Bitcoin's governance bungles stain the blockchain's reputation

If the cryptocurrency can't organise its own evolution, we lose a chance at better security

Civilisation is an agreement. We agree to pay our tax, obey the laws, and generally avoid berserking around the joint. Where these agreements break down you get riots that scale into civil wars, then collapse. That’s less of an issue so long as the problem is over there - so that when a culture soils the sheets you don’t have to deal with the stink.

But if there’s one lesson of the connected era, it’s that there is no more over there.

An interesting case in point recently surfaced on the website of Dan Tentler, a geek who - when he’s not flying drones across the San Diego skies - takes a peek at the various vulnerabilities of all of our connected devices. That’s like shooting fish in a barrel these days, because so many of these devices have such shoddy firmware and such poor default security settings they’re practically begging for someone like Dan to come along and take a look.

At their sleeping babies.

It turns out that an entire class of webcams parents use to keep an eye on their offspring have such poor security settings that it’s possible to take a snap of the sleeping children from pretty much anywhere on the Internet. Neat, huh?

After Tentler’s findings surfaced, New York City’s Department of Consumer Affairs issued an extraordinary warning to the purchasers of those connected video cameras, advising them to “buy a secure device”, “use a strong password”, and other recommendations of the sort that come from a good place but fundamentally rely upon the manufacturer producing firmware that’s up to the task. A strong password protects nothing if the firmware will hand out the video stream without asking for one. More often than not, the firmware isn’t up to the task.

Over the last few years we’ve learned ‘hardware is hard’. Now we’re learning, ‘firmware is harder’.

Firmware has to operate the device reliably, and handle all of the issues that arise from maintaining a connection to that cesspool of hackers and state actors we charmingly call the Internet. Firmware has to hold the line against the barbarians. That’s job #1. If that fails, then the hardware becomes a Trojan Horse.

With the number of connected devices per household heading from the tens into the hundreds over the next few years, that’s a lot of firmware that has to be just about perfect in its capacity to defend against attacks.

This problem isn’t new, it’s simply scaled to the point where it touches almost every one of us, almost all the time. In a world of connected objects, we keep walking into the buzz saws of vulnerability. But there is another way.

Nearly a year ago I wrote about the new ‘table stakes’ in connected devices - enough computational power to participate in the ‘blockchain’, the distributed ledger and consensus protocol that underpins Bitcoin. IBM and Samsung publicly announced a partnership to create blockchain-based security that would work well across many connected devices.

That work continues. It’s never been more important. Yet, just as the blockchain rises to become a pillar of our IoT security strategies, the protocol behind it has developed some serious scaling issues.

That’s to be expected. Even a genius like ‘Satoshi Nakamoto’ - whoever that is - wouldn’t be able to anticipate the shortcomings of a protocol that now carries hundreds of thousands of transactions per day, hard up against the ceiling its own block-size limit imposes, across a globally distributed and replicated database like the Bitcoin blockchain. No one had ever run the experiment before, and no protocol survives an encounter with the real world, with all its pointy edges of implementation.

That was demonstrably true for TCP/IP and all of the protocols that ride on top of it. There are now thousands of RFCs covering nearly every protocol - with frequent amendments as a protocol ‘grows up’ into something that’s widely used. That’s the form of the human endeavour: we learn, and we apply those learnings.

This doesn’t seem to be happening in Bitcoinland. For more than a year, various partisans have fought over how to make the network handle its increasing transaction volume - chiefly whether and how to raise the block-size limit - disagreements that threaten to break out into full-scale civil war, a fracturing of Bitcoin, and... well, no one knows what happens after that.

The Bitcoin community can’t seem to reach consensus on the changes required to grow up. It’s quite possible that at some point later this year the transaction volume on the Bitcoin blockchain will make something designed for reliability unreliable enough that no one will be able to trust it.

Security begins with governance. Where you can’t govern yourself, anyone else can govern you. If Bitcoin falls over, the blockchain - which can exist apart from Bitcoin and all its argy-bargy - will be unfairly stained with that instability, giving shonky hardware manufacturers all the reason they need to avoid the obvious security solution as ‘unreliable’.

In the connected world, we have to accept that civilisation asks us to build consensus. There is no other way forward, because consensus is the mortar in the wall that defends us against the barbarian hordes outside, constantly probing for weaknesses, looking for a way in. ®

Biting the hand that feeds IT © 1998–2021