A Mechanical Engineer's Guide to Become a BOSS
An un-timed program to learn CS and Bitcoin
This guide is for people with a technical background (e.g. mechanical engineering) who want to get serious about Computer Science and Bitcoin. The program is un-timed: you go at your own pace. The structure follows Plan, Create, Assert: you have a plan (this curriculum), you create (you study and build), and you assert (you check yourself against milestones). Opsec and security come first—they protect your identity, devices, and funds before you touch Bitcoin or sensitive topics. Then you build foundations in CS, then Bitcoin. Culture (books about how software and open source work) runs in parallel as ongoing reading.
Disclaimer: I don’t usually use AI for my blog posts, but I used it here to craft the explanatory paragraph for each part. The structure, the guide, and the choice of topics are my own—or based on what I learned at Vinteum.
Preface: Opsec and Security
Treat this as your foundation. Before you go deep into Bitcoin or anything sensitive, lock in the habits below. They protect your identity, your devices, and your funds. Each section has links so you can go deeper when you’re ready.
PGP
PGP lets you sign and encrypt messages and prove that you wrote something. For code, that means signing git commits so others can verify your work. Use a strong primary key with an expiration (e.g. under two years) and set a calendar reminder. Generate a revocation certificate when you create the key—if you lose it or it’s compromised, you can publish that cert so people stop trusting the key. Always verify key fingerprints out-of-band before trusting someone; don’t rely on keyservers alone. Prefer RSA-3072 unless you need compatibility with older setups. If a contact has multiple devices, encrypt to all of their subkeys so they can read the message on any of them. And yes: sign your commits.
References: GnuPG FAQ.
Nyms (pseudonyms)
One identity tied to everything is a single point of failure. Use distinct personas for different contexts: work, public writing, nym projects, high-risk activity. Compartmentalization means that if one identity is doxxed or compromised, the others stay separate. The hard part is discipline. OPSEC is as much behavioral as technical—avoid patterns that link your personas (posting times, phrasing, interests). Decide the rules for each nym and stick to them.
No single official source; the ideas above are standard OPSEC practice.
Lockdown Mode (Apple)
If you’re in a high-risk category—journalists, activists, or anyone who might be targeted by mercenary spyware—Apple’s Lockdown Mode is worth turning on. It sharply reduces attack surface: most message attachments are blocked, complex web tech is limited, FaceTime is restricted, configuration profiles and MDM are disabled, and so on. Phone calls and plain SMS still work. Many people assume the phone becomes unusable; in practice, day-to-day UX often stays acceptable.
References: About Lockdown Mode, Lockdown Mode security (Apple).
2FA and Yubikey
Two-factor authentication stops most account takeovers—but SMS-based 2FA is weak. Your phone number can be hijacked via SIM swap, and then the attacker gets your codes. Use an authenticator app or, better, a hardware key. A YubiKey stores passkeys and second factors on the device; they can’t be phished or copied. Buy two: use one daily and keep the other as a backup (or in a safe place). Register both with critical accounts so you don’t lose access if one is lost.
References: Yubico Best Practices, Getting Started with YubiKey.
Proton Mail
Email is a giant leak: providers can read it, and one breach can expose years of correspondence. Proton Mail encrypts mail end-to-end by default and uses zero-access encryption on their side, so they can’t read your inbox even if asked. It’s a solid choice for your main identity and for reducing exposure when you don’t want a big tech mailbox tied to everything you do.
References: Proton: End-to-end encryption, How encrypted email works.
MyNymBox
When you host a site, run a server, or register a domain for a nym, you don’t want it tied to your real name or payment history. MyNymBox is built for that: shared hosting, KVM VPS, domains, and email, with anonymous ordering. Sign up with an email alias only; no KYC. Pay in Bitcoin or Monero via their gateway. Servers sit in privacy-friendly jurisdictions (Netherlands, Germany, Finland). Shared hosting can serve Tor (.onion) and I2P (.i2p); VPS gives you root and a dedicated IP. Use it to keep nym projects and contact points off your main identity and off infrastructure that knows who you are.
References: MyNymBox, Shared hosting, VPS, About MyNymBox.
WireGuard or Tailscale
You need to reach your own machines from anywhere—SSH to a home server, hit a self-hosted app, or manage a node—without opening ports to the world or trusting sketchy Wi‑Fi. WireGuard is a lean VPN: tiny codebase, modern crypto, fast. You manage peers and keys; each device gets a virtual IP and they talk as if on the same LAN. You can build a mesh, a hub-and-spoke, or site-to-site. Full control, more setup. Tailscale is WireGuard with a coordination layer: sign in (e.g. Google or GitHub), and your devices join a private “tailnet” with almost no config. No port forwarding, no dynamic DNS; traffic is encrypted point-to-point. For full self-hosting, run Headscale as the open-source control server. Either way, you get secure remote access without exposing services to the whole internet.
References: WireGuard, What is Tailscale?, Tailscale remote access.
Signal
For day-to-day chat, use something that doesn’t hand your messages to a central server. Signal encrypts messages, voice, and video end-to-end by default; the service can’t read them. Set a strong Signal PIN (store it in your password manager), turn on Registration Lock so your number can’t be re-registered without it, and verify safety numbers with people you care about. Use usernames so you don’t have to hand out your phone number; turn on disappearing messages for sensitive threads. In settings, disable “find me by phone number” and disable showing message content in push notifications.
References: How to protect yourself on Signal, Signal privacy policy.
eSIM and SIMs without KYC
A mobile plan that requires ID ties your number to your identity and to the carrier’s database—handy for SIM swap and data requests. Silent Link (silent.link) offers global eSIMs in 160+ countries with no KYC: pay-as-you-go, no mandatory data caps, pay with Bitcoin or Lightning. Data-only plans (e.g. DATA.PLUS) and, where available, a US number with inbound SMS (e.g. US.PLUS) for activations. Funds and account don’t expire. Pair this with hardware 2FA (no SMS) and Signal and you’ve reduced both the value of stealing your number and the link between that number and your real identity.
Reference: Silent Link – Stay connected privately with global eSIM.
Bitcoin wallets and Lightning
Self-custody means you hold the keys—no exchange or custodian can freeze or lose them for you. Back up your seed phrase in a safe, offline way; never in a password manager or the cloud. Use a hardware wallet for any amount you care about; for larger stacks, look at multisig. Don’t advertise balances or setups. Run your own Bitcoin node so your wallet doesn’t leak addresses and balances to someone else’s server. The references below go into seed hygiene, hardware wallets, and the dos and don’ts of self-custody.
References: How to keep your Bitcoin safe (Bitcoin Magazine), The infosec basics: how to keep your Bitcoin seed phrase secure (Bitcoin Magazine), The dos and don’ts of Bitcoin self-custody (Bitcoin Magazine).
Mullvad VPN
When you need a VPN—public Wi‑Fi, travel, or hiding your IP from the site you’re visiting—pick one that doesn’t log. Mullvad doesn’t collect user data and has a public no-logging policy; they’ve said they’d shut down before spying on users. The app ships with a kill switch and DNS leak protection; they don’t offer dedicated IPs, so your traffic isn’t tied to a single address. The app has been independently audited. Use Lightning to pay; no email required to sign up. Use the Lockdown mode to avoid leaking VPN usage.
References: How we handle government requests, Mullvad privacy, 2024 security audit.
GrapheneOS
Stock Android ships with Google and carrier code that you don’t control. GrapheneOS is a privacy- and security-focused Android build: no Google apps by default, optional sandboxed Play services if you need them, hardened kernel, verified boot, and strict app permissions. It only runs on Pixel devices, which get solid security updates. If your threat model includes device compromise or you want to minimize what your phone leaks, it’s a strong option.
References: GrapheneOS, Features.
Supply chain attacks, bad USB, links, JavaScript, AI agents
Habits that add up. Dependencies and installers can be compromised—prefer verified or reproducible builds when they exist, and keep stacks updated. Don’t plug random USB devices into a machine that holds keys or sensitive data; in public, use a charge-only cable or a USB data blocker. Before clicking, hover links to see the real URL and treat short links with suspicion. Disabling JavaScript (or using a strict browser profile) on sensitive or one-off sites shrinks the attack surface. When using AI coding tools, never paste secrets, keys, or credentials into prompts, and treat generated code as untrusted: review and test before you run it. Know the risks of using AI agents such as OpenClaw.
Layers, not silver bullets. No single measure is enough, but together they limit how far one compromise goes. Combine these with strong 2FA, compartmentalization, secure messaging, and self-custody hygiene so one mistake doesn’t cascade.
Separation of concerns
Don’t mix risk levels on the same device or account. Use different machines or identities for work, for nyms, and for high-value Bitcoin. If one context is compromised, the others stay behind a wall. Compartmentalization is the theme running through this whole preface: separate identities, separate devices, separate keys.
Part 1: Computer Science intro
Work through in this order. Take your time.
- Intro to CS (YouTube playlist 1)
  Playlist — First pass at how computers and programming work.
- Intro to CS (YouTube playlist 2)
  Playlist — Second leg of foundations.
- OSTEP — Operating Systems: Three Easy Pieces
  ostep.org — Free online. Virtual memory, threads, filesystems, concurrency. Essential OS concepts.
- Structure and Interpretation of Computer Programs (SICP)
  Classic book on abstraction, recursion, and how to think in programs.
- Grokking Algorithms
  Accessible algorithms and data structures.
Part 2: Bitcoin
After (or overlapping with) CS foundations, do Bitcoin in this order.
- Bitcoin Whitepaper — Satoshi’s original paper. Start here.
- Bitcoin (YouTube playlist 1)
  Playlist.
- Bitcoin (YouTube playlist 2)
  Playlist.
- Bitcoin Development Philosophy (book)
  Culture and values of Bitcoin development.
- Mastering Bitcoin (book)
  Protocol, keys, addresses, and usage in depth.
- Mastering Lightning (book)
  Lightning Network: channels, routing, and operation.
Ongoing: Culture
Read in parallel with the rest. One book at a time is enough.
- CODE by Charles Petzold — How hardware and code connect; great for engineers.
- The Cathedral and the Bazaar by Eric S. Raymond — Open source, collaboration, and bazaar-style development.
- Just for Fun by Linus Torvalds — The story of Linux and open development.
- Clean Code by Robert Cecil Martin - Readable, maintainable code and practices that scale.
- Bitcoin Explained by Aaron van Wirdum and Sjors - Podcast with conceptual and technical overview.
Deeper: Cryptography and Security
Slot in after CS intro (or in parallel with Bitcoin) when you want more depth.
- Real World Cryptography by David Wong — Applied crypto: what’s used in practice and why.
- Hacking: The Art of Exploitation — Low-level exploitation and security from first principles.
Assert: How to know you’re on track
Use these as checkpoints, not deadlines.
Opsec: PGP key created and revocation cert stored; at least one nym separated from main identity; 2FA (prefer hardware) on important accounts; understanding of when Lockdown Mode / GrapheneOS / Mullvad make sense for you; Bitcoin wallet and backup procedure in place if you hold.
CS: You can explain what an OS does (processes, memory, files); you’ve done meaningful chunks of OSTEP and SICP (or equivalent); you write cleaner code and can discuss tradeoffs; you can reason about simple algorithms (e.g. from Grokking).
Bitcoin: You can explain why “not your keys, not your coins”; you’ve read (or listened to) at least one of the philosophy/explained resources and one of the technical books (Mastering Bitcoin or Lightning); you can describe what Lightning is and when you’d use it.
Culture: At least one of CODE, Cathedral and the Bazaar, or Just for Fun read.
If you can’t explain something in your own words or do a small task (e.g. verify a PGP key, run a node, open a channel), go back and close that gap. The program is un-timed so you can iterate until the Assert step holds.
Exercises
Once you have some CS and Bitcoin basics, put them to work. These three exercises are ordered by dependency: the first is protocol and sockets; the second is Bitcoin’s P2P layer; the third is about joining a real project.
Exercise #1: SMTP client (no SMTP libraries)
Task: Implement a minimal SMTP client in C, Go, or Rust without using any existing SMTP library. Your program should connect to a mail server (e.g. on port 25 or 587), perform the handshake, and send one email: you issue the raw SMTP commands (EHLO, MAIL FROM, RCPT TO, DATA, body, .).
Why: You learn how a text-based protocol works over the wire—TCP, line-oriented dialogue, and status codes. You’ll also deal with encoding (e.g. base64 for auth if you add it), timeouts, and error handling. Reading the SMTP RFC (or a summary) is part of the exercise. Use C if you want to go low-level with sockets; Go or Rust if you want to focus on the protocol with a bit more safety and structure.
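An added example (not part of the original guide) covering two parts of Exercise #1 that are easy to get wrong: reading multi-line replies such as the EHLO response, and dot-stuffing the DATA body so a line containing only "." inside the message cannot end it early. It is written in Go, one of the three suggested languages; `Reply`, `ReadReply`, `DotStuff` and the sample server lines are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Reply is one complete SMTP server reply; multi-line replies are merged.
type Reply struct {
	Code  int
	Lines []string
}

// ReadReply consumes one reply. Continuation lines look like "250-text",
// the final line like "250 text" (RFC 5321, section 4.2.1).
func ReadReply(r *bufio.Reader) (Reply, error) {
	var rep Reply
	for {
		raw, err := r.ReadString('\n')
		if err != nil {
			return rep, err
		}
		line := strings.TrimRight(raw, "\r\n")
		if len(line) == 3 {
			line += " " // a bare code with no text is a valid final line
		}
		if len(line) < 4 || (line[3] != ' ' && line[3] != '-') {
			return rep, fmt.Errorf("malformed reply line %q", line)
		}
		code, err := strconv.Atoi(line[:3])
		if err != nil || code < 200 || code > 599 || (len(rep.Lines) > 0 && code != rep.Code) {
			return rep, fmt.Errorf("bad or inconsistent status code in %q", line)
		}
		rep.Code = code
		rep.Lines = append(rep.Lines, line[4:])
		if line[3] == ' ' {
			return rep, nil
		}
	}
}

// DotStuff encodes a body for DATA: CRLF endings, leading "." doubled, then the lone "." terminator.
func DotStuff(body string) string {
	body = strings.TrimSuffix(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	body = strings.ReplaceAll("\n"+body, "\n.", "\n..")[1:]
	return strings.ReplaceAll(body, "\n", "\r\n") + "\r\n.\r\n"
}

func main() { // constructed EHLO reply, not captured from a real server
	fmt.Println(ReadReply(bufio.NewReader(strings.NewReader("250-mx.example.test\r\n250 STARTTLS\r\n"))))
	fmt.Printf("%q\n", DotStuff("hello\n.\nstill body"))
}
```

A real client should also reject CR or LF inside anything it places on a MAIL FROM or RCPT TO line, since those values end up in the same line-oriented stream.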
Exercise #2: Bitcoin seeder
Task: Build a Bitcoin seeder. A seeder is not a full node: it doesn’t validate blocks or store the chain. It only talks the Bitcoin P2P protocol enough to connect to real nodes, request and receive addr (peer addresses), and store them. Then it serves that list to other clients (e.g. via DNS or HTTP) so new nodes can bootstrap and find peers. You’re mimicking the discovery side of a node without the heavy lifting.
Why: You get hands-on with the Bitcoin P2P protocol: version handshake, getaddr / addr, and the rules of the wire format. You’ll see how peers find each other in the wild. For reference, Pieter Wuille’s bitcoin-seeder is the canonical implementation; study it for design and protocol details, then implement your own version (or a minimal one) in the language of your choice.
Exercise #3: Find a BOSS project and start with PR review
Task: Pick a Bitcoin Open Source Software project that excites you (e.g. Bitcoin Core, LND, Core Lightning, BDK, a wallet or tool). Don’t rush to write code. Start by reading and reviewing open pull requests: read the code diff, the discussion, and the review comments. Understand why changes are requested, how the project’s style and rules work, and what “good” looks like. Once you’re comfortable, try a small contribution: a doc fix, a test, or a tiny code change. Your first goal is to be a useful reviewer and a familiar name in the project.
Why: Real BOSS work is collaborative and review-heavy. Reading PRs teaches you the codebase, the conventions, and the maintainers’ expectations without the pressure of writing the perfect patch. You learn how patches get refined and what gets rejected. That foundation makes your first contributions more likely to land and helps you become someone the project trusts. Never open a PR full of vibecoded stuff without actually knowing what you are doing.
Be informed
Learning from a curriculum is one thing; staying current is another. Once you’re in the ecosystem, follow what’s actually happening: protocol changes, soft forks, new tooling, and how the community argues and decides. The resources below help you do that without relying on algorithm-driven feeds or low-signal social media.
- Bitcoin Optech — Weekly newsletter and guides on Bitcoin and Lightning. Covers upgrades, best practices, and operator-focused summaries. One of the best ways to keep up with protocol and ecosystem news.
- Delving Bitcoin — Research and deep dives: papers, discussions, and technical write-ups on Bitcoin protocol and related topics. Good when you want to go beyond intros.
- bitcoin-dev mailing list — Where protocol changes and design decisions are proposed and debated. Read threads to see how Bitcoin evolves; lurk before posting.
- Satoshi’s emails (Bitcoin list) — The original Bitcoin list archive. Historical context and the ideas that shaped the protocol.
- Bitcoin Magazine — News, culture, and guides. Broader coverage; use it alongside the more technical sources above.
- Bitcoinheiros — Quality Bitcoin content in Portuguese (YouTube).
Good luck. Do Opsec first, then CS, then Bitcoin. Keep culture as ongoing reading, do the exercises when you’re ready, stay informed, and revisit this list when you need the next thing.