Computer Security researcher Dan Kaminsky tried to hack Bitcoin and failed

Via the Business Insider

“Two years ago, I tried to hack BitCoin. I failed. This was very exciting.”

Dan explains why the Bitcoin network, which is “a Pot Of Gold At The End Of The Rainbow for any hacker who could break it”, has performed so well.

“Seriously though, as an engineer and as a hacker (and I promise you, these are two very different things), BitCoin surprised me.  Here was a system with the following properties:

• Created an enormous global cloud of always-on, listening machines
• Spoke its own fiddly little custom network protocol
• Written in C++, which for all of its strengths is not usually the safest thing in the world to be reading random Internet garbage with
• Directly implemented the delivery of a Pot Of Gold At The End Of The Rainbow for any hacker who could break it

By all extant metrics in security system review, this system should have failed instantaneously, at every possible layer.”

“And, to be fair, it has failed at other layers – BitCoin thefts have occurred, in the meta-code that surrounds the core technology itself.

But the core technology actually works, and has continued to work, to a degree not everyone predicted.”

“A lot of the slop that permeates most software is much less likely to be present when the developer is aware that, yes, a single misplaced character really could End The World.  The reality of most software development is that the consequences of failure are simply nonexistent.  Software tends not to kill people and so we accept incredibly fast innovation loops because the consequences are tolerable and the results are astonishing.

BitCoin was simply developed under a different reality. 

The stakes weren’t obscured, and the problem wasn’t someone else’s. 

They didn’t ignore the engineering reality, they absorbed it and innovated ridiculously.”

“Bitcoin reflects an entirely alien design regime. (To geek out a bit, in the context of actual security paranoia, C++ is actually a great choice.  It allows for clean infrastructure, and if you know what you’re doing, you actually know what you’re doing.  Modern languages like JavaScript and Ruby are great, in that they do a huge amount for you under the surface, but then you don’t actually know what they’re going to do.  Ruby got burned pretty badly recently when some systems listening on the network were a little too … friendly.  Engineering is a game of tradeoffs.  So, of course, is business.)”

“But all that was obvious two years ago, when my fifteen point list of obvious likely bugs was systematically destroyed by a codebase that quite frankly knew better. “

“BitCoin is actually an exploit against network complexity.  Not financial networks, or computer networks, or social networks.  Networks themselves.

To be quite specific:  BitCoin is a rejection of the regulation of monetary flows. 

The cost of regulating any network actually goes up exponentially with the number of nodes that must be monitored (you need a hierarchy of systems to perform ‘guard labor’ to make sure systems are behaving within declared parameters).  

But the cost of adding yourself to the BitCoin network is not exponential.”

Despite his praise, Kaminsky does not believe that Bitcoin is without its flaws. Dan is concerned that Bitcoin’s computing power, and as such the ‘official truth’ of who owns what,  is being concentrated “in the hands of less than five or ten organizations”.

“the BitCoin experiment is not complete, there is actually quite a bit of interesting work to be done and it’s not at all clear what the future holds for the technology. “

Read the piece in its entirety here.

 

• Category: General
• Tag: Bitcoin, Security