Skip to main content

Cryptocurrency insecurity: IOTA, BCash, and too many more

Cryptocurrencies: a weird agglomerate of fascinating technology built by brilliant engineers; a whole new and potentially important form of economics; … and hype-machine puffed-up crazy-talk nonsense. So, as you might expect, they also combine state-of-the art resilient engineering and comical clown-car so-called security. Yes, that’s right — I want to talk about IOTA, and (to an extent) Bitcoin Cash.

Modern security practices include: an understanding of and commitment to responsible disclosure; making yourself available and accessible to third-party security researchers; offering bug bounties; fuzzing your code; etcetera. They also include valuable truisms such as “don’t roll your own crypto.” Here that’s crypto as in cryptography, and it means, always always always use tried and time-tested cryptographic algorithms and implementations. Do not try to build your own from scratch. You will regret it.

IOTA, currently the world’s tenth most valuable cryptocurrency, took an … assertively contrarian stance regarding this dictum. They didn’t just roll their own crypto, they rolled their own fundamental units, deciding that binary wasn’t good enough by half, and that trinary was where it’s at, that their trits and trytes were so much better than bits and bytes.

I confess part of me has a grudging respect for the surreality of this kind of whackadoodle performance art. Alas, this half-admiration doesn’t extend to the recent saga in which a) they rolled their own crypto; b) MIT and BU researchers found a flaw in it; c) IOTA first said that the flaw was intentional, and then, apparently, that it was created by an imperfect AI (!); d) a spectacular war of words (between those parties and several others) erupted. Then, yesterday, Neha Narula, the Director of MIT’s Digital Currency Initiative, presented last year’s work in a talk at Black Hat — and even though that work stemmed from last year

I interviewed Narula this morning and she said, still amazed, that it actually seemed to her as if IOTA thought her talk yesterday would reveal a new, previously undisclosed vulnerability. Their fundamental misunderstanding of how software security works, and what responsible disclosure means, is staggering.

You may well think IOTA is such an extremely ridiculous project that it’s unfair to use it as an example. But if so, bear in mind that cryptocurrencies remain a very weird field, and many people who have put a lot of money into them are unable to distinguish ridiculous projects from serious ones. A couple of days ago I visited Las Vegas’s “cryptocurrency nightclub,” all too appropriately called MORE; the general idea is that people can both invest in MoreCoin (yes, really) and spend it on better access / parties at Vegas and similar destinations. Whether you think this is a valid concept or a crazy get-rich-quick scheme, it’s an example of how cryptocurrencies are increasingly aimed at the unsophisticated public. To its intended audience, there’s not much difference between Morecoin and Bitcoin; any technical ludicrousness is no bar to success.

But if you want to talk about something more serious and higher-profile, fine; let’s talk about Narula’s most recent post, this one describing and regarding a bug in Bitcoin Cash, one of the very few currencies traded on Coinbase. Some months ago, a developer, Cory Fields, discovered that the hard fork which birthed Bitcoin Cash included some refactoring of Bitcoin’s consensus code … such that a malicious block could be crafted which would split Bitcoin Cash into two separate blockchains.

This would be very bad, would almost certainly have drastically diminished Bitcoin Cash’s value, and could conceivably be used for a double-spend attack; meaning, given Bitcoin Cash’s value and liquidity, it was a bug which could conceivably have been used to generate many millions of dollars in cold hard cash. Fortunately Fields is an admirable fellow and decided to do the right thing.

But … how? Who to contact? The people with commit rights to the Bitcoin Cash repo, he supposed; but none of them had provided secure methods of public contact. This was information that could be used to bilk many millions of dollars, it couldn’t be emailed in plaintext — and what’s more, if somebody else discovered the bug but this Core developer was the only one known to have discovered it, he would be painting a big target on his back. How can you perform responsible disclosure when there’s no outlet to disclose to?

In the end, Fields found a way. (A very complicated way.) And the bug has been fixed. But the difficulties he had highlights the fact that, as cryptocurrencies mature, their security policies and procedures need to mature along with them. Kudos to those who are already well along this path, such as Ethereum, EOS, and Tezos; and brickbats to those who make it hard to disclose vulnerabilities, and/or those who respond with weaponized ignorance.

from TechCrunch


Popular posts from this blog

Android blatantly copies the iPhone X navigation gestures

Google unveiled some of the new features in the next version of Android at its developer conference. One feature looked particularly familiar. Android P will get new navigation gestures to switch between apps. And it works just like the iPhone X.“As part of Android P, we’re introducing a new system navigation that we’ve been working on for more than a year now,” VP of Android Engineering Dave Burke said. “And the new design makes Android multitasking more approachable and easier to understand.”While Google has probably been working on a new multitasking screen for a year, it’s hard to believe that the company didn’t copy Apple. The iPhone X was unveiled in September 2017.On Android P, the traditional home, back and multitasking buttons are gone. There’s a single pill-shaped button at the center of the screen. If you swipe up from this button, you get a new multitasking view with your most recent apps. You can swipe left and right and select the app you’re looking for.If you swipe up o…

Square launches restaurant point-of-sale platform

Square, which has already made its way into retail stores and service-based businesses (think hair salons, massage therapists, etc), is officially getting into the restaurant business with the launch of Square for Restaurants. Square for Restaurants is a point-of-sale system that handles everything from menu updates, floor layouts, employee scheduling, performance tracking to tip splitting.Usually, restaurants have “some old legacy thing or something else,” Square Seller Lead Alyssa Henry told me.“Historically, we’ve not served this customer segment very well,” Henry said. “With Square for Restaurants, we’re excited to finally be able to serve this customer segment and deliver on a couple of key things that are core to Square but also highly valued by sellers of all types.”This new product is designed to be fast, self-serve, elegant and cohesive, Henry said. It also integrates seamlessly into Square’s existing ecosystem that includes Payroll, Capital and more. Given Square’s ownership…

Recapping the TechCrunch China Shenzhen 2018 event

This year we returned to Shenzhen, the Chinese city known as the world’s ‘Silicon Valley for hardware,’ for an event that was packed full of future-looking discussions, innovative startups, experienced founders, VCs and more.We love Shenzhen. Sure, Beijing has Zhongguancun and Shanghai has its international and diverse entrepreneurial community. But Shenzhen has a certain je ne sais quoi, an energy that pervades the entire city. Maybe it’s the great weather or maybe its youth of the place — both the residents and the age of the city itself — but every time we come to this southern city, we’re amazed by the people, projects, and companies thriving here.#Shenzhen, not Beijing or Shanghai, is the forerunner of Chinese innovation, says @ganglu, founder and CEO of TechNode— TechNode (@technodechina) November 19, 2018 This year was no different. From blockchain smartphones to battling robots, from hackathons to VC speed …