Introduction to Hootenanny Podcast Series
00:00:06
Speaker
Hello and welcome to this Owl Explains Hootenanny, our podcast series where you can wise up on blockchain and web3 as we talk to the people seeking to build a better internet. Owl Explains is powered by Ava Labs, a blockchain software company and participant in the Avalanche ecosystem.
Discussion on Blockchain Security with John Neufeld
00:00:24
Speaker
My name is Silvia Sanchez, project manager of Owl Explains and with that I'll hand it over to today's amazing speakers.
00:00:34
Speaker
Okay. Hi, everybody. Welcome to this episode. I am so excited to be hosting you today with John Neufeld from Open Zeppelin. He is a GC, and we're going to be talking about blockchain security today. So, John, why don't you please introduce yourself, introduce Open Zeppelin, and we can get started. Sure. Thanks for having me. Exciting to be here.
00:00:53
Speaker
Long-time listener, first-time caller. So yeah, excited to talk about security. I'm the GC at OpenZeppelin; we're a security solutions company. Prior to that, I was a securities lawyer. And being in capital markets got me super interested in blockchain and smart contracts.
00:01:13
Speaker
especially around 2017 and the big ICO boom at that time.
Open Zeppelin's Role in Decentralized Security
00:01:19
Speaker
So I've been here at Open Zeppelin for five years. I think it's helpful to explain a bit more about what we do. I think that really will inform how I talk about security today. So we provide end-to-end security solutions for builders of all types of decentralized technology and at every stage of their development process. Some of what folks might know us for
00:01:42
Speaker
If they're out there building decentralized tech is our public goods. We have a game that's open source where you can learn about how to build secure applications. We have open source contract libraries which really form the building blocks or the Legos.
00:01:58
Speaker
of the vast majority of what's out there on chain right now. And then we have professional services teams, we do security audits, things like incident response training. And this kind of all ties together in our Defender platform. So that allows developers to bake in security best practices at every stage of their development process, and then once their system is live on the blockchain. So yeah, I really think about security based on where I sit at OpenZeppelin,
00:02:28
Speaker
from the perspective of developing decentralized protocols or applications, not as much about how individual users are out there interacting with these protocols. So I just thought I'd make that point in the outset here.
00:02:42
Speaker
That's perfect. Great. And thanks for that clarification.
How Blockchain Enhances Security
00:02:45
Speaker
And just to get started, how does blockchain enhance security compared to traditional databases? Yeah. So I think it's interesting to zoom out and just think generally what does security mean in software applications, whether that's web one, two, three, four, whatever you want to put on it. And I think at a high level, you could just define security as
00:03:08
Speaker
the protection of digital information. Does the application work as intended? Is the information within that application safe from theft, damage, disruption, unauthorized access? Does that application have integrity? Is the data available when it's needed?
00:03:30
Speaker
you know, do the people having access to that data or application or permissions actually have the right authorization? And so I think blockchain clearly has the ability to improve all these aspects of security generally. So if done right, a blockchain application should actually be more secure than
00:03:49
Speaker
another application that requires centralized hosting. So a traditional database is usually one, two, a limited number of parties that are kind of agreeing to the entries. And that requires trusting that small group of people to review and accept transactions and then maintain that database of transactions
00:04:10
Speaker
accurately over time. So a for-profit corporation, maybe it's AWS, a government with the social security number database. It could be anyone, right? But you're trusting that person maintaining the database to make that information available, to keep the data accurate, and to accept transactions, not censor them over time.
00:04:37
Speaker
And that makes it less resilient because the trusted party could go bankrupt. They could be subject to a power outage, something as simple as that. Or if it's a government, it could undergo a regime change.
00:04:51
Speaker
And you know, in the political turmoil we see now, I mean, that is a reality still, right? So all of these centralized systems, because they're subject to those centralized points of failure or control, it actually makes it less secure. Maybe a topical example is
00:05:12
Speaker
You know, your Twitter or now X profile if Elon Musk doesn't like your tweet, there's a possibility your tweet gets deleted or you're no longer on the platform. I don't know. You don't have a blue checkmark. So I think that's a just maybe a topical example of a centralization problem.
Benefits of Blockchain in Transaction Integrity
00:05:32
Speaker
Um, and so then when we think about a blockchain database compared to more traditional databases or computing applications, you know, there's some agreed number of validators usually called nodes. So long as, uh, an agreed number of them, let's say a majority are honest. And that does usually require having the right economic incentives in place for them to be honest. Uh, then if your transactions, your behavior, your activities on chain, comply with the rules of the protocol.
00:06:01
Speaker
those transactions will be effected. They will not be reversed. And if there's a high enough number of validators, they're diverse geographically around the world. And that means that even if some of those nodes go offline, many of those nodes, hundreds, thousands,
00:06:18
Speaker
your information will still be there, still be available, still be accurate. So, you know, another thing is blockchains don't even require the users to trust each other. And this is because of asymmetric cryptography, something I would not be able to explain to you very clearly and simply. I am a lawyer, not an expert in cryptography, but this effectively means that
00:06:46
Speaker
users don't have to rely on an intermediary between them to effect that transaction. So at a basic level, that can make transactions more quick, secure. You don't have to wait for the intermediary to approve it. So micropayments, innovative financial products become possible, folks who historically couldn't access big, intermediated capital markets.
00:07:10
Speaker
Selling equity on the NASDAQ may be able to raise micro financing, whatever, for a farm. And sorry, I'm going long here, but I do think it's a lot to unpack. And I think intermediaries, when they're in systems, often extract value from transactions and networks and
00:07:33
Speaker
even after that intermediary is not really providing value. And so blockchain networks have the ability to have that value instead accrue to the actual participants in the network. Maybe it just eliminates transaction fees altogether, or makes them smaller, or has that accrue to the users and participants in the network for public goods funding to improve that network. And so I think
00:07:58
Speaker
this is really exciting. We see native tokens that allow people to govern the actual systems that they're using and affect their future, versus just being at the mercy of, you know, whatever for-profit motivations a centralized, you know, property may have. So,
00:08:18
Speaker
Yeah, and then I guess last also that intermediary in a traditional software system or database also could censor behavior and I touched on that before with the example. So maybe I won't give another example.
00:08:33
Speaker
based on me trying to place a bet on the France football team going to the FIFA World Cup final ahead of our trip to Paris. I'm super excited. We're going to be in Paris. We can be amongst the local fans in a bar watching the game. I wanted to put money on them earlier. Well, MasterCard didn't want me to. And so, you know, I didn't get to do that.
00:08:55
Speaker
It was perfectly legal to use a sports betting website, and MasterCard didn't agree. So I didn't get to add that to a little bit of excitement, but they ended up losing in the end. Oh, the loss. Yeah, but I totally see what you mean about eliminating those intermediaries. And also when it comes to protecting information and ensuring that freedom, not just of the transfer of information, but of value, which is what we see as a huge value proposition on the blockchain.
00:09:24
Speaker
And just following that thought, if you could elaborate why security is so important in the development process of blockchain technology itself.
Challenges in Blockchain Security
00:09:33
Speaker
Yeah. So I think, you know, there's two sides to the coin. Blockchain can
00:09:40
Speaker
produce more secure computing applications, decentralized applications, at the same time, because the rules are so strict and rigid, because they're embodied by code, that means that if that code has logical flaws,
00:09:56
Speaker
It can be exploited and so long as someone makes a transaction that complies with the strict rules, even if the developers or the ecosystem didn't intend for the software to be used that way, the code's going to execute. And so it can lead and still leads to losses.
00:10:19
Speaker
know, applications being exploited for vulnerabilities. And so I think this is still a big issue and something, you know, we're solely focused on at OpenZeppelin. If you look, for example, at the Rekt leaderboard, tens, hundreds of millions of dollars, almost on a weekly basis, are lost where,
00:10:39
Speaker
you know, malicious actors. Sometimes these funds get returned. Sometimes maybe it's an intellectual experiment. Hey, if you say code is law, I'm going to try and break it. I'll give the funds back. But, you know, there's also a lot of, I would say, unscrupulous actors out there just trying to take advantage of the fact that this computing is nascent and folks are moving quickly and building quickly.
00:11:06
Speaker
Once those transactions get effected according to the rules, they're irreversible. It's often very difficult to get those funds back. And so I think it just really raises the stakes on making sure to build those secure blockchain applications, teams are baking in security best practices as they're developing to make sure, hey, this can't be exploited in a way that wasn't intended, that puts folks, you know,
00:11:33
Speaker
whether it's funds, whether it's their personal data, access to files, maybe it's digital identity, you know, clearly that needs to maintain those fundamental aspects of security, right? Integrity, availability, authorization. And yeah, so I think that makes security extra important in blockchain.
00:11:56
Speaker
Of course, no. And I think it's essential to get it right from the beginning. And this is like a sub-question within that. If you could maybe go a little bit deeper on the fundamental security principles in developing the blockchain itself, like looking at it at the very core, how would you summarize that? Or what are those key principles to look out for?
00:12:18
Speaker
Yeah. And so there's some different considerations. Uh, if someone's building a blockchain itself, like a layer one, maybe you'd call it, um, versus an application built on top of that blockchain, um, like a decentralized application and a protocol. Um, but really from a security perspective, you're, you're doing the same thing, right? Like does the code operate as intended? And so.
00:12:48
Speaker
I think the main point, honestly, is there's no silver bullet in security. It's not a one point in time thing you can do that will guarantee you're safe. And I think teams really just need to take a security first mentality when they're building their organization, their ecosystem, if it's decentralized, really needs to think about security best practices and security control
00:13:16
Speaker
And, you know, OpenZeppelin was founded in 2015. One of our first projects was at the very start of a developer lifecycle. So we developed the open source libraries for Ethereum called OpenZeppelin Contracts. Those are just open source building blocks. And so, you know, starting with things like that to make sure you're baking in hardened code. It's been out there. It's been exposed to, you know, people trying to exploit it over many years.
00:13:45
Speaker
And so, yeah, I think we really think we started there, but now we see the whole life cycle, which has been, I think, acknowledged or adopted for sure in Web 2 and more traditional development in the past. Folks call it the software development life cycle, often abbreviated SDLC.
00:14:09
Speaker
DevSecOps. But this is basically just an acknowledgement that, hey, the development process for any piece of software is going to be iterative, ongoing, and there's stages. You're going to plan it.
00:14:24
Speaker
You're going to map it out. You're going to code it. You're going to have dependencies. You're going to build tests for it. You're going to audit the code before it goes live. You've got to deploy it onto the blockchain. Once it lives there, people still interact with it. There's different functions that can be called. It can be upgraded. So I think often in blockchain, the word immutable gets used, which is appropriate in some contexts, like past data recorded in a blockchain will be immutable.
00:14:54
Speaker
For sure. However, I think to think that an application, and how it operates, will be static forever is not true, right? I mean, any product person is going to tell you, well, you've got to talk to your users, understand their needs.
00:15:12
Speaker
that bright idea, light bulb in your head that you went and built and shipped. You know, you're going to get feedback and you want to incorporate that feedback and evolve your product over time, of course. So I mean, the vast majority of applications built on top of blockchains now are upgradable. They do evolve. I think what would be really helpful is to have clear regulations around the technology. And so teams can understand, hey, or individual developers or dev shops or whoever
00:15:44
Speaker
how much of an involvement in the ongoing development of this and improvement of this for users. If we do an upgrade, it's going to be subject to decentralized governance. It's not like someone's arbitrarily building something there and taking on ownership of it.
00:16:03
Speaker
If it's clear that folks are allowed to evolve protocols and improve them and have roadmaps, I think that would even more unlock
00:16:17
Speaker
kind of product development and the ability for protocols to iterate more quickly, fail fast maybe is a buzz term there. But all that to say, I think we need to acknowledge the development life cycle of applications, decentralized or otherwise is ongoing. And so as you're going through that process, you've got to focus on security at all of those stages I mentioned.
00:16:41
Speaker
Yeah, we've broken it down into eight distinct stages for Web3. I'm not going to go through all those in detail and put folks to sleep. But I do think there's a general trend in software. Generally, a lot of folks call it shifting left on security. So if that was a timeline, earlier in the process, you're baking in security considerations. And I do think
00:17:09
Speaker
Blockchain technology has kind of been stuck on one stage, which is the security code audit, and still you're seeing folks deploy applications, protocols, even without audits. I mean, if you look at the Rekt leaderboard, a lot of those weren't audited.
00:17:26
Speaker
But, you know, although a big aspect of our business is helping folks with audits, I think it's really important for us to acknowledge and to educate folks that, hey, you know, it's not a one point in time silver bullet. I mean, there's a lot more you need to be doing pre and post deployment to make sure these things are secure for your users.
00:17:47
Speaker
Absolutely. And I like that key distinction you made when you mentioned the word immutability, because oftentimes it gets confused as the blockchain being static or dead. But I think that's something that we cannot forget. And I just wanted to
00:18:05
Speaker
highlight that aspect of that.
Adapting Blockchain to Changing Ecosystems
00:18:07
Speaker
As a blockchain developer, as a blockchain security developer, and all of those players, they need to be aware of, okay, how is the ecosystem evolving? How can we adapt to it? And going back to Open Zeppelin, to the things that you guys are working on developing, I wanted us to mention and just talk a little bit more about Defender 2.0, if you could just tell our listeners about some of its new developments and
00:18:31
Speaker
how it's adapting, you know, like, as you mentioned, it's been around, OpenZeppelin has been around for some years, but what is the breakthrough or just this, um, big new thing with Defender 2.0?
00:18:44
Speaker
Yeah, so I think Defender 2.0 really synthesizes our thinking around this software development lifecycle and applying it to Web3. In the past, we may have been seen as an audit firm or the firm that offers the OpenZeppelin Contracts software library.
00:19:07
Speaker
We want to make sure folks know security is more than that, and we're there to help them at every stage. And so Defender is a way to kind of bake in right into the developer workflow security best practices through the whole life cycle. So I mentioned pre-deployment and post-deployment. So deployment is basically you make your code live in production on the blockchain. So folks can interact with it.
00:19:37
Speaker
folks could exploit it, they can use it. And so that's a maybe pivotal kind of point in time. You could draw a line and stand there. Again, I won't go through the eight stages of the life cycle, but please folks, reach out to me if you want to chat about it. But yeah, so in terms of Defender, what it can offer, let's just give some examples like pre-deployment. So when you start, you're incorporating open source libraries,
00:20:06
Speaker
For example, we do work with Polkadot, with Starkware, Ethereum, and the Solidity libraries were our main foray here.
00:20:23
Speaker
What that means is, like, you're incorporating community-vetted code, because that's all open source. Folks are looking at it, using it, it's live in production, and so it becomes hardened over time, you know, it adopts the best standards.
00:20:41
Speaker
And so you can take these building blocks, start with something you know is secure, make your adjustments. And then when you're using that kind of common framework to build later in the life cycle, it makes it a lot easier to understand, you know, are you using the most
00:20:57
Speaker
up-to-date versions. Did those past versions you're using, did someone find a bug and you can upgrade? And it allows testing and more standard monitoring once things are live because it's common pieces of code, right? And then we also have tools that kind of look as you code
00:21:18
Speaker
and scan, you know, some of it's now being done with AI/ML, which is pretty cool, but also just based on, you know, our kind of expertise in house, you know, writing rules about where they've seen, over the last eight years,
00:21:37
Speaker
common issues arising, and, you know, having warnings pop up as you're going. So that allows you to really develop securely. And then, you know, when it comes to deploying and post-deployment, Defender has some interesting tools. Like, I'm not a technical person, so I really hesitate to start to try and speak technically, but, you know, someone writes
00:22:02
Speaker
source code, it's in human readable format, but the blockchain can't read that. So it's got to compile it into bytecode. So if you're a governance council member, let's say, or token voters, and you see a piece of code that is to be approved to go to the blockchain,
00:22:20
Speaker
it can be very hard to see that bytecode, what does this mean, what's here. And so Defender can run some checks to make sure, hey, this compiled bytecode we'd put on the blockchain, that folks can actually interact with with real value, matches what we think we coded in the back and what we got audited.
00:22:40
Speaker
you can add context for the folks signing that transaction. Maybe it's a multi-sig of VPs at a bank. Maybe it is token holders, you know, voting in a decentralized vote about, you know, we should make this live. So I think, you know, that's super important. And then, I mean, maybe the last thing to touch on, which I think is a really fast progressing area of security is real-time monitoring. And okay, you've got this code live on the blockchain,
00:23:09
Speaker
folks are interacting with your protocol, are you looking for suspicious activity taking place in your protocol or potential risks? I mean, maybe it's not even a security risk, but financial risk, liquidations, upstream downstream activity. And so I think monitoring is playing a really cool role these days where, hey, even though once this transaction is mined or is solidified in the blockchain,
00:23:38
Speaker
There's still things you can do. I mean, many hacks don't take place in one block like that. In fact, it's over a period of time, days, hours, sometimes weeks. And so there's a possibility to stop hacks before they happen as the person is preparing. There's a number of stages of attacks that folks go through.
00:23:58
Speaker
Or at least mitigate losses, right? I mean, don't let them drain a contract over multiple blocks. And so I think there's a lot of problems.
Vigilance Against Blockchain Hacks
00:24:09
Speaker
And really interesting how you touched upon the hacks, that oftentimes I think it can be
00:24:16
Speaker
underestimated, you know, like the way that you can prevent it, essentially. That it is not like, oh, this happened by surprise and it was just, you know, destroyed in a couple seconds, but how it can span out over a longer time. I think that this is an area that doesn't get talked about that much, and I'm glad you touched upon that. Um, and now going back to your
00:24:35
Speaker
I will acknowledge, sorry to interrupt you. There is, because I'm sure, well, I'm not that active on Twitter and more watch rather than tweet, but
00:24:46
Speaker
I don't want to get a bunch of security experts pinging me. I will say flash loans and certain attacks are able to be executed instantly. So it's not like every hack takes place over time. But when you just look at the dollar figures and the number of hacks, I mean, this is real value that's getting taken often from real users and people, right? So I think any mitigation is better.
00:25:14
Speaker
Of course, yeah. And the thing is that since I think that just as we have so many diverse products, also the way that the hacks happen can be super diverse. So it's not to say that all of them are over a long time or in a second. But it's about just
00:25:29
Speaker
raising the awareness that these hacks happen in a multiple array of forms and of timings. So it's just a different take on it. But going back to regulatory requirements, because earlier you touched upon having this more harmonized regulation, especially when we're talking about the cycle, the different stages that we are. So I wanted you to
00:25:54
Speaker
let us know a bit more about how OpenZeppelin approaches compliance with regulatory requirements while maintaining that blockchain security for clients in highly regulated industries? How do you reconcile those two forces?
00:26:07
Speaker
Yeah, for sure. I mean, it's a really interesting area. There's so much interest from regulated entities, a lot of financial institutions. But we just don't have regulations in many jurisdictions yet that are tailored to blockchain technology. I mean, generally speaking, regulations, especially around finance, are expecting or assuming that there's going to be
00:26:37
Speaker
one, two, three, a vast number of intermediaries there to play certain roles. We talked earlier about the costs, the risks that these intermediaries bring to the systems. Like I said, I was a securities lawyer doing public capital markets. I saw all the intermediaries, I was arguably a part of them, and the millions of dollars that it cost to sell any amount of equity into a public market in the US.
00:27:05
Speaker
There aren't intermediaries in blockchain technology. And so if you try and apply those regimes to this technology, it just doesn't fit. And so I think these institutions are super excited to apply this. They see the benefits, right?
00:27:24
Speaker
Like, we want this. It's just super hard. So for them to be able to comply with current regulations, often they do need certain centralized points of control. And, you know, part of our job is to acknowledge
00:27:41
Speaker
okay, that is going to have to exist for where they're at now. Ultimately, it presents some centralization risk, but it's just something we have to acknowledge so that their users aren't getting the full benefit of decentralization. I think ultimately when regulations come that will
00:28:02
Speaker
Acknowledge this technology will allow these companies to go even more decentralized, pass those benefits on to their consumers, their users.
00:28:15
Speaker
time will tell how fast and how clear and how tailored those regulations will be. I think the work you folks are doing in this podcast is a great step in that direction. I think one of the, is it a branch of wisdom or the tree of wisdom? Wisdom, yes, exactly. Thank you. It is sensible regulations that
00:28:40
Speaker
And I think the first one is you got to understand the technology first, right, to roll out this regulation. So yeah, I think we're in the right direction. And then, you know, Defender 2.0, because it really does kind of
00:28:58
Speaker
help folks bake in security best practices along the whole software development life cycle also caters to regulated institutions. For example, it helps compartmentalize access privileges to certain aspects of interacting with your protocol. So I think that brings more traditional software security to the blockchain where
00:29:25
Speaker
Someone else might just be literally going in the command line and interacting one-on-one with a protocol. Now folks need to log on through a more traditional SaaS platform, have the right credentials to then get to a point where they could maybe interact, change a parameter, something like that.
00:29:45
Speaker
And then the platform logs all activity. We pipe that data into whatever Datadog, Splunk, compliance platforms that these institutions need to have, right? Logging all their activity when it comes to technology. And it just makes it easy for them to do that. Then they have record keeping. They can meet those requirements. They could even do forensics if they needed to, looking back. But the cool thing is Defender does still respect the decentralized nature of the underlying technology.
00:30:13
Speaker
It's not going to retain any custody over their assets. It has no private keys. Ultimately, they're going to have to sign those transactions.
00:30:24
Speaker
within the platform. So it's kind of a balance of both the web two, web three worlds, if you want to use those terms. Right. No, that definitely makes sense. And just following that train of thought, I think that a lot of people are talking about artificial intelligence,
AI and Machine Learning in Blockchain Security
00:30:41
Speaker
machine learning. We've seen that is a very interesting branch, even if people are not directly in this space.
00:30:48
Speaker
I think that by now there can be a lot of misunderstandings and also just fear in general. But I think that these emerging technologies are actually being leveraged to enhance blockchain security. So if you could elaborate on how, for example, artificial intelligence is helping
00:31:09
Speaker
this whole process of blockchain security may be in a different way that it would be originally thought. You could just share with us your insight on that. Yeah, sure. I think everyone is super excited about AI, ML right now. That's the hype cycle we're in. Blockchain one's in the past for a bit now.
00:31:32
Speaker
And everyone is playing with ChatGPT, as are we. And, you know, including myself every day when it comes to my work. But yeah, I think, like, as happens in hype cycles, folks leap to conclusions about what could happen pretty quickly. But yeah, we just started playing around with it, testing it. We do have an AI/ML team dedicated to working on this stuff.
00:32:02
Speaker
We did a fun experiment that folks might like to hear about. We have Ethernaut. It's basically a game where you're trying to break decentralized applications. So you're trying to hack it. You pass the levels by finding the security vulnerability. And this is to help white hat security researchers improve their skills, learn about blockchain security.
00:32:24
Speaker
So we let ChatGPT-4, I think it was, go at these levels. It passed 19 out of 23 levels, which maybe sounds impressive, but if you look at the date of the training data for ChatGPT, it started failing as soon as the data cut off from releases of the levels. So what people do is write solutions to passing the Ethernaut levels,
00:32:53
Speaker
ChatGPT was trained on some of them and was able to kind of repeat those solutions. And it makes sense. It's a large language model. It was meant to have human-like conversations, not detect security vulnerabilities.
00:33:11
Speaker
But when you build a model that is actually trained on high quality vulnerability detection datasets, which is something we've been doing since 2015, it can yield far superior results. So we have had success training kind of a more customized model on re-entrancy attacks, which is a pretty common type of vulnerability found in blockchain code.
00:33:40
Speaker
and other code. And they have seen the ability to pick out these more complex vulnerabilities on its own. So I think that's super exciting. And I think as our team expands and others expand, I'm sure there's other folks out there doing
00:34:01
Speaker
really cool stuff. There's promise there. It's not a reality yet, and I mean, I see it as I play with ChatGPT as a lawyer.
00:34:12
Speaker
It can be super helpful at certain tasks at the end of the day. You need to apply your own judgment and kind of assess if what you've come up with is accurate and you have to kind of take responsibility for that. And I think for the foreseeable future, we need human security auditors.
00:34:36
Speaker
But one area where I think AI/ML has excelled in blockchain security is on the monitoring side. I mean, the beauty of blockchain, a public blockchain at least,
00:34:49
Speaker
all this data is available to anyone and it's constantly being generated on a block by block basis. And I mean, big data is a beautiful place to be for AI/ML, right? It's able to ingest and make sense of it much more efficiently than in the past now. So I think AI/ML is recognizing patterns that lead to malicious activity on chain and then detecting them in real time.
00:35:18
Speaker
On the Forta network, which is actually a decentralized security monitoring network we helped initially build, it's now actually fully decentralized, super cool. Anyone can deploy a bot that scans for malicious transactions, anyone can just go subscribe and basically pay their
00:35:38
Speaker
fees on chain and get access to that security data. And I think in Forta, you know, a number of bots have started to incorporate AI/ML, where, yeah, it's looking on a block by block basis every couple of seconds, what's going on, and it can recognize patterns, like, for example,
00:36:02
Speaker
an account was created and that address had previously been connected with an account that was funded from Tornado Cash. There's one red flag, and it's one step or two steps removed from that address.
00:36:21
Speaker
When you look back on past hacks, that's often where hackers are funding their attacks from. So, well, this could be a suspicious transaction. If it is a user, you might not sign this transaction, and these bots can kind of pop up an alert in your wallet going, whoa, triple check
00:36:43
Speaker
all of the information in this transaction and don't sign blindly. And so I think that's a really cool aspect of security that's advancing very rapidly right now. That's fascinating. And just to wrap up, because we could go on, but just one last question.
Choosing the Right Security Partner
00:37:01
Speaker
And just what advice do you have for organizations that are looking to strengthen their blockchain security posture and choose the right security partner or solution? What are those key things to look out for? Yeah, I don't want to sound like a broken record here, but I think it's just teams need to embed a security first mindset at all
00:37:26
Speaker
when they start are smaller, and they should find, I think, a security partner that can help them at every step of the way. And sometimes that doesn't even require hiring anyone, right? A lot of those early stage things we offer out there, like OpenZeppelin Contracts, they're open source, they're free to use. And so I think just finding a security partner that can, yeah, really help you with all aspects, and it allows you to not, hopefully,
00:37:56
Speaker
get up to a release deadline, you want to launch your product, and you're out there shopping and haggling with different audit firms, subject to whatever the pricing is at that time.
00:38:06
Speaker
And, you know, availability can be super tough when it's booking an audit. And I think, you know, finding that partner early, we've had most success where we enter into kind of a year relationship with folks. We help them even as they're building kind of map out the best way to build with security in mind, maybe building tests and then coding to your tests.
00:38:27
Speaker
And then, you know, when it comes to their audit, well, we know that code, we helped kind of guide them in its creation. Our team's able to do that audit a lot faster. That means lower costs, and it doesn't affect their release schedules.
00:38:43
Speaker
And then when it comes to the next iteration of that protocol, the V2 let's say, our team again knows the code base, how it's supposed to operate. They can kind of jump right in, and even in a worst case scenario where they have to pick up the red phone and they have an incident they need to respond to, well,
00:39:06
Speaker
we have a team of experts that know their system inside and out and can react very quickly and hopefully help with anything. I would just think about, or encourage folks to think about, finding the right partner over time, and there's a lot of great security companies out there.
00:39:26
Speaker
So yeah, think holistically, I think, about security. Of course, I like that phrase, think holistically. And well, thank you so much, John, for such an insightful discussion, for covering different areas of such an important topic that I think is relevant now more than ever with everything that we're seeing. And yeah, I just wanted to thank you for your time and for being on the Owl Explains podcast. And if there's anything you'd like to say just to close, where people can contact you, can reach out to you.
00:39:56
Speaker
Yeah, for sure. I mean, thanks again for having me. This was fun chatting about security. Like you said, we could probably go on and on. But yeah, I mean, look me up on LinkedIn. I'm John Neufeld, general counsel at Open Zeppelin. You can email me, legal at Open Zeppelin. Happy to chat, happy to collaborate. And yeah, really enjoyed it. Thanks again for having me. Awesome. Thank you, John.
00:40:24
Speaker
We hope you enjoyed our Hootenanny. Thank you for listening. For more Hootful and hype-free resources, visit www.owlexplanes.com. There, you will find articles, quizzes, practical explainers, suggested reading materials, and lots more. Also, follow us on Twitter and LinkedIn to continue wising up on Blockchain and Web3. That's all for now on Owl Explains. Until next time!