Crypto makes security tangible. When an account is hacked, the funds are withdrawn right away.
Not all hacks have pecuniary motivations. National security hacks are in a different class.
Still, the capture-the-flag aspect of crypto — where an attacker has a strong incentive to instantly use the private keys, lest funds are moved — is a sharp contrast to silent compromise.
Still, the capture-the-flag aspect of crypto — where an attacker has a strong incentive to instantly use the private keys, lest funds are moved — is a sharp contrast to silent compromise.
You know who isn't good at security? Government IT developers.
You know who needs to constantly think about security? Crypto developers.
The predator/prey aspect of crypto security is creating a generation of engineers who know how to harden systems. digitalguardian.com/blog/top-10-bi…
You know who needs to constantly think about security? Crypto developers.
The predator/prey aspect of crypto security is creating a generation of engineers who know how to harden systems. digitalguardian.com/blog/top-10-bi…
From this vantage point, ransomware is just a symptom of the partial crypto-ification of the world.
The vulnerabilities existed, it just made them visible.
But if all *valuable* code & data goes on-chain, then ransomware doesn't work. It'd have to compromise a hardened chain.
The vulnerabilities existed, it just made them visible.
But if all *valuable* code & data goes on-chain, then ransomware doesn't work. It'd have to compromise a hardened chain.
Size (imperfectly) measures security.
The higher the market cap of a true* public blockchain, the larger the bug bounty on it. All else being equal**, you'd expect smart contracts on more valuable chains to be more secure.
* decentralized with real private keys
** it's not yet!
The higher the market cap of a true* public blockchain, the larger the bug bounty on it. All else being equal**, you'd expect smart contracts on more valuable chains to be more secure.
* decentralized with real private keys
** it's not yet!
I recognize that saying "put all valuable code and data on-chain" in 2021 is a bit like saying "download 1MB of JS to run a rich web app" in the year 2000.
But hacks are here, and scalability is coming, and you can squint to see this future. csis.org/programs/strat…
But hacks are here, and scalability is coming, and you can squint to see this future. csis.org/programs/strat…
I think this is the right version of @elidourado's idea.
Blockchains exist in an environment that provides de facto cash bounties to find all the obvious security holes without catastrophic cost.
Size of market cap then **roughly** quantifies security.
Blockchains exist in an environment that provides de facto cash bounties to find all the obvious security holes without catastrophic cost.
Size of market cap then **roughly** quantifies security.
https://twitter.com/elidourado/status/1392984926300123140
The use of market cap as a **rough** proxy for security of on-chain code will get better over time, as more hacks occur.
It's also an external check, in addition to an organization's necessarily imperfect self-certification.
And it's easy to understand, even for the layman.
It's also an external check, in addition to an organization's necessarily imperfect self-certification.
And it's easy to understand, even for the layman.
You could imagine a scenario where engineers *want* to put valuable code & data on-chain sooner, in order to harden it.
A safe way to do this might be to run it in parallel with dummy data & a serious on-chain bounty. Hack it & get the funds.
Productized version of @Hacker0x01?
A safe way to do this might be to run it in parallel with dummy data & a serious on-chain bounty. Hack it & get the funds.
Productized version of @Hacker0x01?
As I think about it, the rise of public blockchains is the complete opposite of the standard government/bank IT procurement process.
Rather than "evaluate" security via cargo cult checkboxes, only use chains that have secured $100B+ for 5 years. That's what's safe for code/data.
Rather than "evaluate" security via cargo cult checkboxes, only use chains that have secured $100B+ for 5 years. That's what's safe for code/data.
The current government/bank IT procurement process selects for people who can navigate legacy bureaucratic systems. Fake security.
The public blockchain development process selects for engineers who can navigate the red-in-tooth-and-claw environment of crypto. Real security.
The public blockchain development process selects for engineers who can navigate the red-in-tooth-and-claw environment of crypto. Real security.
Cosmos (& others) already did something like this. Their Game of Zones used an incentivized, adversarial testnet.
What I'm realizing, though, is the breadth of applicability. *All* valuable code and data may eventually go on chain. Only way to be secure. v1.cosmos.network/newsletters/co…
What I'm realizing, though, is the breadth of applicability. *All* valuable code and data may eventually go on chain. Only way to be secure. v1.cosmos.network/newsletters/co…
Better ransomware than handsomeware!
Handsomeware: software selected by governments & megacorps to *look* secure, rather than actually be secure
Ransomware: exposes those issues in peacetime for relatively low cost
Samsonware: actually secure software
Handsomeware: software selected by governments & megacorps to *look* secure, rather than actually be secure
Ransomware: exposes those issues in peacetime for relatively low cost
Samsonware: actually secure software
https://twitter.com/tolmasky/status/1396110486186364930
• • •
Missing some Tweet in this thread? You can try to
force a refresh
