
posted by takyon on Wednesday November 15 2017, @02:12AM
from the vanishing-act dept.

Submitted via IRC for SoyCow1984

A crypto-currency collector who was locked out of his $1m Ethereum multi-signature wallet this week by a catastrophic bug in Parity's software has claimed the blunder was not an accident – it was "deliberate and fraudulent."

On Tuesday, Parity confessed all of its multi-signature Ethereum wallets – which each require multiple people to sign off transactions – created since July 20 were "accidentally" frozen, quite possibly permanently locking folks out of their cyber-cash collections. The digital money stores contained an estimated $280m of Ethereum; 1 ETH coin is worth about $304 right now. The wallet developer blamed a single user who, apparently, inadvertently triggered a software flaw that brought the shutters down on roughly 70 crypto-purses worldwide.

[...] Cappasity has alleged the wallet freeze was no accident: someone deliberately triggered the mass lockdown, we're told, and there's evidence to prove it. By studying devops199's attempts to extract and change ownership of ARToken's and Polkadot's smart contracts, it appears the user was maliciously poking around, eventually triggering the catastrophic bug in Parity's software. "Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate," said Cappasity's founder Kosta Popov in a statement this week.

Source: https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/

Ethereum.

Previously: $300m in Cryptocurrency Accidentally Lost Forever Due to Bug


  • (Score: 0) by Anonymous Coward on Wednesday November 15 2017, @03:21PM (#597301) (1 child)

    > a sane legal system which holds the people who make mistakes responsible for their actions rather than the people who notice and exploit the mistakes.

    I disagree, you even use the word 'exploit' for the group of people you see doing no harm.

    That doesn't mean I think the people making the mistakes shouldn't carry part of the blame, but this is a very gray line, where the % blame for those making the mistake and the % blame for the exploiters aren't correlated.

    Let's take an internet security example.
    Company X makes the mistake of not securing a web server: they do not have a security policy, didn't think about it, have no people in place to handle it, ... large % of blame.
    Company Y makes a mistake securing their web server: a patch wasn't rolled out quickly enough and someone exploits it. They do have a security team, policy, ... and had already applied the patch on their staging system and were testing it out before patching their production system. % blame is very low.

    Scoundrel A is browsing around a web store, sees a button for a promotion and discount and clicks it several times as some network latency slowed down the website response. He triggers a bug and gets a huge monetary reward. % blame is very low (0, I would say).
    Scoundrel B searches the intertubes for exploits and hacks, uses them on a bunch of web stores and finally gets through in one of them, being able to steal a small monetary reward. % blame is very high.

    In the above case, I think Parity holds a large % of blame; it's their software and it had a bug against their core business: holding and securing wallets.
    I'm not familiar with what the user did, but if he was trying everything he could think of to trigger bugs or exploits, he also holds a large % of blame. (Unless he was doing it while considering using Parity and wanted to check out the quality of their systems first.)

    I agree with the sentiment about the laws though: close the damn loopholes, and create a spirit of the law as law. E.g. a big section of law has an introduction of what the law is trying to accomplish and what the motives for the law are. Intentionally spending much effort to subvert that can then be considered illegal.

  • (Score: 0) by Anonymous Coward on Thursday November 16 2017, @04:58AM (#597584)

    Consider a formally verified kerberos(sans DES)/NTP/microkernel system used to gain access to internal resources. All you need do is only grant creds to people who sign your contract stipulating they use the systems in good faith to perform their work, and you're good to go with liability once again being fully (and now justly) on the hacker without having to impose unknowable laws on everyone in the country.

    IIRC (IANAL), it's illegal in the US to retrieve information from a secured computer system without or in excess of your authorization. What exactly are you authorized to extract from whatever system www.google.com resolves to? How did you gain that authorization if it isn't implicit in them offering the information to the public? If it is implicit, then how do you determine if it was intentionally offered to the public or if it's meant to be an internal website, or a customer-only website? Do you feel it's acceptable to visit 'simple' URLs without permission but not 'complex' ones? What about editing the GET parameters in a URL (?foo=bar), surely a feat beyond most users? (weev got time for that, and his mate 3 years' probation.)

    How would you feel about a lawyer who you hired as a freelancer who intentionally made it possible for the client not to pay --- because it's easier to write a contract which doesn't require payment --- on the grounds that "they probably won't notice" or "I didn't consider that they wouldn't want to pay"?
    What if the same lawyer outright refused to write correct contracts on the grounds it's far too hard/time-consuming/elitist/everyone knows that the client is meant to pay within a reasonable window of time?
    What if, instead of actually doing his job, the lawyer then advocated that clients be legally held to what he intended the contract to do, rather than what it actually says?
    What if he justified it by saying that it's obvious what the contract was meant to say, and while he can forgive innocent mistakes, if someone spends the time to understand the contract and abide by it then they should be liable for the effects of his refusal to do his job?
    How would you feel if every lawyer you hired had the same attitude, and sighed and rolled their eyes when you pointed out a loophole before explaining that it's ok because nobody really cares if contracts are correct?
    How would you feel if your lawyer, whose work you're liable for and not him, was trained in six weeks and calls themselves a sports-star lawyer?

    If we lived in a world where important programs (such as the banking system/nuclear weapons systems/firewalls/car firmware/pacemaker firmware/remote CCTV cam firmware/Therac-25 firmware) were already formally verified, would you advocate for throwing it away to lower the cost of development for future products? What if you were given a sneak peek at the last ten years of tech security news and told voting machines and jumbo jet firmware would also be unverified in your new world? That ADS-B would be unauthenticated?

    >Intentionally spending much effort to subvert that can then be considered illegal.
    This assumes that intentionally vague legalese is unambiguous. I agree that a statement of purpose is a damn good idea, but I feel it ought only ever exonerate and never under any circumstances convict given that it is specifically written to be vague.

    tl;dr: Your solutions are pragmatic solutions for the short-term, and valuable during the transition period; they are not a suitable endgame.