Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday July 20 2017, @05:25PM   Printer-friendly
from the ephemeral-ethereal-wealth dept.

Some time ago, I wrote that I had given up on Ethereum. While the problems coming from the DAO hack are now in the past Ethereum has had a few other problems.

Granted, these problems have nothing to do with Ethereum itself. They are all exploits in the surrounding ecosystem. Hacking the CoinDash website to replace their public wallet address was particularly cheeky. This all reminds me of tales of the Wild West, when money was transferred between banks by stagecoach or by train. The technology simply didn't exist to provide the necessary security way the heck out on the prairie.

Seems like that's where we are now. The necessary technology does not exist, to provide the security that currencies like Ethereum and Bitcoin really require. Website hacks are a dime a dozen, and when a hack can be worth $millions... The same for software: When professional programmers still write code vulnerable to SQL injection - when our platforms even allow this as a possibility - then we simply do not have the technology to secure the stagecoach.

Previously:
$30 Million Below Parity: Ethereum Wallet Bug Fingered in Mass Heist
Hacker Allegedly Steals $7.4 Million in Ethereum During ICO
Used GPUs Flood the Market as Ethereum's Price Crashes Below $150
Ethereum Mining Craze Leads to GPU Shortages
Ethereum Unusable, DAO Refunds Possible


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by pendorbound on Thursday July 20 2017, @05:49PM (10 children)

    by pendorbound (2688) on Thursday July 20 2017, @05:49PM (#541996) Homepage

    There are plenty of ways to secure crypto currency. All of the mentioned hacks were cases where existing security systems weren't used or were used improperly. Websites can be made to be secure. Client wallets likewise. Comparing these to a stage coach robbery while colorful is way off the mark.

    If you need a less-techy analogy, the CoinDash hack was more like a bank's night drop box left unattended and someone sticking their own box in front of it to collect any money dropped by unwitting depositors. The Ethereum wallet hack was a safe that also took the combination "12345" in addition to whatever the owner set for it.

    Lousy code and lax security practices all around. The technology to secure these things exists. It takes money to hire people who know what they're doing and the commitment from management and investors to not undermine them for budgetary or schedule concerns.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @06:01PM

    by Anonymous Coward on Thursday July 20 2017, @06:01PM (#542004)

    Sure does. It's called insurance against theft.

  • (Score: 5, Insightful) by bob_super on Thursday July 20 2017, @06:04PM (2 children)

    by bob_super (1357) on Thursday July 20 2017, @06:04PM (#542007)

    In related news, it's 2017 and we just had a discussion about a popular web library being vulnerable to a freaking buffer overflow.

    • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @06:06PM

      by Anonymous Coward on Thursday July 20 2017, @06:06PM (#542008)

      Buffer overflow, must not be Rusty enough!

    • (Score: 0) by Anonymous Coward on Friday July 21 2017, @02:55AM

      by Anonymous Coward on Friday July 21 2017, @02:55AM (#542154)

      Buffers are still overflowing
      It's been going on for quite a while
      Perhaps it's quite fashionable
      It hasn't gone out of style

  • (Score: 2) by Fnord666 on Thursday July 20 2017, @06:35PM (4 children)

    by Fnord666 (652) on Thursday July 20 2017, @06:35PM (#542018) Homepage

    There are plenty of ways to secure crypto currency. All of the mentioned hacks were cases where existing security systems weren't used or were used improperly. Websites can be made to be secure. Client wallets likewise. Comparing these to a stage coach robbery while colorful is way off the mark.

    If you need a less-techy analogy, the CoinDash hack was more like a bank's night drop box left unattended and someone sticking their own box in front of it to collect any money dropped by unwitting depositors. The Ethereum wallet hack was a safe that also took the combination "12345" in addition to whatever the owner set for it.

    Lousy code and lax security practices all around. The technology to secure these things exists. It takes money to hire people who know what they're doing and the commitment from management and investors to not undermine them for budgetary or schedule concerns.

    CoinDash aside, Ethereum hacks are a bit more than just lax security practices. Ethereum is not just a cryptocurrency, it's also a platform where you can build "smart contracts", the terms of which are defined programmatically. A bug in the programming of Parity.io's multisig contract, for instance, allowed a thief to subvert the contract and transfer a bunch of Ether into their own wallet [financemagnates.com]. Programming these smart contracts is a relatively new field, and it must be done exactly right or someone will find a way around it. You can expect this to happen again and again until the developer of the smart contract is held liable for any losses incurred due to a flaw in that contract's code. That will be the only way to insure that these contracts get the scrutiny they truly need and companies can rely on them to do business on the Ethereum (or any similar) platform.

    • (Score: 2) by JNCF on Thursday July 20 2017, @07:36PM (2 children)

      by JNCF (4317) on Thursday July 20 2017, @07:36PM (#542033) Journal

      You can expect this to happen again and again until the developer of the smart contract is held liable for any losses incurred due to a flaw in that contract's code. That will be the only way to insure that these contracts get the scrutiny they truly need and companies can rely on them to do business on the Ethereum (or any similar) platform.

      This is a realm that is particularly difficult to regulate; there is practically no physical supply chain. Software can be released pseudonymously on the blockchain itself. You can't touch what you can't see. There will be solutions to this problem, and they will be solutions that your courts can't even dream of. I have no idea how long they will take to create, but your wigs and gavels aren't going to help.

      • (Score: 0) by Anonymous Coward on Friday July 21 2017, @02:48PM (1 child)

        by Anonymous Coward on Friday July 21 2017, @02:48PM (#542382)

        i don't think anyone was talking about bringing the useless fucking courts and government into the equation...

        • (Score: 2) by JNCF on Friday July 21 2017, @03:09PM

          by JNCF (4317) on Friday July 21 2017, @03:09PM (#542398) Journal

          held liable for any losses incurred

          I see no sensible interpretations that don't involve jackboots, but I'm open to new ideas. Care to enlighten me?

    • (Score: 2) by rigrig on Thursday July 20 2017, @07:48PM

      by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Thursday July 20 2017, @07:48PM (#542040) Homepage

      You can expect this to happen again and again until the developer of the smart contract is held liable for any losses incurred due to a flaw in that contract's code. That will be the only way to insure that these contracts get the scrutiny they truly need and companies can rely on them to do business on the Ethereum (or any similar) platform.

      It isn't like people gave the developer a bunch of smartcoins and told him to write a secure contract: the contract was there first, so everybody could(and should) have had a look at it themselves before storing their money in it.
      And if you can't properly verify a contract (or know someone who you trust who can), maybe don't trust it with your savings?

      As this tweet [twitter.com] about the pull request that introduced the bug [github.com] points out:

      2000+ line changeset containing critical code merged w/out security review or formal signoff, 1 person commenting. Maybe not best practices

      --
      No one remembers the singer.
  • (Score: 2) by Justin Case on Friday July 21 2017, @04:33PM

    by Justin Case (4239) on Friday July 21 2017, @04:33PM (#542436) Journal

    Websites can be made to be secure.

    Wow! You've discovered something that millions of other developers have not. Please share your techniques!

    (Hint: In 1999 when Cross Site Scripting was discovered, 95% of all web sites were vulnerable -- not because of flaws in the site's code, but because of routine error messages returned by practically every web server platform in existence. And here we are now almost 20 years along and Cross Site Scripting is still in the Top Ten [owasp.org]. You know, right along with the other nine.)

    Once you get your own code perfect, and the lasagna layers of platforms are also perfect, and the OS is perfect, then all you have to deal with is that your hardware is pwned from the factory and your firewalls are obedient slaves of the NSA. And oh yes the https certificate system is thoroughly broken swiss cheese. But other than that, securing a web site is easy! It is a wonder more people don't do it!

    Oh, wait, I forgot Security Vulnerability Number One: your users. There's no patch for that.