Select Page

EP31: Michael Perklin – A Digital Forensic Expert’s Story of the Hack

Today on Liberty Entrepreneur Podcast: Michael Perklin: Head of Security and Investigative Services at Ledger Labs, President of C4, Board member of Bitcoin Foundation and Bitcoin Alliance of Canada, and pun lover.

@mperklin on Twitter Email:

Michael tells about the ShapeShift hack story. Find the full story at

Michael has a degree in Information Theory – tells us what that is

How should entrepreneurs go about giving trust to employees?

Michael describes what an information system is

In 12 or 13 years, Michael has never been involved in a situation where an emergency is publicized like this.

What does Michael start looking at when he arrives at the scene of a crime? What should an entrepreneur do when they have a cyber event?

1) For the entrepreneur: turn off all hardware involved – best way to do this is by turning power off, not by shutting down. 2) For the investigator: get caught up – brain dump of all relevant info to event

To construct a time line of events, Michael must ask the same questions to everyone involved, even if this gets tedious. Minds are not like hard drives, where once the data is there, it stays there. There are 2 sides to every story. Person one’s impression, person two’s impression. There is sometimes a third side – a recording of what was actually said.

What percentage of hacking / theft events have an internal component? While Michael doesn’t give a percentage, he says that of his work, the “vast majority have some form of internal component”.

In most cases where there is an internal component, the insider is acting maliciously.

Michael also sees negligence too frequently: a “Security Expert” claims skills he doesn’t have, and real security is not achieved.

What is the most important lesson other entrepreneurs can learn from the Shapeshift incident?

“There always seems to be a reason to wait before you involve a security professional. Once I finish the code, then I’ll get it security audited. Once we go online, then I’ll have someone do a penetration test on it.”

Usually the reason is financial, but this line of thinking is entirely incorrect.

When thinking about engaging a security professional, “If the primary motivation is to save money, then the best way to save money is to get a professional right at the beginning, right at the architecting phase.”

“That’s actually another thing I would recommend to your listeners: If any of them are like Michael: Enjoying your job is so much better than money.”

Michael tells about how he first became an entrepreneur, and how this shaped his forming C4, The CryptoCurrency Certification Consortium.

C4 was born out of the need for companies that need to hire bitcoin expertise, but the hiring manager doesn’t have bitcoin expertise themselves.

CBP: Certified Bitcoin Professional (akin to a driver’s license) – Over 2000 registered users CBX: Certified Bitcoin Expert (akin to a mechanic’s license) – being developed now

CCSS: CryptoCurrency Security Standard – applies to information systems

Movies and TV would imply that biometrics are the most secure security method. Michael believes this couldn’t be further from the truth.

Biometrics are definitely less secure than passwords and two factor authenticators.

Regardless of the implementation, Michael strongly believe that 2 factor authentication will be the norm.

What motivates Michael as an entrepreneur? Simple: Fun, and enjoyment.

“I became an entrepreneur because I wanted to enjoy my 9 to 5 a lot more than I was currently enjoying it. And I was successful in doing that.”

“Chose the thing that you love, and figure out a way to make that your 9 to 5.”

If you make your own decision: I am this guy, I am going to do this thing, and I don’t care what other people are saying, because this is what I want in my life. If you have the ability to say this confidently and strongly, you will make a great entrepreneur.

Michael gives us his favorite pun that he’s recently heard.

Michael talks about the difference between security and security theater.

3 reasons why biometrics are inferior security to other methods:

1) Required error thresholds 2) Every biometric identifier is inherently public – the equivalent of having your password on a post-it note on your forehead 3) There is no possibility for revocation… ever – this is the most important reason

On the importance of revocation and biometrics: “If I lose my key, I can change the lock. If I lose my password, I can change the password. But if I lose a biometric identify, like a fingerprint, I can’t revoke my finger. That means for the rest of my life, I can never use that same finger for any authenticator ever again, because I know somebody and some point copied it at some time.

Link to Liberty Entrepreneurs show with Brennan episode 23 where we discussed security and biometrics as well

What is the best way to authenticate on a system?

“I always knew that at some point in the future, after I got enough work experience, then I would go out on my own and become an entrepreneur, and I would start my own company. And it was always something that was going to happen in the future, maybe 35 or 40 years old. When I had this opportunity to start on my own, I knew I wasn’t ready. I knew that I didn’t go through that other 10 years of work experience to get what I thought what I needed in order to do it. But, I took a leap of faith. And it was tough, I definitely survived on ramen for the first couple of months. By sticking with it, I realized that the only thing that I really needed was to believe in myself.

If anyone is considering whether to do it [take the leap of becoming an entrepreneur], Michael says to jump in with both feet and never look back.

Build Freedom,