Pamela Morgan on Security: “You Don’t Get to the Moon Without Blowing Up a Few Rockets”
In what’s turning into the “year of the hack,” security issues are increasingly top of mind for those working in the Bitcoin and blockchain space.
Security expert Pamela Morgan is CEO of Third Key Solutions, attorney at Empowered Law PLLC, and board member of C4. She and her partners at Third Key Solutions, Andreas M. Antonopoulos (CTO) and Richard Kagan (Business Advisor), provide advice and security solutions for wallets, exchanges, crowd sales, and new innovative Bitcoin and blockchain projects.
Bitcoin and Blockchain "More Secure Than Ever Before"
In an interview with Bitcoin Magazine, Pamela Morgan noted the contradiction that, despite recent events, Bitcoin and blockchain technologies may actually be more secure now than ever before:
“Bitcoin is more secure than it has ever been and it keeps getting stronger. The same is true for several other blockchains that increase their security as they mature and broaden their reach. But this is seemingly contradicted by frequent hacks affecting many users.”
“The contradiction lies in a subtle but important difference: Funds controlled directly by individuals in a decentralized manner and secured by decentralized blockchain protocols are extremely secure.”
“On the contrary, when a single entity concentrates control of funds from many individuals with custodial (aka hot) wallet accounts or poorly implemented large cold storage wallets, they become an extremely attractive target — a honeypot for attackers.”
Security Becomes an Important Priority for Ethereum
One such entity, the Ethereum DAO, suffered a cyber attack in June (losing one-third of its total funds) and the subsequent split into Ethereum and Ethereum Classic.
This tested Ethereum’s vulnerabilities and, among other measures, resulted in the hiring of Martin Holst Swende, a former NASDAQ information security specialist.
Swende will work with Ethereum Foundation-funded projects to enhance their security and will be responsible for Ethereum’s overall security during its ongoing development, working with smart contract developers and creating a special security website.
“Unintended Consequences Such as the Re-entrancy Bug”
We asked Morgan about her take on the unprecedented Ethereum DAO attack. She told us:
“Rapid and disruptive innovation is inherently risky. You don’t get to the moon without blowing up a few rockets and we won’t get to secure, large-scale smart contracts without blowing up a few DAOs. The same basic mantra of business applies here too — fail fast, fail cheap. The DAO achieved the former.”
“Writing smart contracts that control funds securely is difficult. Over time, the security-critical components will mature through many iterations and many losses. Even though the Ethereum platform is past its beta, every new smart contract and component should be treated as pre-alpha software.”
“Smart contracts need to mature and the Ethereum platform doesn’t magically make them robust. Both the platform and the contracts will mature through iteration together. The funds controlled by smart contracts should be proportional to their degree of maturity and testing.”
“Too much money was invested too quickly in an immature and overly complex contract. Complexity is the enemy of security. The flexibility introduced by a Turing complete, high-level smart contract language brings with it unintended consequences, such as the reentrancy bug that was introduced in the DAO contract.”
Bitfinex: One for the Books
The August hack of Hong Kong-based bitcoin exchange Bitfinex, one of the top bitcoin traders globally, to the tune of roughly $70 million, sent a chill through the digital currency world and shook any complacency around the security of bitcoin exchanges.
Some experts have tied the hack to a shaky bitcoin price and wonder if it will take a while to restore confidence; others believe that Bitcoin’s security has been affirmed since Bitfinex was able to avoid a shutdown and Bitcoin's blockchain retained its security and functionality in spite of the hack.
In his response to the Bitfinex attack, Stefan Thomas, one of the original Bitcoin developers and Ripple’s Chief Technology Officer said, “There’s no history of how to write secure code. It is not surprising that it would be easy to miss typical problems.”
“The architecture of a bitcoin service provider, such as an exchange, holding funds for tens of thousands of users is inherently flawed. Re-centralizing data, in this case bitcoin keys, is the opposite of the decentralized architecture of Bitcoin itself.”
“Multisignature technology has been widely misunderstood as a security “fix” but multisig is simply a tool. Two entities controlling the keys and funds of 100,000 users is a bit better than one entity, but not as good as 100,000 points of control.”
“No one knows how to secure large concentrations of data. The data breaches of companies like Yahoo, Target, Best Buy and even the NSA demonstrate this point. The very same issues of scale apply to bitcoin data. The difference between a bitcoin theft and identity theft is that bitcoin users feel the sting immediately.”
Staying One Step Ahead of the Hack with Formal Verification
“Formal verification” is the new buzzword in the security business. Morgan thinks it is likely that eventually, “most smart contracts will incorporate formally verified components to build a strong foundation, and use more flexible coding practices for the rest of their contracts.”
“Formal verification is an interesting methodology that rebalances the tradeoff between flexibility and security,” she added. “Many programmers will find it difficult to write code that can be formally verified; but for core services, such as deciding who owns a contract and who controls funds (authentication, authorization, policy) formal verification could deliver much more secure code.”
“Decentralized Consensus is the Innovation that Matters.”
A number of developers have argued that the security flaw in blockchain technology is its requirement to achieve distributed consensus on new security measures.
Updates to software in blockchain are inhibited because a majority who run the software must agree to the rollout.
However, Morgan takes a different view:
“We already have systems that are centralized, controllable and can be censored — like Ripple. They are not novel. They are not disruptive. They are business-as-usual with the word “blockchain” painted on as a thin veneer of innovation. Decentralized consensus is the innovation that matters.”
“Overall, I attribute the hacks in our industry as symptoms of growing pains in a fast moving space. Certainly some are caused by sloppiness, bad actors, and the re-introduction of centralization, but I believe most of it is simple human error in the face of unexplored territory and complexity. We simply don’t understand all the risks and there’s only one way to learn — real money, real risk, real people.”
“Eventually security functions smart contracts will be built by combining battle-hardened and mature modules for common functionality — much like cryptographic libraries and random number generators, people will not write their own. Until then, we try, we test, we fail and we try again. As these systems iterate and mature, they become more and more secure, more useful, and therefore more valuable.”