Blockchain! It’s the latest thing, except that it’s not really that new. Someone, back in the 80s, was doing successive hashes of a dataset and publishing them in the New York Times “personals” page, to guarantee retroactive non-tampering. [reference below]
The last time I was talking to venture capitalists, they didn’t want to hear about anything that was not blockchain-based, presumably because they didn’t understand it but it sounded almost as cool as quantum, therefore it was time to back the truck up and buy a ton!
Imagine my surprise when my spambots brought me the following:
Blockchain needs more tactical.
This demonstrates one problem with irrevocable anonymous transactions: theft. As soon as people started getting excited about bitcoin I decided to ignore the fad because it was obviously a bad idea, based on incomplete threat models. Unfortunately, that meant that I didn’t make a ton of money like some of my friends did. I have one acquaintance who farmed a big load of bitcoin in the early days, bought some when they were cheap, sold them when they were expensive, and funded a start-up that made him rich indeed – in real money. Oh, well.
There are other problems, some of which have cropped up. First and foremost, it’s not actually the case that bitcoin transactions cannot be tracked by the NSA. Early on there was a large theft of bitcoin and where they disappeared to, nobody knows – but many of us suspect they went into the control of the gnomes at Ft Meade. Once you have a large enough amount of currency, you can trace who is participating in transactions by varying the transaction amount. For example, let’s say I am selling fentanyl online and someone comes to buy a bunch; the price is $19.29. The next buyer gets a price of $19.30. Then I look for someone buying $19.29 worth of bitcoin, or splitting a bitcoin into a piece that adds to $19.29. There’s my buyer. The more transactions we do, the clearer my picture gets. Next time the buyer wants fentanyl, the price is $18.91. Etc. That’s one problem.
The bigger problems that make the bitcoin threat model incomplete are:
- endpoint security
- software supply chain security
- denial of service
- denial of service extortion
- the whole bitcoin infrastructure is a piece of shit
Endpoint security is pretty straightforward. If I’m unlocking my wallet and I’m doing it on a laptop running Microsoft Windows, there’s a decent chance it’s vulnerable to attack or already has malware on it. Let’s assume there’s someone running a keylogger and they’re collecting keylogger data from thousands of laptops, searching for strings that indicate someone is unlocking their bitcoin wallet. For all the fancy cryptography of the blockchain, the wretched system still depends on a user entering a password, and that’s the obvious point of attack, as our spammer above is trying to demonstrate.
Software supply chain: how many people who use bitcoin have taken the source code for their wallet and examined it closely for backdoors, then built their own version of the executable, and run it on an operating system/platform free of backdoors? Nobody. Besides, the processors all appear to be backdoored anyway. But the wallet is not where the real action is, it’s the mining app. Suppose we hop in our time machine and go back a few years and write a bitcoin mining app that is super easy to use, has a lovely interface, and every time it uncovers a bitcoin it rolls dice inside and 1 in 10 times instead of telling the user “here is your new bitcoin!” it sends me the bitcoin and never mentions it to the user. Then I sit back and get rich – it’s the very best way to mine for bitcoin. Basically, this is the capitalist model: the coal mine owner never mines the coal, they let others do the mining and extract “surplus” which is “profit.” So it’s all legit capitalism; it’s not even theft.
Denial of service is when you make something unusable; this is also a form of asymmetric attack: you can hurt your target at a low cost, doing high cost damage. [cyberinsurgency] One possibility is that the government eventually gets tired of bitcoin and orders all the ISPs to stop carrying the traffic. It doesn’t have to be 100% effective – even 50% effective would make the system unusably unreliable. Governments like China, with their “Great Firewall” can do this sort of selective blocking if they want to. What happens to the value proposition of bitcoin if people aren’t able to do transactions? Whups.
Denial of service extortion is one I am surprised hasn’t happened yet. The current bitcoin infrastructure has serious performance problems. What if someone developed a capability to jam bitcoin services and make the transactions even slower? How much would it be worth for them not to do that? This is reasonable capitalism, in a world where the government pays farmers not to grow corn – ok, pay me not to send packets. Admittedly, not growing corn is legal but not sending packets is a bit more complicated, and could be a felony. Scratch that, it could get you killed.
The whole bitcoin infrastructure is a piece of shit – that ought to be obvious. Large parts of it are based on basic web technology, which is, itself, a piece of shit. I.e.: SSL. Anyone who thinks that SSL protects their transactions needs their head examined. Oh, it tries to protect their transactions, it just doesn’t try very hard. Let me introduce you to one of my favorite cryptographers’ paradoxes; I call it the “Paradox of NSA superiority”, namely any cryptosystem that is in widespread use is backdoored or has been cryptanalyzed by the NSA, or it wouldn’t be in widespread use. I know that sounds silly, but it’s actually not. Consider SSL: the original protocol included bidirectional authentication. That would have been nice, right? Why didn’t that happen?
And how did the idea of negotiable encryption options get into the protocol? Anyone who designs encryption systems knows that negotiable options are a yummy point of attack, especially if “clear text, please!” is an option – you just fool the system into negotiating no encryption at all. How did that get into SSL? Well, it was part and parcel of the fallback encryption system being RSA’s RC40 – a 40-bit key system that NSA could blow through like it was toilet paper. How did RC40 wind up in SSL? NSA paid RSA to put it in the mix, that’s how that happened. “Here, world, use this awesome new security system, lol lol lol” said NSA.
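The practical defense against the negotiation problem described above is to never offer the weak options in the first place, so a downgrade has nothing to land on. The following is an added example (not code from the post) using Python's standard ssl module: it builds a client context that refuses anything below TLS 1.2, forbids null, anonymous, export-grade and RC4 suites, and then audits the suites the context would actually offer. The HARDENED_CIPHERS string and the WEAK_MARKERS list are my own choices, not a standard.

```python
import ssl

# OpenSSL cipher-list syntax: only ECDHE (forward-secret) AEAD suites, and an
# explicit ban on the "please don't encrypt" family: anonymous key exchange
# (aNULL), null encryption (eNULL), export-grade keys, RC4, MD5 and DES.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES"

# Substrings in a suite name that mean the suite should never be negotiable.
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot be talked down to a weak suite or old protocol."""
    # create_default_context() already requires a valid certificate and
    # checks the hostname; we additionally pin the floor for version and suites.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites a downgrade could land on: weak by name or < 128-bit."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(m in c["name"] for m in WEAK_MARKERS) or c["strength_bits"] < 128
    ]


def is_downgrade_resistant(ctx: ssl.SSLContext) -> bool:
    """True only if every knob that a negotiation attack relies on is closed."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and not weak_suites(ctx)
    )


if __name__ == "__main__":
    good = hardened_client_context()
    print("hardened context weak suites:", weak_suites(good))
    # A deliberately permissive context, to show what the audit catches when
    # the "anything goes" cipher list is used (what is listed depends on the
    # OpenSSL build; modern builds compile out export and RC4 suites entirely).
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    print("permissive context weak suites:", weak_suites(loose))
```

Use hardened_client_context() wherever the wallet or mining client opens an HTTPS connection; the audit function is what you run in a test suite so a later "helpful" config change cannot quietly reopen the door.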
http servers (Apache most notably) have a long history of implementation bugs, including many remotely exploitable buffer overruns. Back in the day hackers would pop the stack and fire up a root shell and pwn the system. What if, hypothetically, some agency had a secret exploit and instead of starting a shell they just pulled the server side secret key out of the process memory? A key harvester that used an exploit in this manner would not get noticed by 99.99999% of its targets because it would look like a failed connection, but the attacker can now transparently monitor all SSL coming in or out of that server. That would be useful, I suspect.
Anyway, update your blockchain wallet password. And if you can’t do it, post your password in the comment section and one of us will update it for you.
I thought the original reference to sequential hashing was one of Lamport’s papers, and got sucked into searching through them. Finally I broke down and asked Bill Cheswick, who I know was involved somewhat in it, and he immediately replied with this: Stuart Haber’s Bellcore paper “How to time-stamp a digital document”, which, I believe, establishes a great deal of prior art for blockchain.
Why did anyone ever think that TeX fonts were attractive? Gyucch!
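To make concrete what the opening paragraph and the Haber reference describe, here is an added example (mine, not the post's and not Haber and Stornetta's Bellcore implementation) of a simplified linked time-stamping chain: each link hashes the previous link together with the document digest and its timestamp, and the latest link is the value you would "publish in the personals" so anyone can later check that nothing in the chain was rewritten. The entry layout and the GENESIS constant are my own choices; the real scheme also carries the client's identity and the time-stamping service's signature.

```python
import hashlib
import json

# Constructed sentinel for "no previous link" (first entry in the chain).
GENESIS = "0" * 64


def doc_digest(data: bytes) -> str:
    """Hash of the document itself; the document never leaves its owner."""
    return hashlib.sha256(data).hexdigest()


def link_hash(prev: str, digest: str, seq: int, stamp: str) -> str:
    """One chain link: binds this document to everything time-stamped before it."""
    # Canonical JSON encoding so any verifier rebuilds the exact same bytes.
    payload = json.dumps([prev, digest, seq, stamp], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(entries):
    """entries: list of (document_bytes, timestamp_string), in arrival order."""
    chain, prev = [], GENESIS
    for seq, (data, stamp) in enumerate(entries):
        digest = doc_digest(data)
        link = link_hash(prev, digest, seq, stamp)
        chain.append({"seq": seq, "stamp": stamp, "digest": digest, "prev": prev, "link": link})
        prev = link
    return chain


def verify_chain(chain, published_witness: str) -> bool:
    """Recompute every link from scratch; the last one must equal the published value."""
    prev = GENESIS
    for seq, entry in enumerate(chain):
        if entry["prev"] != prev or entry["seq"] != seq:
            return False
        if link_hash(prev, entry["digest"], seq, entry["stamp"]) != entry["link"]:
            return False
        prev = entry["link"]
    return prev == published_witness


def proves_document(chain, data: bytes, published_witness: str) -> bool:
    """True only if the document sits in a chain that still matches the witness."""
    if not verify_chain(chain, published_witness):
        return False
    return any(e["digest"] == doc_digest(data) for e in chain)
```

Back-dating a document means rebuilding the chain from that point forward, and the rebuilt tail can never reproduce the witness that was already printed; that published value is what makes the history retroactively tamper-evident.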
Having a large number of btc secretly in government hands would also allow them to crater the market on demand – another useful capability. I cannot imagine the NSA would not realize that, either.