A few thoughts - Tuesday, February 17, 2015
Posted: Tue Feb 17, 2015 12:51 pm
A few thoughts for today:
Security is a complicated topic
With the collapse of exchange Bter, it seems like security has come to the foreground once again in the bitcoin world. This event, combined with Benjamin Lawsky's impending regulations and some unfounded accusations that bitcoin developer Gregory Maxwell leveled at my brother, encouraged me to talk about this topic a little.
There is no excuse for exchanges losing millions of dollars to theft, then shutting down and passing the losses onto customers. On the other hand, it's also ridiculous to lock a $100 paper wallet in a huge vault that costs thousands of dollars to secure. The security of a system should be proportional to the value of what is being protected. There are many people in the community who either don't understand the economics of this, or who disagree with the idea. Two of these people are Benjamin Lawsky and Gregory Maxwell.
Lawsky, in his "BitLicense" regulations, requires all bitcoin-holding businesses to undergo security audits and to post large bonds. However, there are many businesses for which this type of security is foolish. Businesses that have physical offices where they receive dollars, buy bitcoins, transmit those bitcoins across the world, and sell bitcoins, should not be required to have huge security requirements because their money is quickly paid out. There is very little owed to anyone else that can be stolen. The worst case of a hack here is that someone makes off with a few transactions before the people on the other end realize that their money hasn't arrived and the system shuts down.
Gregory Maxwell, a core bitcoin developer, decided to engage my brother in an argument where he accused him of being negligent with our customers' money. While I don't think it's appropriate for Maxwell to be making such accusations without evidence, or even to be expressing his thoughts on businesses at all, I disagree with the entire premise of his criticism. While we strive to be as secure as possible, we have indeed not paid professional security auditors at $100/hr to attack our systems for a week. Instead, we have reviewed the code for common attacks like SQL injection, locked down systems, restricted access rights, encrypted passwords, and so on. Our security practices are not at the same level as Coinbase's because we don't have as much to lose as Coinbase.
Assume that the pool grows to the $500/day in profits that will be necessary to justify its existence in 6 months. Even at that time, the total holdings of the pool will never exceed $20k, because we never hold more than 2 days' funds due to the mandatory payouts. If hackers were somehow able to hack into every wallet and every exchange, then in the worst case we could cover the losses from personal accounts. In the case that the pool grew larger, then we would spend the profits on those security experts to further strengthen our defenses, obtain insurance, protect against bad exchanges, and so on. But Maxwell and Lawsky seem to think that everyone, even people who currently measure holdings in the hundreds of dollars, should be spending the same amount on bulletproof security measures.
If it costs $100 to prevent a 5% risk of loss of $1000, then it makes economic sense to not spend the $100 and take the expected loss of $50. The only time this becomes a problem is when the amount of money at stake is so huge that nobody can reasonably cover the losses, like in the case of Bter.
Why are these people so incompetent?
While on the question of security, the next question to be asked is how, in exchange after exchange, people can be so incompetent as to lose thousands of bitcoins.
Bter said that their cold wallet was hacked. How can a cold wallet be hacked? There are $100 hardware devices that can sign transactions completely offline so that it is completely impossible for anyone on the Internet to ever gain access to the cold wallet. With other exchanges, the common culprit seems to be SQL injection, but SQL injection is a vulnerability that has been known for at least a quarter-century. There are also very easy ways to avoid it: always use parameterized queries. I could understand if hackers gain access to exchanges using exotic zero-day vulnerabilities, but the attack vectors being used are almost unbelievable. In the case of CAVirtex, which shut down today, it was the development server that was hacked. How does a development database get hacked when it should never be connected to the Internet? Did they have an open wifi connection with someone sitting outside in a truck connecting to the local network? Even our production database isn't connected to the Internet.
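The "always use parameterized queries" advice above, shown as an added example (not code from the original post or from any exchange it mentions). The table layout, the sample rows and the hostile input are all constructed for illustration; the point is that the parameterized lookup treats the input as a value, while the string-spliced lookup lets it rewrite the WHERE clause.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "exchange" user table.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password", 1.5),
    ("bob", "hash-of-bob-password", 0.25),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, btc_balance REAL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input is spliced into the SQL text, so the database
    parses whatever the caller sent as SQL rather than as a value."""
    sql = "SELECT username, btc_balance FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the statement is fixed text and the value is bound separately.
    The driver never lets the value alter the structure of the query."""
    sql = "SELECT username, btc_balance FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: a quote that closes the literal, plus a
    # condition that is always true.
    hostile = "' OR '1'='1"
    print("normal, vulnerable:  ", lookup_vulnerable(conn, "alice"))
    print("hostile, vulnerable: ", lookup_vulnerable(conn, hostile))  # every row
    print("hostile, parameterized:", lookup_parameterized(conn, hostile))  # no rows
```

Running the script shows the vulnerable lookup returning both accounts for the hostile input, while the parameterized lookup returns nothing because no user is literally named `' OR '1'='1`. The same two-line difference applies to any driver that supports bound parameters; the separation of statement text from data is what the page's advice relies on.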
We should look at the economic factors to explain why these people keep getting hacked. Here's a common story I would propose:
First, the exchanges are started as a small business. As the business grows, the owners are making money, but they get greedy and decide not to scale up their security with the business, because security audits are costly. The reason they neglect the security audits is because they often live in countries where there is no liability when a disaster strikes. They realize that they can keep the money they earned so far, which is likely a lot, and be able to post a message on their websites and live in luxury afterwards.
None of these exchanges that have failed are headquartered in the United States, where there would probably be strict liability in most cases. Instead, Bter was based in China, where rule of law means something different than it does elsewhere in the world.
Getting back to economics, people respond to incentives and weigh the risks and benefits. They adjust their behavior according to the consequences of their actions. The answer to failing exchanges isn't to require everyone to submit to costly registration and reporting requirements. In that case, the good people can't afford the expense to comply at startup (so they don't start), and the bad people don't care about complying at all (so they do).
Note that the BitLicense regulations do not focus at all on the penalties for hackings. Lawsky is focusing on the wrong problem. The answer is to provide concrete penalties associated with the loss of customer funds, like personal bankruptcy and jail. Many people are rational, and when you threaten people with stiff penalties for not reimbursing customers, they will often adjust their behavior accordingly to reduce their risk of these negative consequences.
The reason there are so many exchange heists is not because of a lack of regulation, but because of a lack of consequences.
Timing
Last week, I was going to write a post discussing how I was incorrect about the bubble cycle and how the false bubble in June did not lead to a true bubble months later. About a year ago, I posted a number of underlying assumptions about bitcoins and their usage that I believed caused the cycle. I previously stated that the only reason bitcoins would fail or break the cycle is if people simply didn't use them, and I think that's what has happened so far.
But I'm going to hold off on that post for a few more weeks for two reasons. First, there seems to be a lot of talk in /r/bitcoinmarkets of an impending rise. I have difficulty believing that the forces at work in the decline since June have changed, but I'll give them the benefit of the doubt for a few weeks. What's interesting is that if they are correct, then there are exactly 23 days remaining until two cycles will have passed since the November 2013 bubble. Also, you can pay attention to how the previous cycles had a period of close to zero volatility before the rapid rise occurred.
I have my doubts that bitcoin prices will recover any time soon (by "recover," I mean rising above the false bubble in June, not these quick pumps and dumps now). There hasn't been anything that changed since January in terms of adoption or usage. If I'm right and prices do not rise, then I'll post my theory about why I was wrong on the cycle in a few weeks.