Recently, Coincheck, one of Japan's largest bitcoin exchanges, issued a statement saying that its servers had been breached by hackers and that NEM tokens worth $523 million at the time had been stolen. The same day, Coincheck announced that it was suspending withdrawals of all virtual currencies and suspending trading in all tokens other than bitcoin.
【Hot wallets and cold wallets】
In fact, this is not the first time a virtual currency exchange has run into trouble. Four years ago, Mt. Gox, then the world's largest bitcoin exchange, was attacked by hackers; at the bitcoin price of the time the losses came to $450 million, and Mt. Gox filed for bankruptcy protection because it could not cover its customers' losses. In December 2017, the South Korean virtual currency exchange Youbit was attacked by hackers, lost about 17% of its assets, and had to file for bankruptcy.
Many people are puzzled: bitcoin and tokens alike are all built on blockchain technology, and one of the properties blockchain technology has long claimed is security. If it is secure, how can the coins still be stolen?
In response, Tan Yuan (谈元), a core smart contract development engineer at Distributed Technology (分布科技), explained that exchange thefts of this kind have little to do with the blockchain itself. Virtual currency exchanges are generally centralized: users deposit funds with the exchange and then trade inside it, and the intermediate steps of those trades are never written to the chain. This has nothing to do with the security of the blockchain and depends only on the security level of each exchange's own servers.
The truth soon came out. It is understood that, under normal circumstances, Coincheck customers' virtual currency is kept in the exchange's "cold wallet", that is, stored encrypted and offline, with physical isolation keeping the funds safe. But Coincheck co-founder Yusuke Otsuka (大塚雄介) said that, because of "systemic difficulties", the stolen NEM tokens were at the time being kept in a "hot wallet" connected to the internet, which gave the hackers their opening.
Put simply, tokens that should have been kept offline were placed online, and hackers stole them.
The concepts of "cold wallet" and "hot wallet" need some further explanation here. In plain terms, a wallet is a tool or piece of software for storing and using virtual currency. A cold wallet is a wallet that is not connected to the internet, also called an offline wallet; typically it is a computer, phone or hard drive that stays offline, or a sheet of paper with the private key written on it. A hot wallet is a wallet that stays connected and online, also called an online wallet. The prevailing view is that cold wallets are safer than hot wallets: with the internet connection cut, hackers cannot reach them, whereas being online always carries risk. Cold wallets, however, can also lose data through hardware failure.
【No absolute security】
One industry insider said that no security mechanism, however strong, is absolute. Although a blockchain network can be called secure in that its data cannot be forged or tampered with, it cannot completely rule out problems such as leaked secrets, theft, fraud and data privacy leaks.
First, Bitcoin's existing security design, in the computations that relate private keys, public keys and addresses, uses a signature algorithm based on secp256k1 elliptic curve multiplication, together with SHA-256, RIPEMD-160 and Base58 encoding. You do not need to understand what these algorithms are; you only need to know that they are currently considered very secure. The problem is that in a decentralized financial system such as a blockchain, if any one of these links were ever broken, the whole system would face collapse. A centralized system can upgrade and change its algorithms in a short time, but in a decentralized network a single upgrade is extremely hard to carry out. As for whether the algorithm behind Bitcoin private keys will ever be broken, that may depend on how quickly quantum computing is industrialized.
In addition, the storage of private keys mentioned above is also a major problem, and the question of how easily private keys in blockchain technology can be stolen still awaits further exploration and resolution. A private key looks like a string of digits; you can think of it as the password to your bank account. Virtual currency users rarely see the private key directly: it is generally stored in a wallet file and managed by the wallet software. But whether you use a cold wallet or a hot wallet, anyone who learns your private key can transfer your virtual currency away. If you hold virtual currency, be sure to protect your account's private key carefully, because it is the only seal that can prove the money belongs to you. In the past, traditional centralized institutions such as banks could use real-name verification and similar means to freeze the accounts involved and recover assets to some extent. In the world of Bitcoin, if you lose your private key you are left with nothing.
So the repeated thefts from virtual currency exchanges have made one thing clear: today's virtual currency trading environment is still far from secure. Developers, trading platforms and investors holding virtual currency all need to raise their security awareness and strengthen their security measures.
As for how to keep one's virtual currency more safely, experts advise that large holdings should always be stored in an offline cold wallet, while small amounts, or funds that need to be traded in real time, can be kept in a reliable online wallet.
So is the security of online wallets assured? Tan Yuan said that if the code written by the online wallet provider is legitimate (that is, it contains no interface that uploads the user's private key), then the wallet is secure. All of the wallet's data is cached locally in the browser cache, and a transaction is sent by signing it with the private key; the private key is never transmitted at any point, so the user's private key is not leaked. Whether the code is legitimate and reliable, however, also takes time to prove.
Because a private key is easily confused with a public key or even an address, experts specifically remind virtual currency users to learn the relevant basics and never to expose their private key on any website, in any email or in any chat application; otherwise hackers can use those channels to carry off your wealth with ease.
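The confusion described above can be caught in software: Bitcoin's Base58Check encoding puts a version byte in front of the data, so an address can be told apart from an exported private key (WIF) before a message leaves the machine. The following is an added example, not part of the original article; the function names and sample values are constructed for illustration, and it assumes Bitcoin mainnet version bytes (0x00 and 0x05 for addresses, 0x80 for WIF).

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(data: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a literal '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_decode(s: str):
    """Return (version, payload), or None if s is not valid Base58Check."""
    if not s or any(c not in B58 for c in s):
        return None
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    zeros = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]

def classify(s: str) -> str:
    decoded = b58check_decode(s)
    if decoded is None:
        return "not Base58Check"
    version, payload = decoded
    if version == 0x80 and len(payload) in (32, 33):   # 33 = compressed-key flag
        return "PRIVATE KEY"
    if version in (0x00, 0x05) and len(payload) == 20:  # P2PKH / P2SH hash
        return "address"
    return "unknown"

def leaked_keys(message: str) -> list:
    """Tokens in an outgoing message that decode as a private key."""
    return [w for w in message.split() if classify(w) == "PRIVATE KEY"]

# Constructed sample values (not real keys or addresses).
SAMPLE_ADDRESS = b58check_encode(0x00, bytes(range(1, 21)))
SAMPLE_WIF = b58check_encode(0x80, bytes(range(1, 33)))
```

A mail or chat client could run `leaked_keys` over outgoing text and refuse to send when the list is non-empty, while letting addresses through.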