
Information Security in the Web3.0 Era

Baize Research Institute (白泽研究院), Guest Columnist
2022-04-04 07:30

Author: Jackie Singh

Translated and compiled by: Baize Research Institute (reprinted with the original author's authorization)

Jackie Singh is director of the nonprofit Technology Oversight Project and an active member of the Web3.0 community. A U.S. Army veteran and former defense contractor, Singh previously founded a cybersecurity consulting firm, Spyglass Security, and served as the chief cyber incident responder for Biden's presidential campaign.

Web 3.0 presents an opportunity to escape the cybersecurity mistakes of the past -- open-minded infosec professionals who realize the technology's potential have invested in it.

With the rapid development of Web 3.0, as an information security practitioner I cannot help paying more and more attention to it. Many in the tech industry still believe that blockchain, cryptocurrencies and NFTs are scams, are destroying the economy, and are doomed. But the rapid adoption of these technologies, including by many multinational corporations, not to mention President Biden's recent executive order on digital assets, all show that Web 3.0 is more than just a buzzword.

From MP3 Sharing to Blockchain

The first time I saw decentralized innovation on this scale was Napster, the peer-to-peer music file-sharing service founded in 1999.

Not long ago, "cloud" was a buzzword in the way "blockchain" is today. A decade ago, my colleagues and I joked about the meaninglessness of the term: "There is no cloud, just other people's computers."

Today, cloud computing has become much bigger than we predicted. In fact, it can be difficult to understand the nuances of securing cloud technologies without specializing in a particular vendor's platform. I expect the same evolution to happen with Web 3.0: from buzzword to fundamental Internet technology.

Information Security Stalls

Even though many companies are spending more than ever on cybersecurity these days, we hear about new, blockbuster data breaches almost every week. At the same time, innovation in information security has languished compared with other technology areas, such as cloud computing.

There is a general lack of attention to the human element in the information security field: users fall prey to scams by clicking on the wrong link, or simply do not know how to keep themselves safe online. Take, for example, the recent controversy over Coinbase's Super Bowl ad, which consisted of a QR code that redirected viewers to a website. Should people worry about scanning QR codes?

At the same time, the infosec community tends to keep relying on ineffective defenses. We have previously described defensive networks as "M&M networks": a hard, brittle perimeter with a soft, melted, vulnerable interior. On the other hand, the centralization of sensitive log data, a core capability of every functional security operations center, creates monitoring-related data governance, compliance and ethics issues that will only get worse at scale.

Enter Web3.0

Ultimately, relying on the built-in defenses of a distributed ecosystem such as a blockchain is more effective than trying to defend a vulnerable network with private, centralized monitoring.

A more efficient blockchain that does not use proof of work (PoW) could alleviate concerns about the energy consumption of systems like Bitcoin. Many people, myself included, are tired of waiting for Ethereum's long-planned upgrade to a consensus mechanism that does not require large amounts of energy, which makes using Ethereum an all-around bad choice for our planet at the moment. Despite Ethereum's first-mover advantage, other blockchains have emerged with greener properties than the proof-of-work mechanisms of Ethereum or Bitcoin. For example, Solana is a carbon-neutral blockchain that lets developers build security in from the ground up through smart contracts implemented in the Rust programming language. Using Rust eliminates entire classes of security risk and is probably one of the best tools we have for preventing code vulnerabilities.

There is probably no better way to find bugs than exposing the code and its interfaces to every user. When attackers and defenders have access to the same information, it levels the playing field in a more prevention-focused way, and over time this will allow the information security industry to address systemic weaknesses.

However, no blockchain today is completely decentralized. True decentralization remains a lofty goal for many Web 3.0 enthusiasts, and few have attempted to explain what such a system would look like in practice. Still, trustlessness and permissionlessness remain key principles actively guiding system design in Web 3.0 ecosystems. Ideally, the blockchain itself and the smart contracts deployed to it mediate transactions between users, rather than opaque code on a server that only administrators can see.

The blockchain allows us to confirm certain basic facts by using cryptography, and when we need to know something, we look on the blockchain. Decentralized application (dApp) developers are incentivized to store data on-chain, avoid performing critical computations off-chain, and develop access mechanisms beyond their personal wallets. This translates into higher data integrity and more complete observability of inputs, computations and outputs.

Users need greater sovereignty over their data, while developers are interested in minimizing data collection to preserve privacy. Web 3.0 can help achieve these goals by shifting the custody of keys to users, giving people more control over their data. Personal custody of personal keys gives users the ultimate opportunity to maintain ownership of their identities on the blockchain. While this is different from how we have managed enterprise-scale networks before, we should welcome these new architectures as a way to empower users while reducing organizational risk associated with data collection and access management.

New Opportunities

The world of information security in the Web 3.0 era seems to be changing, as evidenced by the growing number of information security efforts and the huge losses caused by successful exploits of blockchain and smart contract vulnerabilities.

Web 2.0 companies can often shrug off breaches thanks to mitigating factors such as standardized cyber insurance and the absence of long-term impact on the business. Web 3.0 organizations cannot ignore security concerns in this way: a single mistake can cost millions of dollars, and has even led to the disbandment of entire organizations after the loss of all their funds.

Against this backdrop, bug bounty rewards in Web 3.0 reach staggering numbers. In its guide, Immunefi, the largest Web 3.0 bug bounty platform, states: "Some information security personnel, white hat hackers, were treated badly and underpaid in Web 2.0 before they joined Web 3.0. They brought that attitude to Immunefi, and they have now gained more power and respect than before."

As noted hacker Jay Freeman said recently after being awarded a $2 million bounty for finding a security flaw: "However, we've seen one crypto project after another try to outsource the cost of reviewing their core designs to infosec [instead of] a team built around mathematicians, economists, and security experts." While policy and regulation are still a work in progress, and compliance requirements will likely come to match those of the traditional financial sector, the Web 3.0 industry will also find that these vulnerabilities must ultimately be addressed by highly technical security experts and long-term strategists, rather than by the current system of external auditors and bounties.

Security firm Hacken described its outlook for the Web 3.0 industry in a recent report, predicting that the need for regular security audits will increase over the next five years.

There is also an emerging niche market of "blockchain analysis" or "blockchain investigation" companies, with names such as Chainalysis, CipherTrace (recently acquired by Mastercard), Elliptic, and TRM Labs (backed by a16z, JP Morgan, PayPal, Salesforce, and others). These companies use specialized software and human analysts to analyze, detect and track threats on the blockchain, and they are reminiscent of early Web 2.0 cybersecurity companies such as Mandiant and Foundstone, which grew rapidly alongside Web 2.0.

What Is the Difference?

Blockchains are transparent and open, and for those accustomed to closed databases and opaque operations, this requires a fresh look. Blockchain and crypto companies tend to be less concerned with intellectual property protection than typical Web 2.0 companies. Code is usually open source and relies on public security audits to inspire user confidence.

Web 2.0 security practices focus on dealing with the consequences of incidents rather than avoiding them in the first place; Web 3.0 information security turns to code, engineering and architecture, focusing on prevention.

The Web 3.0 ecosystem is more open by nature, and projects are usually hosted in communities on Discord and Twitter. In a recent article, two Web 3.0 project managers, Lenny Rachitsky and Jason Shah, described how their careers transitioned to Web 3.0 and called for a complete departure from the current tech work model. They see in Web 3.0 an ecosystem that is not driven by monitoring and data collection, and a need to ensure code is as bug-free as possible when it is released.

Talent Is Flowing

It is not only people who see the potential who are jumping into Web 3.0; some of the best hackers in the world are already working on it full-time. For example:

Information security professionals should be familiar with the various "layer one" blockchain networks such as Bitcoin and Ethereum, with privacy coins of particular relevance to the information security space such as Monero and Zcash, and should learn what cryptocurrencies, tokens, DeFi and NFTs actually are.

Information security professionals need to start learning early, so that they will be crypto-literate when future security cases and investigations arrive.

Here are some tips and resources for those seeking to learn more:

  • Check out the blogs of security companies that publish Web 3.0 research, and the voices who believe Web 3.0 has the potential to empower people to express themselves freely online.

  • Try setting up a crypto wallet and making cryptocurrency transfers in and out, then look at the blockchain to see how those transactions work.

  • Learn about the major smart contract platforms, their execution environments and the associated programming languages. Want to build a dApp? You can follow the BuildSpace tutorials or join resource communities such as Developer DAO and Surge. Check out the blockchain-specific security repositories on GitHub, such as awesome-ethereum-security and awesome-evm-security.

  • Participate in several open bounties on Immunefi.

  • Think about how to monitor wallets on the various blockchains, and how to obtain that data.

  • Learn about common phishing vectors and methods, especially threats on Discord and Twitter. Learn to recognize red flags such as NFT wash trading and other scams. Study previous major hacks and recent scams.

Long road ahead

There is no silver bullet in information security, and blockchain is no exception: decentralized systems face risks similar to those of any other computer system. The blockchain is an inherently insecure network, but it does lay the groundwork for secure transactions at scale, a capability that is critical to the continued expansion of Internet services.

It is also worth noting that decentralized technology does not automatically produce decentralized power, and Web 3.0 is still a long way off. Security experts can help by promoting a fair power structure in Web 3.0 systems and placing security and privacy at the heart of those systems.

As tech strategists Scott Smith and Lina Srivastava write in the Stanford Social Innovation Review: "If Web 3.0 offers the opportunity to solve Web 2.0 problems, it requires an entire value system. This means that social good must be not just an integral part of a social ethos, but an integral part of the architecture of any new network or technology."

Despite the obvious potential of Web 3.0 and blockchain, these technologies have no inherent ability to support human rights or democracy. Information security practitioners can help them integrate positive values as an extension of their vision to protect Internet users.

Risk warning:

According to the "Notice on Further Preventing and Dealing with the Risk of Hype in Virtual Currency Transactions" issued by the central bank and other departments, the content of this article is for information sharing only and does not promote or endorse any operational or investment behavior. Please do not participate in any illegal financial activity.
