Voice of the MANXers: Series #3
The third MANX Ask Me Anything (AMA) focused on network security. It was conducted on August 30, 2018 in the MANX Academy of Token Economics (MATE) group, an invitation-only Telegram group focused on informational and educational discussions on all aspects of blockchain technology. The members of the group are selected for their active engagement in the global MANX communities.
This session was led by Dr. Yang Tang (head of network security), Dr. Yawei Cui (cofounder), and moderated by Jennifer Bie-Purewal (head of global communities). This transcript has been edited for clarity.
Jennifer: What is the difference between security on blockchain and network security in general?
Yang: General computer systems can use hardware for system protection because of its centralized deployment. But with blockchain, because of the P2P network, every point in the entire network must be robust enough.
To achieve this, it is necessary to implement a dynamic security policy to protect the network with powerful encryption algorithms and intelligent analysis depending on the user’s environment. At the same time, the code must be strictly checked. MANX is doing all these things.
Yawei: This question is from our Chinese community. We have noticed that you have been in this area for quite a while and have been working for one of the largest banks in the world — China Construction Bank. How do you plan to use that experience for MANX?
Yang: MANX is a new blockchain infrastructure. Its design ideas are great and unprecedented. MANX will benefit from my information security experience in the world’s largest bank.
MANXer V: Building a blockchain often comes at a pretty severe compromise to security (there are ways around this, but most of them are not particularly elegant). What about yours? What problems do you need to contain now? And in future?
Yang: MANX’s security architecture is at the highest level in the international financial security field.
The MANX security architecture aims to build a financial-level, smart and proactive blockchain security system to provide intelligent, one-stop, open-share and on-demand security services.
1. Secure fund transactions and customer information
2. Balance transaction security and customer experience
3. Source level, full-lifecycle protection
MANXer T: How is your network security policy arranged? I mean everybody makes things secure, but it is not always enough to keep it secure. Do you have a QA team, or will it be made via outsourcing?
Yawei: We are building the team now. QA will be done in-house.
As for our policy in general, the goal of TPS is efficiency, and the goal of security is to protect asset safety. MANX will take the protection of asset safety as a yardstick. Intelligent measures will be taken to enhance security intensity and processing efficiency to ensure that the project meets TPS goals and security requirements.
MANXer N: Is it true “the more secure, the less speed”?
Yawei: Your question is about the relationship between security and speed, mostly measured in TPS in this industry. First of all, we do not think safety and efficiency are contradictory.
We maintain that real security is needed to meet business needs, such as the design of a TPS infrastructure goal, and our security measures are designed to meet that goal. Security measures may increase authorization control, change encryption strength and affect business rules, but the combination of security measures must improve the overall performance of the business. There is a balance point.
We now know that Yang has been an expert in the banking industry. In fact, banks have done a good job with security in general. MANX’s security management and technology application will also follow the concept of “safety as a service”.
MANXer M: Seems everyone enjoys seeing everything live on GitHub because they think they can track the project team perfectly. I’m not saying this is true or not. My questions are:
1. Is it necessary to do so?
2. Is it safe to do so?
3. What factors must the project teams pay special attention to so as to ensure the safety of the database and privacy of those who are involved in the project?
Yang: Yes, it is a good way to let everyone know the progress of the project by using GitHub. But some aspects of the core technology should be protected, especially the contents of system vulnerabilities. Because we want to launch more mature products for SMEs, we will gradually open up the content to help developers and users better understand and use it. This is why we set up the MANX Academy of Token Economics.
The code we put on GitHub will be strictly security tested and logically secure. We can’t put any stage of code, even passwords, on the Internet without thinking about it. These human errors are exactly what hackers expect.
We often say that information security involves people, assets and technology. All good projects are developed by people, so the security awareness and security management capabilities of the development team determine whether developers will make low-level mistakes in software security.
As a result, MANX has formed a cyber-security team from the start, which is not common for most Internet companies. We identify and classify and protect the most valuable assets most strictly. The security, integrity and usability of the database will be the focus of our attention. Our data protection measures include database homomorphism encryption, database audit, biological identification and data leakage prevention.
MANXer T: How will you handle risk management when it comes to securing the transactions records? Someday banks will use blockchain, maybe someday we will use your blockchain for transferring our assets.
Yang: MANX realizes the boundary defense and depth defense at the same time for each node. By dynamically adjusting the security strategy, the system boundary protection system evolves from the “Cask Model” to the “Multi-waterlocks Model”, which effectively avoids the Buckets Effect in the conventional security architecture.
MANXer B: Is there any reason for developing a private chain for SMEs before the public chain?
Yawei: A bit of confusion here. MANX is not a private chain. It is a public chain aiming to serve everyone, especially SMEs and individuals.
MANXer G: Will the security features of MANX reduce its target TPS?
Yawei: The answer is no. Let me reemphasize one point: The goal of TPS is efficiency, and the goal of security is to protect asset safety.
MANXer G: Can users choose security tools/strategies flexibly?
Yawei: According to the application requirements, MANX will provide various types of security components that can be called by users, including client-auth component, small and micro enterprise user-auth component, cryptographic service component, data security component, security monitoring component and infrastructure security component.
MANXer G: Let me ask one more. How do you deal with privacy protection?
Yawei: Privacy protection is a key area that MANX has always focused on. On May 25, 2018, the European Union’s “General Data Protection Regulations” (“GDPR”) came into effect.
At the beginning of the system design, the MANX team has carried out in-depth research and analysis of IT privacy protection regulations and standards in 18 countries and regions. The privacy protection compliance review will be incorporated into the development process.
Yawei: How does MANX solve the “eclipse attack”?
Yang: Nodes on the blockchain must remain in constant communication in order to compare data. An attacker who manages to take control of one node’s communications and fool it into accepting false data that appears to come from the rest of the network can trick it into wasting resources or confirming fake transactions.
In MANX, security rules and security levels are intelligently generated based on context information, transaction amount, and familiarity to produce the best security verification methods to give customers the best security experience.
The system implements a regular upgrade of the security model through self-learning and intelligent optimization techniques to adapt to external attacks and fraud prevention requirements.
Jennifer: There are many more questions unanswered on this topic. As I described at the beginning, when it happens, it is not just headline news. It is about you, me and everyone. Let’s keep the discussion going!
The next AMA will be on Token Economics, led by Dr. Dennis Zhang, head of token economics and dApp development. Again, it will be held in MATE. Please join our Telegram group t.me/macrochain, get informed, get engaged, get invited, and get whitelisted!