Michael Perklin - Bitcoin Security Standards
Crypto Currency Certification Consortium President Michael Perklin discusses certification of trusted professionals with trustless technologies. He is a cybersecurity expert who has worked for over a decade in the information security space. In the past he has held positions as a cyber investigator, a digital-forensic investigator, a reverse engineer, an application tester, and a computer programmer.
PODCAST INTERVIEW TRANSCRIPT
Interview with Michael Perklin on Bitcoin Security Standards
Trace Mayer: Welcome back to the next episode. We have Michael Perklin from Bitcoin Sultans, president of that and also the director of the Bitcoin Alliance of Canada and the cryptocurrency certification consortium which you can find at cryptoconsortium.org.
For those who might have seen the panel that I was on at Coin Summit where Steve Waterhouse of Pantera moderated. I mentioned that it would be very important for us as an industry to develop new standards much like information systems standards, traditional accounting, auditing standards. We're going to have to mix a lot of these things and create some of our new standards for this new cryptocurrency industry. And that's exactly what Michael Perklin has been doing at this cryptocurrency certification consortium. He's come up with three different certifications and so we're going to be talking about those. So Michael, first welcome to the show and.
Michael Perklin: Thanks for having me, Trace.
Trace Mayer: Yeah. And can you give us a little bit of your background.
Michael Perklin: Sure. So I've been involved in the information security for the last decade of my life. I was previously employed as a digital forensic investigator and a cyber-security investigator. I left all of that to follow bitcoin full time because as a cryptocurrency and with my passion for cryptography and information security it is just a perfect match.
Bitcoin Sultans perform security audits for a variety of different companies in the cryptocurrency space. We've worked with Ethereum. We've worked with exchanges. We've worked with gambling sites. Anybody who needs to secure large volumes of bitcoin.
It was through my work with Bitcoin Sultans, when we were trying to hire a new staff we realize that while some candidates would say, "Yes, I know bitcoin and I understand bitcoin." After asking a couple of questions it became clear that they didn't truly understand bitcoin as well as they thought they did. For example, they'd say things like, "Oh yeah, it's that anonymous untraceable currency, isn't it?" And I'm sure your listeners know bitcoin is definitely not untraceable. It's a highly traceable and while it can be used anonymously, bitcoin itself is not anonymous.
So rather than making a test for these candidates to prove their knowledge, we've realize that we weren't alone in this. We're not the only company in the cryptocurrency space who has a problem identifying true talent in bitcoin. So we decided to create a nonprofit organization, C4, the cryptocurrency certification consortium. It's just a lot easier to say C4 and this non-profit organization, we gave it the mission statement to build a common measuring sticks against which the cryptocurrency space can measure standards.
Our first project was personnel standards and to that end, we created two exams. One is the certified bitcoin professional exam or the CBP. The other one is the certified bitcoin expert exam or CBX.
Bitcoin Security Standards Certification
Trace Mayer: So Capital One, for example, they did a job posting, looking for someone who's familiar with virtual currencies and bitcoin. Overstock has been wanting to hire people familiar with bitcoin. When I was at Money 2020, I made sure that the panel I moderated an entire section of that was on the difficulty of finding the human capital.
Because all these payments companies, all these financial companies, anybody who's going to want to be coming into this space for the most part has been just very hobbyist. Everybody just brewing their own thing and there haven't been a lot of standards for it and so everyone's a bitcoin expert these days which is kind of scary and, you know, as long as you know a little bit more than next guy you are an expert to them, right? And not a lot of people know anything about bitcoin.
What are these two different bitcoin security standards certifications and how can the people who are running businesses that might be listening to the podcast really apply. Because when I think of the audience, you know, we have people in bitcoin land but we also got, you know, CEO's or other C-suite executives at whichever company they want to learn about bitcoins so they're listening to the podcast and they decide you know we're going to take the plunge. They're always taking bitcoin. They're eating our market share. We got to do something about it or whatever company.
But they're not technical, they're not CTO's, they’re not coders. Like how can these two certifications help everybody in this space who's thinking of moving into bitcoin related stuff?
Michael Perklin: Great questions. So what's important to realize is that every industry so far has some kind of a certification. If you're dealing with networking, there are a variety of networking-related certifications. If you're dealing with security auditing, there are security auditing certifications. Accounting, there are accounting certification.
Trace Mayer: Pass the bar, to be a lawyer.
Michael Perklin: Exactly.
Trace Mayer: Pass the boards, to be a doctor. Get your pilot certificate, to be a pilot. I mean we've got a lot of these things to make sure that we don't crash the plane or cut the wrong artery or whatever it is.
Michael Perklin: Exactly. Now I'm not going to lie here. There are a lot of very strong professionals out there who know far more than anybody who holds any kind of a certification. Then again there are a lot of people who hold certifications, who may not necessarily know as much as somebody who doesn't. Just because you have some letters after your name doesn't immediately make you an expert. But what it does do is that it shows that you have the minimum level of knowledge to attain that.
And also you have the drive and the will to pass an exam, to study for an exam to pass it so that you can show that to your hiring manager. The reason for this is, in most cases hiring managers don't necessarily understand the subject matter when they're hiring someone. If someone is hiring an accountant usually it's not another accountant that is making that call. It's an H.R. person. When you map that on to bitcoin, most of these companies that you mentioned whether it's --.
Trace Mayer: Capital One or Overstock or Amazon.
Michael Perklin: Exactly.
Trace Mayer: Like whoever is going to need to hire a bitcoin expert.
Michael Perklin: The reason why they're hiring a bitcoin expert is because --.
Trace Mayer: They don't have one.
Michael Perklin: They don't have that knowledge in-house. So they have no idea how to differentiate between somebody who truly knows bitcoin or somebody who doesn't know bitcoin security standards. Other than Satoshi himself walking in and saying 'Yes, I've wrote bitcoin'. The best anybody else can say is I've studied it a little bit.
So what the certified bitcoin professional exam does is it measures people against a minimum amount of knowledge to use bitcoin. It's equivalent of a driver's license for a car. This applies to accountants, to lawyers, to sales professionals, to anybody who needs to work with bitcoin in their daily lives.
It covers knowledge points such as what is a confirmation and why do you need to wait for a few of them when you're accepting a payment. How many Satoshi's are there in a bitcoin? What is the difference between an address and a key? How do I back up a wallet? How do I restore a wallet? These are all concepts that you and I take for granted because we've been in the cryptocurrency space for a long time.
Bitcoin Security Standards Certification Examination
Trace Mayer: What is a private key?
Michael Perklin: Exactly. Many people who are new to cryptocurrencies, these are completely foreign terms. These definitions are meaningless to them because they don't know how it all fits together. So a certified bitcoin professional knows how to use bitcoin.
By contrast, a certified bitcoin security standards expert is somebody who has a very high level knowledge of the internals of bitcoin. These are the equivalent to the mechanics of a car instead of the drivers of the car. Certified bitcoin experts can create a transaction manually. They can apply digital signature manually. They can customize the scripts in bitcoin. They can interact with the A.P.I. calls and integrate bitcoin technology in other programs that they're coding.
So with these two certifications it covers all the areas of bitcoin knowledge whether you just need to use it in your day to day job or you need to program with it. The difference between the two exams is one is online and one is in person. The C.B.P. exam is a 20-minute online exam, where you have to answer 75 multiple choice questions.
The reason why it's a 20-minute exam for 75 questions is because through a lot of trial and error we found that the 20 mark for 75 questions is the perfect mark where if you know the answers to the questions, if you know the content already you're able to answer each of these questions with no problem. Most people finish the exam with an average of about fourteen minutes. Whereas if you don't know the content and you have to use your favorite search engine to look at the answers to each question you will run out of time and you will not attain the minimum 70% to pass.
That's how the certified bitcoin professional exam is structured. And the exam itself was built with collaboration from a lot of already recognized professionals and experts in the field. Names such as the Vitalik Buterin, Peter Todd, I myself of course helped in it. Andreas Antonopoulos reviewed the exams. All of us sort of came together to build this exam to make sure that it accurately measured the difference between someone who does know and doesn't know.
Trace Mayer: Well, how about the certified bitcoin expert then. Is it online test also or are we just kind of handing these out to anyone who can use Google?
Michael Perklin: No, it's not an online exam. The certified bitcoin expert exam, we hope to release it by the end of winter. That is going to be an in-person exams where you have 250 questions that need to be answered on paper. We're partnering with Bitcoin Centers and testing centers around the world where if you have interest in taking this exam will identify the nearest testing center to you, arrange with them a time for you to go in and write the exam in a proctored environment in person. You'll have no access to online material for searching. You'll have no access to any exam mates.
Trace Mayer: What's the expected time to take this test? 250 questions and about three hours or so?
Michael Perklin: We're still finalizing the exam, but we want to make it equivalent to some of the other higher --.
Trace Mayer: Higher education.
Michael Perklin: Exactly. So, I think two to three hours would be reasonable. It would be equivalent in difficulty to becoming a CA or to earning your CISA or your CISSP certification, if your listeners are familiar with those certifications.
Trace Mayer: Now you mention, go to like the closest bitcoin center.
- MP. Or testing center.
Trace Mayer: A lot of people might not be familiar that we have these bitcoins centers. Like you have Decentral up in Toronto. We've got the Bitcoin Centre in New York City. What are some of the other ones? We got what Denver, San Francisco, Australia?
Michael Perklin: Denver has some. You're right. There's one in Australia. We're partnering with a gentleman who's interested in proctoring these exams in Australia. In Montreal, there's a bitcoin embassy. In France, there's the La Maison du Bitcoin. These are popping up all over the world as co-working spaces, as bitcoin information centers. It's important for your listeners to know that we're not only partnering with bitcoin centers. That is ideal. If there's a bitcoin center in your local country or your local neighborhood. That's the best place to go with.
Trace Mayer: Well, because you might have find a tutor.
Michael Perklin: Exactly, absolutely. But where there is no bitcoin friendly building in a localized area, we're partnering with classical testing centers. Most certifications partner with these types of testing centers where all they do is allow people to come in and write a test. They proctor exams for dozens upon dozens of certifications. So we'll be leveraging these institutions where bitcoins centers aren't available.
Trace Mayer: Man, that sounds really, really helpful to screen resumes for people who have these certification and then you don't have to weed through a bunch of people who can't even pass the coding test that you might give them. Say, you're looking for someone to work on a wallet. We've had that problem at Armory. We look at the resumes, "Oh, they look like a good candidate." So we send out the coding test and we never get an answer back three weeks later and it's completely open book. It's that hard.
Michael Perklin: We'd also like to bring certification classes to conferences. So for example, if there's a developer centre conference coming up we'd like to get a room in the conference center where we can close the doors for two hours and any of the developers who are attending this conference at the end of the conference if they want to try their hand at earning certification they can do so right there.
Trace Mayer: Yes. See, all this is just great at helping to professionalize the industry. Helping it to really become much more kind of standardized, predictable and really, you know, get the work done that needs to get done because we got so much potential and so much work that's needs to get done with this.
Now what is this cryptocurrency security standard? It's the last thing on the list to kind of talk about. I mean what is it and why is it important?
Michael Perklin: Well, as I mention, C4 is a non-profit body that is developing standards and developing measuring sticks against these standards. Our first project was personnel certification. Our second project is security certification.
There are so many companies in this space who are all taking completely different approaches to security and some are quite successful, some of them are not as successful. And the only easy way that you can compare one company to another is if you're familiar with all the various features and services from that company so that you're able to compare an apple to an orange as a fruit, but not everybody is a security professional like myself. Most people who just need to use bitcoin all they see is a bunch of bullet points on Mt. Gox's website that says we're secure, we're fast and trade at high speed.
Trace Mayer: Yeah. They're all nuts to me.
Michael Perklin: That's right. So because everybody is implementing security in a different way, it's difficult to compare one company's security offerings from another company's security offering. And that's where the cryptocurrency security standard comes in.
We have broken down all the things that make a secure cryptocurrency system into a discrete list of aspects. For example, an aspect could be how a key is created, how the key is stored.
Trace Mayer: Make sure there's proper entropy.
Michael Perklin: Exactly.
Trace Mayer: Make sure that there's proper key stretching. All these things, right?
Michael Perklin: Exactly. And for your less technical in the audience it's really just about how you make a key, how you store a key, how you use a key and when you're done how you decommission a key. Those are the four steps in the lifecycle of a cryptocurrency key. And every company has a different approach when they are performing these four tasks.
So by breaking it down into these common steps and all the common risks associated with each of these steps now you can easily compare with accuracy the offering from one company to an offering from another company because you're looking at all of the common ways that they're doing these things.
And you no longer need to get confused when this company has two factor authentication with phone or with SMS, but this one has it with Google authenticator and are those the same, are they not. We break it down to --.
Trace Mayer: When in reality they might both be able to serve a man in the middle attack and so they have control over all of the keys or could potentially have control over all the keys. Like some of our "multi-sig wallets" out there like BitGo or Coinbase, for example, as opposed to being able to generate all of your own private keys and storing them yourself with something like Armory. They are completely different types of wallets in terms of the security profile, but for people that are just reading the sales page --
Michael Perklin: They can't compare.
Trace Mayer: They can't compare. They have no idea that one is steak and the others like an apple. I mean, they have no idea that they're not anywhere comparable.
Michael Perklin: Exactly. So C4's mission statement of making these common measuring sticks that were, it makes it easy for someone who doesn't quite know the space to know if this person knows bitcoin or doesn't know bitcoin security standards or if this is a level one secure system or level two secure system or level three secure system with simple numbers like this or simple certificate letters like this person is a CDPU, this person is not a CDP. People who don't know are now able to make informed decisions about hiring and informed decisions about which wallet to choose.
Bitcoin Security Standards: Setting the standards for Bitcoin Industry
Trace Mayer: Yeah. Because a lot of times it's oh, bitcoin's open source, just read the code. You know, and the best wallet are they have to be open source so you can read the code. But how many people actually can read the code and then of that how many people actually do read the code. And in this case, if most of our security professionals building the wallets and whatnot have this certification and they can go and begin certifying their competitors, really.
And as long as it's done openly and objectively and their competitors are going to be the one certifying them and you're going to be able to point to the code and I'm sure all the experts who are certifying and that there are, you know, if you're not doing it objectively and you have some type of bias you're going to be called out on it. We have a security working group already in a Google Group where we have lots of the CEO's of all the wallet companies. And we're already collaborating on a lot of these best practices.
So I really think that this is going to be exciting for helping the community as a whole really raise the security game that they're bringing to the court. Because we need to help people secure their private keys and we need to make sure that we as an industry if we're in possession of private keys of other people as custodians that we're securing them to a very high standard.
Michael Perklin: Absolutely. Standards and certifications have made all the other industries that we deal with in our daily lives a lot --.
Trace Mayer: More predictable.
Michael Perklin: Thank you.
Trace Mayer: I mean, all the way from cutting hair. We have certifications for hair stylists. We have certifications for lawyers, accountants, doctors, pilots, security professionals, cooks, like all across the board.
Michael Perklin: And by having these certifications it opens up many doors for the next level of services. For example, if there are insurance companies that want to provide insurance for a wallet service or for foreign exchange. They may not know if that exchange is --.
Trace Mayer: Level one or level two or level three or level four and being able to do the risk assessment, maintaining profile and everything.
Michael Perklin: If there are level one, two, three, four it makes it easy for them but without a common system to know that there is a level one, two, three or four. All they can really do is say, "Well, my developer says that we're secure therefore you should provide insurance for us". So this common standard of measuring level one, two, three, four makes it easy for the insurance companies to get in. Makes it's easy for the large auditing firms to come in. I guess it bring bitcoin security standards to the next level so that the rest of the enterprise players can jump in.
Trace Mayer: Well, this has been a great interview. We've had Michael Perklin, a director at Global Alliance of Bitcoin Canada also the cryptocurrency certification consortium, C4. You can find it at cryptoconsortium.org.
Thanks so much for coming and helping build out this bitcoin knowledge podcast which is raining bitcoin knowledge on us. And then helping us understand who else out there really knows and understands bitcoin security standards enough that they can also have this expertise and share it with us.
Michael Perklin: Thanks for having me, Trace.