Bigger, Better, Faster ...
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
There has been a lot of talk about how Blockchain, and somehow by extension cryptocurrency, is hack-proof and the technology is immune from cyber-criminals. My favorite and maybe least arrogant explanation starts with the notion that the Bitcoin Blockchain is essentially a digital global ledger and, in virtual real-time, every Blockchain transaction is recorded in a block that is added to the ledger.
Then, because each newly added block must refer to the preceding block to be valid, the technology creates a chain of blocks with time-stamps and exchanges of values acting like a digital wax seal and magically preventing anyone from altering the ledger.
The argument goes that if a bad guy wanted to hack a block, he would have to hack not just that block but the entire chain, and since all blocks use the highest levels of cryptography, and reside not just on one computer but on millions of computers across the universe simultaneously, it would somehow be impossible to break in.
This renders all forms of cryptocurrency safe from criminal mining attempts or other forms of attempted theft and corruption of the base values. This is the theory that is supposed to quell any fears investors may have in trading these un-backed and un-regulated digital currencies.
Except when it turns out to be false.
We just saw a group of clever hackers bypass all that by hijacking not Blockchains themselves but instead government websites in the U.S. and Europe in order to mine cryptocurrency through the computers and smartphones of visitors to those sites.
This illicit cryptocurrency mining, known as crypto-jacking, was taking place on more than 4,200 websites last Sunday right during the AT&T golf tournament, using a malicious version of a tool called Browsealoud. This Browsealoud software product is embedded into tens of thousands of websites to help the blind and people with poor vision by providing an audio version of the text contained in the site. If you want to get to thousands of miners, you need only infect one site, in this case CoinHive, a popular JavaScript crypto-miner for the Monero Blockchain, and change the hosted script file.
It really didn’t take the cyber-criminal community long to figure out a way around the supposedly impenetrable protective shield provided by Blockchain technology.
Simple, dimple – infect websites that are legitimately used to mine cryptocurrency like CoinHive, gain a vast network of active miners who will then generate as many cryptocurrencies as you like and make a ton of dough in an afternoon without breaking a sweat.
And before all of the Blockchain fans bombard me with comments about the fact that it wasn’t Blockchain that was hacked, the point is that the very fact of Blockchain did nothing to prevent the corruption and illicit mining of cryptocurrency and soon, someone will figure out how to hack Blockchain itself as well. Either way, whether the lock held or failed, the horses were gone.
Of course, the market appears undaunted as Bitcoin rebounded from its Friday low of $7,000 to $8,500 by Monday morning in spite of the breaking CoinHive news and may be on its way back to $20,000 by week’s end. And it should surprise no one that Microsoft announced Monday its embrace of public blockchains, such as bitcoin and ethereum, for use in decentralized identity systems, to further the movement away from the possibility of censorship and toward giving individuals control over their identity and reputation.
This announcement explained that after examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards, Microsoft concluded that Blockchain technology and protocols are well suited for enabling decentralized IDs.
This from the same company that gave us the famous vulnerability in their implementation of the SMB1 protocol, which allowed hackers to use the NSA-developed exploit EternalBlue to execute malicious code on any and all Windows machines from Windows Vista and Windows Server 2008 through to Windows 10 and Windows Server 2016.
That same vulnerability was then used in a modified version to create the WannaCry outbreak and subsequently modified further to morph into NotPetya. As a refresher, NotPetya cost FedEx and Maersk each over $300 million in quarterly earnings, and at last tally was worth over $893 million in total global losses.
We also just saw that Faraday cages are not hermetic after all and can be bypassed by manipulating the magnetic fields and extracting all of the operating system data from a disconnected laptop with a smartphone positioned outside the cage. Interestingly, this discovery was prompted by documents that demonstrated how the CIA used malware to infect air-gapped machines. The exploit, called “Brutal Kangaroo,” allowed CIA attackers to infiltrate closed air-gapped networks, which are also supposedly shielded from malware attacks.
So, let me get this straight.
We have discovered in the past few months that the backbone of all of our Internet communications is flawed and exploitable, that the DNS service we all use for email and web browsing can be tunneled to steal account data, that Faraday cages are not bullet-proof after all, and that the microchip every one of our computing devices, including our smartphones, depends on can easily be compromised at the hardware level to enable malware penetration into everything.
And now, just to double down on risk, we want to use the same technology that was just outsmarted by a bunch of low-level hoods … to create decentralized IDs to protect our personally identifiable information from thieves … by the same people who failed to protect the software backbone of the world’s most popular desktop and server operating systems … resulting in almost a billion dollars in lost revenue, and untold secondary loss amounts.
Which means we may have arrived at that critical moment where, not unlike the arc of social media momentum, we have achieved peak addictive compulsion (more data, more digitalization, more connectedness, more returns, more productivity, more profitability), and the more we push the envelope, the harder it will be to return to the simple fundamentals of managed cybersecurity behavior, let alone to even contemplate engineering a fresh infrastructure. Or is quantum computing supposed to do all that by itself?
Our fascination with endless social validation feedback loops seems to mirror our enthusiasm for continued investments in a digital future, and to hell with the consequences.
Dopamine is powerful stuff.
Such a great piece, Steve King, CISM! Hopefully all of us in tech leadership will be a little bit more cautious about running to adopt new tech, just because it's sexy, shiny and cool.
Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant
6 years · Indeed Steve King, CISM, the quick building of convenient tools without secure design is allowing the criminal mind a cornucopia of easy choices - also the assumption of quality (is "good enough") removes the perception of responsibility from the user...
Chairman and Founder at ConnectandSell
6 years · Ah so Mr King. It appears you are getting smarter with age. Bottom line question: who do you think will vs should be motivated to heed your words????
Executive Director at Luttrell Thinking Pty Ltd
6 years · Great post, and very interesting Steve...
Unix, network and open source security expert
6 years · I have the impression of attending a race of decapitated rats on steroids, where the spectators shout "faster, faster ...". Based on a screenplay by George Orwell, and a staging by Adolf Hitler.