Jun 13

Time to torture you all with another of my disreputable acquaintances. This one makes the hermit seem like a publicity whore. He (male, age 30) is not on Facebook or any other social media but is long Pandora and Etsy. I have been pestering him about Bitcoin because (1) I have no understanding of computers, software or any mathematics beyond algebra and geometry, (2) my lawyer brain says "scam" (so does the hermit's FWVLIW), and (3) the parallels with Ivar Kreuger (and Ponzi and Madoff, for that matter) are too delicious to ignore.

Here is what the E*E has told me about Bitcoin:

"All computer systems are rife with security vulnerabilities, most of which are due to flaws in the software itself.

Oftentimes, this pattern occurs:

1) Developer realizes flaw in software (like Windows for example)
2) Developer fixes flaw and releases patch
3) Users download and apply patch (via Windows update)
4) Hackers realize how to exploit flaw, and use it to attack people who haven't yet been updated

Although steps 1, 2, and 3 must happen in order, step 4 is relatively independent, and could occur at any time.

Let's say instead the following happens (also a very common occurrence)

1) Security researcher discovers flaw and goes public to the whole world.
2) Developers race to fix bug while at the same time hackers race to exploit it. The hackers finish first.
3) Innocent end users, despite always following best practices and being vigilant about updating their software, fall victim to the flaw and get hacked
4) Developers finally fix the flaw, and release a patch to the world. Now, the hackers can only go after people who haven't yet updated.

The worst case scenario is also quite common, and very popular among state level actors

1) Hackers find the flaw, figure out how to exploit it, and start attacking innocent people in the wild.
2) Developers finally discover that there's a flaw, but only because the hackers are actively using it! They now have zero days to fix it, and deploy the fix (hence the term "Zero Day Exploit")

According to a Forbes article, here are some black market prices for zero day exploits.

What that's basically saying is that for $100k, you can buy an exploit that could potentially let you into any and every Windows computer in the world. Why so cheap? Because for now, there isn't a lot you can easily do to make money by hacking some random person's computer. Up until just the past few years, people would sell remote access to compromised Windows machines for about $0.10 each, and they were used to either send spam email or launch denial of service attacks (basically, buy 10,000 hacked computers and have them all try to access the same website over and over to bog its server down with requests and thus not let legitimate users in).

Gibbons Burke writes: 

It seems to me that companies such as Apple and Microsoft would be prudently advised to purchase zero day exploits from the intrepid entrepreneurs who discovered them, potentially saving R&D expenses on internal staff who might spend years not finding these vulnerabilities. Seems like a bargain.

The scarcity thus created by eliminating the vulnerabilities from the wild would drive up market prices for exploits, putting them out of the reach of ordinary evildoers, but only within the budgetary abilities of national security agencies and the like who, we presume, can be trusted (!?) to make use of these vulnerabilities for the purposes of compelling national interest, if not simply to take them off the table, denying them to national enemies.
 


Comments


1 Comment so far

  1. jayson on June 13, 2016 9:41 pm

    This is, unintentionally I believe, a red herring. Bitcoin isn’t software as much as a protocol. The software simply executes the transactions on the public ledger (the blockchain) using a clever fully unencrypted protocol.

    Like every system, technical or not, there are ways to subvert it. However, I wouldn’t say that software vulnerabilities would be systemic risk. Mt. Gox is the biggest example of numerous software exploits, but the protocol and blockchain are completely unaffected.

    I’ll change my tune when someone says elliptical curve cryptography has been broken, but then bitcoin will be the least of our worries since all e-commerce will be in jeopardy.
