blockchain, cryptocurrency

Bitcoin + Lightning = P2P Commerce

In the beginning, there was barter. Everyone had something to buy or sell. Transactions happened freely between regular folks. No middlemen were needed. Presumably, everyone pretty much got what they required (it could be assumed that needs were simpler back then). Then came currencies in lieu of barter and the people who issued the currencies. Currencies began to acquire power. Fiat currencies came much more recently, one could say they were created out of thin air, not backed by a physical commodity. Some people had more, some had less or even none. Income disparities were born and gradually grew. These gaps between the haves and have nots spiraled to the stupendous levels of today where the top 1% control nearly 40% of America’s wealth. It can be argued that the system of currencies helped build up these inequalities between countries and between individuals.

All through the power of the Exchange Rate Regime.

Bitcoin and other digital currencies hold out the tantalizing promise of someday going back to a level playing field. One common currency (or set of currencies) for the entire planet. No more national currencies, no more exchange rate driven schisms. Anyone can transact in digital currencies, anytime. But it is still a somewhat distant promise. Some of the things coming in the way are scale and cost of transactions. Then there is politics. But that is another discussion. Coming to scale, Bitcoin is still too slow today. Just about 3-4 transactions per second. Whereas Visa does about 2,000 transactions per second. At over 7,000 dollars and rising, Bitcoin is becoming more and more expensive. And transaction fees are simply out of whack. A few dollars per transaction depending on how fast you want it to go through, ruling out smaller transactions.

Enter the Lightning Network, a truly pathbreaking solution. It can dramatically expand the scale to millions to billions of transactions per second. Forget Visa. It will blow away pretty much everyone by a wide, wide stretch. It performs its uncanny magic by moving transactions off the Blockchain using payment channels. More importantly, it assumes that intermediaries cannot be trusted. So, no hanky-panky possible. Channels can be opened, funded, used to route transactions, and closed at any time. A channel is a 2-of-2 multi-signature address, which means that both parties to the transaction need to sign off to complete a transaction. Half-signed signatures can be freely sent around in both directions. The moment both parties sign off on a 2-of-2 transaction, it gets broadcast to the Blockchain and the channel closes.

Checks and balances are instituted through cryptography and lock-in times, with the Blockchain available as an impartial arbitrator at any time. Lock times prevent a channel from closing too soon or out of turn. Exchanging private keys used to sign transactions prevents broadcasting of invalid transactions as the counter party can use the private key to sweep all the funds of the offending party. Posting transactions to the Blockchain closes the channel and locks in the funds distribution. An entire web of nodes can be constructed to route multi-hop payments anonymously. Consider it an Internet of Money. Transaction fees are expected to be near zero. This opens the spigot on microtransactions.

But the most important benefit is probably the opening of the entire globe as a market, all the 7.6 billion humans, through a common currency. The Internet brought about global connectivity. But the prevalence of national barriers and exchange rate differentials means that barriers remain. And then there are the banks and other financial institutions who control the creation and flow of funds.

The blockchain provides a foundational layer for transactions to flow across the globe. As a layer two solution atop the blockchain, the Lightning Network hugely accelerates the movement of transactions and helps realize the original vision behind Bitcoin. Any citizen of the world can access a payment channel to transact in bitcoin or other digital currency, without having to deal with nation states and financial institutions in the middle. Possibilities are breathtaking.  Transactions can flow seamlessly, unencumbered, across borders. Frictionless.

Global trade should start to rise with everyone having the opportunity to participate in it. Not just the privileged few. Wealth equalization and growth should follow as more and more people are provided an avenue to generate wealth, with the world as their oyster. Ushering in the world of Person-to-Person (P2P) Commerce, a rising tide that will lift all boats. Let the fun begin.

ransomware, Uncategorized

WannaCry Wannabes Ahead

Considering the turn of events in the WannaCry ransomware outbreak, here is what it appears to look like from a high level:

  • Based on a vulnerability in Microsoft’s SMB protocol, the NSA develops an exploit called “Eternal Blue.”
  • After hacking the NSA, the Shadow Brokers get hold of artefacts for Eternal Blue and other NSA exploits.
  • Microsoft releases a patch for the SMB vulnerability in March for supported Microsoft Windows platforms.
  • An announcement is made by the Shadow Brokers that they have obtained this trove of NSA tools and exploits.
  • The group tries to auction off the proceeds, fails, and then selectively dumps some of the tools for free.
  • Hackers get hold of the tools and launch the WannaCry exploit in the beginning of May, a worldwide outbreak.
  • Folks using older versions of Windows not covered by the March patch and those who had not applied the patch are all especially vulnerable.
  • Microsoft provides an emergency patch for the versions of Microsoft Windows that are past their de-support deadlines.
  • A “kill switch” is discovered where the malware depends on an unregistered domain to carry out its work. Registering the domain deactivates the ransomware exploit, for now…

Essentially, the NSA cache seems to have turbocharged what was a “regular piece” of ransomware malware to enable it to spread like wildfire.

As an aside, it could be assumed that Microsoft was informed by the NSA about the hack, prompting them to come out with the March patch. Additionally, something that could potentially be asked is did the NSA discover the SMB vulnerability on their own or were they cued about it. Communication could, after all, flow both ways.

Taking a closer look at ransomware itself; where it appears to stand out is its finely-tuned use of cryptography to carry out its handiwork. A public and private key pair is generated for each infected machine, the public key is sent to the client machine, sets of private keys are generated and used to encrypt files on the target machine, and the public key is used to encrypt the private keys. At which point, the files are locked out, irredeemable without the use of the private key lying on the command and control server. It seems to be all about the use of keys, encrypted files stay on the machine, but remain inaccessible. It is almost like someone locks you in at home and demands a ransom to open the door and set you free.

So long as there are vulnerabilities to be exploited, clearly there will be no shortage of malware and exploits. Given that it is not just the hackers who are interested in vulnerabilities but also the powerful governmental spy agencies, we can expect no letup in such attacks.

NSA toolkits appear to have had exploits for many more vulnerabilities including for the Swift network and Linux systems. From an earlier release, firewalls from Cisco, Fortinet, and Juniper seem to have been among the targets with the tools enabling remote code execution and privilege escalation. Getting a foothold in a network and sending files to a target system were some of the other hacks that were reported. And there could be many more that the Shadow Brokers are yet to release.

Therefore, it is entirely conceivable that we could be seeing more such attacks that are inspired by NSA material. Several WannaCry wannabes may be in the works, more turbulence ahead.


To secure or to unsecure: a VPN question

“The wood is full of prying eyes.” So is the Internet. What does one do to get away from them all? After all the IP protocol was not designed with security in mind. They didn’t need to worry much about security during the Arpanet days.

When it comes to ensuring secure communications on the modern Internet, VPN tunnels have been the way to go for enterprise users. There are several options. First off, you have IPSEC VPN tunnels if you are looking to connect entire networks or subnets to each other. Then there are the SSL VPN tunnels that come in handy if it is a specific server or application or some other resource that you need to reach. If you are looking to tunnel through an incompatible network then the GRE tunnel would be a good option, with IPSEC bringing in the additional security layer. IPSEC came on the scene first with an entire suite of protocols: IKE, AH, ESP. Within the IKE protocol, keys are exchanged and parameters are negotiated. IKE Phase 1 establishes the management tunnel and Phase 2 sets up the IPSEC tunnel through which data is transferred. Data in the tunnel is secured using either the AH or ESP protocols. IPSEC is complex. Indeed, there are also some concerns that the complexity was intentionally introduced to hide cybersecurity flaws. But that is another story. On the other hand, SSL VPNs provide remote access to users via SSL VPN gateways. SSL has enjoyed wider adoption being less complex and needing just a web browser at the client end, with plug-ins for establishing the tunnel mode.

VPNs have been in the news lately. Cisco firewalls used to run VPNs were the subject of an NSA exploit. Through an attack targeting a weakness in the implementation of IKE, keys used to encrypt communications could be extracted. In the meantime, there have been some interesting developments around Juniper firewalls. It seems that the encryption algorithm was “intentionally” weakened to install a backdoor into the device so that eavesdroppers could tune into the encrypted communications taking place. Similarly, Fortinet firewalls were discovered to have a vulnerability that could be exploited with a script to gain administrator level access. At Palo Alto Networks, through a buffer overflow in their SSL VPN web interface, restrictions to bypass limit traffic to trusted IP addresses could be abused.

Looks like a case of backdoors galore.

From the enterprise world, the technology made a leap into the consumer world to meet the ever-increasing demand for privacy and safety as well as work around the geo-restrictions to media access globally. Therefore, the market for VPN services seems to have grown dramatically with several providers competing to win customers. Though, there are concerns that have been expressed about privacy. A study of 14 popular commercial VPN providers found 11 of them to leak information including the websites being visited and the content being communicated. It is said that VPN providers could potentially log their customers and that all they do is to provide a VPN proxy server. A lot depends on trusting the VPN provider. Certainly, it may not be difficult for the provider to listen to the communication going through their servers. Another vulnerability that was reported could enable attackers to unmask the real IP addresses of client devices, definitely a big problem when hiding their IP addresses is why users sign on in the first place. Also, many service providers use OpenVPN, which was the subject of the infamous Heartbleed exploit, again a case of keys being exposed through a hack. Some providers leverage outdated protocols like PPTP that can be broken through brute-force attacks.

Consequently, Internet privacy clearly has been turning into an oxymoron for a while now.  When VPN devices and services whose raison d’etre is security and privacy have been readily exploited, in circumstances that often look incriminating, it becomes a case of you can “run but you cannot hide” on the Internet. Unfortunately, there is no escaping from those pesky prying eyes. A question some enterprise buyers may have asked is did they secure their network or potentially un-secure it by installing expensive VPN appliances.