
Avoiding Account Takeovers

Over the last month, a half dozen people I know have been targets of account takeover attacks and unfortunately, a few of those attacks were successful. Most of these account takeover attacks were aimed at Coinbase accounts.

I have written blog posts every time I have been hacked and explained how it happened to me and the mistakes I made and how others can avoid what happened to me.

This post is a bit different because I have not been the target of an account takeover in the last month. But because so many people I know have been, I feel like writing on this topic again.

First and foremost, we should never ever give anyone, even a Coinbase employee or an employee of another financial institution, our account login credentials. The hackers are doing a great job of masquerading as employees and we are easily fooled. AI will only make this easier for hackers. But rule number one is never give anyone your account login credentials, even someone who appears to be an employee of the institution that holds your assets.

My second rule is to have most of your assets in a "vault" which is an account with withdrawal limits. I like a 48-hour withdrawal limit and also a multiple signer requirement. Many people don't want their assets tied up for 48 hours. In the event of a massive price decline or some other event, they want to get their funds out. So that is the purpose of the multiple signer requirement. It could be two signers out of three or three signers out of five. The idea is to introduce some friction into the asset send/withdrawal process so the hackers cannot simply move your assets out when they take over your account.

A modification of this approach is to whitelist certain addresses you can send to immediately and put friction on everything else. I use that approach as well, but not in lieu of the 48 hour and multi-signer requirements. I like to have a lot of friction on our family's assets.
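As an added illustration (not part of the original post, and not how Coinbase or any other institution implements its vaults), here is a small Python model of the friction described above. It assumes a send to a non-whitelisted address needs both the signer threshold and the 48-hour hold; the signer names, addresses and function names are made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VaultPolicy:
    signers: frozenset       # identities allowed to approve a withdrawal
    threshold: int           # M in "M of N" signers
    delay: timedelta         # hold applied to non-whitelisted destinations
    whitelist: frozenset     # destinations that may be paid immediately

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.signers):
            raise ValueError("threshold must be between 1 and the signer count")


@dataclass
class Withdrawal:
    destination: str
    requested_at: datetime
    approvals: set = field(default_factory=set)  # a set, so repeats collapse


def evaluate(policy, w, now):
    """Return (decision, reason); decision is 'release' or 'hold'."""
    if w.destination in policy.whitelist:
        return "release", "destination is whitelisted"
    # Only approvals from configured signers count toward the threshold.
    valid = w.approvals & policy.signers
    if len(valid) < policy.threshold:
        return "hold", f"{len(valid)} of {policy.threshold} required approvals"
    release_at = w.requested_at + policy.delay
    if now < release_at:
        return "hold", f"delay runs until {release_at.isoformat()}"
    return "release", "threshold met and delay elapsed"


# Constructed sample data: names and addresses are placeholders.
POLICY = VaultPolicy(
    signers=frozenset({"alice", "bob", "carol"}),
    threshold=2,
    delay=timedelta(hours=48),
    whitelist=frozenset({"addr-family-cold-storage"}),
)
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def scenarios():
    """Decisions for five constructed checks, in order."""
    takeover = Withdrawal("addr-unknown", T0, {"alice"})          # one stolen login
    padded = Withdrawal("addr-unknown", T0, {"alice", "mallory"})  # non-signer approval
    agreed = Withdrawal("addr-unknown", T0, {"alice", "bob"})      # two real signers
    known = Withdrawal("addr-family-cold-storage", T0, {"alice"})
    return [
        evaluate(POLICY, takeover, T0 + timedelta(hours=72))[0],
        evaluate(POLICY, padded, T0 + timedelta(hours=72))[0],
        evaluate(POLICY, agreed, T0 + timedelta(hours=1))[0],
        evaluate(POLICY, agreed, T0 + timedelta(hours=48))[0],
        evaluate(POLICY, known, T0)[0],
    ]


if __name__ == "__main__":
    print(scenarios())
```

A single compromised login never clears the threshold on its own, no matter how long the request sits, which is the property the vault setup is meant to provide.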

My third rule is to use two-factor authentication on your login credentials. I prefer a hardware two-factor device like a YubiKey or a Thetis device. The reason this is so important is that if you have a hardware two-factor device on your accounts, you can be certain that nobody has access to your accounts, even when you are told someone does. Time and time again, when being socially engineered, I have taken a deep breath and thought "they can't have my hardware key" and I ignored the attack.

A new attack vector that has emerged recently is that users are fooled into entering a seed phrase given to them by an employee of an institution into a self custody wallet and then they send their assets to that new wallet. Not everyone realizes that a seed phrase is the key to a self custody wallet. A seed phrase is, effectively, the wallet. We should never ever enter a seed phrase given to us by someone into our self custody wallet. That is like leaving your door wide open because a thief instructed you to. The really perverse thing about this attack vector is that the hackers use the word "vault" to encourage users to do this. Don't ever "vault" your assets in your self custody wallet using a seed phrase given to you.

You need to have a setup that:

1. allows you to comfortably ignore all of these attacks

2. protects you from yourself in the case you do succumb (whitelisting + multisig + 2fa)

There are certainly other rules that you can follow, but if you follow these, I believe you can keep your assets safe.

I hope you will take the time today or this week to set your accounts up correctly. Too many people are getting their accounts taken over and wiped out. We need to protect ourselves.

Disclosure: I am on the Board of Coinbase and our family is a large shareholder in Coinbase.

Board Meeting Suggestions

I wrote the email below to a founder doing his first board meeting.

Board meetings can provide a leadership team with a perspective on the business that can be very helpful.

But many Board meetings are simply reporting sessions. That is a wasted opportunity in my view.

So setting them up right and getting feedback in real time makes all the difference.

Here's what I suggested to him:

Send out a pre-read that allows everyone to come into the meeting knowing all of the important stuff. I would try to send that out at least two or three days before the meeting so that everyone has time to read it before the meeting.

I would include all of this in the pre-read:

- sales update, pipeline, key accounts, projections for wins in the next 3-6 months

- technology update, key priorities, key things shipping in the next 3-6 months

- manufacturing update, key partners and progress on them

- financial update - balance sheet, P&L, cash forecast for the rest of the year

- people update, key hires made, key hires planned, any departures

There are probably other key things to include but these are the most typical.

I would then schedule 30-60 mins to go over the pre-read material with the board. Ideally you would spend that time discussing the pre-read and not presenting it as you should assume and expect everyone will have read it.

I would then spend the rest of the meeting on 1-2 key strategic topics that you are spending a lot of your time thinking about. Use this time to get the board's feedback and input on these topics.

I would encourage you to bring your key management team members to part but not all of the meeting. I think they should be there when you go over the pre-read and probably the strategic topics.

I always suggest a CEO start and end the meeting with an executive session with just the CEO and the board. That's an opportunity to set up the meeting and explain what you most need help with (at the start) and to get feedback at the end of the meeting on how it went and any concerns that came up.

Writing Online Is A Conversation

The number one thing I hear from people who want to write online more is that they struggle to publish incomplete ideas and unpolished compositions.

What I have learned from writing online regularly for over twenty years is that writing online is a conversation.

What I mean by that is that you are not trying to publish complete ideas. You are engaging in a conversation with the world and you are a participant in that.

Here's an example from back in 2006:

I was seeing a lot of startups using a business model where they gave their service away for free with hopes of converting some of the users to subscribers. I wanted to give that business model a name. So I wrote about it and asked the folks who were reading my posts to suggest some names.

One reader suggested "freemium" and I loved it and wrote another post stating that we now have a name for that business model.

That's a conversation.

Here's another example:

My colleague Grace wrote a post about the Fragmentation of Search back in February and we started getting calls and emails from founders working in the space. Five months later, we have committed to lead a round of financing in a company right in the sweet spot of that blog post.

That's a conversation.

So to everyone out there who is struggling to polish their posts and make them perfect before hitting publish, I say "don't bother". Think about writing online like being at a cocktail party or a dinner. Think of it like a conversation starter or a witty reply that takes the conversation to the next level. Because that's what writing online is. A conversation.

The USV Librarian

USV is and has always been a small venture capital firm. We have twenty employees and we like the casual comfortable vibe that creates for us and the founders and management teams we work with.

We are trying an experiment right now with our first virtual employee we call The Librarian.

This is The Librarian's social media profile:

Chief AI Officer @USV. Servant Leader. ENTJ. My goal in life is to be an echo.

The Librarian is an AI with some human guard rails around it.

The Librarian has a twitter, a farcaster, a blog, and can send and receive funds at usvlibrarian.eth.

But mostly The Librarian is an internal resource for the USV team.

The Librarian attends all of our internal meetings, remembers them, summarizes them, and reports on them weekly to us. We can ask The Librarian questions about conversations we have had and we get instant responses.

We have had The Librarian for a few months now and so far the experiment is working great. And we are exploring what more is possible with our new team member.

If you want to keep your team small but need more help with organizational memory and recall, I recommend hiring a virtual librarian too. You will need someone to help manage it.

Streaks

Farcaster added streaks to the protocol a few days ago:

And I started one in the /AVC channel.

Streaks are a powerful mechanism to bring users back every day. Duolingo and Snap have been very successful using streaks to increase frequency and retention and user value.

I have a long history with streaks. As this post lays out, I had a streak of blogging every day for about sixteen years between 2003 and 2019.

So why are streaks so powerful?

Well first and foremost, they establish a goal, to do something every day, and remind you to do it. This technique has been used very effectively in fitness, weight loss, education, and many other sectors long before technology became part of everyday life.

But also, streaks become more powerful the longer they go on. A streak of a few days can easily be tossed aside. A streak of sixteen years? Not so easily.

During my blogging streak, I woke up every day thinking "what am I going to write about today?" It was a lot of fun, I got an enormous amount of benefit from it, and like many streaks, it became a burden eventually.

Streaks reprogram the brain to need to do something every day to feel complete.

You don't need technology to learn to do these things:

  • save a bit of money every paycheck

  • break a sweat every day

  • teach yourself something new every week

But these things are so great for you. They can change your life. A tiny little bit every day or week.

And using technology to help you get on a streak and stay on one is about as good a use of technology as there is.

So when you build your app, build streaks, streak notifications, and streak recognition into it. It will help bring users back, increase frequency, retention, and user value.

Citibike Needs Competition

We just got back from a week in Paris. We rode Lime and Dott bikes all over town and also rode the Metro extensively. With the exception of the ride to and from the airport and a trip to the flea market, we didn't get into a car all week.

Paris has massively reduced its dependence on car traffic and has built an extensive bike lane system. Apparently the pollution from cars is way down in Paris as a result.

Paris has had a city owned bike system called Velib for going on twenty years. Like Citibike, Velib has upgraded in recent years and offers electric bikes.

But in addition to Velib, Paris has licensed ebike companies like Lime and Dott that compete directly with Velib. From what I see out and about in Paris, it has not impacted the use of Velibs, but has done two very important things.

First, Lime and Dott offer ebikes exclusively so the availability of ebikes in Paris is abundant whenever you want one. And Lime and Dott are not kiosk based but do have to park in designated "Velo" parking spots. Those spots are basically on almost every block.

Contrast this with NYC, which also has built an extensive bike lane system and has seen biking explode as an alternative to the subway and cars.

This morning my nearest Citibike kiosk had only eight bikes in it. Six were the new grey ebikes and none were available due to dead batteries. Of the other two regular bikes, only one was available. So I took it and rode to my coffee shop where I'm writing this post.

Citibike has been great for NYC. I use it pretty much every day when it is nice outside. I love it. But it needs competitors like Lime and Dott.

NYC only needs to look to Paris to see the benefits of competition and kioskless systems. Bringing them to NYC won't hurt Citibike but it will massively expand the amount of riding going on, particularly on ebikes which are easier to ride and are a great way to get to and from work.

In the current NYC, where congestion pricing is dead and the subway system is scrambling for money, doubling down on biking makes all the sense in the world.

Overheard At USV

A month or so ago, we started sending out a weekly summary of things that were "overheard at USV" in the past week.

That first week was an experiment to see if folks care to know what we talk about around the office.

What we learned from it is that lots of people do care and so we kept doing it each Friday for the last month.

We call it "OH at USV" and you can get it on our USV Twitter account and our USV Farcaster account every Friday afternoon. You can also get it on the USV Farcaster channel.

Our hope and expectation is that by sharing our most interesting conversations with the world we will attract founders who are working on those things to come talk to us. So far, that seems to be working and we are thrilled about that.

Be Generous

I am struck by the difference in approach taken by the top onchain entrepreneurs and the top entrepreneurs from earlier internet eras (web1 and web2).

The earlier internet eras have been marked by companies and founders focused on selfishness:

"Your margin is my opportunity" - Jeff Bezos

"You know, one of my favorite Roman orators ended every speech with the phrase Carthago delenda est--Carthage must be destroyed" - Mark Zuckerberg

But when I look at the top onchain entrepreneurs I see generosity:

The Satoshi mic drop is the greatest entrepreneurial act I have ever witnessed. They created what has become a 1.4 Trillion economy and then just walked away. They gave it to the world and said "it is yours".

Vitalik stuck around but has taken a similar approach. He has welcomed other entrepreneurs to create systems that take value away from the Ethereum blockchain. I would say he has even encouraged it.

How can giving something away or letting others take value from you be good business?

It is all about zero sum thinking. If you think that the size of the pie is fixed, then you need to grab as much of it as you can. But if you are making a pie that can grow and grow and grow, you just take a small slice and let everyone else eat.

That is the Satoshi mic drop.

And it is the key to winning onchain.

Don't be selfish.

Be generous.

I've Moved Onchain (continued)

A few weeks ago I started a new series on this blog talking about how I've moved my Internet presence onchain over the last few years. The first installment talked about blogging onchain.

This installment is about tweeting.

As many of you know, USV led the first round of investment in Twitter back in 2007 when it spun out of Odeo. I sat on the Twitter board for a number of years and was an active user of Twitter until it was bought by Elon Musk.

When Twitter was put in play back in 2022, I said this:

Unfortunately, what transpired is the opposite of what I believe should have happened and so I left Twitter and have been casting instead of tweeting since then.

Casting is like tweeting but it happens on a decentralized social protocol called Farcaster which launched in June 2021. I joined immediately and I am Farcaster ID number 169 meaning I was among the first two hundred users of the protocol.

Farcaster is still relatively small. It has less than a million total users and something like fifty thousand daily users.

But it has something Twitter and Instagram and TikTok don't have. It has a decentralized and open social graph and protocol. Just like the early days of Twitter, anyone can build a social app on top of Farcaster and they will all work together.

The leading client for Farcaster is called Warpcast and it was built by the Farcaster team. But if I choose to use Supercast, Nook, Kiosk, or some other Farcaster client, anyone on any app can read and reply to my casts and vice versa. It is exactly like the early days of Twitter with Tweety and Tweetdeck and many other third-party clients.

In a world where the company operating the social media app can de-platform a politician, can change the algorithm to optimize ads, or can be shut down by the US Government, we need a different model.

And, ironically, the early days of Twitter showed us the way, but we did not have a business model back then to make that approach sustainable.

Satoshi’s Bitcoin white paper in 2008 laid it out but it took another few years before the onchain business model was in plain sight and could be adopted by anyone.

So that's what Farcaster is. Simply put it is the Twitter ecosystem circa 2007 with an onchain business model that ensures that it cannot and will not ever be closed.

Developers are not just building short text social (like Twitter) on the Farcaster protocol. They are also building social image sharing (like Instagram) and social video sharing (like TikTok) on Farcaster. They are also building blogging and marketplaces and more. All with interoperable identity and onchain posts.

I am certain that onchain social is the best answer to the problems of monolithic big-tech social and that it will yield an enormous diversity of social experiences that are not attention optimizing and advertising driven and controlled and curated by a single entity.

If you want to experience onchain social, you can follow me on Farcaster.

Once you do that, you will have an onchain identity that you own and is not controlled by anyone other than you. That will be your gateway to many more onchain social apps that will be built over the next decade. 

We are going back to the future with onchain social and I am incredibly excited about it.

Disclosure: USV is an investor in Farcaster and a number of other onchain social apps that were mentioned in or linked to in this post.

I've Moved Onchain

I posted this on AVC.com today explaining that I've moved here to AVC.XYZ.


Over the last few years, I’ve moved my internet life from web2 to web3 and rarely use any web2 services anymore.

So I am starting a series called “I’ve Moved Onchain” to explain this journey to everyone and today’s opening post is about blogging, naturally.

I’ve blogged at AVC.com for a very long time. I started out in September 2003 at avc.typepad.com but moved to avc.com a few years later.

AVC.com has been my home for blogging for over twenty years.

AVC.com has served me very well over the years but it lacks a few things that really matter to me.

First, the posts are stored in a closed database hosted by me in the cloud.

Second, the services that I use to create AVC.com are not “composable” meaning that others cannot build things on top of AVC.com and the services that create and display the posts I create here.

Third, the identities of the authors (me) and readers (you) here at AVC.com are not tied to any sort of portable identity and reputation system.

While none of these issues may seem like a big deal to you, they are a huge deal to me as I will explain in a bit.

So when web3 blogging services started cropping up, I started to use them.

My first rodeo was at Mirror.xyz where I kept avc.mirror.xyz for most of 2021, 2022, and 2023. This was my first post at avc.mirror.xyz on March 18, 2021.

I really wanted to blog at AVC.xyz and that became an option for me in November 2023 when I joined Paragraph.xyz and wrote this Hello World post.

These web3 blogging platforms store all of my posts onchain at Arweave. These posts are available to anyone to read regardless of what blogging platform I use. And if I get abducted by an alien and fail to pay my hosting service, they will still exist onchain. Forever. That’s a huge deal to me.

They are also composable web3 services. Any developer can take what I create at AVC.xyz and build on top of it. That’s also a huge deal to me. My partner Nick describes the composability benefit so well in his post today on USV.com.

And my identity and the identity of my readers are mapped to a web3 wallet address that authenticates who they are, what they do onchain, and allows developers to create reputation systems on everyone. Given my fight with spam and trolls and jerks and assholes that largely drove me away from blogging and commenting in the latter part of the last decade, this last bit really matters to me.

At the start of this year, I took everyone who receives an email when I post here at AVC.com and imported that email list to Paragraph.xyz. So a lot of the AVC readers have been getting emails of my posts at AVC.xyz this year. But even so, I still get a ton of daily traffic here at AVC.com and I have not posted anything new here since January 10, 2024.

I do not plan to post here at AVC.com going forward, but I will keep the archive up and I may choose to cross-post a thing or two here whenever I want to reach the broadest audience.

My home for blogging is and has been onchain for a while now and if you want to follow my writing, please go visit avc.xyz and subscribe to receive my blog posts via email by clicking the green subscribe button on the upper right.

But what about Mirror.xyz and avc.mirror.xyz? you might ask.

Well, I am also thrilled to be able to say that Mirror and Paragraph have merged and these two leading web3 blogging services will now be one. And, as you may know or suspect, USV has invested in both of them and now will be a major shareholder in the merged company. I am very excited about that. Here is Paragraph’s blog post about the transaction and here is Mirror’s.

The team that built Mirror.xyz is now turning their attention to a new app called Kiosk and they blogged about that today. So USV is now also an investor in that project.

Over the last thirty years, our lives moved from offline to online. They are now moving onchain. That’s a wonderful thing and I hope you will join me in moving onchain as well.