Cybersecurity has become vital to all aspects of our digital life. Incidentally, the challenges created and questions raised by global Internet usage are attracting an increasing number of developers, researchers and tech entrepreneurs, who are keen to develop viable solutions to the acutest issues and threats.
How can we protect our data? Do we need to review the criminal penalties for hacking to more effectively deter illicit interference in the digital space? We spoke to Michael Perklin, Chief Information Security at ShapeShift, at the Genesis Moscow Conference to help elucidate these challenges and address the many other pertinent issues surrounding cybersecurity.
Michael Perklin has been performing digital forensic examinations, cyber investigations, and incident response post-mortems for over a decade. He is the co-author of the CryptoCurrency Security Standard and a board member of CryptoCurrency Certification Consortium (C4) as well as the Bitcoin Foundation. In addition to this, Michael has been qualified as an Expert Witness in the courts of Canada and the United Arab Emirates, and has testified about Bitcoin at the Canadian Senate's Committee on Banking, Trade, and Commerce. He is also the president of C4, a non-profit standards organization dedicated to developing and maintaining the standards that assist organizations using blockchain technology such as Bitcoin. Michael continues to conduct independent research in the security field and enjoys thinking of new ways to break things.
Binary District Journal: Why is the topic of cybersecurity so important?
Michael Perklin: “Cybersecurity is important for every aspect of your digital life today, and now that more and more companies are dealing exclusively online -- security becomes more important. Whereas before you could get away with not really securing things because not everybody knew how to break into systems.
Today, there are entire university courses on breaking into systems and securing systems; and there is so much knowledge online for people to learn how to hack into systems, that any company that doesn't take security seriously and try to secure their systems will find themselves as a failure. This can be seen very clearly with the Equifax hack in the United States.”
BDJ: How should we punish hackers?
MP: “Like with any disruptive technology, it changes the world so quickly that in many cases the laws don't have the chance to catch up. When cars were first invented, there was no such thing as speeding laws or the law where you aren’t allowed to drive under the influence of alcohol.
Over time as failures happen, as people crash and die, those laws came into place. With computers, there were no laws initially on the unauthorised access of a computer system, or the computing laws that are now pretty much ubiquitous around every jurisdiction. It’s not surprising to me that when it comes to blockchain technology, the laws haven’t caught up yet. But, given time, the laws will catch up and the laws will work one to one with traditional theft laws that we already have today.
As far as catching these hackers and punishing them, in some of my investigations I was able to identify who stole the funds and the proper authorities were notified. In other cases, there wasn't enough evidence to conclusively prove that a particular person effected the theft. So, on a case by case basis, the authorities are involved, and right now it’s up to them to follow through.”
BDJ: Is it possible to track the nationality of the hacker?
MP: “When it comes to people who gain unauthorised access to another computer system, it’s typically difficult to identify who the person was. The internet works by millions of switches, routers, and nodes that relay one signal from one line to another signal on another line. Sophisticated technologists are able to bounce their signal through so many of these routers and switches from around the world, that they could very easily obfuscate their origin.
So while it may appear that one particular IP address is the origin of a connection, that IP address may simply be relaying yet another node behind it. So for that reason, it’s difficult to conclusively prove who originated the communication unless you have access to the exact machine that was used to send that communication over the internet.”
BDJ: Are blockchains really unhackable?
MP: “Blockchains are very secure by design, however just because the system is secure, doesn't mean that you are secure. At the end of the day, you are responsible for your private keys and if you don't protect them properly, you will still get hacked. That's not the fault of the blockchain, that's the fault of how you protected your wallet. It’s very similar, like, someone walking down the street and they get mugged, and somebody steals US dollars from their wallet. Just because the US dollar system is secure, doesn't mean that you can't have your money stolen from your pocket. Blockchains are secure by default, but it’s still up to you to protect your private keys.”
BDJ: What was the most striking lesson that you took from Bitfinex hack?
MP: “Before I joined Shapeshift as their Chief Information Security Officer, I worked as a blockchain security consultant and a blockchain investigator for about 6 years before joining Shapeshift. In that capacity, I had the opportunity to investigate a lot of large-scale breaches, including Bitfinex’s breach and a variety of others. While I did find the root cause of each of these attacks, unfortunately, I’m not able to disclose those to the public; that would be Bitfinex’s choice to disclose my findings to the public.
But through the investigation of Bitfinex and through the investigation of a variety of other large-scale breaches, the cryptocurrency security standards were developed as a collaborative effort between myself and other security researchers in the space. The benefit of this knowledge can be reaped by anybody that reads and uses the cryptocurrency security standard in their own system.”
BDJ: What’s the best way to secure a password?
MP: “The way that blockchains work is very new compared to how classic computer science works. It’s similar to when we all first learning about how to protect our passwords; remembering a secure password was never something humans had to do until around the 80’s and early 90’s. The first people that created passwords they used their mother’s maiden name or they used their birthday -- very simple things that by today’s standards are horribly insecure. There was a lot of knowledge and a lot of education that we as a society had to go through, to learn how to secure our passwords safely.
Now we’re dealing with private keys, with many people, for the very first time, there’s a whole new set of skills, a whole new set of knowledge that you need to learn to protect private keys safely. Yes, today it is more difficult to do because this technology is so new there aren’t easy systems that have been created yet, that make it very point and click, that make it very simple to secure your private keys.
There will be a time tomorrow where private keys are stored very securely on whichever mobile device you have and in a way where you don't need to worry about writing down a password, or otherwise jumping through many of the manual hoops that we have today.”
BDJ: What is the most secure way to store digital currencies?
MP: “There are competing priorities when you’re dealing with a cryptocurrency: on the one hand, you want to store it securely; on the other hand, you want it to be very easy for transfer or trading another token for other assets. These are always at odds with each other. By far the most secure way to store your cryptocurrencies are in a hardware wallet, such as a keep key device. These pieces of hardware, they look similar to USB sticks, they store your keys completely away from your laptop so they cannot be stolen by any hacker who has broken into your laptop.
As for exchanges, when you place your tokens into someone else’s hands, they are now responsible for keeping your token safe. If they don't have security procedures and they lose your money, at the end of the day you are the one that is at a loss. For this reason, using any kind of exchange that doesn't take custody of your funds is by far the safest way for every user.
For example, Shapeshift, you never need to give your money away. Shapeshift never keeps your funds on deposit. It’s very much like a vending machine, you put one in and you get another out immediately. There’s no risk of you losing your funds if Shapeshift gets hacked.”
BDJ: Are scalability issues a serious problem for blockchains?
MP: “Most blockchains cannot scale to the level that is needed by the entire global system, but this is still very new in the blockchain era. It takes time to scale. It’s no different from the first people to use the internet, they could watch streaming videos online through their dial-up modems but over time technology advanced. People got faster modems that were able to handle the speed of the data that they wanted, and now streaming video is so commonplace that it’s almost impossible to imagine an internet where you could do something like that. So as far as blockchain scaling goes, I’m not worried. There will be growing pains and there is a lot of work that needs to be done by a lot of very smart people in the space, but they are doing that.”
BDJ: With the increasing quantity of data, how should we deal with privacy concerns?
MP: “The recent Equifax hack that affected almost every single American, shows very clearly that it’s not entirely your responsibility to protect your information when your information is in someone else’s hands. Now Equifax kept private records of every American, and these were leaked as a result of poor security and measures taken by the company. That underscores the necessity of data privacy.
The European Union has far better privacy laws than in North America, but there are cases where even European companies still need to store private information on its citizens as well. This is why systems that can operate without taking any private information are far more secure by default. For example Shapeshift, unlike any other exchange where you need to give your name, you need to have a scan of your passport, you need to upload a lot of very personal and sensitive information to that exchange just to operate.
With Shapeshift, you don't need any of this information - you simply go to the website and say ‘I have Bitcoin, I want Litecoin’, you send you Bitcoin in and you get your Litecoin out. Because Shapeshift doesn't take any of your personal information, there’s no opportunity for them to mishandle it and lose it, and that’s one of the reasons why in some jurisdictions that mandate that exchanges like Shapeshift store this information, Shapeshift simply doesn't serve that jurisdiction. If you tried to access the Shapeshift platform from North Korea, or the state of New York, or the state of Washington you will be greeted with the same message, saying you cannot use our system because we refuse to take your personal information.”
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]