Major Zcash Vulnerability Fixed

Zcash just fixed a vulnerability that would have allowed "infinite counterfeit" Zcash.

Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not ncessary.

Posted on February 5, 2019 at 2:59 PM • 46 Comments

Comments

grahamFebruary 5, 2019 4:55 PM

From what I have observed, the most fervent cryptocurrency zealots only have a superficial understanding of blockchain but are willing to trust their life savings to it. It's the assumption that they understand blockchain and all its risks that is the real problem.

FaustusFebruary 5, 2019 5:38 PM

Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not necessary.

I don't follow the logic. It's software. It had a bug. The bug was caused by a human, found by a human and fixed by a human, presumably. Zcash is far from the premiere blockchain product in any case. Why the breathless denunciation of the blockchain, and not every other software application that has ever had a bug? Which is: ALL of them.

I suppose people denounced the folly of airplanes too when initial attempts failed. I think this kind of reasoning has been demonstrated to be unreliable.

Isn't the security industry about making trustworthy protocols and automated processes?

Humans are much less consistent than software. In the last 20 years autopilots for example have made aircrashes much much rarer.

Certainly we don't want a future where people can't eat because they are unneeded. But we don't have to ignore how software works. Under many circumstances software does work better than people. And the proportion of those circumstances is growing. That's just reality.

We have to address the pretty marvelous opportunity that in the near future humans may not be required to work that much. Luckily all the big corporations that might be tempted to starve away the extras actually need these humans as customers to survive, so there is opportunity for a win win solution.

The blockchain is a data structure, not an alien monster. Of all data structures, why despise this one? It's not like you can demonstrate that it's a vulnerable construction. It's as good as its hash function.

Some, er, HUMAN, made a programming error. It happens.

Crap, another human died with the keys to his customer's cryptocurrency. https://boingboing.net/2019/02/04/crypto-ceo-dies-with-the-passw.html. If only key storage had been automated...

Now, on the other hand, unions ARE evil... !!!

I don't mean to be disrespectful. Let a thousand opinions flourish! But the world seems to be spinning faster these days and I definitely have a touch of future shock as opinions I felt I held in common with my peers become outliers.

Do we still agree that cryptography shouldn't be regulated?

WeatherFebruary 5, 2019 5:55 PM

How would you stuff up the currency of the world? Great difficult.
How would you stuff up the blockchain currency of the world? easy find a bug in software or the hash function.

1 million people or 1 ,sometimes dropping a nuke from orbit isn't the thing that causes the most damage.

Plus the post I asked removed, never trust computers, the general population can't now if it is accurate, if smart PhD people ...

FaustusFebruary 5, 2019 6:01 PM

@ Graham

The concept of a blockchain is pretty simple. But the profusion of currencies each have their own twist and introduce their own potential bugs.

I have only used the classics: bitcoin, litecoin and monero. But it is so easy to screw up and lose your keys or get hacked. And regulatory pressure will probably kill all of them off or at least depress their prices.

Crypto is not a place to put money you are not willing to lose.

DaveFebruary 5, 2019 6:05 PM

@Faustus: I think the idea here is that code is inherently insecure simply because it was designed by humans. And the more complex it becomes as more pieces of otherwise-independent code are connecting together, the harder it is to secure it.

WeatherFebruary 5, 2019 6:23 PM

S
Your on a submarine, and you are trying to exit a airlock, the people in the control room report (all locks secure) ,you in the airlock see a red light instead of green.

You are a piolet on a aircraft, you have been told this might be the last trip, Opic has raised the fuel cost, which wouldn't be a problem, but by the graph vine you here the company money buffer was in the share market, but , and as a person and a social chacter the management told you a little bird was going to raise interest rates.

It a large airline with 50 planes in the air at one time, as you drift out of you day dream, you notice the autopilot has adjusted 1 degree to miss a storm, dame you though that will add 30 mins and already its been a long flight, the rain radar say mild tublance

KorayFebruary 5, 2019 7:06 PM

Online shopping has "replaced" people. However, if your order is somehow stuck and not shipping, you can eventually reach a customer service person, who can listen to you, conclude that you are right and "fix" the order. There's always some kind of a "manual control" switch in every system managed by machines.

In the blockchain what happened in the past is precisely what the math says. You can't argue with it and you can't fix it. Cryptocurrency doesn't just unburden people with minutiae; it actively "excludes" people from the process altogether. Trust is entrusted in the protocols, and exclusively so (and its potentially buggy) implementations.

This may be why cryptocurrencies are celebrated by certain people. Yes, "bad" governments, big banks, etc. can't interfere to do bad things. But, nobody can interfere to do "good" things, either. If you think none of these institutions ever do anything good, I can see why it appeals to you.

FaustusFebruary 5, 2019 7:08 PM

@ Dave

Something like the blockchain has an actual security proof. However, there are all sorts of additional functions that are hard to verify so I understand your point.

But it remains true that the source of the error is human. Putting more humans in the process will make it less secure, not more. That is why social engineering is the hack of choice: It is so easy to fool the humans you don't need to defeat the code.

Bitcoin is the longest lived cryptocurrency and it hasn't been successfully hacked. https://www.quora.com/Has-the-Bitcoin-blockchain-itself-ever-been-hacked But its hashes are getting increasingly subject to attack by quantum computer. And it is a known fact that if someone can get over 50% of the processing power on the bitcoin network, they can attack it. But someone who had invested enough to get 50% of the hashing power would be ill served by the currency crash that would result from a hack.

FaustusFebruary 5, 2019 7:19 PM

@ Koray

Actually blockchain errors and hacks can be fixed by a process known as a "hard fork". Ethereum has done it to reclaim money after a hack. It has to be agreed on by over 50% of the processing power of the coin. Exchanges have reclaimed stolen coin that hackers tried to pass through them. However, Bitcoin is philosophically opposed to reversing transactions because of hacks.

Charles George JaraguaFebruary 5, 2019 7:29 PM

Whatever, this isn’t what we meant by “smart money“ back in the 80s.

Impossibly StupidFebruary 5, 2019 7:37 PM

Yeah, Bruce, I'm calling straw man, too. I don't know anyone who is saying that humans shouldn't be involved when exceptional circumstances occur. Whether it's cryptocurrency or banking software, errors and bugs crop up over time, and the humans are the only ones who can roll in to the rescue for the foreseeable future. Of all the systems to trust, though, I find it rather odd that you're expecting us to accept human say-so as the foundation rather than solid mathematics.

Alyer Babtu February 5, 2019 9:35 PM

Saying it’s software, encryption, mathematics, likening to engineered systems etc. is very generic. It doesn’t seem to address the specifics of the question. One can say everything is dynamical systems, but these vary diversely from elementary to chaotic. There was once (naive) enthusiasm and expectation that differential equations were a “universal solvent” but that changed drastically. Cryptocurrencies and blockchains may be mathematical software but still be unsuited to their intended use.

Paper in this regard:

https://scholar.princeton.edu/sites/default/files/markus/files/blockchain_paper_v5a.pdf

ThothFebruary 5, 2019 10:27 PM

Blockchain ? NFC payments ? Credit cards ? ATMs ? QR payments ? Online banking ? SWIFT ? Telegraphic Transfer ?

Every single traditional and institution backed transaction or cryptocurrency transactions are the same. They are bug ridden.

What is news ?

Look at every year's security conferences and papers have endless problems and are prone to failures and vulnerabilities ?

Traditional institution backed transactions cannot get security right. Do we even expect new payment technologies like cryptocurrency and so on to get every single line of code right.

I think this is more about the usual P-&/vs-C debate again and the likes. Back to square one.

Do you even trust the numbers displayed on the bank's ATM screen ?

If we want to compare traditional banking technologies and cryptocurrency, the big difference is the traditional banking system, you absolutely have not a single part of the system within your control. Do you have the Triple DES transaction key stored in yiur ATM and Credit card to control the release of your electronic bank funds ? No.

Are you able to request the bank to load your favourite Triple DES key value into your credit card and ATM card so you have control over its electronic value ? No.

Do you control the value backed behind every dollar or currency value ? No.

Do you control your cryptocurrency ECC keypair ? Yes. You can mint them air-gapped and offline or use your own RNG.

Are you able to use your own favourite wallets or make your own wallets ? Yes.

Do you control your own value ? Yes. The catch is you use your own cryptocurrency keys.

What does crypto exchanges do ? They are for speculative trading no doubt. You are still able to exchange small amounts of cash for cryptocurrency without using exchanges ... because big amounts will trigger banks to look into the transactions so small amounts or face-to-face meetings to transfer and exchange small sums of values are possible.

Exchanges are not the chokepoint. It is the misconception that you need an exchange to get the value out of it. You just need to use forums like Reddit to look for willing local participants to trade small amount of tokens for value.

If you are not doing speculative trading and only holding small values of cryptocurrency tokens worth say a couple hundred USD worth, the risk and lost ia reasonable just like any store-value schemes for digital tokens.

The misconception and problems with cryptocurrency is public perception.

Have you tried to understand it and tried it in person ?

Have you tried to think of improvements and suggest improvements ?

Have we considered the consequences of the destruction or fall of all cryptocurrency technologies via Government interventions or by some other means ?

This is similar narrative with gun control and substance control.

Clive RobinsonFebruary 6, 2019 1:16 AM

@ Bruce, ALL,

How about throwing on another 26 "Proof of Stake" cryptocurrencies that have been hit by just a couple of vulnerbilities found by researchers?

https://www.zdnet.com/article/security-flaws-found-in-26-low-end-cryptocurrencies/

Or how about human frailty,

https://www.zdnet.com/article/145-million-funds-frozen-after-death-of-cryptocurrency-exchange-admin/

For those claiming "software errors" dont forget the little hierarchy of attack stack the likes of the SigInt agencies work to,

1, Standard,
2, Protocol,
3, Implementation.
4, Human failings.

Crypto currencies are very vulnerable to level 2 because we realy don't understand protocols sufficiently to make them secure.

As for human failings well after thousands of years humanity has not fixed that one...

Good luck if you think you can fix all the levels on that stack, the people you are playing against have way more incentive and resources.

P.S. For those who find the Fortune.com site "Data raping" policies more than a little shocking, ZDnet has one you can read without cookies or javascript enabled,

https://www.zdnet.com/article/zcash-cryptocurrency-fixes-infinite-counterfeiting-vulnerability/

CassandraFebruary 6, 2019 3:39 AM

@Clive Robinson

I thought you had added another level to that stack recently?:

0) Legal/regulatory
1) Standard
2) Protocol
3) Implementation
4) Human failings

I think you could write a very interesting book illustrating each level with multiple examples. I believe I have said before that you really ought to write an autobiography, and within it share your insights, but given its likely content, it would have to be published posthumously, and I have no wish to read it any time soon for that reason.

Cassandra

DaveFebruary 6, 2019 7:48 AM

@Thoth :
> Every single traditional and institution backed transaction or cryptocurrency transactions are the same. They are bug ridden.

We agree that all software is ridden with bugs. It’s the trust we have in the monetary system, created throigh regulation and backed by the government’s military, police, and global influence that allows us to exchange traditional money with confidence, even if bugs are found in its components.

jbmartin6February 6, 2019 7:59 AM

I think many are missing Schneier's point. I could be wrong also, but I believe he is talking about the belief of many that use of blockchain-based cryptocurrency and so-called "smart contracts" will gain traction because of the costs in our financial system of the many human-based checks and cross checks. The idea is that you don't need all these intermediaries like analysts, lawyers, courts, et al. when you can just encode it all into a "smart" contract. But, since these contracts are just code, they will have failures. With a human contract, you have recourse if there is some unexpected backdoor in the contract, there are various principles such as material misunderstanding of fact for example. With a "smart" contract there is no recourse except a hard fork. It seems to me "dumb contract" would be a better name, akin to the dumb terminals old folks used.

Chris RhodesFebruary 6, 2019 8:55 AM

Self-Driving Car: *crashes*
Bruce: "This demonstrates the ridiculousness of the notion that code can replace people."

A true analysis would, of course, include the question "compared to what?" If you think blockchain-based currency protocols are insecure, boy do I have some things to tell you about the way the current, "people-based" currencies work!

FaustusFebruary 6, 2019 9:29 AM

Cryptocurrency is essentially public key crypto with a simple hash protected blockchain. Is everybody arguing against cryptocurrency because somebody might make a mistake, or there have been bugs? You could use the same argument against cryptography itself. Or anything.

It is a defeatist and regressive argument. We use more complex software every day. Ecommerce is hacked all the time. Should we abolish it?

I understand the security people need to take a cynical view and concentrate on potential problems. But I, for one, write large scale cutting edge software. I invent things. I push the envelope. It is an exciting, stimulating existence. Innovation is the activity that makes software great.

It sounds like a lot of people never reached such heights, or have left the mountain to be color commentators, and would rather watch mountain climbers fall.

I am far from an Ayn Rand acolyte, but this is Atlas Shrugged territory. I want to create software that serves people and provides good, interesting, well paid jobs in my adopted country. We are in challenging times that could use new ideas. But if people would rather tear down than build, let them enjoy their ruins. I won't be there.

@jbmartin6

Smart contracts DO often involve people. They are the ones who verify that the conditions of the contract have been met when the contract involves physical things. But yes, smart contracts are intended to avoid lawsuits, which are a long and expensive and unreliable way to resolve contract disputes. Lawsuits are heavily and unfairly biased in favor of the party with the most money. And towards lawyers and their immense fees.

@Alyer Babtu

I have no problem with the paper, but it is nothing to do with your gloss. In using cryptocurrencies and the blockchain there are trade offs in favor of decentralization. This is not news. I certainly wouldn't suggest putting the whole monetary system on it, nor does anybody I know. It is one of several options.

As countries are finding more and more ways to force compliance in every corner of their citizens' lives (China, yes, but I'm looking at you too UK & EU), decentralization gives us space.

If you are happy to have every aspect of your life adjudicated by a faceless committee there is no need for you to use it. Join a large corporation, Google, Facebook, IBM, Amazon, etc and you'll magically find that your disturbing desire to color outside the lines fades away to be replaced by the mortgage payments on your McMansion.

Maybe people are angry because, despite their large paychecks, they suspect somewhere people are freer and having more fun than they are. (Yes, we are.)

JohnnySFebruary 6, 2019 9:29 AM

I think the thing that's getting missed here is the inevitable end game: The whole cryptocurrency thing is a bubble. And when it pops (and it is starting to pop now for BitCoin) it's going to be a very hard lesson for the last person holding cryptocurrency because it's going to go to zero.

Every other currency has something to back it up: National currencies have some sort of backing that allows a holder to expect the nation to do something to prevent their currency crash, even if it's just to tweak interest rate or control spending (Venezuela and Zimbabwe are notable examples of when this goes wrong). Negotiable instruments are always backed by some enterprise or physical holding. So a holder can usually expect that such a currency that is falling will get some support from a nation state or private actor to prop the currency back up. Even in the Dutch Tulip bubble, after the crash the holders actually DID have some tulip bulbs! And in the case of currency as specie, the actual currency has intrinsic value as a precious metal or similar valuable object.

But in the case of cryptocurrency, the actual currency has no backers and no intrinsic value. It's just a number on someone else's computer somewhere. So there is NO economic force pushing the value back up when it drops: Eventually the value of the cryptocurrency must drop to nothing. When it does, there's no economic force to revive it. And whoever is holding the currency at that point just lost everything.

I think that in the "real world" this will (ironically) have a bigger negative impact on all the blockchain technologies than the software vulnerabilities and insecurities. The cryptocurrency crash may be associated closely with the blockchain tech that underlies cryptocurrencies, and make then undesirable in the business world where they actually may have a valid use case.

FaustusFebruary 6, 2019 10:12 AM

@JohnnyS

I don't think you understand the nature of fiat currency. Its sole backing is its use value, the fact that other people will accept it. Otherwise, how could currencies be devalued by 50 or 90% (a relatively common occurrence) if there were intrinsic value? Where did the value go?

People need currency to transact. In emergencies things like buttons have served as coinage. Currency today is all about use value.

Bitcoin has been attacked by all sides and it still retains a lot of value. People who were in at $90 are not crying. Not at all. Bitcoin has special use value in partial anonymity and ease of remittance across distance. (As well as deficits in ease of secure use and government repression.)

This isn't to say that bitcoin (or any currency) couldn't be quashed by unremitting repression. Gold itself, even with its intrinsic value, was quashed in the US as a currency for a large part of the 1900s.

If you show me a successful heart transplant, my attacking the transplant patient does not make the transplant any less successful. That fact that bitcoin is being repressed and it still is doing quite well speaks volumes to those who would listen. If it wasn't such a threat, why would so many people be attacking it? There are plenty of actually flawed protocols that don't get this attention.

FaustusFebruary 6, 2019 10:15 AM

@ David Rudling

That is a great story and a pretty clever way to try to suppress bitcoin.

Now the child porn isn't only in churches and parliamentary offices.

Paul R. DittrichFebruary 6, 2019 10:28 AM

There are NO perfect humans, therefore NO system built by humans can be perfect.

I don't care if we're talking about cryptocurrencies, software code or airplane autopilots. The real lesson is a simple feedback loop:

Never stop trying for perfection, but expect some degree of imperfection and be prepared to recover from the inevitable failures.

MikeAFebruary 6, 2019 10:49 AM

@David Rudling
---
In addition, Money Button has banned the user that uploaded the material.
---

Because as we all know, it is impossible to hide your true identity on the Internet.
Or to create a new one when one of your others was burned.

FaustusFebruary 6, 2019 10:53 AM

@ Paul R. Dittrich

There are NO perfect humans, therefore NO system built by humans can be perfect.

I don't care if we're talking about cryptocurrencies, software code or airplane autopilots. The real lesson is a simple feedback loop:

Never stop trying for perfection, but expect some degree of imperfection and be prepared to recover from the inevitable failures.

Well said.

Women laying in ponds distributing swordsFebruary 6, 2019 11:10 AM

@ faustus:


That fact that bitcoin is being repressed and it still is doing quite well speaks volumes to those who would listen. If it wasn't such a threat, why would so many people be attacking it?

Many people, individually or in self-selected groups, are not white-hat researchers working to verify proofs. Because bitcoin is treated as a store of value (whether from valuable material like specie, or from government fiat like dollars or Euros, or from a mutually-agreed social contract, or from a virgin's pure intentions) ... some people are putting money into it, and other people see it as something from which they might be able to get someone else's money. People invested effort and took risk to develop lockpicking tools and skills a thousand years ago when a locked door or a locked trunk were the security technology protecting gold and silver coins. People are doing the modern equivalent today when cryptocurrencies built on blockchain are the security technology protecting credits that can be used as money.

Maybe somewhere there are totalitarians trying to get rid of bitcoin to block decentralization and maintain domination of their society; maybe there are billionaires trying to get rid of bitcoin so their traditional wealth will hold its power to keep them on top. But I would wager that if an omniscient narrator counted every attempt to crack bitcoin's security, and all the similar attempts to crack other cryptocurrency systems, he would find that far more stemmed from greed to take money, or from malice to harm a foe, than from any perception of bitcoin as a "threat".

FaustusFebruary 6, 2019 12:14 PM

@ Women laying in ponds distributing swords

I see I was being unclear. When I asked why so many people were attacking bitcoin I meant verbal attacks. Speaking against bitcoin.

Although defeating its security is a good way to reduce support for bitcoin -- a successful hack on its central technologies would cause me to walk away from it, for good reason -- I agree with you that most hacking attacks on bitcoin are probably motivated by greed.

Impossibly StupidFebruary 6, 2019 12:43 PM

@Dave

It’s the trust we have in the monetary system, created throigh regulation and backed by the government’s military, police, and global influence that allows us to exchange traditional money with confidence, even if bugs are found in its components.

And yet we see that sort of "confidence" game value evaporate all the time. Whether it's runaway inflation sweeping countries like Venezuela or the US government shutting down time and time again. If your only "trust" is in the nation-state, things can collapse just as quickly as they could with any cryptocurrency bubble.

@jbmartin6

With a human contract, you have recourse if there is some unexpected backdoor in the contract, there are various principles such as material misunderstanding of fact for example. With a "smart" contract there is no recourse except a hard fork.

Just because that is the current limitation on cryptocurrency implementations doesn't mean it's the only possible mitigation in the future. The biggest problem with these first generation solutions is that they have a large number of binary settings for things. Trust should never be all-or-nothing. Ledgers should not necessarily be global.

@JohnnyS

I think the thing that's getting missed here is the inevitable end game: The whole cryptocurrency thing is a bubble.

And what you might be missing in turn is that pretty much all the economic systems that are being imposed around the world are unsustainable growth bubbles.

Every other currency has something to back it up

Nope. The vast majority are all fiat. And even intrinsic values of the "gold standard" are just collective agreements. I mean, seriously, what real value does a hunk of gold have to you? To act like code is less valuable, especially when you look at all that computers and technology have done for us, is laughable.

@Paul R. Dittrich

Never stop trying for perfection, but expect some degree of imperfection and be prepared to recover from the inevitable failures.

Yeah, if there's any rational thing that Bruce is complaining about, it's the unchecked automation that allows errors to propagate at a massive scale. There needs to be some well-reasoned brakes and disaster recovery systems built into the protocols we adopt globally. Whether it's cryptocurrency or the "click here to kill everybody" IoT devices we adopt, we need to work harder to make them as secure as possible.

DaveFebruary 6, 2019 8:39 PM

@graham: From what I have observed, the most fervent cryptocurrency zealots only have a superficial understanding of blockchain

It's not the blockchain they have a superficial understanding of, it's how financial systems work, which they usually have no understanding of whatsoever. They see a global conspiracy by banks/governments/the rich/whatever to monopolise wealth, and think that their disruptive technology will change all that, blissfully ignorant of that fact that while some of what's in place may be there to preserve the status quo, most of it is there to deal with fraud, handle glitches in the system, and so on. There's hundred of years of evolution in there to handle any eventuality, while blockchain is at the level of a bunch of kids playing with version 0.1a to see what happens next.

DaveFebruary 6, 2019 8:52 PM

@Faustus: Something like the blockchain has an actual security proof.

"Beware of bugs in the above code; I have only proved it correct, not tried it" - Donald Knuth

There follows a history covering at least twenty years of people repeatedly finding bugs in it, proving their fix correct, and then having more bugs found.

The code in question was about ten to fifteen lines long. How many million lines of code is involved in all the BTC stuff?

DaveFebruary 6, 2019 8:57 PM

@Thoth: Blockchain ? NFC payments ? Credit cards ? ATMs ? QR payments ? Online banking ? SWIFT ? Telegraphic Transfer ?

What makes blockchain the odd one out is that all of those systems have multiple, in-depth, time-proven mechanisms in place to handle glitches and discrepancies. With blockchain, one glitch and you're on your own. Once your virtual currency is gone, it's gone, there's no coming back. It's the car without brakes and seatbelts of the financial world, a lot of the time it seems to work fine, but then one day...

FaustusFebruary 6, 2019 9:22 PM

@ Dave

The blockchain itself is simple and can be proven to be as secure as the hash. As I noted above, all the much larger supporting logic is subject to bugs. But nobody has hacked the bitcoin blockchain yet.

Certainly it is possible that someone will pull off a successful hack on the bitcoin blockchain. Or that any airplane will fall out of the sky from a bug. Some have. Or that any system will fail. I wouldn't recommend putting money you need in cryptocurrency, particularly because of the political climate.

But that doesn't mean that blockchain technology cannot be deployed, tested and improved. It's called progress. And the nice thing about being a programmer is that you can do major work without asking anybody's permission.

65535February 6, 2019 10:15 PM

@ Faustus
“Crap, another human died with the keys to his customer's cryptocurrency. https://boingboing.net/2019/02/04/crypto-ceo-dies-with-the-passw.html. If only key storage had been automated...” –Faustus

I don’t know what to make of the incident. A investor hints that it is a fraud.

‘“Canadian resident Xitong Zou told CoinDesk…“The fact that it [CEO Cotten’s death] happened a month ago, and they just announced it now, and no proof of death, no obituary, no linkedin profiles of any of the staff, no physical addresses, limited crypto withdrawal limits, etc all makes people suspicious.”’- Coindesk

https://www.coindesk.com/quadrigacx-crypto-exchange-users-say-they-still-cant-get-their-money-out

If you take a look at your link’s picture of Ouadriga CX’s CEO he has clean cut red hair. If You look at this picture of him he now has odd black hair and a beard with an awkward mustache.

https://www.ndtv.com/world-news/crypto-exchange-founder-gerald-cotten-filed-will-12-days-before-he-died-he-was-30-1989129

This Quadrige CX company had extensive lawsuit[s] anginst it with a major bank in early 2018. The CEO makes a will 12 days before his death and gives it all to his wife then travels to India. He dies in late 2018 in India. The news of his death is withheld for a month or more. Some of the articals about him say there was no record of him entering India.

The India death certificate is not signed. I thought most death certificates were signed by a person.

https://www.coindesk.com/indian-death-certificate-crypto-exchange-quadrigacx-death

Was his remains creamated?

No recovery of a body?

All very confusing.

NickFebruary 7, 2019 2:52 AM

"this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not ncessary".

So you'd trust a person you've never met, but not trust code that is open for review by yourself and others?

I don't understand.

As for "governance", ultimately that's done by politicians: the least trustworthy class of people on the planet, with the possible exception of people actually in prison for fraud.

ThothFebruary 7, 2019 4:00 AM

@Dave

"What makes blockchain the odd one out is that all of those systems have multiple, in-depth, time-proven mechanisms in place to handle glitches and discrepancies."

You can search the online web via your search engine for bad trades and things like exploits on the SWIFT network (i.e. some odd years ago an attack on Bangladesh bank) and many other banking networks. Note that the some of these attacks had huge loses in funds and some were up till today unable to refund the lost amounts.

The above statement also probably hints at the lack of practical hands-on meddling with financial networks and systems :) (i.e. extensive working with financial institutions on their IT/Sec side).

FaustusFebruary 7, 2019 9:43 AM

@ 65535

Interesting follow on!!

I never use exchanges. I always spin up my own node. Exchanges have a very bad history of (supposedly) being hacked, (supposedly) losing keys, and quite definitely being ripped off by their often pseudonymous operators. Running your own node supports the network and makes it more resistant to 50% attacks.

I you don't understand cryptocurrency enough to find the software, verify its legitimacy (SO VERY IMPORTANT), compile it and run it yourself, you should be using a payment processor that supports crypto and indemnifies you against loss (and always converting the coin immediately to dollars/euros/etc or moving it out of any exchange involved), or you should be working with "play" amounts of money. Or no crypto at all.

SkizzoFebruary 7, 2019 2:41 PM

"Yeah, if there's any rational thing that Bruce is complaining about, it's the unchecked automation that allows errors to propagate at a massive scale."

Even having over 70 people helping with the arguably much less complex task of just writing a book about cryptography didn't prevent dozens (hundreds?) of errors from making their way into the final manuscript. Funnily enough, I was using spelling and grammar checkers back on my Apple //e in the 80's that would have caught many of these errors.

SkizzoFebruary 7, 2019 3:02 PM

Typical verbiage of commercial banking account agreements...
“You agree to be bound by any transfer, instruction or payment order we receive through the Services, even if it is not authorized by you, if it includes your password or is otherwise processed by us in accordance with our security procedures. You agree to establish, maintain and update commercially reasonable policies, procedures, equipment and software that will safeguard the security and integrity of your computer system and information from unauthorized use, intrusion, takeover or theft, and prevent your password from unauthorized discovery or use.”

“You bear all risk of fraudulent transfers and other losses arising from your failure to follow this agreement or from the interception of your communications prior to their receipt by us. The Bank will not reimburse you if you fail to follow the procedures outlined in this agreement. You agree that The Bank is authorized to execute, and it is commercially reasonable for us to execute, any instruction received by us with your password.”

IOW, you're not getting your money back if your account is compromised.

PhaeteFebruary 7, 2019 8:47 PM

Normal progression i'd say.

It took us how many centuries (millenia?) to try get rid of most of the vulnerabilities in paper and metal cash.
People shaved coins, we made them ribbed to notice that etc, and this arms race will always continue, paper and metal money is still not 100% invulnerable to counterfeiting.
So this will continue, independent of the current form of currency.

As far as the software angle, it's already what controls most of the money available on this earth; in banks, funds and other constructs where your money is represented in numbers on paper and not in direct paper/metal currency.

Still fun and informative to read though.

Is there a Darwin awards like project for software i am asking myself now.

PhaeteFebruary 9, 2019 10:13 AM

@Faustus,

That's not exactly what i mean with The Darwin Awards
Although how to apply that meaning to software (or IoT perhaps) i am not quite sure yet, got several ideas floating around.

FaustusFebruary 9, 2019 5:14 PM

@ Phaete

Oh! An anti-award!

@ A Nonny Bunny

Oh, blaming the data structure for its application, eh? What about the crimes enabled by the linked-list? The social irresponsibility of the B-tree?

In reality, nobody knows how much electricity bitcoin uses. Anti-bitcoin groups claim the electricity cost is equal to the amount of bitcoin mined, which is its theoretical maximum. Which is simply their propaganda. If it were true the bitcoin hashrate would keep the same proportion to bitcoin price, which it does not:
https://bitinfocharts.com/comparison/hashrate-price-btc-ltc.html

According to them, halving the price of bitcoin automagically halves the electricity it uses. With its price decrease why is bitcoin not getting congratulated for its electricity savings, eh?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.