Blockchain experts are putting a stop to governments putting backdoors in software Blockchain experts are putting a stop to governments putting backdoors in software
4.5
WHY THIS MATTERS IN BRIEF Governments want backdoors in software and criminals want to exploit them to spread malware, now a blockchain based system... Blockchain experts are putting a stop to governments putting backdoors in software

WHY THIS MATTERS IN BRIEF

  • Governments want backdoors in software and criminals want to exploit them to spread malware, now a blockchain based system from Switzerland could put a stop to both


 

A new blockchain based software update framework from the team at the Decentralized-Distributed Systems (DEDIS) lab at the Swiss Federal Institute of Technology in Lausanne (EPFL), Switzerland could help prevent the spread of malware like Petya, but, as an added bonus it would also make it difficult, if not impossible, for governments to force software companies to deliver software updates with backdoors in them in secret.

 

RELATED
South China Airlines swaps boarding cards for facial recognition

 

The Petya ransomware, and its “wiperware” variant NotPetya, were both spread after an attacker managed to take over the network of Ukrainian accounting firm, M.E. Doc, and inject malicious code into one of their legitimate software updates.

The new proof-of-concept technology, which has been dubbed “Chainiac” by its team is a first of a kind decentralised framework that eliminates these single points of failure and enforces a new level of transparency on software updates which, in turn, makes it possible for security analysts and other interested individuals to continuously review and monitor the authenticity of updates and identify vulnerabilities.

“What Chainiac is trying to do,” said Bryan Ford who led the group that conducted the research, “is create an end-to-end architecture for software life cycle management, all the way from the developers to deployment and updates on end-user devices.”

 

RELATED
Wanxiang announces plans to use Blockchain to underpin it's $30 Billion Smarter Cities program

 

As criminals and nation states continue to increase their attacks on the software supply chain it’s going to become increasingly important that we can ensure the integrity of the software we all use, and rely on. After all, I doubt you’ll want to download a version of Apple’s next iOS update only to then find the NSA, or someone else is watching you via your webcam.

Wave and say hi, now go and get the sticky tape and shove it over the lens – who says beating the government isn’t easy? For example, documents released by NSA whistleblower Edward Snowden revealed that in 2011, the NSA was looking at how to compromise the Google Play Store in order to replace legitimate smartphone apps with backdoor versions they could use to spy on users or even manipulate them with targeted propaganda. And over in the UK, under the Investigatory Powers Act, which came into force in January this year, the government’s currently considering passing a law that will legally compel software makers to build backdoors into their software using secret court orders – and other nations are following suit.

 

RELATED
China's puts final touches to its 2,000km long unhackable quantum network

 

“How do we know what software we are really running?” said Emin Gün Sirer, associate professor at Cornell University and co-director of the Initiative for Cryptocurrencies and Smart Contracts, “a lot of attacks go after that exact foundation. Someone switches the binaries you’re using but everything appears to be the same.”

Chainiac builds on Cothority, a blockchain based transparency tool Ford’s team released in 2015 that allows independent individuals and experts to collectively sign off on the authenticity of software updates.

Collective signing means that every time Apple, for example, releases a new iOS update the iOS device won’t accept the update until it’s been collectively signed and verified by a threshold number of thousands of trusted witnesses attesting publicly that a valid, non-backdoored update had been issued.

 

RELATED
DARPA teams go head to head to find the worlds best robo-hacker

 

However, while a collectively signed software updates could still contain backdoored code, for example, developers could be bribed, blackmailed, or threatened to insert a backdoor, Cothority, now a component of Chainiac, would make it impossible to ship the update in secret. Chainiac also integrates reproducible builds, a system which lets technical end users, or automated witness servers, to recompile the source code and get a byte-for-byte identical binary, ensuring the distributed binaries haven’t been tampered with.

“The essence of the idea is that [Chainiac] allows users, who just want the latest binary, to check this one collective signature,” Ford said, “and see that this signature shows that this group of Cothority servers has independently reproduced this binary, and tested that this is the one and only correct output corresponding to the source code that the developer has produced.”

 

RELATED
The ultimate bioweapon, scientists have developed an Extinction Gene

 

The Debian Project has already deployed reproducible builds for 94 percent of the tens of thousands of software packages that make up that Linux distribution, which is widely used on cloud servers and embedded devices, plus its downstream variant Ubuntu. Ford’s team tested Chainiac on Debian packages with good results, and Debian seems like they could be an early adopter.

Meanwhile, proprietary software, such as Apple’s iOS or Microsoft’s Windows, could also use Chainiac to achieve similar levels of transparency, Ford emphasized.

“In that case the Cothority nodes responsible for checking the reproducible builds need to be run by organisations that have NDAs with the software provider giving them access to the source code for this purpose. That makes it at least in principle feasible for proprietary software,” he added.

 

RELATED
Nvidia's latest autonomous drone flies off grid

 

The project also incorporates a novel form of blockchain technology, called a “Skipchain,” that allows software updates to be announced on a distributed ledger.

“Blockchains are used to transfer things, but that’s not their only use,” Sirer said, “they’re great for transferring things like Bitcoin, but they’re also great for announcing facts. … [Chainiac] is also a broadcast medium for vetting software updates.”

Ford’s research seems unlikely to please government leaders who are increasingly frustrated at the growing use of encryption, as well as the upcoming 5G standard, and how it cuts off their ability in some ways, but not completely, to surveil people.

 

RELATED
World first as researchers hack a computer using modified DNA

 

If you’re a government type though put down those tissues, and stop wiping your eyes, because, thanks to Quantum Computers, you’ll soon be able to crack over 70 percent of all the encryption standards on the planet in mere minutes. Yes dear spyling, swap those tears of sadness for tears of joy and get back to your massive bank of screens, crack open a fresh beer and sit back and watch us all on your huge bank of TV monitors. Oh the joy. Anyway back to the story…

Chainiac is the latest salvo in an increasingly bitter war between software makers and governments for control of the integrity of the code on which our lives depend, and it’s also likely that nation states who want to subvert the software development process for law enforcement or espionage purposes are already looking for new ways to undermine these new “transparency mechanisms.”

 

RELATED
New GE connected dishwasher could disrupt two industries

 

“We’ve seen sovereign states put enormous resources into hacking,” Sirer said, “will [Chainiac] be open to gaming? Will it be more secure or open to attack? There is every reason for hope and every reason for experimentation.”

Cryptographers have been vocal against government use of backdoored software updates, arguing that destroying trust in software updates makes everyone less safe, and security expert Bruce Schneier, a fellow at the Berkman Klein Center at Harvard University, said it is never acceptable for governments to use backdoored software updates.

“It is akin to a public health issue,” he said, “we need everyone to be able to trust the update process implicitly, and that it will always work in the best interests of the user. Hijacking that process for surveillance or espionage purposes threatens to undermine trust in one of the most critical security technologies we need and all rely on.”

Matthew Griffin Global Futurist, Tech Evangelist, X Prize Mentor ● Int'l Keynote Speaker ● Disruption, Futures and Innovation expert

Matthew Griffin, Futurist and Founder of the 311 Institute, a global futures think tank, is described as “The Adviser behind the Advisers.” Recognised in 2013, 2015 and 2016 as one of Europe’s foremost futurists, innovation and strategy experts Matthew is helping governments and multi-nationals re-invent everything from countries and cities to energy and smartphones. An award winning author, entrepreneur and international speaker Matthew also mentors XPrize teams and is regularly featured on the BBC, Discovery, Kurzweil, Newsweek, TechCrunch and VentureBeat. Working hand in hand with accelerators, investors, governments, multi-nationals and regulators around the world Matthew helps them transform old industries, and create new ones, and shines a light on how new, powerful and democratised technologies are helping fuel disruption and accelerate cultural, industrial and societal change. Matthew’s clients include Accenture, Bain & Co, Bank of America, Booz Allen Hamilton, Boston Consulting Group, Dell EMC, Deloitte, Deutsche Bank, E&Y, Fidelity, Goldman Sachs, Huawei, JP Morgan Chase, KPMG, McKinsey & Co, PWC, Qualcomm, SAP, Schroeder’s, Sequoia Capital, UBS, the UK’s HM Treasury, the USAF and many others.

No comments so far.

Be first to leave comment below.

Your email address will not be published. Required fields are marked *

Translate page »

Pin It on Pinterest

Share This