
Security quotes of the week

The next day they discovered why they'd had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company. That all looked the same. And that all were opened by the exact same key. Thus the reason that Stevie [Ray Vaughan] could not find the cooler where he expected it to be was because they were not on the bus where they expected to be. Instead of being on Stevie's bus, it turns out they were actually on UB40's bus that, unbeknownst to them, had just pulled up that night while they'd been ensconced in the hotel talking. Which Stevie's key had opened. And on which the UB40 band had apparently been sleeping the whole time Stevie and Bill [Gibson] were there inadvertently pilfering their beer…

So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there's really not that much security to be had.

Cathy Gellis

Some years ago, people started noticing all sorts of things embedded in the Bitcoin blockchain. There are digital images, including one of Nelson Mandela. There’s the Bitcoin logo, and the original paper describing Bitcoin by its alleged founder, the pseudonymous Satoshi Nakamoto. There are advertisements, and several prayers. There’s even illegal pornography and leaked classified documents [PDF]. All of these were put in by anonymous Bitcoin users. But none of this, so far, appears to seriously threaten those in power in governments and corporations. Once someone adds something to the Bitcoin ledger, it becomes sacrosanct. Removing something requires a fork of the blockchain, in which Bitcoin fragments into multiple parallel cryptocurrencies (and associated blockchains). Forks happen, rarely, but never yet because of legal coercion. And repeated forking would destroy Bitcoin’s stature as a stable(ish) currency.

Bruce Schneier and Barath Raghavan


Schneier scenario is strikingly convincing IMHO

Posted Mar 18, 2021 12:57 UTC (Thu) by Herve5 (subscriber, #115399) [Link] (13 responses)

All is in the title...
If Schneier were a journalist instead of a competent engineer, he might really have titled his paper 'how the bitcoin is going to die?'...

Schneier scenario is strikingly convincing IMHO

Posted Mar 18, 2021 16:17 UTC (Thu) by nybble41 (subscriber, #55106) [Link] (12 responses)

There are mitigations available for this sort of thing. For one, if the community were to simply declare those particular transactions to be "unspendable" then the details could be pruned and forgotten without actually forking the blockchain. At most, clients would need to keep the summary data (hashes) for the purged transactions so that the rest of the Merkle tree could be validated, but not the problematic data itself.

This is merely a potential complication, not an existential risk.

Schneier scenario is strikingly convincing IMHO

Posted Mar 18, 2021 17:39 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (11 responses)

That requires one of two things:

1. A centralized authority is given the de facto ability to mark Bitcoins as unspendable. But this is contrary to the entire purpose, structure, and function of Bitcoin.
2. The community is able to agree on exactly which Bitcoins to mark as unspendable in a decentralized and consensus-based fashion.

#2 is not completely impossible, but I think it would be rather impractical. More realistic is:

3. Some members of the community are forced to regard specific transactions as unspendable by their respective national governments.

You end up with Bitcoins that can be spent in France ("in France" = "in a block that was mined by a French miner subject to French law") but not in Russia, for example. That's fine as long as there's a reasonable amount of mining power left in at least one country that isn't denylisting a specific transaction; just transact via those miners instead. But then you have to consider KYC ("know your customer") laws, which (in short) say that you can't just take someone's Bitcoins and hand them a suitcase full of fiat money in a dark alley somewhere. You have to know who they are and what national laws apply to them, and you have to comply with those laws. If you want to exchange Bitcoins for fiat, now you have to ensure that your national government (and the exchanger's national government) aren't going to object to any prior transaction which is "reachable" from your UTXO(s). But since everyone uses mixers for privacy purposes, that history is probably going to include all sorts of random transactions well beyond your effective control.

I'm not saying this is impossible or unsolvable. I'm saying this is going to be hard, and may result in community members making unpleasant choices. For example, we might end up with mixers and/or miners using some sort of "ContentID for the blockchain" to avoid accidentally touching an "evil" transaction before it is specifically known to be illegal.

Schneier scenario is strikingly convincing IMHO

Posted Mar 18, 2021 20:24 UTC (Thu) by nybble41 (subscriber, #55106) [Link] (10 responses)

Your option #3 was implicit in the scenario that was described. We are only doing this *because* certain national governments have (hypothetically) declared the data carried by specific transactions illegal to possess or distribute. Miners in the affected areas would have at least two options: Either ignore blocks referencing any blacklisted transactions and attempt to start a fork, which will probably fail, or else accept them based on the consensus of the mining community that they are valid even though the details necessary to validate those particular transactions aren't readily available. Their government could also provide an "oracle" service which would validate the problematic transactions on their behalf without making the details public, which is similar to the second option but involves trusting their government rather than the community.

KYC laws are beside the point. The issue at hand is problematic information embedded in transactions, not the transactions themselves.

Schneier scenario is strikingly convincing IMHO

Posted Mar 19, 2021 8:28 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (9 responses)

> Either ignore blocks referencing any blacklisted transactions and attempt to start a fork, which will probably fail, or else accept them based on the consensus of the mining community that they are valid even though the details necessary to validate those particular transactions aren't readily available.

How do you intend to establish "consensus" without doing proof of work? Because the whole point of this hypothetical is that you *can't* do proof of work, because you can't validate the transaction in the first place. Will this just be "the 5-10 largest mining pools get together and agree to do a 51% attack to excise the bad transactions"? Or did you have something else in mind?

> Their government could also provide an "oracle" service which would validate the problematic transactions on their behalf without making the details public, which is similar to the second option but involves trusting their government rather than the community.

The government is not obligated to solve your problems for you. If you choose to use a protocol which involves sending illegal numbers back and forth over the internet, and the government instructs you to stop doing that, how you go about fixing your protocol is entirely your own problem. The taxpayer is not going to fund a server that helps a group of people in what is ultimately a purely private endeavor.

> KYC laws are beside the point. The issue at hand is problematic information embedded in transactions, not the transactions themselves.

KYC laws could require us to know who performed those transactions. If those transactions contain illegal numbers, and if we have to tell the government who performed those transactions, then the obvious next question is, has the statute of limitations run? Because if it has not, then the government is likely to prosecute the person who put the illegal number into the ledger, since it now has all of the required information to do that. If the guilty party cannot be identified, then the government may decide that someone (e.g. a BTC exchange, whoever last owned the BTC before/after the illegal transaction, heck, maybe even whoever was unlucky enough to mine the block) breached KYC by allowing such a state of affairs to arise, and prosecute that entity instead. Regardless, an illegal number has been circulated. The government very much wants to send someone to jail for that, and it's mostly just a matter of figuring out who gets prosecuted for what.

The point of bringing up KYC is that KYC is foundationally incompatible with the entire design and motivation of BTC. They will come into conflict in some way or another, because they are intended to accomplish diametrically opposed goals. Maybe KYC won't end up interacting with the illegal numbers problem in particular, but it's still going to be an issue in other situations, so it's important to keep an eye on KYC wherever it pops up.

Schneier scenario is strikingly convincing IMHO

Posted Mar 19, 2021 19:12 UTC (Fri) by nybble41 (subscriber, #55106) [Link] (8 responses)

> Because the whole point of this hypothetical is that you *can't* do proof of work, because you can't validate the transaction in the first place.

What makes you think that a miner must validate all the transactions in order to complete a proof of work? The proof of work depends on a nonce, a counter, a version field, the hash of the previous block, the root hash of the Merkle tree of all transactions in the block, the current time, and the difficulty. There is no requirement to provide evidence that the transactions in the block have been validated. Other nodes will validate the transactions when they receive the block, and reject it if they cannot be validated—that's where community consensus or some black-box "oracle" would come into play to say whether any banned transactions used as inputs to the new transactions were properly spent without the miners having direct access to the banned transactions.

> The government is not obligated to solve your problems for you.

When they're creating the problems in the first place by declaring certain numbers to be "illegal" then they really should consider themselves obligated. In any case their assistance in mitigating the problems they created is not mandatory, but rather merely helpful to those miners under their jurisdiction.

KYC issues remain entirely out of scope for this discussion.
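An added example (not code from any commenter or from Bitcoin Core) illustrating two points made in this thread: the proof of work covers only the 80-byte header fields listed in the comment above, so a miner needs the Merkle root rather than transaction bodies, and a node that has pruned a transaction body but kept its txid (the earlier suggestion) still rebuilds the same root. The four sample transactions and the low difficulty target are constructed; the genesis block field values are Bitcoin's real ones and serve as a known-answer check.

```python
import hashlib
import struct
from typing import List, Optional, Tuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: List[bytes]) -> bytes:
    """Root of the Merkle tree over 32-byte txids (internal byte order).
    As in Bitcoin, an odd level duplicates its last element."""
    if not txids:
        raise ValueError("a block carries at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def txids_from_view(bodies: List[Optional[bytes]], stored_ids: List[bytes]) -> List[bytes]:
    """A node that pruned some bodies hashes what it kept and falls back to the
    stored txid for the rest; the tree is rebuilt without the pruned data."""
    return [dsha256(b) if b is not None else stored_ids[i] for i, b in enumerate(bodies)]


def header_bytes(version: int, prev_hash: bytes, root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    """Serialize the 80-byte header: the only input to the proof of work."""
    return struct.pack("<I", version) + prev_hash + root + struct.pack("<III", timestamp, bits, nonce)


def header_hash_hex(header: bytes) -> str:
    """Block hash as conventionally displayed (byte-reversed double SHA-256)."""
    return dsha256(header)[::-1].hex()


def mine(version: int, prev_hash: bytes, root: bytes, timestamp: int,
         bits: int, target: int) -> Tuple[int, str]:
    """Toy nonce search against a constructed target; no transaction is inspected."""
    for nonce in range(2 ** 32):
        digest = dsha256(header_bytes(version, prev_hash, root, timestamp, bits, nonce))
        if int.from_bytes(digest, "little") < target:
            return nonce, digest[::-1].hex()
    raise RuntimeError("no nonce found")


# Real genesis block fields (merkle root given in display order, hence reversed).
GENESIS_ROOT = bytes.fromhex("4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b")[::-1]


def genesis_block_hash() -> str:
    return header_hash_hex(header_bytes(1, b"\x00" * 32, GENESIS_ROOT, 1231006505, 0x1D00FFFF, 2083236893))


# Constructed sample block: four transaction bodies, the third one pruned.
SAMPLE_TXS = [b"constructed tx %d: pays 1 coin" % i for i in range(4)]
SAMPLE_TXIDS = [dsha256(t) for t in SAMPLE_TXS]
PRUNED_BODIES = [SAMPLE_TXS[0], SAMPLE_TXS[1], None, SAMPLE_TXS[3]]


def demo() -> dict:
    full_root = merkle_root(SAMPLE_TXIDS)
    pruned_root = merkle_root(txids_from_view(PRUNED_BODIES, SAMPLE_TXIDS))
    target = 1 << 248  # constructed difficulty: 8 leading zero bits, ~256 tries
    nonce, block_hash = mine(1, b"\x00" * 32, full_root, 1_600_000_000, 0x1D00FFFF, target)
    return {"roots_match": full_root == pruned_root, "nonce": nonce, "hash": block_hash}
```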

Schneier scenario is strikingly convincing IMHO

Posted Mar 19, 2021 20:31 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (7 responses)

> What makes you think that a miner must validate all the transactions in order to complete a proof of work?

Let's say transaction X contains an illegal number and must be suppressed. Transaction X spent UTXO Y, so now the main blockchain thinks that Y is spent. It also created UTXO Z, which the main blockchain thinks is spendable. But miners can't confirm either fact because they aren't allowed to look at X. If you're one of those miners, you basically have three options:

1. Assume that Y is spendable, because you can't confirm that it isn't.
2. Assume that Y is unspendable, because some process outside of the blockchain has informed you of that fact. Don't acknowledge that Z exists.
3. Assume that Y is unspendable, and Z spendable, because some process outside the blockchain has informed you of that fact.

None of these are acceptable:

1. Whoever owns Y can try to double spend it, and then you accidentally created a hard fork because your newly-mined block won't be accepted by anyone else.
2. Whoever owns Z can try to spend it, and then you accidentally created a hard fork because you won't accept the block in which Z is spent.
3. Then you have to keep track of at least the address which owns Z, in order to validate a later spend of Z. The illegal number may be contained in this address, so the government hauls you off to jail. Also, if the process outside of the blockchain has lied to you, then you could mine blocks spending Z (when in fact Z does not exist), so you still accidentally create a hard fork.

The blockchain's "normal" solution to this dilemma is to say, well, you can't suppress the contents of transactions. You have to at least record the addresses and UTXOs involved. But if the government orders you to not do that, then... the protocol doesn't work any more.

If you have some sort of "proof of burn" for Z, then you can ignore it (e.g. because Z has a highly regular pattern which is unlikely to have any matching private key). But since we hypothesized that Z's address is being used to convey some file or other data, which is likely compressed to save space, it will look indistinguishable from random noise, so that's no help.

> When they're creating the problems in the first place by declaring certain numbers to be "illegal" then they really should consider themselves obligated.

Yes, this position sounds vaguely reasonable, but it is actually quite absurd. All data is numbers. All numbers are data. What you are advocating is the complete abolition of laws against:

* Child pornography, and other forms of abusive or non-consensual pornography
* Publication of a user's private data
* Malware generally
* Copyright infringement generally

In my opinion, *some* of these things could do with *carefully targeted reforms,* since a few of those laws are very poorly written (e.g. copyright and hacking laws both tend to be absurdly overbroad) but wholesale abolition of all of the above is ridiculous and obviously not going to happen.

Schneier scenario is strikingly convincing IMHO

Posted Mar 19, 2021 21:54 UTC (Fri) by nybble41 (subscriber, #55106) [Link] (6 responses)

> Let's say transaction X contains an illegal number and must be suppressed. Transaction X spent UTXO Y, so now the main blockchain thinks that Y is spent. It also created UTXO Z, which the main blockchain thinks is spendable. But miners can't confirm either fact because they aren't allowed to look at X.

This is backward. X is the new transaction, so it hasn't been seen before and can't be on any ban lists. Y would be the transaction whose details, for whatever reason, cannot be stored or shared. It's not "unspendable" per se—just difficult to validate since some nodes won't have the necessary data to check the signatures or the net balance of the transaction. To validate X (and thus Z) a node would need to confirm that Y was correctly spent, which requires some function which takes the transaction hash, output index, and signatures as inputs and returns either an error if the signatures are incorrect or the value of the output otherwise. Normally this would be implemented on the node using stored data from the blockchain but in principle it could be done by some other trusted party, whether that means the government ("trusted" is probably the wrong word here…), a group of peer nodes in other jurisdictions, or someone else. Or the affected nodes could simply assume that these transactions are valid in the absence of any warning flags from their peers, validate the ones they *can* see, and otherwise proceed as usual.

In practice most of the problematic transactions with significant amounts of data involved are already unspendable by reason of not having addresses/scripts that correspond to actual private keys, so a function that just claimed that the signatures of transactions on the ban list were invalid would be correct most of the time. If it gets it wrong, and the transaction is accepted by most other nodes, then the node will desynchronize for a time and potentially create a fork. If the rest of the network proceeds with the transaction included, however, then the node ought to accept the consensus opinion on the transaction's validity after some number of blocks and switch back to the main branch. Even if the transaction *were* invalid it wouldn't make sense to remain on a minor fork indefinitely.

> What you are advocating is the complete abolition of laws against: […various forms of speech…]

Yes, I am.

Schneier scenario is strikingly convincing IMHO

Posted Mar 19, 2021 22:07 UTC (Fri) by Wol (subscriber, #4433) [Link] (3 responses)

> > What you are advocating is the complete abolition of laws against: […various forms of speech…]

> Yes, I am.

At which point, your freedom trumps mine. Do you really think me (or anyone else) will accept that?

Provided anarchy includes the requirement "do no harm", then it's a perfectly acceptable form of society. But that in itself is an abridgement of freedom, so freedom cannot be unrestricted - unless, of course, you're happy with a society where it's perfectly okay to murder you (to take it to extremes) just for the "crime" of using the public streets - or indeed for the crime of living in your own home ...

Cheers,
Wol

Schneier scenario is strikingly convincing IMHO

Posted Mar 20, 2021 0:35 UTC (Sat) by nybble41 (subscriber, #55106) [Link] (2 responses)

>>> (NYKevin) What you are advocating is the complete abolition of laws against: […various forms of speech…]

>> (nybble41) Yes, I am.

> (Wol) At which point, your freedom trumps mine.

Nonsense. Your life, liberty, and property are not affected by anything on NYKevin's list. Other people possessing or distributing this information does not impact your freedom in the slightest.

Schneier scenario is strikingly convincing IMHO

Posted Apr 6, 2021 19:37 UTC (Tue) by immibis (subscriber, #105511) [Link] (1 response)

To be extremely clear: you are arguing that possession and distribution of child pornography should not be illegal?

Schneier scenario is strikingly convincing IMHO

Posted Apr 6, 2021 20:01 UTC (Tue) by pizza (subscriber, #46) [Link]

> To be extremely clear: you are arguing that possession and distribution of child pornography should not be illegal?

That depends on, as always, the definition of "child pornography".

Remember, "child" in this context is anyone under the age of majority, i.e. 18 in the United States.

As for "pornography" ... to quote Justice Potter Stewart, "I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description[1]; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it."

So laws (presumably) intended to go after folks that sexually assault pre-pubescents are instead used to (successfully!) prosecute 17-year-olds that take photos of themselves. I highly doubt anyone would argue against the former, but a lot of folks consider the latter to be grossly unjust.

[1] "hard-core pornography" as opposed to (merely) "obscene material"

Schneier scenario is strikingly convincing IMHO

Posted Mar 20, 2021 1:37 UTC (Sat) by nix (subscriber, #2304) [Link]

>> What you are advocating is the complete abolition of laws against: […various forms of speech…]
> Yes, I am.

The "forms of speech" you advocate making legal included the (implied) theft and publication of "a user's private data". So you'd be happy for someone to put on the blockchain your passwords, bank account number, credit card PIN, and the numeric representation of whatever authorization tokens might be necessary for others to spend the contents of your bank account and impersonate you to the government? Because those things are all just numbers. Not illegal numbers at all, just private ones. (It is usually illegal to steal them, though, whether or not you republish them as well.)

(Jeremy Clarkson took up a position similar to yours in print. He soon recanted after someone transferred a modest sum of money from his bank account to charity to show him how foolish he was being. It turns out that privacy is sometimes a good thing and enforcement of privacy is sometimes a good thing too. You'd think a bitcoin advocate would grasp that, given how hot most of them are that the mapping between their real-world identities and the iffy things they did with their bitcoins should remain secret.)

I am a pretty radical advocate of transparency for the most selfish possible reason: I have trouble keeping track of what things I've told which people and in any case I live an incredibly boring life and do almost nothing anyone would be ashamed of, unless people exist who are ashamed of reading. But even I realise that I have some things it would be best for me to keep secret. Most of these are tokens of various sorts that other parts of society use as a proxy for my identity. Living a transparent life doesn't mean I want someone else to steal it! Do you really think otherwise?

Schneier scenario is strikingly convincing IMHO

Posted Mar 20, 2021 4:03 UTC (Sat) by NYKevin (subscriber, #129325) [Link]

> X is the new transaction, so it hasn't been seen before and can't be on any ban lists. Y would be the transaction whose details, for whatever reason, cannot be stored or shared.

In *my* example, X is the old transaction, and the new transaction has not happened yet (and indeed, it may never happen, or may never even be possible if Z is owned by a burn address), so it intentionally has no name. Your example solves a different, simpler problem where the new transaction has definitely happened and all we have to do is validate it (and I should also note that your solution contains a black box, which I'm entirely unconvinced you can actually implement in a way that would be widely accepted within the Bitcoin community).

The fact that you did not even mention this rewriting of the problem space makes it extraordinarily difficult for me to take your arguments seriously. Your final paragraph, frankly, doesn't help with that problem.

Security quotes of the week

Posted Mar 18, 2021 13:29 UTC (Thu) by nathan (subscriber, #3559) [Link]

I had an electronic SRV experience. My wireless router stopped working and I could not log in to it; it seemed to have reset to the manufacturer's default. So I logged into it that way, fixed it up and secured it. It was a few days later I realized I had broken into my neighbour's identical router, which he had not secured. I had a conversation with him, but being in IT, he should have known.


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds