Welcome to the 67 new people who joined the onchain letters community since Sunday!
I'm thankful for all 763 of you and I hope everyone is having a great start to the week!
If you're enjoying my writing, please share Onchain Letters with your friends in Crypto and join the /onchainletters channel on Farcaster.
A letter to samczsun & Security Alliance
Key Takeaways
Digital attacks have been around since 1988 and countless companies the public trusts today have faced breaches of some kind. Security is always a work in progress for any network based system - blockchains are no exception.
It's time for crypto to have its own CERT. Without a dedicated team of top cybersecurity engineers, the crypto ecosystem will always be one step behind the hackers. Bugs are an inevitable part of product development but that doesn't mean we can't optimize our response mechanisms.
If you're a founder and running your own protocol or an investor that has a portfolio of protocols, going through the Whitehat Safe Harbor agreement in depth should be a no brainer. It's best to use the resources such as SEAL 911 and Drill training instead of facing the wrath of blackhat hackers.
Since the last Bitcoin halving in May 2020, Rekt News has listed 185 hacks in the crypto space. The total amount lost just from the first ten projects on the leaderboard comes out to $3.85 billion!
In the past 4 years, hacks have been mainstream media's go-to news for bringing down crypto and underscoring the negative aspects of the space. To a certain extent, though, it makes sense for them to do so. The truth is, these DeFi products do come with significant risk! There are people out there who trust these protocols with their hard-earned money. I don't know about you, but I would never want to lose any of my savings, no matter how much I believe in decentralization and open source.
The thing is, though, hacks are a double-edged sword. Though it's absolutely brutal that protocols are drained maliciously, blackhat ('evil') hackers keep developers on their toes. With every attack comes a valuable lesson for the entire ecosystem.
It can be easy to forget that crypto is still relatively young compared to the rest of the web. And with any new networking technology, there's a period of vulnerability and adaptation as security measures catch up with innovation.
Hacks on the internet have been around since before Tim Berners-Lee invented the World Wide Web! It took time for all of these technologies to become safer. Similarly, as crypto security continues to grow stronger, we'll see fewer teams fall victim to blackhat hackers and more people feel comfortable interacting with promising protocols.
Today's letter has 3 sections:
The Morris Worm & CERT
Bringing safe harbor to web3
The crypto avengers & Resources
Let's dive in.
The Morris Worm & CERT
On the night of November 2nd, 1988, a program was released onto the internet from a computer at MIT.
The software program was intended to replicate itself and spread to other machines. It exploited vulnerabilities in UNIX systems, used a backdoor in e-mail, and also attempted to guess user passwords in order to gain unauthorized access to machines on the network.
Within 24 hours, an estimated 6,000 of the approximately 60,000 computers connected to the internet had been hit... Among many of the casualties were Harvard, Princeton, Johns Hopkins, NASA, and the Lawrence Livermore Laboratory. - FBI.gov
Though no files or information were destroyed, many military functions were slowed down and institutions did end up disconnecting their systems from the internet for days.
It turned out that the genius behind the hack was Robert Tappan Morris, a 23-year-old graduate student at Cornell University. To cover his tracks, he released the program by hacking into an MIT computer from his Cornell terminal.
This incident came to be known as the Morris Worm and was the first hack the internet community had faced.
In fact, the worm led to the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. Note: Morris didn't end up going to prison, but was instead fined and ordered to perform 400 hours of community service.
But most importantly, this incident led to the formation of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
CERT/CC
CERT was formed by DARPA (Defense Advanced Research Projects Agency) in order to address network security problems and provide the necessary coordination to respond to network emergencies such as the Morris worm.
Some of CERT's responsibilities:
Incident response - help organizations out after major security incidents
Vulnerability analysis - work with vendors to patch bugs before they spread
Research - improve general network resilience
Training - help enhance cybersecurity within organizations
From its founding in 1988 all the way to 2016, Richard Pethia served as the director and grew the group from a small team to a research organization of more than 200 people dedicated to cybersecurity.
In the last 30+ years, many of the major cybersecurity incidents around the world were analyzed and patched by the team at CERT. Some examples include:
ILOVEYOU Virus (2000)
Code Red (2001)
Stuxnet (2010)
WannaCry Ransomware (2017)
CERT has been the glue between big tech companies, government agencies, and cybersecurity professionals to help keep the internet a safe place.
Now, why is the story of the Morris worm and CERT relevant for today's letter? Well, for two reasons:
To serve as a reminder that it's not just the crypto ecosystem that faces hacks but rather all parts of the web. Hacks have been around since 1988 and countless companies the public trusts today have faced breaches of some kind. Security is always a work in progress for any network based system - blockchains are no exception.
It's time for crypto to have its own CERT. Without a dedicated team of top cybersecurity engineers, the crypto ecosystem will always be one step behind the hackers. Bugs are an inevitable part of product development but that doesn't mean we can't optimize our response mechanisms.
Bringing safe harbor to web3
For those of you who don't know, samczsun is one of the most important people in the crypto space and operates completely anonymously. He even used a voice modulator on a recent episode of the Chopping Block podcast. Day to day, he works as the head of security at Paradigm and is responsible for keeping the fund and its portfolio companies secure. But in his spare time, he's busy working as an S-tier whitehat hacker to keep the industry safe from bad actors.
There have been a variety of hacks that he has helped out with in different war rooms over the past few years. And the entire ecosystem looks to his threads after a major incident to better understand what the heck is going on.
Additionally, he's called out vulnerabilities for major players in the ecosystem such as SushiSwap, Fuse, Geth, etc.
In fact, Sam is so good at his job that the meme in crypto is that getting a late night message from him might be the scariest thing for a founder. Either your protocol has been hacked or is about to be.
Last Wednesday, Sam officially announced a project he has been putting together for over a year: Security Alliance (SEAL).
The core mission behind SEAL is to provide white hat crypto security researchers an organization to safely work under. Or as Sam mentions:
In web2, we have the concept of "safe harbor" for security researchers, and I wanted to bring that idea to web3
But what exactly are cybersecurity safe harbor laws?
Simply put, safe harbor laws are designed to encourage individuals and organizations to be proactive about their cybersecurity by providing legal protection to researchers who identify and report security vulnerabilities.
These laws and policies recognize that individuals who disclose vulnerabilities can potentially save companies and users from significant harm due to data breaches or other security incidents. In other words, it takes out the fear of legal action, which can often be a barrier for security researchers to do their best work.
However, these laws don't directly apply to crypto. There still isn't any legal clarity for security engineers in the blockchain space and how they can interact with protocols in time sensitive situations.
Key part: "whitehats felt it was too risky to intervene".
So, after a long 18 months, Sam worked with countless people in the space to spin up the Whitehat Safe Harbor agreement.
I read through the whole agreement and the main thing it comes down to is providing whitehat security researchers clarity and legal protection from protocols if they follow the rules and act in good faith.
The Safe Harbor initiative is a preemptive security measure for protocols, similar to a bug bounty. It is a framework specifically for active exploits, i.e. situations where a vulnerability has begun to be exploited by a malicious actor. If a protocol has adopted Safe Harbor before such an incident occurs, whitehats will have clarity on how to act in a potential rescue, and will be more likely to help intervene.
To me, this security alliance is basically the CERT for crypto - a group of the most prolific good-faith cybersecurity researchers under one organization working with different stakeholders (companies, legal entities, investors, etc.) to provide top tier security and emergency response for the space.
I believe the newly formed security alliance will be one of the most important groups in crypto as we head into the next cycle. It's in the bull markets where things get the craziest, people get drunk off of get rich quick schemes, and bad actors take advantage of new developers and experiments.
We're bound to hear about all kinds of hacks in the next year but fortunately this time around we have a dedicated group of researchers with the right incentives and protection to act quickly.
So who are these whitehat hackers that serve as crypto's first responders?
Meet the crypto avengers
Crypto Avengers & Resources
In the past year, while the Whitehat Agreement was coming together, some of the top crypto security researchers grouped together to start providing two invaluable services through security alliance:
SEAL 911
Drill Training
SEAL 911
As described on the website:
SEAL 911 is a project designed to give users, developers, and even other security researchers an accessible method to contact a small group of highly trusted security researchers.
Here's a list of the crypto avengers from all parts of the ecosystem whom people go to if their protocol is in trouble.
This Telegram bot makes it easy to reach any of them with emergency security requests.
Drill Training
The SEAL team also has their drill scenario template uploaded on GitHub so that any security team in the space can use it. There are three phases:
Recon - performing a thorough analysis of the protocol's attack surface
Validation & Tabletop exercise - helping the team figure out their response process, role assignments, and understanding of the attack surface
Live Drill Planning - test the two phases above in a live attack scenario
You can also check out the tools section they have listed which includes Foundry, Hardhat, Silverback, and a Live Fork & Explorer.
If you're a founder and running your own protocol or an investor that has a portfolio of protocols, I highly recommend going through the Whitehat Safe Harbor agreement in depth.
Security should be the #1 priority for any crypto founder out there. Without the best security, the product is irrelevant. Samczsun and the security alliance team have finally formed a group that I believe every protocol should take advantage of.
As I mentioned at the start of this letter, the Rekt leaderboard has counted 185 breaches in the last four years. In this coming bull market, the goal as an ecosystem should be to minimize the number of hacks that happen. We're getting better, the resources are coming together, and I believe it's only a matter of time before we see that number drop.
Before I wrap up this letter, I also wanted to share this tweet by Vitalik that discusses how AI-assisted formal verification could be an awesome preventative technique for bugs in protocol code. Hopefully we see tools in this niche emerge soon so there's an extra layer of security that developers have before launching their code to production.
The nature of any kind of security is that it's a constant game of cat and mouse. Blackhats hack, whitehats protect and fix, and the cycle continues as long as innovation continues. There's no such thing as 100% secure when it comes to technology, but it's up to the "good side" to try our best to protect the networks through preventative tools and optimized response protocols.
No matter how many creative applications the crypto space builds, the mainstream audience will never onboard if we can't get security right.
Thanks to samczsun and the crypto avengers for keeping the ecosystem a safer place.
That's all for today's letter - I hope everyone has a great rest of the week!
- YB