jakiro
Author: Vtalik, the co -founder of Ethereum; Translation: 0xjs@作 作 作 作 作
In the past week, an article about a company’s loss of $ 25 million is widely circulated because a financial staff was persuaded to send bank telegraphs to the scammer who posted CFO … and this seems to be a very convincing deep forgery videoTelephone.
Deepfakes, that is, fake audio and videos generated by artificial intelligence) appear more and more frequently in the field of cryptocurrencies and elsewhere.In the past few months, my deep falsification has been used to promote various scams and dog coins.The quality of deep forgery is rapidly improving: Although the depth of 2020 is obvious and bad, it is embarrassing, but in the past few months, the depth forgery has become increasingly difficult to distinguish.Those who are familiar with me can still recognize my recent depth for falsification of my video because it makes me say “Let’s F *** ing Go”, and I only use “LFG” to represent “LOOOKING for Group”, but only he has heard a few more a few timesThose who voice my voice are easily convinced.
The above -mentioned security experts of the 25 million US dollar theft have unanimously confirmed that this is a rare and embarrassing failure of the operational safety of enterprises at multiple levels: the standard method is to go through more before any transfers that are close to the scale to get more than the formal approval.Sign in a level.But even so, the fact is still that by 2024, a person’s audio and even video streams are no longer a safe way to verify its identity.
This raises a question: What is the way to be safe?
The separate encryption method does not solve the problem
It can safely verify that people’s identity is valuable for various people in various situations: individuals who recover or sign for business transactions, and individuals approved business transactions, and individuals who approve large transactions (such as, such asInvestment startups, purchasing products) houses, remittances), whether cryptocurrencies or legal currencies, and even family members need to verify their identity in emergency situations.Therefore, it is important to have a good solution that can survive in a relatively easy deep forgery in the upcoming era.
One of the answers I often hear in the encryption circle is: “You can verify your identity by providing an encrypted signature by providing an encrypted signature by adding addresses to your ENS/Human Protection/Public PGP key.”This is an attractive answer.However, it completely ignores why let others participate when signing a transaction is useful.Suppose you are an individual who has multiple personal signature wallets, and you are sending you a transaction approved by some co -signatures.Under what circumstances will they approve?If they are convinced you are the person who really wants to transfer.If the hacker steals your key or kidnappers, they will not approve it.In the corporate environment, you usually have more defense layers; but even so, attackers may be impersonated, not only for final requests, but also for early stages of approval process.They may even hijack the legal requests by providing wrong addresses.
Therefore, in many cases, if you use a key signature, other signatures will accept you as you, which destroys the entire point: it turns the entire contract into 1-OF-1 multiple signatures, and some of them only need to controlYour single key can steal funds!
This is a place where we get a actually meaningful answer: security question.
Security Question
Suppose someone sends you a text message, claiming to be your friend.They send text messages with an account you have never seen before and claim to lose all the equipment.How do you determine whether they are what they call?
There is an obvious answer: ask them something about their lives that they only know.These things should be:
-
You know
-
You want them to remember
-
I don’t know online
-
It’s hard to guess
-
Ideally, even those who hackers have invaded enterprises and government databases do not know
-
When the two of us met for the last time, which restaurant did we eat dinner and what food did you eat?
-
Which of our friends have a joke about ancient politicians?Which politician is that?
-
Which movie we have watched recently, do you not like?
-
You suggested last week to discuss the possibility of helping us to help us conduct ____?
-
Pre -agreed password: When you are together, you will deliberately agreed a shared password, and you can use it to verify each other in the future.
-
It may even be reached by the coercion: you can accidentally insert a word into the sentence, so as to quietly send a signal to the other party, indicating that you are being coerced or threatened.This word should be common enough to make you feel natural when using it, but it is rare enough to insert it into your speech unexpectedly.
-
When someone sends you an ETH address, please confirm through multiple channels (such as Signal and Twitter DM, company website, and even common acquaintances)
-
Preventing intermediate people attack: signal “security number”, Telegram emoticons, and similar functions are easy to understand and prevent.
-
Daily restrictions and delay: Simply delay the consequences and irreversible action.This can be completed at the level of strategy (pre -signature, they will wait for n hours or days before signature) or at the code level (appropriate restrictions and delay in smart contract code) to complete
Naturally, what they want to ask them are common experiences.Possible examples include:
Some people have recently used practical examples to verify my identity.
The more unique your problem is, the better.The question that people must think about the edge of the answer for a few seconds are good: but if the people you ask, you really claim that you have forgotten, please make sure they ask them three questions again.Ask the “micro” details (what someone likes or does not like, specific jokes, etc.) is usually better than “macro” details, because the former is usually more difficult to make third parties unexpectedly excavated (for example, even if someone posted on Instagram, it was released on Instagram.For a dinner photo, Hyundai LLM is likely to capture the photo quickly and provide a location in real time).If your problem may be guess (in a sense, only a few potential options are meaningful), please add another problem to increase entropy by adding another problem.
If the security practice is boring, people usually stop participating, so it is healthy to make the safety problem interesting!They can be a way to remember positive common experiences.They can be the driving force for truly having these experiences.
Supplement security issues
No kind of security strategy is perfect, so it is best to stack multiple technologies together.
A potential complex attack, the attacker pretend to executives and the assignee in multiple steps of the approval process.
Both safety issues and delay can prevent this situation; both of them may be better.
The security problem is very good, because different technologies that fail due to inhumanization, security issues are based on the information that human beings are born with good at remembering.I have been using safety issues for many years. This is a habit that actually feels very natural and not embarrassing. In addition to other protective layers, it is worth incorporating your workflow.
Please note that the above -mentioned “individual” security issues are very different from the use cases of “enterprises to individuals” security issues. For exampleAfter 40 minutes of annoying concert, bank employees will appear, asking your name, birthday, and maybe you have the recent three transactions.I personally know that the type of answer question is very different from the type of question that companies know the answer.Therefore, it is worth considering these two situations alone.
Everyone’s situation is unique, so you are different from different people as different people as different people.Generally speaking, it is best to make technology adapt to people, not to make people adapt to technology.A technology does not require perfect to play a role: the ideal method is to superimpose multiple technologies at the same time, and then choose the technology that suits you best.In the world of depth for falsification, we do need to adjust our strategy to adapt to new reality that is now easy to forge and still difficulty forgery, but as long as we do this, it is still possible to maintain safety.
