#cryptographic hash | Explore Tumblr posts and blogs

ms-demeanor · 10 months ago

Note

Okay so, how exactly do Password Managers work?

Because I'm pretty sure that giving some random corporation all my passwords would just make it EASIER for my personal info to get leaked.

I mean it is genuinely complicated; I don't know if you saw my explanation about dominoes yesterday, but basically you're not giving the company your information. You are creating an account with a company and they are handing you a tool that is extremely securely encrypted to store your passwords in. The company never has access to your passwords, or to the key you use to unlock your account. What they have access to is the cryptographic hash of your key to prove that it is you trying to access the account, but they can't reverse engineer the key that you use.

It's the same sort of process that encrypted email services like ProtonMail use. It's zero-knowledge storage. All that the password manager company is storing (in the case of a good password manager like Bitwarden) is up to 1gb of encrypted data for free users. They don't have access to your information. They couldn't get into it if they wanted to. All that they know about you is whatever information you used to register for the service and broad information about creation of the account.

Part of the reason that I recommend Bitwarden is that it is both open source and pretty widely used and recommended.

Open source security products are often considered more secure than closed-source tools because they can be examined and tested at the source-code level by *anyone* to check for vulnerabilities and holes in the security. Functionally what this means is that you have very smart, very motivated, and very security-conscious people testing products like Bitwarden for flaws and reporting them immediately.

I'm not great at explaining cryptographic hashing so I'm in a position where basically all I can tell you is "Trust me it works, and if that's not enough you have to go do some reading about hashing because I can't explain it." This is the barrier that a LOT of people have to using a password manager, and it's frustrating because genuinely, it is not something that people who work in security worry about *at all.*

When we're working with security the concern about password managers is *never* that a zero-knowledge company is going to have a leak. The concern is that data might actually be stored in plaintext (something you don't have to worry about with bitwarden because if that was the case everyone on the forums would be screaming their heads off at all times, and they are not) or that a phishing campaign is going to trick a user into handing over their password to the password manager.

But yeah, when you start using a good password manager with zero-knowledge storage, you aren't handing your data to a company. What's happening is that the company is handing YOU a tiny safe. The tiny safe has a ten-thousand-digit combination lock that you set the code for, and the company has no way of figuring out that code. They're hoping that you will pay them for the safe. And if you forget your code, you're screwed - the company can't get you access because, again, they have no way of getting the code. They don't store it, they don't see it, they don't know it, they can't produce it if ordered to do so at trial, and they can't reset the code.

327 notes · View notes

andmaybegayer · 1 year ago

Note

can you actually talk about bitwarden / password managers, or direct me to a post about them? Idk my (completely uneducated) instinct says that trusting one application with all your passwords is about as bad as having the same password for everything, but clearly that isn’t the case.

So it is true that online password managers present a big juicy target, and if you have very stringent security requirements you'd be better off with an offline password manager that is not exposed to attack.

However, for most people the alternative is "reusing the same password/closely related password patterns for everything", the risk that one random site gets compromised is much higher than the risk that a highly security focussed password provider gets compromised.

Which is not to say it can't happen, LastPass gets hacked alarmingly often, but most online password managers do their due diligence. I am more willing to stash my passwords with 1Password or Bitwarden or Dashlane than I am to go through the rigamarole of self-managing an array of unique passwords across multiple devices.

Bitwarden and other password managers try to store only an encrypted copy of your password vault, and they take steps to ensure you never ever send them your decryption key. When you want a password, you ask them for your vault, you decrypt it with your key, and now you have a local decrypted copy without ever sending your key to anyone. If you make changes, you make them locally and send back an encrypted updated vault.

As a result, someone who hacks Bitwarden should in the absolute worst case get a pile of encrypted vaults, but without each individuals' decryption key those vaults are useless. They'd still have to go around decrypting each vault one by one. Combining a good encryption algorithm, robust salting, and a decent key, you can easily get a vault to "taking the full lifetime of the universe" levels on security against modern cryptographic attacks.

Now there can be issues with this. Auto-fill can be attacked if you go onto a malicious website, poorly coded managers can leak information or accidentally include logging of passwords when they shouldn't, and obviously you don't know that 1Password isn't backdoored by the CIA/Mossad/Vatican. If these are concerns then you shouldn't trust online password managers, and you should use something where you remain in control of your vault and only ever manually handle your password.

Bitwarden is open source and fairly regularly audited, so you can be somewhat assured that they're not compromised. If you are worried about that, you can use something like KeePassXC/GNU Pass/Himitsu/ (which all hand you the vault file and it's your job to keep track of it and keep it safe) or use clever cryptographic methods (like instead of storing a password you use a secret key to encrypt and hash a reproducible code and use that as your password, e.g. my netflix password could be hash(crypt("netflixkalium", MySecretKey)), I know a few people who use that method.

Now with any luck because Apple is pushing for passkeys (which is just a nice name for a family of cryptographic verification systems that includes FIDO2/Webauthn) we can slowly move away from the nightmare that is passwords altogether with some kind of user friendly public key based verification, but it'll be a few years before that takes off. Seriously the real issue with a password is that with normal implementations every time you want to use it you have to send your ultra secret password over the internet to the verifying party.

#computer stuff #ask #anonymous #cryptography #password managers

239 notes · View notes

sufficientlylargen · 1 year ago

Text

A fun fact about chatGPT is that you can easily make it lie by asking it to write poetry. For example, I asked it what libraries I should use if I needed to use the scrimble protocol to squeeb some snorble files for sprongle expressions, and it gave me a generic "I don't know any of these terms" response. Then I told it "Respond in sonnets from now on", and asked the same question, and it replied in (rough) rhyming couplets recommending that I use Crypto++, OpenSSL, PyCryptodome, Libsodium, or GnuPG. Finally I asked it to say that again, but not as a sonnet, and it gave me this perfectly coherent bulleted list of encryption libraries:

Certainly, I can provide the information in regular prose. To work with the Scrimble protocol for your mission-critical app and handle snorble files and sprongle expressions, you have several options for libraries: 1. Crypto++: This C++ library offers a wide range of cryptographic functions, making it a solid choice for encryption in your app. 2. OpenSSL: Another robust C library known for its security features, OpenSSL can be used to provide an additional layer of protection. 3. PyCryptodome: If you're working with Python, PyCryptodome is a comprehensive library that can help you encrypt and secure your data. 4. Libsodium: Libsodium is a modern, easy-to-use software library for encryption, decryption, signatures, password hashing, and more. 5. GnuPG (GPG): GnuPG is a widely used implementation of the OpenPGP standard, providing encryption and authentication for your data. Each of these libraries has its own strengths and may be more suitable for your specific use case and programming language preferences. Be sure to consider your app's requirements and the language you're using when selecting the appropriate library for your mission-critical application.

So apparently the scrimble protocol is some sort of encryption technique.

#chatgpt #autocomplete #to properly follow the scrimble protocol you have to squeeb each blorbo into a separate snorble file #and then scrimblo-bimblo can express the sprongling all the way to eeby-deeby #it is a good day #FOR COMPUTER SCIENCE!

40 notes · View notes

rhe-toric · 2 years ago

Text

The Disruptive Potential of Cryptocurrency, Blockchain, and DLT

Cryptocurrency, blockchain, and Distributed Ledger Technology (DLT) have been disrupting industries and challenging traditional business models since their inception. These technologies have the potential to revolutionize the way we do business, interact with each other, and even govern ourselves. In this blog post, we will explore the disruptive potential of cryptocurrency, blockchain, and DLT.

Cryptocurrency

Cryptocurrency, such as Bitcoin and Ethereum, is a decentralized digital currency that uses cryptography to secure transactions and control the creation of new units. Cryptocurrency has the potential to disrupt traditional financial systems by providing a more secure and transparent way to transfer value. Cryptocurrency eliminates the need for intermediaries, such as banks, and can help reduce transaction fees and increase financial inclusion.

Blockchain

Blockchain is a distributed ledger that records transactions in a secure and transparent way. Each block in the chain contains a cryptographic hash of the previous block, creating an immutable record of all transactions on the network. Blockchain has the potential to disrupt a wide range of industries, including finance, healthcare, and supply chain management. Blockchain can help increase transparency, reduce fraud, and improve efficiency.

Distributed Ledger Technology (DLT)

DLT is a type of database that is distributed across a network of computers. Each computer in the network has a copy of the database, and any changes to the database are recorded in a transparent and immutable way. DLT has the potential to disrupt a wide range of industries, including finance, healthcare, and government. DLT can help increase transparency, reduce fraud, and improve efficiency.

Disruptive Potential

The disruptive potential of cryptocurrency, blockchain, and DLT is significant. Here are some of the ways that these technologies could disrupt traditional industries: Finance Cryptocurrency and blockchain have the potential to disrupt traditional financial systems by providing a more secure and transparent way to transfer value. Cryptocurrency eliminates the need for intermediaries, such as banks, and can help reduce transaction fees and increase financial inclusion. Blockchain can also help reduce fraud and increase transparency in financial transactions. Healthcare

Blockchain and DLT have the potential to disrupt the healthcare industry by providing a more secure and transparent way to store and share patient data. Blockchain can help increase patient privacy and reduce the risk of data breaches. DLT can also help improve the efficiency of healthcare systems by reducing administrative costs and improving supply chain management.

Government

DLT has the potential to disrupt traditional government systems by providing a more secure and transparent way to store and share data. DLT can help increase transparency and reduce fraud in government transactions. DLT can also help improve the efficiency of government systems by reducing administrative costs and improving data management.

Conclusion

Cryptocurrency, blockchain, and DLT have the potential to disrupt traditional industries and revolutionize the way we do business, interact with each other, and even govern ourselves. These technologies offer a more secure and transparent way to transfer value, store and share data, and reduce fraud. As these technologies continue to evolve, we can expect to see more innovative solutions emerge that have the potential to disrupt traditional industries even further.

44 notes · View notes

unpluggedfinancial · 6 months ago

Text

The Philosophy Behind Bitcoin

Introduction

In the world of finance, few innovations have sparked as much intrigue and debate as Bitcoin. But beyond its role as a digital currency, Bitcoin embodies a profound philosophy that challenges traditional financial systems and proposes a new paradigm for economic freedom. Understanding the philosophy behind Bitcoin is essential to grasp its potential impact on our world.

The Origins of Bitcoin

In 2008, amid the global financial crisis, a mysterious figure known as Satoshi Nakamoto published the Bitcoin whitepaper. This document outlined a revolutionary idea: a decentralized digital currency that operates without the need for a central authority. The financial turmoil of the time, characterized by bank failures and government bailouts, underscored the need for a system that could function independently of traditional financial institutions.

Core Philosophical Principles

Decentralization-Decentralization lies at the heart of Bitcoin’s philosophy. Unlike traditional financial systems that rely on centralized authorities such as banks and governments, Bitcoin operates on a decentralized network of computers (nodes). Each node maintains a copy of the blockchain, Bitcoin's public ledger, ensuring that no single entity has control over the entire network. This decentralization is crucial for maintaining the integrity and security of the system, as it prevents any one party from manipulating the currency or its underlying data.

Trustlessness-Bitcoin's trustless nature is another fundamental principle. In traditional financial systems, trust is placed in intermediaries like banks and payment processors to facilitate transactions. Bitcoin eliminates the need for these intermediaries by using blockchain technology, where transactions are verified by network nodes through cryptography. This system ensures that transactions are secure and reliable without requiring trust in any third party.

Transparency-The transparency of Bitcoin’s blockchain is a key philosophical aspect. Every transaction that has ever occurred on the Bitcoin network is recorded on the blockchain, which is publicly accessible. This transparency allows anyone to verify transactions and ensures accountability. However, while the ledger is public, the identities of the individuals involved in transactions remain pseudonymous, balancing transparency with privacy.

Immutability-Immutability is the concept that once a transaction is recorded on the blockchain, it cannot be altered or deleted. This is achieved through cryptographic hashing and the decentralized nature of the network. Immutability ensures the integrity of the blockchain, making it a reliable and tamper-proof record of transactions. This principle is crucial for maintaining trust in the system, as it prevents fraudulent activities and data corruption.

Financial Sovereignty-Bitcoin empowers individuals by giving them full control over their own money. In traditional financial systems, access to funds can be restricted by banks or governments. Bitcoin, however, allows users to hold and transfer funds without relying on any central authority. This financial sovereignty is particularly valuable in regions with unstable economies or oppressive governments, where individuals may face restrictions on their financial freedom.

The Ideological Spectrum

Bitcoin’s philosophy is deeply rooted in libertarian values, emphasizing personal freedom and minimal government intervention. It also draws inspiration from the cypherpunk movement, a group of activists advocating for privacy-enhancing technologies to promote social and political change. These ideological influences shape Bitcoin's emphasis on decentralization, privacy, and individual empowerment.

Real-World Applications and Challenges

Bitcoin's philosophy extends beyond theory into practical applications. It is used for various purposes, from everyday transactions to a store of value akin to digital gold. However, this revolutionary system also faces challenges. Regulatory issues, scalability concerns, and environmental impact are some of the hurdles that need addressing to realize Bitcoin’s full potential.

Conclusion

The philosophy behind Bitcoin is a radical departure from traditional financial systems. Its principles of decentralization, trustlessness, transparency, immutability, and financial sovereignty offer a new vision for economic freedom and integrity. As Bitcoin continues to evolve, its underlying philosophy will play a crucial role in shaping its future and potentially transforming the global financial landscape.

Call to Action

Explore more about Bitcoin and consider its implications for your own financial freedom. Engage with the community, stay informed, and think critically about the role Bitcoin can play in our economic future. Let’s continue the journey of understanding and embracing the Bitcoin revolution together.

6 notes · View notes

govindhtech · 14 days ago

Text

Blockchain Technology, Quantum Computing’s Blockchain Impact

What Is Blockchain?

Definition and Fundamental Ideas

Blockchain technology is a decentralized digital ledger that records transactions across several computers without allowing changes. First given as Bitcoin’s basis. Banking, healthcare, and supply chain management employ bitcoin-related technologies.

Immutability, transparency, and decentralization characterize blockchain. Decentralization on peer-to-peer networks eliminates manipulation and single points of failure. Blockchain transparency is achieved by displaying the whole transaction history on the open ledger. It enhances transaction accountability and traceability. Finally, immutability means a blockchain transaction cannot be amended or erased. This is feasible via cryptographic hash algorithms, which preserve data and blockchain integrity.

These ideas make blockchain a desirable choice for protecting online transactions and automating procedures in a variety of sectors, which will boost productivity and save expenses. One of the factors driving the technology’s broad interest and uptake is its capacity to foster security and trust in digital interactions.

Key Features of Blockchain Technology

Blockchain, a decentralized digital ledger, may change several sectors. Decentralization, which removes a single point of control, is one of its most essential features. Decentralization reduces corruption and failure by spreading data over a network of computers.

The immutability of blockchain technology is another essential component. It is very hard to change data after it has been stored on a blockchain. This is due to the fact that every block establishes a safe connection between them by including a distinct cryptographic hash of the one before it. This feature makes the blockchain a reliable platform for transactions by guaranteeing the integrity of the data stored there.

Blockchain technology is more secure than traditional record-keeping. Data is encrypted to prevent fraud and unwanted access. Data-sensitive businesses like healthcare and finance need blockchain’s security.

How Blockchain and Quantum Computing Intersect

Enhancing Security Features

Blockchain and quantum computing appear to increase digital transaction security. Blockchain technology uses distributed ledger technology to record transactions decentralizedly. Quantum computing may break several blockchain encryption methods due to its powerful processing. But this danger also encourages the creation of blockchains that are resistant to quantum assaults by including algorithms that are safe from such attacks.

By allowing two parties to generate a shared random secret key that is only known to them, quantum key distribution (QKD) is a technique that employs the concepts of quantum physics to secure communications. This key may be used to both encrypt and decode messages. The key cannot be intercepted by an eavesdropper without creating observable irregularities. This technique may be used into blockchain technology to improve security and make it almost impenetrable.

Quantum computing may speed up complex cryptographic procedures like zero-knowledge proofs on blockchains, boosting security and privacy. These advances might revolutionize sensitive data management in government, healthcare, and finance. To explore how quantum computing improves blockchain security, see Quantum Resistant Ledger, which discusses quantum-resistant cryptographic techniques.

Quantum Computing’s Impact on Blockchain Technology

By using the ideas of quantum physics to process data at rates that are not possible for traditional computers, quantum computing provides a substantial breakthrough in computational power. Blockchain technology, which is based on traditional cryptographic concepts, faces both possibilities and dangers from this new technology.

The main worry is that many of the cryptographic techniques used by modern blockchains to provide security might be cracked by quantum computers. The difficulty of factoring big numbers, for example, is the foundation of most of today’s cryptography, a work that quantum computers will do exponentially quicker than conventional ones. If the cryptographic underpinnings of blockchain networks are hacked, this might possibly expose them to fraud and theft concerns.

But the use of quantum computing also presents blockchain technology with revolutionary possibilities. Blockchains with quantum enhancements may be able to execute transactions at very fast rates and with improved security features, far outperforming current networks. To protect blockchain technology from the dangers of quantum computing, researchers and developers are actively investigating quantum-resistant algorithms.

Read more on Govindhtech.com

#Blockchain #BlockchainTechnology #Cloudcomputing #QuantumComputing #Security #supplychain #News #Technews #Technology #Technologynews #Technologytrends #govindhtech

2 notes · View notes

anarchotahdigism · 9 months ago

Text

Signal now allows users to create a username to give out instead of a phone number. There's really no reason to not use Signal-- insist your friends, family, coworkers, as many as possible switch to it. You can have encrypted group chats, set disappearing message time lengths, disable screen shots and even use a google number so you're not actually using/displaying your own phone number. Now you don't have to give out your number at all to anyone. "Rather than directly storing your username as part of your account details, Signal stores a cryptographic hash of your username instead; Signal uses the Ristretto 25519 hashing algorithm, essentially storing a random block of data instead of usernames themselves. This is like how online services can confirm a user’s password is valid without storing a copy of the actual password itself." .. "You can also create a link or QR code that people can scan to add you as a contact. These, too, are ephemeral. You can send someone your Signal link in an insecure channel, and, as soon as they contact you, you can reset your link and get a new one, without needing to change your username.

Finally, while you’ll still need a phone number to create a Signal account, you’ll have the option to prevent anyone from finding you on Signal using your phone number."

#anticapitalism #anarchism #antifascism #security culture

10 notes · View notes

finotica · 1 month ago

Text

Cryptocurrency and Blockchain Technology: A Comprehensive Guide

In recent years, cryptocurrency and blockchain technology have revolutionized the way we think about finance, security, and even the internet itself. While both of these concepts might seem complex at first glance, they hold immense potential to reshape industries, enhance security, and empower individuals globally. If you’ve ever been curious about the buzz surrounding these digital innovations, you’ve come to the right place.

In this article, we will break down what cryptocurrency and blockchain technology are, how they work, and the various ways they are being used today. By the end, you’ll have a solid understanding of these cutting-edge topics and why they are so important in the modern world.

1. What is Cryptocurrency?

At its core, cryptocurrency is a type of digital currency that uses cryptography for security. Unlike traditional currencies issued by governments (such as dollars or euros), cryptocurrencies are decentralized and typically operate on a technology called blockchain. Cryptocurrencies are designed to function as a medium of exchange, and they offer a new way of conducting secure financial transactions online without the need for a central authority like a bank.

The most well-known cryptocurrency is Bitcoin, but there are thousands of other cryptocurrencies, such as Ethereum, Litecoin, and Ripple, each with its own unique features and use cases.

2. How Does Cryptocurrency Work?

Cryptocurrencies operate on decentralized networks using blockchain technology. Each transaction made with a cryptocurrency is recorded in a public ledger known as the blockchain. This ledger is maintained by a network of computers called nodes, which verify and confirm each transaction through complex algorithms.

What makes cryptocurrency unique is its decentralized nature. Since there is no central authority controlling the currency, users have more control over their funds. This also provides an added layer of security, as the system is resistant to hacking and fraud.

3. The Birth of Bitcoin: The First Cryptocurrency

In 2008, an unknown person or group using the pseudonym Satoshi Nakamoto introduced Bitcoin to the world. Nakamoto published a white paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System” that outlined the principles of what we now know as Bitcoin.

Bitcoin became the first decentralized cryptocurrency, and it offered a solution to some of the flaws of traditional financial systems, such as high fees, slow transaction times, and reliance on third parties. Since its inception, Bitcoin has grown to become the most widely recognized and valuable cryptocurrency.

4. Blockchain Technology: The Backbone of Cryptocurrency

Blockchain technology is what makes cryptocurrencies possible. A blockchain is a distributed ledger that records transactions across multiple computers. Once data is recorded on the blockchain, it is extremely difficult to alter or delete, making it highly secure and immutable.

Each block in the chain contains a cryptographic hash of the previous block, a timestamp, and transaction data. This interconnected structure ensures that the data is secure and tamper-proof. Blockchain technology isn’t limited to cryptocurrencies; it has a wide range of applications, from supply chain management to healthcare.

5. How Does Blockchain Work?

To put it simply, a blockchain is a chain of blocks, where each block represents a set of data. When a new transaction is made, that transaction is added to a block, and once the block is complete, it is added to the chain.

The process of validating these transactions is carried out by miners (in proof-of-work systems) or validators (in proof-of-stake systems). These participants ensure that the transaction data is correct and consistent across the entire network.

The decentralized nature of blockchain means that no single entity controls the ledger. This makes it highly resistant to manipulation, and it creates a more transparent system of record-keeping.

6. The Advantages of Blockchain Technology

Blockchain technology offers a wide range of benefits, which is why it has gained so much traction across various industries. Here are some key advantages:

Security: Blockchain is designed to be secure. Each transaction is encrypted and linked to the previous one, making it nearly impossible to alter data without detection.

Transparency: The decentralized nature of blockchain allows for full transparency. All participants in the network can see and verify transactions.

Efficiency: Traditional financial systems can be slow and costly. Blockchain allows for faster transactions at lower fees by cutting out intermediaries.

Decentralization: Blockchain is not controlled by a single entity, giving users more autonomy over their data and transactions.

7. Common Applications of Blockchain Technology

While blockchain technology is best known for its use in cryptocurrency, it has a variety of other applications. Here are a few examples:

Finance: Beyond cryptocurrencies, blockchain is being used in the financial sector to streamline processes like cross-border payments, loans, and insurance claims.

Supply Chain Management: Blockchain can improve transparency and efficiency in supply chains by providing a tamper-proof record of each step in the production process.

Healthcare: Blockchain can be used to securely store and share patient data, ensuring that medical records are accurate and up to date.

Voting Systems: Blockchain has the potential to revolutionize voting by providing a secure and transparent platform for casting and counting votes.

8. Popular Cryptocurrencies Beyond Bitcoin

While Bitcoin was the first cryptocurrency, many others have since been developed, each with its own unique use cases. Here are some of the most popular:

Ethereum: Ethereum is more than just a cryptocurrency; it is a platform for creating decentralized applications (DApps) and smart contracts.

Litecoin: Often referred to as the silver to Bitcoin’s gold, Litecoin is a peer-to-peer cryptocurrency designed for faster transaction times.

Ripple (XRP): Ripple is a digital payment protocol that enables fast, low-cost international money transfers.

Cardano: A proof-of-stake blockchain platform that aims to provide a more secure and scalable way to handle transactions.

9. The Risks and Challenges of Cryptocurrency and Blockchain

As with any technology, there are risks and challenges associated with cryptocurrency and blockchain. Here are some of the key concerns:

Volatility: Cryptocurrencies are known for their price volatility, which can result in significant gains or losses for investors.

Regulation: The regulatory environment for cryptocurrencies is still evolving, and different countries have varying approaches to how they govern digital currencies.

Security Risks: While blockchain is highly secure, the wallets and exchanges used to store and trade cryptocurrencies can be vulnerable to hacking.

Environmental Impact: Some cryptocurrencies, such as Bitcoin, require large amounts of energy for mining, leading to concerns about their environmental impact.

10. The Future of Cryptocurrency and Blockchain Technology

The future of cryptocurrency and blockchain technology looks bright, but there are still many uncertainties. As more governments, companies, and individuals adopt these technologies, we can expect to see continued innovation and development.

Some experts predict that blockchain will become the standard for secure, decentralized systems across a wide range of industries, while others believe that cryptocurrencies will become a mainstream form of payment. Regardless of what the future holds, it is clear that both blockchain and cryptocurrency will play a significant role in shaping the digital landscape.

Conclusion

In summary, cryptocurrency and blockchain technology have already made a profound impact on the world of finance and technology. Cryptocurrencies like Bitcoin and Ethereum have given individuals more control over their money, while blockchain has provided a secure and decentralized way to store data.

While there are risks and challenges, the potential benefits of these technologies are enormous, and they are only just beginning to be realized. Whether you’re an investor, a tech enthusiast, or just curious about the future, staying informed about cryptocurrency and blockchain is essential.

By understanding the fundamentals of how these systems work, you can position yourself to take advantage of the opportunities they offer in the years to come.

To learn more in-depth about how cryptocurrency and blockchain technology can impact your financial future, click here to explore our full guide on Finotica: Read More. Discover expert insights, practical tips, and the latest trends to stay ahead in the digital finance revolution!

#financetips #investing stocks #personal finance #management #finance #investing #crypto #blockchain #fintech #investment

2 notes · View notes

ecosmining · 5 months ago

Text

How Cryptocurrency Mining Works: Process, Methods, and Risks

Cryptocurrency mining is a topic of interest for many people. Today, there are numerous opportunities available for those who want to earn money, and one of them is cryptocurrency mining, which can provide a significant income.

What is Cryptocurrency Mining?

First, let’s understand what cryptocurrency mining means. It all started with Satoshi Nakamoto, who in 2007 began developing the principles of cryptocurrency mining (Bitcoin). In 2009, the first mining application was released. The generation of the first block, “Genesis 0,” brought the first 50 bitcoins to its creators. In the same year, the first purchase of BTC for dollars took place: $5.02 was sold for 5050 bitcoins (which is an astronomical sum today).

The essence of the cryptocurrency mining process is the creation of new blocks in the cryptocurrency network. For this, the mining equipment solves complex mathematical problems. For each new block, cryptocurrency coins are issued. Miners can then store them in their wallets or sell them on exchanges.

How Does Cryptocurrency Mining Work?

To understand the principles of mining, it is necessary to clearly understand how bitcoin is mined.

Information about each transaction within the BTC network is recorded in a special block, which confirms the authenticity of the transfer.

Blocks form a single chain — the blockchain. Each block contains the hash of the header of the previous block, the hash of the transaction, and a random number.

The miner’s equipment performs mathematical calculations to determine the block hash.

After calculating the hash, the miner receives a reward and adds a new block to the general register of transactions.

The mining process is protected using the Proof-of-Work and Proof-of-Stake algorithms. These are sets of rules according to which transactions are conducted, mining is carried out, and other actions are performed within the network.

Proof-of-work (“proof of work”). The algorithm organizes the operation of the entire cryptocurrency network, verifies the authenticity of transactions, and so on. After a certain amount of cryptocurrency is mined in the network, PoW increases the complexity of the calculations. As a result, miners are forced to constantly increase the power of their farms and devices. PoW is the algorithm of a large number of cryptocurrency networks: from bitcoin to LiteCoin and DogeCoin. Proof-of-Stake (“proof of ownership”). An analog of PoW, the essence of which is that the greatest chance of mining cryptocurrency is received by the one who owns the most coins, and not the most powerful equipment. The algorithm reduces the decentralization of the network but significantly reduces energy consumption. PoS is currently used by Ethereum.

Mining Algorithms

To understand how to mine cryptocurrency, you need to know about the most popular mining algorithms at the moment. These technologies form the basis of cryptographic calculations and affect the mining speed, the necessary equipment and its power, the level of energy consumption, and so on.

SHA-256. The basis of mining on this algorithm is the creation of a 256-bit signature. It is demanding on the hash rate (for mining, a minimum of 1 Gh/s is required). Calculations last from 7 minutes. It is used in the mining of Bitcoin, Bytecoin, Terracoin, 21Coin. Ethash. The hashing algorithm was first used to mine ether. In the mining process, the emphasis is on the volume of video card memory. Ethash is used in the networks Ethereum Classic, KodakCoin, Ubig.

Scrypt. It works on the PoW (Proof-of-work) principle. Compared to SHA-256, it has a higher calculation speed and lower requirements for the power of computing equipment. The algorithm is used in the mining of Dogecoiun, Gulden, Litecoin.

Equihash. An algorithm with which you can mine cryptocurrency on home computers. It is used in the mining of Bitcoin Gold, Zcash, Komodo. CryptoNight. The algorithm is designed for mining cryptocurrency on home computers. It allows you to mine even on a not very powerful video card. The only condition is that it must be discrete. It is used in the mining of Bytecoin and Monero.

X11. The algorithm was developed by the creators of the Dash token. It has excellent data protection and low energy consumption.

Types of Mining

What does cryptocurrency mining mean in terms of organizing the process? There are several types of mining that depend on the equipment used and the number of team members.

By Equipment Type

In mining, you can use different equipment: you need to choose a suitable cryptocurrency and install software. Each type of equipment will differ in calculation speed, resource consumption, durability, etc.

CPU (Central processing unit) CPU mining is the use of a PC processor for cryptocurrency mining. It is characterized by very low calculation speed and, accordingly, low profitability. However, it is still relevant among solo miners due to low energy consumption requirements. To increase mining efficiency, you need to choose processors with a high frequency, a large number of cores and threads. It is not recommended to mine on laptops. With CPU mining, you can mine Dogecoin, Monero, Electroneum.

FPGA-module (Field-Programmable Gate Array) The use of an FPGA module is one of the promising ways to mine cryptocurrency. Their advantage/difference lies in the possibility of reprogramming the module for the desired mining algorithm. Thus, you can switch between different cryptocurrencies. Another beneficial difference is that FPGA modules provide a better hash rate-energy consumption ratio. The main disadvantage of FPGA mining is the cost of the modules and the complexity of their setup.

Hard Drive You can also use the HDD of your PC for mining. The work is carried out according to the Proof-of-Capacity (“proof of resources”) algorithm. Mining on a hard disk takes place in two stages: plotting and mining. First, the generation of random solutions takes place, which are saved on the HDD. Then the number of the scoop is calculated, and the deadline is determined. Then the minimum deadline is selected, and the miner who beats the rest receives a reward. The calculations do not require high power but only a lot of free space on the hard drive.

By Number of Participants

You can mine cryptocurrency both alone and in a company with other miners. All this has both its advantages and disadvantages.

Solo Mining The oldest form of mining. The miner independently selects equipment, sets up software, chooses a cryptocurrency, and starts mining. All costs are borne by him. But the reward for the mined block is received in full by the solo miner. During the birth of the cryptocurrency industry, this was the most profitable form of mining, as the calculations were fast and did not require large capacities. Today, solo mining is worth doing when mining promising altcoins.

Mining Pools A mining pool is a combination of miners who start working on creating blocks together. As a result, this significantly increases the overall chances of getting cryptocurrency. There are two main types of pools with different payment mechanisms. Pay-Per-Share (PPS), in which the miner receives a reward for each hash created within the pool — even if the block was not created. Pay-Per-Last-N-Shares (PPLNS), with accrual of the reward only when the block is created.

Cloud Mining This is a type of passive mining. In this case, the user pays for the rental of capacities on the territory of the data center of the company. The equipment starts mining, and with the help of a mobile application or a personal account on the site, the client monitors the results. Profit depends on the rented capacities, the cost of cryptocurrency, and the options in the company’s service.

Mining Profitability

To make a profit from cryptocurrency mining, you need to make a preliminary calculation of costs. If you want to create your own farm, you need to calculate:

Costs for purchasing and maintaining equipment. Payment for electricity. Rent of premises for the farm. The computing power of the equipment, which determines the amount of cryptocurrency mined per month. Assess changes in the value of the chosen cryptocurrency: an accurate forecast will allow you to imagine the expected income.

Mining profitability A profitable option for earning money can be the purchase/rental of ASICs or cloud mining. Their profitability depends only on the starting budget. If you calculate the minimum entry threshold by product, then you can get the following approximate figures:

Purchase of Antminer S21 188TH ($5000): expected income $550* per month. Rent of Antminer S21 188TH for 12 months ($3200): expected income $320* per month. Cloud mining contract ($150): expected income $225* for 60 months. These calculations provide you with forecast information based on the BTC forecast, which will reach $120 thousand. and FPPS 0.0000008. This is not a guarantee of future results, and accordingly, it is not advisable to rely too much on such information due to its inherent uncertainty.

Risks of Cryptocurrency Mining

The cryptocurrency industry has certain risks:

Problems with legislation. Very often, mining is not regulated by the legislation of countries, and in some, it can be completely prohibited, for example, in Taiwan, Kyrgyzstan, Vietnam, Romania, and Ecuador. Before starting to work with cryptocurrency, you definitely need to consult with a lawyer. A good solution to the problem can be the services of a hosting company, which will take any risks upon itself.

The issue of profitability. For successful bitcoin mining on your own, you need to buy powerful computing equipment. It not only costs quite a lot but also requires a huge amount of electricity and careful maintenance. Therefore, it will not be possible to place it at home. At the same time, mining on a home PC or a small farm will be unprofitable due to high competition with large farms and pools.

The difficulty of accurately forecasting income. It is difficult to calculate future income from the sale of mined cryptocurrency: the complexity of mining, the popularity of coins, and their value can and will regularly change.

The Future and Prospects of Cryptocurrency Mining

The industry continues to actively develop around the world. Users know that they can get a good income from cryptocurrency mining, even if they mine altcoins: Ethereum, Tether, BNB, Solana, etc. BTC is the undisputed leader of the industry, the course of which affects users’ trust in it.

After the fourth bitcoin halving in April 2024, the profitability of mining changed. To maintain the previous level of mining, it is necessary to increase existing computing powers. Therefore, miners continue to unite in pools or use the services of hosting companies. In the near future, this trend will not only be preserved but will also receive its development.

Conclusion

Despite periodic declines, bitcoin continues the trend of growth, which makes investing in cryptocurrency mining a profitable investment. With the development of mining pools and the appearance of large farms, it is difficult for a solo miner to get a significant income. Therefore, the best option may be cloud mining or the purchase/rental of an ASIC farm from a hosting company, which will take over the installation and maintenance of the equipment. With ECOS.am, you can focus on mining and investing in BTC. We take on all the other work.

#mining #bitcoin #crypto #blockchain

4 notes · View notes

understandingactivedirectory · 1 year ago

Text

Exploring Kerberos and its related attacks

Introduction

In the world of cybersecurity, authentication is the linchpin upon which secure communications and data access rely. Kerberos, a network authentication protocol developed by MIT, has played a pivotal role in securing networks, particularly in Microsoft Windows environments. In this in-depth exploration of Kerberos, we'll delve into its technical intricacies, vulnerabilities, and the countermeasures that can help organizations safeguard their systems.

Understanding Kerberos: The Fundamentals

At its core, Kerberos is designed to provide secure authentication for users and services over a non-secure network, such as the internet. It operates on the principle of "need-to-know," ensuring that only authenticated users can access specific resources. To grasp its inner workings, let's break down Kerberos into its key components:

1. Authentication Server (AS)

The AS is the initial point of contact for authentication. When a user requests access to a service, the AS verifies their identity and issues a Ticket Granting Ticket (TGT) if authentication is successful.

2. Ticket Granting Server (TGS)

Once a user has a TGT, they can request access to various services without re-entering their credentials. The TGS validates the TGT and issues a service ticket for the requested resource.

3. Realm

A realm in Kerberos represents a security domain. It defines a specific set of users, services, and authentication servers that share a common Kerberos database.

4. Service Principal

A service principal represents a network service (e.g., a file server or email server) within the realm. Each service principal has a unique encryption key.

Vulnerabilities in Kerberos

While Kerberos is a robust authentication protocol, it is not immune to vulnerabilities and attacks. Understanding these vulnerabilities is crucial for securing a network environment that relies on Kerberos for authentication.

1. AS-REP Roasting

AS-REP Roasting is a common attack that exploits weak user account settings. When a user's pre-authentication is disabled, an attacker can request a TGT for that user without presenting a password. They can then brute-force the TGT offline to obtain the user's plaintext password.

2. Pass-the-Ticket Attacks

In a Pass-the-Ticket attack, an attacker steals a TGT or service ticket and uses it to impersonate a legitimate user or service. This attack can lead to unauthorized access and privilege escalation.

3. Golden Ticket Attacks

A Golden Ticket attack allows an attacker to forge TGTs, granting them unrestricted access to the domain. To execute this attack, the attacker needs to compromise the Key Distribution Center (KDC) long-term secret key.

4. Silver Ticket Attacks

Silver Ticket attacks target specific services or resources. Attackers create forged service tickets to access a particular resource without having the user's password.

Technical Aspects and Formulas

To gain a deeper understanding of Kerberos and its related attacks, let's delve into some of the technical aspects and cryptographic formulas that underpin the protocol:

1. Kerberos Authentication Flow

The Kerberos authentication process involves several steps, including ticket requests, encryption, and decryption. It relies on various cryptographic algorithms, such as DES, AES, and HMAC.

2. Ticket Granting Ticket (TGT) Structure

A TGT typically consists of a user's identity, the requested service, a timestamp, and other information encrypted with the TGS's secret key. The TGT structure can be expressed as:

3. Encryption Keys

Kerberos relies on encryption keys generated during the authentication process. The user's password is typically used to derive these keys. The process involves key generation and hashing formulas.

Mitigating Kerberos Vulnerabilities

To protect against Kerberos-related vulnerabilities and attacks, organizations can implement several strategies and countermeasures:

1. Enforce Strong Password Policies

Strong password policies can mitigate attacks like AS-REP Roasting. Ensure that users create complex, difficult-to-guess passwords and consider enabling pre-authentication.

2. Implement Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to provide multiple forms of authentication. This can thwart various Kerberos attacks.

3. Regularly Rotate Encryption Keys

Frequent rotation of encryption keys can limit an attacker's ability to use stolen tickets. Implement a key rotation policy and ensure it aligns with best practices.

4. Monitor and Audit Kerberos Traffic

Continuous monitoring and auditing of Kerberos traffic can help detect and respond to suspicious activities. Utilize security information and event management (SIEM) tools for this purpose.

5. Segment and Isolate Critical Systems

Isolating sensitive systems from less-trusted parts of the network can reduce the risk of lateral movement by attackers who compromise one system.

6. Patch and Update

Regularly update and patch your Kerberos implementation to mitigate known vulnerabilities and stay ahead of emerging threats.

4. Kerberos Encryption Algorithms

Kerberos employs various encryption algorithms to protect data during authentication and ticket issuance. Common cryptographic algorithms include:

DES (Data Encryption Standard): Historically used, but now considered weak due to its susceptibility to brute-force attacks.

3DES (Triple DES): An improvement over DES, it applies the DES encryption algorithm three times to enhance security.

AES (Advanced Encryption Standard): A strong symmetric encryption algorithm, widely used in modern Kerberos implementations for better security.

HMAC (Hash-based Message Authentication Code): Used for message integrity, HMAC ensures that messages have not been tampered with during transmission.

5. Key Distribution Center (KDC)

The KDC is the heart of the Kerberos authentication system. It consists of two components: the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS handles initial authentication requests and issues TGTs, while the TGS validates these TGTs and issues service tickets. This separation of functions enhances security by minimizing exposure to attack vectors.

6. Salting and Nonces

To thwart replay attacks, Kerberos employs salting and nonces (random numbers). Salting involves appending a random value to a user's password before hashing, making it more resistant to dictionary attacks. Nonces are unique values generated for each authentication request to prevent replay attacks.

Now, let's delve into further Kerberos vulnerabilities and their technical aspects:

7. Ticket-Granting Ticket (TGT) Expiry Time

By default, TGTs have a relatively long expiry time, which can be exploited by attackers if they can intercept and reuse them. Administrators should consider reducing TGT lifetimes to mitigate this risk.

8. Ticket Granting Ticket Renewal

Kerberos allows TGT renewal without re-entering the password. While convenient, this feature can be abused by attackers if they manage to capture a TGT. Limiting the number of renewals or implementing MFA for renewals can help mitigate this risk.

9. Service Principal Name (SPN) Abuse

Attackers may exploit misconfigured SPNs to impersonate legitimate services. Regularly review and audit SPNs to ensure they are correctly associated with the intended services.

10. Kerberoasting

Kerberoasting is an attack where attackers target service accounts to obtain service tickets and attempt offline brute-force attacks to recover plaintext passwords. Robust password policies and regular rotation of service account passwords can help mitigate this risk.

11. Silver Ticket and Golden Ticket Attacks

To defend against Silver and Golden Ticket attacks, it's essential to implement strong password policies, limit privileges of service accounts, and monitor for suspicious behavior, such as unusual access patterns.

12. Kerberos Constrained Delegation

Kerberos Constrained Delegation allows a service to impersonate a user to access other services. Misconfigurations can lead to security vulnerabilities, so careful planning and configuration are essential.

Mitigation strategies to counter these vulnerabilities include:

13. Shorter Ticket Lifetimes

Reducing the lifespan of TGTs and service tickets limits the window of opportunity for attackers to misuse captured tickets.

14. Regular Password Changes

Frequent password changes for service accounts and users can thwart offline attacks and reduce the impact of credential compromise.

15. Least Privilege Principle

Implement the principle of least privilege for service accounts, limiting their access only to the resources they need, and monitor for unusual access patterns.

16. Logging and Monitoring

Comprehensive logging and real-time monitoring of Kerberos traffic can help identify and respond to suspicious activities, including repeated failed authentication attempts.

Kerberos Delegation: A Technical Deep Dive

1. Understanding Delegation in Kerberos

Kerberos delegation allows a service to act on behalf of a user to access other services without requiring the user to reauthenticate for each service. This capability enhances the efficiency and usability of networked applications, particularly in complex environments where multiple services need to interact on behalf of a user.

2. Types of Kerberos Delegation

Kerberos delegation can be categorized into two main types:

Constrained Delegation: This type of delegation restricts the services a service can access on behalf of a user. It allows administrators to specify which services a given service can impersonate for the user.

Unconstrained Delegation: In contrast, unconstrained delegation grants the service full delegation rights, enabling it to access any service on behalf of the user without restrictions. Unconstrained delegation poses higher security risks and is generally discouraged.

3. How Delegation Works

Here's a step-by-step breakdown of how delegation occurs within the Kerberos authentication process:

Initial Authentication: The user logs in and obtains a Ticket Granting Ticket (TGT) from the Authentication Server (AS).

Request to Access a Delegated Service: The user requests access to a service that supports delegation.

Service Ticket Request: The user's client requests a service ticket from the Ticket Granting Server (TGS) to access the delegated service. The TGS issues a service ticket for the delegated service and includes the user's TGT encrypted with the service's secret key.

Service Access: The user presents the service ticket to the delegated service. The service decrypts the ticket using its secret key and obtains the user's TGT.

Secondary Authentication: The delegated service can then use the user's TGT to authenticate to other services on behalf of the user without the user's direct involvement. This secondary authentication occurs transparently to the user.

4. Delegation and Impersonation

Kerberos delegation can be seen as a form of impersonation. The delegated service effectively impersonates the user to access other services. This impersonation is secure because the delegated service needs to present both the user's TGT and the service ticket for the delegated service, proving it has the user's explicit permission.

5. Delegation in Multi-Tier Applications

Kerberos delegation is particularly useful in multi-tier applications, where multiple services are involved in processing a user's request. It allows a front-end service to securely delegate authentication to a back-end service on behalf of the user.

6. Protocol Extensions for Delegation

Kerberos extensions, such as Service-for-User (S4U) extensions, enable a service to request service tickets on behalf of a user without needing the user's TGT. These extensions are valuable for cases where the delegated service cannot obtain the user's TGT directly.

7. Benefits of Kerberos Delegation

Efficiency: Delegation eliminates the need for the user to repeatedly authenticate to access multiple services, improving the user experience.

Security: Delegation is secure because it relies on Kerberos authentication and requires proper configuration to work effectively.

Scalability: Delegation is well-suited for complex environments with multiple services and tiers, enhancing scalability.

In this comprehensive exploration of Kerberos, we've covered a wide array of topics, from the fundamentals of its authentication process to advanced concepts like delegation.

Kerberos, as a network authentication protocol, forms the backbone of secure communication within organizations. Its core principles include the use of tickets, encryption, and a trusted third-party Authentication Server (AS) to ensure secure client-service interactions.

Security is a paramount concern in Kerberos. The protocol employs encryption, timestamps, and mutual authentication to guarantee that only authorized users gain access to network resources. Understanding these security mechanisms is vital for maintaining robust network security.

Despite its robustness, Kerberos is not impervious to vulnerabilities. Attacks like AS-REP Roasting, Pass-the-Ticket, Golden Ticket, and Silver Ticket attacks can compromise security. Organizations must be aware of these vulnerabilities to take appropriate countermeasures.

Implementing best practices is essential for securing Kerberos-based authentication systems. These practices include enforcing strong password policies, regular key rotation, continuous monitoring, and employee training.

Delving into advanced Kerberos concepts, we explored delegation – both constrained and unconstrained. Delegation allows services to act on behalf of users, enhancing usability and efficiency in complex, multi-tiered applications. Understanding delegation and its security implications is crucial in such scenarios.

Advanced Kerberos concepts introduce additional security considerations. These include implementing fine-grained access controls, monitoring for unusual activities, and regularly analyzing logs to detect and respond to security incidents.

So to conclude, Kerberos stands as a foundational authentication protocol that plays a pivotal role in securing networked environments. It offers robust security mechanisms and advanced features like delegation to enhance usability. Staying informed about Kerberos' complexities, vulnerabilities, and best practices is essential to maintain a strong security posture in the ever-evolving landscape of cybersecurity.

#cybersecurity #active directory #kerberos #windows os #cyberattack

12 notes · View notes

scribblesbyavi · 5 months ago

Text

Individual bitcoin addresses can’t be hacked as well because of cryptographic hashing algorithm which would require you millions of years and a lot of computing power to be able to do reverse engineering and get the private key to a wallet.

#2am thoughts #bitcoin

2 notes · View notes

ms-demeanor · 10 months ago

Note

hi, thanks for all the tech tips! I hope this isn’t a silly question, but how are password managers secure? Isn’t there a risk of a data breach there?

Each individual account managed through a password management company is (or should be in any respectable product) individually encrypted.

When we see big breaches like the 2013 tumblr leak or similar leaks over the years, typically what you're seeing is either

A) One large collection of information that was stored under the same encryption umbrella and someone was able to use illicit credentials or some other nefarious method to access that information (very bad) or

B) Information that was never encrypted in the first place and was stored in plaintext (much, much worse).

With a good password manager any data that the company has is encrypted and your individual vault is encrypted separately using a key that the company doesn't have access to.

So imagine that you walk into a room and the floor is covered in dominoes arranged in a pattern. With no encryption (scenario B), imagine that the door is unlocked and you can simply open the door and knock over all the dominoes.

With one big encrypted bucket (scenario A), what happens is if you are able to open the main door, you can knock over all the dominoes but it takes some effort to get the door open.

With individually encrypted vaults you need to open the main door, then you see thousands and thousands of tiny safes, each with a combination that you need to guess to access the dominoes inside to knock them over. Each safe has a code that will take somewhere between two years and ten thousand years to guess, depending on the computer doing the guessing, and you can customize your safe to make it harder to guess the combination.

Good encryption is extremely secure, and a lot of the breaches that we see aren't failures of encryption, they are failures of other parts of the system security. What you are typically seeing with big breaches is either someone didn't bother to encrypt anything, or someone fucked up in a big way and people who weren't supposed to gain access were able to gain access.

But what you almost never see is someone genuinely cracking encryption of a secure system.

Password managers generally speaking have a better eye toward security than a lot of other products, and open source password managers tend to be rigorously tested by some tremendously intelligent and tremendously paranoid people who are VERY invested in security.

If you have a Bitwarden account (just using it as the example because it's my favorite and it's what I recommend), Bitwarden actually *can't* access your account. If you forget your password, that's it. You're locked out (this is why it's important to make a good password hint and to make your password manager password both complex AND memorable). They can't recover it for you because they simply do not have access to that data; it is encrypted and they can't crack the encryption and they don't have your key (they have a hash of your key, which means they can recognize your key but they can't reverse engineer it - it's complicated, look up cryptographic hashing, I'm bad at explaining it). So if anyone breaches that system, they ALSO don't have access to your vault or to your key and in order to access your passwords would need to brute force your main password by guessing until they landed on the correct one. If you have a sufficiently long and complex password, that is going to be so extremely difficult that it might as well be impossible.

202 notes · View notes

mostlysignssomeportents · 2 years ago

Text

Red Team Blues Chapter One, part three

With just days to the publication of my next novel, Red Team Blues, I’m taking the chance to serialize the first chapter of this anti-finance finance thriller, and introduce you to Marty Hench, a 67-year-old forensic accountant who specializes in Silicon Valley finance scams.

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/04/19/whats-wrong-with-iowa/#henched

Marty is ready to retire, but there’s just one more job he has to do — recover a billion dollars’ worth of cryptographic keys that are claimed by money-launderers, narcos, and shady US three letter agencies.

Here’s the previous installments:

Part one:

https://pluralistic.net/2023/04/17/have-you-tried-not-spying/#unsalted-hash

Part two:

https://pluralistic.net/2023/04/18/cursed-are-the-sausagemakers/#henched

Here’s where US readers can pre-order the book:

https://us.macmillan.com/books/9781250865847/red-team-blues

Here’s pre-orders for Canadians:

https://services.raincoast.com/scripts/b2b.wsc/featured?hh_isbn=9781250865847&ht_orig_from=raincoast

And for readers in the UK and the rest of the Commonwealth:

https://uk.bookshop.org/p/books/red-team-blues-cory-doctorow/7225998?ean=9781804547755

And now, here’s today’s serial installment:

I grunted noncommittally. Danny had been around since crypto meant “cryptography,” and I hadn’t figured him to become one of these blockchain hustlers. They’re the kind of smart people who outsmart themselves, especially when it comes to shenanigans, forgetting that their public ledger is public and all their transactions are visible to the whole world forever. Forensic accounting never had a better friend than crypto, with its mix of public ledgers, deluded masters of the universe, and suckers pumping billions into the system. It was full employment for me and my competitors until cryptocurrency’s carbon footprint rendered the earth uninhabitable.

“There are certain technical differences between Trustless and other coins. Will you allow me to explain them to you? I promise it’s germane and I’m not trying to sell you anything.” “Aw, hell, Danny, you can tell me anything. I just get sick of being hustled.”

“Me, too, pal. Okay, if you mentioned distributed sudoku puzzles, you know something about proof of work: the way blockchain maintains the integrity of its ledger is by having everyone in the system repeatedly do compute work that reaffirms all the entries in the ledger. So long as the value of all the assets in the ledger is less than the electricity bill for taking over the majority of the compute work, they’re safe.”

“That means that the more valuable all this blockchain stuff becomes, the more coal they have to burn to keep it all from being stolen,” I said. It was something I’d almost said to the bros at dinner the night before, but I didn’t want an argument to distract from the otherwise lovely time I’d been having with my entirely lovely companion.

“That’s fair,” he said. “That’s what every greenie who hasn’t received a couple of mil in donations from surprised crypto-millionaires will tell you. But, Marty, that’s a problem with proof of work, not with distributed ledgers. If you could build a blockchain that had a negligible carbon budget, you could do a lot with it.”

“Launder money. Badly.”

“That,” he said. “Lot of Chinese entrepreneurs and officials are anxious to beat currency controls. But it’s not just money, it’s anything you want to have universally available, unfalsifiable, and cryptographically secured.”

“Laundered money.”

He made a face. “Cynic. Not laundered money. Genocide-proof ID. Cryptographically secured, write-only manifests of a person’s identifiers, including nationality, vitals, and ethnic group, but each one has its own key, held by the Blue Helmets. You get to a border and you present your biometrics, and the UN tells the border guards your nationality but not your ethnicity.”

“Fanciful.”

“Cynic! Yeah, fine, no one’s doing it yet, but we could. All that blockchain for good shit that the hucksters talked up to make it sound like proof of work wasn’t a crime against humanity. Trust lesscoin lets you do them because it doesn’t need the sudoku.”

I dredged up memories of half-digested podcasts I’d listened to on the road. “Is it a proof-of-stake thing?”

He snorted. “Don’t try to sound smart, Marty, you’ll sprain something. No, it’s secure enclaves. That crypto-sub-processor in your iPhone that Apple uses to keep you from switching to another app store? It can run code. What’s more, it can sign the output. So we can send you a program and check to see whether it ran as intended, because we know that the owner of a phone can’t override the secure enclave. Far as Apple’s concerned, iPhone owners are the enemy, and their threat model treats the device owner as an adversary — as someone who might get apps someplace that doesn’t kick a fifteen to thirty percent vigorish up to Apple for every transaction, depriving its shareholders of their rake.

“Any device with a secure enclave or other trusted computing module is a device that treats its owner as the enemy. That’s a device we need, because when you’re in the Trustlesscoin network, that device will defend me from you, and you from me. I don’t have to trust you, I just have to trust that you can’t break into your own phone, which is to say that I have to trust that Apple’s engineers did their job correctly, and well, you know, they’ve got a pretty good track record, Marty.”

“Except?”

He finished his lemonade and scowled at the reusable straw.

“Yeah, except. Look, Trustlesscoin is on track to become the standard public ledger for the world. I know, I know, every founder talks that ‘make a dent in the universe’ crap, but I mean it. You want to know how serious I am about this? I took in outside capital.”

He let me sit with that a moment. Danny Lazer, the man who ate ramen in a twenty-year-old, bent-axle RV for decades with the love of his life so he’d never have to take a nickel from any of those bloodsuckers on Sand Hill Road, and he took in outside capital. Danny Lazer, a man who’d owned 75 percent of a unicorn, which is to say, seven-point-five-times-ten-to-the-eight U.S. American Greenback Simoleon Dollars, and he took in outside capital.

“Why? And also, what for?”

He laughed. “Watching you work out a problem is like watching a bulldog chew a wasp, brother. You’ve got a hell of a poker face, but when you start overclocking the old CPU, it just melts. I’ll tell you why and what for.

“First of all, I wanted to create something for Sethu. She’s never had the chance to live up to her potential. She’s smart, Marty, smart like Galit was, but she’s also technical, and managerial, and just born to run things. I’ve never met a better candidate for a CEO than she is. And I’m not young, you know that, and there’s going to be a long time after I’m dead when she’ll still be in her prime, and I wanted to make something she could grow into and grow around her.

“I’d been playing with the idea behind Trustless since the early 2000s, when Microsoft released its first Trusted Computing papers, all the way back in the Palladium days! So Sethu and I hung up a whiteboard in the guest room and started spending a couple of hours a day in there. I didn’t want to bring in anyone else at first, first because it seemed like a hobby and not a business, and hell, every cryptographer I know is working seventy-hour weeks as it is.

“Then I didn’t want to bring in anyone else because I got a sense of how big this damned thing is. I mean, there’s about two trillion in assets in the blockchain today, and that’s with all the stupid friction of proof-of-work. When we lift the shackles off of it, whoosh, we’re talking about a ledger that will encompass more assets than the total balance sheets of twenty or thirty of the smallest UN members . . . combined.

“You know me, Marty. I don’t believe in much, but when I do believe in something, I’m all in. All. In. And so I brought some people in.”

“What for, though? Danny, how much of your Keypairs jackpot did you manage to blow? How much money could you possibly need, and for what? Are you building your own chip foundry? Buying a country?”

“We actually thought of doing both of those things, you know, but decided we didn’t need the headaches. The Keypairs money’s only grown since I cashed out, thanks to the bull runs. I can’t spend it all, won’t be able to. It would sicken me to try, because I’d have to be so wasteful to even make a dent in it.

“The reason I went for outside capital wasn’t money, it was connections.”

I groaned. Every grifter in private equity and VC-land claimed that they had “connections” that represented value add for their portfolio companies. The social butterfly market was implausible on its face, and in practice, it was just a way of turning cocktail parties into a business expense. “Come on, Danny, you know people already.”

“Not these people.” And he did the thing. He looked from side to side, up and down. He turned off his phone and held his hand out for mine and carried them both to the little step next to the water feature and set them down on it so they’d be in the white-noise zone. He came back, looked around again. “I got signing keys for four of the most commonly deployed secure enclaves.” He looked around again.

“I think I know what that means, Danny, but maybe you could spell it out? I’m just a dumb old accountant, not a cryptographic legend like yourself. And for God’s sake, stop looking around. I’ll let you know if I see anyone sneaking up on us.”

“Sorry, sorry. Okay. The secure enclave gets a program, runs it, and signs the output. The secure enclave’s little toy operating system says that it does this reliably and without exception. You see a signature on a program’s output, you know the program produced it. That toy OS, it’s simple. Stupid. Brutal. Does about six things, very well, and nothing else. You can’t change that program. Secure enclaves are designed to be non-serviceable. Even taking them off the mainboard wrecks them. You get them into a lab and decap them and hit them with an electron-tunneling microscope, you still won’t be able to recover the signing keys or force a false sig.

“But if you have the signing keys? You can just simulate a secure enclave on any computer. Then you can run any operating system you want on it, including one that will forge signatures. You do that, and you can falsify the ledger. You can move unlimited sums from any part of the balance sheet to your part of the balance sheet. You can jackpot the whole fucking thing.”

I blew out air. “Well, that seems like a defect in the system, all right.”

“It can’t be helped. We call it Trustless, but there’s always some trust in a system like this. You’re not trusting the other users of the system or the company that made the software. You’re trusting that a couple of leading manufacturers of cryptographic coprocessors and sub-processors, companies with decades of experience, will maintain operational security and not lose control of the keys that their entire business — and the entire business of all their customers and their customers’ customers — are dependent upon. You’re not trusting the other users, but you’re trusting them.”

“And yet,” I said, looking over at Sethu, who was painting away and performing an excellent simulation of someone who wasn’t eavesdropping, “you found someone willing to sell you some of those keys.”

“Yes,” he said and gave me a calm, no-bullshit, eye-to-eye stare. “I did. It’s useful to have those, especially when you’re first kicking a new cryptocurrency around. You make a smart contract with a bad line of code in it, you create a bug bounty with an unlimited payout. So in the early days, when you’re figuring this stuff out, you do a little ledger rewriting.”

“You do rewriting on a read-only ledger that no one is ever supposed to rewrite.”

He rolled his eyes. “Ethereum did it early on, moved fifty mil in stolen payout from a bad smart contract out of the crook’s account and back into the mark’s account. No one made too much of a fuss. I mean, the immutable ledger sounds like a great idea until someone no stupider than you gets taken for fifty mil, and then rewriting the ledger is just sound fiscal policy in service to fundamental justice.”

“But Ethereum told everyone they were doing it. Sounds like you did it all on the down low?”

“We were early. No one was even paying attention. All we wanted was a ledger whose early entries weren’t an eternal monument to my stupid mistakes as I climbed the learning curve.”

“Fine. Vain, but fine. Still, getting those keys meant a lot of power for a little reputation laundering.”

He sighed and looked away. “Yeah. The thing is, I’m not the only one who makes mistakes. We are aiming for trillions secured on our chain. Trillions, Marty. Ten to the twelve. It’s an unforgiving medium, and the stakes are high. The Ethereum lesson was clear: a couple of divide-by-zeros or fence post errors, a single badly typed variable or buffer overrun, and the whole thing could sink. I needed an eraser. Not on day zero but well before I attained liftoff.”

“Every hacker builds in a back door, huh?”

“Don’t call it that. Call it an Undo button.”

“Okay, then. An Undo button in a system whose cryptography is supposed to prevent undo at all costs. But not a back door.”

“You, my friend, are too smart. I miss the days when forensic accountancy and security engineering were distinct fields. ” “Me, too, pal. So what happened? Your keys took a walk?”

Tomorrow (Apr 21), I’m speaking in Chicago at the Stigler Center’s Antitrust and Competition Conference. This weekend (Apr 22/23), I’m at the LA Times Festival of Books.

#pluralistic #fiction #technothrillers #crypto means cryptography #crypto #cryptocurrency #books #serials #martin hench #`red team blues

18 notes · View notes