Monday, May 28, 2012
As the Bitcoinica brokerage saga metastasizes yet again with the shocking revelation that no recent database backups exist, earlier security warnings to the company's founder are being reviewed. One observer suggested that "as the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%."
Over eight months ago, another reviewer posted:
"I've worked on financial systems before. As others have stated, if you're dealing with real money, then you have a big bulls-eye painted on your forehead, and you need to make sure that your system is hardened. Make sure you understand attack vectors and protect against them -- XSS, SQL Injection, man-in-the-middle, etc. Make sure your passwords are salted and hashed. Auditing. Can't emphasize this enough. Things will go wrong, and when they do, you need to be able to tell when, where, and why. In our case, we had shadow tables in our database where we logged changes, and then consolidated and exported that data into an auditing system. We could confirm that a user made X change at Y time from Z IP address."
Large financial system websites are some of the most lucrative online targets, and bitcoin has the added dimension of a target-rich environment that rarely results in prosecution. Not only is it difficult to prosecute the individual or individuals responsible for the hack, it is difficult to prosecute the financial site itself for negligence, due to the many disclaimers inherent in voluntary and unregulated service providers or due to complicated offshore circumstances (although New Zealand does offer a dispute resolution scheme for Bitcoinica retail clients). Additionally, there is always the possibility of an artificial hack staged by an insider. Therefore, self-regulation is the order of the day, and in the sometimes jurisdiction-less environment of the Internet, bitcoin entities and their customers currently operate under their own brand of lex mercatoria to enforce accountability.
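The shadow-table auditing the quoted reviewer describes, as an added example that is not part of the original post, of Bitcoinica's code, or of the reviewer's own system: a hypothetical SQLite ledger in which triggers copy every balance change into a shadow table together with the acting user, the source IP and a timestamp, refuse any change that carries no recorded actor (the insider case raised above), and keep the shadow table append-only. The table and column names, the one-row request_context mechanism and the two seeded accounts are assumptions made for the example.

```python
"""Shadow-table auditing for a money ledger, shown with SQLite (hypothetical
schema; not Bitcoinica's).  Triggers copy every change to `accounts` into
`accounts_shadow` with who made it, from which IP and when; changes with no
recorded actor are refused, and the shadow table is append-only."""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- integer satoshis, never floats
);
-- One-row table the application fills at the start of each request.  SQLite
-- has no per-session variables, so this is how the triggers learn who acts
-- (on Postgres one would use SET LOCAL / current_setting() instead).
CREATE TABLE request_context (
    id       INTEGER PRIMARY KEY CHECK (id = 1),
    actor    TEXT NOT NULL,
    actor_ip TEXT NOT NULL
);
-- The shadow table: written only by triggers, never by application code.
CREATE TABLE accounts_shadow (
    seq         INTEGER PRIMARY KEY AUTOINCREMENT,
    account_id  INTEGER NOT NULL,
    op          TEXT    NOT NULL,   -- INSERT / UPDATE / DELETE
    old_balance INTEGER,            -- NULL on INSERT
    new_balance INTEGER,            -- NULL on DELETE
    actor       TEXT    NOT NULL,   -- who
    actor_ip    TEXT    NOT NULL,   -- from where
    changed_at  TEXT    NOT NULL    -- when (UTC)
);
-- History may be read but never rewritten or erased through SQL.
CREATE TRIGGER shadow_no_update BEFORE UPDATE ON accounts_shadow
    BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER shadow_no_delete BEFORE DELETE ON accounts_shadow
    BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""

# One audit trigger per statement type; each aborts the statement if nobody
# has recorded who is acting, so a balance change can never land unlogged.
AUDIT_TRIGGER = """
CREATE TRIGGER accounts_{name} AFTER {op} ON accounts BEGIN
    SELECT RAISE(ABORT, 'unattributed change: no request_context')
        WHERE NOT EXISTS (SELECT 1 FROM request_context);
    INSERT INTO accounts_shadow(account_id, op, old_balance, new_balance,
                                actor, actor_ip, changed_at)
    SELECT {row}.id, '{op}', {old}, {new}, actor, actor_ip,
           strftime('%Y-%m-%dT%H:%M:%fZ', 'now')
    FROM request_context;
END;
"""
TRIGGERS = [
    AUDIT_TRIGGER.format(name="ai", op="INSERT", row="NEW", old="NULL", new="NEW.balance"),
    AUDIT_TRIGGER.format(name="au", op="UPDATE", row="NEW", old="OLD.balance", new="NEW.balance"),
    AUDIT_TRIGGER.format(name="ad", op="DELETE", row="OLD", old="OLD.balance", new="NULL"),
]


def set_context(conn, actor, actor_ip):
    """Record who is acting, for the triggers to copy into the shadow rows."""
    conn.execute("INSERT OR REPLACE INTO request_context(id, actor, actor_ip) "
                 "VALUES (1, ?, ?)", (actor, actor_ip))


def open_db():
    """In-memory database seeded with two constructed accounts by 'system'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + "".join(TRIGGERS))
    with conn:
        set_context(conn, "system", "127.0.0.1")
        conn.executemany("INSERT INTO accounts(id, owner, balance) VALUES (?, ?, ?)",
                         [(1, "alice", 10_000), (2, "bob", 0)])
        conn.execute("DELETE FROM request_context")
    return conn


def transfer(conn, actor, actor_ip, src, dst, amount):
    """Move `amount` satoshis in one transaction; both balance changes are audited."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    with conn:  # commit on success; roll back balances AND audit rows on error
        set_context(conn, actor, actor_ip)
        debit = conn.execute("UPDATE accounts SET balance = balance - ? "
                             "WHERE id = ? AND balance >= ?", (amount, src, amount))
        credit = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                              (amount, dst))
        if debit.rowcount != 1 or credit.rowcount != 1:
            raise ValueError("unknown account or insufficient funds")
        conn.execute("DELETE FROM request_context")  # context lives per request only


def audit_trail(conn, account_id):
    """Answer 'who changed this account, from what to what, from where, and when'."""
    return conn.execute(
        "SELECT op, old_balance, new_balance, actor, actor_ip, changed_at "
        "FROM accounts_shadow WHERE account_id = ? ORDER BY seq", (account_id,)).fetchall()


def tampering_blocked(conn):
    """The triggers must refuse a balance change with no recorded actor (e.g. an
    insider at the database console) and any rewrite or erasure of the history.
    Returns True only if all three attempts are refused."""
    attempts = ("UPDATE accounts SET balance = balance + 1 WHERE id = 1",
                "UPDATE accounts_shadow SET actor = 'nobody'",
                "DELETE FROM accounts_shadow")
    for sql in attempts:
        try:
            with conn:
                conn.execute(sql)
            return False  # it went through: the audit trail cannot be trusted
        except sqlite3.DatabaseError:
            pass
    return True
```

The triggers only stop history being altered through SQL; a compromised database host can still delete the file, which is why the reviewer's setup also consolidated and exported the shadow data into a separate auditing system. That export, and off-host backups of it, is the part Bitcoinica evidently lacked.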
[Image: Lex mercatoria wine merchants]
Lex mercatoria is Latin for "merchant law" and it is the body of commercial law used by merchants throughout Europe during the medieval period emphasizing contractual freedom and alienability of property. Like an air guitar, bitcoin is arguably the ultimate form of intangible alienable property. The difference being, of course, that air guitar transactions are not publicly recorded on a distributed and enforced ledger.
Merchants relied on this legal system developed and administered by them while shunning legal technicalities and deciding cases ex aequo et bono. We are actually in the midst of such a case right now as the leading Bitcoinica parties attempt to sort out the claims process to the best of their abilities with limited account records. There is no court. There is no judge. Bitcoin is not defined as legal property. Deliberation is currently focused on the most fair and just method of separating the legitimate claims from the fake claims. But this is new ground for a bitcoin-related settlement and undoubtedly it will set an early benchmark for future cases. The prior hack involving Linode servers was settled in full via Bitcoinica customer reimbursements.
As for the attacker, the hack will most likely go unprosecuted: fungible bitcoins possess many of the characteristics of physical cash, and even if the attacker was sloppy, the amount involved does not really justify the expensive network traffic analysis that would be needed to link an IP or bitcoin address to a real-world identity.
The investment adviser for the transfer of Bitcoinica LP, Tihan Seale, posted that "Bitcoin Consultancy was first retained to perform a comprehensive security audit on March 27th and they became owners and operators of Bitcoinica LP on April 24th." This latest security breach at Bitcoinica occurred on May 11th. In a separate email, Seale reiterated, "I'm responsible for deal selection and due diligence for the fund that invested in Bitcoinica. I expect the Bitcoin Consultancy members will continue to operate the business going forward. They have expressed their commitment to seeing things through, and they have my respect for this."
Whatever becomes of the Bitcoinica margin trading entity in the future, it is clear that a sort of 'digital' lex mercatoria is emerging -- one that recognizes the complete voluntarist nature of the bitcoin protocol in commerce. We don't have to imagine The Enterprise of Law: Justice Without the State because we are living through it now.
Self-regulation may be the only available option, as the authorities are in a quandary. Specifically regulating bitcoin imbues it with legally recognized value, and that is something the State will resist for as long as possible. So, happily, we continue to trade our air guitars.
To the bitcoin detractors: these various security breaches are not a fault of the peer-reviewed bitcoin cryptographic protocol but a lapse of security experience and poor judgment by the respective administering companies. The beatings will continue until security improves. Trust in the overall connected infrastructure may have been fractured temporarily, but just as the guild structure flourished, the improved lex mercatoria that evolves as a result will strengthen bitcoin in the end.
For further reading:
"Bitcoin: The Cryptoanarchists’ Answer to Cash", Morgen Peck, IEEE Spectrum, June 2012
"Taking the law online: Judge.me’s plan to build the future of legal systems", Zachary Caceres, May 29, 2012
"Interview with Zhou Tong", Coinabul, May 29, 2012