Vitalik Buterin’s Seven Deadly Crypto Sins: Account Security
In the following series, BTCManager will be walking through, in detail, seven questions posed by the co-creator of Ethereum, Vitalik Buterin. These seven questions touch on some of the most relevant features of this booming ecosystem, ranging from security, the subject of this week’s installment, to governance and everything in between. The series was inspired by a discussion between Buterin and a WeChat group called “Mars Finance Global Family.”
To get started, have a look at the first installment related to Bitmain’s move to centralization and the threat of 51 percent attacks.
To Secure or Not to Secure
In 1960, a computer scientist named Fernando Corbató, working at MIT’s computer lab, invented the first password prompt for a computer. Two years later, another researcher at the lab, Allan Scherr, wanted more computer time and stole all the passwords. He later described how he did it:
“There was a way to request files to be printed offline by submitting a punched card. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”
According to a CSO report, cybersecurity spending is estimated to exceed $1 trillion by 2021, and damages will likely exceed $6 trillion over the same period. Billionaire Warren Buffett says that cyber attacks are the number one problem facing humankind and puts them on par with nuclear weapons.
Cybersecurity Ventures also estimates that there will be 3.5 million unfilled cybersecurity jobs by 2021. Further emphasizing the dramatic shortage of skills, Robert Herjavec of the Herjavec Group told a group of new students:
“I highly recommend pursuing your education in information technology or computer science. There is a zero-percent unemployment rate in cybersecurity and the opportunities in this field are endless.”
With all of this heavy emphasis and spending on security, Vitalik Buterin asks why there are not yet good solutions to account security.
Hack the Planet
Perhaps to understand how to build a better lock, we should first look at what — or whom — we’re keeping out. Hollywood tends to popularize and stereotype hackers with a few common character archetypes, ranging from the young high-school hacker played by Matthew Broderick in WarGames to the arch-nemesis portrayal of classified-document leaker Edward Snowden.
As portrayed by Hollywood, these hackers tend to gain their notoriety by exploiting previously undiscovered flaws in systems and, like a common thief, making off with a bag of digital goods. The reality is as far from the Hollywood mythos as possible. As Snowden tells it:
“What we’ve seen over the last decade is we’ve seen a departure from the traditional work of the National Security Agency [NSA]. They’ve become sort of the national hacking agency, the national surveillance agency. And they’ve lost sight of the fact that everything they do is supposed to make us more secure as a nation and a society.”
Some hackers make a good living from these exploits. A new vulnerability can be sold in underground markets earning their creators a royal income stream. One storefront operated by a Russian hacking gang called RIG claims to be making as much as $90,000 per week per manager. An individual malware or ransomware spreader can earn as much as $90,000 per month.
Other hackers are state sponsored. The WannaCry ransomware scheme, which introduced many businesses and consumers to a Bitcoin-based ransomware attack, is rumored to have been created by North Korea. Perhaps the Bitcoin time traveler was right about North Korea amassing a pile of the digital cryptocurrency.
Thomas P. Bossert, Trump’s homeland security advisor, wrote in an op-ed for The Wall Street Journal:
“The [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible. We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either.”
The malicious motivations of hackers seem clear: they are seeking notoriety or money in exchange for their exploits. But how are they able to do this in the first place?
It’s all Ones and Zeros until it’s not
Another way to think about data is to look at how it is created and managed today. From the cloud to their desktops, consumers tend to create data and store it in documents that ultimately reside on a hard drive somewhere. Each level of this system is also subject to attack due to the very nature of the system.
Any computing device, from computers to tablets to networking equipment, is built to process transitory bits of data. The individual storage components of this system, such as RAM, hard drives, or memory sticks, are constructed to be modifiable or updated. This very ability to modify things makes even a supposedly unhackable device hackable.
Devices that can be compromised can be found everywhere. At this year’s DEF CON, a computer hacking conference, Ricky Lawshae hacked a control system made by a technology company called Crestron. These control devices are found throughout hotels, office buildings, and universities. They manage things like temperature, lighting, door locks, and other environmental and building control systems in the enterprise. In the presentation of the vulnerability at DEF CON, Lawshae explains:
“I will demonstrate both documented and undocumented features that can be used to achieve full system compromise and show the need to make securing these systems a priority, instead of an afterthought, in every deployment. In short, hijinx will ensue.”
Over the last 50 years, there have been measured attempts at making digital documents that are immutable and verifiable. The idea is that by encrypting a document using a series of keys, it is then possible to verifiably decrypt the same text to read its contents. During transit, it would be impossible to modify that document without destroying it. Given the amount of math behind securely encrypting and decrypting documents, this has led to slower computers and, consequently, slower adoption by the business community.
These digital locks have been slow to be adopted, and as a result, there are many unlocked doors in every system.
Change Is the Law of Nature
When computer components communicate with each other, they rely upon industry standards. For example, the wireless protocol that a consumer’s cell phone uses to communicate with the internet relies upon the IEEE 802.11 standard. Companies like Apple, Microsoft, and others pay tens of thousands of dollars per year to join the standards-making body and to work out how these devices will communicate with each other.
The IEEE working group can come out with a standard, such as WPA2, to allow a consumer to enter a Wi-Fi password securely. The working group will usually focus on speed and ease of use over security concerns. Matthew Green, a cryptographer at Johns Hopkins University, explains further:
“This sort of complicated crypto is a fertile area for bugs. The problem is not so much that there are a ton of bugs in WPA2. It’s that it will be very hard to patch most low-cost consumer devices. So all it takes is one bad one to screw a lot of people up for years.”
When a vulnerability occurs, it can exist for years until the IEEE standards working group can dictate the new WPA3 protocol for security. This bureaucracy raises the following question: Is it possible to design an operating system that is secure by default?
A great starting point would be an immutable ledger. A blockchain-enabled operating system like EOS could potentially bring about the change that is needed to secure our systems. By building something whose guarantees hold from the ground up, it would then be possible to have reliable security at every level.
The EOS development team discusses the process of building a blockchain-enabled operating system in their white paper excerpted below:
“This is achieved by creating an operating system-like construct upon which applications can be built. [The] resulting technology is a blockchain architecture that scales to millions of transactions per second, eliminates user fees, and allows for quick and easy deployment of decentralized applications.”
Still, even this “operating system” is not without its flaws. An ethical hacker, Guido Vranken, spent a week finding errors in the EOS platform and eventually turned a pretty penny.
Thank you. A couple more waiting to be rewarded. I think the final tally was $120K but I lost count. Took me about a week.
— Guido Vranken (@GuidoVranken) June 4, 2018
Securing our Future
The technology behind blockchain offers the most compelling opportunity for enhancing our security and protecting our work. As these technologies gather more developers and users, something beautiful may emerge.