InfoSec Team Season 6 Funding Proposal

Author: stackthat.eth#5136 and BogDrakonov#1337
Date Created: October 12, 2022
Date Posted: October 14, 2022

Season 5 Summary

Our primary role and responsibility is to collaborate closely with every guild and project, providing security consultation and infrastructure automation wherever needed. The InfoSec team stays on top of the attack vectors used to target members and the wider web3 ecosystem, reports on them and, where possible, on how to mitigate them.

Services provided include:

  • Management of infrastructure via automation with strict access policies.
  • Gatekeeping, auditing and enforcing least privilege on web2 platforms:
    • JumpCloud
    • Google Cloud
    • Google Workspace
    • AWS
    • CloudFlare
    • GitHub
  • Prevention of spam and phishing scams on Discord and other communication platforms
  • Monitoring and alerting on critical systems where an intrusion would publicly harm the DAO (i.e. defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, secret leaks, etc.)
  • Securing the bankless.community DNS with strict access policies and auditing for Route53 and Cloudflare
  • Helping improve the onboarding of new DAO members and the DAO-curious to proper personal operational security (OpSec) for protecting their accounts and assets (i.e. Bankless Academy lessons, First Quest security tasks, easy-to-follow guides and educational material, newsletter and Medium content)
  • Collaborating with projects during their design/incubation stages to keep a “Security First” mindset without getting in the way of work, and speeding up the acquisition of the resources needed to host a project for any architecture requirement without having to hire an expert
  • Continuing collaboration with the Writers Guild and EPA to develop and publish content in the DAO’s weekly Rollup

Since Seasons 4 and 5, we have seen the number of phishing scams and attacks on DAO members decrease dramatically with the implementation of the Wickbot.

The InfoSec Department continues to stay on top of security and fine-tune our measures and best practices to ensure that the needs of all members, guilds and projects are met.

Season 5 Budget Summary

  • S5 total budget was 390,000 BANK
  • Extra BANK identified in the multisig from previous seasons: 30,000 BANK
  • Extra DAI identified in the multisig from previous seasons:
  • S5 total allocated as of 14 Oct 2022 was 420,000 BANK
  • S5 Anticipated Rollover = 0 BANK

Season 6

Season 6 Forecast

Season 6 Anticipated Spend 737,657 BANK + 250,000 BANK buffer

BanklessDAO Treasury Ask: 987,657 BANK

Season 6 Role Budget

Line Item                   Budget         S5 Role Holder
InfoSec Team Coordinator    120,000 BANK   BogDrakonov
InfoSec Technical Writer     40,000 BANK   d0wnlore
InfoSec POAP Manager         10,000 BANK   Dysan

Season 6 Budgets

Line Item                                  Budget          S5 Role Holder(s)
Infrastructure                             153,000 BANK
  * Automation                              65,000 BANK    stackthat.eth / BogDrakonov
  * Education                               38,000 BANK    stackthat.eth
  * Project Incubation Buffer               50,000 BANK    buffer for projects without funding or PoC
Discord                                    110,000 BANK
  * Administration / Moderation             50,000 BANK    BogDrakonov / Dysan
  * Permissions Auditing / Cleanup          60,000 BANK    stackthat.eth / BogDrakonov, assisting with role definitions
Google Cloud / Workspace                    21,657 BANK
  * Administration                          13,000 BANK    BogDrakonov / Dysan
  * Account Registration                     8,657 BANK    stackthat.eth
VaultWarden                                108,000 BANK
  * Coordination Security Assets            10,000 BANK    stackthat.eth / links from Ops
  * Automated Infrastructure (terraform)    60,000 BANK    stackthat.eth
  * Documentation                           38,000 BANK    downl0re
bDAO InfoSec t-shirt branding               45,000 BANK    downl0re / stackthat.eth
InfoSec Website                            170,000 BANK
  * bDAO Kapture Crawler (golang)           50,000 BANK    stackthat.eth / tony.stark
  * Machine Learning (BigQuery ML)         120,000 BANK    stackthat.eth / tony.stark / Dysan
InfoSec Consulting                         N/A
  * bDAO Asset Recovery Project (MEV)      N/A             N/A, new for S6
  * Mitigation as a Service (MaaS)         N/A             N/A, new for S6
Matrix                                      75,000 BANK    from buffer
  * Security Review                         25,000 BANK    N/A, new for S6
  * Moderation Bot                          25,000 BANK    N/A, new for S6
  * Architecture                            25,000 BANK    N/A, new for S6

Season 6 Miscellaneous Budget

Line Item           Budget
Scribe Incentive     10,000 BANK
Buffer              200,000 BANK

Season 6 Plans and Goals

In Season 6 we plan to increase awareness of the attacks being committed within the crypto community, where millions in assets are stolen from users each day. We plan to be an integral part of the DAO in continuing to keep members and users safe online.

Infrastructure

In Season 5 we revamped the infrastructure automation and created a secretless environment. This season we plan to expand further with the migration of the primary DNS services from Route53 to CloudFlare. We also plan to investigate migrating infrastructure to a decentralized vendor such as Akash.network / Edge.network. This reduces the number of BANK → DAI → Fiat swaps needed for web2 payments, provides a way to pay in BANK, and removes the need to have a DAO member’s personal credit card on file.

We also plan to investigate the use of Cloudflare’s Ethereum Gateway within the DAO ecosystem, which gives you read and write access to the Ethereum network without installing any software in your infrastructure…

In particular, users can read all information that has been agreed upon by the consensus of existing nodes in the network. In addition, they can write their own transactions and smart contracts to be stored by these nodes in a distributed manner. Anyone else on the network will be able to view these transactions, and even run your smart contracts using their own supply of the Ethereum currency.

Discord

  • Bot integrations and security management
  • Permissions management and auditing
  • Documentation in Notion of Admin processes for level 2 guidance of decentralized expansion
  • Spam / Fraud mitigation
  • Moderation and violations of community standards enforcement (Bans)
  • Role management and auditing

In Season 6 we plan to coordinate with the Operations Department to reduce overlap in roles and responsibilities regarding Discord.

Google Cloud / Workspace

This season we plan to migrate SSO/SAML (identity management) from JumpCloud to Google Workspace. Accounts will be stored as code, so maintaining them is as simple as opening a Pull Request. This reduces administration overhead and abstracts away the platforms themselves.

VaultWarden

This season we plan to bring the VaultWarden password management system under InfoSec team management using automation, ensuring that strict security policies are in place and that the platform itself receives updates and patches.

  • VaultWarden Hosting and Maintenance
    • Coordinate with Operations Department on planned updates to keep VaultWarden secure and reliable
      • Potentially pass hosting from Ops → Infosec
    • Create maintenance documentation to make it easy to maintain

bDAO Branded T-Shirt

An effort to raise the visibility of the DAO’s InfoSec team when attending events and conferences within the InfoSec and Web3 communities. The next event an InfoSec member is attending is Taiwan Blockchain Week, and we would like the Bankless brand to be represented there thanks to downl0re.

InfoSec Website

The InfoSec website uses a microservice (codename: kapture) to automatically crawl news articles, blog posts and other media, collecting and storing specific content (recent hacks, attacks and scams within the web3 ecosystem) in a BigQuery database. Machine learning is then used to sort and catalog these assets and make them displayable on the website. This will provide a single location for reviewing recent information on the sector.

InfoSec Consulting

Using the information gathered by the InfoSec Kapture Project, we can analyze how people in the space are being hacked and falling for phishing scams, and how to avoid such scams, and offer that as a Mitigation as a Service offering within InfoSec Consulting Services.

Furthermore, we can use the information collected to create new Bankless Academy content/quizzes, as well as content for the Bankless newsletter / weekly Rollups.

Matrix

This item was raised for discussion during Season 5 by AustinFoss (UTC-6)#7340. While watching the Tornado Cash fallout, we observed their Discord server, GitHub repositories and other assets being wiped from web2 platforms.

Fund InfoSec for Season 6?

  • Yes
  • No



It seems prudent to pursue the re-categorization of InfoSec Team to be an internal Department. My best understanding is this would be a bdip / snapshot.

Thoughts?

We originally thought the same but bdip is for changing / revising the constitution. Our proposal is not to change or amend the bDAO constitution.

We’ve acted as a department since season 3, 4 & 5. We currently manage the infrastructure / technology deployment automation / configuration, as well as ensure security best practice is configured for the DAO web2 assets.

Not all systems are under the InfoSec realm but we’re trying to close that gap in Season 6.

Our proposal is to increase awareness, mitigate, educate and provide security services. Just yesterday another bDAO contributor, Tundeeey#9140, was compromised, losing all of their BANK. Tundeeey#9140 was not the first, countless members have lost their assets, and it certainly won’t be the last. Even some very skilled technical people have fallen victim to hacks, scams and fraud.

Feedback is welcomed and encouraged!!!


This is my primary point. With Season 6 we are seeing the specific development of internal “Departments” and I think InfoSec should take steps to enshrine itself in this way.

InfoSec should definitely be an internal department. We focus on internal DAO security and projects, and our outward facing initiatives (other than education) are funneled through Bankless Consulting already.

I don’t see any documentation on the process to become a formalized internal department though, since, as stackthat.eth mentioned, the bdip process seems to refer to updating the constitution. If there is an example of a previous snapshot we can probably work pretty well off that.


Hmm, perhaps the external consulting precludes the idea entirely, but no there is no example. We have only recently established this concept and given Guilds a one-time pass to transform themselves into the Department style of funding, vs member funding. See: Member-Based Guild Funding

Likely there is not much difference in funding mechanics: Departments must give an accounting of roles & expenses, but the label does help defer any type of “self sufficiency” KPIs in favor of ones that orient the group towards simply serving the internal needs of the DAO.

Since there is no example of a project turning into a Department - or the creation of one on its own - we can chart this course on our own using classic proposal consensus. Forum > Snapshot.

cc @links for insight and possibly the procurement of specific documentation to the effect of “How to Create a New Guild or Department”


Personally I feel that Infosec SHOULD be a department, but also feel that the current guild/department choice should not be extended to projects at this time (we can talk about that on Discord if you feel strongly about it).

In my head, new Departments and Guilds (what the GSEs have called recurring cost centers) should be ratified by the DAO via Snapshot (after having gone through consensus on the forums and potentially through Grants Committee, too).

There’s no precedent for this. @jameswmontgomery.eth and @stackthat.eth and @BogDrakonov , you would be doing the DAO a great service if you would pursue this route for Infosec and in doing so create a precedent.


Absolutely agree, we’ll certainly pursue this during Season 6 for InfoSec!


As @stackthat.eth said, we will pursue this during Season 6. We’d definitely love to get our team recognized as a department and reduce some friction in the seasonal budgeting process as well.


Maybe I am oversimplifying this, but I see this team as an essential workstream in the Ops Department, which could therefore be funded under that (revised) budget.
If the team wanted to pursue activities externally, that work could be put in a proposal for project funding from GC.


Not a bad idea but ultimately we should be our own full department in order to remain impartial when investigating incidents involving DAO members. We’ll end up reporting only to the DAO as a whole, and not other individual members/guilds.


@jameswmontgomery.eth we’re going to cut the budget down to 562,657 for now by pausing the t-shirt and Matrix projects for now. We’re also excluding the buffer from the proposal.

In the future we might do a temp check and see if they are worth pursuing additional funding for.
