Blockchain Addresses Security Controversy: 'We Need to Do Better'
It has been a terrible couple of weeks for bitcoin wallet provider Blockchain.
First, the firm’s product lead got into an online spat with a Coinbase engineer on Reddit. Then, Blockchain's wallet was pulled from Bitcoin.org, an informational website managed by bitcoin core developers and community members, for poor security.
The company found itself publicly promising to reimburse customers after a random number generator flaw that led to hundreds of addresses being compromised. Further, unsubstantiated online reports suggested that bitcoins had been stolen as a result of the issue.
So, what went wrong, and what’s going to happen next?
Let’s take the most recent issue first. The firm was forced to make a security disclosure on its blog and on Reddit, admitting that a development error had led to a problem with the generation of private keys. Private keys (effectively the private addresses used to hold bitcoin) were generated with a low degree of entropy, making them easy for attackers to retrieve.
Blockchain offered to reimburse all customers for lost funds, but the online blowback was still huge, with commenters accusing the company of bad development work and managerial problems.
Commenters on Bitcoin Talk criticised Blockchain for several things, including letting developers push code to a production environment.
One Reddit commentator said:
“This is seriously simple stuff. Web business 101. A developer should literally not have the ability to put anything near production, because if they do they will eventually do something stupid.”
“I don’t think that’s accurate to say that this is a real criticism on Reddit,” Blockchain CEO Nicolas Cary told CoinDesk, about accusations of poor development processes.
“I think a few outspoken community members that have a lot of their own personal brand at stake are making some accusations. We’re listening to those. We know that we have to do better. We have a very strong development team."
"We have built a huge amount of software," he continued. "We have released safely all the time, we have quality assurance leads. We have a security team. The real message to the community is that we are going to get better. We know we need to do a better job. At the same time, we have the humility to do what's right and take care of our users when there are issues."
Core bitcoin developer Peter Todd also criticised the company for only having a manual testing repository in its GitHub repository, rather than a fully automated test suite.
Blockchain’s senior executives did not offer a formal response to Todd’s tweet. Neither did they confirm that there was an automated test suite in the company, discuss their development process or comment about the $30.5m Series A funding deal Blockchain completed in October.
Redditors had criticised the firm for failing to tighten security issues with the money. Sources close to the company privately pointed out that it takes time for a freshly funded company to use that money and make the necessary internal changes.
The Bitcoin.org delisting
All of this happened just days after the organisers of Bitcoin.org took Blockchain off the list of wallets that it provides for bitcoin users, with commenters suggesting that "it should be revisited with reasonable criteria at least as demanding as other wallets".
In the discussion within the GitHub pull request concerning the wallet’s listing on Bitcoin.org, site maintainer Saïvann Carignan highlighted several factors. The first was bugs and losses, of which there have been several, he said.
The second was backup and password security. "[Blockchain] hasn't adopted security features which are slowly becoming standard in other wallets (e.g. BIP32, random passphrases, backup on setup, rotating addresses, 2FA by default),” he said.
He also criticised the company for not being transparent enough, and not resetting the app’s source code, adding:
“To be fair, each of these issues would have blocked or delayed listing Blockchain if the wallet was submitted today. Accordingly, I think the logical next step to incentivize security and reduce risks for the user is to raise the bar for Blockchain like other wallets”.
Ben Reeves, Blockchain’s CTO, posted a response in that GitHub discussion addressing the complaints and promising several changes. This was praised by the other participants, on the basis that the initial criticisms concerned the track record of the Blockchain service. So, the consensus remained to delist the wallet for at least 60 days, and to let Blockchain resubmit it after that.
Carignan acknowledged complaints that there was no set policy for listing or delisting wallets from Bitcoin.org, and opened another discussion to develop a standard process.
"We are eager to resubmit there. We respect their decision, but ultimately we have made a lengthy defense for our position. We are still the only open-source company," said Cary, who added that the company is making changes to its software, and that people should expect "exciting things coming to market in 2015".
A wider FinTech problem
Blockchain has made its mistakes, but Emin Gün Sirer, an associate professor of computer science at Cornell University and an expert in bitcoin security issues, warned against a witch hunt.
"To their credit they have realised that their processes were broken when they made some personnel changes internally to bring different people in charge of security. I have had private conversations with them and it sounds like this is a bunch of people trying very hard to patch the flaws as they appear."
These security issues are a sign of a wider problem in the cryptocurrency space, warned Sirer.
"There is no room for the smallest screwup, and we’re finding out that standard practices that are normal in Silicon Valley are unacceptable in the bitcoin world because there’s so much at stake," he said, arguing that the rate of security failures is high across the bitcoin industry.
Cary also called the timing for this whole affair "suboptimal". That seems accurate, given an online spat that broke out between Coinbase and Blockchain executives earlier this month over bitcoin wallet security, in which Blockchain staff criticised Coinbase’s operating model.
It all started with a Reddit post by Charlie Lee, the creator of litecoin, who took a job at Coinbase 18 months ago. Lee, now engineer manager at the company, wanted to set the record straight about security at the centralised wallet service.
Lee described what the service has done for the security of its users. Among those he listed were default requests for two-factor authentication (using something you have, such as a phone, in addition to something you know, like a password) if making transactions above $100. The service also included a bitcoin vault for its users, and stores 97% of its own coins in cold storage, said Lee (CoinDesk has covered some of Coinbase’s security before).
All this information is part of the public record. The interesting part came in one part of Lee’s post, in which he compared CoinBase’s security to that of Blockchain. One part of the post (later removed) read:
“Over the past year though, Coinbase kept introducing new security features while Blockchain wallet's security has stayed exactly the same, and arguably became worse.”
This led to an angry riposte by Keonne Rodriguez, product lead at Blockchain, who criticised Lee for chasing his own agenda, and likened him to “a shady lawyer chasing an ambulance”.
A serious approach
Name calling and criticising doesn’t help anyone, suggested Michael Perklin president of Bitcoinsultants, and a specialist in bitcoin security. Perklin, also a director at the Bitcoin Alliance of Canada, has a background in security within other industries.
“I enjoy accurate discussions based on the merits of the argument,” concluded Perklin. “But whenever anyone throws mud at someone else, they have to get themselves dirty first.“
Those comments all occurred before Blockchain’s latest security debacle. What does Cary have to say about it now? He is still eager to draw distinctions between the two models.
“We have a lot of respect for what Coinbase are doing. We’re not here to start a mud-throwing contest with anyone. We want to have a company that basically has a long-term vision for the success of bitcoin, and takes consumer protection very seriously, and takes care of consumers where there are problems, but also continues to take a non-custodial approach to managing risk.”
Cary said that the company was eager to actively engage and listen. “We take all of these things super-seriously. We are here for the long term,” he concluded.
Businessman balancing image via Shutterstock
SecondMarket: Syndicate Bidders Real Winners of Bitcoin...
Asian Exchange Quoine Raises $2 Million for Global Expansion