Editor’s note:Why is security, an important issue in the age of Internet, often an afterthought? Can blockchain protect or undermine our privacy as privacy leaks have become commonplace?

Liz Steininger, CEO and managing director of Berlin-based Least Authority, sat down with QuarkChain scientist Yang Yaodong to discuss these issues.

图片说明：Liz Steininger 图片说明：Yang Yaodong

Blocksina transcribed the talk and slightly edited the piece for brevity and clarity.

Yang: Could you first introduce yourself and your company?

Steininger:Hello, I'm Liz Steininger, I'm the CEO and Managing Director of Least Authority. We are a company based in Berlin with a team around the world. We care a lot about the security and privacy of people.

And so we do a few things to help that effort. We do security consulting within the blockchain space, distributed ledger technology and all the related technologies. We also try to develop software that protects users' privacy and also makes security a priority.

Yang: How do you think blockchain will realize the goal of protecting privacy? Why is blockchain special?

Steininger: Blockchain is special in a lot of ways. One of the exciting things in technology is helping to do decentralized data and control for people. I'm sure a lot of people that are interested in blockchain technology have heard about the benefit of decentralization. And I think this can carry to the individuals also.

I think all individuals should retain and control their personal data; they should be able to decide when they share (data) with other people and how they share it, and when they can revoke access to their data.

By decentralizing the data, we can also have the opportunity to put that control more appropriately into users' hands. And we can do it through technology as opposed to perhaps asking a centralized company to protect their privacy rights.

Yang: Kind of returning data ownership to the people. But how do you interpret the paradox, that is, the need to ensure transparency on the one hand and to protect privacy on the other?

Steininger: So, transparency vs privacy. I think they are intertwined in a very good way. In a sense, information is power, having access to data is power. So in some cases, it's absolutely appropriate to be transparent about data; in other cases, you need to private about that data.



It helps to sometimes think in terms of power structures. If you are somebody in a position of power, like say, big commercial companies, or something like that, perhaps you have more of an obligation to be transparent to share that data with others.

But if you are an individual going against the big corporations, as an individual you don't have much power in society.

So therefore, I like privacy and need to be more private about my data. It should be a higher priority. That helps me to think about the power dynamics, transparency vs privacy.

Yang: There are other companies working in your field, using DLT to protect privacy. How does your company stand out?

Steininger: We mainly do two things. We work on technology, but we also try to help other projects, improve the security of their projects.

Security is fundamental to keeping data private. The field of security auditing and security consulting, and the field of data storage.

I don't even think about the competition yet, because there is still so much work to be done. There's so much market to reach.

We are now collaborating, trying to get heard to get the technology out there. There's a lot of space for us still. We are a small team, we all feel very strongly about privacy and security. So we a mission-driven team to help.

We just want to see more projects care about privacy. We also come from a variety of backgrounds and skill sets. So that diversity and passion just makes us a little bit different. It's not just business for us.

Yang: You said in a speech in Shanghai in September that issues like security and privacy have to be taken into account well before the construction of a blockchain ecosystem. Do you think your advice is widely heeded?

Steininger: I'd like to be heard. But maybe you can tell me that somebody is objective. I know many people don't think of privacy from the start of the design stage. There are many things that bother people when they build new technologies and privacy is often an afterthought.

I understand privacy is not the highest priority for everybody. But still it's helpful to just tell people that it should be a priority and maybe even if it's not their top priority, maybe it's down the list of things they try to consider.

Yang: We have seen quite a few high-profile hacking incidents, where fiat-to-crypto exchanges are hacked into and bitcoins got stolen. How can companies avoid being hacked?

Steininger: There are all kinds of different hacks. To give some general advice about avoiding hacks: Thinking about security from the design phase is one, but what does that means for a tech team? That could mean like, making sure that your code is good quality, that it's well commented and well-structured, that you fixed the bugs.

Another easy thing to do is think about being the adversary, like, who are the people who are going to hack you. What are they going to want to hack? If there's money involved, they are going want money.

Yang: But what if you are on a permission-less public blockchain, where you don't even know who your enemies are?

Steininger: Yeah, on public blockchains you make lots of different enemies. And this is called a threat model. You look at all of your potential threats. You rank the likeliness of it to happen, and the difficulty level that's required for that type of hack.

When you make those risk assessments, you start to figure out which ones you may need to prioritize and which ones are unlikely and low-impact, so that you can de-prioritize those.

Just go through the exercise of thinking, what is it that somebody wants to take from me? How could they break the system when they are being incentivized to hack and manipulate data, steal money, things like that, you need to think about that.

And then you can start to go through the levels of technology set, you can look at how they can do that at the network level, how can they do that at the code level? Levels and levels between architecture, literally.

Of course it can seem overwhelming. But you look at the whole picture, and you just pick your priorities based on the risk assessment and start working on those. And you know there is no such thing as 100% secure. But you can definitely minimize that risk.

Then you also have contingency plans, knowing what happens after you get hacked. So what happens internally? How do you monitor for hacks? Figure out what your plan is, so if we do get hacked, how would we respond? When do we tell our customers and how do we tell them? Is there a way we can make a report?

You can't plan for everything, but going through all these exercises puts you and your team in a different mental state. So when that does happen, you are prepared.

Yang: We know there is this hacking tactic called "double spending." Which kind of hacking tactics are more harmful?

Steininger: I think it depends on the blockchain, the technology, and what consensus you are using. Are you public or permissioned? What data are you storing there? What type of incentives would there be to take the data?

Unfortunately when it comes to these things, you can't just say that it depends on how the technology is used.

And incentives are the actual layers that are particularly interested in this space because, it's not just data, or centralized repository, but all kinds of things that you can exploit in the system.

Right now the industry is at a very experimental stage. We are innovating on all kinds of things. We are experimenting by changing things and different projects.

But I think as the industry matures and we start to see multiple projects doing similar things, some best practices will emerge. We'll start to come up with some better things, case studies and best practices that people can share.

All in all, I think it's down to the maturity of the technology.

From left to right：Wu Peng，Co-founder of Primas；Du Ting，CBO of QuarkChain；Yang Yaodong，QuarkChain scientist；Liz Steininger, CEO and managing director of Berlin-based Least Authority；Andy Wang，Greater China CEO of Blocksina；Diana，CMO of Blocksina Singapore

Yang: We talk a lot about security, are there other things about blockchain to pay attention to?

Steininger: I think security of smart contract is another. That is one area where some people are doing interesting experiments. We are moving fast.

So it's important to think now about their security now. Maybe it's secure for small experiments, but if we ever want to see some smart contracts take on some really important responsibility, and see them scale to lots of people, then security is likely to be a huge deal, because there will be targets that can be hacked.

Yang: Some believe that one of the big issues with smart contract is the language. What’s your take on that?

Steininger: You touched upon some very important problems. Some people don't see language as a problem, because the Solidity language is accessible to a lot of developers.

But in terms of language selection for security, that’s a tough one. There are particular languages that function more securely for certain purposes, just because they are a better fit.

It would be great to see just multiple smart contracts programs in languages out there, so that people could pick and choose the right programs.

I don’t want to bash solidity, but having a variety of smart contract programs languages certainly helps.

It’s funny you brought up the topic of smart contract, which made me think of Android mobile development.

For how many years have we been doing this? Sometimes we make the same security mistakes in a number of apps.

Yang: Besides the problem you mentioned, another one is scalability. In our case, we use sharding as a way to solve this problem. What's your opinion about sharding for solving the scalability problem?

Steininger: You are working on this every day, right? (Laughs) I agree with you, scalability is an important problem that we have to solve somehow, and I can add from the security perspective, that what might not be a security problem on a small scale might be seen as a problem on a large scale.

So that's one other thing we have to watch out for. The purpose is more transactions, but in doing so, we have to ask ourselves: what are we also bringing with that? Are we bringing disincentives?