade-offs that give the best of both worlds from a new user perspective when you compare them with custodial solutions like the default BlueWallet or running your own channels.
Matt Odell [1:26:53]: And that’s one of the reasons why I like Muun so much. Muun has different tradeoffs — it doesn’t have a standardized backup process. A lot of Bitcoiners will say it’s not a Lightning wallet because you store all your funds on-chain, you’re not storing it in a proper Lightning wallet. But what’s cool about Muun is: if you scan a QR code, it could be a Lightning QR code or it could be a regular Bitcoin QR code and it just automatically figures that out for you, and vice versa. So you can just have some spending cash in your Muun Wallet, and whatever Bitcoin QR code you scan, it will send. But it doesn’t have power user features, it doesn’t have that coin selection that we were talking about with UTXO management, it doesn’t have labeling, it doesn’t have a standard backup process, so these are all things to keep in mind.
XI. Multisig
BitcoinQ_A [1:28:02]: All of the wallets that we’ve spoken about — the desktop wallets, the mobile wallets — all operate on what we colloquially call a single sig setup, where they have a single secret or backup which is required when you want to spend your Bitcoin. A multisig wallet is where you combine two or more of these separate wallets together to create a brand new wallet. When you set up this multisig wallet, you can dictate the minimum amount of keys required to be able to sign or authorize a send transaction. So that could be two from a possible three keys, is a popular one, all the way up to something elaborate like 11 of 15, which might be used in a business setting perhaps. But two of three is where you need two signers from a possible three that were used to create the wallet to sign off on any transactions from that wallet. So why would you want to do that? Well with a single sig wallet, some of the three theoretical attack vectors — if somebody was to steal your device, if they snatch your phone while it’s out of your hand and you’ve got your wallet unlocked, they can steal your Bitcoin. If that was one of the keys in a multisig wallet where you needed two to spend from, then they can’t steal anything from you. Another one of the attacks that multisig protects from is known as a retirement attack, where there might be a malicious hardware wallet vendor that doesn’t publish their source code and they have some malware baked into the device and that actually has the ability to steal your Bitcoin. Again, correct me if I’m wrong, but that has never happened — it’s a theoretical attack — but if you were to use a multisig setup where you’ve got different hardware wallet manufacturers: if one of those is malicious, they can’t get access to your funds because if it’s just one key out of two that are required, they don’t have the minimum number of keys required to steal anything.
Matt Odell [1:30:34]: Right. So all the good hardware wallets are open source, so — theoretically — open source means that the code is available for you to verify, and you can read the code line by line. Now if you’re a newcoiner, you’re probably up to here — you’re already really intimidated — you’re like, Matt, I can’t read code! I’m aware — okay? So at the end of the day, it is very good that you’re able to technically verify the code, but most people will be updating their hardware wallets and they will not be verifying the code. So you’re trusting that hardware wallet manufacturer to not ship malicious code to you, and you’re also trusting them that the actual device wasn’t compromised when it was first sent to you. So with multisig — but specifically in hardware wallet multisig — the idea is you can have multiple vendors that are multiple different hardware wallets that come together to form your wallet. And you need a combination of them — as BitcoinQ_A was saying: a common one is two of three — you need two of them to spend the funds. This reduces trust in any specific hardware wallet manufacturer. You also have the added benefit that — instead of those backup words being a one and done situation if someone finds those secret backup words or seed words, if someone finds those words they have access to your funds — in a multisig setup you have multiple sets of backup words, and they have to find the required threshold of backup words in order to spend your funds. So if you’re using a two of three: you’re gonna have three sets of backup words, you’re gonna have three hardware wallets. Those backup words obviously can be on steel, as we said earlier, and you can have them in different locations. 
So Bitcoin with multisig gives you this unique situation where you can have a geographically distributed security setup where you’re holding your own coin but the keys to access it can be located in different places, they can be duplicated, you can keep copies of them in different places, and for someone to actually compromise you and take your funds they’re gonna need to have access to a combination of secrets. So that is the main benefit of multisig. Once again: do not get intimidated here! Plenty of people store Bitcoin in single sig setups — it is the normal way of setting it up. This is something you might graduate to: the way you interface with the multisig wallet is a relatively new thing in Bitcoin, so it has a little bit more of a learning curve. It is a little bit more rough around the edges. So you want to get really comfortable with it — as I said earlier: you want to be backing up, restoring, spending, receiving, getting comfortable with it, separately of your single sig setup. Now one cool aspect of multisig is that you can actually have a single sig wallet — so you can be using a hardware wallet that is single sig — and then you can take that single sig and you can actually also use it in a multisig environment. It can be one signer of, for instance, the two of three in the multisig, but it could also be a separate wallet. And there’s two main advantages there: first of all, if someone finds your single sig backup — your secret words — it might have some small amount of funds on it and they think that’s all your funds. They can’t tell that it’s in a multisig setup, so they might just take those funds and think they took all your Bitcoin. The secondary benefit is that you can repurpose these hardware wallets and use them for multiple wallets. Now one other caveat here is: with multisig, you do want to back up additional information besides just your seed words.
The popular multisig software — Sparrow, Specter supports it, BlueWallet supports it — they will tell you what you need to back up and make sure you save all that information. Now, that additional information that’s not your seed words? They will have terms like derivation path, descriptor, a list of something called xPubs — you don’t necessarily have to know what all of that means, you just have to save it and you just have to realize that, while seed words are a security risk if someone gets your seed words, that separate information that you have to back up with a multisig wallet is a privacy risk. So if someone finds that, they can see how much you’re holding in the multisig, but they can’t necessarily spend it. But you need that information plus your backup words in order to spend your funds.
BitcoinQ_A: Did you cover the alternatives to doing it yourself with the multisig approach?
Matt Odell: No I didn’t! That’s great — why don’t you go into that?
BitcoinQ_A [1:37:20]: Yeah so obviously Matt’s just outlined some of the potential pitfalls with doing it yourself. So one of the other options is known as collaborative custody, where there will be a centralized service — some examples are Unchained Capital and Casa — where they will help you coordinate a multisig quorum where they hold one of the keys. I’ll give you an example: you’d have a key on your mobile phone, you’d have a key on a hardware wallet, and one of these services will hold a key as well. So they only have one key so they can’t steal from you, which is great. But if you were to lose, say, your phone or the key on your hardware wallet and you didn’t have it backed up, they will be able to step in as a third party to help you move your Bitcoin, so that in a doomsday scenario you don’t lose your life savings, which is really great. You will pay for this service — I’m not sure how much each charges at the bottom tier, I think it’s just over $100 per year the last time I checked — and one of the trade-offs with this is that, unless you sign up without your personal information — which I believe is quite difficult to do — these centralized entities that hold the key and part of your multisig quorum, they know who you are, they know how much Bitcoin you hold in that wallet because they hold one of the keys, and they also hold the wallet file, to put it simply, and so they can — just as a KYC exchange can — tie you to your Bitcoin identity. So it’s worth pointing out the trade-offs.
Matt Odell [1:39:10]: And you’re using their node. So the assumption is: if you do use one of these providers, you’re trusting them with your privacy, but they will hold your hand, and they will have a spare key for you as well, and they will help you onboard into the process, they will help you get hardware wallets, they will go through that whole process, but you are trusting them with your privacy, they know your transactions, they know your balances, and in 99% of situations they know who you are as well, they’ll know the IP address of your devices that you connect from — this is all getting a little bit too much into the weeds, but the key is that you’re trusting them with your privacy. I was explaining earlier just basically doing it yourself so you could use your own node and you aren’t trusting someone — in that situation, you can still have other people hold keys for you! So BitcoinQ_A started with a two of three setup because that’s a very common setup, but another common setup is a three of five setup. And if you do a three of five setup, you have five total keys and you need three to spend. So if you need three to spend, you can hold three keys yourself, put them in different locations, and you know you have enough to spend it yourself, but then you can also have a family member, a friend, a lawyer, hold a key — you can have different combinations of people hold a key. So it can be very useful specifically in like inheritance situations where, if you pass away and you have large Bitcoin savings, maybe a lawyer is holding one in a trust, maybe a couple family members are holding individual ones, and they basically all need to collaborate together in order to spend your funds — if you have three keys with other people. But you can also do it in a way where they never have the threshold — they need to compromise you plus combine together.
BitcoinQ_A [1:41:14]: Yeah I think just one final thing before we move on to the next topic: inheritance is a big one for me that I like to drive home to people who seem keen to jump into the DIY approaches. You might have spent some time listening to some podcasts, watching some tutorials, or reading some guides and feel comfortable in setting up a multisig setup, but what happens if you’re not around tomorrow unexpectedly? Is your spouse, your next of kin — are they going to be able to coordinate a spend from a two of three or a three of five? Do they know where to find the keys? Do they know how to recover it? And if the answer is No to any of those questions, then all of your life savings disappears when you disappear. So it’s something to bear in mind, especially if you’re going to take the DIY approach.
Matt Odell [1:42:05]: 100%. I’d also add that there’s a middle ground here specifically supported by ColdCard called Seed XOR. And basically, in that situation: instead of having one seed — it’s not multisig — but instead of having one seed, you have two seeds, and you need both of them in order to spend your funds. So it’s a little bit different than multisig — it can be more accessible to people because you don’t have these additional complications that we were just discussing with multisig, but it gives you that benefit of not having a single seed backup words that can be compromised by someone. There’s also something that’s supported by pretty much every wallet out there called a passphrase. The backup words are usually 12-word phrases or 24-word phrases — the passphrase is the 13th word or the 25th word, and you pick that yourself. So if you do that method, then you can keep the passphrase separate from your backup words — if someone wants to compromise you they need access to both. And if it’s a weak passphrase they might just take your backup words and keep trying passphrases, but it adds an additional burden on them to try and compromise you without going through a multisig setup. Another interesting thing about passphrases is you can store money on the bare backup words, and then when you use a passphrase it’s a separate wallet. So in that situation you can actually keep funds on your basic backup words, and then if someone finds that they’ll just steal that money and they might not know you have a passphrase with the majority of your savings in it. So that’s just something to keep in mind.
XII. Common Mistakes
BitcoinQ_A [1:44:12]: So I’ve got quite a lengthy list here, and the first one of which, unfortunately, I fell prey to a little bit, and it comes back to our very first point of providing KYC at multiple exchanges without any real need to, really. So I would just expose myself: I put my name on loads of different databases, and so it’s an unfortunate one that you can’t really undo, like we spoke about before. And if you were to listen to this podcast and decide that you still want to go for a KYC exchange because you think it’s a hassle going no-KYC, try and limit your exposure to this by just signing up with one reputable exchange. I think that’s a good one to start.
Matt Odell [1:45:11]: I think that’s very good advice. If you are going to use a KYC service where you’re providing your identity information, you should choose it carefully: you should choose someone you trust the most. A lot of people just sign up for a ton of different services — you should sign up only for the bare minimum. Ideally, if you’re gonna do it: you sign up for one, you use it solely just to buy Bitcoin, and then send it to your own wallets and you don’t use any other additional KYC services — you want to limit that as much as possible. Another common mistake that I see people make is gambling on shitcoins. So, a lot of people will think that Bitcoin is too expensive and I’ve missed the boat and I’m too late to Bitcoin — literally every single person who has entered Bitcoin at any time in Bitcoin history has thought they were too late. There’s a famous screenshot of someone on one of the Bitcoin forums lamenting that they didn’t get in at five cents and instead they got in at a dollar and they were too late and they missed the bus. So everyone feels that way — you’re not alone in that — it’s important to realize that you can transact in smaller units of account: we call them sats. So you don’t have to have a full Bitcoin. Like, right now Bitcoin’s at almost $70,000 — you don’t need to put $70,000 in to use Bitcoin. Sats are the smallest unit of Bitcoin: there’s 100,000,000 of them per Bitcoin, and right now you can get 1,500 sats for a dollar. So you can send any amount of sats you want to send — you can send $2 worth, you can send 25 cents worth — it doesn’t matter. Don’t get caught up in thinking that Bitcoin is too expensive. A common thing that these other coins will do is they make it so they have so many units that it seems like it’s cheaper than it is just to try and get you in the door — it’s a marketing tactic. So just keep that in mind. Do you have more common mistakes?
BitcoinQ_A [1:48:08]: Yeah a common one is just not practicing enough with transacting, testing my backups for my hardware wallets, testing different wallets, even using testnet — just practice practice practice and getting comfortable using the various tools that we’ve spoken about. Getting comfortable with it either using testnet — which is basically a carbon copy of Bitcoin that holds no value — you can get it for free on websites called faucets where you can go on and just mimic the normal behavior of a wallet without the fear of losing any real value. And so you can send some testnet Bitcoin to your hardware wallet and you can wipe it, recover it, and just get really really comfortable with that process so that if the worst was happening and something was to happen to your house where you store Bitcoin — or wherever you store your Bitcoin — and when you’re in that panicked state, it’s not like the first time you’ve touched your hardware wallet in 5 years, because you need to move your Bitcoin quickly. The last thing you want to be doing is doing it in an unfamiliar situation, because that’s when mistakes happen and you could muck something up.
Matt Odell [1:49:50]: Yeah so we see that happen a lot. So, especially for newcomers: I actually don’t know if you need to use testnet — it adds just another complication to your process. But what happens a lot is: people will buy Bitcoin they’ll send it to a hardware wallet, they never really get comfortable with it, then Bitcoin goes up in value significantly, and like four years later they’re trying to spend it and they’re just not comfortable at all. So you really want to get comfortable with it: you want to practice sending, receiving, backing up, and restoring. And I don’t think testnet is necessary in that situation because you should just do it with small amounts: send $5 back and forth, erase the wallet, restore it from your backup, see that your $5 are still there. One nice thing about my earlier approach that I mentioned of having two of the same hardware wallets is — without putting funds at risk at all — you can load up one hardware wallet with some Bitcoin and then you can restore it on your second hardware wallet. You can load up those secret words onto that second hardware wallet, and if your funds are there and you can spend them, then you know you did the backup and restore process correctly without actually wiping the original wallet. So that’s another benefit — you’re basically verifying your backup and restore process. You don’t want to be in a situation where you have a lot of money on the line and you’ve never done a restore process and you’re just freaking out, and maybe you wrote down the words wrong — I’ve had that happen to friends where we’ve had to guess the word that they wrote down wrong or wrote down in bad handwriting — so you don’t want to be in that situation. You want to practice practice practice.
BitcoinQ_A [1:51:50]: I think just to add to that backup process as well is that the hardware wallets that we’ve talked about this evening have multiple different types of backups as well. So I think it’s worth noting that you should practice using both of them as well. So we’ve got the seed words, and both ColdCard and Passport also offer physical backups as well where you can store a backup onto a microSD card, which is a little bit easier to store. And so I would urge people to practice restoring from both methods as well because, at the end of the day, in a doomsday scenario you don’t know which method of backup you’re actually going to have access to or which has survived whatever doomsday scenario has actually happened.
Matt Odell [1:52:39]: 100%. Before we move on to more common mistakes, we have Alex MccCuskey in the chat asking about 401k IRA funds. If you’re trying to hold Bitcoin in a tax beneficial way in your retirement account, I would just keep this very simple: if you do have a 401k or an IRA where you already have funds in it and you want to move them into Bitcoin, just consider using the service offered by Unchained Capital, that’s unchained.com. Disclosure: they are a sponsor of my other show Rabbit Hole Recap — this show does not have sponsors. But they’re a sponsor because they’re a good team, it’s a good product, I have friends there that are working there. My buddy Jeff Vandrew runs their retirement division. And they will hold your hand — they will help you through it, obviously, as we said earlier. The caveat is: you’re trusting them with your privacy, but pretty much in all situations with retirement funds — if you’re using a tax beneficial retirement method — you’re going to have to trust someone because it’s all getting reported to the government as well. The nice thing about what Unchained does is you hold your own keys. So you get that tax benefit but you’re holding your own keys — they can’t spend your funds. A lot of the other programs that are out there can spend your funds at will and you have to trust them completely with the security of your funds and your privacy, so just something to keep in mind.
BitcoinQ_A [1:54:16]: Yeah the next one from me is a little bit more outside of the box: I lurked around on Bitcoin Twitter and in some other communities for a lot longer than I really should have. When I started to interact with people in the wallet chat rooms or the node chat rooms — to use a few examples — my knowledge grew exponentially from then onwards from having those interactions, versus me just sitting on the sidelines and liking a few tweets every now and then. So if I was to go back and have my time again, I’d absolutely start getting involved and start contributing to the conversation much much earlier because — personally speaking, anyway — my knowledge just skyrocketed compared to where I was just a couple of years ago. And so: a big one for me — that one.
Matt Odell [1:55:12]: Yeah. And just learn by doing, right? Practice with small amounts and get your feet wet rather than feel intimidated and feel like you have to read everything and listen to everything and watch everything before you even get your feet wet.
BitcoinQ_A [1:55:32]: Yeah. Another one as well is — and Matt might roll his eyes at this one — is going public. There’s a lot of value in staying in the proverbial shadow, so to speak. I would urge people not to start shouting from the rooftops that they own Bitcoin — again, because we talked earlier about KYC and how we can paint a red cross on your back a little bit. Well, shouting from the rooftops when Bitcoin hits an all-time high to all your friends might inadvertently do the same thing one day. You never know who’s going to get jealous and tell somebody else who tells somebody else who’s an individual that might want to try and get their hands on it. So I would be candid about who you’re speaking to about Bitcoin. And it’s a bit of a double-edged sword — that one — because I think we’ve all got a little bit of a personal responsibility to try and help onboard others as well. Also to say: just be selective about who you speak to on it and what you say.
Matt Odell [1:56:40]: Yeah, it might sound a little hypocritical coming from me as a public Bitcoin figure, but definitely in the beginning you should try and reduce how much you talk about Bitcoin. Don’t make it obvious that you own Bitcoin. Don’t post on social media. Consider using a Nym like BitcoinQ_A does. It might surprise you, but he wasn’t born with that name — he decided on that name himself for the Internet for his Bitcoin work. In the future, if you do want to become more public about it, you can do so in a more responsible way rather than doing it right in the beginning. You can never come back from it once you do it, so it’s something to keep in mind. You should never talk about your own Bitcoin — you should never talk about how much Bitcoin you have. These are best practices. Even if it’s a friend or a family member, it might seem like a small amount today, but in the future it could be a large amount — and they will not forget it — they tend to remember. One of the first questions most friends and family will ask you is how much Bitcoin you own — they love asking that question. Do not answer it. Explain why you don’t want to answer it for them. If people do know you own Bitcoin, this is where that multisig setup really shines, because you can have it geographically distributed, you can have your keys in different locations that are far away from each other that make you getting compromised more difficult, even in a physical attack situation. And obviously it is more ideal to live in a place where you have proper gun rights and you can defend yourself. So these are things to consider. If I was to do it again, I probably would not be as public as I am about Bitcoin. I made a judgment call later on in my Bitcoin journey that I felt we needed more public Bitcoin figures that were talking about real issues — and specifically, privacy — so I made that judgment call, but there are some mornings that I wake up and regret it. 
But there are precautions you can take, and there are benefits though to being semi-public about your Bitcoin usage: meeting people. I’ve met some of the best people. Basically I have family now that wouldn’t exist otherwise, but these are all things that you should consider as part of your Bitcoin journey. But in the beginning I very very very strongly would say keep it as discreet as possible — you never know. You don’t want to expose yourself to a malicious actor. Your government could turn on Bitcoin, a foreign government can use that information against you if you’re traveling across a border or something like that, so you want to keep this in mind.
BitcoinQ_A [1:59:58]: Yeah the final sign-off one for me would be: if you decide that no-KYC is not for you and you want to sign up for an exchange, a lot of these exchanges will prompt you to use SMS-based two-factor authentication to “secure” your account — this is where, when you try and log into the exchange, they’ll send you a text message to authorize that login. There have been multiple instances where this has been exploited — people have had their information and their accounts hacked on these exchanges, which, if you unfortunately have got funds on that account, can be withdrawn to whoever’s got access to your account. They can withdraw it to their own wallet. A better alternative would be to use an app-based two-factor authentication. So an example would be: there’s one called andOTP. There’s one called Aegis.
Matt Odell [2:01:35]: Aegis is my favorite. Aegis is open source, and the backup process is very easy. You’ve got to remember when you use these authenticator apps: if your phone dies, you want to make sure you have a backup of them. The most popular one is Google Authenticator — and I haven’t used it in maybe six years or something like that — but previously it wasn’t easy to back up, so make sure you’re using one that is easy to back up and back it up and keep multiple copies.
BitcoinQ_A [2:02:20]: Yeah or the other alternative is you can get a physical device that acts as your second factor of authentication — looks like a bit of a USB key that provides the additional authorization, but fewer services tend to offer compatibility with those.
Matt Odell [2:02:35]: 100%. I would say I think for most people the physical device is overkill. Can a sophisticated attacker compromise a phone-based two factor? Yes. Have we seen any widespread cases of that? No. Do they still need your e-mail and your password? Yes. On that note, you shouldn’t be using the same e-mails and the same passwords in different places. If you go to haveibeenpwned.com you can put your e-mail address in and it’ll tell you whenever a database gets leaked with your e-mail or your password or your personal information, so that’s a very important resource. But what we see a lot of times is there’ll be a leak — maybe Facebook will get hacked — and those e-mails and passwords will then be used at all the other services to try and get into your account. So that two-factor code gives you an additional protection on top of that, but you really should be trying to limit reuse of e-mail addresses and never reuse passwords.
BitcoinQ_A [2:03:37]: Scooby snacks is asking: is a password manager a good idea? Yes, definitely — would recommend it to anybody — my personal favorite is Bitwarden. Again, another free and open source software. They do offer a paid version as well but the freemium option is perfectly good enough for 99% of users, I would say.
Matt Odell [2:04:08]: Yeah Bitwarden’s great. If you’re using a password manager, there’s some nuance there, because if you’re not self-hosting your password manager — people love LastPass: it’s closed source, you’re putting all your eggs in one basket, so there’s some concern there if you have all your passwords in this password manager and that password manager gets compromised then all of your accounts are compromised. What I think is a very easy accessible thing for new users or people that are concerned is — your really important passwords — you can just write them in a notebook. You write them in a notebook, someone’s going to need to get access to that notebook physically in order to compromise you. You might not want to write it out completely clear — maybe some things you remember versus some things are on the paper — you can develop your own code system. Don’t overcomplicate it — you’ll probably forget the password. But paper and pen is a tried and true method. Just don’t put it on a Post-It note on your computer monitor.
BitcoinQ_A [2:05:31]: Yeah absolutely. There was a lot of information the past couple of hours — don’t try and do everything in the space of a week, especially if you are literally at step one. I would pick one of these topics — we spoke about them in a specific order for a reason — and I would urge people to start from step one and try and master each step before they move on, or at least not try to do too many of them at the same time. Depending on the approach that you take for the different tools that we’ve spoken about: to do it properly and to do it justice and to understand it and practice it like we’ve been reiterating, it’s gonna take you a good bit of time. You’re gonna have to dedicate some time to do this and to master some of these tools, so trying to do too much too soon is setting yourself up to fail. So take your time, be deliberate about it, and master something then move on.
Matt Odell [2:06:41]: Yeah that’s great advice. And as BitcoinQ_A said: our order in this episode was intentional, so don’t feel like you have to go through all the steps at once, but we chose that order specifically because we think it’s a very efficient, effective balance — managing trade-offs and stuff — of what order you should be coming into this. We also have some person in the chat — who uses the Nym some person, so every time I call him out in the chat I sound like I just don’t care about his name — asking for the best two-factor app for iOS. I really like Authenticator Plus for iOS users. I think it’s available on Android as well, but if you’re on Android I really just like Aegis. BitcoinQ_A, do you have common questions that you have in mind?
XIII. Common Questions
BitcoinQ_A [2:07:56]: Off the top of my head a common one that I get is: Is this setup good for me or is this wallet the one I should use? [insert service or tool here] — is this good? The thing with Bitcoin and using the tools properly that we’ve been speaking about is that: what Matt or I might recommend from our own personal experiences might not be perfectly applicable to your own personal threat models or skill set. But just try things out — I’m not saying don’t come to the people like Matt or myself and ask for advice, we’re always more than happy to help out — but the best thing to do is to get your hands dirty and try these tools. You can do it for free or for very low fees at the moment, just testing out wallets or different devices or multisig setups if you want to go that far. CoinJoin implementations. Best thing to do is get your hands dirty, get amongst the communities, and what’s perfect for one person might not be perfect for another, so it’s a bit of a DYOR (do your own research) and get comfortable with what’s going to work for you, really.
Matt Odell [2:09:16]: 100%. Just to reiterate: BitcoinQ_A has all of his guides at bitcoiner.guide. I have a list of resources and tools at citadeldispatch.com/help. At the top of citadeldispatch.com/help I also have links to both BitcoinQ_A, myself, and our buddy Ketan from Australia who runs Ministry of Nodes — we offer private one-on-ones and there’s links to all of that at the top of citadeldispatch.com/help so if you do feel that you have the need for a one-on-one at a specific time to jump on a call, that is available to you as well. I highly recommend both BitcoinQ_A and Ketan for that, and that’s why they are at the top of that page. Narwhal tacos is asking: Have you explained that no one actually holds their sats in a wallet — just the key? It took me a while to wrap my head around that. That is absolutely correct: you’re not actually storing your Bitcoin — you’re storing the key that allows you to access and spend your Bitcoin. So when we talk about all these wallets, when we talk about hardware wallets and mobile wallets, it’s really either a piece of software or a piece of hardware that is storing that secret key for you and allowing you to easily access that so you can access your Bitcoin. I think that’s an important point but I would say that that’s almost more of an advanced thing. For all intents and purposes, you can operate under the assumption that you’re holding your Bitcoin in the wallet, but it is a good point. Thank you narwhal tacos. Obviously this is Citadel Dispatch 43 — there’s been 42 other episodes filled with content that’s a lot more advanced than this, so if you want to dive into that after listening to this, obviously feel free to do that — it’s all available for free without ads or sponsors. BitcoinQ_A, you have any additional thoughts here before we wrap up?
BitcoinQ_A [2:11:49]: I just want to reiterate: just get amongst the communities, use the tools, get your hands dirty, don’t be afraid to try things out, come to myself or Matt for any help and advice. We’ve mentioned Ketan — one other prominent educator in the space is BTC Sessions: he’s got a fantastic YouTube page that’s got video guides on using literally everything to do with Bitcoin. So if you’re more of a visual learner, check out his YouTube channel — it’s a fantastic resource as well.
Matt Odell: 100%. That is also linked at citadeldispatch.com/help or you can just search BTC Sessions on YouTube. I made him a channel on bitcointv.com. I don’t think he has uploaded anything there, but there’s also a ton of great content at bitcointv.com that is curated. One of the issues and the pitfalls you should keep in mind when you’re on YouTube: especially the high view count videos are filled with scams and bad advice, so you need to be very careful. If you’re watching a BTC Sessions video, it might recommend another video that looks like it’s reputable and that a lot of people have watched and recommended it — you need to be very careful. At the end of the day, Bitcoin’s about personal responsibility, so no one’s gonna be there if you lose your Bitcoin — there’s no getting it back. And there’s a lot of money to be made giving bad advice and showing bad product, so you really really need to be skeptical all the time, think for yourself, make your own decisions, and constantly keep learning. And I want to be very clear here that I’m not asking you to trust me, either, or BitcoinQ_A, or Ketan, or anything else we’ve mentioned in this video or any of the other Citadel Dispatch episodes — you need to constantly figure out things for yourself and make your own judgment calls. If anyone’s asking you to trust them, be very very careful and just be very careful in general. BTC Pins wants all the newcomers to know that they could buy merch from him at btcpins.com so there you go BTC Pins — I love you bro. BitcoinQ_A, you got any final thoughts before we wrap it up? Or are we good?
BitcoinQ_A: No I think it was a great episode, and one I’ll be bookmarking on my homepage as well. I just want to say thanks for having me back on and I look forward to doing it again sometime.
Matt Odell: Thank you dude. I appreciate you. Everyone can follow @BitcoinQ_A on Twitter. I hope to have you back on again. Thank you for coming on. I appreciate you tremendously. And thank you to all the ride-or-die freaks that joined us in the live chat and continue to support the show and keep it ad free and sponsor free — I really do appreciate you and cheers to you all. Thank you BitcoinQ_A.
BitcoinQ_A: Thanks Matt.