In this AMA Slogging, we were joined by David Schwed, COO at Halborn. Since smart contract audits are never enough to ensure your company's security, Halborn brings ethical hackers and blockchain specialists into your company to protect the services and apps working directly with your preferred protocol from cyber attacks.
We had the chance to dive into topics such as DeFi, blockchain, smart contracts, Web3, and cybersecurity. We also asked David about his role as COO and Halborn's future.
This Slogging thread by Sara Pinto, Utsav Jaiswal, David L. Schwed, Kelley Dane, Valentine Enedah, Mónica Freitas, Limarc Ambalina, Mark Finnigan and Marco Sullivan occurred in Slogging's official #amas channel, and has been edited for readability.
Hey channel, please join me in welcoming David L. Schwed for this AMA!
David is the COO of Halborn, an award-winning blockchain cybersecurity firm that uses ethical hackers to provide end-to-end cybersecurity advisory services and products to Web2 companies and over 250 Web3 organizations, including Coinbase, Avalanche, and more.
Previously, he served as the Global Head of Digital Assets Technology for BNY Mellon, where he was responsible for integrating the IT strategy for BNY Mellon’s digital asset offerings across the enterprise. In addition, he has worked in the financial services sector at a senior level for Merrill Lynch, Salomon Smith Barney, Citigroup, and Galaxy Digital.
He is also the founding director and professor of the cybersecurity Master’s program for the Katz School of Science and Health at Yeshiva University where he is their practitioner-in-residence.
Go ahead and ask David anything about:
Hey David L. Schwed! It's a pleasure to have you here with us! Can you tell us a bit about Halborn and your role as COO?
About Halborn
https://halborn.com/ is an award-winning, elite cybersecurity company for blockchain organizations.
Security work never ends. Halborn serves as a third-party partner to continuously assess an organization’s most vital assets, drive maximum value and provide world-class cybersecurity consulting and execution every step of the way — far beyond smart contracts.
https://halborn.com/ | https://halborn.com/blog/ | https://twitter.com/HalbornSecurity | https://www.youtube.com/c/Halborn/
My role within Halborn is to lead the Operations of the company and ensure our continued growth and maintain our position as the leader in the industry.
Hey David L. Schwed. What do you think are some of the major differences between web2 and web3 from a cybersecurity perspective?
At the end of the day, many of the Web3-specific threats are similar in nature, but one must fully understand the ecosystem in order to effectively mitigate those risks. As an example, without understanding the immutability of a blockchain transaction, key management/custody isn't necessarily something that would be given the requisite level of scrutiny. As an example, HSMs are generally the standard in enterprise environments, but the standard HSM infrastructure is not secure enough IMO. We would now need to look at Multi-Sig or leveraging MPC to further protect. That, along with a more secure operational security posture around the management of that infra.
Thanks for the introduction, David L. Schwed. What do you think are the key security challenges to the mainstream adoption of crypto?
Great question and a lot to unpack when it comes to crypto.
I see a lot of similarities today when it comes to custody and when cloud providers were in the first few years of their offerings. Many companies were hesitant to "trust" the cloud providers to host their infrastructure and provide many aspects of the security of those assets. There was this mentality of "I can do it better myself" and we saw many enterprises slow to adopt cloud providers. Custody seems to be the same. The saying "not your keys, not your crypto", while true, is somewhat problematic since many firms and individuals do not understand how to securely self-custody. So with that being said, the safer option would be to use a 3rd party custodian.
There needs to be a lot of education in this space. MPC has become a marketing word with little understanding of how it actually works and the fact that there are different MPC protocols.
Hi David L. Schwed. What an impressive background! How did you start on blockchain? And what do you think are the best use cases?
Thank you! I started on Blockchain back in 2011/2012, but more from a technological curiosity as opposed to a "future of finance, etc" type of interest. I started by buying some BTC, setting up a node and wallet, and sending some transactions back and forth.
Outside of financial service use cases, I think we will see DLT used in the legal sector as a means to effectuate contractual obligations. It can potentially reduce litigation since the "contracts" are now somewhat programmatic. Gaming is another area where we will see growth. Whether it's in-game economics/items or simply using a large decentralized infrastructure.
Also, supply chain as well. Companies like Walmart are already using it ...
Hello, David L. Schwed
So glad to have you here!
With regards to Defi, how are secured transactions made considering the fact there is no centralized body to check and confirm processes?
Also, David L. Schwed, can we really achieve perfect immutability in cryptocurrency?
Regarding Valentine's question re:DeFi. Effectively the transaction is managed by a smart contract, which is code. So as an overly simplified scenario:
Say I wanted to swap ETH for BTC
and you wanted to swap BTC for ETH
We'd both be interacting with this smart contract which would facilitate the transfer thus removing the centralized party.
Valentine Enedah, for perfect immutability, are you referring to the absolute inability to reverse a transaction?
David L. Schwed, thanks for explaining. I can definitely see how people are more uncertain about getting into crypto, and how it can be a challenge. What do you think could be done to educate on this subject?
Also, can you explain a little more about MPC? I'm into marketing but never came across these protocols.
Sara Pinto, we need standards like we have in other areas of tech. We have the COBIT framework from ISACA. We have the NIST CSF Framework. There are organizations, such as C4, that are working on those standards.
We also need to start training traditional Web3 tech, security, and finance folks on this new ecosystem. Those that are technical have a much better opportunity of picking up the nuances in DLT better than taking someone from Uni and trying to teach them both Crypto AND tech/security/finance.
David L. Schwed, that's pretty cool. Blockchain has allowed awesome things, such as Web3, so I have to ask, what do you think of its growth? Especially with all the Metaverses emerging. Seems like the sky is the limit with Web3.
Kelley Dane, I think we've only scratched the surface of what can be accomplished with DLT. I was at a conference and one of the panelists said something that resonated with me. She said... can we stop critiquing and trying to predict what we are going to use DLT for... it will naturally occur. She brought up AirBNB and Uber. She said to imagine when the internet was becoming popular and someone suggested we'd use this new technology to rent people's homes. They'd be laughed at.
I 100% agree... the best part of new technology is watching it evolve.
David L. Schwed, immutability in the sense that transactions stored on the network cannot be manipulated, replaced, or falsified.
David L. Schwed, with regards to DeFi and to further understand it, if it depends on the smart contract, that means essentially, the smart contract has to be effective right?
What are the key values that define the effectiveness of a smart contract?
Valentine Enedah, in that case, while unlikely... in its current state, it's not possible. Should someone take control of a majority of the miners in a PoW ecosystem or validators for PoS, then transactions are at risk. There are also forks. Look at ETC and ETH. ETH was formed as a fork to reverse transactions. So while not technically a reversal of transactions on that chain, the community decided to fork and follow the new chain which reversed the transactions.
Valentine Enedah, since smart contracts are code, the trust comes down to the firm/team behind that particular DApp. So as a user of a DApp I'd want to familiarize myself with the security posture of that firm as well as the firm that audited that smart contract. Now the important thing to check is whether the DApp that was audited is the same one that you are interacting with.
David L. Schwed, this is quite insightful. With regards to reversible transactions, can you throw more light on how they mitigate crypto theft?
Interesting! So how do we check or audit the DApp?
Valentine Enedah, what I wrote previously is more theoretical since you asked about perfect immutability. Realistically if the technology has enough validators or miners, the cost to effectuate such an attack is insurmountable. That being said, for smaller projects or those that have a more permissioned validator infrastructure, the threats are more prevalent.
The way the attacks should be thwarted is through both detective and preventative controls. Typical cyber principles are needed; zero trust, logical/physical network/device segmentation, security monitoring, etc. are all tools to help secure.
Valentine Enedah, as far as the audit, I'd first start by asking the project itself if they've been audited and ask for a copy of the report. Many projects publish their reports to instill trust. As an example, here are some public reports that we've published for clients - https://github.com/HalbornSecurity/PublicReports
I'd also suggest checking the Rekt list which shows which firms audited projects that were breached. Now I wouldn't stay away from a firm that is on it, but something to take into consideration.
Hi David L. Schwed! Nice to meet you! 😊
I'm curious about your background as a professor.
1. How has that experience shaped your entire career in cybersecurity? Or was it an "ending point"?
2. Why did you create the Yeshiva University master's program?
3. What major trends have you noticed in the field and the students?
Mónica Freitas nice to meet you as well!
1. How has that experience shaped your entire career in cybersecurity? Or was it an "ending point"?
There were 2 points in my life/career when I knew I wanted to get into academia. The first was when I was in Law School. I went to law school as an adult and brought with me the tools I learned over the years to tackle new challenges and as such picked up the material very easily. I found myself conducting review sessions with my peers before finals. I really enjoyed teaching and helping others succeed. The other time was when I had my own company and was genuinely interested in helping my employees grow as individuals and reach their potential.
So I think having that experience in truly helping others has allowed me to focus on helping others and in turn companies without any expectation of something in return.
2. Why did you create the Yeshiva University master's program?
I am an entrepreneur as well (started/exited a company). I also love cybersecurity. This opportunity allowed me to marry two of my passions. I was able to create from the ground up the curriculum, hire professors, market the program, and recruit students... all in a subject matter that I loved!
3. What major trends have you noticed in the field and the students?
I'm noticing a lot of focus on tools and not the underlying technology and how it works. My fear is cybersecurity professionals are relying on vendors for solutions.
David L. Schwed, wow, thank you for giving me clarity. With regards to Web 3 vs Web 2, how does security differ between them?
Also, what popular blockchain platforms would you recommend for developing scalable blockchain applications?
Valentine Enedah I wrote this earlier regarding differences:
At the end of the day, many of the Web3-specific threats are similar in nature, but one must fully understand the ecosystem in order to effectively mitigate those risks. As an example, without understanding the immutability of a blockchain transaction, key management/custody isn't necessarily something that would be given the requisite level of scrutiny. As an example, HSMs are generally the standard in enterprise environments, but the standard HSM infrastructure is not secure enough IMO. We would now need to look at Multi-Sig or leveraging MPC to further protect. That, along with a more secure operational security posture around the management of that infra.
Regarding which chain... I think it all depends on the use case of what you are looking to build, developer support, as well as overall security. My personal preference is Ethereum.
Pardon me, now I have more clarity on your perspective.
Thank you.
Oh wow, that's very true and gives a new perspective on this topic. Right now, what do you think are the biggest challenges and issues with Web3?
Kelley Dane, I think the biggest problem in Web3 is a combination of a talent gap as well as a lack of mature institutional adoption.
David L. Schwed, thank you for your thoughtful answers! I hope you don't mind if I keep exploring this topic a bit more.
Mónica Freitas
1. How hard was it to juggle both of your passions? I would love to work and do volunteer work full-time, but it's hard to picture a scenario in which this works.
It was definitely hard work, but I enjoyed what I was doing so it wasn't difficult from a mental capacity. The hours were long but I knew what I was working for and there was also a time limit on school so I knew it was only a few years. I also had support from my wife who understood that a bulk of my time for a while was going to be occupied. If you are passionate about volunteering, then go for it. I am as well and am on the board of a few non-profits. It's definitely doable.
2. I'm not sure if anyone has asked you this, but what was your first investment/startup? What was the first project you put your chances in, and how did you know it was the right call?
My first investment/start-up was actually my own company MASS Communications. We ran it for about 10 years and were acquired in 2018. I knew it was the right call because I believed in my partner's vision. From an investment strategy, my first investment was in https://www.blocka.com/. While I loved what they were building, my decision was 100% based on my conversation with their founder. I knew instantly he was going to be successful.
3. What can we do to foster more interest in the technology instead of the tools? Is there something that can be done while in universities or more in the professional line?
It's definitely a shift in how some people teach. When I was a professor I focused on technology and would discuss tools as they relate to a specific technology. For example, if I were to teach pen testing, I wouldn't start with the tools. I would explain what the tools are doing from a technological level. As a very simple example, discuss the OSI layers and how devices/hosts communicate. Then discuss what the purpose of the pen test is... to find a "way in" to a network. So I would explain how certain ports may be open. So now, based on the OSI layers and teaching how devices/hosts communicate, that should resonate. If I jumped to a tool and said it found port 21 was open... that would be useful but not the full picture.
Thanks for explaining, David L. Schwed! On what other topics do you think there should be more education? Tech subjects can be complex and, sometimes, not the easiest to grasp. Was the need for education one of the reasons why you founded the cybersecurity Master’s program?
Also, you discussed smart contracts with Valentine, and I'm not sure if you covered this topic, but what do you think are smart contracts' biggest vulnerabilities?
Sara Pinto, yes... I found from working that many cyber professionals were not true technologists, but merely those that could learn the aspects of their job by learning repetitive tasks and runbooks. Cybersecurity was growing more important and necessary so I combined some of my passions and decided to head into academia.
Sara Pinto, the biggest vulnerabilities are the lack of institutional maturity in many of the organizations that are developing them. Their smaller budgets and reduced staff and need to be quick in response time to the market result in many deficiencies. Many of the "hacks" were avoidable if the organizations spent more time doing code reviews, testing, and more secure infrastructure.
Wow, thanks for all your thorough and insightful answers, and thanks for being here.
Thanks as well for your work in making the internet a safer place.
My question is: What security threats or issues do you think need to be resolved before crypto payments can become as mainstream as swiping a credit card?
Are there any major questions we haven't answered yet that need to be answered before that can happen?
Limarc Ambalina, I think the biggest problem that needs to be solved before widespread adoption is custody and UX. The technology for consumers to safely and securely hold their keys, while present, is still somewhat emerging and immature. The user experience is also confusing even to many in the technology field.
Thank you once again for the insightful answers.
I had some extra questions that I needed clarification on.
Valentine Enedah,
1. What are the current scalability issues with Blockchain products?
Issues are mainly transactions per second. That can be solved in many different ways (Layer 2, sharding, PoH/PoS consensus, etc.).
2. Since blockchain is a system of recording information in a way that makes it difficult or impossible to change, hack or cheat the system, how then can it be possibly hacked?
While reversal of older transactions may not be possible for public chains, during a 51% attack there can be reversals and double spends, etc. If the chain is centralized, then all transactions can be reversed, etc. Can also attack the protocol itself for vulnerabilities to effectuate malicious gains.
3. What is the major difference between the Bitcoin blockchain and Ethereum blockchain?
A few major ones:
BTC has a finite supply, no complex smart contracts, Proof of Work
ETH is an unlimited supply, complex smart contracts, and is Proof of Stake
Thanks for your answers, David L. Schwed. I would also like to ask a more Halborn related question. Halborn is trusted by many, which is pretty amazing. What's next for Halborn?
Sara Pinto, Halborn is continuing to grow the services side of the business as well as develop new products. We've already launched two and have many more in the pipeline. I encourage everyone to check out https://www.ziion.org... it's an open-source toolkit for blockchain security and development.
Hello, David L. Schwed! These questions go hand in hand with Limarc's. Apart from fluctuation, what would you say is crypto's major liability right now? Also, what is the crypto market missing technology-wise so it can become of mainstream use?
Mark Finnigan, when something is too good to be true, it usually is. All of these projects offering such high yields sometimes result in poor risk management. The yield has to come from somewhere, so it can be in risky loans/bets or failure to spend operational monies on securing their project. I think what's missing is regulation along with enterprise risk management modeling tools.
What achievement in your career are you most proud of? And what advice would you give to professionals making their first steps in cybersecurity?
Amazing! Thank you so much.
I understand that humans still remain the weakest link in any cybersecurity defense chain.
Could you share simple practices we can indulge in to support and promote cybersecurity awareness?
Valentine Enedah, great question. I would highly encourage anyone interested in the ecosystem to undergo training. Not necessarily for the certifications, but to gain an understanding of this world. TradFi has consumer protections by means of regulation... crypto is not there yet, so that gap needs to be filled by the consumer's own education. Some great resources:
https://cryptoconsortium.org/
https://www.blockchain-council.org/
Hello, David.
Thank you once again for being here.
I recently discovered there are various types of hackers (White, Grey, Black).
What are the distinct differences between them?
Also, what are the common types of cybersecurity Attacks?
Marco Sullivan, the terms are used to differentiate the motives of the actors.
Blackhat hackers are those who use their knowledge for malicious/unethical means.
Greyhats are in the middle in the sense that their motives may not rise to the level of a blackhat but it's not done in a truly altruistic manner.
Whitehats are ethical hackers that work for organizations to help them secure vulnerabilities.
As far as common attacks, the OWASP publishes a top ten... although focused on web application security, it's a great list to keep up with.
https://owasp.org/Top10/
What should people have in mind when it comes to security in Web3? Do you have any advice to improve protection in this area?
Kelley Dane, education is critical at the moment due to a lack of consumer protection in the ecosystem. I would encourage everyone to really understand (at a high level) what a wallet is... what a DApp is and how they work. That basic level of understanding will help improve phishing attempts as it will raise awareness of someone trying to authorize a token approval.
https://info.etherscan.com/tokenapprovals/
And just like that, we've reached the end of our AMA. Thank you, David L. Schwed, for sharing your insights with us. It was a pleasure chatting with you. Any final thoughts you want to share with our community?
Thank you for having me on! I had a lot of fun. The final insights are that the crypto community is like no other that I've been involved in. Everyone is genuinely excited about all of the possibilities to disrupt so many areas. Everyone is willing to help others on their crypto journeys. I encourage anyone that is interested in crypto to reach out to others in the space and network with them. You may be surprised how many are willing to spend time helping others learn. Please reach out to me on LinkedIn to connect! https://www.linkedin.com/in/davidschwed/