Are blockchains decentralized?

Trail of Bits report: “Blockchains can help push the boundaries of current technology in useful ways. However, to make good risk decisions involving exciting and innovative technologies, people need demonstrable facts that are arrived at through reproducible methods and open data.

We believe the risks inherent in blockchains and cryptocurrencies have been poorly described and are often ignored—or even mocked—by those seeking to cash in on this decade’s gold rush.

In response to recent market turmoil and plummeting prices, proponents of cryptocurrency point to the technology’s fundamentals as sound. Are they?

Over the past year, Trail of Bits was engaged by the Defense Advanced Research Projects Agency (DARPA) to examine the fundamental properties of blockchains and the cybersecurity risks associated with them. DARPA wanted to understand those security assumptions and determine to what degree blockchains are actually decentralized.

To answer DARPA’s question, Trail of Bits researchers performed analyses and meta-analyses of prior academic work and of real-world findings that had never before been aggregated, updating prior research with new data in some cases. They also did novel work, building new tools and pursuing original research.

The resulting report is a 30-thousand-foot view of what’s currently known about blockchain technology. Whether these findings affect financial markets is out of the scope of the report: our work at Trail of Bits is entirely about understanding and mitigating security risk.

The report also contains links to the substantial supporting and analytical materials. Our findings are reproducible, and our research is open-source and freely distributable. So you can dig in for yourself.

Key findings

  • Blockchain immutability can be broken not by exploiting cryptographic vulnerabilities, but instead by subverting the properties of a blockchain’s implementations, networking, and consensus protocols. We show that a subset of participants can garner undue, centralized control over the entire system:
    • While the encryption used within cryptocurrencies is for all intents and purposes secure, it does not guarantee security, as touted by proponents.
    • Bitcoin traffic is unencrypted; any third party on the network route between nodes (e.g., internet service providers, Wi-Fi access point operators, or governments) can observe and choose to drop any messages they wish.
    • Tor is now the largest network provider in Bitcoin; just about 55% of Bitcoin nodes were addressable only via Tor (as of March 2022). A malicious Tor exit node can modify or drop traffic….(More)”

How Secure Is Our Data, Really?

Essay by Michael Kende: “Stepping back, a 2019 study showed that 95 percent of such data breaches could have been prevented. There are two main causes of breaches that can be averted.

First, many breaches attack known vulnerabilities in online systems. We are all used to updating the operating system on our computer or phone. One of the reasons is to patch a defect that could allow a breach. But not all of us update each patch all of the time, and that leaves us exposed. Organizations operating hundreds or thousands of devices with different systems connecting them may not devote enough resources to security or may be worried about testing the compatibility of upgrades, and this leaves them exposed to hackers searching for systems that have not been updated. These challenges were exacerbated with employees working from home during pandemic restrictions, often on their own devices with less protected networks.

Second is the phenomenon known as social engineering in which an employee is tricked into providing their password. We have all received phishing emails asking us to log into a familiar site to address an urgent matter. Doing so allows the hacker to capture the user’s email address or user name and the associated password. The hacker can then use that information directly to enter the real version of the website or may find out where else the user may go and hope they use the same login details — which, human nature being what it is, is quite common. These phishing attacks highlight the asymmetric advantage held by the hackers. They can send out millions of emails and just need one person to click on the wrong link to start their attack.

Of course, if 95 percent of breaches are preventable, that means 5 percent are not. For instance, though many breaches result from known vulnerabilities in systems, a vulnerability is by definition unknown before it is discovered. Such a vulnerability, known as zero-day vulnerability, is valuable for hackers because it cannot be defended against, and they are often hoarded or sold, sometimes back to the company responsible so they can create a patch…(More)”.

Solferino 21: Warfare, Civilians and Humanitarians in the Twenty-First Century

Book by Hugo Slim: “War is at a tipping point: we’re passing from the age of industrial warfare to a new era of computerised warfare, and a renewed risk of great-power conflict. Humanitarian response is also evolving fast—‘big aid’ demands more and more money, while aid workers try to digitalise, preparing to meet ever-broader needs in the long, big wars and climate crisis of the future. 

This book draws on the founding moment of the modern Red Cross movement—the 1859 Battle of Solferino, a moment of great change in the nature of conflict—to track the big shifts already underway, and still to come, in the wars and war aid of our century. Hugo Slim first surveys the current landscape: the tech, politics, law and strategy of warfare, and the long-term transformations ahead as conflict goes digital. He then explains how civilians both suffer and survive in today’s wars, and how their world is changing. Finally, he critiques today’s humanitarian system, citing the challenges of the 2020s.   

Inspired by Henri Dunant’s seminal humanitarian text, Solferino 21 alerts policymakers to the coming shakeup of the military and aid professions, illuminating key priorities for the new century. Humanitarians, he warns, must adapt or fail….(More)”.

Guns, Privacy, and Crime

Paper by Alessandro Acquisti & Catherine Tucker: “Open government holds promise of both a more efficient but more accountable and transparent government. It is not clear, however, how transparent information about citizens and their interaction with government, however, affects the welfare of those citizens, and if so in what direction. We investigate this by using as a natural experiment the effect of the online publication of the names and addresses of holders of handgun carry permits on criminals’ propensity to commit burglaries. In December 2008, a Memphis, TN newspaper published a searchable online database of names, zip codes, and ages of Tennessee handgun carry permit holders. We use detailed crime and handgun carry permit data for the city of Memphis to estimate the impact of publicity about the database on burglaries. We find that burglaries increased in zip codes with fewer gun permits, and decreased in those with more gun permits, after the database was publicized….(More)”

Governance of the Inconceivable

Essay by Lisa Margonelli: “How do scientists and policymakers work together to design governance for technologies that come with evolving and unknown risks? In the Winter 1985 Issues, seven experts reflected on the possibility of a large nuclear conflict triggering a “nuclear winter.” These experts agreed that the consequences would be horrifying: even beyond radiation effects, for example, burning cities could put enough smoke in the atmosphere to block sunlight, lowering ground temperatures and threatening people, crops, and other living things. In the same issue, former astronaut and then senator John Glenn wrote about the prospects for several nuclear nonproliferation agreements he was involved in negotiating. This broad discussion of nuclear weapons governance in Issues—involving legislators Glenn and then senator Al Gore as well as scientists, Department of Defense officials, and weapons designers—reflected the discourse of the time. In the culture at large, fears of nuclear annihilation became ubiquitous, and today you can easily find danceable playlists containing “38 Essential ’80s Songs About Nuclear Anxiety.”

But with the end of the Cold War, the breakup of the Soviet Union, and the rapid growth of a globalized economy and culture, these conversations receded from public consciousness. Issues has not run an article on nuclear weapons since 2010, when an essay argued that exaggerated fear of nuclear weapons had led to poor policy decisions. “Albert Einstein memorably proclaimed that nuclear weapons ‘have changed everything except our way of thinking,’” wrote political scientist John Mueller. “But the weapons actually seem to have changed little except our way of thinking, as well as our ways of declaiming, gesticulating, deploying military forces, and spending lots of money.”

All these old conversations suddenly became relevant again as our editorial team worked on this issue. On February 27, when Vladimir Putin ordered Russia’s nuclear weapons put on “high alert” after invading Ukraine, United Nations Secretary-General Antonio Guterres declared that “the mere idea of a nuclear conflict is simply unconceivable.” But, in the space of a day, what had long seemed inconceivable was suddenly being very actively conceived….(More)”.

Police surveillance and facial recognition: Why data privacy is an imperative for communities of color

Paper by Nicol Turner Lee and Caitlin Chin: “Governments and private companies have a long history of collecting data from civilians, often justifying the resulting loss of privacy in the name of national security, economic stability, or other societal benefits. But it is important to note that these trade-offs do not affect all individuals equally. In fact, surveillance and data collection have disproportionately affected communities of color under both past and current circumstances and political regimes.

From the historical surveillance of civil rights leaders by the Federal Bureau of Investigation (FBI) to the current misuse of facial recognition technologies, surveillance patterns often reflect existing societal biases and build upon harmful and virtuous cycles. Facial recognition and other surveillance technologies also enable more precise discrimination, especially as law enforcement agencies continue to make misinformed, predictive decisions around arrest and detainment that disproportionately impact marginalized populations.

In this paper, we present the case for stronger federal privacy protections with proscriptive guardrails for the public and private sectors to mitigate the high risks that are associated with the development and procurement of surveillance technologies. We also discuss the role of federal agencies in addressing the purposes and uses of facial recognition and other monitoring tools under their jurisdiction, as well as increased training for state and local law enforcement agencies to prevent the unfair or inaccurate profiling of people of color. We conclude the paper with a series of proposals that lean either toward clear restrictions on the use of surveillance technologies in certain contexts, or greater accountability and oversight mechanisms, including audits, policy interventions, and more inclusive technical designs….(More)”

Russia Is Leaking Data Like a Sieve

Matt Burgess at Wired: “Names, birthdays, passport numbers, job titles—the personal information goes on for pages and looks like any typical data breach. But this data set is very different. It allegedly contains the personal information of 1,600 Russian troops who served in Bucha, a Ukrainian city devastated during Russia’s war and the scene of multiple potential war crimes.

The data set is not the only one. Another allegedly contains the names and contact details of 620 Russian spies who are registered to work at the Moscow office of the FSB, the country’s main security agency. Neither set of information was published by hackers. Instead they were put online by Ukraine’s intelligence services, with all the names and details freely available to anyone online. “Every European should know their names,” Ukrainian officials wrote in a Facebook post as they published the data.

Since Russian troops crossed Ukraine’s borders at the end of February, colossal amounts of information about the Russian state and its activities have been made public. The data offers unparalleled glimpses into closed-off private institutions, and it may be a gold mine for investigators, from journalists to those tasked with investigating war crimes. Broadly, the data comes in two flavors: information published proactively by Ukranian authorities or their allies, and information obtained by hacktivists. Hundreds of gigabytes of files and millions of emails have been made public.

“Both sides in this conflict are very good at information operations,” says Philip Ingram, a former colonel in British military intelligence. “The Russians are quite blatant about the lies that they’ll tell,” he adds. Since the war started, Russian disinformation has been consistently debunked. Ingram says Ukraine has to be more tactical with the information it publishes. “They have to make sure that what they’re putting out is credible and they’re not caught out telling lies in a way that would embarrass them or embarrass their international partners.”

Both the lists of alleged FSB officers and Russian troops were published online by Ukraine’s Central Intelligence Agency at the end of March and start of April, respectively. While WIRED has not been able to verify the accuracy of the data—and Ukrainian cybersecurity officials did not respond to a request for comment—Aric Toler, from investigative outlet Bellingcat, tweeted that the FSB details appear to have been combined from previous leaks and open source information. It is unclear how up-to-date the information is…(More)”.

Facial Recognition Goes to War

Kashmir Hill at the New York Times: “In the weeks after Russia invaded Ukraine and images of the devastation wrought there flooded the news, Hoan Ton-That, the chief executive of the facial recognition company Clearview AI, began thinking about how he could get involved.

He believed his company’s technology could offer clarity in complex situations in the war.

“I remember seeing videos of captured Russian soldiers and Russia claiming they were actors,” Mr. Ton-That said. “I thought if Ukrainians could use Clearview, they could get more information to verify their identities.”

In early March, he reached out to people who might help him contact the Ukrainian government. One of Clearview’s advisory board members, Lee Wolosky, a lawyer who has worked for the Biden administration, was meeting with Ukrainian officials and offered to deliver a message.

Mr. Ton-That drafted a letter explaining that his app “can instantly identify someone just from a photo” and that the police and federal agencies in the United States used it to solve crimes. That feature has brought Clearview scrutiny over concerns about privacy and questions about racism and other biases within artificial-intelligence systems.

The tool, which can identify a suspect caught on surveillance video, could be valuable to a country under attack, Mr. Ton-That wrote. He said the tool could identify people who might be spies, as well as deceased people, by comparing their faces against Clearview’s database of 20 billion faces from the public web, including from “Russian social sites such as VKontakte.”

Mr. Ton-That decided to offer Clearview’s services to Ukraine for free, as reported earlier by Reuters. Now, less than a month later, the New York-based Clearview has created more than 200 accounts for users at five Ukrainian government agencies, which have conducted more than 5,000 searches. Clearview has also translated its app into Ukrainian.

“It’s been an honor to help Ukraine,” said Mr. Ton-That, who provided emails from officials from three agencies in Ukraine, confirming that they had used the tool. It has identified dead soldiers and prisoners of war, as well as travelers in the country, confirming the names on their official IDs. The fear of spies and saboteurs in the country has led to heightened paranoia.

According to one email, Ukraine’s national police obtained two photos of dead Russian soldiers, which have been viewed by The New York Times, on March 21. One dead man had identifying patches on his uniform, but the other did not, so the ministry ran his face through Clearview’s app…(More)”.

Researcher Helps Create Big Data ‘Early Alarm’ for Ukraine Abuses

Article by Chris Carroll: From searing images of civilians targeted by shelling to detailed accounts of sick children and their families fleeing nearby fighting to seek medical care, journalists have created a kaleidoscopic view of the suffering that has engulfed Ukraine since Russia invaded—but the news media can’t be everywhere.

Social media practically can be, however, and a University of Maryland researcher is part of a U.S.-Ukrainian multi-institutional team that’s harvesting data from Twitter and analyzing it with machine-learning algorithms. The result is a real-time system that provides a running account of what people in Ukraine are facing, constructed from their own accounts.

The project, Data for Ukraine, has been running for about three weeks, and has shown itself able to surface important events a few hours ahead of Western or even Ukrainian media sources. It focuses on four areas: humanitarian needs, displaced people, civilian resistance and human rights violations. In addition to simply showing spikes of credible tweets about certain subjects the team is tracking, the system also geolocates tweets—essentially mapping where events take place.

“It’s an early alarm system for human rights abuses,” said Ernesto Calvo, professor of government and politics and director of UMD’s Inter-Disciplinary Lab for Computational Social Science. “For it to work, we need to know two basic things: what is happening or being reported, and who is reporting those things.”

Calvo and his lab focus on the second of those two requirements, and constructed a “community detection” system to identify key nodes of Twitter users from which to use data. Other team members with expertise in Ukrainian society and politics spotted him a list of about 400 verified users who actively tweet on relevant topics. Then Calvo, who honed his approach analyzing social media from political and environmental crises in Latin America, and his team expanded and deepened the collection, drawing on connections and followers of the initial list so that millions of tweets per day now feed the system.

Nearly half of the captured tweets are in Ukrainian, 30% are in English and 20% are in Russian. Knowing who to exclude—accounts started the day before the invasion, for instance, or with few long-term connections—is key, Calvo said…(More)”.

Ukraine shows us the power of the 21st Century Citizen

Essay by Matt Leighninger: “This is a new kind of war, waged by a new kind of citizen.

The failure of the Russian forces to subdue Ukraine quickly has astonished experts, officials, and journalists worldwide. It shouldn’t. The Ukrainian resistance is just the latest example of the new attitudes and abilities of 21st century citizens.

While social media has been getting a lot of attention in this “TikTok War,” the real story is the growing determination and capacity of ordinary people. Around the world, ordinary people are fundamentally different from people of generations past. They have dramatically higher levels of education, far less deference to authority figures, and much greater facility with technology.

These trends have changed citizenship itself. We need to understand this shift so that societies, especially democratic ones, can figure out how to adapt, both in war and peace.

The war in Ukraine is instructive, in at least four ways.

First, citizens now have the ability to make their own media; Ukrainians, under attack, are mass-producing reality TV. Thanks to footage produced by thousands of people and viewed by millions, the war has a constantly unfolding cast of characters. Ukrainian farmers towing Russian vehicles, a soldier moonwalking in a field, people joyriding on a captured Russian tank, and a little girl singing “Let It Go” in a Kiev bomb shelter have become relatable, inspiring figures in the conflict. Seemingly every time Ukrainians have success on the battlefield, they upload videos of burned tanks and downed planes…(More)”.