Categories
Ethereum Privacy Security

When is a hack a hack?

This was cross-posted from LinkedIn.


The recent kerfuffle around Ethereum and the #DAO “hack” is just another in a long list of events which illustrate the difficulty of defining the term “hacking.” For those unfamiliar with Ethereum and the DAO, a little background. Ethereum is a blockchain technology which expanded on the idea of Bitcoin to allow for a more programmable blockchain. For simplicity’s sake, think of Ethereum as a giant distributed virtual computer running on thousands or millions of other computers. The incentive to run this computer is paid in the form of ether (which can be traded for Bitcoin or other forms of money, directly or indirectly). The DAO is a program that was created to run on this computer, and it acted like a giant venture capital firm, but without any partners or anybody else at the helm. Anybody who contributed ether to the DAO was able to help determine the investments the DAO made. All of this was done through code, snippets of computer programs running in Ethereum’s language of choice, golang. The DAO is actually a specific instance of a generic form of DAO, or Decentralized Autonomous Organization (Ethereum refers to them as Democratic Autonomous Organizations). In the height of hubris, the first DAO called itself the DAO, something akin to the first corporation calling itself “The Corporation.”

Don’t worry if your head is spinning; it’s a lot to take in and a paradigm shift for sure. I’ve left audiences in a collective coma talking about the future of DAOs. Suffice to say, if half the words in the preceding paragraph were befuddling, you should start learning, and fast. This is the future and it’s coming faster than you think. Regardless, what happened next in the story of the DAO is nothing short of extraordinary. People started throwing money at the DAO: millions of dollars, something north of $150 million at one point. Then, disaster struck. Remember, the DAO is just a computer program running on a distributed computer. Someone realized they could send some instructions to the computer program and simply direct all that money to themselves. It was elegant and simple. Poof. $60 million in ether was drained from the DAO. The Ethereum crowd was in shock. Their shining example of the future had just been hacked. Or had it? The hacker claimed the program acted as it was programmed to do. He was just able to interact with that program in such a way that earned him $60 million. Now Ethereum is facing an existential crisis. The whole point of a DAO is an unstoppable, immutable program, but now that all this money went bye-bye, they want to stop that program and can fork the Ethereum blockchain to do so (or make a change to the underlying infrastructure to do so). But Ethereum’s crisis is not the subject of this article. The subject is hacking. You see, this is the first case where hacking may not really be hacking. In fact, every case may be the same.

Computers do what you tell them to do

In the United States, the principal anti-hacking law is the Computer Fraud and Abuse Act (CFAA). However, much has been made about the ambiguity of the law. The law makes a criminal of anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer.” A protected computer is defined so broadly that it covers just about any computer attached to the internet. The act was used in the prosecution of Aaron Swartz, who downloaded massive numbers of articles from JSTOR. As a Harvard researcher, he was entitled to access those files, though not in the manner he did (a potential violation of the JSTOR terms of service). While it has been surmised that his intent was to upload all the articles for free access, he never did so, having been arrested prior to that. Regardless, that would have been a violation of copyright law, not the CFAA. The question here is whether violating a site’s terms of service “exceeds authorized access” and is a federal felony.

Another notorious example is Lori Drew. She was prosecuted for creating a fake MySpace page and using that page to court and then taunt a teenage girl, who later committed suicide. Again, a violation of MySpace’s terms of service, and again, a federal felony.

Finally, there is the case of Andrew “Weev” Auernheimer. Weev accessed an AT&T website used by iPad users to register their iPads. When the website was accessed with a user’s ID number, and that user had previously registered, it displayed the email address they had registered with. Weev wrote a script that cycled through ID numbers and grabbed email addresses. In other words, he accessed a publicly facing website (of the form http://att.com/ipad?id=1) and simply incremented the ID numbers.
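The AT&T page described above is the textbook shape of an insecure direct object reference: a record is served to whoever supplies its ID, with no check that the requester owns it. The following is an added example, not code from the original post or from AT&T, showing the defender’s two sides of that story: a lookup that binds the record to the authenticated session (beside the unchecked version it replaces), and a small log scan that flags a client walking the `id` parameter sequentially. The registration table, the `/ipad?id=` log lines and the client addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed in-memory registration table: device id -> (owner account, email).
# Hypothetical sample data, not AT&T's.
REGISTRATIONS = {
    1: ("alice", "alice@example.com"),
    2: ("bob", "bob@example.com"),
    3: ("carol", "carol@example.com"),
}


def lookup_email_vulnerable(device_id):
    """The pattern the text describes: the id alone selects the record.

    Whoever supplies (or guesses) an id receives the email, so the ids can be
    walked one by one. Kept here only as the 'before' side of the fix."""
    entry = REGISTRATIONS.get(device_id)
    return entry[1] if entry else None


def lookup_email_hardened(device_id, session_user):
    """Same lookup, but the record is released only to its authenticated owner.

    The id is untrusted input; authorization is decided against the session,
    and a foreign id is answered exactly like a missing one so the response
    does not reveal which ids exist."""
    entry = REGISTRATIONS.get(device_id)
    if entry is None or session_user is None or entry[0] != session_user:
        return None
    return entry[1]


# Common-log-format line for a request to the hypothetical /ipad?id=N endpoint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /ipad\?id=(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def find_enumerating_clients(log_lines, min_run=5):
    """Return {client_ip: longest run} for clients whose successive /ipad?id=
    requests step through consecutive ids at least min_run times in a row.

    Consecutive ids from one client are the signature of the increment-the-id
    behaviour the text describes; normal users look up one or two ids."""
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["id"]))

    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


# Constructed access-log sample: one client walks ids 1..7, another makes two
# unrelated lookups. Addresses are from the documentation ranges.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Jun/2010:12:00:0{i} +0000] "GET /ipad?id={i} HTTP/1.1" 200 512'
    for i in range(1, 8)
] + [
    '203.0.113.5 - - [10/Jun/2010:12:05:00 +0000] "GET /ipad?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2010:12:06:00 +0000] "GET /ipad?id=17 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("vulnerable lookup of id 2 by anyone:", lookup_email_vulnerable(2))
    print("hardened lookup of id 2 by alice:", lookup_email_hardened(2, "alice"))
    print("hardened lookup of id 2 by bob:", lookup_email_hardened(2, "bob"))
    print("clients enumerating ids:", find_enumerating_clients(SAMPLE_LOG))
```

The hardened lookup answers a foreign id and a nonexistent id identically, which is what removes the enumeration signal; the log scan is a cheap after-the-fact check for the same behaviour on endpoints that have not yet been fixed. Its threshold is deliberately naive, and it assumes the log lines arrive in request order per client.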

None of the people in the previous two cases are shining examples of model citizens. Swartz is more of a Robin Hood character than a swashbuckling criminal. But the question remains: is what they did (on a technical basis) so heinous? If I were to create a website with a link on the front page that says “You are not authorized to click this button,” and you clicked it, and it provided information on a second page, you’re now a criminal. Does this seem right?

While hacking is defined on a technical basis, the unauthorized access or exceeding of authorized access of a computer, the criminality seems to be based more on the results, motives or intent. Clearly a case for prosecutorial discretion. No sane prosecutor would contemplate your trial for clicking that button, but Weev was a “bad” person. The prosecutor in that case said “His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he.” In this case, Weev wasn’t trying to spam the email addresses or gain financially; he was out to embarrass AT&T for their bad security.

You don’t have to be a jerk to be scared of the law

But what about security researchers? White hat hackers whose job it is to expose security vulnerabilities with the aim of benefiting society by making it more secure. They are scared. Scared of prosecution by an overzealous prosecutor or an overly defensive company making a federal case out of a genuine desire to do good. Rather than shore up their security, many companies would choose to hide behind the law, going after security researchers rather than improving their own products or spending the resources up front to build security in.

While I don’t have a good suggestion for codification of a law that punishes evil-doers while not punishing saints, I do know that the current state is not sustainable. The criminality should be in the results not the mechanism.

Which brings us back to Ethereum and the DAO. Ethereum is an experiment. It portends a future state of truly revolutionary computing. The DAO was an experiment. As with any start-up, it’s hard to spend money on security when you’re trying to build your product. But as the DAO shows, security can’t be an afterthought, even when you’re just experimenting.


Categories
Bitcoin Regulation Security

Bitcoin and the Zombie Apocalypse

Today I get to talk about two of my favorite topics: Bitcoin and the Zombie Apocalypse. Though both have entered popular culture, unfortunately only one is real. But there is a real phenomenon very closely related to the day of the dead that has relevance to the Bitcoin community.

That phenomenon is a pandemic.

A pandemic is an epidemic infectious disease that spreads far beyond a small localized population to infect whole countries, continents or even the globe. Why is this relevant to Bitcoin? Well, Bitcoin is very well situated to survive a pandemic which affects a large population. The decentralized and diverse nature of the ecosystem makes it extremely resilient to disruption. As long as the base network persists and at least one mining operation continues, Bitcoin will remain an effective value transfer system.

However, there are two Achilles’ heels. The first is that many Bitcoin users don’t interact directly with the blockchain but rather go through a service which monitors the blockchain for transactions. Whether it is a hybrid wallet or a payment service like BitPay or Coinbase, if these companies’ servers go offline, it effectively cuts off their customers from the network. As we have seen to date (with the implosion of so many Bitcoin businesses), they are ill prepared for the significant risks they are undertaking.

Major financial institutions are subject to guidelines published by the FFIEC, including business continuity planning for pandemics. I would be willing to bet that even the most solid names in Bitcoin don’t have a good business continuity or disaster recovery plan.

[Image caption: “Eat more Bitcoin!” (Night of the Living Dead)]

The second issue Bitcoin has is the need for all transactions to occur online. While a fully offline digital currency is neither efficient nor realistic, a hybrid approach which has some offline capabilities is important in a world that might have spotty internet service, electricity or intelligent devices. While a few people have tried to move Bitcoin offline by producing tokens with private keys embedded behind holograms, it’s a jerry-rigged and not very good method of creating offline money with Bitcoins. I do hope to change that.