Episode 171 - Ransomware, Security First, and Crypto-corporations
Max talks about the recent ransomware attack on the Colonial Pipeline that led to gas shortages in the southeastern US, how this could encourage security-first principles in design, and the promise and flexibility of crypto-corporations.
Links
CDC Says Fully-Vaccinated Americans no longer need to wear masks
Scitechdaily: Colonial and the national cyber defense problem
Washington Post: Ransomware is Big Business and there will be more
CNBC: No need to Panic over Colonial Ransomware
Red Hat: 3 Principles for Security-First architecture
Casa: 3-of-5 Bitcoin Security
Encyclopedia of Math: Monotone Boolean Function
Related Episodes
Episode 126 on electoral systems
Episode 108 on subverting shareholder fiduciary rules on boards
Episode 48 with Daniel Kronovet on blockchain voting for budget allocation
Episode 5 with Christian Lundkvist on Ethereum Smart Contracts and Hacks
Transcript
Max Sklar: You're listening to The Local Maximum, Episode 171.
Time to expand your perspective. Welcome to The Local Maximum. Now here's your host, Max Sklar.
Max: Welcome, everyone. Welcome. You have reached another Local Maximum. It's May 2021. More specifically, I don't know why you'd say the date today, May 17, 2021. Before we get into today's main topic, I'm going to talk about the ransomware attack on the Colonial Pipeline. We're gonna talk a little bit more, we're gonna get kind of into the weeds of what Security-First development means. Then just some interesting ideas on what a crypto corporation could be like, all of the different ways of decision making that you could design when it comes to private keys, cryptography, cryptocurrency. I'll get into all of it, I'll make sure you understand it, or at least understand enough of it.
First of all, I want an update on, I want to give you an update on my in-apartment studio here in New Hampshire, which is kind of a new thing. Obviously, back in New York City, or not obviously, I'm explaining it. But back in New York City, I tended to have one room, maybe a little bit when I was in Manhattan, I had a separate room for podcasting, but since that was temporary, I couldn't turn it into a podcast studio. Now, here in New Hampshire, I have a separate room dedicated to things like podcasting and whiteboarding and separate work and things like that. So this has been a lot of fun. I am working on upgrading my equipment, I just got the ZOOM PodTrak P4 along with a new microphone stand. So hopefully, that will make the sound a little bit better than it was last time in the studio. Well let me know if it's not as good. Well, I'll know. But you can let me know anyway. Some of you did. But if the sound is not as good, we'll adjust again, but I think we are getting there.
Those of you who remember, Aaron came by a couple of weeks ago, and we used this studio for the first time. I kind of assumed that I wouldn't get many in-person guests here in New Hampshire. For those of you who have been with me for a long time, you probably remember that I used to have a lot of guests when I was in New York. I started this podcast in 2018, and I used to visit other people's offices. Some, a lot of people would visit me in the office and at Foursquare HQ in New York. That would be a lot of fun. I mean, I remember going to Union Square Ventures, interview Bethany Crystal and Hilary Mason, I went to her office. One time I went out to Queens to interview Clyde Vanel, a member of the New York State Assembly. So all that was great. And then I had a lot of people in the office too: I remember even someone like David Pietrusza came to the office, Charlie Oliver came to the office, all sorts of people came to the, I'm not gonna mention everybody, but it was very exciting.
One of the funniest ones was the whole team from Liberland, that was pretty crazy when the founder of Liberland came in, and then his entire cabinet of the president of Liberland was there in the office. I was not expecting that. So anyway, hopefully I'll have people here, I feel like the scene is different now. You can't really visit people's offices in New York City anymore. So that's done. It's not like I'm leaving it, it's like it no longer exists, since a year plus ago, let's say 18 months ago, since March 2020. I think the last person to come into my office was Adam Kapelner, to talk about experimental design. After that, you weren't allowed to have guests in the office.
Now I'm in New Hampshire, and it turns out I will have some in-person guests over the next few months, which is really exciting. Some people might even come, to here, to The Local Maximum studio, which is crazy. It'll probably be a bit of a different flavor, there's a different scene up here. That will maybe change the nature of the podcast. But we'll talk more about that later, and we'll, I feel like even though I've been doing this for three years, I'm constantly evolving this podcast. I feel like I'm getting better at carrying a show, carrying solo shows like I am today. Solo shows are often very difficult, because you have to kind of talk for 20 to 40 minutes. I feel like this one, I kind of put it off. I'm better off sometimes just turning the microphone on and seeing where it goes.
But it's so, I'm evolving in terms of upgrading my technology. I've got the ZOOM PodTrak P4 here, and hopefully the sound is better. Let's see what else happened this week? I went to New York at the beginning of the week. And it was nice. I was able to visit some friends and I was able to eat at a few nice places. Veselka is one of them, Ukrainian restaurant that I really liked. They used to be 24 hours, I would go overnight when I was in grad school and do my homework there at like three in the morning, order chocolate milks or whatever. But it's still really sad there. It's just not the way it used to be. You walk past a lot of places that you used to go to, and the signage is all scratched out. You look at the interior and it’s all gutted and you just think, when is this coming back? You walk around on the street. There's, who is walking up and down the street? It's just not as exciting as it used to be. Let's put it that way.
So anyway, let's get, I'm glad to be back in New Hampshire. It just feels very claustrophobic in New York these days? Maybe it's just because I moved out here, and everything is so open. Then going back there, it's not. But no, I was in New York 15 years, it was great. It's just things have changed a little bit there. I think the fact that there's not a whole circus of things going on to kind of keep you occupied, then that's what makes me feel more claustrophobic because it's just, which areas are going to be more dangerous. There's a lot more like weirdos on the street shouting at you. It’s sort of like, I don't know what's going to happen, and there's no upside. So hopefully that changes. But we'll see I'll watch from afar to see if it does.
Okay, so let's talk about, oh, yeah. Then of course, we don't need masks anymore. So that's kind of a marker here that's changed this week from last week, and from the rest of the pandemic. The mask mandate in New Hampshire has been lifted for a while. But now the CDC has said vaccinated people don't need to wear masks. A lot of stores have dropped it, so a lot of places around here have dropped the mask mandates. And of course nationwide, that's happened. So that's changed, this is really addressed for those of you who are listening from the future, and you're trying to create a movie that takes place in the US around this time. Well this is around the week where people kind of stopped wearing masks, although they're still masks everywhere. I don't know when it's going to end. I bet if I were still in New York, I mean, there was masks everywhere in New York when I was there. So I assume that that's still the case. But we'll see what happens over the next few weeks. I have a feeling that it's just going to get less and less here in New Hampshire, which really makes life easier and easier. So that'll be cool.
All right. So what exactly happened in this cyber attack? What is it? First of all, what is this? Because it's not an act of terrorism. It was not a political cyber attack, it was not a geopolitical thing, it was not somebody trying to get at the United States or anything like that. This was essentially a mafia, a criminal organization looking to make money. So they use something called ransomware, which means that, and this happens to individuals sometimes; I don't know anyone it's happened to, but it could happen. Basically it's software that gets into your computer or your network or your system, and it encrypts all your data, so it makes it unusable for you. It makes it so that you really can't decrypt your data without their decryption keys. And they require a ransom. Oftentimes, the ransom that they choose is a lot smaller, something that you can actually pay, so it's worth your while to pay the ransom versus trying to figure it out on your own or trying to track them down.
In this example, they asked for 75 Bitcoin, how much is 75 Bitcoin? It was a lot. Back when they asked for it, it was $5 million. So they asked for $5 million. But if you think about it, the entire, this Colonial Pipeline which is on the entire southeast, basically anywhere from Florida, part of Northern Florida, to parts of Texas, up to New Jersey. Basically, that triangle had massive gas shortages and people waiting in line at the gas pump and prices rising. $5 million is actually a pretty small price to pay to make that go away immediately. Now, 75 Bitcoin a week later is only $3.3 million. So maybe they could have waited a week. I don't know. But they ended up paying that ransom. Oftentimes, that seems like a good idea in the short run. Let's talk about, I'll get to in a few minutes, what that means for the long run. Because you essentially feel like the bad guys won, they got their $5 million. But who, how, if you think about it, for that to actually make a difference, this is not some huge organization. If this were an organization of, you know, 50 or 100 people splitting up that $5 million, it doesn't go very far. So it's kind of like a small number of people who probably didn't expect, I don't know if they knew what they were getting into here.
But anyway, I tried to read a bunch of articles, to try to understand a little bit more about what's going on. So I'm going to quote from some of these articles so we can start to understand. This first one is from Scitechdaily, which is a little bit less known. I also read CNN, Washington Post, CNBC. It's amazing how small-minded some of these mainstream media organizations can be. Oftentimes you're talking about it in a partisan way, like, oh, they hacked the pipeline just like they hacked the election back in 2016. It's so dumb.
Then of course, there's a lot of, well, this is Biden, you know, it's Biden's fault. Or he didn't respond to it. I don't know, there's a lot that can be said about that. But I think the more interesting thing is, first of all, a lot of people don't understand what exactly happened here. So from Scitechdaily, they seem to think that the problem lies in outsourcing, or partially at least. I'm going to quote them here: “Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.” Well, I guess that I'm not sure. But that's not the full story, but I guess that kind of makes sense, if you have some software teams, particularly teams that are, could be a security, could introduce a security hole. Well, you don't know if they've been infiltrated if they're not nearby, and they're in Eastern Europe somewhere.
I'm also going to quote here that they say that “The ransomware attack on Colonial Pipeline on May 7, 2021, exemplifies the huge challenges the U.S. faces in shoring up its cyber defenses. The private company, which controls a significant component of the U.S. energy infrastructure and supplies nearly half of the East Coast’s liquid fuels, was vulnerable to an all-too-common type of cyber attack. The FBI has attributed the attack to a Russian cybercrime gang. It would be difficult for the government to mandate better security at private companies, and the government is unable to provide that security for the private sector.” Okay, so this is essentially a mafia, and it is a gang of criminals. So what do we do about that? I'm going to get to that in a second.
But first, I'm going to do a couple more quotes. One from the Washington Post about ransomware in general, of which there have been a few, even some against the government. Sometimes they'll attack individual computers, they'll be like, pay $300 and get everything back. A lot of people would end up doing it because you lost everything, and you just pay $300, which, nobody likes to pay $300 but it goes away and you forget about that pretty quickly. So it says here in the Washington Post, most incidents go unreported, anecdotally. Uh, you know, that makes sense. It's kind of embarrassing. Anecdotally, and not necessarily embarrassing ‘cause it’s not really your fault, but it's like most people don't want to talk about it. Anecdotally, according to companies that help victims hit by ransomware attacks, more than half pay some form of ransom, estimated last year to average about $312,000. That must be for corporate clients. According to Palo Alto Networks, another cybersecurity company that deals regularly with ransomware attacks, some experts suspect that amount is low.
So, you have all of these companies paying these amounts to cyber criminals who are holding data for ransom. Now, is there anything that you could do to protect yourself from these things? Well, I don't know what you could do as an individual, but certainly, well, just general security, hygiene security practices are good. Make sure you know what you're downloading onto your computer. Most things that you download are not going to be ransomware attacks. But I'm not exactly sure. I wish I had an example of what type of application people have downloaded that they thought they were downloading something else, and it was a ransomware attack, although I haven't heard about it. But there. Look, these things can be protected for. Particularly, we're talking about here, physical infrastructure, physical oil pipelines, which, you know, you should be able to secure with, and again, I'm not kind of an expert in their, in their network system or their security system. But I would bet that they haven't, they didn't invest nearly enough into it. And I suspect that they'll invest a lot more now, not just because they lost $5 million. Not enough, it was just $5 million, they probably wouldn't invest because, you know, then it's a lot to hire a team and whatnot.
But no, they lost, you know, think of how much they lost with all that, you know, with all that business they lost over one week for an entire section of the country. It's, that's got to be, I don't even want to put an order of magnitude on it. But it's got to be way more, orders of magnitude more than the $5 million they lost to the ransom. So a lot of organizations, when they get into this situation, they decide to pay the ransom, because it's so small, compared to fixing the problem, compared to going after the criminals. I mean, going after this criminal gang, maybe it's possible, maybe you can, you know, send a team of private detectives over to Eastern Europe, and you can track them down, but it's going to cost you a lot more than $5 million to do that. So but of course, some people say that, and it's true, that paying these ransoms encourages more attacks, because then more people, essentially, the criminal gang and other criminal gangs are like, yeah, great, okay, we got paid, we got our payday from doing this sort of thing. So why don't we do it again?
There is a flip side to that, and I'm concerned about that, it's sort of, it's very unsavory, the idea of paying a ransom because it's almost like, you feel like the bad guys won. But there is a flip side to paying ransom, because it also encourages another side of the arms race, it encourages more security. So in other words, if you're in a bad neighborhood, and people are getting broken into, but people with locks are not getting broken into, then, yes, you might have some fantasies about getting a vigilante group together and going and getting the bad guys. But in reality, that's probably not going to happen if you're in one of these neighborhoods. You're better off just locking your doors.
And in this case, when it comes to cybersecurity, there are a lot of things that you can do that make you safe from these types of attacks. Ultimately, I think that we're leading into an era of Security-First development, where a lot of the services that are being created, a lot of the software that is being created, a lot of the new software, and a lot of the new networking protocols and standards and all that, are going to be Security-First.
They're going to keep these attacks in mind when they're being developed. So that it's not like each company has to figure out best security practices, it’s just built into all of the software. And that might seem, for those of you who have worked in the industry, especially that might seem kind of pie in the sky, because there's so many things you look at and you're like, oh my god, this is this is so bad. I can't believe this hasn't already been attacked. But as time goes on, and as more of these attacks take place, and it's not over, I'm sure more and more will take place, it will spur on the development of Security-First practices and protocols which, there are a lot of things that can mean I realize that that's vague.
But I feel like rather than just slapping something together, that slapping together some software and some networks that run core infrastructure, at organizations or for countries, you generally have kind of a base layer that you can consider very secure and build on top of that. I think that's sort of where, where we're leading to. If you think all people will never be people will never be that careful about security, well, maybe these ransomware attackers will make them more cognizant of security. And you know what, I'd rather be attacked by these ransomware guys than be attacked by a country or a group of terrorists that are actually trying to take down the infrastructure, because that would be way worse.
So alright. One example of Security-First development is blockchain itself, which is kind of ironic, because the cyber hackers are using Bitcoin in their scheme, they want to be paid in Bitcoin. But it's not because Bitcoin is unsecured, it's because the Bitcoin is very secure for the criminals, once they get it, they can be assured that they got it. And there are ways they can, they can also be assured that they're not going to be, they're not going to have their funds frozen, or anything like that. And the Bitcoin blockchain has never been hacked, and most blockchains have never been hacked. The Ethereum blockchain has never been hacked, it's just that some of the smart contracts, which exists on the chain, which are more complicated pieces of code have been hacked, because someone made a mistake in the code. So what you want is something, you want kind of development to be slower, almost, you want to make very simple pieces of code that are well tested. Once you have that, more people will be able to use it.
I'm going to link on the show notes page, which is www.localmaxradio.com/171, I'm going to link to the Red Hat Security-First architecture article. It probably would only be useful to engineers. But generally, I think there's some interesting ideas in here about how to design for security from the get go. A lot of legacy systems will, that, there are a lot of systems out there, even from banks, even from the core infrastructure that haven't been upgraded in many, many years, they might be subject to attacks like this. They might have to rebuild.
If they do rebuild, they're going to use a more modern approach where they deal with these problems where you could have attackers all the way in another country in another part of the world, because you really want to be able to avoid that. I think you can. This is physical infrastructure. It's not, there should always be an override, where you could be able to do things manually, and there should always be backups that are not connected to the rest of the system, and so on and so forth. So, a lot of this can be designed for, it's just a matter of doing it. Okay, so that's just what I wanted to say about that story.
Now, I want to talk a little bit about governance in general. We're all taught how a bill becomes a law, for example, but how much do you know about corporate governance? I bet a lot of people don't know that much about corporate governance. You don't know how a CEO gets removed by the board of directors, or how people on a board are chosen. Even though the latter is just as likely to affect us, I mean, laws are likely to affect us. But if the management of your company is reshuffled, that can affect you. If you're buying products, if you're buying products from certain companies, and then they decide to change what they do, that affects you. So oftentimes, that stuff affects us just as much, and we're less likely to know how that all works. And now, with the advent of cryptocurrencies, I’ll use Bitcoin as the example. We can create any system we want of governance, and I talked about this before, I talked about this.
Well, I'll get into what I talked about in Episode 126 in a bit. But it's interesting that you can create systems whereby you can have a certain combination of people voting to allocate money to a certain thing, or you can have certain people voting on whether some action gets taken on the blockchain, though the main one that I can think about is spending some money, that's the one that's easy to wrap around. That you know, you could spend Bitcoin if certain people agreed. These arrangements are very interesting. They're no longer fiduciary. So if you have a corporate board, that board needs to act in the interest of the shareholders of your shareholder, you know that you can invest. They're not going to use it in their, in their own personal interest, for example. In Episode 108, of course, we talked about the Bernie Sanders plan to add different people to boards, different stakeholders who will use the corporation to, to allocate funds for their own interests or to outside interests, which I said might not be a good idea.
But there are kind of legal guidelines there. Whereas the difference with crypto is going to be there's no legal guidelines, so you have to trust whoever owns these keys that they'll vote, well, maybe you'll trust they'll vote in their own interest, and maybe their own interest is what you want. Then you want to be part of this system. And sometimes, it could be keys that the same person has access to. So for example, there's something called Casa out there, which is a security solution for people who own large amounts of Bitcoin. And what they have is they have a three-of-five wallet system. So they have five keys out there, and you need three to spend your Bitcoin, but you put all five in different places. And so that means that, and this is not for your day to day spending. This is for what you have kind of stored away. And so basically, it means someone robs your house, no problem, they get one of the five keys, there's nothing they can do. And then you could quickly regenerate that. And so it makes your situation a lot more secure. So it's five voters, but then you need a majority of the five voters, but it's all essentially, well, the company has one. But it's all essentially the same person voting on it just in different situations, so you can make things much more secure. It's probably the most secure thing you can imagine.
It changes the game, if you think about something like hiding gold. You could be pretty secure about hiding gold, you could hide vaults. But somebody else can get access to that vault. Let's say if there's political upheaval, or there's a war or something, I've been listening to Michael Saylor interviews on Bitcoin, and he makes the case that, you know, with gold, yes, you could store your gold in a vault. But if you want to store it for 100 years, there'll probably be a war or something. If you have it in Multisig wallets, then it makes it less likely that a physical attacker can actually get a hold of your cryptocurrency, in which case they're less likely to try to begin to, you know, they're less likely to try to begin with, which hopefully, the idea is to create a more peaceful society, which we all want.
That's interesting. Let's say we have a situation, a Multisig situation. I told you about one that is a good example, it's three of five and all five are owned by the same person in different places. But you could also think of a situation where you have five keys, and they're owned by five different people, and you need three of them to agree to spending. And in Episode 126, I talked about this. When it came to voting systems, this was more in the context of political voting systems, but I talked about something called, you're not gonna like this term, Monotone Boolean functions. That is a, it's a crazy math phrase, but it basically, it means a scheme for how a certain group of people can vote to have this happen. Monotone Boolean functions are very broad. It basically means they're ands and ors. I'm going to give some examples of new forms of corporations or joint ownerships that you can create. The first one I think you can imagine pretty easily is the so-called M of N. And I don't know why they always use the same letters, but M is the number of votes needed and N is the number of votes total. So the Casa wallet, for example, is three of five, you could do something like, you know, seven of 12, let's say there are 12 voters, you need seven to spend the money, or you could do more, you could do 40 or 50. Or you could do two of 50, which is kind of very dangerous, because if you have 50 people, all it takes is for two to get together, make a scheme to take it, so that the… But who knows, there might be cases where you want something like that. So you can have a set number of votes and you could set the threshold, but you can do something a little bit more sophisticated than that.
First of all, you can assign people multiple votes, that's not too hard to do. That would be step two. So you can have an electoral college situation where each person, you have nine votes, you have 12 votes, you have six votes, etc, etc. We need this threshold to have something occur, to spend that money. Then step three is you can imagine there are all sorts of different combos that you can use to spend. Essentially what these Boolean Monotone functions do is, there are a series of for those of you who are not, for not programmers, they're just a series of like statements that are ands and ors. So you need that guy, or you need that girl and one of these six people, or you need this cluster to say yes, which is M of N.
You basically have some combination of people where it's not necessarily a series of votes where you can say, okay, it's, it's just a vote, you need a threshold? No, it's like, it's something a little bit more complicated. I guess, one one you can think of is like, hey, I need, I need Person A and then one of Person B, and person C. I guess you can kind of assign them a vote, vote numbers, that would get that to work. But you get the idea. It's sort of like, maybe maybe there's a case where it's sort of federated, where I have three clusters of three of fives, and there are 15 people, and they're organized in three clusters of three fives, and then of the three, you need two out of three to make that action. So it's like a federated system, you have three clusters, and of that three, two need to vote. And within the three, meaning three of five to vote, something like that. I know, it's kind of mind boggling when I'm just doing this by audio, but you can build things up that are very, very complicated, is the idea.
I think that these new forms of decision making rules, of which you can make any Boolean Monotone function, there's a lot so the term that I mentioned in Episode 126, is the Dedekind number, which is, given the number of voters how many potential functions are there, and it's pretty exponential. Well, just for two there’s six, but then it goes up, it goes up even from there. If you have 10 voters, there are tons of different arrangements that you can make. I don't even have it in front of me, but picture just like billions and billions. So what kind of arrangements? What kind of virtual corporations are people going to make there? That's sort of an interesting idea. I don't know what the, I feel like it's interesting to think about, what is, what sort of schemes will people come up with in the future to organize human action in that way? It also brings into question, what is ownership now? What does ownership mean? If you talk about ownership of cryptocurrency, ownership of Bitcoin, okay, I could kind of wrap my head around that, is that okay, well, I have a key that I can use to spend the Bitcoin. Great, I'm the owner.
That's sort of what we consider, but what if I just own the keys to some vast Boolean Monotone scheme, some kind of virtual corporation here, then what happens? Am I the owner, am I the part owner, and all of this becomes in some ways more opaque because you don't know who owns what key, it becomes very hard to regulate and becomes easy to anonymize. And I think this becomes kind of a new type of corporation that people can get involved with, that can move around large amounts of capital in a short period of time, and in interesting and unique ways. I'm excited to see what people come up with in that area. I wish I could be more specific, but again, it's, think about it this way. They say they're going to try to tax Bitcoin spending, okay, you tax Bitcoin spending if you trade Bitcoin for Ethereum, or something like that.
But what if you're part of, what if you have the key to some kind of one of these virtual corporations and their trading, then are you liable? Do you have, and how do you… I don't think that will ever be a, I don't think you'll be able to A) tax the corporation, because there'll be no one to talk to and B) you won't be able to tax the individuals because they will be so dispersed and so easy to anonymize, you wouldn't be able to track them down.
So I'm not saying that every organization should run this way. I think the idea of a traditional corporation where you know who the people are — some people would say there's someone to sue in there — but you know who the people are, and you have someone who is accountable. And you have people who are forming management teams, forming boards, etc., to go after a certain goal that is still available. But these hidden corporations, I feel like there's going to be a lot that comes out of it both good and bad. I mean, some of these criminal organizations might decide to do it this way. But I feel like there's also a lot of innovation to be made in the legitimate private markets and the legitimate area of innovation as well.
So let me know what you think of that, let me know if that made sense to you at all. Because it does make sense to me. I'm not just talking air here. I think this is something that I think about a lot. But these are new ideas. And I feel like in due time, maybe it'll be in a few years, maybe five years, 10 years. It'll be very clear what I'm talking about. And I’d be interested in investing in some of these. I don't know what I guess I have to do a lot more research, but we'll see.
So, alright, hopefully, you understand a little bit more about what happened with Colonial. Hopefully, you understand why they paid the ransom, why it's unsavory, but also, maybe how this could be fixed in the future, with Security-First development. Then hopefully, you got some mind blowing ideas when it comes to the future of virtual corporations and how these Boolean Monotone functions or whatever you want to call it, just the series of ands and ors can create schemes of cooperation that we never thought imaginable in the past. Comment on my Locals Page maximum.locals.com and also support the show there at maximum.locals.com. Appreciate everyone who supports it. Have a great week, everyone.
That's the show. To support The Local Maximum, sign up for exclusive content and our online community at www.maximum.locals.com. The Local Maximum is available wherever podcasts are found. If you want to keep up, remember to subscribe on your podcast app. Also, check out the website with show notes and additional materials at www.localmaxradio.com. If you want to contact me, the host, send an email to localmaxradio@gmail.com. Have a great week.
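The M-of-N, weighted, and-or, and federated signing policies Max describes in the episode, written out as an added example that is not part of the episode or of any wallet product: a policy is a function from the set of approving key-holders to a spend decision, a brute-force check confirms a policy is monotone (adding an approver never blocks a spend), and the Dedekind numbers he mentions are recovered by counting monotone functions on a few inputs. Signer names and cluster layout are constructed for illustration.

```python
"""Monotone Boolean spending policies (added example, not from the episode)."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable

Approvers = FrozenSet[str]
Policy = Callable[[Approvers], bool]


def has(signer: str) -> Policy:
    """Atomic policy: this one key-holder approved."""
    return lambda approvers: signer in approvers


def k_of(k: int, *policies: Policy) -> Policy:
    """At least k of the sub-policies hold (k == len gives AND, k == 1 gives OR)."""
    return lambda approvers: sum(1 for p in policies if p(approvers)) >= k


def m_of_n(m: int, signers: Iterable[str]) -> Policy:
    """Plain M-of-N threshold, e.g. a 3-of-5 vault."""
    return k_of(m, *(has(s) for s in signers))


def weighted(needed: int, weights: Dict[str, int]) -> Policy:
    """Electoral-college style: each approver contributes its vote weight."""
    return lambda approvers: sum(weights.get(s, 0) for s in approvers) >= needed


def all_of(*policies: Policy) -> Policy:
    return k_of(len(policies), *policies)


def any_of(*policies: Policy) -> Policy:
    return k_of(1, *policies)


def is_monotone(policy: Policy, signers: Iterable[str]) -> bool:
    """Exhaustive check: if a subset approves, adding any extra signer must
    still approve. Cost is about n * 2**n policy evaluations, so keep n small."""
    names = list(signers)
    for bits in product((0, 1), repeat=len(names)):
        subset = frozenset(n for n, b in zip(names, bits) if b)
        if not policy(subset):
            continue
        for extra in names:
            if extra not in subset and not policy(subset | {extra}):
                return False
    return True


def dedekind(n: int) -> int:
    """Count monotone Boolean functions on n inputs by brute force over all
    2**(2**n) truth tables: a table is monotone if flipping any input from
    0 to 1 never flips the output from 1 to 0. Practical for n <= 4."""
    rows = list(product((0, 1), repeat=n))
    index = {row: i for i, row in enumerate(rows)}
    count = 0
    for table in product((0, 1), repeat=len(rows)):
        ok = True
        for row in rows:
            if not table[index[row]]:
                continue
            for i in range(n):
                if row[i] == 0:
                    up = row[:i] + (1,) + row[i + 1:]
                    if not table[index[up]]:
                        ok = False
                        break
            if not ok:
                break
        count += ok
    return count


# Constructed policies mirroring the episode's examples.
VAULT_KEYS = ["home", "office", "bank_box", "custodian", "phone"]
VAULT_3_OF_5 = m_of_n(3, VAULT_KEYS)

# "Person A and one of Person B or Person C"
A_AND_B_OR_C = all_of(has("A"), any_of(has("B"), has("C")))

# Federated: 15 key-holders in three clusters of five; a cluster signs off
# on 3-of-5, and 2 of the 3 clusters must sign off.
CLUSTERS = [[f"c{c}_{i}" for i in range(5)] for c in range(3)]
FEDERATED = k_of(2, *(m_of_n(3, cluster) for cluster in CLUSTERS))

# A rule that is NOT monotone: spend only if at most two keys agree.
AT_MOST_TWO: Policy = lambda approvers: len(approvers) <= 2


def can_spend(policy: Policy, approvers: Iterable[str]) -> bool:
    return policy(frozenset(approvers))


if __name__ == "__main__":
    print(can_spend(VAULT_3_OF_5, ["home", "phone"]))                # False
    print(can_spend(VAULT_3_OF_5, ["home", "phone", "bank_box"]))    # True
    print(can_spend(FEDERATED, CLUSTERS[0][:3] + CLUSTERS[1][:3]))   # True
    print(is_monotone(VAULT_3_OF_5, VAULT_KEYS), is_monotone(AT_MOST_TWO, "ABC"))
    print([dedekind(n) for n in range(4)])                            # [2, 3, 6, 20]
```

Any composition of `has`, `k_of` and `weighted` with non-negative weights is monotone by construction; `is_monotone` is there to catch hand-written rules like `AT_MOST_TWO` that silently break the "more approvals never hurt" property a multisig scheme relies on.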