Bitcoin’s Remarkable Lack of Security Holes (and Ukraine)

(By the way, anyone know of a link to a transcript of the Snowden SXSW talk?)

For those of you following the situation in Ukraine: here’s one bit that isn’t being widely reported. As you know the Eastern cities (Donetsk, Kharkiv) have seen considerable pro-Russian sentiment. I read an interesting analysis which suggests this is not (just) Russian covert stuff at work, but the citizens seeing Russia as their way out of the oligarch mess.

See, in eastern Ukraine, oligarchs have run the show for decades. Now the new government put some of them officially in power, which in practical terms just cuts out the middlemen. Yet the citizens there see the oligarchs much like western Ukraine saw, well, Yanukovych and the oligarchs, and the East wants power to the people too! That the East has semi-sunny memories of Stalin and the Soviets makes that archetype an easy reach.

Anyway, sometimes the most interesting things are little details that get mentioned in passing…

Like this bit —

“Penetration testing expert Dan Kaminsky, chief scientist of White Ops [said] that whoever built the Bitcoin protocol made it incredibly secure. “In 2011, I spent four months trying to break Bitcoin and failed, and this was very interesting, because it shouldn’t have failed,” he said in an interview at last week’s RSA conference.” [1]

Dan Kaminsky is by all accounts a ninja when it comes to finding flaws, so it’s quite remarkable that he found none at all in Bitcoin. Or, for that matter, that no major security holes have been poked in the cryptocurrency yet.

Now, I am not a programmer. I don’t necessarily know what’s reasonable and what’s not. But with that said…

As we’ve seen earlier, Bitcoin is quite a complex system, with many points of complexity built in — like the smart contracts bit which Assange called out at SXSW, and which I previously recommended avoiding — which would seem to offer unnecessary attack surface.

Normally, when we look at computer security, a simple rule applies: “If builders built buildings like programmers write programs, the first woodpecker to come along would destroy civilization.”

And the more complex a program is, the more holes it has. But not so with Bitcoin. (Only one major security flaw has ever been spotted in the underlying protocol, and it was quickly dealt with.)

In a certain sense there’s philosophical similarity between the currency and some of the malware we’ve seen come out of the US national security apparatus, like Flame with its “everything up to and including the kitchen sink” approach. And this would be consistent with Dorian “I Am Not The Satoshi You Are Looking For” Nakamoto’s initial denial…

“I am no longer involved in that and I cannot discuss it” after all sounds indeed like “I got hired to work on this secret project by some shady government people, did my thing, and now I’m done and my lips are contractually sealed.”

(Certainly the “metadata revealed to the world” part is something every intelligence agency loves about Bitcoin. And if Bitcoin was engineered by people with government connections, and Dorian was involved, his subsequent denial isn’t surprising either. ‘you have a duty to protect the security of operations even after you leave employment…’ or whatever)

Is Bitcoin the product of government engineering? There are very, very, very few open source projects out there with such a strong security track record.

What would it take to engineer something like Bitcoin — IN SECRET — and have it come out fully-baked enough that the civilian security community hasn’t poked any significant holes in it yet, despite the best and the brightest giving it the ol’ college try?

The other conceivable explanation I can think of is, it’s possible someone brought together some really good hackers and paid their rent for a few years so they could work on it… in that case my money’s on Nick Szabo as Satoshi. [2] But who would do such a thing, and why? The next step in the ‘global cyber brain’?

Wait, ok, here’s another thought. The US computer hacking community has about one informant for every five hackers[3] (compare this to one informant for every 66 residents of East Germany) — how about some people with government/military backgrounds getting together and working with or at least recruiting hackers…



