So much has been written and said about blockchain that I decided it was high time to actually do something practical with it. So, a couple of weeks ago, Stephen Schneiter, Chris Hodson and myself led a two-hour hands-on discussion about blockchain applications and their weaknesses at RSA 2018 in San Francisco. We gathered more than 120 folks in a room, gave a demo of a private Ethereum blockchain and then discussed specific problems in applied blockchain security.
Right away, Stephen, Chris and I noticed something unique about our group: they were all experienced – even grizzled – security veterans. But most didn’t have in-depth blockchain technology experience. The group, which included folks from Cisco, was there to learn more about how to use blockchain for various business solutions, including implementing international supply chain management and smart contracts.
It was a great opportunity to get them thinking about real-world, secure applications of blockchain. Let me explain.
We had about 10 tables, with roughly 12 folks each, and they had those large easel-sized sticky notepads next to them. The room kind of looked like we were playing in the world’s largest Pictionary competition. But instead of playing Pictionary, we asked each table to list, in years, their cumulative experience in security. As we expected, each group had literally hundreds of years of experience in cybersecurity.
But, when it came to their experience with blockchain, most of the tables listed 0 to 4 months. One listed 4 to 6 months, and another listed 27 months. We also had a major outlier: one table listed 6 years of experience. How is that possible? Well, one of the people at the table, Microsoft’s Ashok Misra, had all six years of experience himself. The rest of the table had bupkis.
So, naturally, after Stephen led the hands-on smart contract demo, we made sure to grill Mr. Misra and a couple of others pretty thoroughly. The gist of Mr. Misra’s experience focused on ways to avoid double spend in cryptocurrencies. He stated that the primary use of blockchain remains in cryptocurrencies, despite all of the talk about using blockchain for smart contracts and supply chain management. I remember him saying effectively that in Microsoft’s eyes, it’s all about cryptocurrency. I found that fascinating. I wonder: Does that give us an idea of what Microsoft is looking to do in regard to the next stage of e-commerce?
Our Blockchain Manifesto
One of the promises I made to the group was that we would publish the group’s findings in a manifesto. I can’t believe I used that word in public. I felt like such an incendiary, such a rabble rouser. It was exciting, though, to see how serious these folks were in thinking through applied blockchain security.
So, without further ado, here are the findings of our focus group, in manifesto-like form:
- The Wild Wild West
- The Applied Blockchain Security Order of Things
  - Social engineering
  - Software development lifecycle issues (e.g., buffer overflows, race conditions)
  - Problems with underlying platforms and associated protocols
  - Data corruption/manipulation
  - Problems with the blockchain protocol itself
- Caution with Rush to Market
- Improving for the Future
- Race Conditions
- Privacy Concerns
- Unchangeable Records
- Blockchain as a Tool
- Apply Blockchain for a Reason
- Obfuscation of Data
Current blockchain implementation reminds us of the wild, Wild West of the internet back in the late 1990s. We may not be experts at blockchain yet, but we know an immature implementation of a strong technology when we see one. One participant even stated, “Hey, where’s the multifactor authentication on any of this?” Point well-taken!
We are worried about five different issues, in the following order:
- Social engineering
- Software development lifecycle issues (e.g., buffer overflows, race conditions)
- Problems with underlying platforms and associated protocols
- Data corruption/manipulation
- Problems with the blockchain protocol itself
We call the above list the applied blockchain security order of things.
The current software development lifecycle of blockchain remains suspect, in spite of the fact that blockchain apps are created using open-source methodologies. We are seeing serious issues in wallet software, as well as practical implementations. As we rush blockchain to market for supply chain management, smart contracts and (sigh) cryptocurrency, let’s not repeat past mistakes and rush poorly verified software and protocol implementations to market.
Right now, the blockchain protocol itself is quite difficult to hack. Many theoretical “greater than 50 percent attacks” exist but don’t appear to be an issue right now. But, remember, when SSL first arrived, it was considered secure. But just last week, TLS 3.0 was introduced, due to the myriad security issues of its predecessors. How ready are we to improve blockchain in the face of the inevitable advance of computing power worldwide?
In addition to double spend issues, it’s also necessary to consider race conditions, such as Time of Check, Time of Use (TOCTOU) vulnerabilities.
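The TOCTOU race mentioned above, as an added example that is not code from the session or the original post: a toy Python ledger in the style of an Ethereum contract that checks a balance, hands control to the caller, and only then records the debit, shown beside the hardened ordering. All class and function names here are constructed for this illustration.

```python
# Added illustration: check -> external call -> update leaves a TOCTOU window.
# A caller that re-enters withdraw() during the callback spends the same
# balance more than once, which is the double-spend the text warns about.
# Ledger, SafeLedger, Account and ReentrantAccount are constructed names.

class Ledger:
    """Vulnerable ordering: check, then interaction, then effect."""
    def __init__(self):
        self.balances = {}

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.balances.get(who, 0) < amount:      # time of check
            raise ValueError("insufficient funds")
        who.receive(self, amount)                  # control leaves the ledger here
        self.balances[who] -= amount               # time of use: debit recorded too late

class SafeLedger(Ledger):
    """Hardened ordering: check, then effect, then interaction."""
    def withdraw(self, who, amount):
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[who] -= amount               # record the debit first
        who.receive(self, amount)                  # only then hand control away

class Account:
    def __init__(self):
        self.received = 0

    def receive(self, ledger, amount):
        self.received += amount

class ReentrantAccount(Account):
    """Caller whose receive hook calls back into withdraw() while the first call is in flight."""
    def __init__(self, depth):
        super().__init__()
        self.depth = depth

    def receive(self, ledger, amount):
        self.received += amount
        if self.depth > 0:
            self.depth -= 1
            try:
                ledger.withdraw(self, amount)      # re-enter before the balance is updated
            except ValueError:
                pass                               # hardened ledger rejects the re-entry

def run(ledger_cls, depth=3):
    """Deposit 100 for two accounts, then let one withdraw 100 with re-entry; return (received, balance)."""
    ledger = ledger_cls()
    honest, rogue = Account(), ReentrantAccount(depth)
    ledger.deposit(honest, 100)
    ledger.deposit(rogue, 100)
    ledger.withdraw(rogue, 100)
    return rogue.received, ledger.balances[rogue]
```

With the vulnerable ordering the rogue account collects 400 from a ledger that only ever held 200 and its balance is driven to -300; with the hardened ordering it collects exactly 100 and the balance ends at 0.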
We feel it’s important to ask the following question: Do all organizations really want a permanent, public record of all transactions? One participant commented, “You know, some folks like to keep things private.” With the General Data Protection Regulation (GDPR) and a renewed interest in privacy worldwide, we expect to see blockchain applied very carefully, and specifically.
What about the need for fungibility (changeability)? Does everyone really want a fundamentally unchangeable blockchain record? Remember, one of the reasons why lie detector tests are not allowed in the United States is because generally, they’re pretty accurate!
Blockchain is not a “magic bullet” or cybersecurity savior. It’s a tool, like anything else. The group felt that blockchain is yet another service and platform to be secured; while it can be used for security purposes, it’s yet another tool, such as Linux, domain name system (DNS) or an e-commerce site.
One of the audience members, Danny Collins, pointed out that while blockchain was very interesting and useful in specific contexts (e.g., cryptocurrency, supply chain management and smart contracts), he and most of the others felt it was important to state that blockchain had uses in specific areas only. The general feeling in the room could be summed up as follows: “Why would I want to use blockchain, when it has all of that overhead, and when there are other tools and protocols that are readily available, perfectly scalable and work just fine?”
It will be important to implement obfuscation/data hiding on the blockchain. What options are there to create a secondary blockchain? One of the ideas bandied about was that perhaps there will be sub-blockchains or even sharding, which allows semi-public exposure of data.
Scaling, energy usage and time to process aren’t specific security issues, but they remain important. We will see the use of sharding applied to blockchain so that transactions are more manageable. It is also likely the protocol will change to become more efficient.
Blockchain truly appears to be a useful tool to implement disintermediation, which is a fancy way of saying eliminating unnecessary third parties and allowing individuals to engage in trusted, direct transactions.
Blockchain workers of the world unite!
Okay, this isn’t exactly a manifesto, is it? But then again, Satoshi Nakamoto, the person who created the first practical blockchain whitepaper, isn’t exactly a real person, is he? I suppose I should call this list the dirty dozen, eh? Forgive me if I seem too flippant. I’m not – this group did some very serious work.
I’m really happy with what we were able to accomplish as a group. We showed people blockchain in action – something most of the folks had never seen before. We then got a snapshot of current blockchain security. It’s exciting to see how cybersecurity IT pros have now begun to think through applied blockchain security. We had a terrific time doing it, and I’m very interested to hear next year about how these IT pros have helped move the needle a bit in regard to applied blockchain security.