Ethical dilemmas and economic problems surrounding the disclosure of vulnerabilities in cryptocurrencies.
Any complicated piece of software is likely to contain bugs, some of which can be weaponized into harmful exploits and potentially even monetized to yield financial gains for attackers. Cryptocurrencies are complex systems themselves, so it isn’t very surprising that exploits, hacks, and attacks against them are found on a regular basis, often resulting in theft and other damage that can cost millions of dollars.
Suppose you stumble upon a vulnerability in a software system. Being the responsible, law-abiding nice guy that you are, you want to tell people about the problem rather than use it to attack the system. The practice of “responsible disclosure” evolved for that very reason. It usually entails telling the company or organization that produced the software about the problem and giving them sufficient time to evaluate the vulnerability and issue a patch. This is usually followed by a public disclosure of the vulnerability once the system has been fixed.
Vulnerabilities in Cryptocurrencies are Harder!
Now, let’s suppose that you discover some vulnerability within a cryptocurrency system such as Bitcoin, Ethereum, Zcash, or an ICO token running inside one of these systems. The situation is much more complex. Let me mention a few issues that immediately come to mind:
The existence of the bug may directly impact the market value of tokens or coins. While a bug in conventional software can affect its vendor’s stock price, it rarely does (the stock of small companies usually isn’t publicly traded, and large companies are usually robust enough to absorb a single bug). In cryptocurrencies such an effect is much more likely, which means that the group of affected individuals may be large: everyone who holds the relevant tokens. In fact, you yourself may be holding tokens. What is the ethical thing to do? Sell? Hold?
The vulnerability is easily monetized. In other systems, it’s not that easy to benefit from a vulnerability. If, for example, you could make someone else’s machine crash every time they open their browser, you might not find a way to profit from it; there isn’t always a clear path to monetization. With cryptocurrencies things are easier for attackers: even without exploiting the bug directly, you could always short the cryptocurrency. This makes information about the exploit very sensitive.
Who to disclose to? There isn’t a clear entity in charge of development, no clear decision maker, and no one to negotiate responsible disclosure with. The CEO of Bitcoin cannot ask you to delay publication of the exploit for one month and guarantee that a patch will be pushed out by then (mostly because this person does not exist). How do you choose which developers to contact? How do you keep information about the vulnerability contained?
Sometimes the original developers can’t help. The bug may exist within a smart contract that cannot be rolled back easily (think of the DAO once money is already locked inside, outside of any single person’s reach). Do you publicly disclose? How do you do it? Individuals who learn of the exploit earlier will be hurt less (if they sell their tokens) or may in fact use the exploit themselves.
Insider trading. Even if there is a company behind the system, the developers themselves often have a stake in it (from the founder’s reward or premined coins) that they can liquidate. What if they think the bug is too hard to fix and decide to dump all of their coins before others become aware of the problem?
The vulnerability can exist in many systems. Most of the code in the cryptocurrency world is open source, and code and ideas are often reused across projects. This implies that the vulnerability can potentially affect multiple platforms. Ideally, disclosure should go to a small number of individuals who can effectively fix the problem.
I’m afraid I’m going to leave you with more questions than answers. It’s possible that easy answers don’t exist at all. But let us not despair! We’ve seen cases in the past in which vulnerabilities were successfully disclosed to small groups of developers and fixed, and also many occurrences of attacks that were handled with more extreme (some would say controversial) measures; for example, white-hat groups attempted to block attackers during the DAO hack and the Parity multi-sig wallet hack.
My guess is that we are going to see many more cases that test the ethical boundaries of security research, as well as the economic incentives for disclosure (are bounty programs sufficient to defend us?). I hope that we find clear and ethical practices that promote more secure and stable systems.
In March 2015, 10 human rights NGOs ranging from Amnesty International to the ACLU, and from Privacy International to Liberty, filed an application with the European Court of Human Rights (ECtHR) challenging the United Kingdom’s surveillance regime under the Regulation of Investigatory Powers Act 2000 (“RIPA”), which has since been replaced by an expanded piece of legislation, the Investigatory Powers Act 2016 (“IPA”). The case relies on the Snowden revelations and concerns the legality of the UK’s bulk interception of internet traffic transiting undersea fiber-optic cables landing in the UK, as well as access to information gathered by the NSA and shared with UK agencies. At first glance this might seem like an ordinary surveillance case, no different from many of the other cases the ECtHR has heard in recent years. What makes the case unique is that the NGOs are basing their argument for illegality not solely on Article 8 of the European Convention on Human Rights (Right to Privacy) or Article 10 (Freedom of Expression), but also on Article 14 (Prohibition of Discrimination). RIPA (much like the new IPA) distinguishes between the interception of external and internal communications, setting different degrees of protection for each. The NGOs claim that to grant persons “present in the UK [...] additional procedural safeguards” while denying the same protections to those outside the UK amounts to indirect discrimination on grounds of national origin. Oral hearings have been scheduled for the end of this year, with the hope that a decision could be made in 2018. The ECtHR is thus poised to determine whether it is ever possible to justify differentiations in oversight, protections, and minimization procedures for domestic and foreign surveillance.
At face value, the human rights NGOs seem to stand on solid ground. Human Rights treaty bodies and U.N. experts have taken a unanimous position rejecting such distinctions and protecting the myth of a singular and universal right to privacy. In 2014 the U.N. Office of the High Commissioner for Human Rights issued a report following a General Assembly Resolution on the Right to Privacy in the Digital Age. In that report, Commissioner Pillay addressed the foreign/domestic surveillance debate and noted the following (para. 35-36):
“[there exist] ongoing discussions on whether “foreigners” and “citizens” should have equal access to privacy protections within national security surveillance oversight regimes. Several legal regimes distinguish between the obligations owed to nationals or those within a State’s territories, and non-nationals and those outside, or otherwise provide foreign or external communications with lower levels of protection. If there is uncertainty around whether data are foreign or domestic, intelligence agencies will often treat the data as foreign (since digital communications regularly pass “off-shore” at some point) and thus allow them to be collected and retained. The result is significantly weaker – or even non-existent – privacy protection for foreigners and non-citizens, as compared with those of citizens.
International human rights law is explicit with regard to the principle of non-discrimination. Article 26 of the International Covenant on Civil and Political Rights provides that “all persons are equal before the law and are entitled without any discrimination to the equal protection of the law” and, further, that “in this respect, the law shall prohibit any discrimination and guarantee to all persons equal and effective protection against discrimination on any ground such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.” These provisions are to be read together with articles 17, which provides that “no one shall be subjected to arbitrary interference with his privacy” and that “everyone has the right to the protection of the law against such interference or attacks”, as well as with article 2, paragraph 1...”
Similar positions have been expressed by the Special Rapporteur on Counter Terrorism (para. 62) and the Special Rapporteur on the Right to Privacy (para. 36). The Human Rights Committee has echoed this position, suggesting that safeguards against arbitrary interference with the right to privacy must be guaranteed to “all individuals, regardless of nationality and physical location when intercepted” (para. 26). Human rights scholars such as Professors Korff and Milanovic have similarly argued that any surveillance laws that adopt these distinctions reflect prima facie xenophobic biases, violate the prohibition on discrimination, and therefore must be “fundamentally re-written” (p. 35).
Prof. Michael Reisman once compared those charged with upholding the myth system to a man “pulling blankets over his head to avoid the cold reality of dawn.” Indeed, the practice of intelligence agencies stands in stark opposition to the strong rhetoric voiced by the human rights community in Geneva. The Washington-based Center for Democracy and Technology concluded in a 2013 report that “most countries, even those that have recognized privacy as a universal right, seem to apply much lower protections (if any) to surveillance directed at foreigners.” I would be even more decisive: there is not a single country that applies similar or higher standards of oversight and protection in the context of foreign surveillance than in the context of domestic surveillance.
In a recent article, I argue that these distinctions are not only a common feature of states’ surveillance legislation and of the practice of signals intelligence agencies, but that they are justified. Discrepancies in jurisdictional reach and technological capacity make it necessary that countries be allowed greater leniency in adopting foreign surveillance policies. By waging an absolutist battle for universality, the human rights NGOs are losing the far bigger war, that of providing some human rights protections in the foreign surveillance context. Accepting that the differentiation in legal treatment is justified would allow us to move beyond the notion of a one-size-fits-all jurisprudence. We could then begin to consider the appropriate contours of a tailored human rights framework for foreign surveillance.
Although most computer users in the U.S. and around the world are familiar with the risks associated with malicious software (i.e., viruses, worms, and Trojans), relatively few users are aware of the hazards of Ransomware and its potential consequences for an attacked computer system and its users. Since several scholars believe that a new campaign of Ransomware is just around the corner, it is important that clients of Internet Service Providers familiarize themselves with this type of cyber attack and exercise extra caution when opening unfamiliar emails, browsing suspicious websites, and downloading software, music, and movies from peer-to-peer websites.
What is Ransomware?
Ransomware is malicious software designed to hijack a computer user’s files, encrypt them, and then demand a ransom payment in exchange for the decryption key (Luo and Liao 2007). The prevalence of Ransomware campaigns has increased significantly over the last five years (Kharraz et al. 2015). Initiators of Ransomware campaigns plan the execution carefully and use various techniques to get their malware onto a victim’s computer. Specifically, malicious advertisements, spam emails, and botnets are commonly employed by Ransomware initiators to propagate their attacks (Savage et al. 2015). Alongside these methods, Ransomware affiliates provide distribution services for initiators who wish to carry out these attacks (Kharraz et al. 2015). Importantly, the affiliates do not need the technical skills to create Ransomware or to maintain and run the operation; all they are required to do is maximize the spread of the Ransomware. In return for their service, the affiliates receive a cut of the profit from each infection for which they were responsible. In some cases, Ransomware initiators offer affiliates access to the Ransomware control panel in exchange for an access fee (around US$300) (Savage et al. 2015).
Once it has infected a target computer, the Ransomware encrypts the files stored on that computer and then displays a message to the legitimate user demanding a ransom if the victim wishes to regain access to the encrypted files. Since Ransomware scammers seek to disguise their identity and avoid detection by law enforcement agencies, the Ransomware asks victims to send the ransom money using wire transfers, payment voucher systems, or cryptocurrencies such as Bitcoin (the majority of new Ransomware threats require victims to pay in Bitcoin). When payment is received on the offender’s end, the server on which the decrypter is hosted sends the key to the victim, allowing access to the encrypted files again.
From that point on, Ransomware offenders try to launder the ransom money in order to avoid detection by law enforcement agencies. How the money is laundered depends on the victims’ method of payment. If the offender chooses to receive ransom payments in the form of payment vouchers, they use online betting and casino sites that accept voucher codes as payment to launder the money. Once laundered through these sites, the money can be cashed out via prepaid debit cards and withdrawn from ATMs in different locations around the world. In contrast, if ransom payments are made in Bitcoin, Bitcoin laundering services (also known as Bitcoin mixers) are used to mix together Bitcoins from legitimate and illegitimate sources. By the time the Bitcoins are cashed out on a Bitcoin exchange, it is difficult to differentiate between legitimate and illegitimate Bitcoin transactions.
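The encrypt-in-place step described above is also what gives a defender something to look for on the host: a document that is rewritten and whose bytes suddenly look random. The following is an added example, not code from the original post or from the cited papers, showing two cheap checks that exploit this: the Shannon entropy of a file’s leading bytes, and a canary document whose hash must never change. The entropy threshold, the allowlist of already-compressed formats, and the sample files are assumptions constructed for the demo, and the “ciphertext” is produced by a throwaway SHA-256 keystream so that no actual ransomware code is needed to exercise the detector.

```python
"""Entropy and canary checks for files that were encrypted in place.

Added example for this post; not code from the original article or from
the cited papers. Assumptions: a local directory tree is scanned, the
threshold and the compressed-format allowlist are illustrative, and the
"ciphertext" is simulated with a SHA-256 keystream so the demo runs offline.
"""
import hashlib
import math
import tempfile
from pathlib import Path

# Compressed or already-random formats look "encrypted" to an entropy test,
# so they are skipped. Assumption: this short allowlist suffices for the demo;
# a deployment needs a fuller list plus magic-byte checks.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                      ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 1024) -> bool:
    """Plain text sits near 4-5 bits/byte; ciphertext approaches 8.0.
    Samples under min_size cannot reach a high value even when random,
    so they are never flagged (a real scanner needs a second signal for them)."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def scan_tree(root: Path, threshold: float = 7.5) -> list:
    """Return root-relative paths of files whose first 64 KiB look encrypted."""
    flagged = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() in ALREADY_COMPRESSED:
            continue
        with open(p, "rb") as f:
            head = f.read(64 * 1024)
        if looks_encrypted(head, threshold):
            flagged.append(p.relative_to(root).as_posix())
    return sorted(flagged)


def canary_intact(canary: Path, expected_sha256: str) -> bool:
    """A canary is a decoy document no user ever edits; any change to it
    is a strong signal that something is rewriting files in bulk."""
    if not canary.is_file():
        return False
    return hashlib.sha256(canary.read_bytes()).hexdigest() == expected_sha256


def simulated_ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for what ransomware writes back: plaintext XOR a SHA-256
    counter keystream. Deterministic for the demo; not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def demo() -> dict:
    """Build a throwaway tree (constructed contents), scan it, 'encrypt'
    two files in place as ransomware would, and scan again."""
    report = b"Quarterly report: revenue was flat, costs rose 3 percent. " * 80
    notes = b"Meeting notes: review the backup rotation before Friday.\n" * 60
    key = b"demo-key-not-a-secret"
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "report.txt").write_bytes(report)
        (docs / "notes.txt").write_bytes(notes)
        # A JPEG is high entropy by nature; the allowlist keeps it from being
        # a false positive (its bytes here are simulated, not a real image).
        (docs / "photo.jpg").write_bytes(simulated_ciphertext(report, b"jpeg"))
        canary = docs / "_canary.txt"
        canary.write_bytes(b"do not edit this file\n" * 100)
        canary_hash = hashlib.sha256(canary.read_bytes()).hexdigest()

        result = {
            "flagged_before": scan_tree(Path(tmp)),
            "canary_intact_before": canary_intact(canary, canary_hash),
        }
        # Ransomware step, simulated: overwrite two files with "ciphertext".
        for name in ("report.txt", "_canary.txt"):
            path = docs / name
            path.write_bytes(simulated_ciphertext(path.read_bytes(), key))
        result["flagged_after"] = scan_tree(Path(tmp))
        result["canary_intact_after"] = canary_intact(canary, canary_hash)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script prints an empty flagged list and an intact canary before the simulated attack, and both rewritten files plus a broken canary after it. Entropy on its own is a weak signal: compressed formats are high entropy by design (hence the allowlist), small files never reach the threshold, and an attacker who encrypts only part of each file keeps the average low, so a real detector combines it with the rate of file rewrites, renames to unfamiliar extensions, and canary changes. None of this restores anything; only backups the ransomware cannot reach do that.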
How Can We Reduce the Risk of Infection?
In general, increased awareness among computer and Internet users can reduce the risk of Ransomware infection on your private computer or company network. The following tips should be useful in protecting your computer from Ransomware:
Make sure you have anti-virus and anti-spyware software installed on your computer.
Do not download anything in response to a warning banner shown by a website you visit or by a program you did not install on your computer.
Always keep software and applications on your computer up-to-date.
Make sure that your pop-up blocker is always enabled on your Internet browser.
Do not disable your firewall.
Don’t open email from people you don’t know, and be sure that you can verify the source before opening attachments or clicking links in any email, IM, or posts on social networks.
Make sure that all computer users in your organization are familiar with these security awareness practices.
While there is no guarantee that applying these tactics will completely protect your computers from infection by Ransomware, awareness of this type of attack and an understanding of some of the ways to prevent it will reduce your risk of falling victim to this type of cyber crime.
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015). Cutting the Gordian knot: a look under the hood of ransomware attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 3-24). Springer International Publishing.
Luo, X., & Liao, Q. (2007). Awareness Education as the key to Ransomware Prevention. Information Systems Security, 16(4), 195-202.