State of Computer Security, 2014 Edition

King Tut's tomb

After a bit of cleaning up, he'll be able to read King Tut's QR code.

Here's the definitive step-by-step guide to securing your Bitcoin. I wanted to link to it in order to preserve the state of the art in computer security as of right now.

What this writeup leaves undiscussed is the part where you build a pyramid to store your paper wallet, with a false burial room to misdirect the tomb raiders, and kill everyone involved in its construction so no thief can find it.

Yet the situation is far from amusing. You can see how routine it is for Bitcoin wallets to get hacked. There is no search string that can capture the amount of heartache and personal tragedy behind each and every one of those episodes. One can only guess how much it must hurt to have one's hopes and dreams collected and rerouted by a hacker.

Bitcoin is now a universal bug bounty. It used to be that you'd find a bug and disclose it to the vendor; the vendor would then leak press releases denying the severity of the bug ahead of your planned public disclosure date, might even attack you for good measure, and, if you were lucky, would begrudgingly give you a bug bounty after you incontrovertibly demonstrated an exploit. I know the kind of opposition I faced from Sun's corporate shills when I came up with an industrial-strength technique for generating tests and finding flaws, and used it on Java virtual machines. These techniques have since become a standard part of the testing process in industry, but reading the Sun press releases, you'd think that absolutely nothing had happened, and that somehow we were the bad guys.

In contrast, when you discover a 0-day vulnerability these days, you can simply collect people's Bitcoins. The only testament to you having been there are the heartbreaking stories that people post on forums afterwards.

Now, this is in no way Bitcoin's fault: our computer systems are nowhere near secure enough, correct enough, or trustworthy enough to handle high value assets.
