InfoSec Team Season 6 Funding Proposal

BogDrakonov · October 15, 2022, 1:05am

Author: stackthat.eth#5136 and BogDrakonov#1337
Date Created: October 12, 2022
Date Posted: October 14, 2022

Season 5 Summary

Our primary role and responsibilities is to collaborate heavily with every guild and project to provide security consultation and infrastructure automation whenever they may be needed. The InfoSec team stays on top of attack vectors being used to target members and the web3 ecosystem and report them and if possible how to mitigate them.

The following services include:

Management of infrastructure via automation with strict access policies.
Gatekeeping, auditing and providing least privilege on web2 platforms
- JumpCloud
- Google Cloud
- Google Workspace
- AWS
- CloudFlare
- GitHub
Prevention of anti-spam, phishing scams on Discord and other communication platforms
Monitoring and alerting of critical systems where an intrusion would publicly harm the DAO (ie: defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, secret leaks etc…)
Securing the bankless.community DNS with strict access policies, auditing for Route53 and Cloudflare
Help with improvements to onboarding new DAO members, and the DAO-curious to proper personal operational security (OpSec) around protecting your accounts and assets. (ie: Bankless Academy lessons, First quest security tasks, easy to follow guides and educational material, newsletter and Medium content)
Collaborate with various projects during their design/incubation stages to help keep a “Security First’’ mindset without getting in the way of work. As well as speed to acquiring proper resources to host the project for any architecture requirement without having to hire an expert
Continue collaboration with the Writers Guild and EPA to develop and publish content on the DAO’s weekly Rollup

Since Season 4 & 5 we’ve seen the amount of phishing scams and attacks on DAO members decrease dramatically with the implementation of the Wickbot.

The InfoSec Department continues to stay on top of security and fine tune our measures and best practices to ensure all members, guilds and projects needs are met.

Season 5 Budget Summary

S5 total budget was 390,000 BANK
Extra BANK identified in the multisig from previous seasons: 30,000 BANK
Extra DAI identified in the multisig from previous seasons:
S5 total allocated as of 14 Oct 2022 was 420,000 BANK
S5 Anticipated Rollover = 0 BANK

Season 6

Season 6 Forecast

Season 6 Anticipated Spend 737,657 BANK + 250,000 BANK buffer

BanklessDAO Treasury Ask: 987,657 BANK

Season 6 Role Budget

Line Item	Budget	S5 Role Holder
InfoSec Team Coordinator	120,000 BANK	BogDrakonov
InfoSec Technical Writer	40,000 BANK	d0wnlore
InfoSec POAP Manager	10,000 BANK	Dysan

Season 6 Budgets

Line Item	Budget	S5 Role Holder(s)
Infrastructure	153,000 BANK
* Automation	65,000 BANK	stackthat.eth / BogDrakonov
* Education	38,000 BANK	stackthat.eth
* Project Incubation Buffer	50,000 BANK	buffer for projects without funding or PoC
Discord	110,000 BANK
* Administration / Moderation	50,000 BANK	BogDrakonov / Dysan
* Permissions Auditing / Cleanup	60,000 BANK	stackthat.eth / BogDrakonov to assist with role definitions
Google Cloud / Workspace	21,657 BANK
* Administration	13,000 BANK	BogDrakonov / Dysan
* Account Registration	8,657 BANK	stackthat,eth
VaultWarden	108,000 BANK
* Coordination Security Assets	10,000 BANK	stackthat.eth / links from ops
* Automated Infrastructure (terraform)	60,000 BANK	stackthat.eth
* Documentation	38,000 BANK	downl0re
bDAO InfoSec t-shirt branding	45,000 BANK	downl0re / stackthat.eth
InfoSec Website	170,000 BANK
* bDAO Kapture Crawler (golang)	50,000 BANK	stackthat.eth / tony.stark
* Machine Learning (BigQuery ML)	120,000 BANK	stackthat.eth / tony.stark / Dysan
InfoSec Consulting	N/A
* bDAO Asset Recovery Project (MEV)	N/A	N/A - new for S6
* Mitigation as a Service (MaaS)	N/A	N/A - new for S6
Matrix	75,000 BANK	From Buffer
* Security Review	25,000 BANK	N/A - new for S6
* Moderation Bot	25,000 BANK	N/A - new for S6
* Architecture	25,000 BANK	N/A - new for S6

Season 6 Miscellaneous Budget

Line Item	Budget
Scribe Incentive	10,000 BANK
Buffer	200,000 BANK

Season 6 Plans and Goals

In Season 6 we plan to increase awareness of the attacks being committed within the crypto community with millions of assets stolen from users each day. We plan to be an intrical part of the DAO in continuing to keep members and users safe online.

Infrastructure

In Season 5 we’ve revamped the infrastructure automation and created a secretless environment. This season we plan on expanding further with the migration of the primary DNS services from Route53 to CloudFlare. We also plan on investigating the migration of infrastructure to a decentralized vendor such as Akash.network / Edge.network. This in turn reduces the amount of BANK → DAI → Fiat swaps for web2 payments as well as provides a way to pay with BANK and remove the requirement of having a DAO Members personal credit card information.

We also plan on investigating the use of Cloudflare’s Ethereum Gateway within the DAO ecosystem which gives you read and write access to the Ethereum network without installing any software in your infrastructure…

In particular, users can read all information that has been agreed upon by the consensus of existing nodes in the network. In addition, they can write their own transactions and smart contracts to be stored by these nodes in a distributed manner. Anyone else on the network will be able to view these transactions, and even run your smart contracts using their own supply of the Ethereum currency.

Discord

Bot integrations and security management
Permissions management and auditing
Documentation in Notion of Admin processes for level 2 guidance of decentralized expansion
Spam / Fraud mitigation
Moderation and violations of community standards enforcement (Bans)
Role management and auditing

In Season 6 we plan on coordinating with the Operations Department and reducing some overlap in roles and responsibilities regarding Discord

Google Cloud / Workspace

This season we plan on migrating SSO/SAML (Identity Management) from JumpCloud to Google Workspace. Accounts will be stored as code and maintaining such accounts is as simple as a Pull Request. This reduces administration overhead and provides abstraction from the platforms themselves.

VaultWarden

This season we plan to coordinate the VaultWarden password management system to be managed under the InfoSec team using automation and to ensure strict security policies are in place as well as updates and patches to the platform itself.

VaultWarden Hosting and Maintenance
- Coordinate with Operations Department on planned updates to keep VaultWarden secure and reliable
  - Potentially pass hosting from Ops → Infosec
- Create maintenance documentation to make it easy to maintain

bDAO Branded T-Shirt

An effort to create exposure of the DAO’s InfoSec team when attending events and conferences within the InfoSec and Web3 communities. The next event that an InfoSec member is attending is the Taiwan Blockchain Week and we’d like to have the Bankless Brand be in attendance thanks to downl0re.

InfoSec Website

The InfoSec website uses a microservice “codename: kapture” to automatically crawl news articles, blog posts and other media to collect and store specific content (recent hacks, attacks and scams within the web3 ecosystem) in a BigQuery Database. Using machine learning to sort and catalog these assets and make them displayable on the website. This will provide a single location for reviewing the recent information on the sector.

InfoSec Consulting

Using the information gathered from the InfoSec Kapture Project we can analyze how people in the space are being hacked, falling for phishing scams, how to avoid scams etc. and provide that as a Mitigation as a Service offering for InfoSec Consulting Services.

Furthermore we can use the information collected to create new Bankless Academy content/quizzes, as well as the Bankless newsletter / weekly rollups.

Matrix

This item came up for discussion during Season 5 from AustinFoss (UTC-6)#7340 and while watching the Tornado Cash fallout, we observed their Discord server, Github Repositories and other assets wiped from web2 platforms.

Fund InfoSec for Season 6?

Yes
No

0 voters

jameswmontgomery.eth · October 16, 2022, 6:56pm

It seems prudent to pursue the re-categorization of InfoSec Team to be an internal Department. My best understanding is this would be a bdip / snapshot.

Thoughts?

stackthat.eth · October 16, 2022, 11:43pm

We originally thought the same but bdip is for changing / revising the constitution. Our proposal is not to change or amend the bDAO constitution.

We’ve acted as a department since season 3, 4 & 5. We currently manage the infrastructure / technology deployment automation / configuration, as well as ensure security best practice is configured for the DAO web2 assets.

Not all systems are under the InfoSec realm but we’re trying to close that gap in Season 6.

Our proposal is to increase the awareness, mitigate, educate and provide security services. Just yesterday another bDAO contributor Tundeeey#9140 was compromised loosing all of their BANK. Tundeeey#9140 was not the first, countless members have lost their assets and it certainly won’t be the last. Even some very skilled technical people have fallen victims to hacks, scams and fraud.

Feedback is welcomed and encouraged!!!

jameswmontgomery.eth · October 18, 2022, 1:29pm

This is my primary point. With Season 6 we are seeing the specific development of internal “Departments” and I think InfoSec should take steps to enshrine itself in this way.

BogDrakonov · October 18, 2022, 2:03pm

InfoSec should definitely be an internal department. We focus on internal DAO security and projects, and our outward facing initiatives (other than education) are funneled through Bankless Consulting already.

I don’t see any documentation on the process to become a formalized internal department though, since, as stackthat.eth mentioned, the bdip process seems to refer to updating the constitution. If there is an example of a previous snapshot we can probably work pretty well off that.

jameswmontgomery.eth · October 18, 2022, 2:26pm

Hmm, perhaps the external consulting precludes the idea entirely, but no there is no example. We have only recently established this concept and given Guilds a one-time pass to transform themselves into the Department style of funding, vs member funding. See: Member-Based Guild Funding

Likely there is not much difference in funding mechanics: Departments must give an accounting of roles & expenses, but the label does help defer any type of “self sufficiency” KPIs in favor of ones that orient the group towards simply serving the internal needs of the DAO.

Since there is no example of a project turning into a Department - or the creation of one on its own - we can chart this course on our own using classic proposal consensus. Forum > Snapshot.

cc @links for insight and possibly the procurement of specific documentation the effect of “How to Create a New Guild or Department”

links · October 18, 2022, 3:18pm

Personally I feel that Infosec SHOULD be a department, but also feel that the current guild/department choice should not be extended to projects at this time (we can talk about that on Discord if you feel strongly about it).

In my head, new Departments and Guilds (what the GSEs have called recurring cost centers) should be ratified by the DAO via Snapshot (after having gone through consensus on the forums and potentially through Grants Committee, too).

There’s no precedent for this. @jameswmontgomery.eth and @stackthat.eth and @BogDrakonov , you would be doing the DAO a great service if you would pursue this route for Infosec and in doing so create a precedent.

stackthat.eth · October 18, 2022, 4:05pm

Absolutely agree, we’ll certainly pursue this during Season 6 for InfoSec!

BogDrakonov · October 18, 2022, 6:39pm

as @stackthat.eth said, we will pursue this during Season 6. We’d definitely love to get our team recognized as a department and reduce some friction in the seasonal budgeting process as well.

Trewkat · October 22, 2022, 10:40am

Maybe I am oversimplifying this, but I see this team as an essential workstream in the Ops Department, which could therefore be funded under that (revised) budget.
If the team wanted to pursue activities externally, that work could be put in a proposal for project funding from GC.

BogDrakonov · October 22, 2022, 4:06pm

Not a bad idea but ultimately we should be our own full department in order to remain impartial when investigating incidents involving DAO members. We’ll end up reporting only to the DAO as a whole, and not other individual members/guilds.

BogDrakonov · October 25, 2022, 12:18am

@jameswmontgomery.eth we’re going to cut the budget down to 562,657 for now by pausing the t-shirt and Matrix projects for now. We’re also excluding the buffer from the proposal.

In the future we might do a temp check and see if they are worth pursuing additional funding for.

Topic		Replies	Views
InfoSec Team Season 7 Budget Proposal Grants/Funding	6	1540	February 7, 2023
InfoSec Team Season 8 Budget Proposal Season 8 Proposals	9	1105	April 19, 2023
InfoSec Season 5 Budget Proposal Grants/Funding	0	1527	July 19, 2022
InfoSec Team Season 9 Budget Proposal Season 9 Proposals	4	544	August 2, 2023
InfoSec Team Season 4 Budget Proposal Season 4 Project Proposals	2	1830	April 18, 2022