Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform. Its blockchain, the history of all its transactions, was under attack.
An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends.” The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).
Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry.
In total, hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. These are not just opportunistic lone attackers, either. Sophisticated cybercrime organizations are now doing it too: analytics firm Chainalysis recently said that just two groups, both of which are apparently still active, may have stolen a combined $1 billion from exchanges.
This is why distributed systems are terrible for things like money.
Great proof of concept, not so great when you actually need to get things done. One bad actor and everyone loses.
Well, one bad actor with over 50% of the computational resources of the entire network
Obviously more of a problem for relatively unknown currencies like Ethereum Classic(?), though apparently even those somehow manage to accumulate a value such that someone can steal $200k from a single exchange
You don't necessarily even need 51%, you can sybil attack on something like 30% sometimes.
And even then you don't have to own it, just have some sort of influence or control (viruses can help with this).
51% is just the foolproof way to do it. But even IRL outside of the blockchain, it is surprisingly easy to set up dangerous payloads and botnets without much work.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
Given the lack of crypto regulation is something like this even illegal? Assuming no hacking of other people's computers occurred would there be any recourse if the perpetrators just came out and admitted they did it?
It must be an interesting conundrum. You've got to subvert the system enough to make your money, but not too much so the currency in question doesn't tank in value. No point in magically gaining control of a coin you can't offload for some real world cash somewhere.
Yeah, it's pretty clearly theft or at least fraud.
Probably not theft because nothing was stolen. Fraud would be tricky to prove because I don't think technically anyone lost their money? They were using the double spend tactic. But it's like having the ability to create gold out of nothing. Gold still has a value regardless of it being your magical fake gold. It just brings the price of gold down as a whole.
You'd probably have a hard time proving damages to your monopoly money?
But at the time of sale it was genuine. It strikes me as analogous to buying ice from someone and trying to sue them when it all turns to water and flows away. It's on you to know that ice melts and it's on you to know that by their very nature the 51% King could theoretically be out there and make your e-coins valueless.
The 51% King didn't do anything to your stuff. He just shouted loud enough that your stuff was worthless that the rest of the world accepted his reality.
But I'm waffling from a mountain of extreme ignorance on the complexities of the situation both technically and legally.
Should be fraud.
You agreed to do a trade based on receiving a thing, and then the other party reneged on giving you the thing whilst tricking you into completing the trade by giving you a fake thing.
... Assuming they could find anyone that would do a trade by giving them a blockcoin in the first place.
Pretty hard to say it's fraud if the only thing that was received was an increase in fake wealth numbers on an exchange's ledger. The exchange could just change their fake wealth numbers unilaterally as soon as they detect the fraud for no cost.
That is, can't see it being fraud if they can't cash out lol
So much for the currency revolution.
Not really the same issue. The article I linked is a phishing scam and requires a user to download a compromised client that'll then empty out a wallet.
It seems like it might be Electrum-specific in how they use a distributed server setup to facilitate transactions, but it doesn't require the attacker to have a large percentage of the processing power.
They do some clever things to increase their server presence without actually increasing their number of actual servers.
No double spend or anything, they just jack your whole wallet using the main block chain.
Transactions are logged, everybody can see it, and yet the victims have no recourse.
I'm still mentally approaching blockchain as a solution in search of a problem, and this IBM platform seems to me like something that could be done easier in other ways. Am I wrong or missing something?
That's an accurate description of the blockchain.
A central immutable repository has potential boons for businesses that need a registry that can never change.
But the common peer to peer anarchy blockchains most people are familiar with are dangerous/shitty and don't really bring anything advantageous to the tables other than "you can do illegal things with me and the feds can't arrest you because it's essentially laundered money"
But a centralized blockchain might work in some business. Maybe something finance or healthcare related!
Here comes the trusted exchange. No word in the article if these fall under FDIC protections.
BUT WHY
If the banks can eliminate say Mastercard with (this private) blockchain then they will.
I think you still need to issue some sort of physical token to your end users though, and the banks have outsourced that to Visa/Mastercard, so...
No idea really.
For example, blockchain would work well for systems where a chain of custody is needed.
That's easy: JP Morgan believes that JPM coins will not be treated the same as currency transactions and thus will not be limited by certain laws.
Additionally you have to initially purchase jpm coins from jpm in order to use them and/or JPM has started with a significant amount of seed coins.
Currency doesn't even have to be a scam to be a scam
It's the same reason anyone starts a crypto-currency. Start the thing up, hoard all the initial easy coins for yourself, get people to buy in to pump up the price, sell off your coins for massive profit.
What's the advantage of cryptographically signing each block, if it's still centralized?
Why not just go with a traditional SQL table to track chain of custody, if you are already restricting who can write transactions to trusted actors?
The JPM coin appears to be bank to bank, so each bank needs to sign each transaction/block that it adds so that every other bank knows that the first bank is actually adding these transactions to the database, rather than some other actor submitting the transactions maliciously.
As for signing each block rather than each transaction, it would seem to allow greater throughput, but it does mean that any single transaction being invalid will invalidate the entire block.
(unless there's some sort of reversal transaction I guess that you can place in a future block? Not sure how that would work when you need to solve a double-spend; easier to just invalidate both transactions before they're added..)
Blockchain doesn't solve the "is this transaction coming from the actual bank, or someone pretending to be the bank?" problem. That's solved by a basic private/public key system that works fine with a traditional database.
The "block" part of Blockchain is intended to solve the "everyone agrees that this is the correct history of transactions", by making it difficult (but, crucially, not insurmountable) to have two versions of the transaction history in circulation to fool some people into thinking certain transactions haven't happened (allowing you to double-spend). Bitcoin (I don't know about JPMcoin) does this by requiring an arbitrary load of computing power be wasted to "prove" that the majority of miners agree that one version is correct.
Think of it as instead of having a lock on your door, Blockchain security requires you to lean against it instead - only opening up when someone inserts their key and a light turns green. To stop some of the bigger criminals in the local neighbourhood pushing you aside, you get your friends to lean against the door as well. This has a couple of problems:
- You're all leaning against a door, which makes your ability to do things like work, cook, clean etc. more difficult.
- Getting everyone out of the way while someone new comes in/out takes time.
- If the criminal goes and gets their friends, or just happens to push against your door when people have ducked away to do things like work, cook, clean etc., then they can just push their way in anyway.
Any decentralized "Proof of X" system requires a constant expenditure of wasted resources, with an accompanying transaction throughput hit. And it makes smaller communities vulnerable when someone from the Big City casts their attention over (such as the case with Ethereum Classic). Far easier just to buy a sturdy door with a sturdy lock and give keys to people you trust, and then you can focus on doing real work. Or, to drop the analogy, just have a central database that says "Yes, I trust this transaction came from this bank. Ask me if you have any further questions about their balance".
You describe a lengthy process and transaction using a fictional commodity.
Someone asks, "Why don't you just use money?"
There are very few answers you can give that aren't, "I want to break the law."
"Money isn't electronic?"
The JPM proposal sounds to me like they're reinventing what Visa/Mastercard are doing already.
With 'blockchain' added for buzz.
It's not that blockchain is finally useful here, but that the tech blockchain is built on underpins all electronic communications and so makes this a like-for-like replacement.
Thinking about it, the play here doesn't seem to be solving a trust issue - it's a control issue.
The wire system, with all its delays and charges, basically exists because when a big financial entity goes "Screw this nonsense, I'm going to make a simpler and easier version - come join me if you want in" everyone else goes "Woah, woah, woah... what do you mean join YOU? Why shouldn't everyone join MY version instead?" Visa/Mastercard/Square work fine for retail transactions, but banks in less regulated countries get a bit nervous at the thought of saying "Okay, you can do my transactions for me". And while central banks in stable democracies are theoretically a neutral third party, the banks in less stable countries have seen what happens when democracies go off the rails and don't want to relinquish control there either. It's largely a solved problem in G7 economies with FedWire/CHIPS/SWIFT, etc. but those aren't universally adopted.
JPMCoins, targeting banks, seem to be a way of saying "See... you can trust THIS system for a neutral transaction network. It's decentralized so we don't control it, neither does anyone else (in theory, in practice we'll see). You just have to pay us a service fee to use it..." Setting the new standard for global interbank transactions - especially where SWIFT is not as prevalent.
Most proof-of-work/memory/whatever blockchain based things have 51% attacks because the rules are:
- anyone can add a block
- it usually doesn't matter who adds a block
- they must do $THING to ensure someone can't spam millions of junk blocks / spin up millions of free clients
- for stability, the longest acceptable chain is the primary one and others are discarded
None of those would apply to JPCoin. There's nobody spamming the chain, everyone is an authorized user and either a block is good or bad or old so you can build it atomically. The chain head would likely be published continually - in order for the recipients to know they got the funds - so any backwards progress would be immediately detectable by everyone.
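Added example, not part of any post in this thread: a minimal monitor for the longest-chain rule listed above, showing how a node or exchange can measure how deep a chain switch goes and which already-confirmed transactions it replaces with a conflicting spend. The `Tx`/`Block` model, the function names and the sample chain are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str  # id of the coin (previous output) this transaction consumes


@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]
    txs: tuple = ()


def path_to_genesis(tip, blocks):
    """Block hashes from `tip` back to genesis, newest first."""
    path = []
    while tip is not None:
        path.append(tip)
        tip = blocks[tip].parent
    return path


def reorg_report(old_tip, new_tip, blocks):
    """Apply the longest-chain rule and describe what a switch would undo.

    Returns None when the competing branch is not longer (no switch happens).
    """
    old_path = path_to_genesis(old_tip, blocks)
    new_path = path_to_genesis(new_tip, blocks)
    if len(new_path) <= len(old_path):
        return None
    on_new = set(new_path)
    fork = next(h for h in old_path if h in on_new)  # most recent common ancestor
    dropped = old_path[:old_path.index(fork)]        # blocks that lose their place
    added = new_path[:new_path.index(fork)]          # blocks that replace them
    spent_on_new = {tx.spends: tx.txid for h in added for tx in blocks[h].txs}
    # A double spend: a dropped transaction whose coin is consumed by a
    # *different* transaction on the winning branch.
    double_spends = [
        (tx.txid, spent_on_new[tx.spends], tx.spends)
        for h in dropped for tx in blocks[h].txs
        if spent_on_new.get(tx.spends, tx.txid) != tx.txid
    ]
    return {"fork": fork, "depth": len(dropped), "double_spends": double_spends}


def sample_chain():
    """Constructed data: a deposit confirmed in a2, then a longer branch from a1."""
    chain = [
        Block("g", None),
        Block("a1", "g"),
        Block("a2", "a1", (Tx("deposit-to-exchange", "coin-1"),)),
        Block("a3", "a2"),
        Block("b2", "a1", (Tx("pay-self", "coin-1"),)),
        Block("b3", "b2"),
        Block("b4", "b3"),
    ]
    return {b.hash: b for b in chain}
```

A monitor like this is why exchanges wait for a number of confirmations before crediting a deposit: the `depth` it reports is the confirmation count that the switch invalidated.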
So why bother developing any new "block" protocol at all? Why not just go with an existing globally-accepted ACID database?
Edit: And what's to stop Financially Embattled Developing Country Bank from using a server farm for 10mins to simultaneously publish valid blocks to US banks and EU banks saying, "No, really, our last $100 went to you, not them". It's an authorized user, both blocks are good, and because nobody else is spamming the chain it requires trivial resources to generate said two valid blocks.
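Added example, not part of any post in this thread: the scenario raised in the edit above (one authorized signer handing two different valid blocks to two counterparties) is usually called equivocation, and it becomes detectable once peers relay the signed heads they receive to each other, which is the "published continually" assumption from the earlier post. The header fields, bank names and keys are constructed, and HMAC-SHA256 stands in for a real digital signature so the sketch needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stand-in for a real digital
# signature (for example Ed25519); with real signatures the two conflicting
# headers are evidence that any third party can verify.
KEYS = {"bank-a": b"demo-key-a", "bank-b": b"demo-key-b"}
FIELDS = ("signer", "height", "prev", "payload")


def _digest(header):
    body = json.dumps({k: header[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(KEYS[header["signer"]], body, hashlib.sha256).hexdigest()


def sign_header(signer, height, prev, payload):
    header = {"signer": signer, "height": height, "prev": prev, "payload": payload}
    header["sig"] = _digest(header)
    return header


def verify_header(header):
    if any(k not in header for k in FIELDS) or header["signer"] not in KEYS:
        return False
    claimed = str(header.get("sig", "")).encode()
    return hmac.compare_digest(_digest(header).encode(), claimed)


class HeadWatcher:
    """Collects signed chain heads relayed by peers and flags equivocation."""

    def __init__(self):
        self.first_seen = {}  # (signer, height) -> first valid header observed

    def observe(self, header):
        if not verify_header(header):
            return ("rejected", None)        # not from the claimed signer
        slot = (header["signer"], header["height"])
        earlier = self.first_seen.setdefault(slot, header)
        if earlier["sig"] == header["sig"]:
            return ("ok", None)              # same block seen again
        # Two different, validly signed blocks for one slot: the signer
        # told different peers different histories.
        return ("equivocation", (earlier, header))


def demo():
    """Constructed scenario: bank-a sends different height-7 blocks to two peers."""
    to_us = sign_header("bank-a", 7, "head-6", "bank-a pays 100 to us-bank")
    to_eu = sign_header("bank-a", 7, "head-6", "bank-a pays 100 to eu-bank")
    forged = dict(to_us, payload="bank-a pays 100 to someone-else")  # sig mismatch
    watcher = HeadWatcher()
    return [watcher.observe(h) for h in (to_us, to_us, forged, to_eu)]
```

Detection here depends on the two recipients (or a shared watcher) actually comparing heads; until they do, each one holds a block that looks valid on its own.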
We won't get fooled again!
Interesting article on a phishing attack on the electrum network.
It’s not a very important country most of the time
http://steamcommunity.com/id/mortious
Like when you make a fake designer purse. Counterfeiting?
Currency pirating?
This is why immutable ledgers are bad.
Because Science!!!
There really isn't, thus we're back where we started.
So it's not like JPM are hoping that the demand will drive up the value of their own seed coins.
so it's like a bank.
except instead of just putting in a database x pays y, you have to solve a bunch of pointless sudokus to do the same thing.
like all blockchain related nonsense, seems like nonsense.