Securing Discord Admins
Cold Admin Setup (For the Account That Owns the Server)
Jon_HQ Cold Discord Admin Protocol v.1
Something I've been having trouble explaining to teams is both the setup and usage of Cold Discord Admins for an NFT project. So here is my guide to both setup and usage, for free, as always.
First, a nicely formatted image version; I'll also include a thread below covering all the info. Also, sorry for the annoying watermark, but certain bad actors in the space copy my work and release it as their own. You can ALWAYS share my work, but please at least credit me.
Concept:
If the only accounts with dangerous permissions on the server never talk to anyone and live on a separate device, they fundamentally cannot be phished. So the solution? We transfer dangerous permissions from team members' daily-use Discord accounts to new ones. These new accounts are more secure and are used only to modify server settings, bot settings, or deal with a team member compromise. So let's hop into how we set up these new secure accounts...
Setup:
The goal is to have 5 different Cold Admin accounts, each owned by a different team member. Having multiple Cold Admins gives the project flexibility and helps if an attack occurs in the middle of the night. Here are the setup steps:
i. Identify the 5 team members who will need to create Cold Admin accounts.
ii. Each selected team member needs to find an old or unused device. This can be an old phone, an old laptop, or a newly purchased Chromebook.
iii. Each device used by a team member should be wiped clean to remove any lingering malware.
iv. Each selected team member needs to create a new Gmail account on that clean device. Write down the username/password and store it somewhere safe.
v. Create a brand new Discord account with that new email account. Write down the username/password and store it somewhere safe.
vi. Set up 2FA using Google Authenticator. Then join the Discord server on that account and get the Cold Admin role.
vii. If you are transferring server ownership to a Cold account, it is recommended to verify a phone number on that account, just to ensure you won't get flagged by Discord as a suspicious account (which locks the account until you verify a phone number).
Usage:
When an announcement needs to be made, go onto your Cold Admin account and temporarily assign the "Announcer" role to your hot account. Post the announcement, then from your Cold Admin remove the "Announcer" role. Always remove the Announcer role when done.
To add bots, access bot dashboards, or modify the server, simply use your Cold Admin account to make the changes. That's it. Don't talk to people on your cold account, and only use it for the above tasks. Once this is all set up, your server is infinitely more secure.
Thank you for reading all the way through, and please share this guide with any projects you are involved in. If a project doesn't use cold admins, it's pretty much just a question of time before it gets compromised. This should be an industry standard at this point.
How to Set Up Announcement Accounts (Every Project Should Do This)
Updates to how I handle Cold Admins
With a lot of feedback from the teams I work with I've identified some issues with both understanding Cold Admins as well as their use. So I've decided to rebrand...
Introducing Announcement Accounts instead.
First, the name change: "Cold Admin" is just confusing if you're not well versed in cold wallets/hot wallets. So I'm changing it to better fit what they actually do the majority of the time: make announcements. This should make it much more apparent what they are for.
Secondly, an issue with the old Cold Admin setup was requiring folks to add a role, then remove a role. This means you need to access your cold device twice for each announcement, which is pretty inconvenient. Instead, we'll just use the cold account to post announcements directly.
This feels like a good compromise between security and convenience. It is easier to explain to team members to turn off DMs on that account and never use it for anything but announcements than to expect them to remember to remove a role after every announcement. One less role, too.
So here is my updated guide for teams on how to set up the accounts, sorry again for the watermark! Let me know what you guys think about the changes, I'm going to be trialing it out and seeing how teams feel about it this week.
The Role of Cold Admins / Announcement Accounts
Discord Security Tip - Cold Admins
I've spent the last month or so talking with NFT project owners and trying to explain cold admin accounts and how they work with a Discord... and at this point, I think I need to elaborate even more.
Here is the Cold Admin Protocol.
A lot of preliminary knowledge is located in my previous thread here: https://twitter.com/Jon_HQ/status/1507538209110069249
We'll start from the basics and go step by step through what you need to do to lock down your Discord and actually sleep well at night as a project owner.
i. Trust no one.
We have to operate from the assumption that every single member of your team will get compromised. Under that assumption we are forced to ask: what can we do? The simple answer is the same as for wallet security. Use a different account on a different device.
ii. The $250k wallet.
If I told you a team member was storing $250k of company funds in their MetaMask on their main computer, where they browse porn, play games, and spend all day...
You'd probably fire them.
That wallet is their Discord account, and that's what it is worth right now.
iii. The Cold Admin
A cold admin is a brand new Discord account, not used for anything else, housed on a separate device. This can be an old phone or an old laptop. Think of this new device as a hardware wallet. You will ONLY use it with your second Discord account.
iv. Attack vector?
Now, if my cold Discord account with elevated permissions is on an old phone, turned off... how would you phish me? (You really can't.) This is the fundamental principle of the Cold Admin Protocol. ONLY USE THIS ACCOUNT TO CHANGE DISCORD SETTINGS.
v. The Role of a Cold Admin
A cold admin does a total of two things, and only two things. 1. Change Discord settings or grant temporary permissions to individuals to modify channels or roles. 2. Stop an attack from occurring. That is it. Don't chat on your cold account.
vi. Distributed Cold Admins
Having a single account in the Cold Admin role is not enough. To satisfy the second duty of the Cold Admin Protocol mentioned above, you need many (5+) people with cold admin accounts, from different timezones, to cover all 24 hours of the day.
vii. Responsibility
Each person who agrees to become a cold admin for your project needs to view it in the same way as accepting the duty to be a multisig signer for a DAO. They need to understand the risk and follow the above protocol.
If they fuck up it can be $250k+ lost.
viii. Once implemented...
The next big thing here is, once you have migrated to cold admin accounts, make sure no existing roles have Administrator permissions. This also means checking your bots with admin perms (Mee6) and ensuring no roles are designated as 'Bot Master' roles.
ix. And now...?
There are more nuanced details around this (doing Mention All pings securely), but if you implement this protocol today, your server will be drastically more secure than it was yesterday.
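The "no existing roles have Administrator permissions" check above is easy to do by hand once, but it drifts: a mod gets Manage Roles "temporarily", a bot is re-invited with Administrator. The following is an added example (my own, not Jon_HQ's code or anything from his guide) of a small audit that decodes Discord's permission bitfield and flags every role outside an allowlist that carries a server-changing permission. The role records are constructed sample data shaped like the objects Discord's guild roles API returns (`permissions` is a decimal bitfield encoded as a string); the permission bit values are the ones documented in Discord's developer docs. The role names, IDs and the allowlist are assumptions for the example.

```python
# Added example, not from the original thread: audit a guild's role list for
# permissions that should only ever live on a cold-admin role.
#
# SAMPLE_ROLES below is constructed data shaped like the objects returned by
# Discord's GET /guilds/{guild.id}/roles endpoint ("permissions" is a decimal
# bitfield encoded as a string). For a real audit, feed in the live response.

# Permission bits as documented in Discord's permissions bitfield.
PERMISSION_BITS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# Permissions a phished hot account must never hold. ADMINISTRATOR implies all
# of the others; MENTION_EVERYONE is included because a mass ping is the usual
# first step of a scam announcement.
DANGEROUS = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
    "MANAGE_WEBHOOKS", "BAN_MEMBERS", "KICK_MEMBERS", "MENTION_EVERYONE",
}


def decode_permissions(bitfield):
    """Return the set of named permissions present in a Discord permission bitfield."""
    value = int(bitfield)
    return {name for name, bit in PERMISSION_BITS.items() if value & bit}


def audit_roles(roles, allowed_role_names):
    """Return (role label, sorted dangerous permissions) for every role that is not
    on the allowlist and carries at least one dangerous permission.

    Bot-integration roles (``managed`` is true, e.g. Mee6) are reported too and
    labelled, since a bot with Administrator is as dangerous as a person with it.
    """
    findings = []
    for role in roles:
        if role["name"] in allowed_role_names:
            continue
        dangerous = sorted(decode_permissions(role["permissions"]) & DANGEROUS)
        if dangerous:
            label = role["name"] + (" (bot-managed)" if role.get("managed") else "")
            findings.append((label, dangerous))
    return findings


# Constructed sample roles (hypothetical names and IDs): one cold-admin role,
# a moderator role with Manage Roles left on, a bot role with full Administrator,
# an announcer role that can @everyone, and an ordinary member role.
SAMPLE_ROLES = [
    {"id": "1", "name": "Cold Admin", "permissions": str(1 << 3), "managed": False},
    {"id": "2", "name": "Moderator",
     "permissions": str((1 << 1) | (1 << 2) | (1 << 28)), "managed": False},
    {"id": "3", "name": "Mee6", "permissions": str(1 << 3), "managed": True},
    {"id": "4", "name": "Announcer", "permissions": str(1 << 17), "managed": False},
    # VIEW_CHANNEL (1 << 10) and SEND_MESSAGES (1 << 11) only: harmless.
    {"id": "5", "name": "Member", "permissions": str((1 << 10) | (1 << 11)), "managed": False},
]

if __name__ == "__main__":
    # Only the cold-admin role is allowed to hold dangerous permissions.
    for label, perms in audit_roles(SAMPLE_ROLES, {"Cold Admin"}):
        print(f"FLAG {label}: {', '.join(perms)}")
```

Run it against the sample data and it flags Moderator (ban/kick/manage roles), Mee6 (Administrator, bot-managed) and Announcer (mention everyone) while leaving Cold Admin and Member alone. A role that legitimately needs a flagged permission is handled by putting it on the allowlist deliberately, which is exactly the decision the audit is meant to force.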
Stay safe. If you want to get more Discord security tips daily, follow me on Twitter at Jon_HQ for more.