Some time ago, I wrote that I had given up on Ethereum. While the problems coming from the DAO hack are now in the past, Ethereum has had a few other problems.
Granted, these problems have nothing to do with Ethereum itself. They are all exploits in the surrounding ecosystem. Hacking the CoinDash website to replace their public wallet address was particularly cheeky. This all reminds me of tales of the Wild West, when money was transferred between banks by stagecoach or by train. The technology simply didn't exist to provide the necessary security way the heck out on the prairie.
Seems like that's where we are now. The necessary technology does not exist to provide the security that currencies like Ethereum and Bitcoin really require. Website hacks are a dime a dozen, and when a hack can be worth millions of dollars... The same for software: when professional programmers still write code vulnerable to SQL injection - when our platforms even allow this as a possibility - then we simply do not have the technology to secure the stagecoach.
Previously:
$30 Million Below Parity: Ethereum Wallet Bug Fingered in Mass Heist
Hacker Allegedly Steals $7.4 Million in Ethereum During ICO
Used GPUs Flood the Market as Ethereum's Price Crashes Below $150
Ethereum Mining Craze Leads to GPU Shortages
Ethereum Unusable, DAO Refunds Possible
(Score: 0) by Anonymous Coward on Thursday July 20 2017, @05:44PM (1 child)
Entanglement will solve everything.
(Score: 0) by Anonymous Coward on Thursday July 20 2017, @05:48PM
Oh to be young and so optimistic. The next new shiny will soon be tarnished too.
(Score: 2) by pendorbound on Thursday July 20 2017, @05:49PM (10 children)
There are plenty of ways to secure cryptocurrency. All of the mentioned hacks were cases where existing security systems weren't used or were used improperly. Websites can be made to be secure. Client wallets likewise. Comparing these to a stagecoach robbery, while colorful, is way off the mark.
If you need a less-techy analogy, the CoinDash hack was more like a bank's night drop box left unattended and someone sticking their own box in front of it to collect any money dropped by unwitting depositors. The Ethereum wallet hack was a safe that also took the combination "12345" in addition to whatever the owner set for it.
Lousy code and lax security practices all around. The technology to secure these things exists. It takes money to hire people who know what they're doing and the commitment from management and investors to not undermine them for budgetary or schedule concerns.
(Score: 0) by Anonymous Coward on Thursday July 20 2017, @06:01PM
Sure does. It's called insurance against theft.
(Score: 5, Insightful) by bob_super on Thursday July 20 2017, @06:04PM (2 children)
In related news, it's 2017 and we just had a discussion about a popular web library being vulnerable to a freaking buffer overflow.
(Score: 0) by Anonymous Coward on Thursday July 20 2017, @06:06PM
Buffer overflow, must not be Rusty enough!
(Score: 0) by Anonymous Coward on Friday July 21 2017, @02:55AM
Buffers are still overflowing
It's been going on for quite a while
Perhaps it's quite fashionable
It hasn't gone out of style
(Score: 2) by Fnord666 on Thursday July 20 2017, @06:35PM (4 children)
CoinDash aside, Ethereum hacks are a bit more than just lax security practices. Ethereum is not just a cryptocurrency, it's also a platform where you can build "smart contracts", the terms of which are defined programmatically. A bug in the programming of Parity.io's multisig contract, for instance, allowed a thief to subvert the contract and transfer a bunch of Ether into their own wallet [financemagnates.com]. Programming these smart contracts is a relatively new field, and it must be done exactly right or someone will find a way around it. You can expect this to happen again and again until the developer of the smart contract is held liable for any losses incurred due to a flaw in that contract's code. That will be the only way to ensure that these contracts get the scrutiny they truly need and companies can rely on them to do business on the Ethereum (or any similar) platform.
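To make the class of bug concrete, here is an added example (written for this page, not Parity's code and not taken from the linked article): a cut-down wallet whose one-time initialiser has no "already initialised?" check, next to the same wallet with the check added. The real Parity wallet was more elaborate (the initialiser lived in a shared library that the wallet reached through a delegatecall fallback, and spending normally needed several owner confirmations); both of those details are left out here so the missing guard is the only thing to look at.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Parity's code: a minimal owner-controlled wallet in the
// shape the comment above describes. initWallet is meant to run exactly once,
// right after deployment, but nothing enforces that. Attack sequence against
// this contract: (1) deployer calls initWallet with the real owners and funds
// it; (2) anyone calls initWallet([attacker]) and is now also an owner;
// (3) attacker calls execute(attacker, address(this).balance).
contract WalletMissingGuard {
    mapping(address => bool) public isOwner;
    uint256 public numOwners;

    // No check that the wallet is still uninitialised.
    function initWallet(address[] calldata owners) external {
        for (uint256 i = 0; i < owners.length; i++) {
            isOwner[owners[i]] = true;
        }
        numOwners = owners.length;
    }

    // The owner check itself is fine; the problem is who can become an owner.
    function execute(address payable to, uint256 value) external {
        require(isOwner[msg.sender], "not an owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

// Same wallet with the missing guard: once an owner set exists, every further
// call to initWallet reverts, so step (2) above fails.
contract WalletWithGuard {
    mapping(address => bool) public isOwner;
    uint256 public numOwners;

    modifier onlyUninitialized() {
        require(numOwners == 0, "already initialized");
        _;
    }

    function initWallet(address[] calldata owners) external onlyUninitialized {
        require(owners.length > 0, "need at least one owner");
        for (uint256 i = 0; i < owners.length; i++) {
            isOwner[owners[i]] = true;
        }
        numOwners = owners.length;
    }

    function execute(address payable to, uint256 value) external {
        require(isOwner[msg.sender], "not an owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

The guard is one line, which is exactly why it is easy to drop in a refactor and hard to notice in review: a function that looks like deployment plumbing rather than an access-control boundary. Any externally reachable function that changes who is allowed to move funds deserves the same scrutiny as the spending function itself.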
(Score: 2) by JNCF on Thursday July 20 2017, @07:36PM (2 children)
This is a realm that is particularly difficult to regulate; there is practically no physical supply chain. Software can be released pseudonymously on the blockchain itself. You can't touch what you can't see. There will be solutions to this problem, and they will be solutions that your courts can't even dream of. I have no idea how long they will take to create, but your wigs and gavels aren't going to help.
(Score: 0) by Anonymous Coward on Friday July 21 2017, @02:48PM (1 child)
i don't think anyone was talking about bringing the useless fucking courts and government into the equation...
(Score: 2) by JNCF on Friday July 21 2017, @03:09PM
I see no sensible interpretations that don't involve jackboots, but I'm open to new ideas. Care to enlighten me?
(Score: 2) by rigrig on Thursday July 20 2017, @07:48PM
It isn't like people gave the developer a bunch of smartcoins and told him to write a secure contract: the contract was there first, so everybody could (and should) have had a look at it themselves before storing their money in it.
And if you can't properly verify a contract (or know someone who you trust who can), maybe don't trust it with your savings?
As this tweet [twitter.com] about the pull request that introduced the bug [github.com] points out:
No one remembers the singer.
(Score: 2) by Justin Case on Friday July 21 2017, @04:33PM
Wow! You've discovered something that millions of other developers have not. Please share your techniques!
(Hint: In 1999 when Cross Site Scripting was discovered, 95% of all web sites were vulnerable -- not because of flaws in the site's code, but because of routine error messages returned by practically every web server platform in existence. And here we are now almost 20 years along and Cross Site Scripting is still in the Top Ten [owasp.org]. You know, right along with the other nine.)
Once you get your own code perfect, and the lasagna layers of platforms are also perfect, and the OS is perfect, then all you have to deal with is that your hardware is pwned from the factory and your firewalls are obedient slaves of the NSA. And oh yes the https certificate system is thoroughly broken swiss cheese. But other than that, securing a web site is easy! It is a wonder more people don't do it!
Oh, wait, I forgot Security Vulnerability Number One: your users. There's no patch for that.
(Score: 3, Insightful) by Thexalon on Thursday July 20 2017, @06:45PM (2 children)
If you get involved in projects like Bitcoin and Ethereum, you're dealing mostly with folks that hate the government getting involved in their business. That's perfectly understandable. But guess who else doesn't like the government getting involved in their business? Criminals! And I don't mean invented crimes like speeding the libertarians usually complain about, I mean con artists, drug dealers, thieves, murderers, extortionists, and so forth.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by JNCF on Thursday July 20 2017, @07:42PM
With the exception of speeding, all of the crimes you listed were invented.
(Score: 2) by tonyPick on Friday July 21 2017, @05:47AM
Good-oh. Economics Anti-Vaxxers running through a combined history of finance system and computer programming blunders, all while betting real world money on their Dunning-Krugerrands. When we put it like that, what could go possibly wrong? :D
(Score: 2) by takyon on Thursday July 20 2017, @10:09PM
http://www.bbc.com/news/technology-40654194 [bbc.com]