
After years of hype, private blockchains face their first commercial tests


Blockchain tech has been a buzzword for much of the last two years, as industries ranging from big banks to utilities try to shoehorn it into their existing infrastructures. Now IBM is announcing two new projects that finally put the technology to the test in the marketplace.

The first deal involves Canada’s major banks, telcos, and government agencies, who are using digital identity services from a firm called SecureKey. Later this year, customers of these services can opt in to a blockchain-powered system, provided by SecureKey and IBM, which will verify their identities. They can then decide how much and what personal data to share with other companies who use the digital identity system. As an example of how the system works, SecureKey says a bank customer would be able to share his data with a utility to open an account, removing the need to go through a separate verification process.

The second deal uses an IBM blockchain for a carbon-trading platform in China, jointly developed with a company called Beijing Energy-Blockchain Labs. The platform is touted as a more efficient way to trade carbon assets because it provides a cheaper way to audit the transactions while keeping everyone compliant. The system was trialled last November and will be available later this year, IBM says.

The SecureKey project is the more interesting one. Digital identity has long been discussed as a particularly powerful use of blockchain technology, but no prototype has been released for public use yet. If Canada’s SecureKey and IBM make their promised system easy enough for consumers to use, it would be a clear demonstration of blockchain technology’s utility. It would also illustrate the difference between these so-called private blockchains, or distributed ledgers, and public blockchains exemplified by cryptocurrencies like bitcoin and ethereum.

IBM has been promoting the commercial viability of its blockchain tech forcefully. Last month, it announced its blockchain-powered solution for a major private equity funds administrator, Northern Trust, probably the first project using the technology commercially. Blockchain tech is just one of the services that IBM provides through its cloud. The cloud divisions of Microsoft and Amazon offer their own variants, and a major enterprise software provider is expected to announce its entry to the space this week. IBM’s first-mover advantage, however, may serve it well.




When Americans Lost Their Virginity


Everyone has his or her own timeline, but here it is in general for Americans.


The World Map of Billionaires


Source: How Much

The post The World Map of Billionaires appeared first on The Big Picture.


Toys are more dangerous than cars and electrical appliances


Each year, the European Commission releases a report of the withdrawn or recalled products that triggered the most notifications on the European Rapid Alert system. The bad news is that this year, toys set off the most alerts because they are choking hazards. The good news is that the total number of alerts is slightly down, and alerts for products made in China, the biggest source of dangerous products, are significantly down.

These are the most dangerous non-food consumer goods in Europe for 2016:

These are the hazards posed by toys, the product category with the most safety alerts:

These are the most common risks posed by dangerous products in Europe. According to the commission, the “injuries” category is mainly linked to motor vehicles.

Where are all those dangerous goods from? China by a long shot, but of course, China makes most of the world’s stuff. Slightly more disturbing is the high number of alerts of “unknown” origin.

Here’s a historical snapshot of the types of danger posed by these products over time. From 2007 to 2013 clothes were the most dangerous products, mainly because of a crackdown on the drawstrings on children’s trousers by national authorities and because of an EU ban on an anti-mold chemical used in shoes called dimethyl fumarate, according to an earlier commission report (pdf).






This Security Researcher Found the Bug That Knocked Out Bitcoin Unlimited

For over a year, attackers have had the ability to crash Bitcoin Unlimited and Bitcoin Classic nodes. Yesterday, someone actually did it. According to websites like Coin Dance, the number of Bitcoin Unlimited nodes fell sharply from almost 800 to less than 250 in a matter of hours. Bitcoin Classic was hit shortly after.

One day earlier, the security researcher who found the vulnerability had reached out to Bitcoin Magazine.

“I am quite beside myself at how a project that aims to power a $20 billion network can make beginner’s mistakes like this.”

The Vulnerabilities

Bitcoin Unlimited and Bitcoin Classic are forks of Bitcoin Core that intend to increase Bitcoin’s block size limit. Both launched in 2015 and have been maintained by their own development teams since. While Bitcoin Classic was a relatively popular alternative to Bitcoin Core last year, Bitcoin Unlimited has been gaining traction lately. The world’s largest mining pool — AntPool — announced it would switch to Bitcoin Unlimited, as have several smaller pools.

But not everyone believes that is a good idea.

“I am rather dismayed at the poor level of code quality in Bitcoin Unlimited and I suspect there [is] a raft of other issues,” a security researcher identifying herself only as “Charlotte Gardner” told Bitcoin Magazine on Monday.

Communicating over email, Gardner said she was auditing the software for her own use, but quickly came to the conclusion that it’s highly unsafe: “What concerns me is that this software is now being used by a huge portion of the Bitcoin mining ecosystem.”

Gardner revealed that she had submitted two vulnerabilities — “critical remote crash vulnerabilities” to be exact — to the Bitcoin Unlimited development team.

The first one is known as a “NULL pointer dereference” (https://cwe.mitre.org/data/definitions/476.html), the second a “reachable assertion” (https://cwe.mitre.org/data/definitions/617.html). In both cases, attackers can send specially crafted messages to Bitcoin Unlimited or Bitcoin Classic nodes to make these nodes crash. On an open peer-to-peer network like Bitcoin’s, this means that an attacker can get a list of Bitcoin Unlimited and Bitcoin Classic nodes from publicly available sources, like Bitnodes, and simply knock every single one of them offline.

“I’m surprised no one has noticed them yet,” Gardner told Bitcoin Magazine one day before the attack took place. “I guess not many people actually use the Bitcoin Unlimited software. But with their ‘rise,’ attackers may take more interest.”

The Disclosure

When contacting Bitcoin Magazine on Monday, Gardner did not immediately want to make the vulnerabilities public. That would have been irresponsible, she explained, as the bugs could still be exploited before the Bitcoin Unlimited development team had the chance to fix them.

But she did also submit the vulnerabilities to Mitre’s Common Vulnerabilities and Exposures (CVE) database. This ensures that Mitre discloses the bugs in one month from now, which pressures the developers to actually fix the problem in time.

However, even following this responsible disclosure, Gardner thought there was a risk that the vulnerabilities would be abused as soon as they were fixed in the Bitcoin Unlimited code repository. After all, at that point the problem isn’t really solved: anyone running the released Bitcoin Unlimited software is still vulnerable until they download and run the new, revised version. This opens a window for attackers.

“The problem is, the bugs are so glaringly obvious that when fixing it, it will be easy to notice for anyone watching their development process,” she said.

It now appears that is exactly what has happened. While the Bitcoin Unlimited developers did indeed fix the issue shortly after it was pointed out to them, they did so with far too conspicuous a GitHub commit message (https://github.com/BitcoinUnlimited/BitcoinUnlimited/pull/371/commits/99d4062c570471d43b36b2ad0d416f36817a1743), Gardner told Bitcoin Magazine once it appeared the bugs seemed fixed and before the attacks began.

“Their commit message does ring alarm bells. I’m not sure if anyone will notice, but they probably should have obfuscated the message a bit more. The wording might attract closer scrutiny. But if it went unnoticed for this long, maybe it will go unnoticed.”

Clearly, it did not.

As Gardner warned, it didn’t take long for attackers to exploit one of the vulnerabilities: the first attacks happened shortly after the bugs were fixed. A little later, user “shinobimonkey” took the issue to Reddit, Bitcoin Core developer Peter Todd tweeted about the bug and social media blew up.

Someone then even published exploit code for anyone to use, and before long most Bitcoin Unlimited nodes were down, to be followed by many Bitcoin Classic nodes.

“This is exactly why there is supposed to be a ‘responsible disclosure’ protocol,” Gardner told Bitcoin Magazine after the attacks took place. “But then it doesn’t help if the software project is not discreet about fixing critical issues like this.”

Code Quality

This is not the first time the code quality of Bitcoin Unlimited or Bitcoin Classic has been scrutinized.

As the best-known example, the bitcoin.com mining pool, which runs Bitcoin Unlimited, mined an invalid block caused by a bug last January. All energy invested to produce the block was wasted, while mining pools that spy mined on top of the invalid block wasted some energy as well.

Before that, Bitcoin Core developers had already warned about buggy code on several occasions. On the Bitcoin-development mailing list, Matt Corallo said that he had found Bitcoin Classic’s flexible transactions codebase to be “riddled with blatant and massive security holes.” On Reddit, Gregory Maxwell pointed out that Bitcoin Unlimited nodes were crashing because the development team removed code that shouldn’t have been removed.

Addressing Bitcoin Unlimited lead developer Andrew Stone in response to yesterday’s events, Maxwell suggested there are more problems with Bitcoin Unlimited’s codebase that have not yet been abused:

“There are vulnerabilities in Unlimited which have been privately reported to you in Unlimited by Bitcoin Core folks which you have not acted on, sadly. More severe than this one, in fact.”

Perhaps the main problem for Bitcoin Unlimited, as pointed out by information security expert Andreas Antonopoulos, is that it lacks a significant development community to perform proper quality analysis. The number of developers working on Bitcoin Unlimited and Bitcoin Classic is relatively small, and the code that included the exploited vulnerability was merged after being reviewed by only one person — not a lot for security-critical code protecting people’s money.

Gardner agreed with this assessment:

“In this case, the vulnerabilities are so glaringly obvious, it is clear no one has audited their code because these stick out like a sore thumb,” she said. “I’m astounded the mining industry are running this software. But since they are, and a lot of people could get harmed, the best I can do, other than recommending they don’t use Bitcoin Unlimited, is to disclose the issues and hope they are competent enough to fix it.”

Bitcoin Magazine reached out to Bitcoin Unlimited developers Andrew Stone and Andrea Suisani, but received no response at time of publication.
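
The two bug classes named in the article, NULL pointer dereference (CWE-476) and reachable assertion (CWE-617), shown side by side with a hardened handler, as an added C example. It is not Bitcoin Unlimited's or Bitcoin Classic's code; the message layout, function names and penalty value are hypothetical.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical peer message: a request type plus a 32-byte item hash. */
enum { REQ_TX = 1, REQ_BLOCK = 2 };
typedef struct { uint32_t type; uint8_t hash[32]; } peer_msg;
typedef struct { uint8_t hash[32]; uint32_t height; } item;

/* Constructed in-memory index holding one known item (hash = 32 x 0x11). */
static item known = { {0}, 100 };
static int known_ready = 0;

static item *lookup(const uint8_t hash[32]) {
    if (!known_ready) { memset(known.hash, 0x11, 32); known_ready = 1; }
    return memcmp(hash, known.hash, 32) == 0 ? &known : NULL;
}

/* Vulnerable pattern: peer-controlled input reaches an unchecked pointer and assert(). */
uint32_t handle_vulnerable(const peer_msg *m) {
    item *it = lookup(m->hash);
    switch (m->type) {
    case REQ_TX:
    case REQ_BLOCK:
        return it->height;  /* CWE-476: it is NULL when the hash is unknown */
    default:
        assert(0);          /* CWE-617: any other type aborts the whole process */
    }
    return 0;
}

/* Hardened pattern: malformed input is a peer error, never a process abort. */
enum result { OK = 0, ERR_UNKNOWN_ITEM = -1, ERR_BAD_TYPE = -2 };
int handle_hardened(const peer_msg *m, uint32_t *height_out, int *penalty) {
    if (m->type != REQ_TX && m->type != REQ_BLOCK) {
        *penalty += 20;     /* count it against the peer and drop the message */
        return ERR_BAD_TYPE;
    }
    item *it = lookup(m->hash);
    if (it == NULL)
        return ERR_UNKNOWN_ITEM;
    *height_out = it->height;
    return OK;
}

int main(void) {
    peer_msg bad = { 99, {0} };   /* constructed malformed message */
    uint32_t h = 0; int penalty = 0;
    return handle_hardened(&bad, &h, &penalty) == ERR_BAD_TYPE ? 0 : 1;
}
```

Assertions remain useful for internal invariants; the defect class arises only when the asserted condition can be decided by bytes received from the network.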

The post This Security Researcher Found the Bug That Knocked Out Bitcoin Unlimited appeared first on Bitcoin Magazine.


China’s Continuing Credit Boom


Jeff Dawson, Alex Etra, and Aaron Rosenblum
Liberty Street Economics, Feb 27, 2017

Debt in China has increased dramatically in recent years, accounting for roughly one-half of all new credit created globally since 2005. The country’s share of total global credit is nearly 25 percent, up from…


The post China’s Continuing Credit Boom appeared first on The Big Picture.
