On November 9th, at the “2019 World Blockchain Conference·Wuzhen” sub-forum sponsored by Babbitt – “Blockchain Events: New Hotspots and Explorers”, Slow Mist Technology Partner and Safety Product Manager Keywolf, founder and CEO of Chengdu Chainan Technology, Yang Meng, the head of Matrixport's custody business, Wu Mengxia, BigONE COO Cheng Jun, and the bite partner Wang Chao, have a roundtable discussion on “Insecure, why is the world?” CMO Chen Xiaohai also supported.
With the continuous development of the blockchain ecology, the places where security incidents occurred also ranged from the initial exchanges and wallets to the various Dapp and DeFi platforms. Attacks emerge in an endless stream, ranging from hacking, phishing attacks, and malicious code embedding. Around the security of user assets, the blockchain world is playing an alarming security attack and defense battle all the time.
In the roundtable discussion, representatives from blockchain security companies, exchanges, wallet vendors, and custodians discussed in depth the security of the blockchain. The following is the round table discussion, Babbitt finishing:
- Wuzhen • Tencent Blockchain Cai Weige: Application into the outbreak period, how to achieve the link from the chain to the chain?
- Wuzhen·ChainNode (chain node) CEO Qu Zhaoxiang: Popular science + cultural creativity, making the blockchain popular
- Wuzhen·Zhu Xi, Da Yu, Zhang Li, Dominic on Wuzhen, who is the future of POW and POS?
- Wu Zhenqun, CEO of Wuzhen·Zhi block network: Formulate an equality mechanism to improve the high availability of blockchain and make everyone mine at home
- Wuzhen·Bai Shuo: To compete with Libra, we need to establish a legal digital currency system.
- Wuzhen • Quark Chain Yang Yaodong: High-performance heterogeneous alliance chain Pratt & Whitney, serving the real economy
Blockchain security is taken to new heights
Chen Xiaohai: As everyone knows, at the 18th collective study meeting of the Central Political Bureau on October 24, the national leaders made a lot of guidance on the blockchain theme, especially in the field of blockchain security, emphasizing the promotion. Blockchain security and orderly development (full text link: https://www.8btc.com/article/501634 ).
Please let the guests stand in your industry's perspective, how to understand the blockchain security? When this wind vane is marked, what security layout will you make in your own industry?
Keywolf: The Blockchain Learning Conference mentioned a lot about how the blockchain develops safely and orderly. I think this is inseparable from the introduction of relevant policies or norms. We have also discussed with many institutions and government departments before. We entered the first batch of industrial development white papers of the Ministry of Industry and Information Technology in 2018. After that, we also cooperated with Chongqing Netan Corps, China Telecom Group, National Defense Science and Technology University, Fujian. The Provincial Blockchain Development Foundation and other exchanges, and we are one of the five security units of the Blockchain and Network Security Technology Joint Laboratory of Dawan District, Guangdong, Hong Kong and Macau. We also handed over many of the practitioners' opinions to many blockchain practitioners, including the status quo of the entire industry and the direction of the entire development.
I think that the corresponding policies in this area will definitely be announced at the appropriate time, which will guide the ecological project parties in the entire blockchain industry, so that we can continue to develop healthily and safely, in accordance with our corresponding standards. Moving forward, the blockchain industry will usher in a better spring.
Yang Xia : Blockchain is a very important infrastructure. Security is a very important part because it involves a lot of assets and data transactions. How to establish a self-controllable and independent innovation security system? Our company has made a lot of efforts in this regard:
First, the one-stop blockchain security platform we have made is all independent innovation, and has applied for more than ten patents. In companies that specialize in blockchains, we should rank first.
Secondly, in terms of standard setting, we participate in the writing of the national blockchain safety standards of the Ministry of Industry and Information Technology. As a security company, it is also a very important obligation for us to do.
Third, in the industry, because this study mentioned promoting the healthy development of the industry and reducing the risk of the industry. The security inside is not only the security of the technology itself, but the wider social security. In this regard, we have established a strong chain asset tracking system that can assist the public security department in investigating cases of digital currency extortion or theft, and sound positive energy for the healthy development of the government and industry.
Wu Mengxia: The main message I read in this speech is that the state will certainly manage the blockchain through technical means and legal framework. I think the blockchain itself is a very powerful tool. First of all, it is a decentralized or absolutely centralized governance structure. It establishes a consensus mechanism or incentive mechanism to complete decentralized governance. This in itself is a good tool, but I think the state conveys a very important spirit in this article, that is, regulation will occupy a very important role in the governance structure.
Cheng Jun: In fact, this study mentioned promoting the safe and orderly development of the blockchain. It is about top-down unified thinking. It is bound to have policies of various departments, including system design and legal compliance design. There must be some innovation in government services. So for us, we have to think about what to do from the bottom up. We should do long-term and valuable things, do not do short-term behavior, do not do things that cut users, do not do fake money. The development of any industry and the regulation of the policy are mutually influential, that is to say, if the industry is very radical, the employees are very excited and very stimulating, and may have a one-size-fits-all supervision; on the contrary, if the practitioners in this industry compare If you are safe and able to combine your personal interests with the long-term interests of the industry, you may be able to usher in a more relaxed environment and policies. Therefore, I feel that it is not appropriate to throw the compliance issue to the government, but to start from itself. This is my understanding of the industry.
Wang Chao: I think that the first thing that should be the most important thing to watch is not safety. Instead, there is a saying called "Exploring the Law of Future Development." Since we have to explore, there must be a right place to go, and there is also a wrong place to go. Safety is behind. We must first explore, but we must set security boundaries in our exploration, including financial security, regulatory security, foreign exchange security, including the security of financial competition in the future international market. As practitioners, we must do what we do well and work with the documents to promote the development of the industry.
The 8 months loss amount exceeds $3.3 billion. How does a security company build a protection network?
Chen Xiaohai: Next, ask questions for each person about the industry. From January to August this year, the blockchain industry lost as much as $3.3 billion in assets due to security incidents. This number is shocking in the industry of small digital asset encryption. So from the perspective of blockchain security industry companies, why are there so many security vulnerabilities? What do you do in these areas from your own industry?
Keywolf: In the early days of the blockchain , the ecological development was a bit fast. Many project parties pay more attention to the growth of their platform's business volume, user volume, transaction volume, etc., but in fact, in many underlying basic functions or platforms. Some of the modules that didn't keep up with the development of the business would lead to fake recharge vulnerabilities or Ethereum black Valentine's Day vulnerabilities. When we released these vulnerabilities, we included very detailed bug fixes and best security practices.
At the same time, for the EOS ecosystem, we also released a lot of security vulnerability documents about EOS smart contracts, explaining in detail the principles of the vulnerability and how the code should be written so that there are no loopholes in the best security practices, and we also provide a chain Smart contract firewall.
We also continue to build a secure infrastructure to provide security for the entire blockchain ecological project, not only for exchanges, wallets, public chains, mines, mining pools, etc., we have accumulated a lot of jobs. Safety experience, and constantly turn the experience into a standard product, giving back to the entire industry customers with a lower threshold.
Yang Xia: Every month we have a monthly security report for the blockchain, such as what security vulnerabilities, security incidents, and how many security losses occur this month.
For the protection of security vulnerabilities, it is not for anyone who wants to do it. I have been doing it for more than ten years, but I still have not done it because the scope of security is too wide. We are building a one-stop, all-ecological, life-cycle security platform for blockchain applications. From blockchain application development, we develop IDEs for multiple block platforms, and are the first to develop products for smart contracts. The detection of the code, coupled with the perception of the eagle eye we made, enables safe monitoring during operation. For the exchange, we have established a comprehensive security defense system. The topic of security is very long-term. For security companies, in addition to the technical level, what we still have to do is to help the industry develop healthily and to make more positive energy sounds, so that everyone realizes that the security of this industry is not only technical security itself. Also be self-disciplined.
Safety investment accounts for more than 20% of IT expenses. Is the asset foolproof?
Chen Xiaohai: Due to its relationship with Bitcoin, Matrixport is a very popular project. We have also seen the security solutions announced by Matrixport. Similar to corporate online banking, hot storage and cold storage, these security defense solutions should be extremely safe. So please ask Mr. Wu to explain how to treat extremes, extreme and absolutely. A long distance?
Wu Mengxia: Extreme security does not mean absolute safety. From our point of view, it is extremely reflected in several aspects: On one side, everyone knows that Matrixport was first distributed from Bitland. Now, the Matrixport hosting solution is the first to do its own asset management within Bitland. At the peak, Bittland itself has billions of dollars in digital asset custody, which is very challenging. We have seen some programs in the industry, but we are not satisfied, so we are going to build a solution. Therefore, we are based on the emphasis on our own funds at that time, and invested in such a set of infrastructure construction regardless of cost. Now, we hope that we can export this infrastructure to other employees. We don’t need to repeat the construction. Because we build it ourselves, we also know the investment in this, whether it is money investment, more time and How much is the investment in professional ability.
The other piece is that the company attaches great importance to safety. Our company's investment in security accounts for nearly 25% of the total IT investment. We have the highest level of encryption in the industry, using multi-signature technology. At the same time, we have a cold storage center on three continents. Its computer room is anti-electronic attack. There are security personnel at 7×24 hours. The general earthquake or flood will not affect the operation of large data centers.
There is another piece. Safety is often a consciousness, and a lot of time is a cultural construction. Our company has a sample demonstration based on real security incidents every two weeks and conducts safety training for employees.
In general, from device security, operational security, and information security, we have designed the entire end-to-end security process for our products.
Chen Xiaohai: The exchange is considered to be a safe and hard-hit area, such as the disclosure of stolen money and user information, which will frequently appear in the public's field of vision. Including some time ago, Mr. Yang mentioned that a well-known large office still has not escaped the attack of hackers. So from the perspective of the exchange, how do you guard against the safe operation of the exchange?
Cheng Jun: In fact, for the exchange, security is a lifeline. It is the bottom-level technology for us to settle down. It is a bottom line. Therefore, we have been cautious about the safety of the exchange, such as thin ice. Our investment in security accounts for more than 20% of the total IT cost.
The exchange encounters a lot of security attacks, including hackers using contract code for attacks, fake recharge attacks, and attacks using Trojan horses from staff members' mailboxes or staff devices.
What we have to do is eight words: internal and external combination, both the symptoms and the root causes. “Inside” means that we have a very complete risk risk control system. This set of risk control system is strictly promoted and implemented from personnel training to the entire equipment to the entire business process.
We will cooperate with many external third-party cooperation agencies. For example, we have been cooperating with slow fog. Slow fog has tested the safety of BigONE a while ago, and issued a monitoring report involving six major items. 29 types of services, including DNS, DOS attacks, cloud databases, etc., all of our 29 items are excellent, which is also an endorsement of our own attitude towards safety for such a long time.
Chen Xiaohai: The Bitup has declared that there has never been any security incident. I wonder if it has never happened before, or has it happened but it has been hidden?
Wang Chao: We announced a 6-year security incident, keyword: 6 years. There are not a few homes that have been living in the wallet for six years. There have been no safety incidents in the past six years, and there is almost no worldwide.
A bitt wallet is a decentralized wallet or an unmanaged wallet. If it is attacked, there is no possibility of being covered. There is a user volume. There is a wallet user in the world. The number of users is very large. When the code was updated in December 2014, there was a bug. The two-and-a-half-hour bug was fixed, but there were more than 1,000 in just two and a half hours. The bitcoin address was affected, the private key was cracked, and more than 200 coins were lost. We have a very high investment in wallet security, which has both our internal investment and cooperation with some top security companies. There is no end to security, and the industry is developing rapidly. First, we must strengthen our study and investment, and then follow the trend and cooperate more. There is nothing small here.
Funds are frequently issued, how to establish a security mechanism?
Chen Xiaohai : 2019 is a year of accumulation of funds, especially in the first half of the year. There are security areas in the room, there are also asset custody, there are also exchanges, wallets, if you encounter such problems, what are the corresponding strategies?
Keywolf: This one, we and Yang have also tracked accordingly. As a security company, it also has such duties and obligations. For such social funds or similar malicious acts, we will conduct security robbery. We did a slow fog AML system, and through the cooperation with the exchange, the system also collected the exchange's wallet address. Because of the interception of this matter, the exchange is a financial channel for the conversion of digital currency into legal currency. Through our cooperation with a system and an exchange, we are able to track asset transfers and we can accurately identify whether he has gone to an exchange or a centralized wallet. We will also work with law enforcement agencies to help users recover the fraudulent Ethereum assets.
Yang Xia : Our AML system has been in operation for a very long time. It has cooperated with dozens of exchanges around the world, and they have formed a linkage with us. For example, we have assisted the public security to do a lot of things to assist in the investigation. There are probably nearly 20 things, including BTC, USDT, and Ethereum mainstream currency tracking. What we can do is that they tell us the address, we find out where the funds are through the system, and finally trace back to which exchange, and then the exchange cooperates with us and cooperates with the public security to obtain evidence, which can directly locate an individual. In fact, the difficulty here is BTC, but our data analysis ability can finally locate the final capital export, and through the investigation and evidence collection with the public security, our accuracy is very high.
Wu Mengxia : What kind of customers a company chooses to receive? First, it may be a commercial profit-seeking behavior in the short term. In the medium term, it is the expression of the company's risk appetite. In the long run, it is the company's own values. So we also encountered similar projects to find us to do hosting, we will basically euphemistically refuse, fortunately, the company has been doing this in the circle for many years, before the project can do better screening and prevention, to avoid such customers .
Cheng Jun: To sum up, there are three points: before, during and after the event. In advance, such as our access to slow fog systems, we monitor unusual addresses and addresses that we judge are at risk. In our case, we use our own risk control system to accurately locate the user's portrait and judge whether he is at risk in this process. Afterwards, we have the KYC information system. We access the face++ system and keep all the real names of the users. Convenient for the future to cooperate with the police's final investigation.
Wang Chao: I think that the entire industry, whether it is a practitioner or a user, pays much attention to safety, and calls on everyone to pay attention.
Chen Xiaohai: Security is a permanent topic. Based on security, the blockchain world is constantly playing a war without a smoke. There is still a long way to go on the road to safety.