Joe Stewart (aka Hal0x2328 in the NEO community) is well-known by those who held NEO early in the blockchain’s life cycle. Stewart’s Redeemable HashPuppy Token (RHT) airdrop had a wide reach, as every NEO address holding between 1 and 99 NEO got their very own HashPuppy on New Year’s Eve of 2017. Stewart’s other asset, the Master Contract Token (MCT), was also distributed by surprise airdrop; in May of 2018, all NEO addresses with a transaction history of NEP-5 assets received MCT.

The airdrops were the only way that Stewart’s assets were distributed to the general public. Because there was no associated ICO or public token sale, Stewart’s projects hit the ground running, with minimum hype and maximum distribution. Both assets are currently traded against the NEO token on the Switcheo decentralized exchange.

A blockchain game featuring unique, tradeable virtual puppies also requires unique, tradeable tokens. Because of this, Stewart is also the author of NEO Enhancement Proposal #11 (NEP-11), an approved proposal for a non-fungible (unique) token standard on the NEO blockchain. Additionally, his Safe Remote Purchase dApp is a decentralized “self-escrow” service which looks to use MCT as its currency. Safe Remote Purchase, which requires the nOS dApp to use, is undergoing final polishing by running on the NEO TestNet.

NEO News Today’s Colin Closser recently caught up with Stewart from South Carolina.

NNT – Colin: So to start off, what’s new with HashPuppies? I know there’s been some news about exchanging the RHT tokens to a more non-fungible implementation.

Joe Stewart: Yeah, we released our non-fungible token contract on the MainNet about a month or so ago. And shortly after that, we released a redemption mini-game. So now, everybody that has been holding on to these redeemable HashPuppy tokens since the airdrop, in the beginning of 2018, they can trade these now for the non-fungible token.

The mini-game allows you to go and do the redemption. There’s a fun claw game where you have to try and catch one of the puppies out of the machine. Really, it’s just a way to entertain you while it’s waiting for the blockchain to process your transaction.

NNT – Colin: [Laughs] Okay. Is there a skill component, or do you end up with the puppy you end up with?

Joe: It’s just random chance. You know, the claw machine will drop a few, but after the timer expires, it checks the blockchain. And the transaction should’ve happened, and you should have a new non-fungible token assigned to your address. And then after you pass that, then you can view all of the puppies you’ve redeemed. There’s an interface called the PuppyDEX where you can bring up all the puppies that you own. And then you can go outside this little adoption center, and there’s a little fenced-in yard where they come out there to play and bump into each other. You can call them and kind of interact with them in a limited way.

It’s a mini-game, it’s not the full game release. We’re going to be releasing the game in stages, most likely. From a financial standpoint, we didn’t have an ICO; we had a tiny bit of funding from NEO Global Capital back in the day, and most of it was funded just from me personally.

So we’re trying to keep going, we believe in the game, and we think the blockchain is ready for a real game–that’s not just pictures on a smart contract, with no real gameplay element. We’re not able to hire a ton of developers like we’d like to, so we’ll make one new area of the game — interactions you can do, different stages, training where you can teach your puppy some tricks and level them up a little bit, there’ll be breeding that comes along because they each have a genetic code. We’re going to keep dropping these releases, and keep increasing the game world over time.

NNT – Colin: Right. I’ve been around since before the first airdrop, and the nice thing about your development schedule, is you’re doing things incrementally. But with no ICO, you don’t have a high-strung Telegram group to manage, so you can develop at your own pace.

From researching MCT, I recall reading that NEO Global Capital funded you with 10,000 GAS, or something like that, back in the day.

Joe: Yeah, they basically approached us about funding, since they were looking into different projects. We asked them to fund HashPuppies, or invest in us in some way. What they decided to do was to buy a large chunk of MCT holdings. We didn’t really have that much, only about 2% of total supply, not a lot. So we gave them 90 percent of what we had in exchange for 15,000 GAS. Unfortunately, the price of GAS dropped like a rock right after that, and ended up only really funding us for a few months at the level we were at, where we had multiple team members in different areas.

But, MCT is not dead by any means —

NNT – Colin: — I understand that. I’ve been keeping an eye on it since the airdrop. It’s going to be the currency for the new HashPuppies game, is that correct?

Joe: Yeah. We’re going to use that, and we’re going to get the puppy auction, and then a marketplace where you can buy accessories and things like that, it’ll all be done in MCT. On top of that, I’m still working on dApps that use the unique properties of MCT, because it does expedite the process of dApp development, and also helps save on contract deployment costs.

Recently, I’ve developed a “Safe Remote Purchase” dApp, completely using MCT. It’s a self-escrow smart contract in the cloud, where two people can do a transaction with each other and let the smart contract handle the funds. I don’t know how much you know about safe remote purchase, where it’s an idea that two people can act as escrow for themselves if both of them put a deposit down, to ensure both parties act in good faith.

NNT – Colin: Oh, so if the buyer reports that the item was not received, both parties lose the deposit. That sounds like something Vitalik would post in his blog. Did that come from Vitalik, or someone else?

Joe: I’m not sure where it came from, really. Someone just stumbled in to the NEO Discord, asking, “Hey, is there a safe remote purchase smart contract for NEO?” I looked around and I didn’t see anything. And I thought, “That would be a perfect use case for MCT.” I made a demonstration smart contract, and it worked, so I thought, “Let me put a front end on it.” And I made a fully working dApp on TestNet, where you can come and do a sale, and like you were saying, if the parties don’t perform as agreed, then they both lose money, they’ve both got something at stake. It’s a neat way to perform a transaction, where you are working with someone that you don’t know, and you don’t trust. But they’ve got something for sale, and you want to buy it.

NNT – Colin: That’s cool. Anybody that’s used eBay has some real-world experience with the concept of escrow and escrow agents, even if they haven’t dove into the game theory behind it.

Joe: Yeah. And we’ve seen people trying to do escrow for tokens, and token purchases.If you have some of these hard-to-obtain NEP-5 tokens, you go into a chat group where an admin will act as an escrow agent. Unfortunately, there have been scam groups that try to imitate the real escrow groups, and people have gotten caught up in that. Or, there was just a case where an admin in a legitimate OTC group was doing escrow 100 percent of the time–until he wasn’t, and he just took the funds.

Putting that functionality into a smart contract is a good use case for MCT, and because it does use MCT it can be deployed for only 90 GAS.

NNT – Colin: So the role of MCT would be as the currency and then the smart contract is the escrow agent? Both sides put up a certain amount of MCT?

Joe: Yeah, so you’d list your price in MCT. And the contract requires that you put two times that price in as a deposit.

NNT – Colin: I see!

Let me backtrack a little bit. When you started developing, and even at the time of the airdrop, HashPuppies was a dream. And, there was really nothing implemented on NEO in terms of non-fungible technology, that could make it a reality yet. And now, we have an NEP – I believe it’s been approved but not finalized–

Joe: Yes, it’s very close to being finalized. NEP-11–

NNT – Colin: –NEP-11, with your name on it, is now a reality. So, how is that progress coming along? You say you’re a few days away from going final. Are you waiting for Erik [Zhang] to do a final review?

Joe: Yeah, I think it’s just the implementations to be done that Erik needs to look at. And everybody should have another round to say, “We did an implementation, and because of what we discovered specifically about how NEO works versus other smart contract blockchains, we need to do some things different.”

For example, enumerators, it’s something that’s a very different idea on NEO. It’s a really great thing that makes smart contracts very flexible when it comes to getting information out of them efficiently. It’s just a question of how to implement those, as the feature is new and was only added six months ago. So, everybody’s got to work through these implementations, and say, like, “Aha! Actually, just getting the token IDs back in a big list is not as useful as getting all the token data back in a big list.” So we’ll have a back-and-forth about the mechanics of the most efficient way that dApps will be able to make use of NFTs. And after that, hopefully all the decisions will be made, and it’ll be finalized.

NNT – Colin: These NFTs contain data that’s unique to the token. Where is this data stored–and is data management an issue with large amounts of NFTs, or is it just trivial?

Joe: Well, you shouldn’t have to store a ton of data in the contract. It’s using contract storage, if you either paid the extra 400 GAS to use storage in your smart contract, or you’re renting storage from the MCT contract by staking MCT, for any key and value pair that you want in the contract.

For a regular NEP-5 token, you’ve got a key, which is the address that owns the token, and then you have a value, which is the actual quantity of tokens they own. It’s very minimal in terms of storage.

The NFT is really, ‘here’s the owner” and then the properties, that could be a DNA string, it could be a URL to find more information about it–you don’t want to put everything in the blockchain. The purpose of the blockchain is to make the information immutable, so the information doesn’t change after you purchase it. So, it’s best to store the things that will need to be changed off-chain in a database, and just have pointers to that information in a smart contract.

Overall, it’s not that much more data. If you have NFTs that are single-use and not divisible, it shouldn’t be that much of a problem to store the data. It might be more tricky if divisible non-fungible tokens are introduced.

NNT – Colin: I was reading the conversation about that in the GitHub. Where’s the consensus going on that, has it been sorted out? I understand that people were looking at this, for example, for tokenization of real-world assets, which of course was one of the original goals of AntShares.

Joe: Yeah, they want to be able to have it so you can have multiple owners of a real-world asset. Which is not something you can do with an NFT unless you use a multi-signature wallet, which would not work for larger groups of people–a hundred thousand people owning a fraction of an asset.

I think that it’s going to happen, but I don’t know when. We require someone to have the need for, the use case, where someone needs their business model to depend on it. And they’re basically the ones that are going to push that standard forward. The NEO core development team has their hands full with NEO 3.0, so they’re looking for the community to come in and propose these standards, to let the people who are actually writing the dApps that need this functionality decide what they need. And then, we’ll all talk about it and decide on it.

We need a venture that’s going to base their business model on divisible non-fungible tokens, and then we’ll see a proposal [a new NEP]. There’s a little bit of information in NEP-11 about divisibility–specifying whether an NFT is divisible or not. But I don’t think divisibility standards should be part of NEP-11. I think there should be two NEPs for those two types of applications.

NNT – Colin: It’s been nice to see everything that people were dreaming about in the bull market, the actual products are starting to roll back around.

Oh, and one other thing about MCT–the original issue it addressed was that smart contracts couldn’t send native assets (NEO and GAS). That’s going to be addressed in NEO 3.0, as I understand, with NEO and GAS moving to the NEP-5 standard. But, the other use cases of MCT will stay live?

Joe: The benefits of MCT in terms of direct transfer of assets, that will be mitigated somewhat by design changes of NEO 3.0. The thing we are still uncertain about is: What are the storage costs of NEO 3.0 going to be? There’s been talk about deployment costs being reduced. But some of the pricing models that have been proposed early on–the price of storage is still pretty high.

So, I think MCT is going to exist in some form or another on NEO 3.0. There should be some form of token swap. We’re going to need a currency, an in-game token that we are going to use. It’s logically the right choice to move from NEO 2.0 to NEO 3.0. And then, take all the knowledge we gained after its release, and say, “What are the things that we can enhance about it? What can we add to this token now on this new platform that will have a benefit? Even if there’s nothing–NEO 3.0 is perfect and there’s nothing we need to solve–MCT is still just as valuable as any other project’s utility token. It still has that inherent value of being the currency of the dApps we make using it.

It’s too early to tell right now how we are going to adapt to the new ecosystem.

NNT – Colin: You know, at this point, despite being one of the longer-tenured members of the NEO ecosystem in one form or another, I cannot contribute in a meaningful way to the official #support Discord channel for NEO because my level of technical understanding isn’t deep enough. I noticed you’re all over that channel. I have to give you credit–NEO is my home blockchain, and I can’t keep up.

Joe: You have to stay immersed, because it changes so fast. If you’re not writing code for multiple different projects, or loading every single wallet and trying to do weird things with them, it’s going to be hard to come up with an answer when somebody walks into the #support channel with a weird question.

NNT – Colin: Dean [Jeffs] said that you enjoy troubleshooting, solving problems, and tinkering with code. Is that one of the ways you give back to the NEO community, like an official job? Or did you figure out that if that if you’re not doing it, nobody else can?

Joe: Well, it started out being, you know, if no one else was doing it, I would do it because I had the information from the things I was working on, to help people. But then it turned into a job. I get paid by City of Zion through the grant that they got through NEO. I’m doing not just support now, but also overseeing some of the GitHub repositories. Making sure that contributions are paid, and prioritizing the issues that come in and marking them. So if someone comes in and wants to contribute a patch to fix an issue, they’ll know in advance how much it’s worth to City of Zion, and how much they’ll get paid as a result of successfully getting it merged.

So that’s my job, besides doing this work for Splyse and HashPuppies and other dApps using MCT, I’m also doing those things for City of Zion.

I don’t see myself as a software engineer; although I write a lot of code, it’s more the problem I solved through writing the code that’s satisfying to me. I come from a reverse-engineering background. I spent a lot of time in the information security industry doing malware analysis. I liked taking a “black box” piece of code and understanding how it’s being malicious on your system, or just taking something that I don’t have the source code to, maybe, but I can figure out why it’s breaking, and have ideas on how to fix it.

NNT – Colin: Dean told me a couple of amusing anecdotes about how you were researching Nigerians who were using malware to extort people and also directly steal funds. And they were purposely or accidentally infecting themselves, and then you were able to use their own software to remotely view their activity?

Joe: That’s basically it. They have these huge enterprises that spend all their time trying to send malware to businesses, trying to get account credentials to their email inboxes. And they’ll look for transactions that are occurring where a high dollar amount is about to be transacted, and they’ll see, “Here’s the wire transfer instructions.” They’ll position themselves where they can control the conversation, and then put their bank account on that wire input.

We saw that a particular sample running in a sandbox was trying to send screenshots and email credentials from the infected sample, and it was sending it to an open directory with all the other screenshots of all the victims. We figured we should probably grab those and notify the companies they’ve been hacked, and what we saw was people talking about the crime in progress in the screenshots themselves.

We figured it had to be incredible luck that we found this. So we started getting all the malware we could with the same signature, and running it all on our sandboxes. Figuring out how much of it is doing the same thing — it turns out a lot. It’s their normal mode of operation to infect themselves with the malware to test it, and they just forget to remove it, because they think nobody’s watching the web servers that they’re uploading to.

Every ten minutes we would hit their server and scrape their conversations. And we would see, “They’re about to intercept a million-dollar transfer, let’s see if we can sabotage that.” We would do something to try and disrupt that transaction without tipping off the hacker that we were watching them.

NNT – Colin: [Laughs] That is pretty interesting!

Joe: It’s pretty fun, but after a while, you get kind of bored of it. I was looking for newer things to do, and blockchain smart contract programming came onto our radar, and NEO looked really promising. So I jumped over from that world, into blockchain.

NNT – Colin: Even though your security background isn’t necessarily from blockchain, I’d imagine you have a pretty good overview of blockchain security at this point.

It’s my personal opinion that the hardware wallet is the single biggest step that a retail cryptocurrency investor can take to secure their currency. Do you agree or disagree with that?

Joe: I definitely agree with that. I’d be highly paranoid about having a significant amount of funds not in a hardware wallet, just because of what I’ve seen with malware. How clever malware can be to steal cryptocurrency, and how much of it there is that’s written specifically to steal cryptocurrency.

This is something I did a paper on back in 2014, and [the industry] is even bigger now. It’s crazy that someone would trust their personal computer to store their private keys if they’ve got significant funds, because it’s incredibly scary how many people have come and said, “There’s just no way I could have gotten hacked because I had my antivirus running.” Malwarebytes or something.

I’m like, “Are you kidding?” Hackers have that, too. They know before they send something to infect you that it’s not going to be detected. They’re not going to give you something that’s going to be detected already. So it’s definitely about hardware wallets– and if you can’t do that, then we’ve got the offline signing capability now into Neon Wallet, which is great. I’ve actually gotten Neon to run on a Raspberry Pi. So people can take that hardware wallet concept and just make it work from an offline-standing Raspberry Pi. It’s a little bit cheaper than a Ledger, and a Raspberry Pi you can do more than just that with, so it might be more fun.

NNT – Colin: The thing about having antivirus, is that it’s impossible to prove a negative, as you probably know from an engineering standpoint, and they’re telling you that you don’t see something. But if there’s custom code or custom malware that no one’s complained about, or hasn’t been detected yet, it’s going to report a negative. But it’s hard to take a negative as Gospel, only a positive can be confirmed.

Joe: Right. The hackers are always depending on that. And they always have a lead time of one or two weeks. While eventually that sample will make its way up and enough antiviruses will detect it so you’ll have reasonable assurance that it’s not going to run on most machines, during that gap, that’s where they operate. That’s where they live and make their money.

NNT – Colin: Is there anything we didn’t cover that you’d like to air out?

Joe: There’s so much knowledge to have about every single player in the NEO ecosystem, it’s just huge. Even though people say “NEO’s not getting widespread adoption,” it’s still a lot to know and take in. There’s a lot of activity that people just don’t see.

I think people need to be patient, I think adoption will come. We need to get more real-world use cases out there, and people will see what a superior technology NEO is. With .NET and Python built in, it’s very easy to get up to speed. We need just keep working on the tools, and making everything more user-friendly. All the progress that I see in this direction is pretty positive.

NNT – Colin: I hate to take a “Field of Dreams”-type approach, “If you build it, they will come.” But if you don’t build it, this will never happen. Building is a requirement, not an option. If you’re going to have a token that’s viable in the long-term that’s not pure marketing, there needs to be significant construction.

Joe: People may complain that “NEO doesn’t have enough marketing,” but I’m more concerned about the technology and how that’s developing. As long as that’s going to plan, and everything’s getting better, the rest of it will come later.

NNT – Colin: You said you were overlooking contributions in GitHub. Did you want to give any specific shoutouts and encourage people to contribute?

Joe: I’m overseeing neon-js, neo-go, and neo-storm [a Go compiler], neo-debugger-tools, and neo-scan–not the website, just the source code repository. I think we would really love to have more people working on neo-scan, specifically, we need Elixir developers. That’s an eligible CoZ project, so you can get paid for your pull request to get merged. If anybody has that background, they should definitely check that out.

NNT – Colin: I’ve noticed NEOScan has become the default block explorer for Binance and other large corporations. It’s become viewed as the most reliable block explorer.

Joe: It’s a good, fast explorer, but we could do so much more. Interacting with smart contracts, getting more information about invocations and transactions. I would definitely like to see that get enhanced.

NNT – Colin: Let’s say someone or their brother is an Elixir developer. Should they show up in the NEO Discord?

Joe: They don’t even have to do that. Just go to GitHub and check out the issues. They’ve all been tagged by priority. There’s a reward matrix…once they get their code merged, somebody from City of Zion will reach out to them, and say, “What’s your NEO address?”

Joe Stewart is CEO of Splyse, Inc.