S16 E33: Liz Steininger on Least Authority & Auditing Open Source Software

Liz Steininger is the CEO of Least Authority: a company which specializes in auditing open source software since 2014. Originally founded by Zooko Wilcox, Least Authority has conducted more than 100 security audits in the space. Some of the best known contractors who requested an expert review include the Ethereum Foundation, the Electric Coin Company, Metamask, the KeyStone hardware wallet, and Avalanche. Least Authority also builds products that make use of Zero Knowledge Proofs: PrivateStorage (a cloud storage system that's designed to make the host unaware of the files being stored), ZKAPs (Zero Knowledge Access Passes, an authorization system that separates the payer from the data on the items being bought), and Winden (a file-sharing service that's encrypted and requires no identity from the sender and receiver). In a space which often defers to "check the code, it's open source", companies such as Least Authority offer high quality verification which makes it easier for the average non-technical person to trust that something is safe. Also, it helps builder have the peace of mind that what they're working on will not bring any unforeseen consequences. Time stamps: 00:00 - Intro and Sponsor Mentions 
Introduction to the podcast and sponsors: Sideshift, Bitcoin.com News, EdgeWallet, LayerTwo Labs, Citrea, NoOnes.com, and HODLING.ch. 01:17 - Guest Introduction: Liz Steininger 
Liz Steininger, CEO of Least Authority, is introduced. Discussion begins about the company’s focus on security, privacy, and auditing in the crypto space. 1:57 - Irony of "Least Authority" Having a CEO 
Liz addresses the irony of a company named Least Authority having a CEO, explaining their non-hierarchical approach and balance of leadership. 03:04 - Least Authority Philosophy and Nick Szabo’s Influence 
Discussion on the principle of least authority, referencing Nick Szabo’s 2005 paper and its connection to Zooko, founder of Least Authority. 05:19 - Liz’s Tech Background 
Liz shares her journey into tech, from early internet experiences to open-source and privacy-focused technologies. 09:36 - Role of Auditing Firms in Open-Source 
Exploration of why auditing firms like Least Authority are necessary despite open-source code being publicly verifiable. 11:45 - Surprising Audit Findings 
Liz discusses instances where Least Authority found unexpected issues during audits and the value of helping clients fix them. 12:16 - Notable Clients and Audits 
Overview of Least Authority’s clients, including Zcash, MetaMask, Ethereum Foundation, Filecoin, Polygon, and Keystone hardware wallet. 14:35 - Predicting the Ethereum DAO Hack 
Liz reflects on Least Authority’s 2015 Ethereum audit, which identified vulnerabilities that later contributed to the 2016 DAO hack. 17:43 - When to Conduct Audits 
Discussion on the optimal timing for audits, depending on project roadmaps and feature development. 19:51 - Auditor Liability and Security Guarantees 
Liz explains that no system can be 100% secure and discusses the limitations of auditor liability. 22:25 - Social Engineering and Security 
Exploration of how social engineering can bypass even the most secure systems, with examples like SIM swapping and Pfizer leaks. 29:55 - Least Authority’s Products: Private Storage, ZKAPs, Winden 
Overview of Least Authority’s products: Private Storage (client-side encrypted storage), ZKAPs (zero-knowledge access passes), and Winden (anonymous file transfer). 36:45 - ZKAPs Applications Beyond Storage 
Liz discusses potential uses of ZKAPs for other services requiring privacy in payments, like VPNs or electricity. 43:53 - Winden’s Features and Use Cases 
Detailed explanation of Winden’s end-to-end encrypted, identity-free file transfer, ideal for secure peer-to-peer sharing. 46:21 - Destiny: Mobile Version of Winden 
Introduction to Destiny, a mobile app version of Winden using the same magic wormhole protocol. 50:00 - HRO Cloud for Human Rights Organizations 
Discussion of HRO Cloud, a free version of Private Storage for qualified human rights organizations. 51:00 - Moon Math Manual 
Overview of the Moon Math Manual, a resource for learning about ZK-SNARKs, inspired by the term “moon math” from Vitalik Buterin. 57:38 - Privacy, Law Enforcement, and Zero-Knowledge Proofs 
Liz discusses how Least Authority minimizes data collection to avoid sharing with law enforcement, emphasizing privacy design. 1:01:59 - Privacy Market and Big Tech Adoption 
Reflections on the growing demand for privacy tech and potential adoption of zero-knowledge proofs by major tech companies. 1:05:00 - Auditing Non-Crypto Projects 
Liz notes that while most clients are crypto-related, they also audit non-crypto open-source projects, though funding is a challenge. 1:07:17 - Vibe Coding and Auditing Demand 
Discussion on the rise of vibe coding (AI-generated code) and its potential to increase demand for audits, especially for smart contracts. 1:11:07 - Zcash Audit and Bitcoin Codebase 
Liz considers whether their Zcash audit indirectly audited Bitcoin’s codebase, noting it’s an interesting question for further review. 1:13:05 - Publishing Audit Reports 
Liz advocates for more industry-wide publication of audit reports to improve transparency and user education. 1:18:01 - Competing Auditing Firms 
Liz discusses competition in the auditing space, varying by project type (e.g., smart contracts vs. protocols). 1:21:12 - Future of Privacy and Zcash Integration 
Liz expresses hope for Zcash’s privacy tech to be integrated into Bitcoin, emphasizing its potential to drive mass adoption. 1:24:00 - Liz’s First Computer and Early Tech Memories 
Liz shares nostalgic memories of using an Atari, Commodore 64, and AOL, encouraging listeners to comment “AOL” to prove they watched to the end. 1:28:37 - Closing and Winden Recommendation 
Liz thanks the host and encourages listeners to try Winden, an open-source, free file transfer tool.