Bitcoin's blockchain: Potentially a hazardous waste dump of child abuse, malware, etc

Boffins warn of legal risks from arbitrary data distribution


Bitcoin's blockchain can be loaded with sensitive, unlawful or malicious data, raising potential legal problems in most of the world, according to boffins based in Germany.

In a paper [PDF] presented at the Financial Cryptography and Data Security conference on the Dutch Caribbean island of Curaçao – "A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin" – researchers from RWTH Aachen University and Goethe University identified 1,600 files added to the Bitcoin blockchain, 59 of which include links to unlawful images of child exploitation, politically sensitive content, or privacy violations.

The researchers suggest Bitcoin's blockchain can also be loaded with malware, something Interpol warned about three years ago but has not yet been documented in the wild.

"Despite potential benefits of data in the blockchain, insertion of objectionable content can put all participants of the Bitcoin network at risk, as such unwanted content is unchangeable and locally replicated by each peer of the Bitcoin network as benign data," researchers Roman Matzutt, Jens Hiller, Martin Henze, Jan Henrik Ziegeldorf, Dirk Müllmann, Oliver Hohlfeld, and Klaus Wehrle explain.

The Bitcoin blockchain is a distributed ledger or database that contains linked records of all Bitcoin transactions. These records or blocks hold batches of hashed transactions and are linked to preceding blocks by a cryptographic signature. The blocks also allow for additional data, and therein lies the issue.

In an email to The Register, Roman Matzutt, a researcher with RWTH Aachen University and one of the co-authors of the paper, said the problem exists with other blockchains that allow content to be inserted, such as Litecoin and Ethereum.

"We did not yet investigate more privacy-aware blockchain systems such as Monero or the upcoming Mimblewimble," he said. "Such blockchains need further investigation with respect to how easily identifiers that appear on the blockchain can be manipulated."

The paper identifies several mechanisms for adding arbitrary data to the Bitcoin blockchain. There's CryptoGraffiti, a web-based service to read and write data to the blockchain, as well as Satoshi Uploader, P2SH Injectors, and Apertus.

Augmenting transactions in this way allows for additional arguably useful Bitcoin-related services, such as digital notarization and digital rights management. But it also adds the possibility of abuse.

Break the Bitcoin!

At present, few Bitcoin blockchain transactions contain extra data – only 1.4 per cent of the roughly 251 million transactions in Bitcoin’s blockchain, the researchers say – and only a small portion of that fraction are objectionable or illegal.

Nonetheless, the presence of even a small amount of illegal or objectionable content could pose problems for participants.

"Since all blockchain data is downloaded and persistently stored by users, they are liable for any objectionable content added to the blockchain by others," the paper says. "Consequently, it would be illegal to participate in a blockchain-based system as soon as it contains illegal content."

The researchers acknowledge that there haven't yet been definitive court rulings on this specific issue. "However, considering legal texts we anticipate a high potential for illegal blockchain content to jeopardize blockchain-based systems such as Bitcoin in the future," they state.

CryptoGraffiti anticipates the risk posed by objectionable content in a policy statement for those attempting to post data to the Bitcoin blockchain: "By using this service you agree not to save anything illegal on the blockchain. In case of abuse we may report your IP address to the police."

That's not necessarily much of a deterrent. While adding something like "Remember Tiananmen Square" or a picture of the Dalai Lama to the blockchain wouldn't be an issue in the US, it could cause Chinese authorities to take steps to prevent that content from being redistributed through Bitcoin nodes in China.

Adrian Colyer, a partner with VC firm Accel in London who wrote a blog post about the paper, suggests the ability to add arbitrary data to Bitcoin's blockchain could be used as a pretense for governments to harass political foes operating Bitcoin nodes.

"If a government wanted to clamp down on a given blockchain, all it has to do is anonymously post a transaction containing illegal or objectionable data, wait for it to propagate to all the miners in the country, and then go after them for possession," he mused.

Matzutt confirmed that an individual could "poison" the blockchain by inserting a politically contentious image. Using a ~21 KB image of Nelson Mandela that's already on the blockchain as an example, he said it would cost about US$380 at today's market price of Bitcoin (~$8,400) to insert the data.

"I cannot judge whether authorities would then ban Bitcoin, but I believe that this is a theoretical possibility, especially in very oppressive and [opaque] jurisdictions," he said. "Really exploiting blockchain content to systematically prosecute users of blockchain content requires a certain arbitrariness of the respective government as there are also other ways to officially regulate (and also forbid) blockchains."

In an email to The Register, Bitcoin contributor Dave Harding said these concerns have been the subject of discussion in the Bitcoin technical community for years and have led to problems such as the 2014 DOS/STONED incident in which the signature of an old computer virus was added to the blockchain, causing Microsoft Security Essentials to interfere with Bitcoin network nodes as it attempted to remove the file.

Harding said fixes have been proposed, such as Bitcoin Core developer Gregory Maxwell's P2SH².

"Ultimately, however, I don't believe it's entirely possible to prevent users from including arbitrary data in a decentralized blockchain," said Harding. "The best mitigations known are merely to make it very expensive to publish arbitrary data on a per-byte basis."

Matzutt echoed Harding's sentiments. "Our findings are that content inserters can always insert some bytes per transaction output by brute-forcing identifiers," he said. "Hence, the problem can only be mitigated but not entirely eliminated."

He pointed to an upcoming paper, to be presented in April, that deals with the issue.

"While there are technical countermeasures against (easy) content insertion, we believe the only viable countermeasure that can potentially find its way into Bitcoin would be to introduce mandatory minimum fees that penalize transactions with many outputs," he said. "This disincentivizes inserting large transactions, which are especially well-suited for content insertion, and once the community reaches consensus on the exact fee model, it is easily deployable via one fork."

Matzutt argues that until countermeasures such as fees are formalized, the Bitcoin community could deploy a quick fix such as rejecting "suspicious" transactions.

"In our paper we consider transactions 'suspicious' if they have many outputs (at least 50, corresponding to ~1 KB of insertable data) that only spend very small amounts," he explained. "These transactions are not likely to be economically feasible transactions, but in the end this can lead to rejection of legitimate transactions and thus would only be a temporary fix." ®
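A defender-side sketch of the two mitigations Matzutt describes above, the "suspicious transaction" filter and a minimum fee that penalises many-output transactions, as an added example that is not code from the paper or from Bitcoin Core. The 20-byte-per-output payload figure (which makes 50 outputs roughly 1 KB), the 546-satoshi dust limit, the fee numbers and the sample transactions are assumptions constructed for the example.

```python
# Added example (not the paper's or Bitcoin Core's code): the "suspicious
# transaction" heuristic from the article, plus an illustrative per-output fee.
# Assumption: each standard pay-to-pubkey-hash output has a 20-byte hash field
# that a content inserter can fill with data, so 50 outputs ~ 1 KB of payload.
from dataclasses import dataclass, field
from typing import List

HASH_BYTES_PER_OUTPUT = 20   # attacker-controllable bytes per output (assumption)
MIN_SUSPICIOUS_OUTPUTS = 50  # output-count threshold quoted in the article
DUST_THRESHOLD_SATS = 546    # commonly cited dust limit for P2PKH outputs (assumption)


@dataclass
class Tx:
    txid: str                                         # constructed label, not a real txid
    outputs: List[int] = field(default_factory=list)  # output values in satoshis


def insertable_bytes(tx: Tx) -> int:
    """Upper bound on payload bytes that the output hash fields could carry."""
    return len(tx.outputs) * HASH_BYTES_PER_OUTPUT


def is_suspicious(tx: Tx, min_outputs: int = MIN_SUSPICIOUS_OUTPUTS,
                  dust: int = DUST_THRESHOLD_SATS) -> bool:
    """Many outputs that each spend only a tiny amount: likely data, not payment."""
    if len(tx.outputs) < min_outputs:
        return False
    return all(value <= dust for value in tx.outputs)


def penalised_fee(tx: Tx, base_fee: int = 1000, per_output: int = 200) -> int:
    """Illustrative mandatory minimum fee that grows with the output count.
    The linear model and the numbers are assumptions, not a proposed fee schedule."""
    return base_fee + per_output * len(tx.outputs)


# Constructed sample transactions: a normal two-output payment and a data carrier
NORMAL_PAYMENT = Tx("constructed-payment", [250_000, 49_750])  # pay + change
DATA_CARRIER = Tx("constructed-carrier", [1] * 60)             # 60 one-satoshi outputs

if __name__ == "__main__":
    for tx in (NORMAL_PAYMENT, DATA_CARRIER):
        verdict = "SUSPICIOUS" if is_suspicious(tx) else "ok"
        print(f"{tx.txid}: {len(tx.outputs)} outputs, up to {insertable_bytes(tx)} B "
              f"insertable, {verdict}, minimum fee {penalised_fee(tx)} sat")
```

Note how the filter only fires when both conditions hold: a 60-output payroll-style transaction paying real amounts passes, which is the false-positive risk Matzutt acknowledges for legitimate transactions.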

Biting the hand that feeds IT © 1998–2022