Emin Gün Sirer has a fascinating post about how the use of NoSQL datastores caused the technical failures behind the collapse of the Bitcoin exchange Flexcoin and the heavy losses at Poloniex. But these are only the latest in a long line of hacks of exchanges, other services, and individuals, and a wide variety of bugs have been implicated. This suggests that there’s some underlying reason why Bitcoiners keep building systems that get exploited. In this post I’ll examine why.
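The failure class Sirer’s post is about is a withdrawal path whose balance check and balance debit are not one atomic operation, so a burst of simultaneous requests all pass the check against the same stale balance. The following is an added illustration, not code from Sirer’s post or from either exchange: a racy ledger beside an atomic one, with a constructed scenario (a 100-coin account hit by ten simultaneous 30-coin withdrawals). The `n_concurrent` barrier in the racy version is a test aid that forces the worst-case interleaving deterministically, which is what an attacker approximates by firing thousands of requests at once.

```python
import threading


class RacyLedger:
    """Check-then-act withdrawal with no atomicity: the lost-update failure mode.

    The optional barrier (constructed test aid) makes every concurrent request
    read the balance before any of them writes it back.
    """

    def __init__(self, balance, n_concurrent=None):
        self.balance = balance
        self._barrier = threading.Barrier(n_concurrent) if n_concurrent else None

    def withdraw(self, amount):
        current = self.balance                 # read
        if current < amount:                   # check against a possibly stale value
            return False
        if self._barrier is not None:
            self._barrier.wait(timeout=5)      # widen the check-to-write window
        self.balance = current - amount        # write back, clobbering concurrent debits
        return True


class AtomicLedger:
    """Check and debit under one lock, so the check can never go stale."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def hammer(ledger, amount, n_requests):
    """Fire n_requests concurrent withdrawals; return (successful withdrawals, final balance)."""
    successes = 0
    count_lock = threading.Lock()

    def worker():
        nonlocal successes
        if ledger.withdraw(amount):
            with count_lock:
                successes += 1

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return successes, ledger.balance


if __name__ == "__main__":
    # Constructed scenario: 100 coins, ten simultaneous 30-coin withdrawals.
    print("racy:  ", hammer(RacyLedger(100, n_concurrent=10), 30, 10))  # (10, 70): 300 coins paid out
    print("atomic:", hammer(AtomicLedger(100), 30, 10))                # (3, 10)
```

The racy ledger pays out 300 coins and records only 30 as having left the account; the atomic one honours exactly three withdrawals. In a database the lock corresponds to either a transaction that holds the row from check to debit, or a single conditional update (`UPDATE ... SET balance = balance - ? WHERE id = ? AND balance >= ?`) whose affected-row count is the check; a datastore that offers neither leaves the application with this race.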
A Belgian university recently banned all watches from exams due to the possibility of smartwatches being used to cheat. Similarly, some standardized tests in the U.S., like the GRE, have banned all digital watches. These policies seem prudent, since today’s smartwatches could be used to smuggle in notes or even access websites during the test. However, their potential use for cheating goes much farther than that.
As part of my undergrad research at the University of Michigan, I’ve recently been focusing on the security and privacy implications of wearable devices, including how smartwatches might be used for cheating in an exam. Surprisingly, while there’s been interest in the security implications of wearable devices, the focus within the research community has been on how these devices might be attacked rather than on how these devices challenge existing social assumptions.
A UK blogger with a packet sniffer recently noticed that his LG “smart” TV was sending all his viewing habits back to an LG server. This included filenames from an external USB disk. Add this atop observations that Samsung’s 2012-era “smart” TVs were riddled with security holes. (No word yet on the 2013 edition.)
What’s going on here? Mostly it’s just incompetence. Somebody thought it was a good idea to build these TVs with all these features and nobody ever said “maybe we need some security people on the design team to make sure we don’t have a problem”, much less “maybe all this data flowing from the TV to us constitutes a massive violation of our customers’ privacy that will land us in legal hot water.” The deep issue here is that it’s relatively easy to build something that works, but it’s significantly harder to build something that’s secure and respects privacy.
Joint post with Andrew Miller, University of Maryland.
Bitcoin is broken, claims a new paper by Cornell researchers Ittay Eyal and Emin Gun Sirer. No it isn’t, respond Bitcoiners. Yes it is, say the authors. Our own Ed Felten weighed in with a detailed analysis, refuting the paper’s claim that a coalition of “selfish miners” will grow in size until it controls the whole currency. But this has been disputed as well.
In other words, the jury is still out. But something has been lost in all the noise about the grandiose statements — on their way to getting to their strong claim, the authors make a weaker and much more defensible argument, namely that selfish miners can earn more than their fair share of mining revenue.
There has been a lot of noise in the Bitcoin world this week about a new paper by Ittay Eyal and Emin Gun Sirer (“ES” for short) of Cornell, which claims that Bitcoin mining is vulnerable to attack. In a companion blog post, Sirer says unequivocally that “bitcoin is broken.” Let me explain why I disagree.
This post has three parts. First, I’ll give some necessary background on how Bitcoin works. Second, I’ll explain the essence of the ES attack. Third, I’ll explain a serious flaw in the logic of the ES paper and why, as a result, the ES attack is not nearly as scary as they indicate.
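The weaker, defensible claim in the two posts above (selfish miners can earn more than their fair share) can be checked directly. Below is an added simulation, not code from the Eyal–Sirer paper or from either post, of the selfish-mining strategy as the paper describes it: the pool keeps found blocks private, releases them to orphan honest work when its lead shrinks, and in a tie a fraction `gamma` of honest miners happen to build on the pool’s block. It is compared with the paper’s closed-form revenue expression and its profitability threshold; the parameter values and the seed are my choices.

```python
import random


def selfish_mining_share(alpha, gamma, blocks=200_000, seed=1):
    """Simulate selfish mining; return the pool's share of blocks on the final main chain.

    alpha: fraction of total hashing power held by the selfish pool.
    gamma: fraction of honest miners that extend the pool's block when the pool and
           the honest network have published competing blocks at the same height.
    """
    rng = random.Random(seed)
    lead = 0        # private blocks the pool holds beyond the public chain tip
    fork = False    # two competing public branches of length one (pool vs honest)
    pool = honest = 0
    for _ in range(blocks):
        if rng.random() < alpha:
            # The pool finds a block.
            if fork:
                pool += 2        # it extends its own branch; both of its blocks win
                fork = False
            else:
                lead += 1        # keep the block private and grow the lead
        else:
            # The honest network finds a block.
            if fork:
                if rng.random() < gamma:
                    pool += 1    # honest block lands on the pool's branch
                    honest += 1
                else:
                    honest += 2  # honest branch wins; the pool's block is orphaned
                fork = False
            elif lead == 0:
                honest += 1
            elif lead == 1:
                fork = True      # pool publishes its one block: a race of equal branches
                lead = 0
            elif lead == 2:
                pool += 2        # pool publishes both; the honest block is orphaned
                lead = 0
            else:
                pool += 1        # pool publishes one block and stays ahead
                lead -= 1
    return pool / (pool + honest)


def expected_selfish_share(alpha, gamma):
    """Closed-form pool revenue share for this strategy, as given in the ES paper."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma):
    """Smallest alpha at which selfish mining beats honest mining, for a given gamma."""
    return (1 - gamma) / (3 - 2 * gamma)


if __name__ == "__main__":
    for alpha, gamma in [(0.1, 0.0), (0.3, 0.0), (0.4, 0.5)]:
        print(f"alpha={alpha} gamma={gamma}: simulated {selfish_mining_share(alpha, gamma):.3f}, "
              f"formula {expected_selfish_share(alpha, gamma):.3f}, honest share {alpha}")
```

Below the threshold (a third of the hashing power when no honest miner sides with the pool, a quarter when half of them do) the pool loses revenue by withholding blocks; above it the pool’s share exceeds its hashing-power share, which is the point the two posts agree is defensible. Whether that advantage attracts more miners and grows the pool is the separate, disputed claim, and nothing in this simulation speaks to it.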
If you talk about ‘metadata’, ‘big data’ and ‘Big Brother’ just as easily as you order a pizza, ethnography and anthropology are probably not your first points of reference. But the outcome of a recent encounter between ethnographer Tom Boellstorff and Edward Snowden (not IRL but IRP) is that tech policy wonks and researchers should be careful with their day-to-day vocabulary, as concepts carry politics of control and power.
The main takeaway of two recent disclosures around N.S.A. surveillance practices is that Americans must re-think ‘U.S. citizenship’ as the guiding legal principle to protect against untargeted surveillance of their communications. Currently, U.S. citizens may get some comfort from the usual political discourse that ‘ordinary Americans’ are protected and this is all about foreigners. In this post, I’ll argue that this is not the case, that the legal backdoor of U.S. citizenship is real, and that relying on U.S. citizenship for protection is not in America’s interests. As a new CITP Fellow and a first-time contributor to this amazing blog, I’ll introduce myself and my research interests along the way.
Josh wrote recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.)
Today I want to write about another incident, in 2003, in which someone tried to backdoor the Linux kernel. This one was definitely an attempt to insert a backdoor. But we don’t know who it was that made the attempt—and we probably never will.
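The 2003 attempt is usually described as a one-character change inside a privilege check: a single `=` where `==` belongs, so the “comparison” silently assigns and the extra parentheses around it keep the compiler’s assignment-in-condition warning quiet. The check below is an added example, not code from the post or from the kernel: a scanner that flags an `if` whose condition contains a bare assignment, run over a constructed C snippet modeled on that description (the function and surrounding lines are my invention).

```python
import re

# Constructed sample, modeled on how the 2003 change is usually described;
# not the kernel's source. Line 3 assigns where it appears to compare.
SAMPLE_C = """\
int wait_check(int options, struct task *current)
{
        if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                retval = -EINVAL;
        if (current->uid == 0 && (options & __WALL))
                audit_root();
        return retval;
}
"""

# A lone '=' that is not part of ==, !=, <=, >= or a compound assignment.
ASSIGN_IN_CONDITION = re.compile(r"(?<![=!<>+\-*/%&|^])=(?!=)")


def condition_of_if(line):
    """Return the text inside the outermost parentheses of an `if (...)` on this line, or None."""
    m = re.search(r"\bif\s*\(", line)
    if not m:
        return None
    start = m.end() - 1
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return None  # condition continues on a later line; this one-line scanner skips it


def find_assignments_in_conditions(source):
    """Return [(line_number, stripped_line)] for each `if` whose condition assigns."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        cond = condition_of_if(line)
        if cond is not None and ASSIGN_IN_CONDITION.search(cond):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    for n, line in find_assignments_in_conditions(SAMPLE_C):
        print(f"line {n}: assignment inside if-condition: {line}")
```

The scanner reports only line 3; line 5, which compares `uid` with `==`, is clean. Run over the lines a change touches, a check like this would have raised the question the reviewers in 2003 eventually asked of the change: why a test for root would need to write to the uid at all. It is deliberately dumb (one line at a time, no string or comment handling), because the point is that a tiny, cheap review rule catches a class of change that an ordinary compiler warning, defeated by one extra pair of parentheses, does not.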
Yesterday we saw two stories that illustrate the limits of cryptography as a shield against government. In San Francisco, police arrested a man alleged to be Dread Pirate Roberts (DPR), the operator of online drug market Silk Road. And in Alexandria, Virginia, a court unsealed documents revealing the tussle between the government and secure email provider Lavabit.