Zhou Hongyi in conversation with Wang Feng: no intention of shorting EOS, has never bought cryptocurrency

Visitor  Reads: 18  2024-06-28 16:04:06  Comments: 0

Zhou Hongyi said there was no long-laid plot and no malicious short-selling of the kind people imagine. "It is not that 360 must get into blockchain. It is that I don't accept defeat; in this new era of 'big security', I hope 360 can keep playing its role as a security guardian."

Zheng Jieyao

On May 30, 360 founder Zhou Hongyi joined the "Wang Feng Ten Questions" think-tank group to discuss with Wang Feng the EOS security vulnerability that came to light the day before.

At midday on May 29, the official Weibo account of 360 Safeguard announced that 360's Vulcan team had recently discovered a series of high-risk security vulnerabilities in the EOS blockchain platform. According to the announcement, some of these vulnerabilities had been verified to allow arbitrary remote code execution on EOS nodes, meaning an attacker could remotely take direct control of every node running on EOS. Zhou Hongyi then stated on Weibo that the series of new vulnerabilities found in the smart-contract virtual machine of the EOS platform was "worth ten billion dollars."

In the early hours of May 30, EOS founder BM responded in a Telegram group to the vulnerabilities disclosed by 360, saying that the vulnerabilities mentioned in 360's report had long since been fixed by EOS, before 360 published its report. As for the vulnerability itself, BM said most of the bugs came from a third-party code library rather than from EOS core code, that the vulnerability could not overwrite executable memory, and that it could not obtain root privileges unless the node had been deployed to run as root in the first place.

BM also made a point of saying that anyone who provoked market panic would be disqualified from the bug bounty, which seemed to be aimed at 360.

Responding to BM in today's conversation with Wang Feng, Zhou Hongyi explained that 360 was neither creating panic nor trying to short EOS. Before publishing the vulnerability, the 360 security team had contacted BM privately and waited for the other side to confirm the fix before disclosing it, which is why the code was fixed before the vulnerability was published.

"If we wanted to create panic, we would have released this right at the mainnet launch; the panic would certainly have been far greater than it is now," Zhou said.

On this incident specifically, Zhou believes the vulnerability could affect the EOS mainnet launch schedule, and he personally thinks EOS should delay the launch. "Our security team is still finding EOS vulnerabilities; of course we will submit them to EOS promptly as we find them, and our advice is to go live after they are fixed." He denied that 360 and EOS have any business cooperation.

Zhou also said the 360 team had been researching blockchain security since the end of 2017 and would launch three systems for the blockchain security ecosystem: a cryptocurrency wallet security audit system, a blockchain security situational awareness system, and a blockchain node security solution.

The full conversation follows:

Wang Feng: Yesterday at noon, when 360 published the news of the high-risk EOS vulnerability, I happened to be out having coffee with Feng Bo, the head of Ceyuan Ventures. Hearing the news was a jolt: 360 had made its move on blockchain! Feng Bo immediately messaged Mr. Zhou on WeChat, and to our surprise he replied very quickly. So today we have invited a heavyweight of the industry, Zhou Hongyi, known as the "Red Cardinal", to "Wang Feng Ten Questions". The topic: the EOS security storm.

First, let's look at his background. He graduated from the Department of Computer Science of the School of Telecommunications at Xi'an Jiaotong University, and was then admitted without examination to the Department of Systems Engineering of the university's School of Management for graduate study. He founded "3721 Internet Keywords", a pioneer in Chinese-language Internet services, and later served as president of Yahoo China, among other positions. In 2006 he founded 360 and launched the "free security" strategy, which reshaped the Chinese Internet landscape. On March 30, 2011, Zhou led Qihoo 360 to a listing on the New York Stock Exchange. In January this year he was named one of the "Top Ten Economic Figures of 2017", and in February 360 Group listed successfully on the Shanghai Stock Exchange. Zhou is also a member of the Economic Committee of the 13th National Committee of the CPPCC.

Now let's begin today's ten questions: straight into the storm.

Question one. 360 started with a PC security guard product and has since worked on Internet security applications; I also know that in recent years you have gradually moved into enterprise security. Why have your security tentacles suddenly reached into blockchain? Our team went through your personal Weibo for the past year and found only two blockchain-related posts: one around last year's "9/4" regulatory crackdown, and one yesterday reposting 360 Safeguard's announcement of the EOS vulnerability. For a long stretch in between, blockchain was hardly mentioned. After Chinese New Year, when the "3 o'clock" WeChat group was buzzing about blockchain, you never casually offered an opinion on it. Yet yesterday, while breaking the news of a serious EOS vulnerability, 360 struck like lightning and in a single day announced partnerships with Binance, OracleChain, EOS LaoMao, Dbank and other projects. Why? It looks like something long planned. Is there a bigger move coming?

Zhou Hongyi: Honestly, there was no long planning. Since before the New Year I have been trying to learn about blockchain myself. I didn't say much in the 3 o'clock group because I genuinely hadn't understood some of it yet. But on security we are experts, so at the end of 2017 and the beginning of 2018 we were in fact already paying attention to blockchain security and had begun studying blockchain technology and its security issues.

In the process we have been in contact with many projects in the industry, and our attitude is fairly open. We hope everyone will pay attention to security, so when people come to us on their own initiative hoping for some in-depth exchange on blockchain security, we are very willing to provide safer solutions to the blockchain industry. Going forward we will certainly keep studying blockchain security in depth, keep an open mind, and welcome everyone to exchange ideas and cooperate.

Although many blockchains and cryptocurrencies advertise themselves as very secure, any software system, once it is sufficiently complex, carries risk because of that complexity, and will have security problems. Blockchain technology is no different. It is hot right now, so we are paying more attention to it.

Recently we have found problems in many blockchain systems, exchange systems and wallet systems. Until now everyone has been focused on the business opportunities blockchain brings, and few have paid attention to blockchain security. EOS is about to launch and is very representative of the blockchain industry. This time we found EOS vulnerabilities and submitted them to EOS, hoping to push them to patch the system. Disclosing vulnerabilities is part of our duty as a security company.

There is no long-laid plot and no big move. Our big move is to help the blockchain industry eliminate risk, one solid step at a time.

To this day I don't consider myself to understand blockchain, and I personally haven't bought any cryptocurrency. Watching the heated discussions in these groups, where everyone worries about the nation and the people and holds forth like an economist, philosopher or thinker, I honestly feel like an idiot who can't follow. But what we do understand is security, so we hope to exchange ideas with everyone and make the blockchain industry safer.

Wang Feng: Question two. Before 360 published EOS issue #3498, 3,497 EOS bugs had already been filed on GitHub, yet before 360 stepped in few people paid attention, and none had this kind of impact. Honestly, how serious do you consider the vulnerability disclosed yesterday? Why call it a ten-billion-dollar vulnerability? Why did 360 Safeguard call it an "epic" vulnerability on Weibo? In my understanding, "epic" usually describes great achievements and is high praise for something, haha. Quite an "epic".

Zhou Hongyi: Let me first explain what someone exploiting this vulnerability could do with it. If it were exploited, an attacker could control every node and every server in the EOS network. That means taking over not only the cryptocurrency, transactions and applications in the network, but also every server participating in the nodes. Once you have server privileges you can do whatever you want. If someone deployed a malicious smart contract, they could walk off with all the cryptocurrency in it. For a blockchain network, there is no more serious vulnerability than this.

As for "epic": everyone knows the importance of EOS in the history of blockchain. If we hadn't raised this vulnerability and EOS hadn't fixed it, and after the mainnet launched a malicious hacker had found and exploited it, none of us can say whether EOS would have been wiped out overnight. EOS is now valued at ten billion dollars at least, so I don't think it is an exaggeration to say the vulnerability is worth ten billion dollars. Also, this is really jargon from inside our security circle, half a loanword. The Chinese term is translated from "epic"; the overseas security community often uses "epic bug" or "epic fail" to describe a particularly serious vulnerability.

Of course, from a PR point of view, people understand the word "epic" differently; it is too literary. So would calling it a ten-billion-dollar vulnerability feel more down to earth?

Because so many clickbait headlines, "scared silly", "scared to tears", "scared stiff", "meltdown", have been abused, we went with "epic"; really, "ten-billion-dollar class" would have been best.

Wang Feng: Question three. In the early hours of this morning, EOS founder BM responded in a Telegram group to the EOS vulnerabilities disclosed by 360, saying that the vulnerabilities in 360's report had already been fixed by EOS, before 360 published the report. As for the vulnerability itself, BM said most of the bugs came from a third-party code library rather than EOS core code, that the vulnerability could not overwrite executable memory, and that it could not obtain root privileges unless the node had been deployed to run as root. BM's reply implied that 360 was creating panic, and declared that anyone who provoked market panic would be disqualified from the bounty. What do you make of this? Frankly, I think BM is formidable. When he hit back, Xu Bo, who heads EOS Galaxy under our Mars Finance, and I were watching his reply in the Telegram group as it came in. His swift response eased the public's panic about EOS security risks and instead led more people to suspect that this was security hype carefully orchestrated by 360. Hongyi, on this question I hope you can answer more directly.

Zhou Hongyi: No problem. Take it slowly and let the bullets fly for a while. The news you cite is actually no longer the latest. As for the latest, I'll get to it.

Wang Feng: Our team has an EOS Galaxy block producer (BP) candidacy project, so our in-house technical team is also very concerned.

Zhou Hongyi: On the "already fixed" point, I need to explain something to everyone. When we as a security vendor publicly disclose a vulnerability, we always communicate with the other party first, submit it to them to fix, and only after they confirm the fix do we go public. If EOS had not fixed it and we had published, a wave of hackers would immediately have gone after them. So naturally the time we publish our report is later than the time of the fix.

This applies not only to EOS but equally to Microsoft, Google and Apple. For a security vulnerability the usual steps are: first find the vulnerability; once found, research how hackers could exploit it; once that is thoroughly understood, report to the relevant vendor. In the EOS case, for example, we sent them a video of the exploitation and a detailed report with the code involved. Then the vendor fixes it, and only after they confirm the fix do we publish.

On the root privileges he mentioned: root is the highest privilege level in a computer system. Whether or not root is obtained does not affect the attacker's control of the EOS node; it is the same without root. If a user runs EOS as root, then the attacker gets root.

BM's response was a bit confusing. It made it sound as if they had fixed it before we reported it, when in fact we were following the responsible industry-standard process: report -> fix -> disclose.

To be absolutely clear: we first contacted BM privately and notified them of the EOS vulnerability, hoping they would fix it first; we have screenshots of the chat logs. Only after EOS fixed it did we publish the vulnerability announcement.

Today we are still in communication with them. They have expressed their thanks, said they will pay us a bug bounty, and will publicly acknowledge us.

This is standard practice in the security community: if the other party hasn't fixed it, we don't announce it. Throughout this we have been communicating with BM one on one. The screenshot of his Telegram message is from last night and is rather out of context. In fact, shortly after that message, he replied that the vulnerability was real and valid. But that part got cut off.

As for creating panic: if we wanted to create panic, we would have released this right at the mainnet launch, and the panic would certainly have been far greater than it is now.

Let me stress again: the vulnerabilities we submitted were confirmed by the EOS team as real and valid, we have been in communication with the EOS team and BM about the submission and classification of the vulnerabilities, and when we spoke with BM this morning they still very much recognized our results and technical capability.

Throughout this whole process 360 has been very responsible and has strictly followed the security industry's vulnerability disclosure principles. As the largest security vendor in China, and one of the top three globally, we hope to work with our peers and technology companies worldwide to solve cybersecurity problems and reduce the harm they cause users. Helping everyone find and fix vulnerabilities, so that everyone can deliver safe and trustworthy products to users, is our shared responsibility. Blockchain is an emerging technology direction, and whether it is this EOS disclosure or our earlier communication with other blockchain organizations, our involvement is about building safe and trustworthy blockchain products and services together with everyone.

Wang Feng: The biggest blockchain topic this year is EOS. Many people now worry that EOS will postpone the release of its mainnet version, and after this security risk was exposed, even more people care about the release date. In the assessment of the 360 security team, is it possible that the mainnet release of EOS Dawn 4.0 will be delayed?

Zhou Hongyi: I think the launch should be delayed. Our security team is still finding EOS vulnerabilities, and we will submit them promptly; we recommend going live only after they are fixed.

Wang Feng: Question four. This EOS vulnerability disclosure has made the Vulcan team famous overnight, but there was little news about them in the industry before and people are still unfamiliar with them. Can you introduce them in detail? We also noticed you have been mentioning the "360 Security Brain" lately; could you introduce that too? In this affair your Security Brain team communicated with BM's team directly over Telegram; when did substantive contact begin? Rumour has it that you and EOS will soon announce a partnership. Can you reveal it here?

Zhou Hongyi: The "industry" you mean is certainly not the security circle. Everyone in the security circle knows the 360 Vulcan team to some degree. Vulcan was originally the offensive and defensive research team of 360 Safeguard. One year they wanted to compete in Pwn2Own, a rather formidable world hacking competition, so they formed a group for it: the Vulcan team.

They are very strong in offensive and defensive research, finding vendor vulnerabilities and helping vendors fix them. The photo above should be from when they formed a team for Pwn2Own 2015 and won; they broke Microsoft's IE11 in 17 seconds, the first Asian team in history to successfully break IE. At Pwn2Own the Vulcan team has won more than a dozen titles over consecutive years, and at Pwn2Own 2017 they took the overall world championship. So within the circle they are anything but unfamiliar.

As for the Security Brain: you can tell from the name that a brain must be able to learn, compute and make decisions. Simply put, the 360 Security Brain is an integrated intelligent system with perception, learning, reasoning, prediction and decision-making capabilities. As for what it can do: the discovery of this EOS vulnerability actually combined the capabilities of the 360 Security Brain and our security experts.

Let me give another example. I don't know whether everyone remembers the major Internet outage in the US in 2016. It was later found to be a DDoS attack by hackers using smart surveillance cameras. 360 was invited to take part in the emergency response and in the end received thanks from the FBI. What did the 360 Security Brain do in this? Before the incident happened, we had already issued an early warning in the security community, our circle. We were the first to warn about it: our 360 Security Brain had detected abnormal access traffic targeting surveillance cameras.

The Security Brain is artificial intelligence analysing and judging on the basis of big data, which together with the human brains of our experienced security experts forms a true security super-brain.

Contact with BM's team was made directly by our security team, the earliest being on the 28th.

We currently have no direct cooperation with EOS. Blockchain security is an issue we have followed all along; 360 is also an Internet technology company, and we have been investing in technical research on major public chains such as EOS. Since the beginning of the year we have been in discussion with a number of partners about EOS ecosystem building, security protection, block producer competition and so on.

Wang Feng: Question five. Let's confront the conspiracy theory head-on. I don't believe it, but there are rumours that 360 is colluding with certain organizations to short EOS. Sorry, I have to ask, because there are many EOS block producer candidates in China, many of them fervent EOS supporters, and 360's disclosure of the vulnerability yesterday set off all kinds of speculation and uproar; some group members asked that this question be raised.

Zhou Hongyi: From the timing of our disclosure alone you should be able to tell we are certainly not shorting. If I really wanted to short maliciously, I could have sat on it and dropped it right when the EOS mainnet went live.

What are we doing instead? The security industry's standard vulnerability reporting mechanism: contact the EOS team first, submit the vulnerability details, and only publish after they have finished fixing it. This is a very responsible approach. We want EOS, and the whole blockchain industry, to develop better.

Wang Feng: Question six, on security. From the very first "Wang Feng Ten Questions" I asked Shuai Chu of Qtum about it. Later I found many hidden risks. Besides EOS, I note that Ethereum has had several serious security incidents: on June 17, 2016, TheDAO, then the largest crowdfunding project, was attacked and more than 3 million ether were separated from the asset pool; on July 21, 2017, the smart contract development company Parity confirmed that 150,000 ether had been stolen. And recently BEC was dumped after a huge unauthorized issuance. If this happens to projects with the scale and strength of EOS and Ethereum, other blockchain projects need to be all the more alert to security risks. What measures do you think blockchain companies themselves should take to strengthen blockchain security?

Zhou Hongyi: In the blockchain field, I think the real security problems haven't surfaced yet. Through this EOS disclosure we hope to get everyone to take blockchain security seriously. In the cybersecurity industry, two situations are the most frightening: one is being an ostrich in the desert, knowing about a problem and not fixing it; the other is knowing and not disclosing it, until it is finally exploited by someone. Those two are the scariest.

Recently I have also been promoting a concept I call "big security". Simply put, the impact of cybersecurity has evolved from the simple information security of the early days to today, when everything from online to offline is under threat of cyber attack, and new threats keep multiplying. Blockchain, as a technology that has caught fire in the last two years, faces security threats that I also count among these new threats.

In this situation, relying on a single company, for example one project in the blockchain industry, gives limited security capability; conversely, relying solely on a single security company like 360 won't do either. The whole security industry needs to develop. So the blockchain industry needs to collaborate openly with the cybersecurity industry, and everyone does this together. On a blockchain project, on blockchain itself, you, Wang Feng, certainly know more than I do; but on security my people are certainly more professional. So if we do a security assessment for you, wouldn't the security risk drop a lot?

We must remember the saying "there is no network that can't be breached": there are only vulnerabilities that haven't been found, or have been found and not disclosed; a network with no vulnerabilities does not exist. So we hope that the blockchain industry, and every other industry, can face up to the importance of cybersecurity.

Wang Feng: Looking at how the vulnerability arose, the 360 security team has only exposed a design flaw in EOS smart contracts. In terms of vulnerability risk, we actually think there may be many more big security pitfalls lurking in the P2P port, the RPC port, servers and clusters, and so on. Will 360's technical team assess EOS systematically for these issues? This question is a bit more technical; I hope you and the 360 security team can give me your views.

Zhou Hongyi: On the previous question, one more addition. In terms of practice, besides what I just said about using the external strength of the cybersecurity industry, you can also run a bug bounty programme so that the whole security community helps you solve your security problems. Every year we help Google, Microsoft and Apple solve many problems; they all have their own bug bounty programmes that reward the teams that submit vulnerabilities.

Yes, from the point of view of a hacker, a system or application has many attack surfaces, and they try to break through by every route and means; flaws in software design and implementation are one attack surface, and the most direct one.

360 has many security teams, and they find a system's weaknesses from different angles and, through assessment, provide an overall security solution. Blockchain applications today are mainly smart contract applications and cryptocurrency. Judging from the security threats the 360 security team has found, there really are many security threats in the new field of blockchain, and we will gradually broaden the direction of our attention and research in this area.

Wang Feng: Question seven. A friend who has worked in information security prompted me to ask you this; clearly only your peers are at this level. The question: after the Vulcan team found this major vulnerability, how did you weigh the timing and manner of disclosing it? Do you think the timing and manner in which this vulnerability was disclosed reflects, or conforms to, the responsible handling that is standard in the cybersecurity industry?

Zhou Hongyi: As I said earlier, the way we handled it this time is very responsible and fairly standard in the cybersecurity industry.

On timing: after we found the vulnerability, and after the Vulcan team had finished researching and testing exploitation of this major vulnerability, they immediately contacted EOS founder BM. We wanted to help the EOS development team fix the vulnerability first, to make sure attackers could not exploit it, and we disclosed it only after they had completed the fix.

By taking this fairly public approach we also hope to call on the public to pay attention to blockchain security while paying attention to blockchain technology. I think the timing and handling of this disclosure were appropriate and responsible.

Wang Feng: Question eight. If 360 enters the blockchain industry, where is 360's opportunity? How do you assess the current situation in which cryptocurrency exchanges occupy the central position in the blockchain industry?

Zhou Hongyi: When we look at blockchain now, our involvement in it is certainly centred on security.

The security problem is not something that ends after a day of excitement over this disclosure. I want everyone to remember that this EOS vulnerability is not the last, and certainly not the most severe. The blockchain industry will definitely see more security problems in the future; the security problems the traditional Internet has encountered will also be encountered in blockchain. That is our opportunity, and of course we have the confidence and strength to take responsibility in it and protect the healthy, stable and secure development of the blockchain industry.

Wang Feng: On that note, we noticed that in mid-May 360 released a "Blockchain Security Situational Awareness System" and at the same time launched a "Blockchain Ecosystem Security Solution" covering four areas: wallets, exchanges, mining pools and smart contracts. A product already online is the Dbank digital wallet, which has even more functions than imToken. Could you describe 360's plans and solutions for blockchain security? For instance, how do you secure an exchange? A mining pool? Smart contracts?

Zhou Hongyi: Over this past period our security team has done a lot of careful research on blockchain and come up with some solutions. We will launch three systems for the blockchain security ecosystem: a cryptocurrency wallet security audit system, a blockchain security situational awareness system, and a blockchain node security solution.

The first, the cryptocurrency wallet security audit system, lists the key audit points in detail and explains how to build a relatively secure digital wallet so as to protect users' assets.

The second is the blockchain security situational awareness system. It is based on the 360 Security Brain and can automatically monitor abnormal blocks, abnormal transactions, abnormal addresses and smart contracts; it not only minimizes transaction risk but can also trace the provenance of illicit cryptocurrency.

The last is the blockchain node security solution, which for now will mainly target EOS.

Wang Feng: In the next few years, will the blockchain industry produce a security company as influential as 360 was in the PC Internet era? In the blockchain era, can 360's security products be fully open-sourced?

Zhou Hongyi: To add: this is the blockchain security situational awareness system we have already released.

Will another 360 emerge in the blockchain industry? I don't think so. Solving blockchain's problems will be industrialized; 360 will certainly be a main force, but it won't dominate alone as in the PC era. There will be many companies and individuals working in security protecting blockchain together.

  王峰:第九问,在前不久的第二届世界智能大会上,你提到过“人工智能本身就存在安全问题。”你举例说,360安全团队曾利用超声波干扰技术,成功实现对特斯拉的欺骗,让它相信前方的障碍物并不存在;360安全团队也因为上报了这个漏洞,进入了特斯拉名人堂。你的观点是,人工智能也许可以有99.99%的概率保证识别是正确的,但是对于安全来讲,它只要出现一次识别错误,就会造成严重后果。

Wang Feng: Ninth question: At the second World Smart Congress, not so long ago, you mentioned that “artificial intelligence is a security problem in itself.” You said, for example, that the 360 security team, using ultrasound jamming techniques, had succeeded in deceiving Tesla and convinced it that the obstacles ahead did not exist; and that the 360 security team had entered the Tesla Hall because it had reported the leak. Your view is that artificial intelligence may have a 99.99% probability that it can be identified correctly, but for security, it would have serious consequences if it were to have an error of identification.

For example, not long ago a modified Uber self-driving test vehicle struck and killed a woman in the United States, which shows clearly that today's AI technology is not a complete system. I never expected 360 to consider and get involved in such a wide range of areas on the security side. What I'm curious about is: how wide are the boundaries of the security business as 360 defines it? AI, IoT, blockchain?

Zhou Hongyi: We pay attention to artificial intelligence and blockchain because AI security and blockchain security actually share one thing in common: whether it is an AI algorithm or a blockchain algorithm, it has to be implemented in code, and code is written by people, so it is bound to have vulnerabilities.

I once saw a statistic that open-source software has on average 6 to 8 security vulnerabilities per thousand lines. So with anything new, whether an emerging technology or something else, while others see the bright side, as someone who works in security I can't help seeing the potential security risks. People in security are more like "gatekeepers"; they must always keep a skeptical mind and a protective mind.

Wang Feng: Last question. In the PC internet era, the 3Q war between 360 and Tencent was arguably the most influential battle in China's internet history, the one that affected the widest range of users, and it set a brilliant record in 360's own history. Afterwards, Ma Huateng said many times, both inside and outside Tencent, that it was the 3Q war that spurred Tencent's open-platform strategy. In the mobile internet era, however, Toutiao, Xiaomi, Meituan-Dianping and others rose rapidly; unlike in the PC internet era, when 360 had every first-mover advantage, its edge is no longer obvious. Does that make you feel a sense of loss? We all know you are someone who refuses to admit defeat. Could this be a major motivation for 360 to one day make a big push into blockchain?

Zhou Hongyi: Actually, the security business can be quite exciting. Look at last May's ransomware, or yesterday's EOS vulnerabilities: all at once the entire industry is paying attention to you.

But at the same time, doing security is really something that requires enduring solitude and sustained effort over a long time. For example, I mentioned above that Vulcan broke IE 11 in 11 seconds at a hacking competition, but you can't imagine how much time they spent digging through code before that. And then, after they stopped competing, they helped Microsoft, Google and Apple fix many vulnerabilities that none of you ever heard about. We are more like a group of guardians, the people standing behind everyone.

Back in the PC era, viruses and trojans were rampant, and we went with the tide, solving everyone's security problems with 360 Security Guard and 360 Antivirus, which perhaps got us more attention.

But in the mobile internet era we have actually done a great deal too. Look at last year's Google acknowledgement list: on Android we helped Google fix more than two hundred vulnerabilities, the most in the world and three times the number of the runner-up. Beyond that kind of work, we also cooperate with the public security authorities, for example by launching the Liewang (猎网) platform to combat telecom and online fraud.

These things may not be as exciting as back then, but I think we have done some very valuable work, and deep down we are quite proud of it.

Over these years we have also built up a great deal of original core technology; the Security Brain I mentioned above, for example, is really the crystallization of many years of technical accumulation.

The cyberspace security big data behind the 360 Security Brain is now the largest in the world. And because of this big data and these data centres, the 360 Security Brain's situational awareness, intelligent detection and removal, offence-and-defence and attack attribution, as well as incident response, are now highly competitive globally.

I refuse to admit defeat, but that does not mean we must march into blockchain or anything like that. Rather, in this new era of "big security", I hope 360 can continue to play its role as a security guardian. Blockchain applications may later reach deep into many aspects of daily life and production, and 360, as the largest security company in China, naturally wants to act as a "guardian" and escort blockchain applications on their way.

Wang Feng: I have long wanted to do a "Wang Feng's Ten Questions" dialogue with Zhou Hongyi; I never expected BM and EOS to give me the opportunity. I don't know what your next move will be, but either way Mars Finance will keep following blockchain security issues. In the last session, Luo Yonghao said he was determined to build a blockchain phone, which left a deep impression on me. Clearly more and more companies are entering the blockchain space, each from the area it is good at, and I expect still more companies to follow.

"I am not afraid of changes in the world, nor of being besieged by the giants. What I fear is losing my drive, no longer having the spirit to take on challenges, and being knocked down by myself." You said that, and I like it very much. I hear you recently published a new book: last time it was Disruptor (《颠覆者》), and this time it is a book about products, Ultimate Product (《极致产品》). Everyone should take a look.

Editor in charge: Bai Zhongping
