Greetings sports fans. So I did say I was going to this post in my last post (I've added a link this in there) and I'm actually doing it. The main reason is that my friend Jamie mentioned me in the his podcast (highly recommended) and said that he would provide his listeners with a link to this if and when I do write it. Commence guilt trip. But, that's enough blabbering from me, down to the matter at hand: Why nobody has Megaupload go-ed bye-bye?
So, if you are reading this, you are either connected to the Internet or I finally got that book deal I wanted. For now, let's assume you have Internet access. One of the really interesting uses of the Internet is storing files online so that they can be accessed by many people. There were several really creative and some down right moronic ways thought of to this, but the one that really took off were called "file lockers."
Anywho, the concept of a file locker is simple: You sign up and you get some storage space on a server. You can then upload files and manage who can access them. You make it public, so that anybody can download it, or private, so that only you and/or selected other persons could download it. Of course, we all know there is no such thing as a free lunch, so "where's the money?" you ask. Well, let me tell you.
Some file lockers charged for their services, but some, like Megauplaod, were freemium. What they did is they put ads on the site and before you download something, unless you paid the membership fees. Sounds reasonable, right? Yes and then it gets hinky. So, not only did you have ads, but it seems that the site paid uploaders every time a file was downloaded. Not only that, but files that were not downloaded frequently enough were removed. But, it gets even more sinister and here's where the illegality comes in.
It's obvious that if somebody uploads illegal copies of TV, movies and music, then it will get downloaded more often than a picture of me on the beach. This pretty much encourages illegal file sharing. If offending content was found, it was removed, however it is alleged that the user accounts were not suspended or terminated. I have a distinct memory of reading somewhere that uploaders could pay to upload anonymously, thus even if the content was marked as illegal, it could be taken down, but not traced back to them. I cannot for the life of me find that article again and thus state this as a recollection that I can not back up. Moving swiftly on.
There was also the related website Megavideo, which was also somewhat devious. It has been alleged that all this infringing content was not searchable through the site's main search functionality, but was accessible to those who had the link. Again there is the same allegations of content being taken down without punishing the offenders and so on and so forth. Although there was a de jure legal use for the site, the de facto primary use was for the distribution of illegal content. So, the United States Government decided to do something about this.
About 2 years ago (2009), criminal investigations were started into the activities of Megaupload Inc., with a whole lot of red tape. The company itself is based in Hong Kong and a lot of the key people, including founder and chief Kim Dotcom, were in New Zealand. Well this went on for 2 years and we arrive in the present. Actually more like the recent past, but here we go.
A few months earlier, the US government had brought forth two acts called the Stop Online Piracy Act (SOPA) and the Proctect IP Act (PIPA) and this got everybody up in arms. That's a whole other kettle of fish, to be fried on another day. The main point is on January 18th 2012, a large number of websites "blacked out" and replaced their normal content with a page explaining why they are protesting SOPA and PIPA. On January 20th 2012, Dotcom and associates were arrested (alt article) and several assets were seized in a multi-country raid.
A large number of people think that this was a sort of backlash reaction to the blackouts, but it was in fact timed to coincide with a party Dotcom was hosting at his house, so that all the eggs would be in one basket, so to speak. These arrests were the culmination of a 2 year long investigation, with the cooperation of the police in all countries involved. Of course, nobody bothered to check that and Anonymous did their usual retaliation bit. Although the charges are being laid by the US, the police in all the countries involved were a part of the investigation, thus solving any jurisdictional issues.
I will be a little evil at this time and point out that there were millions of dollars worth of stuff seized, including some art, tech and a few luxury cars.There were also large accounts frozen and so on. The irony here is a large number of people justify piracy by saying it only affects the super rich guys in the super rich studios/labels, which kind of describes these guys. Not really sure why everybody is so vociferously supporting them, but I'm sure they have some really good reasons. Let's look at how exactly Megaupload is defending themselves.
The main defense that has been put forward is either "The majority of our traffic (and therefore business) was legitimate" or "we always took down infringing content." The first defense is, in my opinion, a big steaming pile of shit. That is like saying "You can't shut down my shop because only 10% of my income is from selling drugs." I don't at all doubt that there were users who were using in a fully legal manner, but that's really beside the point. The point put forward is that those in charge were aware of this infringement and actively promoted it. As for the second argument, takedowns were only effected if provided if a notice was provided and as said before there was no real punishment for the uploaders.
There is sort of the further complication that of them trying to rip off youtube, but that's something I haven't really looked at and don't feel well informed enough to comment. I would recommend that you read the linked article.
So, in all of this a lot of facts got jumbled up and a lot of people assumed things that were not true. There facts a touch murky, but with a bit of time, one can wade through and see what's going on. I guess it was a matter of bad timing on a couple of fronts. The bottom line is that they have been arrested, denied bail and will face an extradition hearing on February 22 2012. For now, Megaupload is gone and I don't think it's going to come back any time soon.
Showing posts with label money. Show all posts
Showing posts with label money. Show all posts
Monday, 6 February 2012
Sunday, 14 August 2011
Black Hat and the constant accompyning headlines!
So, recently there was the Black Hat conference in Vegas. For those of you who are less informed, this is basically a large gathering of security researchers presenting their latest findings. And by findings I mean what they have recently broken. Most people dub this a "hacker" conference which is not to unreasonable, but I have one issue with it. The media coverage of it.
The only reason the term "hacker" is used is to sound sexy to the media. They hear that word and they are doing backflips through rings of fire to get the story. And as we are aware the media doesn't always get it right when reporting computer security related issues. Black hat presentations are geared to getting the media attention and causing a bit of a frenzy.
A prime example of that is Don Bailey's presentation which was entitled "War Texting: Identifying and Interacting with Devices on the Telephone Network" which does raise some valid points about connectivity of critical devices (details in another post) but it was also well marketed. He showed that he could unlock cars just by sending a few text messages. When normal people hear something like "vulnerability in FPGA-based control systems" or something similar they do not really know what it means.
Say "I can unlock your car with my phone" and they are scared. Don did say (quote in this article) "I could care less if I could unlock a car door. It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat." Which is basically my grievance. As security researchers, we have to sexy up our ideas and then present them to the general populous. Which in turn leads to what I would deem to be an inconvenience.
If you want media attention, then you research on topics that you can sell with a little bit of FUD. Which does restrict your scope quite a lot. This then has a further effect that people view security researchers as only doing this kind of research. This leaves the more theoretical people, like myself, out in the cold, so to speak. Which may or may not be a bad thing, I am not really sure, but I am very sure that it does grind my gears a smidge.
The only reason the term "hacker" is used is to sound sexy to the media. They hear that word and they are doing backflips through rings of fire to get the story. And as we are aware the media doesn't always get it right when reporting computer security related issues. Black hat presentations are geared to getting the media attention and causing a bit of a frenzy.
A prime example of that is Don Bailey's presentation which was entitled "War Texting: Identifying and Interacting with Devices on the Telephone Network" which does raise some valid points about connectivity of critical devices (details in another post) but it was also well marketed. He showed that he could unlock cars just by sending a few text messages. When normal people hear something like "vulnerability in FPGA-based control systems" or something similar they do not really know what it means.
Say "I can unlock your car with my phone" and they are scared. Don did say (quote in this article) "I could care less if I could unlock a car door. It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat." Which is basically my grievance. As security researchers, we have to sexy up our ideas and then present them to the general populous. Which in turn leads to what I would deem to be an inconvenience.
If you want media attention, then you research on topics that you can sell with a little bit of FUD. Which does restrict your scope quite a lot. This then has a further effect that people view security researchers as only doing this kind of research. This leaves the more theoretical people, like myself, out in the cold, so to speak. Which may or may not be a bad thing, I am not really sure, but I am very sure that it does grind my gears a smidge.
Saturday, 25 June 2011
Why is digital money may be a bad idea.
Basically right after I posted this, I read this. Kind of an "I told you so" moment. But apart from that I am at a lack of words for this. I've been staring at my screen for a couple of days now and I have nothing (useful or insightful) to write. Apart from the fact that this whole real currency-bitcoin exchange is a little bit hinky and this is one of the problems you can have with it. For this post, please insert the accustomed amount of wit, cynicism and all that jazz you are used to. Thanks :)
Monday, 20 June 2011
Let's talk money, digital money!
Alrighty then, I'm going to assume that everybody has some basic understanding of the concept of money. Next, I assume you all have some idea of how to spend money online using things like paypal, credit cards, debit cards and so forth. Also, the reason nobody that people shouldn't be able to steal your details and thus your money, if it's all done right, depends heavily on crypto. Best way to explain what I do, is to ask "Have you ever bought anything online?" When they answer in the affirmative, then I say "You're welcome."
All levity aside, let's talk about money. Money is official looking paper and bits of metal that carry some value. This value is backed by some central authority. This would normally be the central bank of the country, but could be larger such as the Eurozone. There's a whole lot of economics behind how and why this works, inflation, deflation, devaluation, exchange rates etc that I don't even pretend to understand. We all accept this at face value and move with our lives.
In the online world, it's basically the same thing. The authorities may have changed to credit card issuers, certification authorities and others, but the principle remains the same. Now, this idea doesn't sit too well with the über-privacy people. They are now afraid of all the digital "paper trail", if you will, that is created by all of this. They say that if we can use crypto to secure our transactions, then why not use it to preserve our privacy and create anonymity.
Well, there is quite a lot of cryptographic research in the field of what we like to call e-cash. All this research is completely agnostic of the economic aspects and focuses on the crypto stuff. Until a few days ago, I thought there was no real implementation of any sort of e-cash. Then I heard about Bitcoin. Just as a brief side-note, cryptographers love coins. It's some what of a convention that all randomness is generated using coins and that all e-cash schemes are described in terms of coins. There is good reasoning behind it, but I shan't go into details.
So, back to Bitcoin, which is "the first decentralised digital currency" according to the introductory video. They then go on to explain how it all works and what the advantages are. I'll just recap it for you, for completeness. Bitcoins works using identifiers called addresses, which are essentially random strings. Each user gets 1 when they download the client software. They can then create more so as to have different types of payments come and/or go to/from different addresses. All of these are tied to the same wallet. So if person has addresses a and b then sending money to either address would be the same. This is how anonymity is preserved.
When Bitcoins are sent from person to person, the transaction is hashed and signed. The hash value and digital signature are then verified by the the other users in the system. Once a transaction is verified, the Bitcoins are added to and subtracted from the relevant accounts. This is the decentralised aspect. In normal e-commerce transactions, the verification would be done by a centralised authority such as a bank or clearing house. With Bitcoins this is done in a peer-to-peer (P2P) manner. Another interesting thing is that Bitcoins are super divisible. You can go down to 0.00000001BTC. Which is the advantage of having a digital currency.
So I thought I'll give this a try. So, I downloaded the client software and started reading through the literature and all the wikis and got a feeling for how this all works. There is a whole sub-culture built based around bitcoins and it is quite fascinating. There are entire forums and IRC channels dedicated to the provision of trade in and using Bitcoins. However, as I dug deeper I discovered two very interesting points.
Firstly, Bitcoins are more of a commodity than a currency IMHO. I would like to think of Bitcoins as digital gold. This analogy is fairly apt given the way the currency works, especially with respect to generation. The generation of Bitcoins is called "mining" and involves essentially finding a pre-image for a hash function. Now this requires huge amounts of computations, but once done, a "block" is created. The creation of this block gives the creator some Bitcoins, at time of writing this stands at 50BTC. For those of us that do not have a super computer, there are still options.
The basic technique is called "pooled mining." Here what you do is you combine your computational power and split up the profits according to how much work you did. One way of doing this, if you have a reasonable large amount of computational power, is to join a mining pool. There are several ways this can be done and there are a few technical details that need to considered. Mostly these depend on a central server, which is ironically what Bitcoin was trying to avoid. For those of us with less computational power, there are alternatives, such as this (BTW if you are feeling really nice, you could try and generate a few coins for me here or you could just send some to 1KbnDDaS3UTAMZkqHSJwGuWgdApQr3wAqp).
However, there are other ways. Carrying on the gold analogy, there are people who own gold but have never even been near a mine. How? They buy it! The same goes for Bitcoins. There are some marketplaces where you can buy and sell Bitcoins for real money. It's fairly easy to compare to say a fresh fish market, let's say. Basically, the fishermen catch the fish (in this case they mine Bitcoins) and then go to a fixed place to sell it. The public knows this place and come there to buy some fish (or in our case Bitcoins). The reason I use the fish market analogy is that there is some haggling and negotiations involved, which is not unlike the Bitcoin marketplaces. In this places you can buy and/or sell Bitcoins for USD, GBP, EUR, or even SLL, the currency of Second Life. Not kidding on the last one.
Which sort of brings me to the second point. Even though Bitcoin is supposed to be decentralised, it seems to be doing it's best to achieve the exact opposite. The whole idea is to not trust this one monolithic central institution, but instead distribute the trust amongst all participants in the system, that is using P2P. There is always some sort of large trust placed in central entities, of varying size, but the point still remains. Transaction verification is still very much P2P, but not much else is. And therein lie the problems.
"With great power comes great responsibility" said Uncle Ben, rightly so. In the mining context, there are ways that servers and miners can cheat. The details of this are fairly technical and thus I will skip them. The essence is that if you control a large enough share of the mining pool, you can control the outcome of the pool, in that who receives how much money. Some people would argue that such attacks are infeasible, but I think they are possible. Further more, with all the multiple currency exchanges, it's not unlikely that somebody could be making, or trying to make, money speculating of price rises and drops. The problem here is that because it's so decentralised, there is the risk of somebody "making a run on the currency." I'm not entirely sure I know how that works, but I believe them.
The most recent problem that has surfaced is that of theft. All the "money" is stored locally on your hard drive in a single file called "wallet.dat". After reading a few of the forums, it became painfully obvious that everybody knows exactly what this file is and what it does. I thought to myself "That's quite a nice target for an attack". Hey presto, somebody did it. The thing with attacks of this kind is that they are pretty much untraceable. Remember, Bitcoin operates on anonymous identities, so even if you get the address that the money was sent to, you don't really learn anything.
So, there are some really cool things about Bitcoin and some not so cool things. I really have no strong opinions about it either way at this point in time. I am just going to let things develop and see what happens. There is a lot of talk about how these may be used to buy and sell drugs, which could lead to the whole thing being shut down, but we shall have to wait and see.
All levity aside, let's talk about money. Money is official looking paper and bits of metal that carry some value. This value is backed by some central authority. This would normally be the central bank of the country, but could be larger such as the Eurozone. There's a whole lot of economics behind how and why this works, inflation, deflation, devaluation, exchange rates etc that I don't even pretend to understand. We all accept this at face value and move with our lives.
In the online world, it's basically the same thing. The authorities may have changed to credit card issuers, certification authorities and others, but the principle remains the same. Now, this idea doesn't sit too well with the über-privacy people. They are now afraid of all the digital "paper trail", if you will, that is created by all of this. They say that if we can use crypto to secure our transactions, then why not use it to preserve our privacy and create anonymity.
Well, there is quite a lot of cryptographic research in the field of what we like to call e-cash. All this research is completely agnostic of the economic aspects and focuses on the crypto stuff. Until a few days ago, I thought there was no real implementation of any sort of e-cash. Then I heard about Bitcoin. Just as a brief side-note, cryptographers love coins. It's some what of a convention that all randomness is generated using coins and that all e-cash schemes are described in terms of coins. There is good reasoning behind it, but I shan't go into details.
So, back to Bitcoin, which is "the first decentralised digital currency" according to the introductory video. They then go on to explain how it all works and what the advantages are. I'll just recap it for you, for completeness. Bitcoins works using identifiers called addresses, which are essentially random strings. Each user gets 1 when they download the client software. They can then create more so as to have different types of payments come and/or go to/from different addresses. All of these are tied to the same wallet. So if person has addresses a and b then sending money to either address would be the same. This is how anonymity is preserved.
When Bitcoins are sent from person to person, the transaction is hashed and signed. The hash value and digital signature are then verified by the the other users in the system. Once a transaction is verified, the Bitcoins are added to and subtracted from the relevant accounts. This is the decentralised aspect. In normal e-commerce transactions, the verification would be done by a centralised authority such as a bank or clearing house. With Bitcoins this is done in a peer-to-peer (P2P) manner. Another interesting thing is that Bitcoins are super divisible. You can go down to 0.00000001BTC. Which is the advantage of having a digital currency.
So I thought I'll give this a try. So, I downloaded the client software and started reading through the literature and all the wikis and got a feeling for how this all works. There is a whole sub-culture built based around bitcoins and it is quite fascinating. There are entire forums and IRC channels dedicated to the provision of trade in and using Bitcoins. However, as I dug deeper I discovered two very interesting points.
Firstly, Bitcoins are more of a commodity than a currency IMHO. I would like to think of Bitcoins as digital gold. This analogy is fairly apt given the way the currency works, especially with respect to generation. The generation of Bitcoins is called "mining" and involves essentially finding a pre-image for a hash function. Now this requires huge amounts of computations, but once done, a "block" is created. The creation of this block gives the creator some Bitcoins, at time of writing this stands at 50BTC. For those of us that do not have a super computer, there are still options.
The basic technique is called "pooled mining." Here what you do is you combine your computational power and split up the profits according to how much work you did. One way of doing this, if you have a reasonable large amount of computational power, is to join a mining pool. There are several ways this can be done and there are a few technical details that need to considered. Mostly these depend on a central server, which is ironically what Bitcoin was trying to avoid. For those of us with less computational power, there are alternatives, such as this (BTW if you are feeling really nice, you could try and generate a few coins for me here or you could just send some to 1KbnDDaS3UTAMZkqHSJwGuWgdApQr3wAqp).
However, there are other ways. Carrying on the gold analogy, there are people who own gold but have never even been near a mine. How? They buy it! The same goes for Bitcoins. There are some marketplaces where you can buy and sell Bitcoins for real money. It's fairly easy to compare to say a fresh fish market, let's say. Basically, the fishermen catch the fish (in this case they mine Bitcoins) and then go to a fixed place to sell it. The public knows this place and come there to buy some fish (or in our case Bitcoins). The reason I use the fish market analogy is that there is some haggling and negotiations involved, which is not unlike the Bitcoin marketplaces. In this places you can buy and/or sell Bitcoins for USD, GBP, EUR, or even SLL, the currency of Second Life. Not kidding on the last one.
Which sort of brings me to the second point. Even though Bitcoin is supposed to be decentralised, it seems to be doing it's best to achieve the exact opposite. The whole idea is to not trust this one monolithic central institution, but instead distribute the trust amongst all participants in the system, that is using P2P. There is always some sort of large trust placed in central entities, of varying size, but the point still remains. Transaction verification is still very much P2P, but not much else is. And therein lie the problems.
"With great power comes great responsibility" said Uncle Ben, rightly so. In the mining context, there are ways that servers and miners can cheat. The details of this are fairly technical and thus I will skip them. The essence is that if you control a large enough share of the mining pool, you can control the outcome of the pool, in that who receives how much money. Some people would argue that such attacks are infeasible, but I think they are possible. Further more, with all the multiple currency exchanges, it's not unlikely that somebody could be making, or trying to make, money speculating of price rises and drops. The problem here is that because it's so decentralised, there is the risk of somebody "making a run on the currency." I'm not entirely sure I know how that works, but I believe them.
The most recent problem that has surfaced is that of theft. All the "money" is stored locally on your hard drive in a single file called "wallet.dat". After reading a few of the forums, it became painfully obvious that everybody knows exactly what this file is and what it does. I thought to myself "That's quite a nice target for an attack". Hey presto, somebody did it. The thing with attacks of this kind is that they are pretty much untraceable. Remember, Bitcoin operates on anonymous identities, so even if you get the address that the money was sent to, you don't really learn anything.
So, there are some really cool things about Bitcoin and some not so cool things. I really have no strong opinions about it either way at this point in time. I am just going to let things develop and see what happens. There is a lot of talk about how these may be used to buy and sell drugs, which could lead to the whole thing being shut down, but we shall have to wait and see.
Subscribe to:
Posts (Atom)
Subscribe To
Posts
All Comments