Hacker News new | past | comments | ask | show | jobs | submit login
Unstoppable Code? (dshr.org)
72 points by EvanAnderson 50 days ago | hide | past | favorite | 51 comments



People are looking at this from the wrong end. They're assuming that ransomware attackers will keep getting away with it.

They won't.

They've crossed a threshold. They're now considered terrorists. It's not just law enforcement any more. Law enforcement has limited resources chasing a large number of crooks. Now CIA, NSA, and DoD are looking for them, with far more resources aimed at a few targets.

All it takes is one slip-up. One intercepted phone call. One Bitcoin transaction that can be traced. One boast to a friend. One purchase of an expensive car. One crypto key that wasn't totally random. One hint on social media. It may take a while. But eventually the attackers will make a mistake, if they haven't already.

Back in 2009, Somali pirates attacked the US-flagged Maersk Alabama and kidnapped the captain. They didn't expect the US to send two warships, helicopters, and a SEAL team after them. But that's what happened. Three of the pirates are dead, one is in a US prison.

The US has a long tradition of overreacting to attacks, going back to the Tripoli pirates demanding ransom during the Jefferson administration. (Jefferson sent a fleet and the Marines. The pirates lost.) The Barbary pirates during the Teddy Roosevelt administration (Roosevelt sent battleships. The pirates lost.) The Somali pirates during the Bush administration. (The pirates lost.) Bin Laden during the Obama administration (Bin Laden lost.)

Somewhere, there's a few very scared hackers.


Your examples are about spending oversized amounts of resources to send messages to would-be imitators. How are you going to dissuade new hackers popping up when they have total freedom in where to base their operations and hiding their tracks is so easy (compared to managing militias)?

Seems to me in that case, defense is easier than offense. There's now huge financial incentives for extending strict security to more areas than just military/transportation/communication infrastructure systems.


> How are you going to dissuade new hackers popping up?

Hackers are subject to economic pressures and cost/benefit/risk analysis just like anyone else. If government puts a heavy thumb on the scale, then maybe you start to think there are easier ways to make a few million bucks that don't run the risk of your ending up dead or in prison for life.

As an example, kidnapping used to be a reasonably common crime in the United States (with a high payoff) but in the wake of the Lindburg Kidnapping, the US made kidnapping a federal crime and a capital offence.[0] Instead of dealing with local cops, kidnappers were now facing a dedicated team of FBI agents with substantial resources and the death penalty when they got caught. Suddenly, it makes a lot less economic sense to be a kidnapper and ransom kidnappings have mostly disappeared in America.

[0] https://en.wikipedia.org/wiki/Federal_Kidnapping_Act


It would seem to me that Ransomware attackers coming from Russia or China would have a pretty solid first line of defense. That is, as long as they keep the hands that are feeding them happy in said country.


Yeah, but then you're talking about state-sponsored malware attacks, and into the realm of international diplomacy: sanctions, embargoes, blockades and (theoretically) war.


Why do you think that would be the result? They aren’t state sponsored per se, just state turning a blind eye. Plus, it’s already been happening this way for many years. Why would we suddenly start sanctioning China and Russia, risking war?


Various states were turning a blind eye to ransomware operators on their soil because it was considered a petty crime. It wasn't even a variable considered in international negotiations. But if a superpower like US suddenly views ransomware as terrorism, it becomes diplomatically relevant. Politicians will start asking questions, likely realizing it's not worth it to start pushing the US on this point, leading to law enforcement suddenly being much more interested.


They should be able to fund their efforts from seized crypto assets.


> Somewhere, there's a few very scared hackers.

The hackers probably only sold the software, and will be difficult to trace. Also, they have plausible deniability as they can say the software was for research purposes only and never meant to be used, do harm, etc.


A few ransomware people have already been caught.

- Sébastien Vachon-Desjardins. "Information on a Polish server identified Vachon-Desjardins as one of the most profitable affiliates of the NetWalker organization". "RCMP seized hundreds of thousands of dollars from Vachon-Desjardins's home and safety deposit boxes after his arrest, while also discovering a cryptocurrency wallet with contents valued at about $50 million." [1]

- Joshua Polloso Epifaniou. [2]

[1] https://www.cbc.ca/news/canada/ottawa/gatineau-man-facing-ex...

[2] https://www.justice.gov/usao-ndga/pr/cypriot-hacker-pleads-g...


Although all (bar one) of the points made seem sound to me the take-away should probably be "and then go and do bitcoin anyway". Maybe I'm an idealist, but allowing people to freely signal what they think is worth supporting financially will cause more good than harm.

I think there is a strong argument that even with all the negative externalities listed, the positive are even greater. I mean, what if the world's billionaires are eventually forced to transect on a public blockchain? A lot of shadiness will suddenly become really hard to hide. Net crime may well reduce; we don't know what we don't know in that sphere.

> Funding "rogue states" such as North Korea and Iran."

Now on to the point I disagree with. Find Iran on a map. Look left of it and right. You'll see two countries invaded by the US on the flimsiest of pretexts. The US not being able to use financial means to rub salt in the wounds of people it wants to bully is a win for the world. This is a positive externality.


> I mean, what if the world's billionaires are eventually forced to transect on a public blockchain?

That’s never going to happen because the technology is not going to get that far. How do you have effective monetary policy with a deflationary currency? Governments and central banks are not going to willingly give up that power, nor should they. Blockchain currencies just do not make sense on the macroeconomic level.

Moreover we already have solutions for investigating financial crime, it would be much easier to improve policy and enforcement there than overhaul our economy for what would be at best an indirect benefit.


The shady stuff that the world's billionaires are doing is in large parts already publicly reported, and already pretty appaling, and few people seem to care. Not downright criminal stuff, but by now I doubt that changes anything.


>I think there is a strong argument that even with all the negative externalities listed, the positive are even greater.

I think you have to be completely deluded to believe that.

> I mean, what if the world's billionaires are eventually forced to transect on a public blockchain? A lot of shadiness will suddenly become really hard to hide.

Wasn't one of the big promises of crypto anonymity so that it would be the salvation of the prosecuted? And now it's supposed to completely eliminate anonymity and that is supposed to be a good thing?

Schrödinger's Blockchain?

>Net crime may well reduce; we don't know what we don't know in that sphere.

We have ample hard evidence that the opposite is the case.


> Wasn't one of the big promises of crypto anonymity so that it would be the salvation of the prosecuted?

The Bitcoin blockchain is a public, permanent ledger of every transaction ever made. The people claiming it is anonymous were always being optimistic. I think it might be strictly worse than the existing banking system for privacy.

People trying to use Bitcoin for anonymous crime are in for a very nasty shock at some point. It is a better idea to go old school and bank with HSBC.


Care to provide any sources to that "ample hard evidence"?


OP's article has a bunch of them. it opens with one.


What I want to see a source for is your claim that there is hard evidence for the opposite of "net crime being reduced", not random anecdotes and opinion pieces.

I see nothing there indicating a quantitative increase in crime victims or number of crimes being committed due to cryptocurrency.


There's entire new forms of crime being enabled by cryptocurrency.

Most notably, ransomware is doing 20 billion dollars worth of damage annually (increasing quickly), and depends pretty much 100% on cryptocurrency for payment: https://cybersecurityventures.com/global-ransomware-damage-c...


There are two views, I suppose. Stalin did build an industrial state. It was based on slave work causing death and untold damage to millions. But it did allow them to persist against Germany. Which is all good as long you are not the one being slaved, that tends to shift the viewpoint significantly.


Unlike Proof of Work based blockchains which require seizable factory infrastructure to break even, Proof of Stake doesn't need one.

Most Proof of Stake supporters see this as a good thing because it means there's no electricity waste and higher degree of "censorship resistance".

However what will actually happen is this "censorship resistance" is what will make the PoS blockchain as a whole get "censored", ironically.

Proof of Work blockchains, while wasting a lot of energy, can be regulated easily because the government can simply regulate the large miners in their countries. However Proof of Stake, because it can't be traced easily, the regulators will have to try to stop the entire blockchain as a whole.

Of course, it's impossible to completely stop it, but the governments can do a lot of things in their "anti-decentralized tech playbook" to make sure the adoption never goes mainstream. (See Tor, BitTorrent, etc.)


dammn... now I wanna see the play book.. I can guess some of them, but feel like I am missing some. And I really think centralization has massive systemic bugs that have caused(and continue to cause) a big worrying set of problems.


> Unlike Proof of Work based blockchains which require seizable factory infrastructure to break even, Proof of Stake doesn't need one.

This isn’t inherent to PoW consensus. In 2010, Bitcoin was CPU mineable on any ordinary Windows PC. It wasn’t until Bitcoin commanded a significant market value — which wasn’t guaranteed in the slightest — that industrial scale mining operations came into the foray.

> Most Proof of Stake supporters see this as a good thing because it means there's no electricity waste and higher degree of "censorship resistance".

Your understanding of censorship resistance is gravely mistaken [1]:

    Overcoming censorship is not possible in a PoS system, as the censor
    has acquired majority stake and cannot be unseated. As such PoS
    systems are not censorship-resistant and the theory is therefore
    invalid.
If 51% of the stake — even if owned by separate entities — were to deliberately engage in censorship, the general public would have absolutely no recourse. Conversely, in Proof of Work systems, new miners could join the network at any time to challenge the majority miner censor. That is simply impossible under a Proof of Stake model with network censors.

In addition to being vulnerable to total censorship, Proof of Stake consensus suffers from the misfeature of not even having a quantitative fork ranking protocol — i.e. it lacks a way to objectively compare the truthfulness of divergent blockchains. Under adversarial conditions, the PoS chains pos1, pos2, and pos3 cannot be quantitatively ranked by hashing power the way the PoW chains pow1, pow2 and po3 could be, as there is no hashing power in PoS. Instead, there is only “phone-a-friend” consensus, which Vitalik Buterin has euphemistically referred to as “weak subjectivity”.

Jude C. Nelson, who has a PhD in distributed systems from Princeston, critiques PoS better than anyone [2]:

    PoW requires less proactive trust and coordination between
    community members than PoS -- and thus is better able to recover
    from both liveness and safety failures -- precisely because
    it both (1) provides a computational method for ranking fork
    quality, and (2) allows anyone to participate in producing
    a fork at any time. If the canonical chain is 51%-attacked,
    and the attack eventually subsides, then the canonical chain
    can eventually be re-established in-band by honest miners
    simply continuing to work on the non-attacker chain. In PoS,
    block-producers have no such protocol -- such a protocol
    cannot exist because to the rest of the network, it looks like
    the honest nodes have been slashed for being dishonest. Any
    recovery procedure necessarily includes block-producers having
    to go around and convince people out-of-band that they were
    totally not dishonest, and were slashed due to a "hack" (and,
    since there's lots of money on the line, who knows if they're
    being honest about this?).
> Proof of Work blockchains, while wasting a lot of energy, can be regulated easily because the government can simply regulate the large miners in their countries.

Because Proof of Stake blockchains can’t even come to consensus under adversarial conditions without human intervention (per JCN), these “blockchains” can actually be understood as distributed append-only ledgers managed by trusted central organizations the membership to which is gated by wealth. It’s highly misleading — even outright deceptive — to promote such systems as being more permissionless than PoW-powered systems like Bitcoin.

“Green-friendliness” was never a design goal of cryptocurrency: creating a lasting store of value sans institutions, exchangeable pseudonymously over the internet, was.

[1]: https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-o...

[2]: https://news.ycombinator.com/item?id=26810619


> This isn’t inherent to PoW consensus. In 2010, Bitcoin was CPU mineable on any ordinary Windows PC. It wasn’t until Bitcoin commanded a significant market value — which wasn’t guaranteed in the slightest — that industrial scale mining operations came into the foray.

This is inherent to the PoW consensus. Satoshi Nakamoto himself even said Bitcoin would end up in data centers because of this property. It's not that hard to understand why this would be the case. PoW is powered by competition, and competition begets scale, just like any other industry.

> Your understanding of censorship resistance is gravely mistaken [1]:

Before making this kind of condescending comments, maybe make sure that you are not the one who's misunderstanding what I am saying? I was talking about what many PoS supporters think, not what I thought. Go ahead and re-read what I said.

Their (The PoS supporters) idea is that "because it's much more difficult to find PoS validators than PoW miners because PoW miners need to maintain a factory whereas PoS validators can just hide in their mom's basement and make money, it's more difficult for the governments to regulate PoS than PoW". And my point was that that was an incorrect belief.

My entire post was talking about this false sense of "censorship resistance", basically Pro-PoW and anti-PoS, and you didn't need to lecture me on your superior understanding of PoW. I understand everything you said, but you completely misunderstood my point. If you didn't get that by reading, maybe it's your reading comprehension problem.


Unfortunately, oweing to the fierce competition in the Bitcoin space, it’s long since become difficult for onlookers to distinguish between an argument of the form “PoW bad, PoS good, insert weakly anti-PoS sentiment as controlled opposition here to end up with a pro-PoS post”, and furtive PoS astroturfing — which has proliferated as of late.

As someone who has long been all too familiar with the various sophistry tactics commonly employed by Bitcoin’s competition, frankly that was my impression of your post. I apologize if I misread your intent.

> This is inherent to the PoW consensus. Satoshi Nakamoto himself even said Bitcoin would end up in data centers because of this property

Bitcoin wouldn’t have ever warranted industrial scale mining operations if not for BTC’s significant price appreciation. But PoW systems were never guaranteed to be commercially successful. It’s perfectly possible for Bitcoin to once again become CPU mineable on ordinary Windows PCs — assuming its market price collapses.


I also interpreted the post as arguing PoS is more censorship resistant than PoW.

I regularily receive a silly critic, which I always take the time to debunk, and then often get told "it was joke.. come on".

We live interesting times.

Edit: Not questioning the honesty of the author, the clarification is legit.


The answer to criminal use of bitcoin would seem to be to prosecute anyone transacting with the wallets/addresses/whatever that have received ransoms and the like. You could probably build a case against those people as dealing in the proceeds of crime. Mixers/tumblers are easily classified as money launderers.

Maybe all that's needed is a few tweaks to the legislation and some political will.


It would work very well with Bitcoin, which uses a public ledger, but that wouldn't work with fully anonymous cryptocurrencies using zero-knowledge proofs to transmit messages and/or money.

Maths are funny like that.


As long as there exists either an exchange willing to look the other way or a trustless bridge to another blockchain that does offer anonymity (inherently or via trustless on-chain mixers), it will be trivial to anonymize pseudonymous blockchains as well.

Looking the other way in this context can be as simple as "enforce address/wallet embargos with a delay of ten minutes": That's enough to swap all dirty and trackable tokens for clean anonymous/anonymizable tokens.


I bet that ZCash would grow for that reason, but it hasn't really happened. Bitcoin is not seen as flawed even though all transactions are analyzable.


Which makes me wonder why ransomware authors so often choose to demand payment in Bitcoin and not for example Monero.


I think it's fair to interpret this as a sign that even the theoretical non-anonymity of Bitcoin is not enough of a threat to disincentivize illegal uses (or alternatively it can be trivially circumvented).



Very likely they will move to Monero and back with any such payment. Monero should have been a stablecoin, would have done a lot better for this type of semi-sinister use case.


It hurts to see a call to strong arm people into not using what is essentially a coordination tool, based on such a limited analysis. For a good summary of the potential of cryptocurrency, I recommend this 2014 article by Walter Isaacson:

https://time.com/3476313/can-bitcoin-save-journalism/

We're starting to see realization of that potential in the emergence of a mechanism to directly monetize the production of culture, via NFTs, as this 2021 details:

https://a16z.com/2021/02/27/nfts-and-a-thousand-true-fans/

An illuminating 2013 article by the same author:

https://cdixon.org/2013/12/31/why-im-interested-in-bitcoin

The calls to ban cryptocurrency now remind me of the efforts to stop the public from having access to strong cryptography in the 1990s. Without the success of the cypherpunk movement, in which a critical mass of tech activists, private sector interests, and forward thinking government officials all supporting democratization of access to the technology, led to export controls on the strong cryptography being lifted, the multi-trillion dollar e-commerce market as we know it today would never have emerged.


In a podcast with Lex Friedman, George Hotz said something along the lines of: "Cryptography is one of the few games where the defense wins."

Transitively, this statement applies to a set of crypto currencies too. I, hence, think it'd be unproductive for anyone to deny this property by e.g. trying to outlaw certain applications of cryptography.

While I wasn't alive during that time, I believe that for ideas of similar weight that require immense ethical decision making strength (e.g. anything related to splitting atoms) political and game theoretical advances had to be made before humanity was ready to "live peacefully with that knowledge."

It's not by accident that cryptography was once deemed a weapon by certain states.

Now it's time that states don't turn their eyes away and merely say "careful, you may loose all your money." That's irresponsie. Rather they must collaborate to ensure that crypto has a useful, peaceful and non-destructive future.


Bruce Schneier has argued that where the advantage lies in offense vs defense depends on the nature of the attack surface:

https://www.schneier.com/blog/archives/2017/04/attack_vs_def...

Friedman and Holz are being simplistic.


I think my argument is of simplistic nature too. I anyways believe that I can make a more extended argument for why I believe it'll become difficult for states to extract taxes in the future on an deonic authority-basis ("there shall be taxes because we want it").

Coins cannot be taken away. Infrastructure can go darker to evade state-level control. Shadow economies are feasible. Hence, IMO states should create a friendly environment for the best possible outcome of their citizens. It's epistemic authority that the state needs to apply now ("You shall pay taxes because is a hard requirement for xyz to work").


>> Massive carbon emissions.

This argument keeps being made but it's BS. There are plenty of PoS tokens which use very little electricity.

Also, crypto discourages consumption by discouraging spending through social HODLING behaviour. HODLING a token collectively to make the price go up means that community members have less fiat available to spend on consumables which reduces their collective consumption and reduces carbon emissions.

In a crypto ecosystem, all the different tokens are competing for which community can HODL the hardest. The communities who produce the most value and spend the least are going to end up the richest (highest market cap) with the loudest economic voice. This is a lot better than the fiat monetary system where spending is not a factor because everyone is forced to support (and absorb the stresses caused by) the spending of billionaires within that system. When a billionaire spends hundreds of millions of dollars to buy a super-yacht or private jet, it doesn't crash their currency... Maybe it should!

Imagine what good that would do to the environment if everyone was competing to consume less!

There is also an argument that Bitcoin mostly uses cheap, surplus electricity because that's the only kind that's cheap enough to make mining profitable.


> Also, crypto discourages consumption by discouraging spending through social HODLING behaviour. HODLING a token collectively to make the price go up means that community members have less fiat available to spend on consumables which reduces their collective consumption and reduces carbon emissions.

This doesn't make sense. Holding an asset so that it appreciates in value causes it to, well, appreciate in value. There are plenty of ways to exercise that value without actually exchanging it: it can be used to issue loans or secure other financial instruments. The blockchain space seems to be rife with these sorts of schemes.

But also, to the larger point: you're not reducing consumption if your goal is to inflate the value of an asset until you're stinking rich. You're deferring consumption until you have the resources commensurate to your desired level of consumption. That's what everybody does, to be clear: it's only blockchain people who seem to have trouble looking it in the eye.


>> You're deferring consumption until you have the resources

But the point is that everyone is deferring consumption until some time in the future but that perfect time when you can cash out all at once never actually happens (note that a blockchain is public so it's not possible to quietly sell your assets without drawing attention and crashing prices; especially for people who own a lot of the asset). Traders can easily front-run you if you attempt any large sale.

On the other hand, fiat provides many opportunities for billionaires to cash out and pass the costs onto regular tax payers. The pandemic was a perfect example of that; the reserve banks printed a ton of cash which propped up the markets and allowed billionaires to cash out huge sums without causing any crash.

Also, there will always be a new up-and-coming tightly-HODLED coin by a younger generation to compete with yours.


> But the point is that everyone is deferring consumption until some time in the future but that perfect time when you can cash out all at once never actually happens (note that a blockchain is public so it's not possible to quietly sell your assets without drawing attention and crashing prices; especially for people who own a lot of the asset). Traders can easily front-run you if you attempt any large sale.

I don't understand what this is supposed to be in contrast to. This is precisely how the normal market works: the vast majority of Jeff Bezos's actual wealth is illiquid and impossible to cash out at once, because doing so would be an extremely strong signal to the market that he no longer trusts his investments.

This is also fundamentally how retirement (normally) works: Joe Schmo doesn't liquidate all of his retirement accounts the day he turns 65; he draws on them (and potentially incurs taxation) as necessary. Tens of millions of people in the developed world retire every year; the market doesn't crash when they do.

To whit: there's nothing new about any of this. If cryptocurrency is an investment and you hold it like any other, then it behaves like any other. The only material differences appears to be the preponderance of scams and unsustainable behavior (cf. permagrowth around the next great coin).


Would it be possible to set up a network like folding@home designed to destroy bitcoin? It would be an interesting state sponsored exercise.


Massive waste of time; if the US wanted to "destroy" Bitcoin they'd just Magnitsky Act it. Make it illegal to touch any financial institution that handles it or any country that hasn't also declared it illegal.

Not 100% effective - it hasn't destroyed Cuba - but would cut off the supply of money, advertising, and the ability of people to pay ransoms in it.


"If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth."

- Section 6, Bitcoin Whitepaper


This implies a "rational" actor in the sense that they would not be willing to effectively set money on fire to hurt other system participants.

A nation state wanting to destabilize or destroy trust in a given cryptocurrency might not fit that definition.

I don't think that's a likely outcome, though – governments have much more economical tools at their disposal achieving the same outcome.


As the article explains, those who would want to attack Bitcoin would not care about the costs involved, since their goal is to destroy the network, not to make money off of it.


The big caveat is obviously the word "greedy". A state need not be greedy, nor for that matter needs a group of politically motivated people running a LOIC against any Bitcoin node they may find.


Somebody needs to inform these guys that their bitcoins are infungible and worthless. Same with anybody that goes into a mixer with them.


"Knives are a bad technology because you can use them to stab people, ergo knives shouldn't exist."


You were so close. Think of firearms instead.




Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: