Security And Usability
Transcript By: Bryan Bishop
- Melanie Shapiro
- Alan Reiner
- Kristov Atlas
- Elizabeth Stark (moderator) and maybe Melanie Shapiro? malani?
Security and usability.
Elizabeth: I think this is a highly relevant discussion. I talked a bit about regulation. Regulation might be the number threat, but security might be the number two threat. I am excited to have a panel of leaders in this space who are actively building in this ecosystem. I am going to ask each to do a quick intro.
Alan: I am the original creator of Armory and the Armory Bitcoin wallet. Last year I gave an introduction to Bitcoin. We have been around since 2011. I started to acquire Bitcoin from mining. Now we are developing enterprise solutions on the topic of security and usability they would say that Armory does not have usability at top of mind. Others have that in mind. Our focus is security though. That’s where we’re going with large institutions who have the resources to get over the usability and do the security right.
Melanie: I got into Bitcoin in 2011. I was doing a PhD sponsored by Microsoft at the time. I became utterly fascinated by it. I spent the next couple years figuring out how to do something meaningful in this space. Biometrically secure will be launching in a couple weeks.
Kristov: I started writing a book about Bitcoin privacy. That is a topic that I care about quite a bit.
Elizabeth: What do you see as the biggest pro and biggest con in terms of Bitcoin security?
Melanie: I think one of the biggest limitations is the users themselves. I think that placing responsibility in the hand of users is often times there is human error. Losing a piece of paper and private keys.
((feed just skipped forward by like an hour))
Alan: Sometimes the community mischaracterizes the security as one size fits all.
Kristov: There will be different needs that people have for Bitcoin. But I am not sure that I agree that we are necessarily going to see people being their own banks, and then we will gravitate back towards something in between. I think that what we will see is closer to the realm of being your own bank in the Bitcoin space because in terms of engineering we can accomplish this, we can allow grandma to be her own bank without a substantial risk of funds. I think there are some things that we need to develop to get there. There is a temptation to say, man, hey, … achievable..
Elizabeth: I gave my grandfather a bitcoin for christmas a few years ago. It is currently being held in a hosted wallet. So I want to know…. where will he be his own bank?
((lots of streaming problems))
Melanie: To get people to actually …. using Bitcoin.. you are competing with credit cards. It’s fairly simple to use a credit card. We should all be developing products that… to use …
Melanie: So that you can be a little bit careless. You’re not completely at risk if you lose that credit card. With Bitcoin, obviously we all know that… that’s not the case.. so you have to change that perception and that behavior… and getting people…. You do need to own your own security. You do need to be more aggressive about that.
Kristov: So I think the world in which … where we adjust from a very old world perspective to the world of Bitcoin and cryptocurrency. A lot of the challenges that come around security come from the fact that Bitcoin is so … When you put it in the realm of money, people care a lot more. NSA downloading your photos from Facebook, meh. When you have bad Bitcoin privacy, people take all of your money and they hunt you down. So putting things in the realm of money is going to change things quite a bit in a way that we are not going to expect.
Elizabeth: A recent survey among Facebook users were unaware that they were using the Internet. Usability is going to be a major issue. QR codes or strings of alphanumeric.. or long random passwords.. are not usable. Are usability and security fundamentally at odds with each other? And if not how can we address that issue?
Melanie: As you become more secure and you add layers of authentication and security.. it gets more challenging… it does not have to be that way. There are great products that are secure and easy to use.
Elizabeth: Like what?
Melanie: I think that LaunchKey is an interesting product. What’s ideal security though?
Elizabeth: I think that LaunchKey is a device-based authentication company. Kind of like authy?
Melanie: I think we need to define what ultimate security looks like. And then what does the ultimate use case look like? That’s where we should looking for products. It’s hard enough to enter into the Bitcoin ecosystem to think about these things. It needs to be as few steps as possible. It also needs to be the security of paramount importance for that user.
Alan: My perspective is sort of contrary, but not specifically. I have an enterprise focus at the moment. Focusing on large organizations with employees managing money. It would be hard to say Bitcoin is going to be mainstream but we wont have large banks handling money? The difference between the consumer and the institution is that the consumer is managing their own money. They wont steal from themselves, it’s already their money. But when you have employees managing, it’s a different story. You just can’t do that or don’t make sense in the consumer space. My focus is on enabling those larger organizations which is the narration that I am going with. Those organizations have to have a high security solution that is not going to be usable by consumers, but they can also train employees and implement strong processes.
Melanie: I think that the way that security will look for consumers and institutions will be different. People have time to be trained.
Kristov: What we aim for is not perfect security but a certain threshold, which is context-dependent. I think there is a trade-off has been reached in other industries, like automobiles. There’s some tradeoff with a car that is fun to drive and a car that is safe. A car with no doors and no roof, you can do all kinds of exciting things with cars if you have no safety standards. I think we will figure this out with Bitcoin.
Elizabeth: Does centralization of say consumer funds pose a threat to the ecosystem when it comes to security? We have seen hacking, like against Bitstamp.
Alan: My opinion is that, that whole infrastructure around centralized Bitcoin storage solution is not mature. We know about cold storage and multisig, and one of the things I talk about is in the institutional security world.. having employees manage valuables is not new. They have processes around that involve people, witnesses, lawyers, notaries. They have existed, they just haven’t got into the Bitcoin system yet. There’s this kind of.. it’s going to be there. It just hasn’t been there. So drawing too many conclusions based on the current state does not necessarily mean it wont be there. The maturity level and the institutions and so on, it just hasn’t lead to that being integrated properly yet.
Kristov: Yeah the pattern is, let’s start a Bitcoin company, okay well we’re going to make a copy of how it worked in the last financial system, we will have a lot of controls removed because it’s Bitcoin and new, and that’s a lousy place to start off. Naturally that’s where they started. If we can get everyone, especially the leaders to adopt the cutting edge technological things, we would be a lot better off, like multisig and proof of reserves, voting, threshold signatures, if we could people more uniformly applying this across the board we would see less theft.
Elizabeth: What role does education play in engaging both the enterprise and consumer side of things?
Melanie: I think education plays a huge role. The kind of education is in the hands of the media, and they don’t do a good job of understanding Bitcoin. I think a huge challenge is how we as a community face towards that audience. I think we are getting better at that. I think the conversation is becoming a little bit more positive, except when we have price volatility. I think that’s where the education has to start. People have to start speaking out about the benefits and why we need Bitcoin security. And once you have a positive conversation sand then you can educate consumers about what it is actually like to use Bitcoin.
Kristov: I have a few thoughts about education. It’s a stop-gap measure for designing security into systems. If we can educate users to be more proactive about protecting themselves, then we don’t have to build the security into it. We should just build it into it, it should be intuitive and natural. Education is not a replacement of that. We can’t get everyone to the point of being an undergrad MIT computer science student. So in the Bitcoin space, I think this is a good place to be, a lot of the progress that is made is driven by consumer demands and not by industry standards or government demands. For this progress to be made, this has to be driven by educated consumers. A lot of what I run into is a lot of Bitcoin consumers are not informed about the privacy aspect of Bitcoin. They know a little about security, much less about privacy. We are not seeing a lot of demand for privacy-friendly services. So we need to educate users about how it is important and it is going to impact you and you should be asking for privacy from these companies. I think this will create better services.
Elizabeth: What benefit can blockchains provide for security beyond just money itself? We have talked about the future of this space. What do you see in the future?
Kristov: So, I think that Bitcoin is actually in terms of pushing the boundaries on security, I think it’s kind of moving in several directions at once. In the cryptography side of things, we are ahead of the curve. We are seeing people splitting up keys, using cold storage instead of hot wallets, using multisig. That’s more advanced than what banks are doing. There’s a very low percentage of banks that are doing things like splitting up cryptography keys so that attackers have to compromise multiple sites; they don’t do that. On the front of application consumer, like network application security stuff that happens everywhere on the web, we’re behind because we’re a new industry, but I think we will catch up pretty quickly. I think that Bitcoin is already ahead, 10 years from now it will be staggering as to how far ahead Bitcoin is for securing funds and banks are not going to be able to catch up without joining up with Bitcoin.
Alan: I think that at its core, multisig is something totally new to the world of physical security… This idea that you can have something protected by private keys that are all generated independently in their own environments, they are never brought together, you can independently generate them, the people managing the devices don’t have to know who the other people are, they don’t have to know the security of the other locations. You can create a truly truly decentralized security system and no point was ever a single point of failure. I toured the Verisign facilities where they have a 6000 pound safe that holds tons of cryptographic material. And they have 17 people to get into that safe. That cryptographic material was generated in one place, sure, and there’s a huge process, but maybe you can scale this back now that you have 7 independent locations and there was never any colocation from start to end, you have a fully distributed security model.
Melanie: Well, one, multisig. Healthcare, banking, finance, I think everyone will see what’s going on in our space and modeling their security off of what we have been doing for years.
Elizabeth: There are still browser vulnerabilities. Mainstream users do not like browser extensions. What about hardware approaches to ensure security?
Melanie: It’s a multisig hardware wallet, one of the keys is in a database on the server, one of the keys is on the device, one is in third party cold storage that you can manage. We generate one of the keys on the device, so that we can maintain the RNG and know which keys you generate. The key in cold storage is third party, and if you want access to it that’s great, but I think for the mainstream user that key and protecting it themselves I don’t think that sits well for me, so for mainstream users that will not work out. Each one of our private keys is secured by a different layer of authentication, biometric inherence factor protects the key in the database, and the information layer protects the key in cold storage.
Kristov: One of the challenges around hardware wallets, we need trusted competing devices. In the consumer space, we see a condensing to one device. We used to have a camera, mp3 camera, now we have one device and they are all getting smaller unless you are an iPhone user of course. Hardware wallets do not need to be these huge beefy machines. Maybe it’s just a chip on the phone, maybe it’s something embedded in your body, it’s not something that will weigh you down. But right now, the smallest device that I have heard of, outside of Ledger, there’s trezor and these other things that is like really big and you have to carry it around. That’s a burden for the average user.
Melanie: One of the things we’re doing and putting money into is, right, I think money is moving towards a single phone that we all want. When that phone has everything about you, like healthcare, money, that’s…
Elizabeth: What happens if you lose your phone or it’s stolen?
Melanie: I think hardware plays a huge role in this ecosystem. In two years, I have no idea what role it will play.
Alan: On the enterprise side, things are not necessarily getting smaller. These are concepts that have been around for 20 years to protect other types of cryptographic material. This is known as HSM. These are $5k-$30k Linux boxes that you put into a rack, it destroys itself when you try to break into it, it’s what the biggest banks in the world use, it’s what the rootzone DNSSEC security that protects the backbone of the internet uses. Only recently there are a few working on some. Armory has announced integration with HSMs. Again it goes back to the maturity of it. As large institutions get into it, like insurance banks, they are already familiar with it. Banks and insurance companies are already familiar with HSMs. That’s a prereq for declaring that you have a secure solution. This should be a requirement from the start.
Elizabeth: Recently we saw BitGo release a standard for security. Do we need to establish a set of practices amongst the community?
Melanie: We use the matrix they came up with with C4.. My engineers all have it on their desk ((if you actually read it though, it’s… not good)).
Kristov: Coming to consensus about this is critical. I am working on my own project in the privacy space, we are working on publishing standards in the privacy space as well. It’s basic stuff that we have been doing in security and infosec for a long time.
Melanie: It should not be the wild west.
Alan: It is going to converge. What you are going to see is that as more institutions get involved, especially in the enterprise market, you see a lot of overlap in the way these things are managed. What’s trusted ends up being the standard. You see all these companies that you believe are secure, what are they doing similarly? That is going to become the standard. The transparency of it and the standardization. New players that come in will have a chance to know what to do to get insurance quicker, and the insurance company will trust me more because of the vetting.
Melanie: Companies should not have to make this up on their own. BitGo and C4 are two different entities. I think that the community itself should work together to have best practices. We need more of that.
Elizabeth: What about backdoors? Some people on the international level are taking this seriously. I am going to assume that the panel is against this. What can we do about backdoors?
Melanie: I was interviewing someone who worked at the NSA. I asked him what he worked on. He was working on consumer firmware. It was a real problem, we didn’t hire him ((why not? he was experienced…)) We are manufacturing, we have a device that we are shipping out. We are using a New York state manufacturing company, it’s 5 miles down the road from my office. We are there when the devices are being manufactured. We want to be intimate with the process. Having internal… having operational security within your organization is important. We need standards for that as well.
Kristov: I work for Blockchain.info, and one of their philosophies is that you design the software so that when someone comes knocking, it needs to be too late to do that. That boat had already sailed several years ago. I encourage companies to do that as much as possible, not because there’s a particular organization that they are concerned about, but rather because if you can give access to one organization then others can take it from you as well. We need to build these systems as secure and private as possible from the ground up, otherwise there is a countdown on your business or organization where the compromise happens and people will be really disappointed in you.
Alan: Operationally transparent is the right word I think. At the end of the day listening to someone like Joi Ito talking about FMTs and wondering about whether there is any end to the paranoia.. well, much of it is justified. At the end of the day, the problem is split into many pieces, and you need strong process at each of those steps. At the end of the day you cannot prevent everything, but you can reduce it and pick out large parts of the problem and know that some things have been done right. And perhaps there are forces beyond our control. You cannot throw up your hand and say it’s unsolvable, you must solve this.
Q: We hear about stolen accounts in the world. Millions of stolen accounts. I know lots of people around me that are probably among those stolen accounts. But I have never heard anyone complaining that any money was stolen from his account particularly. That’s the first thing. Can Bitcoin be stolen in the first place? At all? And by the way, if I can buy coffee with my Bitcoin, that’s not security that’s limitation.
Alan: Can Bitcoin be stolen at all? I think that’s a question of again something that Joi Ito said. The cryptography is sound and it is really the process around it that is insecure it. So maybe it’s a philosophical question to say, well they weren’t really stolen, but… the fact is that, the world depends on the actual programs and algorithms and the cryptography behind it. When we talk about stealing coins, it will be the human element not necessarily… it may be that you had humans in the loop making bad decisions about which technology.