First, they came for the crypto bros, and I didn't give a fuck about them because I assumed everything they were doing was wrong & illegal (despite critical advances made in open source computation at scale using encryption for integrity & end-user private key mgmt) #infosec
I'm writing this for my #infosec/#privacy audience who I hope will foresee the slippery slope between applying global sanctions to an individual vs. an audited, open source protocol, published as public contracts on a permissionless, decentralized blockchain/global state computer
They state: "The (criminal) origin of the cryptocurrencies is often not or hardly checked by such mixing services"
Except that isn't quite true, as Tornado Cash's frontend applied checks for sanctioned addresses against Treasury's OFAC list using the Chainalysis oracle as of April 2022 following the news that OFAC had traced the Ronin Bridge hack's funds to DPRK.
They also implemented a "compliance tool" in mid-2020 (<1 yr after launch) which allowed people to de-anonymize their transactions, proving source of funds, so long as they were in possession of the original private note.
This is all much too late, since DPRK was able to launder more than 5,505 Ether this way as of May. In reality, this sanctions move comes so late, it can only really serve as deterrence. DPRK's Lazarus Group already got a lot of what they wanted coinspeaker.com/ether-ronin-ha…
Unfamiliar with Lazarus Group? Let's just say they have a reputation.
They were placed on the sanctions list in April 2022 along with many of the aliases which have been given to them by various agencies, cybercrime investigators, and security companies
They've been referred to by security companies as a "scourge" which has been "responsible for some of the largest cyber attacks worldwide" (@NCCGroupInfosec).
@MITREcorp states "some security researchers report all NK state-sponsored cyber activity under the name Lazarus Group"
US Gov's own advisories about this actor via @CISAgov go all the way back to 2017's WannaCry attack which was propagated using EternalBlue, a severe Windows exploit previously stolen from the NSA & leaked online by The Shadow Brokers (Russia?)
Anyway, I'm giving you all this context (assuming you aren't an #infosec follower & already know it!) so we can contextualize this new move to sanction a contract (code, not an individual), as a legitimate method used to combat illicit financial flows/deal with belligerent states
--but with mostly unknown (and so far harmful) geopolitical/legal ramifications for people involved with open source code which protects privacy to the current exclusion of law enforcement.
These actors are well understood, with companies like @Mandiant providing detailed reconnaissance given their vantage point of responding to these incidents quite regularly.
Mandiant's conclusions about why DPRK continues with increasingly sophisticated cyber heists align with DPRK's global isolation, the current geopolitical environment, and placement on the sanctions list of wallet addresses/contract addresses which are associated with Tornado Cash
I think sanctions against the Tornado Cash protocol can be understood as a desperate defensive salvo in a war that has been going on for a long time, with the TC devs/community being caught up due to DPRK drawing attention specifically to their open platform.
@chainalysis about large rise in mixer usage by the North Korea-linked cybercriminal groups (July 2022):
It should also be said that you shouldn't taunt @USTreasury in the media or they might actually do the thing you said they can't do bloomberg.com/news/articles/…
Firms like @chainalysis still can't "demix" (de-anonymize) funds blended thru next-gen mixers like Tornado Cash due to their zk-SNARK implementation, so the recommendation has to be to tackle these issues via policy means. Hence sanctions which indiscriminately affect licit users
But to a certain extent, that dev was right.
It's pretty tough to do a unilateral or multi-lateral takedown of an immutable, distributed infrastructure in the manner to which the government has become accustomed.
Anyway, privacy is good, but also stopping petty ass loser Kim Jong-un from getting weapons, nukes, resources, etc is also very good and commendable.
More than 40% of the flows sent to TC are provably from illicit means.
The tech community can unite to develop solutions to these problems, but only if we agree to face the hard discussions about dealing with cybercrime with serious geopolitical impact as well as the "hard line" we need to have with regard to privacy for all without backdoors.
Nickname: free form text field
Headline: free form text field
Gender: radio selection 🙄🙄
Appreciate the ability to express myself, @Yelp, thank you! 🙄
But why, though? Surveillance capitalism (data collection, profiling, and advertising dollars) says that if the company can further segment people to target them with expensive shit for queer folk to buy, that's an ideal scenario for them.
Absolutely fascinating how the average white collar (individual contributor) worker is strongly incentivized to keep quiet about any problems in the workplace because the mere act of reporting a negative situation starts the process which will inevitably culminate in their firing
The only people who don’t know this are those who are naïve, or those who have already decided that the unknown, but likely-negative personal costs associated with speaking out about an issue are more valuable than the potential workplace drama and job loss
Income stability is more important for those with more to lose, so the more you climb up the chain, and the more power you’re supposed to have to influence your org for the better, the more entrenched you are—and even less likely to speak out about anything at all
Men, the death trial is not to be taken at face value.
If you think it’s just another celebrity culture thing, you haven't been paying attention to our changing culture which is stripping women of care, rights, autonomy, & now, even our ability to speak out about our abuse.
Every day there’s a bit more. BTW, one of Depp’s lawyers on this trial (not with the main firm) also represented Foreign Minister Lavrov, sanctioned oligarch Deripaska, & Julian Assange. The latter might seem unconnected, but he pops up when Russians are mentioned for good reason.
Threat of well funded corporate litigation limits the press’s ability/desire to report on issues affecting the public. Writing critical stories about Big Tech is quickest way to lose privileged media access to otherwise opaque tech co’s, disincentivizing investigative journalism.
Basically, the larger and stronger the company, the less likely we are to learn the facts about its negative effects on the world, limiting our collective and individual abilities to do anything about these harms.
Do you see how being responsible for the protection of corporate intellectual property, strategies, plans, systems, etc. at a major corporation, especially one repeatedly accused of wrongdoing, can be problematic?