# Security and Honesty Brief (Ethereum Interactive Lecture)

Owner: instructor
Reference: ../../prd.json story D8

This document is the security baseline for the lecture. Every wallet-touching artifact (slides, lab guide, post-quiz answer key) references it by relative path. The duty of care is to leave students more security-aware than they arrived, not less.

## Irresponsible patterns to never teach

1. **Real wallet on classroom wifi**. Never instruct a student to install MetaMask and use it as anything other than a throw-away test wallet. The seed phrase generated in class will end up on a sticky note next to a monitor. Treat that as a fact and design accordingly.
2. **Seed phrase reuse across testnet and mainnet**. A test wallet is never funded with real ETH. A real wallet is never imported with a class-generated seed. The two domains never touch.
3. **Ignoring phishing in a Chrome-extension teaching context**. Telling students to install a Chrome extension without warning them about look-alike extensions trains exactly the click-through behavior phishers exploit.
4. **Treating a workshop wallet as a financial account**. The class wallet has zero monetary value, was created in class on possibly compromised infrastructure, and should never be funded with real money or used to sign anything off-class.
5. **Same seed for testnet and mainnet**. A seed phrase is the master key. One leak compromises every chain that derives addresses from it. Workshop seeds are single-use and disposed of.

## Required student-facing warning text (verbatim)

Ship this in the lab guide, on a slide, and in the post-quiz answer key:

```
TEST WALLET ONLY, NEVER REUSE THIS SEED.

The wallet you create or use in class is for learning only. It has zero monetary
value, was set up on classroom infrastructure, and may be exposed.

Never fund this wallet with real ETH. Never import this seed phrase into a real-money
wallet. Never use the same seed phrase for testnet and mainnet. When the workshop
ends, write the seed phrase down and store it offline, OR delete the wallet entirely.

If you want a real-money wallet later, install MetaMask fresh on a clean machine
and generate a NEW seed phrase. Treat that seed phrase like the keys to a safe.
```

## "This is not financial advice" boxed paragraph (slide 2 verbatim)

```
This lecture is educational. Nothing here is investment, legal, or tax advice.
Cryptocurrency markets are volatile and a meaningful share of retail investors lose
money. If you choose to participate after this class, do so with money you can
afford to lose, on a clean wallet you generated yourself, and after independent
research.
```

## Phishing playbook (mention in slide 9 and in the closing remarks)

After class, students are wallet-aware and therefore phishing targets. Brief them on the four most common attack patterns so they recognise each one the next time they see it.

1. **Email or DM asking to "verify" or "restore" a seed phrase.** Real wallets never ask. The seed phrase is typed only into the wallet's OWN restore flow, never on any web page. If a page is asking for it, the page is hostile.
2. **Look-alike domains.** The legitimate MetaMask domain is `metamask.io`. Anything else (`metamask-security.xyz`, `metamask-help.com`, `metarnask.io` with an `rn` instead of `m`) is phishing. Bookmark `metamask.io` once and never type it again.
3. **Look-alike Chrome extensions.** Install MetaMask only from `https://metamask.io/download` or directly from the Chrome Web Store entry that has 10 million plus users and Consensys as the publisher. Look-alike extensions with similar logos and small user counts are wallet drainers.
4. **"Support" agents in Discord, Telegram, or X DMs.** Real support never DMs first. Anyone DMing about your wallet is hostile. Block and report.

A 30-second mental script before any wallet action: "What domain am I on? What is being asked of me? Has the legitimate vendor ever asked this through this channel?" If the answer to the third question is no, walk away.
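One way to make the "What domain am I on?" question mechanical, as an added example that is not part of this brief or of MetaMask's own tooling: an allow-list check that first collapses common confusable substitutions. The legitimate host `metamask.io` and the look-alike samples come from the playbook above; the confusable table, the classification labels and the `classifyWalletUrl` name are this example's own assumptions.

```javascript
// Added example (not from the brief): defender-side classification of a URL a
// student is about to interact with. Only the host named in the playbook is trusted.
const LEGITIMATE_HOSTS = ["metamask.io"]; // from the brief
const BRAND = "metamask";

// Confusable pairs (assumed for this example): what a phisher types -> what the eye reads.
// "rn" for "m" is the playbook's own example; "0" for "o" is added for the same reason.
const CONFUSABLES = [
  [/rn/g, "m"],
  [/0/g, "o"],
];

// Collapse confusables so "metarnask" reads as "metamask" before comparison.
function normalizeConfusables(label) {
  return CONFUSABLES.reduce((s, [pattern, repl]) => s.replace(pattern, repl), label);
}

// Exact match against the allow-list, or a subdomain of an allow-listed host.
// "metamask.io.evil.example" does NOT pass: it does not end with ".metamask.io".
function isAllowListed(host) {
  return LEGITIMATE_HOSTS.some((legit) => host === legit || host.endsWith("." + legit));
}

// Labels returned:
//   "legitimate" : allow-listed host reached over https
//   "insecure"   : allow-listed host, but not https (treat as suspect)
//   "lookalike"  : not allow-listed, yet reads like the brand once confusables are collapsed
//   "unknown"    : unrelated or unparseable; the 30-second mental script still applies
function classifyWalletUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return "unknown";
  }
  // WHATWG URL lowercases the host; also drop a trailing dot ("metamask.io.").
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (isAllowListed(host)) {
    return url.protocol === "https:" ? "legitimate" : "insecure";
  }
  return normalizeConfusables(host).includes(BRAND) ? "lookalike" : "unknown";
}

// Walk the playbook's own samples plus one unrelated host.
const SAMPLES = ["https://metamask.io/download", "https://metarnask.io",
  "https://metamask-security.xyz", "https://metamask.io.evil.example", "https://example.org"];
for (const u of SAMPLES) console.log(u, "->", classifyWalletUrl(u));
```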

## Private vs shared chain honesty pattern

At every step of the workshop, students must be told which chain they are on.

- The Remix VM in-browser chain is PRIVATE: only the student's browser tab can see it. Closing the tab erases the chain.
- The Sepolia testnet is SHARED across the world but the ETH is fake.
- The Ethereum mainnet is SHARED globally and the ETH is real money.

Never let a student leave the lecture believing the Remix VM chain is the same kind of object as Ethereum mainnet. The instructor anchor demo (D11) exists to demonstrate the shared property explicitly.

## Slide-level enforcement

- Slide 2 ships the boxed not-financial-advice paragraph above.
- A "TEST WALLET ONLY" slide appears before any wallet-themed slide.
- The "private vs shared chain" diagram slide accompanies the D11 anchor demo at minutes 35 to 38.
- The closing slides (slides 29 to 30) repeat the warning.

## Lab guide enforcement

The lab guide D4 references this brief by relative path in the "Before you start" section AND at the end. The take-home notebook section repeats the warning.

## Post-quiz answer key enforcement

The post-quiz D5 includes one question on which-chain-is-shared. The answer key links back to this brief.

## Cross-references

- Timing sheet: ./timing_sheet.md
- Fallback plan: ./fallback_plan.md
- Slides: ../slides/ethereum_interactive_lecture.tex
- Lab guide: ../lab_guide.md
- Quiz: ../quizzes/ethereum_interactive_post_quiz.md
