Introduction: OKX Web3 Wallet has specially planned the Security Special Issue column to provide special answers to different types of on-chain security issues. Through the most real cases happening around users, in collaboration with experts or institutions in the security field, dual sharing and answers from different perspectives are conducted, so as to sort out and summarize the rules of safe transactions from the shallow to the deep, aiming to strengthen user security education while helping users learn to protect their private keys and wallet asset security from themselves.
When surfing in the Web3 world, there are two things you cannot save
One transaction is to pay Gas on the chain; the other transaction is to buy equipment off the chain
But whether on-chain or off-chain, security is equally important~
This issue is the 4th security special issue. We have specially invited the OneKey security team and the OKX Web3 wallet security team to teach you how to add some buffs to your device security from the perspective of a practical guide.
OneKey Security Team: Founded in 2019, OneKey is a company that focuses on secure open source hardware wallets and software wallets. It also has a security attack and defense laboratory and has received support from first-tier institutions such as Coinbase, Ribbit Capital, and Dragonfly. Currently, OneKey hardware wallets are becoming one of the best-selling hardware wallet brands in Asia.
OKX Web3 Wallet Security Team: Hello everyone, I am very happy to share this. The OKX Web3 Wallet Security Team is mainly responsible for the construction of various security capabilities of OKX in the Web3 field, such as wallet security capabilities, smart contract security audits, on-chain project security monitoring, etc., providing users with multiple protection services such as product security, fund security, and transaction security, and contributing to maintaining the entire blockchain security ecosystem.
Q1: Can you share some real device risk cases of users?
OneKey Security Team: Device risk cases involving Web3 users are diverse. We will give some examples of common cases.
In case 1, after user Alice left her device, someone around her physically hacked into the device and stole her assets without her knowledge. This is often referred to as an evil maid attack in the computer security field and is one of the most common types of device risks encountered by users.
From colleagues at the LuMao Studio, the aunt who cleans the room, to even your close bedmate, they could all be attackers who are motivated by money. We have previously helped users track down stolen assets in their hardware wallets. After the user reported the case, they reported to the exchange and obtained the KYC of the exchange account used by the attacker. In the end, they found out that it was someone close to them who did it. As the saying goes, You can be on guard against a thief in your own home, but you cant be on guard against a thief in your own home.
In the second case, user Bob was physically coerced into handing over his device with asset control rights. This has a ridiculous name in the crypto community - the $5 Wrench Attack.
In recent years, with the emergence of the Crypto wealth effect, kidnapping and extortion against high-net-worth individuals seems to be intensifying, especially in countries with high crime rates. In early 2023, the media reported a robbery of an offline virtual currency transaction. The victim participated in an offline digital currency investor gathering and was controlled in the car after dinner. The criminals forcibly used the victims facial recognition to unlock the phone and wallet software, exchanged the cryptocurrency in the wallet for 4.1 million USDT, and then transferred the funds and left. Recently on Twitter, it was also widely circulated that a crypto mining OG said that he had been robbed by an international criminal group and was extorted for most of his lifes accumulated crypto assets.
OKX Web3 Wallet Security Team: Today’s topic is very good. We have previously talked about many on-chain security topics such as private key security, MEME transaction security, and money laundering security. In fact, device security is also very important. Let us share some classic cases.
Case 1: Tampered Hardware Wallet
User A purchased a hardware wallet from an unauthorized platform and started using it without verification. In fact, the wallet firmware had been tampered with, and multiple sets of mnemonics had been pre-generated. In the end, the users crypto assets stored in the hardware wallet were completely controlled by hackers, resulting in heavy losses.
Precautions: 1) Users should try to purchase hardware wallets from official or trusted channels. 2) Before using the wallet, complete the official verification process to ensure the firmware is secure.
Case 2: Phishing Attack
User B received an email from the Wallet Security Center stating that there was a security issue with the users wallet and requiring the user to enter the wallets recovery phrase for a security update. In fact, this was a carefully designed phishing attack, and the user eventually lost all his assets.
Precautions: 1) Users should never enter private keys or recovery phrases on any unverified website. 2) Use the hardware wallet’s screen to verify all transactions and operations.
Case 3: Software Security
User C downloaded malware from an unverified channel. When the user performed wallet operations, the malicious logic in the software caused asset loss.
Precautions: 1) Users download software from official channels and update relevant software and firmware regularly. 2) Use antivirus software and firewall to protect your device.
Q2: Physical equipment and facilities commonly used by users and types of risks
OneKey Security Team: Devices involved in the security of user assets usually include the user’s mobile phone, computer, hardware wallet, USB storage device, and network communication equipment (such as WIFI).
In addition to the Evil Maid Attack and the violent crime $5 Wrench Attack that we mentioned earlier, which we will encounter when leaving the device, we will add a few more aspects that require special attention below.
1. Social Engineering and Phishing Attacks
Social engineering and phishing attacks are currently very common and effective means of attack. Attackers use human weaknesses to trick users into performing dangerous operations. For example, malicious phishing links and attachments. Attackers may send emails, text messages, or social media messages containing malicious links, disguised as trusted sources, such as bank notifications or reminders from social media platforms. Once users click on these links or download attachments, malware will be implanted in the device, causing the device to be remotely hacked.
For another example, impersonating technical support personnel, attackers may pretend to be technical support personnel and contact users by phone or email, claiming that there is a problem with their device and that immediate action is required. They may trick users into providing remote access to their devices or leaking sensitive information. Currently, as long as you mention cryptocurrency-related terms on Twitter, an army of robots will soon come to pretend to be technical support to serve you.
2. Supply Chain Attacks
Supply chain attacks refer to attackers implanting malicious content during the production or transportation of devices. This can be seen in the following three aspects.
The first is hardware tampering. Attackers may implant malware during the manufacturing process of hardware wallets or USB storage devices. For example, if a user purchases a hardware device from an unreliable source, they may receive a tampered device that may be pre-installed with malware that can steal information or allow remote access.
The second is software tampering. An attacker may attack the devices software supply chain and tamper with the software or firmware update package. When the user downloads and installs these updates, the device may be implanted with backdoors or other types of malicious code.
The third is logistics attacks: attackers may intercept and tamper with devices during transportation. For example, hardware devices may be replaced or tampered with during express delivery to facilitate subsequent attacks.
3. Man-in-the-middle attack
A Man-in-the-Middle Attack (MITM) is a method in which an attacker intercepts and tampers with data transmission during communication between two parties.
For example, when users use unencrypted network communications, attackers can easily intercept and tamper with the data in transit. That is, when using unencrypted HTTP websites, attackers can intercept and modify the data sent and received by users.
Another example is public Wi-Fi. When using public WIFI, users data transmission is more easily intercepted by attackers. Attackers can even set up malicious public WIFI hotspots. Once users connect, attackers can monitor and steal users sensitive information, such as login credentials and bank transaction records. In extreme cases, your own WIFI may also be hacked and malware may be installed.
4. Third-party internal attacks and software vulnerabilities
Third-party internal attacks and software vulnerabilities are risks that are difficult for users to control, but they have a significant impact on the security of physical devices.
The most common are software and hardware security vulnerabilities. These vulnerabilities may be exploited by attackers to conduct remote attacks or physical bypass attacks. For example, some plug-ins or applications may have undiscovered vulnerabilities that attackers can use to gain control of the device. This can usually be solved by keeping security updates. At the same time, hardware should consider using the latest encryption chip.
Insider activities on the software side: Insiders of software developers or service providers may abuse their access rights to conduct malicious activities, steal user data or implant malicious code in the software. Or malicious activities may be caused by external factors.
For example, there was a case in which LuMao Studio’s assets were stolen because of the use of a multi-open fingerprint browser, which may have been caused by the internal malicious behavior of the software or plug-in. This shows that even legitimate software may pose a threat to the user’s asset security if its internal control is not strict.
For example, Ledger had a panic attack before - Connect Kit, which was used by many dapps, had problems. The cause of the attack was that a former employee fell victim to a phishing attack, and the attacker inserted malicious code into the GitHub repository of Connect Kit. Fortunately, Ledgers security team deployed a fix within 40 minutes of being informed of the problem, and Tether also froze the attackers USDT funds in time.
OKX Web3 Wallet Security Team : We summarize some physical devices commonly used by users and expand on the potential risks they may cause.
The physical devices commonly used by users at present mainly include: 1) Computers (desktops and laptops), used to access decentralized applications (dApps), manage cryptocurrency wallets, participate in blockchain networks, etc. 2) Smartphones and tablets, used for mobile access to dApps, managing crypto wallets and conducting transactions. 3) Hardware wallets, dedicated devices (such as Ledger, Trezor), used to securely store cryptocurrency private keys to prevent hacker attacks. 4) Network infrastructure, routers, switches, firewalls and other equipment to ensure the stability and security of network connections. 5) Node devices, software devices that run blockchain nodes (can be personal computers or dedicated servers), participate in network consensus and data verification. 6) Cold storage devices, devices used to store private keys offline, such as USB drives, paper wallets, etc., to prevent online attacks.
The potential risks that may arise from current physical equipment are mainly the following
1) Physical equipment risks
• Lost or damaged device: If a device such as a hardware wallet or computer is lost or damaged, it may result in the loss of private keys and the inability to access crypto assets.
• Physical intrusion: Criminals use physical means to invade devices and directly obtain private keys or sensitive information.
2) Cybersecurity risks
• Malware and viruses: Attack user devices through malware to steal private keys or sensitive information.
• Phishing attacks: Disguising as legitimate services to trick users into providing private keys or login credentials.
• Man-in-the-middle attack (MITM): The attacker intercepts and tampered with the communication between the user and the blockchain network.
3) User behavior risks
• Social engineering attack: Attackers use social engineering to trick users into revealing private keys or other sensitive information.
• Operational errors: User errors when trading or managing assets may result in the loss of assets.
4) Technical risks
• Software vulnerabilities: Vulnerabilities in dApps, crypto wallets, or blockchain protocols can be exploited by hackers.
• Smart contract vulnerabilities: Vulnerabilities in smart contract code can lead to the theft of funds.
5) Regulatory and legal risks
• Legal compliance: Different countries and regions have different regulatory policies on cryptocurrencies and blockchain technology, which may affect users asset security and trading freedom.
• Regulatory changes: Sudden changes in policy may result in asset freezes or trading restrictions.
Q3: Is a hardware wallet a must for private key security? What types of private key security protection measures are there?
OneKey Security Team: Of course, hardware wallets are not the only option for private key security, but they are indeed a very effective way to enhance private key security. Its biggest advantage is that it can isolate private keys from the Internet from generation, recording to daily storage, and requires users to verify and confirm transaction details directly on the physical device when performing any transaction. This feature effectively blocks the risk of private keys being stolen by malware or hacker attacks.
Let’s first talk about the advantages of hardware wallets:
1) Physical isolation: Hardware wallets store private keys in dedicated devices that are completely isolated from networked computers and mobile devices. This means that even if a users computer or phone is infected with malware, the private keys are still safe because they have never been exposed to the Internet.
2) Transaction Verification: When using a hardware wallet to conduct transactions, users must confirm and verify the transaction details directly on the device. This process prevents attackers from transferring assets without authorization even if they obtain the users online account information.
3) Security chip: Many hardware wallets use dedicated security chips to store private keys. These chips have undergone strict security certification, such as CC EAL 6+ (such as the standard adopted by new hardware wallets such as OneKey Pro and Ledger Stax), which can effectively protect against physical bypass attacks. Security chips not only prevent unauthorized access, but also resist a variety of advanced attack methods, such as electromagnetic analysis and power analysis attacks.
In addition to hardware wallets, there are many other ways to enhance the security of private keys. Users can choose the appropriate solution according to their needs:
1) Paper wallet: A paper wallet is an offline storage method that prints private and public keys on paper. Although this method is simple and completely offline, it is necessary to pay attention to physical security issues such as fire prevention, moisture prevention, and loss prevention. If possible, it is best to buy a metal plate for physical recording (there are many options on the market, such as OneKeys KeyTag).
2) Mobile cold wallet: A cold wallet refers to private keys or encrypted assets that are stored completely offline, such as an offline mobile phone or computer. Similar to hardware wallets, cold wallets can also effectively avoid network attacks, but users need to configure and manage these devices themselves.
3) Sharded encrypted storage: Sharded encrypted storage is a method of dividing the private key into multiple parts and storing them in different locations. Even if an attacker obtains a part of the private key, it is impossible to fully recover it. This method improves security by increasing the difficulty of attack, but users need to manage each private key shard to avoid being unable to recover the private key due to the loss of some shards.
4) Multisig: Multisig technology requires multiple private keys to sign a transaction in order to complete the transfer operation. This method improves security by increasing the number of signers to prevent a single private key from being stolen and causing assets to be transferred. For example, a three-party multisig account can be set up, and transactions can only be executed when at least two private keys agree. This not only improves security, but also enables more flexible management and control.
5) Cryptography innovation technology: With the development of technology, some emerging cryptography technologies are also being applied to private key protection. For example, technologies such as Threshold Signature Scheme (TSS) and Multi-Party Computation (MPC) further improve the security and reliability of private key management through distributed computing and collaboration. Generally, enterprises use them more, and individuals rarely use them.
OKX Web3 Wallet Security Team: Hardware wallets prevent private keys from being stolen by cyber attacks, malware, or other online threats by storing them on an independent, offline device. Compared to software wallets and other forms of storage, hardware wallets provide higher security and are particularly suitable for users who need to protect a large amount of crypto assets. Private key security protection measures can be roughly based on the following perspectives:
1) Use secure storage devices: Choose a reliable hardware wallet or other cold storage device to reduce the risk of private keys being stolen by cyber attacks.
2) Establish a comprehensive security awareness education: Strengthen the attention and protection awareness of private key security, be vigilant of any web page or program that requires the input of private keys, and when you must copy and paste the private key, you can only copy part of it and leave a few characters to enter manually to prevent clipboard attacks.
3) Safe storage of mnemonics and private keys: Avoid taking photos, screenshots, or recording mnemonics online. Try to write them down on paper and store them in a safe place.
4) Separate storage of private keys: Divide the private key into multiple parts and store them in different places to reduce the risk of single point failure.
Q4: Current vulnerabilities in authentication and access control
OneKey Security Team: Blockchain does not need to identify and store our identity information like Web2. It uses cryptography to achieve self-custody and access to assets. This means that private keys are everything. The biggest risk of user access control of encrypted assets generally comes from improper storage of private keys - after all, user private keys are the only credentials for accessing cryptocurrency assets. If private keys are lost, stolen, exposed, or even encounter natural disasters, assets are likely to be lost permanently.
This is also the significance of the existence of our OneKey and other brands, providing users with a secure private key self-custody solution. Many users often lack security awareness when managing private keys and use unsafe storage methods (such as saving private keys in online documents and screenshots). The best way is to use offline generation and storage. In addition to manual dice rolling and handwriting, you can also consider using the previously mentioned hardware wallet with mnemonic metal plate engraving.
Of course, there are also many users who use exchange accounts to directly store assets. At this time, identity authentication and access control are more similar to Web2.
This will be related to the users password security awareness. The use of weak passwords and repeated passwords is a common problem. Users tend to use simple, easy-to-guess passwords or reuse the same password on multiple platforms (such as email verification), increasing the risk of being attacked by brute force or after data leakage.
Although multi-factor authentication (such as SMS verification codes, Google Authenticator) can increase security, it can also become a target of attack if it is not implemented properly or has vulnerabilities (such as SMS hijacking). For example, SMS hijacking SIM swap attacks - attackers transfer the victims phone number to a SIM card controlled by the attacker by deceiving or bribing employees of mobile operators, thereby receiving all SMS verification codes sent to the victims phone. Vitalik has previously suffered a SIM SWAP attack, in which the attacker used his Twitter to send phishing messages that caused damage to the assets of many people. In addition, improper storage of backup codes of multi-factor authenticators such as Google Authenticator may also be obtained by attackers and used to attack accounts.
OKX Web3 Wallet Security Team: This is a sector that deserves attention. At present, we need to pay attention to
1) Weak passwords and password reuse: Users often use simple, easy-to-guess passwords, or reuse the same password on multiple services, increasing the risk of passwords being cracked by brute force or obtained through other leak channels.
2) Insufficient multi-factor authentication (MFA): Multi-factor authentication in Web2 can significantly improve security, but once the private key is leaked in the web3 wallet, it means that the attacker has full access to the account, making it difficult to establish an effective MFA mechanism.
3) Phishing and social engineering: Attackers trick users into revealing sensitive information through phishing emails, fake websites, etc. Currently, phishing websites targeting web3 are group-based and service-oriented, and it is easy to be deceived if you do not have sufficient security awareness.
4) Improper API key management: Developers may hardcode API keys in client applications or fail to perform proper permission control and expiration management, which may lead to the keys being misused after being leaked.
Q 5: How should users prevent the risks brought by emerging virtual technologies such as AI face-changing?
OneKey Security Team: At the 2015 BlackHat conference, hackers around the world unanimously agreed that facial recognition technology is the most unreliable method of identity authentication. Nearly a decade later, with the advancement of AI technology, we already have a nearly perfect magic to replace human faces. As expected, ordinary visual facial recognition can no longer provide security. Therefore, the recognition party needs to upgrade the algorithm technology to identify and prevent deep fake content.
Regarding the risks of AI face-swapping, there is really not much that users can do except protect their own private biometric data. Here are some small suggestions:
1) Use facial recognition apps with caution
When choosing to use facial recognition applications, users should choose those with a good security record and privacy policy. Avoid using applications from unknown sources or with questionable security, and update the software regularly to ensure the latest security patches are used. Previously, many small loan company apps in China illegally used users facial data for resale and leaked users facial data.
2) Understand Multi-Factor Authentication (MFA)
Single biometric authentication is risky, so combining multiple authentication methods can significantly improve security. Multi-factor authentication (MFA) combines multiple verification methods, such as fingerprints, iris scans, voiceprint recognition, and even DNA data. For the identification party, this combination of authentication methods can provide an additional layer of security when one authentication method is compromised. For users, it is also important to protect their own privacy data in this regard.
3) Be skeptical and beware of scams
Obviously, when both the face and the voice can be imitated by AI, it becomes much easier to impersonate a person across the network. Users should be particularly wary of requests involving sensitive information or fund transfers, and adopt double verification to confirm the identity of the other party by phone or face-to-face. Stay vigilant, do not trust urgent requests, and identify common fraud methods such as impersonating executives, acquaintances, and customer service. Nowadays, there are many people impersonating celebrities, and you should also be careful of fake platforms when participating in some projects.
OKX Web3 Wallet Security Team: Generally speaking, emerging virtual technologies bring new risks, and new risks will actually bring about new research on defense methods, and new research on defense methods will bring about new risk control products.
1. Risk of AI forgery
In the field of AI face-swapping, many AI face-swapping detection products have emerged. The current industry has proposed several methods to automatically detect fake human videos, focusing on detecting unique elements (fingerprints) in digital content caused by the use of deepfakes. Users can also identify AI face-swapping by carefully observing facial features, edge processing, and audio-visual asynchrony. In addition, Microsoft has also launched a series of tools to educate users on deepfack recognition capabilities, so that users can learn and strengthen their personal recognition capabilities.
2. Data and Privacy Risks
The application of large models in various fields also brings data and privacy risks to users. In the normal use of conversational robots, users should pay attention to the protection of personal privacy information, try to avoid direct input of key information such as private keys, keys, passwords, etc., and try to hide their key information through substitution, obfuscation and other methods. For developers, Github provides a series of friendly detections. If the submitted code contains OpenAI apikey or other risky privacy leaks, the corresponding Push will report an error.
3. Risk of Abuse of Content Generation
In daily work, users may encounter a lot of results generated by large models. Although these contents are effective, the abuse of content generation also brings about false information and intellectual property rights issues. Now there are some products that can detect whether text content is generated by large models, which can reduce some corresponding risks. In addition, when developers use code generation of large models, they should also pay attention to the correctness and security of the generated code function. For sensitive or open source code, they must conduct sufficient review and audit.
4. Daily attention and learning
When users browse short videos, long videos and various articles on a daily basis, they should consciously judge and identify, and remember possible AI-forged or AI-generated content, such as common male and female voices, pronunciation errors, and common face-swapped videos. When encountering critical scenarios, they should consciously judge and identify these risks.
Q 6: From a professional perspective, please share some physical equipment security advice
OneKey Security Team: Based on the various risks mentioned above, let us briefly summarize the protection measures.
1. Beware of the risk of intrusion of networked devices
In our daily lives, connected devices are everywhere, but this also brings potential risks of intrusion. In order to protect our high-risk data (such as private keys, passwords, MFA backup codes), we should use strong encryption methods and try to choose storage methods that are isolated from the network to avoid storing these sensitive information directly in plain text on the device. In addition, we need to always be vigilant against phishing and Trojan attacks. You can consider separating dedicated devices for cryptocurrency operations from other general-purpose devices to reduce the risk of being attacked. For example, we can separate the laptop used for daily use and the hardware wallet used to manage crypto assets, so that even if one device is attacked, the other device can still remain safe.
2. Maintain physical monitoring and protection
To further secure our high-risk devices, such as hardware wallets, we need to take strict physical monitoring and protection measures. These devices at home should be stored in a high-standard anti-theft safe and equipped with a comprehensive smart security system, including video surveillance and automatic alarm functions. If we need to travel, it is especially important to choose a hotel with secure storage facilities. Many high-end hotels offer dedicated secure storage services, which can provide an extra layer of protection for our devices. In addition, we can also consider carrying a portable safe with us to ensure that our important devices are protected in any situation.
3. Reduce risk exposure and prevent single points of failure
Distributing devices and assets is one of the key strategies to reduce risk. Instead of storing all high-authority devices and crypto assets in one place or one wallet, we should consider distributing them in safe places in different geographical locations. For example, we can store some devices and assets at home, in the office, and with trusted relatives and friends. In addition, using multiple hot wallets and hardware cold wallets is also an effective method. Each wallet can store a portion of assets to reduce the risk of single point failure. For increased security, we can also use multi-signature wallets, which require multiple authorized signatures to conduct transactions, thereby greatly improving the security level of our assets.
4. Contingency measures for worst-case scenarios
When facing potential security threats, it is crucial to develop contingency plans for the worst case scenario. For high net worth individuals, keeping a low profile is an effective strategy to avoid becoming a target. We should avoid showing off our crypto assets in public and try to keep our property information low-key. In addition, it is necessary to develop a contingency plan for device loss or theft. We can set up decoy crypto wallets to temporarily deal with possible robbers, while ensuring that the data of important devices can be remotely locked or wiped (if there is a backup). When traveling publicly in high-risk areas, hiring a private security team can provide additional security, and using special VIP security channels and high-security hotels to ensure our safety and privacy.
OKX Web3 Wallet Security Team: We will introduce it in two levels, one is the OKX Web3 APP level and the other is the user level.
1. OKX Web3 APP level
OKX Web3 Wallet uses a variety of methods to reinforce the App, including but not limited to algorithm obfuscation, logic obfuscation, code integrity detection, system library integrity detection, application tamper-proofing, and environmental security detection. It minimizes the probability of users being attacked by hackers when using the App. At the same time, it can also prevent the black industry from repackaging our App to the greatest extent, reducing the probability of downloading fake Apps.
In addition, in terms of Web3 wallet data security, we use the most advanced hardware security technology and chip-level encryption to encrypt sensitive data in the wallet. The encrypted data is bound to the device chip. If the encrypted data is stolen, no one can decrypt it.
2. User level
For users physical devices including hardware wallets, common computers, and mobile phones, we recommend that users strengthen their security awareness from the following aspects:
1) Hardware wallet: Use a well-known brand of hardware wallet, purchase it from official channels, and generate and store private keys in an isolated environment. The medium for storing private keys should be fireproof, waterproof, and anti-theft. It is recommended to use a fireproof and waterproof safe, and store private keys or mnemonics in different safe locations to improve security.
2) Electronic devices: It is recommended that mobile phones and computers that install software wallets use brands with better security and privacy (such as Apple), and reduce the installation of other unnecessary applications to create a pure system environment. Use Apples identity ID management system to back up multiple devices to avoid single-machine failures.
3) Daily use: Avoid performing sensitive operations on wallet devices in public places to prevent camera records from being leaked; regularly use reliable antivirus software to check the device environment; regularly check the reliability of the physical device storage location.
Finally, thank you for reading the 4th issue of the OKX Web3 Wallet Security Special Issue. We are currently preparing the 5th issue, which will include real cases, risk identification, and security operation tips. Stay tuned!
Disclaimer
This article is for reference only and is not intended to provide (i) investment advice or investment recommendations; (ii) an offer or solicitation to buy, sell or hold digital assets; or (iii) financial, accounting, legal or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may fluctuate significantly or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please be responsible for understanding and complying with local applicable laws and regulations.
