Can someone explain how exchanges operate?

[whotookmycrypto]

So after Binance recovers from their recent hack, CZ goes around disclosing information such as the below.





Can someone explain the following:

1) Why are they making such disclosures? Wouldn't they make it easier for hackers to get to them? For example, just for the sake of argument (know it's a bad argument because of math, large numbers, publicly visible to begin with but just put that aside) - if you provide the address hackers can begin trying to brute force it. But if you don't disclose it, a hacker would not even know where to start. It's like a robbery victim pointing hackers where to attack next.

Think the question here is: why are they comfortable with hackers knowing such information.

2) Why do they appear to use only ONE address for BNB cold wallet? Isn't this like putting all your eggs in one basket?

3) Likewise, how many hot wallets addresses do they use? Any way to find out such information?

Clearly know nuts about this. Thanks.

[TryNinja]

1) Why are they making such disclosures? Wouldn't they make it easier for hackers to get to them? For example, just for the sake of argument (know it's a bad argument because of math, large numbers, publicly visible to begin with but just put that aside) - if you provide the address hackers can begin trying to brute force it. But if you don't disclose it, a hacker would not even know where to start. It's like a robbery victim pointing hackers where to attack next.

The same way anyone can start brute-forcing satoshi's address or any of the Bitcoin top 10 rich wallets.

Think the question here is: why are they comfortable with hackers knowing such information.

It's in his tweet: "Transparency". When people know which address holds most of your reserves, they can suspect anytime it drains out.

Also, it's not hard to found that info after some blockchain analysis.

[bitmover]

It would take something close to centuries to brute Force a Bitcoin address.

As the image below states, our money is secured by the laws of the universe.

[dothebeats]

Can someone explain the following:

1) Why are they making such disclosures? Wouldn't they make it easier for hackers to get to them? For example, just for the sake of argument (know it's a bad argument because of math, large numbers, publicly visible to begin with but just put that aside) - if you provide the address hackers can begin trying to brute force it. But if you don't disclose it, a hacker would not even know where to start. It's like a robbery victim pointing hackers where to attack next.

Think the question here is: why are they comfortable with hackers knowing such information.

No. If anything, this actually helps Binance and the community track the activities made on the address. One can always know the public key, as it is what's actually needed anyway for someone to receive funds, without compromising the security of the said address. They can brute-force it all they like, but then again no such methods of brute-forcing is invented to crack open bitcoin.

2) Why do they appear to use only ONE address for BNB cold wallet? Isn't this like putting all your eggs in one basket?

It's a cold wallet. It's supposed to be the storage of pretty much everything, or at least a majority of the resources they control. If they have multiple cold wallets, that means they would employ multiple security measures, and focusing your attention to a single wallet is better than dividing your attention, resources, time and effort in guarding funds. Hackers would have a higher chance into cracking into multiple wallets, too, rather than a single, heavily-guarded one.

3) Likewise, how many hot wallets addresses do they use? Any way to find out such information?

Not sure whether exchanges fully disclose that information to the public.

[r1s2g3]

2) Why do they appear to use only ONE address for BNB cold wallet? Isn't this like putting all your eggs in one basket?

It's a cold wallet. It's supposed to be the storage of pretty much everything, or at least a majority of the resources they control. If they have multiple cold wallets, that means they would employ multiple security measures, and focusing your attention to a single wallet is better than dividing your attention, resources, time and effort in guarding funds. Hackers would have a higher chance into cracking into multiple wallets, too, rather than a single, heavily-guarded one.

I am not understanding you point , make one and heavily guard it?  Why not make 10 and heavily guard it? To be precise what do you mean by "heavily guard" it? I guess security of cold wallet is due to its offline nature not due to "guarding" it.

[bob123]

1) Why are they making such disclosures? Wouldn't they make it easier for hackers to get to them? For example, just for the sake of argument (know it's a bad argument because of math, large numbers, publicly visible to begin with but just put that aside) - if you provide the address hackers can begin trying to brute force it. But if you don't disclose it, a hacker would not even know where to start. It's like a robbery victim pointing hackers where to attack next.

Think the question here is: why are they comfortable with hackers knowing such information.

Just for the sake of the argument (just theoretical, because practically you can not bruteforce the private key to a given address):
An attacker could simply download the whole blockchain and look for the address containing the most coins. And then simply try to bruteforce this address.
Or, an attacker could withdraw some coins from binance and then track the origin of these coins. In the end he would also find the cold wallet address.

It is not like you could hide it anyway. So there is no reason to not publicly post it.

2) Why do they appear to use only ONE address for BNB cold wallet? Isn't this like putting all your eggs in one basket?

Not really.
Mathematically it is secure. So nothing can be done here.
Regarding physical access etc.. If there would be 10 private keys.. they probably would be secured in the same way.. So with physical robbery (if they could steal the 1 private key to the cold wallet), they could steal all of their private keys.

3) Likewise, how many hot wallets addresses do they use? Any way to find out such information?

You could try to estimate the amount with blockchain analysis. But this won't be an accurate number i think.
And additionally they are generating new 'hot wallet addresses' each day.

I am not understanding you point , make one and heavily guard it?  Why not make 10 and heavily guard it? To be precise what do you mean by "heavily guard" it? I guess security of cold wallet is due to its offline nature not due to "guarding" it.

Agreed. That does not make sense. Anyone have any ideas?

Look above:

Not really.
Mathematically it is secure. So nothing can be done here.
Regarding physical access etc.. If there would be 10 private keys.. they probably would be secured in the same way.. So with physical robbery (if they could steal the 1 private key to the cold wallet), they could steal all of their private keys.

It would just create additional effort without gaining much (if anything at all).

[r1s2g3]

I am not understanding you point , make one and heavily guard it?  Why not make 10 and heavily guard it? To be precise what do you mean by "heavily guard" it? I guess security of cold wallet is due to its offline nature not due to "guarding" it.

Agreed. That does not make sense. Anyone have any ideas?

Look above:

Not really.
Mathematically it is secure. So nothing can be done here.
Regarding physical access etc.. If there would be 10 private keys.. they probably would be secured in the same way.. So with physical robbery (if they could steal the 1 private key to the cold wallet), they could steal all of their private keys.

It would just create additional effort without gaining much (if anything at all).

Got you. But human greed and social engineering do not follow mathematical models.
If you create one, it will have big sum and human greed will always like to take chance to get access on it.
But if you create 100 than the greed will be 100 time less and people will not like to risk their jobs/career for that small amount.

Somehow I believe in most of hacking it is always inside job.

[whotookmycrypto]

Got you. But human greed and social engineering do not follow mathematical models.
If you create one, it will have big sum and human greed will always like to take chance to get access on it.
But if you create 100 than the greed will be 100 time less and people will not like to risk their jobs/career for that small amount.

Yes, thought so too. If all funds are aggregated into a single wallet, then it makes it a very attractive target. Andreas had this video where he discussed why hackers go after exchanges. Couldn't locate it but would share if found. Basically, he said that hackers approach this in terms of reward / effort ratio. The key thing he mentioned is that security is not scalable.

So if random user X holds $900 in his wallet and uses moderate security that requires an effort of 2 to crack, then the ratio is 50.

On the other hand in exchanges, they hold say $900 million. But the security that an exchange offers cannot be a million times stronger. Consequently, the reward / effort ratio for hackers is actually higher.

Which goes back to the original question, why don't exchanges split up their funds into wallets then?

Somehow I believe in most of hacking it is always inside job.

Popped it into Google. Poof! You are right.

https://www.benzinga.com/pressreleases/17/11/p10792005/most-cyber-attacks-are-inside-jobs

[Crypto Girl]

Somehow I believe in most of hacking it is always inside job.

Certainly it does.

Creating this so called transparency is just a show up thus they can gain back trader's trust.
They think of they disclose everything people will presume that their money is in the safe hands. However, this deep cold wallet thingy isn't new since  Xapo had used this over the years.

Though not sure if they use what Xapo used.
https://blog.xapo.com/what-would-happen-if-xapo-got-hacked/

[bob123]

Got you. But human greed and social engineering do not follow mathematical models.
[...]
But if you create 100 than the greed will be 100 time less and people will not like to risk their jobs/career for that small amount.

That's true. But you can't social engineer some information out of someone who doesn't has the desired information (in this case: the private key(s))

The employees of binance (or any other exchange) do definitely not have the access to the cold wallet private key. That would be a big blunder.

You'd need to invest quite some time and effort to gain access to the private keys (circumventing physical / digital security measurements etc. ).
And in this case, it again doesn't matter whether it is just 1 or 100 private keys.

[cryptjh]

1) Why are they making such disclosures? Wouldn't they make it easier for hackers to get to them? For example, just for the sake of argument (know it's a bad argument because of math, large numbers, publicly visible to begin with but just put that aside) - if you provide the address hackers can begin trying to brute force it. But if you don't disclose it, a hacker would not even know where to start. It's like a robbery victim pointing hackers where to attack next.

Think the question here is: why are they comfortable with hackers knowing such information.

If there was a major hack on binance BNB tokens, I think Binance would end up making a hardfork, making the hacked tokens worthless.

I like the transparent way binance have so no one panic when they see major holding of Bitcoins going out from binances wallets. 

All transactions are open for everyone to see on the blockchain, so hackers can find them just as easy as everyone else, but hacking a wallet are near impossible and finding what address belongs to what wallet are even more impossible.