InfoSec Team Season 8 Budget Proposal

Project Champion: BogDrakonov#1337
Author(s): stackthat.eth#5136 and BogDrakonov#1337

Season 7 Summary

Our primary role and responsibilities are to collaborate heavily with every guild and project to provide security consultation and infrastructure automation whenever they are needed. The InfoSec team stays on top of the attack vectors being used to target members and the web3 ecosystem, reports them and, where possible, explains how to mitigate them.

The InfoSec team continues to oversee and provide the following services:

  • Management of infrastructure via automation with strict access policies.
  • Gatekeeping, auditing and providing least privilege on web2 platforms
    • Google Cloud
    • Google Workspace
    • CloudFlare
    • GitHub
  • Prevention of spam and phishing scams on Discord and other communication platforms
  • Monitoring and alerting of critical systems where an intrusion would publicly harm the DAO (i.e. defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, secret leaks etc.)
  • Securing the bankless.community DNS with strict access policies and auditing for Route53 and Cloudflare
  • Help with improving the onboarding of new DAO members and the DAO-curious to proper personal operational security (OpSec) around protecting their accounts and assets (i.e. Bankless Academy lessons, First Quest security tasks, easy-to-follow guides and educational material, newsletter and Medium content)
  • Collaborate with various projects during their design/incubation stages to help keep a “Security First” mindset without getting in the way of work, and speed up acquiring the proper resources to host the project for any architecture requirement without having to hire an expert
  • Continue collaboration with the Writers Guild and EPA to develop and publish content in the DAO’s weekly Rollup

Over Seasons 4-7:

  • We’ve seen the number of phishing scams and attacks on DAO members decrease dramatically with the implementation and continuous management of the Wickbot.
  • The InfoSec Team worked with @twoeggs on an InfoSec Web3 User Safety Survey. Respondents to the survey gained a shiny new POAP for helping make Web3 safer for all!
    • Objective: survey Bankless community members to understand prevalence of crypto scams, factors that increase scam risks and features that crypto users want to improve Web3 safety.
    • Method: conducted survey of Bankless community (with ~35,000 members) December 14 to 30, 2022
    • Results: 354 survey responses from active crypto users (average 37 transactions per year). 66% of users have experienced a crypto scam and 39% lost money. Crypto scams cost victims an average of $2,900. Users would pay on average $6/month for crypto scam protection.
    • This has led to multiple product offerings that can be built within the Bankless community to protect users.
    • Full report: Crypto Scams Survey.pptx - Google Slides
  • We’ve fully migrated AWS Route53 to Cloudflare as well as the bankless.community domain registration.

The InfoSec Department continues to stay on top of security and fine-tune our measures and best practices to ensure that the needs of all members, guilds and projects are met.

Season 7 Budget Summary

  • S7 total budget was 734,000 BANK
  • Extra BANK identified in the multisig from previous seasons: 0 BANK
  • S7 total allocated as of 17 Jan 2023 was 734,000 BANK
  • S7 Anticipated Rollover = 0 BANK

Season 8

Season 8 Forecast

Season 8 Anticipated Spend 923,000 BANK
BanklessDAO Treasury Ask: 923,000 BANK

Season 7 Role Budget

Line Item Budget S7 Role Holder
InfoSec Team Coordinator 120,000 BANK BogDrakonov
InfoSec Technical Writer 40,000 BANK d0wnlore
InfoSec POAP Manager 10,000 BANK Dysan

Season 8 Budgets

Line Item Budget S8 Role Holder(s)
Infrastructure 253,000 BANK
* Automation 65,000 BANK stackthat.eth / BogDrakonov
* Education 38,000 BANK stackthat.eth
* Project Incubation Buffer 150,000 BANK buffer for projects without funding or PoC
Discord 110,000 BANK
* Administration / Moderation 50,000 BANK BogDrakonov / Dysan
* Permissions Auditing / Cleanup 60,000 BANK stackthat.eth / BogDrakonov to assist with role definitions
Google Cloud / Workspace 52,000 BANK
* Administration 13,000 BANK BogDrakonov / Dysan
* User Account Payment 39,000 BANK $234 fiat payment to Google Workspace for InfoSec admins
VaultWarden 98,000 BANK
* Automated Infrastructure (terraform) 60,000 BANK stackthat.eth
* Documentation 38,000 BANK d0wnlore
InfoSec Website 230,000 BANK
* InfoSec Website Redesign 60,000 BANK tony.stark
* bDAO Kapture Crawler (golang) 50,000 BANK stackthat.eth / tony.stark
* Machine Learning (BigQuery ML) 120,000 BANK stackthat.eth / tony.stark

Season 8 Miscellaneous Budget

Line Item Budget
Scribe Incentive 10,000 BANK

Season 8 Plans and Goals

In Season 8 we plan to increase awareness of the attacks being committed within the crypto community, where millions in assets are stolen from users each day. We plan to be an integral part of the DAO in continuing to keep members and users safe online.

Infrastructure

In Season 7 we revamped the infrastructure automation and created a secretless environment. This season we plan on expanding further with the migration of the primary DNS services from Route53 to CloudFlare. We also plan on investigating the migration of infrastructure to a decentralized vendor such as Akash.network / Edge.network. This in turn reduces the number of BANK → USDC → Fiat swaps for web2 payments, provides a way to pay with BANK, and removes the requirement of having a DAO member’s personal credit card information on file.

We also plan on investigating the use of Cloudflare’s Ethereum Gateway within the DAO ecosystem, which gives you read and write access to the Ethereum network without installing any software in your infrastructure…

In particular, users can read all information that has been agreed upon by the consensus of existing nodes in the network. In addition, they can write their own transactions and smart contracts to be stored by these nodes in a distributed manner. Anyone else on the network will be able to view these transactions, and even run your smart contracts using their own supply of the Ethereum currency.

Discord

  • Bot integrations and security management
  • Permissions management and auditing
  • Documentation in Notion of admin processes, as Level 2 guidance for decentralized expansion
  • Spam / Fraud mitigation
  • Moderation and violations of community standards enforcement (Bans)
  • Role management and auditing

In Season 8 we plan to continue reducing the overlap in roles and responsibilities regarding Discord by reducing the permissions of Level 2 users and creating a new role for a subset of Level 2s. This will reduce the issues we’ve seen with contributors who try to help out but end up causing damage.

Google Cloud / Workspace

This season we plan on migrating SSO/SAML (identity management) from JumpCloud to Google Workspace. Accounts will be stored as code, and maintaining those accounts is as simple as a pull request. This reduces administration overhead and provides abstraction from the platforms themselves.
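As an added illustration of the accounts-as-code idea (this is not the InfoSec team’s own configuration), the following Terraform declares Google Workspace users, groups and memberships so that every access change is a reviewed pull request. It assumes the hashicorp/googleworkspace provider; the domain, customer id, user names and group names are constructed placeholders:

```hcl
# Added example, not the InfoSec team's configuration. Assumes the
# hashicorp/googleworkspace Terraform provider. Domain, customer id,
# user and group names are placeholders.

terraform {
  required_providers {
    googleworkspace = {
      source  = "hashicorp/googleworkspace"
      version = "~> 0.7"
    }
  }
}

provider "googleworkspace" {
  customer_id             = "CXXXXXXXX"                 # placeholder
  impersonated_user_email = "admin@example-dao.invalid" # placeholder
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
  ]
}

# One entry per human. Onboarding adds a line, offboarding sets
# suspended = true (then removes the line once data is handed over),
# and a change of duties edits the groups list. All of it is diffable.
variable "users" {
  type = map(object({
    given_name  = string
    family_name = string
    groups      = list(string)
    suspended   = bool
  }))
  default = {
    "alice" = { given_name = "Alice", family_name = "Example", groups = ["infosec-admins"], suspended = false }
    "bob"   = { given_name = "Bob",   family_name = "Example", groups = ["contributors"],   suspended = false }
  }
}

locals {
  domain = "example-dao.invalid" # placeholder
  groups = ["infosec-admins", "contributors"]
  # Flatten users x groups into one membership record per pair.
  memberships = merge([
    for user, u in var.users : {
      for g in u.groups : "${user}/${g}" => { user = user, group = g }
    }
  ]...)
}

resource "googleworkspace_user" "this" {
  for_each      = var.users
  primary_email = "${each.key}@${local.domain}"
  suspended     = each.value.suspended
  name {
    given_name  = each.value.given_name
    family_name = each.value.family_name
  }
  # No password attribute here: sign-in goes through SSO, and any initial
  # credential is delivered out of band rather than committed to the repo.
}

resource "googleworkspace_group" "this" {
  for_each = toset(local.groups)
  email    = "${each.key}@${local.domain}"
  name     = each.key
}

resource "googleworkspace_group_member" "this" {
  for_each = local.memberships
  group_id = googleworkspace_group.this[each.value.group].id
  email    = googleworkspace_user.this[each.value.user].primary_email
  role     = "MEMBER"
}
```

The value for review is in the plan output: a pull request that adds `"infosec-admins"` to a user’s groups shows exactly one new `googleworkspace_group_member` resource, so the reviewer is approving a concrete privilege grant rather than trusting a console change after the fact. Admin-role assignments (via `googleworkspace_role_assignment`) would follow the same pattern and deserve the strictest review.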

VaultWarden

This season we plan to bring the VaultWarden password management system under the InfoSec team, managed through automation, and to ensure strict security policies are in place and that updates and patches to the platform itself are applied.

  • VaultWarden Hosting and Maintenance
    • Coordinate with Operations Department on planned updates to keep VaultWarden secure and reliable
      • Potentially pass hosting from Ops → Infosec
    • Create maintenance documentation to make it easy to maintain

InfoSec Website

The InfoSec website uses a microservice (codename “kapture”) to automatically crawl news articles, blog posts and other media and to collect and store specific content (recent hacks, attacks and scams within the web3 ecosystem) in a BigQuery database. Machine learning is then used to sort and catalog these assets and make them displayable on the website. This will provide a single location for reviewing recent information on the sector.

Furthermore, we can use the information collected to create new Bankless Academy content/quizzes, as well as content for the Bankless newsletter / weekly rollups.

Do we fund InfoSec for Season 8?

  • Yes
  • No (Comment Below)

0 voters

3 Likes

Thank you for keeping us safe infosec!

3 Likes

Thank you for your service! This topic should not be underestimated!

2 Likes

Awesome work InfoSec Team! Wen InfoSec Dept? Seems like it’s too core to be a project and subject to seasonal funding whims.

2 Likes

Hi @BogDrakonov Thanks for this well put together proposal. I don’t see the retrospective portion of the template reflected here - although I could be missing it.
I do have a few questions:

I would like to open and view this - and though it says “google slides” I am not familiar with a .pptx file and am unsure if this type of file is safe to open or not. (Not saying that this particular file is unsafe, just the type of file)
This actually brings me to my next question.
Are there any plans for general guidance for everyone in the DAO on best practices when it comes to files, bots, wallets, sites etc…
For instance:
  • A list of infosec (and possibly ops) approved bots/integrations
  • Guidance on files that would include: don’t ever open / open with caution / should be okay but use your own judgement

pptx is a Microsoft PowerPoint document and is typically safe to open unless it asks you to enable macros. (Our document should not)

As for guidance on bots, we do only permit bots to be added by a select group of admins (right now just InfoSec and @AboveAverageJoe) and this is enforced by Wick.
We can expand on the typical guidance of files and make something more DAO-specific

Season 9 we plan to migrate to being a department.

3 Likes

Hi @BogDrakonov
This says Department.

I know that you all are planning this for season 8. I also found



One says project, one says guild. Not a huge difference in wording, but something I would think someone editing it would pick up, if not all of the infosec people that reviewed it.

Can you please show how you are distributing BANK at the rate of 1,000 BANK/hr? That is how the GC can fund.

re:Department
Socially we’ve called ourselves a department before “departments” existed as an official funding model. If you see that terminology, it’s just a mistake from habit. However, we are moving towards becoming a department for Season 9.

We’ve discussed department vs team vs project at length, and at this point any further discussion on it (unrelated to aiding our move to become a department in Season 9) is just arguing over semantics for the sake of argument.

re:Survey
As for the twoeggs screenshots, you and I discussed those last night in #infosec-general on Discord. As I stated to you then, we are considering it a false report unless you specifically point out what you see wrong with it instead of continuing to make us guess.

In the future please link to messages as well as screenshot so we can properly review them.

@Sprinklesforwinners see the message I just tagged you in in our team’s Discord channel. This forum is not the appropriate avenue to discuss the survey considering the convo history around it.