On November 28, the 2018 P.O.D New BlockTrend blockchain summit, jointly organized by Odaily (Planet Daily) and 36Kr, was held in Beijing.
At the meeting, Dr. Peng Zhiniang, a senior blockchain security expert at 360, gave a speech discussing blockchain security. In his speech he cited a set of data: from 2013 to the first half of 2018 there were 54 serious blockchain security incidents, and losses from security incidents in the first half of 2018 alone reached $2.7 billion. He gave four examples: the 2014 Mt. Gox exchange theft, the dark-web Silk Road market, the WannaCry virus, and a vulnerability in the EOS compiler asset template.
Based on these data and cases, Peng Zhiniang pointed out that, because of decentralization, the digital currency world has become a place outside the law where money laundering appears; that anonymous coins and criminal smart contracts have further fuelled the black market; and that blockchain projects themselves also have security problems. Summing up these three points, Peng Zhiniang said that blockchain security is still at a very early stage and has many opportunities and challenges.
The following is the text of Peng Zhiniang's speech:
Good afternoon. My name is Peng Zhiniang, and I am from 360's core security department.
As security practitioners, our main job is to study security vulnerabilities in all kinds of network software and to find them before hackers use them, in order to protect our users. For the past six months I have mainly worked on blockchain security, and I am very pleased to have this opportunity to come here and share some of my views on blockchain security with you.
Let me first raise a question: is blockchain security just following a trend? My friends say: Peng Zhiniang, aren't you just following the trend by doing blockchain? Isn't it a scam? Aren't blockchains all pyramid schemes and the like? I am often asked this question, and it is very embarrassing. At the same time, since I work in security, some friends also say that security people just chase whatever is hot: when artificial intelligence is hot you do artificial intelligence security, when IoT is hot you do IoT security, and now that blockchain is hot you do blockchain security. My own view is that this is not so; I think blockchain security is absolutely a very large business need.
Let me give some arguments for my view.
Looking at blockchain purely as a technology, I am not sure whether it can in the end solve all the lofty problems. But if we look back over the past ten years, the appearance of digital currency has in fact changed our lives. From 2008, when Bitcoin had just appeared and no one showed any interest, to now, hundreds of billions of dollars in assets are deposited in networks, mining pools, exchanges and wallets, and many users choose to invest in digital currency or to transact in it directly. So digital currency has in fact changed our lives, and the security of digital currency is a very urgent need rather than trend-following.
Here is a string of data: from 2013 to the first half of 2018 there were 54 serious blockchain security incidents, and in the first half of 2018 alone the losses caused by security incidents reached $2.7 billion. Let me come to a favorite case of mine. In 2014 Mt. Gox, then the world's largest digital currency exchange, was hacked and a total of 850 thousand bitcoins were stolen. This event led the Mt. Gox exchange to file for bankruptcy, its CEO went to jail, and very many users lost everything. Why do I love this case? Because I was one of those users. In 2014 I was still a PhD student, and I had used basically all of my assets to buy bitcoin. Everything was good, except for one thing: I kept the coins on that platform.
Counted at the highest price at that time, 850 thousand bitcoins were worth close to 1 billion dollars; at the current value the figure would be even harder to count. Cases like this did not happen only in 2014; from 2014 to 2018, similar cases have occurred every year. This year, from 360's threat intelligence, we see that a great many digital currency exchanges have in fact been hacked, although in some cases the hackers may not have reached the step of transferring the digital currency away. We have an internal joke: there are only two kinds of digital currency exchanges, those that know they have been breached and those that do not know they have been breached.
The second point is that the digital currency world has become a place outside the law. Because it is an unregulated, decentralized payment system, with no third party providing services and no third party auditing all transactions, it gives rise to black markets, money laundering and similar transactions.
This is a picture of a website that was very famous on the dark web a few years ago. The website was called Silk Road.
We can see that on this site you could buy drugs, arms, fake documents and even fake credit cards. Of course, this website did not let users transact in ordinary currency; we can see that prices were quoted in bitcoin. The site was shut down by the US FBI in 2013, and when the site administrator was arrested, 14 million coins were found in his computer. In the two years it was open, the site provided payment channels for more than 12 billion dollars of the global drug trade, so it is a very scary thing.
Silk Road has now been closed, but if we go on the dark web we will see that there are many similar sites. It is just the tip of the iceberg. In recent years anonymous coins such as Monero and Zcash have appeared, which further strengthen the black market. With Monero, for example, you do not know where the money comes from, how much there is, or whom it goes to, yet the whole system can still run perfectly well. If you do an illegal trade on it, no one can trace you, which brings great difficulties for governments and regulators.
Similarly, Ethereum smart contracts provide a programmable economic model, and technology has two sides. I have also heard that a lot of people use smart contracts for crime. For example, an employer wants to hire a hacker to break into a company's website: the hacker does not need to meet the employer and does not need to establish trust; everything only needs to be written into the contract and it will be carried out. You can see that technology is a double-edged sword.
Here is another case that we have all seen. This picture is WannaCry, a worm that broke out around the world in May last year; it spread through a bug in the Windows operating system. After a user's computer is infected, the virus encrypts the important files on the computer and pops up a window saying: all your files have been encrypted; you need to pay 300 dollars in bitcoin to my address, and after you pay I will decrypt them for you.
The spread of this virus was very crazy: hospitals, schools, banks and some government departments were unable to work because of the virus. In essence, the hacker was blackmailing the whole world through this virus. Imagine if there were no digital currency behind it to let him do the blackmail; he certainly would not have done it.
There is another story behind this virus, which network security practitioners may know. The virus actually spread through a Windows vulnerability that was disclosed online by an anonymous hacker organization. This vulnerability was actually a tool from the NSA's cyber weapons arsenal. Before releasing this vulnerability, the hacker organization had published the first part of the arsenal online, and then told everyone to pay them in anonymous digital currency, after which they would regularly send items from the NSA cyber weapons arsenal to those who paid. You can see that with digital currency, hackers and other criminals are not afraid even of the NSA, so digital currency poses a very big problem for regulation.
Digital currency projects themselves also have many vulnerabilities. This year we launched internal digital currency security research at the company. We spent about half a year doing security research on some popular digital currency projects, and within six months we found security vulnerabilities in top-20 digital currency projects including Ethereum, EOS, NEO, ONT and Monero. Some serious vulnerabilities can even be used to carry out a double-spend attack directly and easily: one unit of digital currency can be spent twice, as if it were two. In less than half a year, the bounties we received from digital currency projects exceeded 30 million dollars. As can be imagined, if hackers had used these vulnerabilities ahead of time to do damage, it would have had a very serious impact on the entire ecosystem.
Here is a specific case, but because it is already relatively late I will not go into the technical details. EOS has a very important module in which five lines of code contained three vulnerabilities. We submitted the vulnerabilities to the EOS team, and a week later EOS repaired them, but within that week the vulnerabilities were exploited by hackers to steal a lot of EOS tokens. For more of our research on blockchain security, you can look at our technology blog: http://blogs.360.cn/
To conclude: from the three points above we can see that blockchain security incidents are currently frequent; that blockchain technology, since its birth, has also brought some security risks to society as a whole; and that blockchain projects themselves also have some security problems. I think blockchain security is still at a very early stage, and it has a lot of opportunities and challenges. Thank you.