Johnathon Claudius

Speaker
287 total appearances

Podcast Appearances

Web3 with Sam Kamani
372: The Security Mistakes Every Web3 Founder Makes (And How to Avoid Them) with Guest Speaker Johnathon Claudius from Asymmetric Research

So an example like that, I would feel more comfortable going faster.

But if we're talking about something that could have billions of dollars in it, then I think we need to slow down a little bit.

We need to take much greater care.

And I think a lot of these like defense in depth conversations are often conversations that have already happened by the time auditors get the snapshot of code that you want to have reviewed.

The opportunity to fix that is much earlier.

So for me, it really comes down to the design and that design sort of like cements the threat model that you're operating in.

And obviously you can add stuff afterwards, but adding stuff afterwards is sometimes more expensive or slow.

But our goal is to basically help clients get to a place where they've got really good, strong defense in depth and they can move as fast as they want or as the protocol wants to go.

Yeah, definitely.

Yeah, I can tell you, it reminds me a lot of a universe that we entered into when we started doing lots of continuous integration and continuous deployment with software, right?

Back in the day, you would generate a tarball, but in modern systems, you're using CI/CD to produce this.

And in a lot of ways, the reality and the scary reality from the security side is that you have remote code execution as a service, right?

And now we're taking that remote code execution as a service with some of these agents that are potentially running on our laptops and just sort of saying like, hey, Claude, go, go nuts, right?

Um, don't make any mistakes, right? But yeah, I think that there is some real risk there. I think we've, you know, at least a lot of crypto projects don't have good laptops, like laptop security hygiene. So I think one of the first things we can do is consider whether or not you have like an MDM solution or you have an EDR solution that's on the laptop that's there to defend the sovereignty of the laptop. The other thing we can do is we could potentially run these

LLMs or agents in isolated environments where they don't have access to, sort of, all the secrets of your laptop, like for example session data or GPG signing keys or things like that. It's a delicate balance because I think the same thing happens in the CI/CD universe, which is like, okay,

Well, if I want the CI/CD universe as I'm like pushing my pull request up and I want them to sort of build and auto deploy and I want to see the website change or I want to see my product change.

The danger is that if you put too much trust from a secrets and sort of like underlying part and you don't separate those duties in any way, if that system ever gets compromised, then you can just sort of walk away with all the secrets and capabilities.

And

I did a bunch of research on this 10 years ago, probably well before CI/CD stuff was really interesting.

But I think we're definitely approaching that on the agent side of the house where it's like, I have an agent that's running on my system.