The Back of the Envelope (a blog)

Facebook’s new 10-digit security hole

On Friday, we learned:

In so doing, Facebook has just created a massive security hole which exposes every single one of its users to life-alteringly shitty hacks. I’m frankly astonished nobody internally at that company thought about this before pushing this feature.

“What’s the issue?” I hear you ask. The issue here is that your average workaday user who is even a little security minded will not only use their cell phone to do two-factor authentication for their Facebook login, but will also use the same cell phone for every other two-factor login or password recovery system they have, including, for example, their e-mail account or their bank. This is not an intelligent approach to security, as using cell phones for two-factor authentication is, to put it mildly, not even remotely secure.

“How so?” You inquire. Well, the answer is because cell phone companies are run by idiots when it comes to security, so even if you leave specific instructions with your provider to not port your SIM without a PIN and photo ID, smooth-talking criminals can still convince telco employees to do it anyway, with the result that the crook obtains control of your phone number – and can receive any communications sent to it.

This is not a theoretical problem. Cast your mind back to mid-2017, coming off the back of the Bitcoin boom. One day, I get a really weird Twitter message from my friend @twobitidiot, aka Ryan Selkis, asking me if I can lend him some Bitcoin.

Now, as Ryan knows, I am probably the filthiest nocoiner – i.e. non-Bitcoin investor – in existence, in large part because (a) when I got into crypto I was poor and young and (b) 100% behind permissioned blockchain implementations, which the startup I co-founded invented. Investing in shitcoins would have been uncouth, a betrayal to my most deeply-held values and firm belief that global, systemically-important financial institutions love us and want us to prosper.

I was naturally suspicious of his inquiry. I had good reason to be:

This story was repeated over and over again last year. People got their phone numbers ported. The hackers logged in to all of their accounts. The hackers took all of their stuff. Lather, rinse, repeat.

Nobody has really gotten to the bottom of how these phone numbers were ported with such laser-like efficiency. Personally, I think Facebook’s service played a part. At the time, I remember that I and others were getting bombarded with friend requests from slick-looking fake CEOs with good hair claiming to helm fake startups in SE Asia. As a general rule, I don’t add people on Facebook who I haven’t met. Other people do, and a slick CEO of an edgy tech startup is a great person to make friends with, especially for folks in crypto looking to expand their networks. As these friend requests rolled in, they began to look increasingly credible as more and more crypto people I know appeared to be “friends” with these accounts.

Meaning that if crypto people had posted their cell phone numbers as “friends-only” or “friends of friends” on their accounts, the fraudsters had their numbers, too, and could start creeping their way towards the bit/shitcoin hoards these people were thought to hold on crypto exchanges and the like. This is some serious business.

internet-serious-business

Which brings us to the problem of Facebook making cell phone numbers searchable by default, even to a user’s friends only or “friends of friends,” even when the user wants to keep their phone number private (the “only me” setting). (Edit: the cell phone lookup is set to be shared with “everyone” by default, which is crazy; not that the most restrictive, friends-only, search function is protective enough, since fraudsters can and do find their way onto “friend” lists.)

Due to this, to be blunt, Facebook’s new search feature will allow fraudsters to use Facebook to verify the identities of cell phone subscribers, even where Facebook users have locked down their cell phone numbers on their profiles to avoid this very outcome. In permitting anyone to search cell phone numbers, Facebook has compromised the security of every individual user of its service in the name of convenience.

All someone needs to do, conceivably, to exploit this new “feature” from Facebook is to punch in random cell phone numbers until they hit paydirt and discover a corresponding identity. If the user isn’t particularly security-minded, they’ll have birthdates and addresses publicly viewable, too. After the target is identified, the hacker simply calls up the user’s cell service provider, and social engineers a SIM port. Boom. All SMS-based 2FA that person used with that number, on any service, is now compromised. Including the 2FA for the user’s Facebook account.

There are a couple of solutions a Facebook user can adopt, in the meantime, to help ameliorate this issue. One option is to remove your phone number and not use SMS 2FA, or switch to a service like Google Voice that is not susceptible to social engineering. Another is lock down the settings to the extent you can (searchable to friends-only) and hope that (a) your friends don’t get hacked and (b) that you haven’t friended anyone accidentally who is a hacker or a fake, which – at least for some of my buddies in crypto – is a day late and a dollar short.

What these solutions share is that most of Facebook’s userbase is blissfully unaware of the risks of SMS-based 2FA, so they won’t take these measures or won’t implement them effectively.

I’m pretty sure I’m not wrong about this, but if I am, I’ll be happy to discuss it on Dissenter. It strikes me that the engineering boffins over at FB are – not being cryptogeeks – almost totally blind to the risk they’ve just created for hundreds of millions of users as a result of SIM porting. It also strikes me that the best way to address that risk is to kill the feature.

After they do, we all need to seriously re-evaluate our relationship with any interactive service that asks us for our mobile phone numbers before we can use it, if a company of Facebook’s size can make an error so elementary that a lawyer who can barely program “hello world!” in Python picked up on it, but all their engineers and security professionals didn’t.

Ethereum is (arguably) doomed to be centralized

I will preface this blog post by saying that my aim here is to set out and list some suggestive, not definitive, evidence I see of increased centralization in the Ethereum ecosystem. It sets out a hunch, not a mathematical proof. If you disagree with my opinion, that’s your prerogative. If you want to convince me otherwise, go dig up the hard data and prove me wrong.

So. Is Ethereum centralized? Isn’t it? The answer, I suspect, depends on who you ask. In the spirit of generating debate, recently I have tweeted about the increasing centralization seen in the Ethereum cryptocurrency ecosystem. See, e.g., the following hard-hitting and dynamic, yet tender and, somehow, ineffably, heartwarming contribution of mine to the corpus of Twitter crypto literature:

Ethereum people were none too pleased:

For those of you who are annoyed with me for this series of tweets, please understand two things.

First, when I start referring to the legendary feats of exploration undertaken by the Marmot Star Empire, that’s generally a good sign that I am pulling your leg.

Second, the blanket assertion that Ethereum is a decentralized system, accepted as gospel by most of the Ethereum ecosystem is, at the very least, arguable. There might have been a time in the past, say 2015-16, where the network could have tolerated the loss of a large number of rank-and-file nodes, selected at random, without much of an impact on the network’s overall functioning. Today that is no longer true.

I would have eventually sat down to write a blog post on the subject but, very fortunately, Twitter user @PaulApivat took the time to read my tweets and summarized them for me in his very considered reply which we should all read. Paul more or less boils down the “Eth is centralized” argument into five pillars:

  1. Ethereum is reliant on a handful of private companies to survive.
  2. Block reward cuts can be agreed seemingly without objection.
  3. Tokens likely remain in few hands, and accordingly so is ecosystem influence.
  4. Three entities can collude to reduce mining rewards.
  5. Infura dominates the market for node infrastructure available to developers.

Which I would, if starting from scratch, condense down to four:

  1. Tokens. The pre-mine looks suspicious as hell. Concentration of large amounts of Ether wealth grants the holder of that wealth outsize influence over the supply of the coins that can be brought to market, including the ability to crash the currency. As put by Muad’dib, “the power to destroy a thing is absolute control over it.”
  2. Nodes. The fact that Ethereum has not solved scaling means that centralized service providers, currently Infura, exercise outsize influence over node infrastructure. This is because an archive node now pushes 2 TB in size. The fact that everyone relies on Infura for the system to work, combined with the inability of core devs to find credible scaling solutions, means node counts are falling quickly – and the result is effective centralization in Infura’s hands (which at the end of the day is really just repackaged Azure). (Note, failure to solve scaling is in the interests of the centralizers as it favors them ergo they don’t care about finding a solution. Perhaps this is an accident, perhaps not, but it’s difficult to say for sure from outside.)
  3. Clients. There are 13 (or more), but the vast majority of nodes run one of two (Geth or Parity).
  4. Too-easy alignment of interests and too-rapid decisionmaking. Major changes like adjustments to mining rewards – changes which would be anathema in other, more longstanding competitors like Bitcoin – are quickly agreed with no objections on the part of major ecosystem players. A lack of public disagreement for changes on that scale makes it likely that those changes are informally agreed before they are formally proposed.

So is Ethereum centralized or decentralized?

I don’t know. But then again, neither do the folks who vociferously assert that Ethereum is the great, decentralized World Computer.

Setting definitional problems to one side (what does “decentralized” actually mean?) I think it is still possible to have a productive discussion about this system based on the commonly-held understandings of “centralized” and “decentralized” among cryptocurrency users and observers.

Earlier in my career, I did a stint in anti-trust litigation. During that time I learned that collusion, where it occurs, is not always apparent to the end-consumer, and is, every single time, informal and unwritten.

The evidence, as I see it, raises red flags that there may indeed be a lot more centralization in the Ethereum ecosystem than anyone realizes.

This will be an unpopular view, especially among Ethereum people, many of whom are my friends. I do not care. Nobody owes the Ethereum ecosystem an obligation to take Ethereum cheerleader-marketers at their word when they tell us that Ethereum is decentralized, or when they say that Ethereum is capable of delivering on promises which assume that Ethereum’s approach to decentralization both works today and is capable of scaling up in the future (see e.g. garbage claims like those made for Plasma, a layer 2 solution endorsed by Vitalik and oft-touted by boosters which claims to enable “billions of transactions per second”).

Screen Shot 2019-01-18 at 3.20.34 PM.png

Truly outrageous claims have been made for Ethereum over the years. The claims are so numerous and diverse that a complete exposition of them does not bear repeating here. But extraordinary claims require extraordinary evidence. And at the moment, even Ethereum’s most basic claim – that it is “decentralized” – should be considered at least somewhat in doubt. Only

  • hard-hitting analysis aimed at determining whether collusion has occurred or is occurring in relation to major proposed protocol changes,
  • transparency over the extremely mathematically sketchy pre-sale process,
  • an honest discussion about the fact that Ethereum can’t handle anything approaching normal daily user traffic for a mediocre web app, and
  • more honest discussions about Ethereum’s continuing failure to scale and the likely centralization that is required for Ethereum to continue operating normally under these conditions

will help us get to the truth.

In increasingly greater numbers, reasonable people aren’t buying Ethereum’s lofty pitch. If Ethereum doesn’t like that and is looking for someone to blame, it need only look in the mirror.

The holes in the map: England’s unregistered land

A fantastic introduction to registered and unregistered land in England, for the uninitiated.

Who Owns England?

Coding and writing by Anna Powell-Smith.

Around 15% of the freehold land in England & Wales is unregistered. What this means is that if you go to the Land Registry and ask them ‘Who owns this piece of land?’, they simply can’t tell you, for a huge chunk of the country.

This situation is both odd and harmful for reasons that I’ll go into shortly. Part of the reason that such a strange situation has been allowed to go on is that you simply can’t see how much ‘mystery land’ there is out there. There has never been a map that highlights how much we don’t know.

I thought it was time this was rectified. So I’m pleased to announce that I’ve built the first ‘missing land’ map, ever, for England & Wales. Please take a look and then return here to see what this all means.

What does…

View original post 1,171 more words

What do you legally “own” with Bitcoin? A short introduction to krypto-property

Knut Karnapp posed this very interesting question over on Twitter. His answer:

To me you own a part of the Bitcoin UTXO set uniquely assigned to you, and only you — by virtue of the corresponding private key. With this comes great responsibility. If you lose your private key, you lose your bitcoins. If your private key gets stolen civil law may dictate that the key itself and the UTXOs accessed by it are still “yours”. As far as the Bitcoin network is concerned though the private key grants power of disposition to whomever is in possession of said key.

That’s a solid answer from a de facto point of view, where continuing knowledge of the private key basically == what most people commonly refer to as control, or ownership. From a workaday transactional standpoint I basically agree with it wholeheartedly. De jure, on the other hand…

It Depends

“Ownership” is more than mere control; it is a legal concept and law is a local phenomenon. Accordingly, when you ask yourself whether and how something is owned, it’s generally a safe assumption to begin, in the first instance, by looking at the governing law of the asset and asking what that governing law says.

With certain things, like securities, the governing law of the issuing jurisdiction/entity and the governing law of the instrument (if different) are likely to be dispositive. International bearer securities, e.g.,  utilize well-worn issuance frameworks like the New Global Note structure, which divides up legal and beneficial title in the underlying security by contract in a manner that is highly certain and leaves little room for ambiguity. With real property (an apartment, a house, some land) you usually look to the law of the situs as the starting point for that inquiry. Generally speaking it’s the same story for chattels, save where ownership of those chattels is represented by a certificate of title or the like.

The problem with Bitcoin, of course, is twofold.

First, Bitcoin does not avail itself of existing categories of property, like chattels or instruments; indeed, it defies them in many respects. As a consequence, any contractual or systemic understanding of the thing – to the extent one exists at all – is going to be implied, and seeing as courts haven’t really grappled with foundational questions about what Bitcoin is, we don’t know what that implication will look like. The best we can do for now is guess what the boundaries of that implication, once set down in writing, will be.  We will call this the Classification Problem.

Second, a bitcoin does not really have a physical location, and is a fundamentally global good – it exists on every computer which runs a full node, and is arguably issued everywhere and nowhere at the same time.  But the Classification Problem will be determined by reference to local, not global, rules. We will call this the Forum Problem.

Bitcoin-as-math-problem

The “Forum Problem” is a simple one; Bitcoin has no identifiable origins, no clear home, so each different country/jurisdiction in which litigation over Bitcoin is brought (in the case of the U.S., the states and the various federal jurisdictions) will feel entitled to apply its own rules to the asset. For the majority of commercial arrangements, harmonization can probably be achieved by choice-of-law clauses among the counterparties to the transaction.

The “Classification Problem” is where things get more interesting. Here we ask what rules each jurisdiction would apply if some litigation arose which involved fundamental questions about the nature of ownership as it pertains to Bitcoin the asset. Usually, those fundamental questions are not in dispute in the kind of workaday litigation that comes before the courts. Courts take judicial notice of who owns what bitcoins based on the facts of the case; Alice sold some bitcoins to Bob, there are no competing claims to the bitcoins and the question is whether one of the parties reneged on the high-level commercial terms of the deal.

What hasn’t happened yet, and what invariably will happen as more and more cases  hit the courts, is that someone will ask the question, “what property classification do we apply to Bitcoin – WTF is it that Bob actually owns?” This is because, at its core, a bitcoin is really, in its purest essence, only a solution to a randomly-generated math problem. Because the problem is very hard, the combination of a UTXO plus the ability for a recipient to spend it, armed with the knowledge of the relevant private key, is treated by most of us today as property. That “property” creates a write permission on a massively distributed cryptographic ledger which nobody controls, although control of that write permission can be transferred to other users of that database by spending the associated coins to those other users.

Because the secret embodied by a private key one does not know is very difficult to obtain – and impossible to obtain on a commercial timescale with existing technology – people call Bitcoin a “digital bearer asset.” Bitcoin is most assuredly not a bearer asset or chattel, though. Nor is it a documentary intangible, as it is not a contract and is silent, apart perhaps from the provisions of the MIT Licence, as to what a court should do when presented with one (more on that below). Unlike physical goods which can only exist in one place at one time, it is conceivable that with a powerful enough computer, the solution could be found entirely honestly by a third party simply doing some math and stumbling upon the answer at random, or by asking the right questions and exploiting some as-yet-undiscovered weakness in the implementation.

Screen Shot 2018-11-25 at 10.41.12 AM
For example. Courtesy of Hacker News

Bitcoin might, therefore, be better described as a digital I-know-something-you-don’t-yet-know asset. “Yet,” because the information is not secret (in the same way as a trade secret, e.g.) or impossible to ascertain; it’s out there waiting to be ascertained by someone clever enough, or a computer powerful enough, to figure it out. The term “cryptoasset” that is cavalierly thrown around by your  garden-variety ICO bro inadvertently turns out to be an accurate description for this new class of ownership. Lawyers wishing to confer dignity on the phrase might call it “crypto-property” instead.

If we really wanted to make it our own and de-emphasize the “there’s a lot of cryptography in this thing” aspect of Bitcoin, which is not legally relevant, in favor of an laser-focused emphasis on exclusive knowledge of the secret key as being dispositive for control and highly relevant for ownership, I might suggest the radical step of changing the spelling of the prefix to “krypto,”  per the original Greek κρυπτῷ, so we’re left with krypto-property.”

Contrasting approaches between England and the U.S.

Who owns the solution to that really hard to solve, but solvable nonetheless, math problem? I ask this question, which seems like an obvious or even pedantic one, only because I am fairly certain that the world’s two largest common-law jurisdictions – England and Wales, and the United States – would reach different conclusions.

Now, of course Bitcoin is treated as various things by various agencies of the state – most significantly, as “property,” by both the IRS (American taxman) and HMRC (English taxman). But that doesn’t answer the question of what kind of property the stuff actually is.

In England, for example, longstanding precedent has held that “the right to confidential information is not intangible property;” see Oxford v. Moss, (1979) 68 Cr App Rep 183 (a student cheating on a test by reading the answer sheet in advance could not be convicted of theft, as the answer to the test – as pure information – was not intangible property and therefore incapable of being stolen). This principle nukes the notion that a private key is worth more than the paper that you [really should not] have written it on.

At the same time, English law may have an equity, which looks a lot like a property interest in confidential information that has been misappropriated, that gives a party wronged  (i.e., for our purposes, the person from whom knowledge of a private key was wrongfully obtained) a right to restitution. Anyone looking for the detailed treatment should read the section “Information as Property” at page 1 in Palmer & McKendrick’s Interests in Goods (1998).

I wrote a fairly lengthy analysis on the English law in this area back in the day, which, annoyingly, I have since lost. TL;DR, if an attacker fraudulently obtains a private key, English law provides a a remedy, but if an attacker should stumble upon a key by accident or by brute force, it probably doesn’t. This is unsatisfactory but it’s what we’ve got.

Contrast this with the U.S. position, where the courts have found that property rights can subsist in pure information such as unpublished or recently-published news (INS v. Associated Press, 248 U.S. 215 (1918)) or straightforwardly analogize doctrines such as relativity of title as a hack/workaround (e.g. Popov v. Hayashi, WL 31833731 Ca. Sup. Ct. 2002). Incidentally, a relativity-of-title-theory approach would also solve, for most practical purposes, what the inimitable Izabella Kaminska described as “Bitcoin’s Lien Problem” in 2015; it strikes me that that theory of ownership should be fairly good fit with UTXO-based systems where one can trace title to a given coin perfectly, give notice of theft or fraud efficiently, and prove current “possession” with a high degree of precision. Crucially, it might prevent an attacker – even an accidental one – from getting superior title to the Bitcoin he obtains, as long as the courts or the legislatures decide that’s how they want to crack that nut.

Equally, and another idea I have noodled on, is that Bitcoin’s code is really the first “smart contract” in that the code embodies a binding contractual understanding among the users. However, the fact that the code can be forked by consensus of the users to say anything at any time suggests to me that a court would likely conclude that there was not a clear intention to create a contract by running the code and so might refuse to enforce a particular mode of operation on the users of the network (see e.g. Jones v. Padavatton, [1968] EWCA Civ 4). Incidentally this absence of a contractual understanding/effective ousting of the jurisdiction of the court is why Bitcoin cannot and should not be described as a chose in action.

Wrapping up, the reason that the matter of Bitcoin’s ultimate classification as property hasn’t come up yet is because, in common practice, ownership  disputes are resolved at a higher conceptual level than inquiring about the “nature of a bitcoin itself” – when I deposit coins at an exchange, e.g., it ought to be pretty clear from the exchange’s TOS that if I have a balance on the exchange, I can ask the exchange to spend an amount equal to that balance back to me on request and, if they fail to do so, I can ask a court to force the exchange to render specific performance or pay damages. A dispute of that kind, of which there have been many, doesn’t ask at what point title transferred and what the fundamental nature of that title is, because it doesn’t have to. It looks instead at the contractual obligations between the counterparties and whether those obligations were satisfactorily performed.

One could write chapter and verse comparing these two jurisdictions and their treatment of Bitcoin as an asset. That said, it’s a Friday night and I have places to be, so for now it will have to suffice to say only that the question has no answer and at some point, probably sooner rather than later, there is going to be a case that explores these fundamental issues (I am frankly shocked that Oxford v. Moss hasn’t been raised yet in any of the UK-based Bitcoin fraud prosecutions).

I look forward to reading those decisions.

Postscript

Too good not to share.