Emin Gün Sirer has a fascinating post about how the use of NoSQL caused technical failures that led to the demise of Bitcoin exchanges Flexcoin and Poloniex. But these are only the latest in a long line of hacks of exchanges, other services, and individuals; a wide variety of bugs have been implicated. This suggests that there’s some underlying reason why Bitcoiners keep building systems that get exploited. In this post I’ll examine why.
Ed Felten provides good advice on this blog about what to do in the wake of Heartbleed, and I’ve read some good technical discussions of the technical problem (see this for a particularly understandable explanation).
Update Apr 11: To understand what Heartbleed is all about, see XKCD. Best. Explanation. Ever.
In this brief posting, I want to look at a different angle – what’s the scope of the vulnerability? [Read more...]
The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.
For now, here is a quick checklist of what you can do to protect yourself.
After a 5-year long campaign by European and U.S. digital rights NGOs, today the European Parliament turned a dubious Commission proposal on its head to safeguard the principle of net neutrality. It’s a historic win, and all over the news. It also shows how digital rights advocacy is maturing. [Read more...]
Last week the press reported that the White House will seek to redesign the NSA’s mass phone call data program, so that data will be held by the phone companies and accessed by the NSA, subject to a new warrant requirement. The Foreign Intelligence Surveillance Court will issue the warrants.
Today Josh Kroll and I, with colleagues at Stanford University, released a draft paper on how to use cryptography to implement warrants to data in a secure, private, and accountable way.
[UPDATE (April 3, 2014): We've found an error in our paper. In the threshold signature scheme that we used, there are restrictions on the threshold value. In particular if the key is shared over a degree t polynomial, then 2t+1 players (not t+1) are required to to construct a signature. We thought that this could be reduced to t+1, but our technique was flawed. We are exploring various modifications, and we will post further details when we have an update.]
The Bitcoin ecosystem has been plagued by thefts and losses that have affected both businesses and individuals. The security of a Bitcoin wallet rests entirely on the security of its associated private keys which can digitally sign transactions to irreversibly spend the coins in the wallet. In a new paper, we show how to use the cryptographic technique of threshold signatures to increase the security of both corporate and individual wallets.
Perhaps Bitcoin’s toughest security challenge is protecting Internet-connected wallets from insider threats. Such hot wallets cannot be kept in highly secure, offline cold storage. One good way for businesses to mitigate this vulnerability is to have hot wallets jointly controlled by multiple parties. This way, no party can independently steal corporate funds. In our paper, we show how to achieve joint control of wallets using threshold signatures.
Last Wednesday evening, I attended the D.C. Open Government Summit: Street View, which took place at the National Press Club in conjunction with Sunshine Week. The Summit was sponsored by the D.C. Open Government Coalition, a non-profit that “seeks to enhance the public’s access to government information and ensure the transparency of government operations of the District of Columbia.” The Summit successfully focused on two main ideas – using government information to innovate and using government information to inform. I left the Summit encouraged by the enthusiasm for innovation and transparency in the attendees and among some District of Columbia government leaders, but also discouraged because there was a consensus that Washington, DC is still far behind cities such as New York, Kansas City, and Boston in using technology for innovation in government and there is not a vision or financial commitment from the Mayor’s office to facilitate government-wide progress.
At an academic meeting recently, I was surprised to hear some social scientists accept as obviously correct the claim that involving “algorithms” in decision-making, instead of sticking with good old-fashioned human decision-making, necessarily reduces accountability and increases the risk of bias. I tend to believe the opposite, that making processes algorithmic improves our ability to understand why they give the results they do. Let me explain why.