For blockchain technology to develop, security is a hard requirement. A blockchain security ecosystem needs to be built, with effort focused on different products such as digital currency wallets and smart contracts; at the same time, dynamic defenses need to be implemented at the nodes where digital currency is produced, such as mining pools and exchanges.
Science and Technology Daily reporter Zhang Jiaxing
One line of code evaporated 6.4 billion yuan. This unbelievable hack took place in April of this year: simply because hackers found a single code vulnerability, the entire market value of the affected blockchain product was transferred out in an instant and fell to nearly zero.
"If currency in the traditional sense has value because it relies on national credit, then the existence of encrypted digital currency relies on the credit of blockchain technology." On September 6, at the ISC2018 Blockchain and Cybersecurity Forum co-hosted by Zhongxiang Bite (众享比特) and other partners, Zhang Xuan, deputy director of the Cybercrime Investigation Teaching and Research Office in the Investigation Department of Shandong Police College, said that the successive discovery of vulnerabilities in blockchain code, together with the security incidents that followed, is gradually eroding people's confidence in blockchain technology.
It was previously believed that, thanks to distributed storage, cryptographic algorithms and similar techniques, blockchain technology had properties such as immutability and traceability that were regarded as "foolproof". However, these properties apply mainly to the information stored in blocks. Taking the case at the start of this article as an example, blockchain technology guarantees that the 6.4 billion can be traced to where it was transferred, and the hacker's operations are also recorded immutably by the system, but it cannot "refuse" a hacker's tampering with the underlying code and so protect the virtual digital currency.
Blockchain technology itself has vulnerabilities that can be exploited. "Using blockchain technology has become a new way for criminals to profit illegally," Zhang Xuan said; some have even said that blockchain technology has already triggered a revolution in economic crime. Faced with the new challenges these new methods bring, how should we respond so as to safeguard the long-term development of blockchain technology?
Virtual currency becomes a new target for theft
Not long ago a heist film, "Ocean's 8" (《瞒天过海:美人计》), was released. It tells the story of a crew of beautiful master thieves who steal a diamond necklace worth 150 million US dollars.
Compared with the thefts that have occurred in the cryptocurrency world, the value of that necklace is not so jaw-dropping. For example, in a virtual currency theft case solved by Chinese police on March 30 this year, three hackers employed at well-known domestic internet companies broke into the computer of a victim surnamed Zhang and looted virtual currency, including Bitcoin and Ethereum, worth 600 million yuan.
In the past, thieves targeted gold, silver, jewelry and stacks of banknotes; today it may be possible to "get rich" by stealing virtual currency, just by sitting at a computer and moving one's fingers. Encrypted digital currency has become a new target of high-tech crime. Countries around the world are troubled by this. Reports show that after tokens worth 530 million US dollars were stolen, 16 Japanese cryptocurrency exchanges planned to set up a self-regulatory group to examine their own systems for vulnerabilities.
Wang Weibo of 360 Group's Information Security Department said that 57 attacks on public chains and exchanges (as opposed to personal computers) have been publicly disclosed so far, causing losses of 1 billion US dollars. But he believes this is only "the tip of the iceberg": a large number of attacks are never made public because they would damage the exchange's reputation, and the exchange absorbs the losses itself.
Besides being stolen, virtual currency has also become a tool for criminals. "Bitcoin has become a money-laundering tool and has given rise to 'professional water rooms' (professional laundering operations)," Zhang Xuan said. She cited an actual case: the victim met the suspect on QQ; he claimed to be a soldier who had fought in Iraq and wanted the victim to receive a parcel on his behalf, which required a deposit of 800,000 US dollars. The victim sent the funds to a person surnamed Wang who specialized in Bitcoin trading, and Wang paid the suspect in Bitcoin. On the suspect's side, no evidence of receiving the proceeds of the fraud was left behind, while large sums flow into the accounts of the Bitcoin trader Wang, which makes the investigation harder.
"The involvement of Bitcoin (most of the encrypted digital currency accepted on the black market today is Bitcoin) means that the police method of solving cases by following the chain of funds may stop working," Zhang Xuan said. In her work she feels keenly that cases have become harder to investigate and that tracking down criminals has become much more difficult.
What is more, the criminal is no longer an individual or a gang but a legitimately operating business. Zhang Xuan described how a technical operations and maintenance company developed a Trojan and installed it on the client machines it was responsible for maintaining; whenever a machine's memory usage was low, it started a mining program, and more than 5,000 digital coins had been mined before it was discovered. According to statistics, the company illegally controlled more than 3 million machines nationwide. "The legal characterization of this kind of offence is still very unclear," Zhang Xuan said. The new crime landscape is pushing laws and regulations to be improved and reminds law enforcement officers to keep updating their knowledge.
Daily self-examination to find and fix the gaps
"We may not know how hackers will attack, but we should get the security of every detail right," Wang Weibo said. Checking for one's own vulnerabilities can reduce security risk to a minimum and even prevent problems before they appear.
It is like a battle of attack and defense: once hackers have found the "vital point" of blockchain technology, their external attacks become impossible to contain. "Reinforcing the walls" and "rigorously checking for and plugging leaks" are the defender's effective way of meeting every change with constancy.
According to Wang Weibo, hacker attacks on blockchain technology can occur at six different layers, including the application layer, contract layer, incentive layer and data layer. The attack techniques differ from layer to layer, and so do the consequences.
The lower the layer attacked, the more likely it is that "pulling one hair moves the whole body". For example, an attack on the data layer changes the entire blockchain rather than a single node. In May this year, an attacker tampered with the block-generation timestamps of a certain blockchain, which lowered the mining difficulty and allowed the attacker to hijack the entire main chain and obtain a large quantity of tokens.
The 360 security team therefore studied the six aspects from which hackers attack, identifying the vulnerabilities in each and "writing a prescription". In security tests of a certain public chain and exchange, the 360 security team found 42 vulnerabilities, 29 of which were high-risk vulnerabilities that could affect the security of user accounts.
Besides hunting for vulnerabilities, the team carried out in-depth testing of some hacker attacks and wrote a "Public Chain Penetration Testing White Paper". Wang Weibo said the white paper will be published soon. It will analyze a number of security incidents and, taking blockchain attacks as its starting point, examine hackers' attack techniques in depth and explain how to defend against each kind of attack.
Wang Weibo believes the blockchain industry is at a relatively early stage of development and that there are still many security problems. For blockchain technology to develop, security is a hard requirement: a blockchain security ecosystem needs to be built, with effort focused on different products such as digital currency wallets and smart contracts, and dynamic defenses also need to be implemented at the nodes where digital currency is produced, such as mining pools and exchanges.
Blindly launching blockchain projects is not advisable
"Besides making blockchain technology itself more solid and more trustworthy, we also face the problem of linking on-chain data with real-world data," said Wei Kai, a department director at the Cloud Computing and Big Data Research Institute of the China Academy of Information and Communications Technology. Every industry has its own pain points when using blockchain. In the traceability industry, for example, how do you ensure that the data put on the chain corresponds to exactly the product being traced and has not been "swapped"?
Whether the information written to the chain is true and accurately reflects reality is something blockchain technology cannot solve; it must be guaranteed by off-chain means, such as institutional systems. Wei Kai believes that such supporting systems are currently lacking.
"Before launching a blockchain application, you should first ask four questions," Wei Kai said. "Does the task need to record data? Must the recorded data involve multiple parties? Can the participating parties trust one another? If no one trustworthy can be found, then you can consider abandoning the original medium and using blockchain technology. And the last question: can you tolerate its lower efficiency compared with a centralized system?"
Wei Kai explained that the cost of using blockchain is also very high: because it is a closed system, its efficiency is certainly lower than that of a centralized system, and at present blockchain technology has no obvious efficiency advantage in use.
Wei Kai used the term "anxiety disorder" to describe the current attitude of industry, and even government, toward blockchain. "More than twenty provinces and cities have now issued incentive policies related to blockchain, and many places have put up blockchain buildings. Have the companies that moved into these buildings uncovered any scenario that truly cannot do without blockchain? This question deserves careful thought." Wei Kai believes that, in addition to improving blockchain technology itself, policy, regulatory and verification systems still need to be built out further. To that end, on April 9 the China Academy of Information and Communications Technology, together with 158 companies, launched the "Trusted Blockchain Promotion Plan" (可信区块链推进计划) to advance work on technical standards, industry applications, and policies and regulations, with the aim of gradually improving the ecosystem for blockchain development.