Thursday, December 5, 2013

Attack Surface

I'm sure this phrase, or a variant of it, has been around for some time, but I only recently heard it. Maybe three or four times in the span of as many weeks.

According to the internet, an attack surface is a software term of entry points to a program or system that either a program or black-hat hacker can utilize. The earliest citation I can find for the phrase goes back to 2004. I'm sure it has been used before this, but the concept of attack surface is about four billion years old and dates back to the development of the cell and its membrane. Think of all the methods of exploitation used by life: either through brute force penetration by viral bacteriophages, or entry through a protein channel, or corruption or dissolution of a transmembrane protein, or disassembly of the cell wall itself. Each in turn has some software equivalent - or soon will.

Perhaps a better way to think of an attack surface is not from the defender's point of view (one has to assume some vulnerability always exists), but rather the amount of effort required for each attack method. In which case, we have something more akin to an aggression vector, or an aggression tensor, where the amount of work done is taken into account in attacking entry points.

Which gets me to bitcoin. Everyone and his uncle seems to be obsessing over the value of this, what with all the frothing going on right now. But bitcoin isn't really what this is about is it? It's the bitcoin wallet that is important.

You know, at first, I was a little annoyed by all the bitcoin mining, because I knew that eventually the egalitarian nature of the enterprise would become subject to the Pareto distribution - those who aggregated first, or who had resources and capital first, would win out over the little guys. As I understand it, a bitcoin is "mined" by the number of hashes (a computer operation) it takes to solve a cryptographic algorithm, the number of which increases with value (the difficulty increases as the value increases). If you've been paying attention, you'll notice that the value has increased exponentially lately, and thus the computing power required to mine coins has increased commensurately.

People have pointed out the insane amount of energy, hardware, and specialization that has taken place in the effort to mine bitcoins. Yes, it's a waste, but once I thought about it for awhile, I said, eh, so what? I mean, how much energy, hardware, and specialization has been spent on video games, or bad movies, or professional sports?

It's not like all that computing power could have been used to crack any number of intractable problems, or used as Monte Carlo simulations for controlled fusion, or cancer research, or studies of the brain, or reducing poverty, hunger, disease and want... or any of the thousands of much more worthwhile scientific endeavors that exist, because, you know, Freedumb!

And I don't care that economists and banker and financial types are wasting their time and wringing their hands over bitcoin. It's just another commodity, ultimately nothing more than a different form of physical information, frozen CO2 and human ingenuity, a result of the combustion of fossil fuel and fossil oxygen, and you would be hardpressed to make it any more than that without human symbolism and meaning. (And how many commodities - other than food - are really truly important for human existence)?

Yeah, but Freedumb! the hackers and libertarians and other impractical types cry. The biggest problem, they say, is that the governments will attempt to control this and any other form of crypto currency. Eh, and so what? Is that really the problem?

No, the problem of the attack surface of bitcoin, which Satoshi Nakamoto* himself pointed out on the very first page of the technical  paper he wrote about bitcoin, is:
"The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes".
There you go.  If enough corrupt wallets are out there, bitcoin will never be an instrument of freedumb!.

Time for a redesign? And a little bit of tweaking, maybe?

Remember folks, NOTHING is ever done right the first time.


* "Who is Satochi Nakamoto?" might be the new "Who is John Galt?" which, honestly, was congenitally stupid from the get-go.

No comments:

Post a Comment