Blockchain Security: Why Crypto & Blockchain Are Not Security!
Crypto and Blockchain security has taken on a life of its own: what began as validated transactions is now confused with security for an entire platform. This is especially true for highly distributed IoT platforms and overall IoT security. In this episode we discuss the Blockchain Security Fallacy to outline what Blockchain is and is not.
1. During the show we discussed but didn’t have specific details on the size of Digital Wallets stolen in 2017. According to this article on Medium, the top five Crypto coins collectively represented nearly $1 Billion.
2. Also, on the podcast we referred to HTTP as Hypertext Transport Protocol rather than the correct term Hypertext Transfer Protocol.
3. Just as this podcast was being recorded, The New York Times published an article titled: Tech Thinks It Has a Fix for the Problems it Created: Blockchain. A perfect example of the type of messaging discussed in the podcast.
[00:00:17] Babak: Hello and welcome to Acreto’s Crypto-N-IoT podcast — a security huddle for All Things IoT and Crypto. I’m Babak Pasdar, Founder, CEO and CTO of Acreto. And I’m joined today by Acreto’s director of Market Research, Jennifer Perez-Harris. Hi Jenn.
[00:00:37] Jenn: Hi everyone!
[00:00:39] Babak: I feel like we’ve been so busy we’ve hardly connected lately.
[00:00:45] Jenn: I would say that’s pretty accurate. There’s so much stuff to do when you have a startup.
[00:00:52] Babak: So today we’d like to talk about the Blockchain security fallacy. There are a lot of folks out there who have this impression that Blockchain is not just validated transactions. Blockchain is not just secure transactions. Blockchain is security for the entirety of the application and the entirety of the platform. And that’s something we want to dispel in the industry.
And I’m not sure where the hype took off Jenn, but it seems like any time you see a PowerPoint these days about Blockchain, about Crypto, about some use case, there is at minimum a slide on security. Right?
[00:01:49] Jenn: One slide if you’re lucky. I mean, most of the time you’ve got people who just can’t stop talking about it, can’t stop throwing it into their marketing campaign stuff, can’t stop putting it up on their websites. People are going crazy for Blockchain security right now. It’s all over the place.
[00:02:05] Babak: Yeah. Which is good because there’s tremendous potential for this and a great number of use cases. However, we need to make sure that we recognize as an industry what Blockchain security is and what it is not.
Here’s a really interesting experience that I had – at least it was interesting to me. We were meeting with some money folks. And by the way, this prompted me to do this whole podcast and write the article. We were meeting with some money guys and we started talking about our platform. And one [money] guy goes: “But, you guys aren’t the next generation security.”
I just thought to myself — what are you talking about? I think we’re pretty next-generation. So I said, “OK, what do you consider next generation? What’s interesting to you?” He said, “Well, everyone’s using Blockchain for security. This stuff doesn’t really secure your platform — next generation is Blockchain.” And it really hit home for me right then and there that a lot of these folks are reading a ton of information, and it’s translating to Blockchain is security, Blockchain is the cure-all, right? It slices, it dices, it juliennes, and that’s a challenge.
Because it seems like there’s a lot of people not just buying into this, but they’re architecting and implementing real applications, real use cases, applications that could have impact on the organization — either their pocketbook or their existence — and potentially people’s lives.
So we want to spend a little bit of time here and talk about the Blockchain security fallacy. And hopefully, by the end of this podcast, we’ll come out of it really understanding exactly what Blockchain is, how the application of security works with Blockchain, and what it is not. And that’s a really important point.
[00:04:46] Babak: What Blockchain security is not is just as important as what it is.
[00:04:53] Jenn: Absolutely. And I think that if any person can walk away from this and say “oh I heard someone talking about Blockchain security, and no, Blockchain can’t do that” — I think that that’s totally valuable. Before somebody has something terrible happen because they used Blockchain security as the end-all-be-all, it’s up to us and hopefully others to say “Hey look — it’s not what you think it is.”
[00:05:22] Babak: Get the message out.
[00:05:24] Jenn: Exactly. Get the message out.
[00:05:26] Babak: So, let’s talk about what Blockchain is. Blockchain is data validation and it does an exceptional job of that. There are a number of different use cases for this data validation model, but ultimately at the highest level, Blockchain is validation of data and transactions. So the use cases for Blockchain, the most obvious use case is Crypto-currency, so Crypto-currency is Blockchain as a denomination, or Crypto-currency as a denomination. Let me sidetrack here and talk about Crypto, Blockchain and what they mean to each other.
So Blockchain is a form of Crypto and I’m not going to call it Crypto-currency because it’s too confusing. I’m just going to call it Crypto. So Blockchain is a form of Crypto. There are other forms of Crypto like Tangle, which is what IOTA uses, or Hashgraph, which is what Swirlds uses. Blockchain is just one subset. Under the Blockchain subset, you have coins and networks like Bitcoin, Ethereum, Ripple, and so on and so forth.
[00:07:07] Babak: Under Tangle you’ve got coins like IOTA and they position themselves as their name implies — an IoT-centric Crypto-currency. And then there’s Swirlds, which is very similar to IOTA. They are both consensus-based whereas Blockchain is proof of X — proof of work, proof of stake, proof of burn.
There’s a lot more, but Blockchain uses “proof of” to validate the transaction and Tangle and Hashgraph use a consensus model, and by consensus I mean if the vast majority of members of the network agree to something, then that transaction, or that something, is validated.
So getting back to what Blockchain security is and what Crypto security is. So Crypto serves the purpose of Crypto-currency, right? Crypto-currency is a denomination — Bitcoin, Ethereum, Ripple, IOTA, so on and so forth, they have a market value. You can use them in exchange for things or services.
Then there’s Crypto-transaction. Crypto-transaction is also a financial transaction, but it is denomination independent. So a Crypto-transaction is very much like a credit card. Think of it as a credit card, right? The difference between using Crypto for a transaction versus a credit card is that a credit card is a centralized trust model. You trust your credit card company, and your credit card company will trust you after they validate a certain number of things.
And then the vendor or whoever you’re paying it to has to trust their credit card company authorization service or bank. And that’s how the transaction works. With the Crypto-transaction, the buyer or the sender, the receiver or the seller, and the validator of the transaction don’t have to trust each other or even know each other.
[00:09:58] Babak: They probably aren’t even aware of each other’s existence. So, Crypto-transaction is a financial transaction that is denomination independent, so you can use Crypto-transactions to send Dollars, Deutschmarks, Rubles, Yen, or you can even use it to send other Crypto, like Bitcoin or Ethereum. Right.
So it validates that transaction just like a credit card, but it itself does not serve as a denomination. Was that clear?
[00:10:37] Jenn: Yeah totally.
[00:10:39] Babak: So the third use case for Crypto is Crypto-validation, and this is a non-financial validation model for data and transactions. So this essentially makes sure that the data and the transaction was validated, and it’s a legitimate transaction rather than a manipulated transaction.
I think as a good use case — you’ve got sensors in a bridge right now, and you’re measuring stress on the bridge. And you are collecting that information over some period of time, years 5, 10, 15, 20, 30, whatever, and then your organization makes decisions based on maintenance, based on safety, and so on and so forth.
The data that that sensor sends to the database can use Crypto to validate and to make sure it’s legitimate data, lest someone come out there and send bogus information that would have a safety impact, or would be industrial espionage, essentially to corrupt the data set. And once a data set is considered corrupt, all those years of data are really invalidated and lost.
So you can use Crypto to do that. And another example is the supply chain model that you hear IBM and SAP and all of those guys use, so you know — supply chain. There. I said it.
[00:12:32] Babak: So you have Crypto-currency that is denomination. You have Crypto-transaction very much like a credit card to conduct denomination independent financial transactions. And then you have Crypto-validation to validate the transaction, and it’s a non-financial. So those are three models.
Now, one of the important use cases for Crypto is that you can really tune it. I mean you know there’s a ton of coins out there and people sometimes say, “why the hell do we need so many coins?” Well, what’s interesting is you can really tune specific Crypto for specific industries. Right? So when a Crypto coin ends up being a dominant form of exchanging currency, transactions or data for a particular industry, that is referred to as a micro-economy. So the micro-economy is a very specific coin that is purpose-designed or at least everybody’s agreed to standardize on it based on the merits to that industry. And that becomes a micro-economy for the industry. Makes sense?
[00:14:14] Jenn: Yeah, so basically you’re saying that let’s say you work in the auto industry, you could have an auto industry specific coin just for that kind of supply chain or business.
[00:14:26] Babak: Absolutely. And everybody that engages in that industry could standardize on it. Right? So there’s a lot of benefit to that model. So, now we understand what Crypto and Blockchain do. Let’s talk about why Crypto and Blockchain can’t secure applications because of all the security hype out there.
So, an application, a business use case that uses Crypto consists of at least two or more exchange points. Right?
[00:15:12] Babak: So, let’s take a vending machine network for example. That vending machine network has the vending machines existing on a public network somewhere, be it in an airport or a number of airports, in convention halls, in hotels. And the vending machine sells expensive electronics, right? Like SIM cards, or SD cards and Bose QuietComfort 35s, which I actually bought out of a vending machine.
[00:15:48] Jenn: Oh, wow.
[00:15:50] Babak: My other Bose headset crashed on me and I wasn’t going to go on a 12-hour flight without one. So, cash on the barrelhead. So this vending machine essentially needs to communicate to some back-end application and a lot of times it’s many back-end components. You know, there’s servers, there’s clouds, there’s applications, there’s management systems, there’s monitoring systems, there’s authorization systems. You can have a fiat currency authorization system, you can have a Crypto-authorization system and exchange…
So, they’re out there and they need to touch a lot of stuff, as a lot of stuff would need to touch them. And then all of these applications — the servers, the cloud, the applications, the management systems, the monitoring systems, the authorization services — they have their touch points. All of these touch points that are kind of open so that people could come in and connect — these are known as an attack surface.
They represent an exposure point. They represent basically the open part of the armor so you can conduct transactions, you can move. And these attack surfaces end up being what hackers leverage to gain access to a system. So in as much as Crypto from a transaction perspective is minimally susceptible to manipulation and fraud…
[00:17:45] Babak: these attack surfaces, given enough time, are likely to not just be attacked. Let’s just assume that they’re constantly attacked, but are also likely to be compromised. And a compromise of any part of this system, be it the IoT vending machine, the servers, clouds, applications, the monitoring systems, the management network, or the authorization system, compromise of any part of the platform could give someone privileged access to much of — or all of — that application platform. So what does that mean? I know that’s what you were asking Jenn.
[00:18:35] Jenn: That’s exactly what I was asking.
[00:18:38] Babak: What does it mean? What it means is that someone could conduct a Crypto-transaction, move Crypto-currency, manipulate data via data validation, and those transactions will be every bit as legitimate because the source, the destination, the systems, all are legitimate systems; it’s just that somebody else took them over. And that’s in as much as everybody talks about how secure Crypto-currency is.
Perfect example of this is all the wallets that are stolen every year. And you know those wallets represent a ton…Do you know what the value of wallets stolen is — to date?
[00:19:37] Jenn: I’m going to go with my default which is 100 billion dollars.
[00:19:43] Babak: OK. I’m pretty sure that that Dr. Evil answer was not the right answer. I think I heard somewhere — and we have to validate this and we’ll post it on the blog — but I think it’s like it was somewhere in the neighborhood of 250 million dollars. We’ll post the right answer on the blog. But it was a lot, right? As a unit of measure, it was a lot.
So that’s what the challenge is with folks who go out there and they’re talking about Crypto-currency, Crypto-transactions, Blockchain security being security for an application, and part of the concern is that a lot of people are believing this. Right?
[00:20:43] Babak: A lot of people have become believers, so I’ll share something with you. I was talking to the CEO of an IoT manufacturer and they seemed like they were a pretty good size organization, and we talked about our platform, and he goes, “you know, our devices aren’t smart enough to be hacked.”
I’m going to let that soak in. Our device — something that uses the Internet to communicate and conduct some transaction — wasn’t smart enough to be hacked. That caught me off guard and somebody actually said that. And my response to them was “well if they’re not smart enough to be hacked maybe they’re too dumb to know they’ve been hacked”. But this guy was a believer. He believed that.
And by the way, the second part of this story is that he said, “hey, we use Blockchain to secure our platform.” Which is in and of itself an incorrect statement; it’s not a valid statement. So the concern is that there are people that are believers. These guys believe, based on all the buzz in the market, that Crypto is security.
They believe based on all the buzz in the market that they don’t need to do anything else because Crypto is that cure-all for them. And they are architecting and they are implementing, platforms, applications, expensive systems or systems that could impact an organization significantly — or people’s lives significantly — based on this perception that Blockchain is security.
[00:23:08] Babak: So, by the way, I do want to speak to another point that I hear all the time, which is “Hey, but we secure our platform with HTTPS. We use encryption.” Encryption is not security. Encryption is privacy.
At one point I was hired to do an ethical hack on a financial organization that at that time had close to a trillion dollars in funds. And they spent millions of dollars on a security system and they wanted it validated. We compromised them 139 different ways, and 136 of those ways were over an HTTPS connection. So HTTPS builds a secure tunnel that blinds the organization, blinds any of your security systems that are operating on the network, blinds anything in the middle as to what’s going on.
So a lot of times with encryption, with HTTPS, the S should really be replaced with a P: it’s not Secure, it’s Private. But that encrypted connection actually helps the hacker, and hackers hide their activity in it. So I just want to put that out there.
[00:24:41] Jenn: Wow — I had no idea. I had no idea and I think that a lot of people won’t know that either, because we’re basically all taught that you know, you hear it over and over on TV shows on the news…
[00:24:58] Babak: It is right in the name. It is right in the name. Hyper Text Transport Protocol Secure — the S stands for Secure — and it’s private. It’s not secure. So having said that, what drives all of this? And I’ve got a thesis on this. What’s your thesis on it? What drives this?
[00:25:26] Jenn: Well I can’t speak to any sophisticated thesis, just to say that the Blockchain security madness has taken over and needs to be stopped. But what is your thesis?
[00:25:36] Babak: My thesis is that marketing organizations and marketing departments for the big guys – I mean the companies that portray themselves as technology companies but they’re really sales and marketing organizations that have some tech, or you know, holding companies for acquisitions.
I believe those marketing departments see, feel and hear the buzz. I believe they want to get engaged in the conversation, which is good. It’s great because there’s a tremendous opportunity here. And they should, but I also believe that in their effort to be relevant and valid and be recognized as a leader, and to be recognized as engaged in the conversation, if not leading it, they try to take something that is extremely complex, something that a lot of people still don’t understand exactly how it works.
And they dumb it down — and I don’t mean it in a demeaning way — I’m just saying they simplify it. And through that simplification effort they end up convoluting, misdirecting, confusing, and at some point that convoluted message ends up having a life of its own. What do you think?
[00:27:26] Jenn: I think that’s 100 percent accurate. And we’re seeing that right now.
[00:27:30] Babak: So, hopefully what people get out of this conversation we’re having out of this podcast, is that there is an absolute merit to Crypto and Blockchain. It is exciting, it definitely serves a purpose, it does exactly what it has always claimed to do, but not what the hype claims that it does. But don’t look at Blockchain security as a real thing.
[00:28:11] Babak: So next time somebody talks to you about Crypto security and Blockchain security or you see the slides go up that say security, hopefully you can apply the filters of this conversation to that message.
So you can learn more about this topic by reading our blog. The Blockchain security fallacy and that’s in the blog section of our Website, Acreto.io. A C R E T O.I O.
So let’s listen to a little skit that Jenn put together for us. She worked very hard on it. It really tries to, in a fun and joking way, speak to the hype out on the market regarding what Blockchain is and is not.
[00:29:17] Infomercial host: Willie Craze Dayz here for Bloxychain, the digital security cure-all. Bloxychain is powered by Crypto and activated by a globally decentralized community. It’s industry approved so you know it works. Use it as a currency! Bloxychain’s value just keeps going up up UP! Why? Nobody knows. Maybe Goldman Sachs has a lot of it!
But Bloxychain is more than a currency. If you’re selling something, have an application, use distributed IOTs! Need to fix supply chain problems? If you conduct transactions — big transactions. Small transactions. Any transactions. Even micro-transactions! Bloxychain will secure them all.
No more dealing with those pesky firewalls, messy threat detection systems and confusing vulnerability reports. Why deal with the hassle? Use Bloxychain and don’t miss out! With Bloxychain, your applications will be hip. Your IoTs? Cool. Supply chains – fresh! Your transactions? Dare I say — Jiggy Wit it!
Bloxychain is taking the world by storm and regularly Bloxychain sells for 20,000 dollars per token.
[00:30:38] Infomercial host: But if you act now and use it as security, you can get it at the low, low price of your career. Not enough? Act now and you’ll get an ERC-20 token for a Taiwanese casino junket operator — on us.
But you have to call now. But wait — that’s not all! Be the first to secure your business and you’ll be the envy of the industry — before becoming the cautionary tale! Bloxychain is backed by a confused and turbulent industry, driven by marketing departments hellbent on making Bloxychain something it’s not. Bloxychain is the digital security cure-all. The phones are lighting up, so don’t be left out. Operators are standing by, so get Bloxychain now!
Warning: Using Bloxychain may cause compromised applications, theft of digital wallets, failed projects and loss of career leading to severe regret and jobicidal tendencies.
[00:31:36] Babak: Blockchain security, Blockchain security, Blockchain security – everybody’s going nuts for Blockchain security! Okay — we hope you enjoyed that. I think it’s time for the news now. Jenn, what have you got for us?
[00:31:44] Jenn: So, question of the day — Can Blockchain security solve voting issues?
Ever since the 2016 US election debacle, a lot of people have been looking for ways to improve the U.S. voting system. Too many factors have led to mistrust, and this includes problems with paper ballots and electronic voting irregularities and a lot of other issues.
So, now the Department of Homeland Security, some political groups and a number of ambitious startups are taking this issue head on.
Here’s their plan. With Blockchain, people will be able to see exactly who they voted for while remaining anonymous. Everyone gets their own key and hypothetically speaking, there will be no more meddling or funny business.
[00:32:37] Jenn: Interestingly enough, Blockchain is already actively used for voting in Iceland, Estonia and Denmark — even Sierra Leone. And not to be left behind, there’s a startup in Boston called Voatz and they just got 2 million dollars in funding for their Blockchain-based voting system.
Now they’re testing it in smaller venues like town halls, and they claim that 75,000 ballots have already been successfully cast using their system.
So, coming soon to a voting booth near you: Blockchain? Maybe.
[00:33:14] Babak: Interesting. It’s definitely something we need. What else?
[00:33:22] Jenn: Now we have a Japanese public utility that is using IoT, Blockchain security and Crypto-currency security. So IoT for utilities is valued at roughly 12 billion today and forecast to grow by 2020 to — guess how big?
[00:33:44] Babak: 25 billion?
[00:33:47] Jenn: Try 40 billion. And utility companies for a while now have been promising a future where customers can pay their bills over IoTs using Crypto-currency.
So, now we have a utility company in Japan that is actually test-bedding the platform to do this. Chubu Electric Power — say that 15 times fast — is Japan’s third largest utility company and they’re working with an IoT startup to allow customers to use Crypto-currency as payment for charging their electric cars. Now they have developed a proprietary network protocol called the lightning network for this effort.
And one can say they’re charged up about the technology.
[00:34:35] Babak: Oh, God. You didn’t just do that did you.
[00:34:37] Jenn: I did. Proudly. We’re starting to see more and more practical applications for IoT and Crypto.
[00:34:46] Babak: Yeah, that part is really exciting because IoT and Crypto have been such science projects for so long and it’s really, really good to see people applying it to real business use cases to fulfill their potential. Good, good. What else?
[00:35:09] Jenn: All right. So now we have a cool story here about mind control. So mind control is finally here. Thanks to AI, IoT and Blockchain, mind control is turning out to be more than something you see in superhero movies now, Babak. Today, new technology from a company called Neurogress allows stroke victims to use their thoughts to control artificial limbs.
So Neurogress is using artificial intelligence, IoT and Blockchain to tell body parts how and when to move.
It all starts with a wearable neural control device that looks like a set of headphones, except probably more expensive. Neurogress uses Blockchain to validate and recognize mind commands without having to intrusively place sensors inside the brain — which makes total sense because can you imagine having to undergo brain surgery after having dealt with a stroke?
[00:36:10] Babak: It really reminds me of all those days when my brothers used my own hand to hit me and say “you’re punching yourself!” I guess this adds a whole new meaning to hacking a limb.
[00:36:28] Jenn: Yeah. Let’s hope that the people that use this use it for good.
[00:36:30] Babak: Well see, that’s the thing about security. There’s no hoping – you have to be proactive and take the lead on it because people will want to do bad things. Didn’t you see Homeland, where the vice president’s IoT pacemaker was used to bring about their demise?
[00:37:00] Jenn: Well yes, I’m a big fan of that show and that’s one of my favorite episodes. Yes — that is probably a cartoon villain version but not too far from the truth. So Neurogress’s AI system will process information from an individual user’s mind, send it to an IoT-enabled device via a Blockchain command, and turn thoughts into action. Neurogress says they’ve tried it on a prosthetic and it works, but it would be really cool to see this work for the masses.
[00:37:31] Babak: That is actually exciting because you know when you look at veterans, people who have lost limbs, it really has a huge impact on not just their lives but the life of all the people around them. So this is so super exciting to see something like this and at the same time it seems like you have to really, really approach this with a lot of caution, a lot of care, especially in the realm of security. Because if somebody takes over — I mean I could just see somebody taking over somebody else’s arm and having the arm do something that the person didn’t want done. And you could see the spectrum of scenarios but, cool! This is really exciting to watch.
[00:38:32] Jenn: That’s it for this exciting week of IoT, Crypto and Blockchain security news.
[00:38:37] Babak: So that’s it for our show. Stay tuned for our next podcast on IoT versus enterprise security. Be sure to sign up for updates on the Acreto.io website, on Twitter @Acretoio, and on Medium at medium.com/acreto. Thank you for joining us. On behalf of Jennifer Perez-Harris, I’m Babak Pasdar and we’ll catch you on our next podcast.
About Acreto IoT Security
Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.