They expect the apps to be secure, scalable, and free of defects.
Thanks to Open Source Software, this is entirely possible! ... right?
As the Panama Papers showed, maybe not.
But are blog owners alone? No.
Stores on Opencart, Magento, and basically anything built using Drupal were all at risk at various points. Virtually every software product suffered--open source or not.
The top-50 list of software with the most vulnerabilities includes:
A former owner with administrator access had their account compromised and 2,643 BTC were lost.
A Bitcointalk user "allinvain" complained about losing 25,000 BTC to a thief.
MyBitcoin allegedly closed down operations to steal 78,739 BTC from customers. The current value of the stolen coins is staggering.
Bitomat.pl lost 17,000 BTC when it accidentally deleted the private keys that owned the funds. More a problem with system design than a hack.
A series of bad transactions destroyed 2,609 BTC. MtGox pioneered it with BTC, but QuadrigaCX later perfected the art with ETH.
First Pirate Savings and Trust, later known as Bitcoin Savings and Trust, defrauded investors out of an estimated 263,024 BTC. If investors got their coins back today, there'd probably be no hard feelings.
Employees with access to the data stored on cloud servers at Linode were able to pilfer over 43,000 BTC from customers.
A Silk Road vendor going by the name of Tony76 offered remarkable deals on drugs, prompting a flurry of users to attempt to buy at a discount. It turned out to be a 30,000 BTC scam.
Hackers stole 38,527 BTC from Bitcoinica and its users in May 2012, then 40,000 BTC were misappropriated from the Bitcoinica Mt. Gox wallet in July 2012 (those funds were eventually returned).
Bitfloor, one of the largest exchanges at the time, lost 24,000 BTC. A 'small' early loss that has a huge current value.
Inputs.io lost ~4,000 BTC because of a server-side vulnerability -- a significant loss by today's standards. Always validate inputs; don't assume a $2/hour Elbonian programmer will.
GBL seems to have scammed its investors out of ~22,000 BTC. They may not have pioneered scamming Bitcoin users, but they get an honourable mention.
Picostocks lost 6,000 BTC despite being a relatively unknown player--if that can be said of a company that can survive a 6,000 BTC loss.
Sheep Marketplace, an online drug market, stole or lost 96,000 BTC according to a self-proclaimed 'Forensic Blockchain Accountant'. I suppose users should be happy all they lost was BTC and not their freedom.
A quirk in Bitcoin made it possible to modify the hash of a broadcast transaction, so that the transaction hash you see might not be the one the miners do. Biggest amongst those affected was Mt. Gox, which claimed to have lost approximately 850,000 BTC.
An inside job cost Mintpal ~3,700 BTC. It's hard to convince someone to guard a million dollars for $10/hour. The struggle is real!
4,474 BTC were stolen from Silk Road 2, an internet drug market cashing in on the branding of the first.
425 BTC were stolen from Pandora Marketplace, an internet drug market on TOR.
Poloniex's sloppy coding resulted in the loss of 12% of their BTC--76 total. A very small loss, but one that was quite avoidable by a company now given a large amount of trust.
CryptoRush was robbed of ~950 BTC and ~2,500 LTC by an "IP from Ukraine". A well-engineered product is almost always better than a rushed one.
Cannabis Road, yet another drug market, was hacked for 200 BTC. You know the motto: don't say bye to BTC from your own supply.
Bitstamp's hot wallet was compromised. While it was fortunate that the publicly exposed servers used a hot wallet rather than acting as a massive vault, more than 18,866 BTC was taken.
One of the smaller hacks: BTER lost ~7,100 BTC. Notably, the hack took place on the cold storage wallet, which is traditionally maintained with the utmost security.
A few months earlier, BTER also lost more than $6 million worth of NXT.
Is nothing sacred?
Kipcoin, a Chinese bitcoin exchange and wallet service, reported that ~3,000 BTC had been stolen by hackers. Customers got to celebrate a new year with the loss of their funds.
A rogue Secret Service agent stole 1,606.6488 BTC during the arrest and conviction of the operator of the Silk Road.
Cryptsy, a significant player in altcoin exchange, reported that it was missing 13,000 BTC and 300,000 LTC of user funds. There was an ensuing lawsuit.
The DAO was supposed to be the ultimate ICO. Unfortunately, it was plagued with security issues. The Ethereum network split in two over the controversy. Given the 1,500-2,000% gain in Ether prices, the millions of Ether that were vulnerable, and the split, it's difficult to reason about how big an impact the DAO meltdown had. Had the DAO succeeded, the market cap of Ether might have exceeded Bitcoin's. The DAO might have driven Ether prices up by showing the community can respond, or it could have hurt more than 10 Mt. Gox hacks. We'll never know.
Approximately 120,000 BTC was stolen from Bitfinex. Multisig wallets with a third party--Bitgo--were supposed to be more secure than alternatives. Secret sauce a good burger does not make.
Canadian exchange QuadrigaCX upgraded their Ethereum node. As a result, ~67,000 ETH are 'stuck' in a contract--a significant error caused by a simple software update.
Bithumb, one of the largest crypto exchanges--operating in Asia--was compromised due to the security of an employee's personal computer. No official statement as to the magnitude of the loss has been made, but it may be in the billions of KRW.
Coindash had a successful ICO. But hackers perhaps got the better deal. ~43,488 ETH was stolen by hackers who inserted their address on the Coindash website, where the Coindash address should have been.
An issue with Parity's multisig contract implementation left more than 527,000 ETH vulnerable. The actual losses seem to have been reduced to 150,000 ETH thanks to whitehat hackers securing 377,000 ETH and promising to give them back (protip: you always want a doctor of debugging on call).
A 'trustless' client-side wallet served from the domain classicetherwallet.com reminded users of ETC that the term 'trustless', like 'decentralized', is perhaps used too loosely in the cryptocurrency industry. An estimated 16,500 ETC were stolen.
The response from Veritaseum seems to suggest losing 36,000 (maybe 50,000) of their VERI tokens is minuscule. Perhaps they'll fund this ICO with VERI tokens, since they're okay with giving them up so freely? ... with their OWN VERI tokens, of course. Doctor Oss doesn't condone throwing your users' coins away.
Another ICO trying to do the same thing as all the other ICOs--and getting funds stolen in the same way. 15,000 ETH were stolen by hackers who put their wallet address on the Enigma website.
No quick review of Cyber Crime's intersection with Cryptocurrencies would be complete without discussing ransomware (dishonorable mention to drug markets and the people who steal from them).
Do you use Windows? Linux? Mac OS X? Android? iOS? If you answered yes to any of these questions, are you worried about ransomware or stolen bank/credit card/exchange login info?
What about your health records? Worried about those being stolen?
Are you a famous celebrity with nude selfies on your iCloud?
Cyber Crime is scary. It can impact virtually anyone. And it has HUGE financial impact.
We need vaccines for all the ills inter-connectivity can bring. Somebody call a doctor!
Are you trying to create a decentralized store of value free from the influence of those currently in power?
That's almost like making a skyscraper that won't get blown down.
What do you know about the big bad wolf? Would you buy a straw house without asking a real estate agent or engineer?
Let us help.
When a skyscraper is built by an army of tradespersons, their collective work is inspected by someone with a holistic understanding of the project, and intimate material-sciences knowledge.
Code also needs to be inspected to ensure that when the individual pieces work, it also works as a whole.
We will treat the code as an integrated circuit, and ensure everything is wired correctly.
Late August 2017 saw the recall of 465,000 St. Jude pacemakers.
With IoT devices becoming more and more prevalent, and the incredible speed at which malware spreads (e.g. the Mirai Botnet), we should be VERY CONCERNED ABOUT CYBER SECURITY.
Flying a plane into a building, historically, causes approximately 3,000 deaths.
Fighting a war in Afghanistan because of someone flying a plane into a building, historically, causes approximately 3,000 U.S. military deaths.
The Mirai Botnet could have potentially killed 465,000 people!
In September 2017, we learned that Equifax was responsible for leaking highly sensitive information about more than 100 million people.
Again, we think you should be VERY CONCERNED ABOUT CYBER SECURITY.
If you've seen Mr. Robot, we now find ourselves in a situation where we could end up living in a post-banking wasteland if the rest of the economy doesn't absorb the debt created by Equifax's lack of spending on cyber security.
Rather than inform companies immediately (we work with a company using Equifax's services--I can assure you they made no disclosures in Canada), Equifax executives liquidated their shares.
They were more concerned with keeping the money they stole from the American people than they were in protecting the people and companies that use their services (skimping on cyber security to get rich is like skimping on safe building materials--be it theft or negligence or reckless endangerment, it's still wrong).
If you sell a credit monitoring service, and your company is the one that 'stole the identity', how could you charge someone for a monitoring service and not tell them? THAT IS LITERALLY FRAUD.
We also recently learned that Windows has made it possible for impossible-to-detect malware to exist for 17 years.
At the risk of becoming repetitive, we think you should be VERY CONCERNED ABOUT CYBER SECURITY.
The Windows market share amongst desktop users is HUGE. This revelation is to desktops what the one about Equifax is to people who use money.
Money and Operating Systems are, like it or not, integral to the survival of modern society (imagine grocery stores stopped taking cash and their computers didn't work. Where are you getting your food next week?)
Humans and AIs are similar beasts. They use multi-channel stimulus streams, reward and loss functions, and are constantly adjusting the significance of signals from their environments.
Stimulus streams--whether that be the data between a video game and server, or radio station and listener--follow certain patterns.
We visualize everything in a given stimulus stream as if it's a hieroglyph. A face emoji might be a "smiling emoji". It might be "a yellow-faced emoji". It might simultaneously be "an emoji with a smile".
When you know what the relevant stimulus inputs are, you are able to train classifiers to competently spot outliers and anomalies.
We've helped a Europol analyst get a grasp of the blockchain, and how one might be able to use it to track down Cyber Criminals.
He was provided with a copy of the software powering Blockchain.Exposed so he could combine the KYC disclosures made by exchanges to Europol with public, identifying information about businesses that use Bitcoin.
Although Blockchain.Exposed doesn't offer the public access to the insights that machine learning / graph network traversals offer, it does give a quick view of what citizens are capable of doing to fight Cyber Crime.
We've both audited exchanges made by others--full of fund-losing exploits--and created secure trading platforms for businesses pushing the envelope in their jurisdictions.
We're familiar with what goes wrong. We know what to do right.
When designing a circuit, you don't slap a bunch of semiconductors together with a fuzzy feeling in your mind, then proudly proclaim you've succeeded.
We want to make better tools so you can put the hammer down and pick the compass up.
For every 1 ETH received during the ICO at the smart contract address, the smart contract will return 10 DOC (Doctor Oss Coins).
Trust Bitcoin with $109.07 B? Even if a developer pushing updates says "There are never guarantees with software"?
Wouldn't it be better to have some kind of tool where you could have a guarantee?
A guarantee that your BTC, ETH, etc. won't simply disappear while you sleep?
One where:
Instead of gambling on eSports, we propose you gamble that we can make more off Bug Bounties than you pay for your tokens.
As an added bonus, you should get the benefit of avoiding being hacked once we've audited the apps you use.
With $11.58 B in losses to hackers already, a small investment in the crypto ecosystem's security simply makes CENTS[sic].
The ICO starts at block 4,262,000 (approx. Sep 11, 2017--the day commemorating fearful citizens) and ends at block 4,466,000 (approx. Nov 11, 2017--the day commemorating citizens breathing a sigh of relief).
The token smart contract has a depositProfits method. It adds the WEI transferred with the method call to a 'contract profits' variable.
When DOC are sent to the token contract address (0x7e2a7e9a814e4018b7a2128e010339d1fae3b778), they are 'burned'. The percentage of the total supply you burned is calculated, and you receive that percentage of the ether in the profit variable. The profit variable is reduced by what you received, and the total DOC issued is decreased by what you burned.
E.g. 100 DOC were issued and 100 ETH were deposited into the contract profit variable. You burn 10 DOC, you get 10 ETH. Now there are 90 DOC and 90 ETH left. Burn 5 more DOC? Get 5 more ETH.
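The accounting above (deposit into a profit pool, burn a share of supply, receive that share of the pool) can be modelled in a few lines. The block below is an added illustration, not the DOC token contract itself: the class and method names are assumptions, and amounts are kept as integers in wei and whole tokens, as an EVM contract would store them. It reproduces the page's 100 DOC / 100 ETH example and also shows what integer division does when a share does not divide evenly.

```python
"""Model of the DOC burn-for-profit-share accounting described above.

Added illustration, not the project's token contract. Names
(ProfitShareToken, deposit_profits, burn) are assumptions; amounts are
integers (wei and whole tokens), as an EVM contract would store them.
"""

WEI_PER_ETH = 10**18


class ProfitShareToken:
    """Tracks token balances, total supply and the 'contract profits' pool."""

    def __init__(self) -> None:
        self.total_issued = 0             # DOC currently in circulation
        self.profits_wei = 0              # accumulated ETH profit, in wei
        self.balances: dict[str, int] = {}

    def issue(self, holder: str, amount: int) -> None:
        """ICO-style issuance: credit tokens and grow the total supply."""
        if amount <= 0:
            raise ValueError("issue amount must be positive")
        self.balances[holder] = self.balances.get(holder, 0) + amount
        self.total_issued += amount

    def deposit_profits(self, wei: int) -> None:
        """depositProfits(): the value sent with the call joins the profit pool."""
        if wei <= 0:
            raise ValueError("deposit must be positive")
        self.profits_wei += wei

    def burn(self, holder: str, amount: int) -> int:
        """Burn `amount` DOC and return the holder's pro-rata share of the pool.

        All bookkeeping happens before any ether would be sent, so a
        re-entrant call would already see the reduced supply and pool
        (checks-effects-interactions ordering).
        """
        if amount <= 0 or amount > self.balances.get(holder, 0):
            raise ValueError("insufficient balance to burn")
        # Floor division: the contract can never pay out more than it holds;
        # any sub-wei remainder stays in the pool for the remaining holders.
        payout = self.profits_wei * amount // self.total_issued
        self.balances[holder] -= amount
        self.total_issued -= amount
        self.profits_wei -= payout
        return payout


def worked_example() -> tuple[int, int, int, int]:
    """The page's example: 100 DOC issued, 100 ETH deposited, burn 10 then 5."""
    token = ProfitShareToken()
    token.issue("holder", 100)
    token.deposit_profits(100 * WEI_PER_ETH)
    first = token.burn("holder", 10)     # 10% of supply -> 10 ETH
    second = token.burn("holder", 5)     # 5 of the remaining 90 -> 5 ETH
    return first, second, token.total_issued, token.profits_wei


def rounding_example() -> tuple[int, int]:
    """Integer arithmetic: 3 DOC share 100 wei; burning 1 yields floor(100/3)."""
    token = ProfitShareToken()
    token.issue("a", 1)
    token.issue("b", 2)
    token.deposit_profits(100)
    payout = token.burn("a", 1)
    return payout, token.profits_wei     # (33, 67): the dust stays in the pool


if __name__ == "__main__":
    first, second, left_doc, left_wei = worked_example()
    print(f"burn 10 -> {first // WEI_PER_ETH} ETH, burn 5 -> {second // WEI_PER_ETH} ETH")
    print(f"remaining: {left_doc} DOC, {left_wei // WEI_PER_ETH} ETH")
    print("rounding:", rounding_example())
```

Two details matter for an audit of a contract like this: the payout is computed from the supply and pool as they stand before the burn and all state is updated before any transfer, and division rounds down so the pool can never be overdrawn by a sequence of small burns.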
If funding reaches $10 M USD we will, as a bonus, vastly improve the blockchain.exposed explorer, open source it, and host it so that Crypto Enthusiasts can become 'Forensic Blockchain Accountants' in their own right from their own homes and track down some of the BILLIONS of USD in illegally obtained Crypto. It would feature an effective implementation of the 'coloured coins' concept.
90% of the bounties paid to us for bugs we find with the tools we will develop will be converted into ETH and deposited as the manufactured reward for kickstarting this project--stored in the profit variable (or, should another fork occur, split between ETH and forked currencies respecting the smart contract, in the ratio we deem appropriate based on our estimation of how long a given fork might survive--which you can then hedge against by burning tokens on one fork and not another).
With some bounties topping out at $250,000.00 USD, we hope to offer a substantial benefit to contributors quickly, with added benefit in terms of security following in tow.
Our intention is to claim as many bug bounties as possible before releasing the code to the OSS community, to disclose responsibly and ensure--as much as is possible given vendor cooperation--the patching of critical internet infrastructure before exposing the internet to potential harm, and to release the code regardless of profitability in the near future (current goal: winter 2022).
When 10% of the value of bug bounties and the remaining ICO funds are no longer sufficient to cover the ongoing cost of development and bug hunting, the code base will be released on GitHub (or another source-sharing service if need be) under an MIT license, to the extent that MIT licensing is possible.
Salaries will be aligned with prevailing market rates given experience, job duties, and individuals' costs of living. Expenses will be limited to those required to operate the business--office space, telecommunications, salaries, insurance, professional fees, domain registration, necessity-only computing power. Basically, limited to only expenses that would pass the scrutiny of a rigorous tax audit.
The funds from the ICO are transferred to an account on a Trezor hardware wallet. From there, they will be split into multiple accounts to hedge against the minuscule risk of account address collisions and resulting theft. The recovery seed is split into two halves, stored separately.
Unfortunately, this is more than we can say about most ICOs.
Aaron isn't particularly known for being a free man. Tirelessly, he analyzes, debugs, repairs, and in so doing expands his network.
At 18, he found himself holding email addresses and passwords for executives at Industry Canada. When he met with them, they explained, "jokingly", that if they catch someone breaching their cyber security, they take them out back behind the wood shed and shoot them. Fine when the person goes down to Ottawa to meet you in person, not so great a strategy when the attacker is in Ukraine.
Later, he turned his eye to the law. Reduced it to a system of logic statements. Concluded that since they cannot be combined into a satisfiable Prolog script, the law must not be 'real'. He then learnt the hard way that even if the law isn't 'real' and/or "can't protect you", there are people with guns willing to shoot or kidnap you, and people with keyboards willing to hack you or blow up power plants.
Aaron thought that we trust online games with a lot of control over our computers. He thought we should have some kind of assurance that they aren't doing anything sneaky with our data or connection. So, he made a signal analysis application to do so.
Then came bitcoin. A new hope. Among the many Crypto-Space projects Aaron was involved in was auditing the source code for the Taurus Exchange (which, at least at one point, shared some of its code base with the infamous QuadrigaCX, which lost more than 10 million dollars). The code base was terribly flawed. There were simple ways of bypassing the 'escalating trust' model, of causing a DoS, and of course, of stealing funds because of poor race condition handling (then again, Poloniex had trouble too, so these aren't uniquely Canadian problems).
There IS a unique, one-size-fits-all solution though. DOC COINS!
He also helped a Europol analyst with his goal of developing an in-house forensic blockchain analysis tool. Of all the domain names you could host one at, Blockchain.Exposed is obviously the best, and Aaron controls it.
While working for an exchange, Aaron had the pleasure of implementing Equifax services. He wasn't impressed. He wasn't surprised when they were hacked.
Among the changes he wants to see implemented is a new browser element: a "secure password" box. The site you're logging in to gets your login name. It returns an "Account Salt" and a "Login Salt". The browser then hashes the account salt with the password, and returns that hash, not the password itself, when the secure password box is read. The site can then hash that value with the Login Salt.
You may be asking yourself why. To protect users against themselves. Users who never change or pick new passwords. If sites never get to see your password, then a site for cooking recipes can't try logging in to your Facebook using the login name and password you chose at www.recipesforhackingfacebook.com.
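The two-salt exchange described above, worked through with both sides present. This is an added example, not a browser feature or the page author's code: the page specifies only that the site returns an Account Salt and a Login Salt, that the browser hashes the password with the former, and that the site hashes the result with the latter. The hash choices (PBKDF2-HMAC-SHA256 in the "browser", HMAC-SHA256 at the site), the decoy salts for unknown logins, and all names are assumptions. The demo registers the same password at two sites and checks that the value the recipe site saw is useless at the other one.

```python
"""Worked model of the 'secure password box' idea described above.

Added illustration, not a browser feature or the page author's code. Hash
choices (PBKDF2-HMAC-SHA256 client side, HMAC-SHA256 site side), the decoy
salts for unknown logins and all names are assumptions.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000      # PBKDF2 work factor (assumption)
SALT_LEN = 16


def browser_derive(password: str, account_salt: bytes) -> bytes:
    """What the browser computes inside the secure password box.

    Only this value is ever readable by the site; the raw password never
    leaves the browser.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               account_salt, ITERATIONS)


def site_finalize(derived: bytes, login_salt: bytes) -> bytes:
    """The site's step: hash the received value with the Login Salt."""
    return hmac.new(login_salt, derived, hashlib.sha256).digest()


class Site:
    """One web site's account store; it never holds or sees raw passwords."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.accounts: dict[str, tuple[bytes, bytes, bytes]] = {}
        # Answers salt requests for unknown logins consistently, so the
        # salt round-trip does not reveal which accounts exist.
        self._decoy_key = secrets.token_bytes(32)

    def register(self, login: str, password: str) -> bytes:
        """Create an account. Returns what the site saw: the derived value only."""
        account_salt = secrets.token_bytes(SALT_LEN)
        login_salt = secrets.token_bytes(SALT_LEN)
        derived = browser_derive(password, account_salt)    # browser side
        verifier = site_finalize(derived, login_salt)       # site side
        self.accounts[login] = (account_salt, login_salt, verifier)
        return derived

    def salts_for(self, login: str) -> tuple[bytes, bytes]:
        """Login step 1: the site returns the Account Salt and Login Salt."""
        rec = self.accounts.get(login)
        if rec is not None:
            return rec[0], rec[1]
        decoy = hmac.new(self._decoy_key, login.encode("utf-8"), hashlib.sha256).digest()
        return decoy[:SALT_LEN], decoy[SALT_LEN:2 * SALT_LEN]

    def verify(self, login: str, derived: bytes) -> bool:
        """Login step 2: hash the submitted value with the Login Salt and compare."""
        rec = self.accounts.get(login)
        if rec is None:
            return False
        _, login_salt, verifier = rec
        return hmac.compare_digest(site_finalize(derived, login_salt), verifier)


def demo() -> dict[str, bool]:
    """One password reused on two sites; the recipe site's view is replayed at the other."""
    password = "correct horse battery staple"       # constructed sample
    recipes = Site("recipes")
    social = Site("social")
    seen_by_recipes = recipes.register("alice", password)
    social.register("alice", password)

    account_salt, _ = social.salts_for("alice")
    legit = social.verify("alice", browser_derive(password, account_salt))
    replayed = social.verify("alice", seen_by_recipes)
    wrong_pw = social.verify("alice", browser_derive("hunter2", account_salt))
    return {
        "legit_login_ok": legit,
        "cross_site_replay_ok": replayed,
        "wrong_password_ok": wrong_pw,
        "unknown_login_gets_salts": len(social.salts_for("nobody")[0]) == SALT_LEN,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-site Account Salt is what makes the derived value site-specific, so a value harvested at one site is worthless at another even when the underlying password is identical. Within a single site, though, the derived value is still a bearer credential: anyone who captures it can replay it there, so the scheme complements transport encryption rather than replacing it.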
Jacob has always been enthralled by mathematics. The purity and predictability of algorithms. The reproducibility of mathematical proofs. The timelessness of the truth.
That there is still debate about climate change is the unmistakable result of failing to reduce the evidence and laws of physics to a mathematical proof, and a civilization filled with people who wouldn't understand the mathematical proof if they had it.
When he isn't busy teaching at Hamilton High Schools or Colleges, or being the CEO of Board and Tale Games Inc., Jacob can be found raising his twins with his equally talented wife.
The internet might know Jacob more for creating the algorithmically-balanced tabletop game Stratos that, as one presumes is typical of all games created by mathematicians with a penchant for combinatorics, allows a near endless number of world configurations, game rules, and ensuing dominant strategies.
His M.Sc. thesis dealt with efficiently finding faults, through masterful application of combinatorics, that are caused by and only evident during interactions between multiple partially-faulty components. He co-published an article about such an adaptive algorithm implemented with a CPU-friendly Big-O complexity that's humbling. This experience with "observed to cause failure" analytics perfectly complements the proposed "known to cause failure" system. The first audits and enhances the latter.
Manually performing logic-table analysis of code has yielded great results and revealed what could have otherwise been very costly mistakes. But, it takes a lot of time. And there is a lot of code. That makes manually auditing with logic tables as impractical as building a skyscraper without power tools.
The smart contract was verified on an Ethereum test network. It worked flawlessly.
Then, we did one last pre-flight test of the Smart Contract on the live Ethereum network to ensure it would work with the latest rules and fees.
You can [Click to see the TEST contract details]. We've hidden them so that visitors to this page don't accidentally copy the wrong address.