(RFC) DIP: Security Awareness Activities On-Site

This thread is a work in progress. Heavily inspired by:

Crypto conferences aren’t just about the buzz and networking. If you look a little closer, you’ll notice that they can sometimes be more intense than they appear. In these spaces, there’s more than just learning, swag, and POAPs; there are also people looking to take advantage of the unprepared. The threats are real, from subtle social engineering tactics to tampering with your devices or directly stealing your backpack.

The problem is that we often don’t take these risks seriously until something goes wrong. It’s almost like we need to get pwned before we learn how to protect ourselves from being pwned in the first place.

But what if you could get a heads-up before that happened? Imagine someone coming close to hacking you — but stopping just short — and then showing you exactly how they did it. You’d get the experience without the painful consequences. Sounds like a safer way to learn, right?

This is why we would like to propose security awareness activities on-site. Below, you can find the draft of our first proposal. This is just a proposal, not a commitment to carry out everything we outline below in the upcoming Devcon. That’s why we don’t include a specific date. But we didn’t want to leave this space unattended given the interest the community and organizers gave to the initiative.

Summary of the proposal

The Awareness, Learning, and Education for Real-world Threats (A.L.E.R.T) campaign, led by The Red Guild (TRG), aims to raise awareness of the evolving security threats within the Ethereum ecosystem. Using the analogy of a “dark forest” from Cixin Liu’s work, our campaign highlights the dangers lurking both on-chain and off-chain at crypto events like Devcon. Through interactive and undercover exercises (similar to red-teaming activities), we hope attendees will gain firsthand experience of how easily they can be deceived and potentially compromised.

We aim to educate attendees on how to safeguard their private keys, avoid social engineering traps, and recognize security risks they may face. We may also include scavenger hunts or capture-the-flag challenges, just to make the campaign more immersive and fun. We hope that with your support and the active participation of attendees, the campaign will foster a proactive security culture within the Ethereum community.

Security Awareness Campaign by TRG

A.L.E.R.T. – Awareness, Learning, and Education for Real-world Threats

Acknowledging the Dark Forest inside the Infinite Garden

We must recognize the growing landscape of threats that lurk within Ethereum’s infinite garden. Deep inside the dark forest, there are plenty of attackers on the lookout for vulnerabilities and opportunities to compromise our security.

Our proposal presents a Security Awareness campaign for Devcon where participants can learn about the threats that could target them both on-chain and off-chain. The objective is to educate and engage the community through interactive, yet subtle, red-team tactics that highlight the reality of these threats.

Goals

  • Raise awareness: Make all Devcon attendees aware of the diverse and sophisticated attack vectors they may encounter, especially private key compromises, phishing, and social engineering.
  • Demonstrate vulnerabilities: In realistic scenarios, show how attackers could leverage both on-chain and off-chain situations to gather data and potentially compromise security.
  • Engage the community: Foster participation with scavenger hunts or CTFs that will make attendees interact with parts of the campaign.

Key takeaways for participants

  1. Key compromises are real: The number one attack vector today involves the compromise of private keys—an issue that goes beyond web3 tech and can affect anyone. Fake sites and phishing emails can attempt to steal your keys.
  2. The real dark forest is off-chain: The “dark forest” isn’t just about on-chain transactions; it also extends to off-chain scenarios. Today, just by publicly seeking a job, you could become the target of a fake recruiter or even a state actor.
  3. Proactive security: Attendees must recognize that security isn’t just about protecting their code—it’s about safeguarding their entire digital presence. This campaign will highlight how attackers use various methods to compromise sensitive information.

Campaign activities

We will deploy simulated threats designed to raise awareness without causing real harm.

Supporting the campaign

To execute this campaign effectively, we seek both the support of Devcon’s organizers and the active participation of the community. While much of the setup can be managed by our team of volunteers, there will be a need for specific resources:

  • Hardware & Physical elements.
  • Volunteers: To help with the planning, execution, and monitoring of the campaign activities.
  • Travel expenses: Depending on the scope of the campaign, we may require travel support for our team to attend Devcon.
  • Discretion: We don’t intend to be THAT secret about this. So if you happen to detect us, don’t spoil the experience for others :slight_smile:

Conclusion

This Security Awareness campaign is designed to open the eyes of Devcon attendees to the realities of today’s security landscape. Off-chain can be riskier than on-chain. By weaving the “dark forest” analogy into the narrative, we aim to make the community more vigilant and better prepared to defend against the real threats.

We believe that with the support of Devcon and the participation of the community, a campaign like this would not only enhance security awareness but also foster a culture of proactive security within the Ethereum ecosystem.

We look forward to your feedback and hope to collaborate with Devcon organizers and the community to bring this initiative to life :rocket:

Please let us know what else you would like to see, and how you would collaborate if you were to!

6 Likes

Thanks for submitting this DIP! Can you make it a formal one under GitHub - efdevcon/DIPs: The Devcon Improvement Proposal repository? We should also have a call to align what can be done and what not without disclosing it in the public DIP to not spoil participants.

Sure! Yeah, it makes sense :), thanks for understanding. I see many DIPs pending process, what number should I assign it to? Or it doesn’t matter since I can edit it afterward.

EDIT: The DIP has been successfully pushed to main. I can’t edit the main topic in order to avoid spoilers. Is there a way we can troubleshoot this?

Can you try editing the main topic again?

There! Proofread it if you want, I think I took out the most explicit activities!

1 Like