BitShares 2.0 BlockChain Could Have Prevented The Ashley Madison Hack

[luckybit]

Blockchains are good for authentication, but their data is public.
Hosted Wallets are good for authentication *AND* encryption so long as server-side indexing of the data isn't required.   So if I wanted something like drop-box, MEGA, or Google Docs, then I would want the file encrypted on the server and only visible in my browser. 

A dating website would be problematic if you expect the server to cross-reference profiles and find matches. 
Social Media would be slightly less effective without server-side indexing and matching.

Identabit will be using a "private blockchain" to protect privacy.  *IF* one of those private servers were hacked then the chain data could be made public.  Even though no-ones account control was compromised, their financial history would have been.

It is possible to break the data into chucks, distribute the data across various nodes, do computation independently on these nodes, and then only the entity with the private key client side can put it back together.

Enigma for example is choosing to go this route and I don't see why Identabit couldn't eventually go the same route except for the fact that first the Enigma project has to prove what they show to be theoretically plausible.

Enigma whitepaper: http://enigma.media.mit.edu/enigma_full.pdf

Data is split between different nodes, and they compute functions together without leaking information to other nodes...

Specifically, no single party ever has access to data in its entirety; instead, every party has a meaningless (i.e., seeminglyrandom) piece of it.

Enigma has a decentralized offchain distributed hash-table (or DHT) that is accessible through the blockchain, which stores references to the data but not the data themselves. Private data should be encrypted on the client-side before storage and access-control protocols are programmed into the blockchain

we describe a generic solution to this problem for any functionality in Section
5.2, which makes secure MPC feasible for arbitrarily large networks.

5.4 Adaptable circuits

Code evaluated in our system is guaranteed not to leak any information unless a dishonest majority colludes (t ≥n2). This is true for the inputs, as well as any interim variables computed while the code is evaluated. An observant reader would notice that as a function is evaluated from inputs to outputs, the interim results generally become less descriptive and more aggregative.

For simple functions or functions involving very few inputs, this may not hold true, but since these functions are fast to compute - no additional steps are needed.

However, for computationally expensive functions, involving many lines of code and a large number of inputs, we can dynamically reduce the number computing nodes as we progress, instead of having a fixed n for the entire function evaluation process. Specifically, we design a feed-forward network (Figure 5) that propagates results from inputs to outputs. The original code is reorganized so that we process addition gates on the inputs first, followed by processing multiplication gates. The interim results are then secret-shared with N c nodes, and the process is repeated recursively.

To complete our definition of shared identities, we incorporate the idea of meta-data. Meta-data encapsulates the underlying semantic meaning of an identity. Primarily, these include public accesscontrol rules defined by the same predicates mentioned earlier, which the network uses to moderate access-control, along with any other public or private data that is relevant.

For example, Alice may want to share with Bob her height, but not her weight. Alternatively, she may not even want to tell Bob her exact height, but will allow him to use her height in aggregate computations. In this case, Alice and Bob can establish a shared identity for this purpose. Alice invokes a private contract that shares her height using MP C[
0alice height0] = alice height, which Bob can reference for computations, without accessing Alice’s height value directly.

So if we assume the secrets are broken up into shares, then through secure multi-party computation the Bitshares independent nodes can compute on these shares no matter how or where they are distributed. Privacy could be preserved in the scheme due to the fact that no one would know who owns the data, and the data would be broken up into chucks and distributed across so many computers that it would take collusion between many different computers to piece it all together.

All the Bithshares/Identabit team has to do is take the Enigma algorithms and adapt them to work for Bitshares 2.0. This in combination with some of the insights from VerSum:

"Refereed delegation of computation is a setting for outsourcing
computation in a verifiable manner. A RDoC system allows a client
to learn the correct result of a computation if it can talk to a pool of
servers, at least one of which is honest. Even if all other dishonest
servers are cooperating to try and deceive the client, the client will
still learn the correct result. The client does not have to specify
which server it thinks is honest; it merely needs to talk to a pool
servers of which it believes at least one to be honest."

[Chris4210]

Interesting post. worth to share

[BunkerChainLabs-DataSecurityNode]

Attention Bytemaster and other Bitshares Devs, please review VerSum paper.

https://bitsharestalk.org/index.php/topic,18122.msg231688.html#msg231688

Interesting piece. Thanks for the find!

[luckybit]

I just published this.. thought some of you might want to like and share.. Feel free to use my memes too.

https://www.linkedin.com/pulse/bitshares-20-blockchain-could-have-prevented-ashley-madison-baha-i

I tried to keep it simple for most to understand.. this was for linkedin.. not coindesk.

Special thanks to Crypto Prometheus who helped with editing my grammar.

Enjoy!

Attention Bytemaster and other Bitshares Devs, please review VerSum paper.

https://bitsharestalk.org/index.php/topic,18122.msg231688.html#msg231688

[BunkerChainLabs-DataSecurityNode]

I really liked your article but I am just wondering if one important issue is not oversimplified here.
Ashley Madison is mostly a database with a website on top of it.
Are we sure that BitShares can at this stage offer an infrastructure for a decentralized data storage business?
I would think of MaidSafe or Storj, but how does BitShares fit into this?

I noted in my post that technically at present it wasn't possible because 2.0 is not released. So really it's a all moot anyways.

I also simplified the story with the expectation and understanding that there would be some kind of customized solution required for what bytemaster had mentioned. So yes, there are other storage type solutions, but the dynamic global permissions solution is something else with 2.0.

I would imagine some kind of additional custom encryption layer <snipping because I was giving too much away>. OK.. not going to get anymore into that and possibly give away secret sauce. We may want to create something to this effect in Bunker Labs. Another worker proposal perhaps in the future.

We are just starting to scratch the surface... and as I mentioned in the OP.. this was really targeting the linkedin audience and not crypto.. so touching on technicals in broad strokes is the most digestible way for people to take it in.

[bytemaster]

I really liked your article but I am just wondering if one important issue is not oversimplified here.
Ashley Madison is mostly a database with a website on top of it.
Are we sure that BitShares can at this stage offer an infrastructure for a decentralized data storage business?
I would think of MaidSafe or Storj, but how does BitShares fit into this?

I think this is an area where there is a lot of confusion over encryption, authentication, and "security". 

Blockchains are good for authentication, but their data is public.
Hosted Wallets are good for authentication *AND* encryption so long as server-side indexing of the data isn't required.   So if I wanted something like drop-box, MEGA, or Google Docs, then I would want the file encrypted on the server and only visible in my browser. 

A dating website would be problematic if you expect the server to cross-reference profiles and find matches. 
Social Media would be slightly less effective without server-side indexing and matching.

Identabit will be using a "private blockchain" to protect privacy.  *IF* one of those private servers were hacked then the chain data could be made public.  Even though no-ones account control was compromised, their financial history would have been.

[jakub]

I really liked your article but I am just wondering if one important issue is not oversimplified here.
Ashley Madison is mostly a database with a website on top of it.
Are we sure that BitShares can at this stage offer an infrastructure for a decentralized data storage business?
I would think of MaidSafe or Storj, but how does BitShares fit into this?

[BunkerChainLabs-DataSecurityNode]

Just like to thank everyone for the positive feedback. Given the response I am likely going to turn out more opinion pieces on how blockchain technology could have changed current events as they are reported.

[BunkerChainLabs-DataSecurityNode]

This is very true. This is something most people in cybersecurity know but can't switch companies to because in many cases the suits at the company don't trust blockchain technology.

So it's the suits you have to convince. So you should show how much money can be saved in legal fees rather than promote security merit because the security people know this stuff.

What exactly is it that the suits don't trust about it?

They are slow to change, and they don't really understand the technology. It's not a matter of trust, but more they simply don't understand blockchain technology and think it's just Bitcoin or have misconceptions.

The only way to prove the power of the blockchain is to start companies which have the same business model as theirs, but with greater security and efficiency than them, and when they see that new companies are appearing and eating their lunch, or small businesses are starting up on some new technology, that is when it reaches the decision makers.

The point isn't that blockchain technology is bad for security because anyone who seriously knows security knows it's good for security. It's more that it's culturally disruptive, and strange to people. They don't believe it is anything more than a Ponzi or whatever they heard about it which means the only way to prove elsewise is to beat them in the business world.

It would be great if anyone could start a blockchain business with a few clicks of a bottom, such as a decentralized ebay, a decentralized dating, a decentralized video chat, and even forums like these.

Ok yes, that was what I understood also.

I agree.. the way forward is to lead by example. The opportunities for business models based on acquisition are plentiful.

[luckybit]

This is very true. This is something most people in cybersecurity know but can't switch companies to because in many cases the suits at the company don't trust blockchain technology.

So it's the suits you have to convince. So you should show how much money can be saved in legal fees rather than promote security merit because the security people know this stuff.

What exactly is it that the suits don't trust about it?

They are slow to change, and they don't really understand the technology. It's not a matter of trust, but more they simply don't understand blockchain technology and think it's just Bitcoin or have misconceptions.

The only way to prove the power of the blockchain is to start companies which have the same business model as theirs, but with greater security and efficiency than them, and when they see that new companies are appearing and eating their lunch, or small businesses are starting up on some new technology, that is when it reaches the decision makers.

The point isn't that blockchain technology is bad for security because anyone who seriously knows security knows it's good for security. It's more that it's culturally disruptive, and strange to people. They don't believe it is anything more than a Ponzi or whatever they heard about it which means the only way to prove elsewise is to beat them in the business world.

It would be great if anyone could start a blockchain business with a few clicks of a bottom, such as a decentralized ebay, a decentralized dating, a decentralized video chat, and even forums like these.

[BunkerChainLabs-DataSecurityNode]

This is very true. This is something most people in cybersecurity know but can't switch companies to because in many cases the suits at the company don't trust blockchain technology.

So it's the suits you have to convince. So you should show how much money can be saved in legal fees rather than promote security merit because the security people know this stuff.

What exactly is it that the suits don't trust about it?

[luckybit]

Here is an idea to pass to Bytemaster although I'm sure he is listening.

Instead of trying to convince naive men in suits to change their ways why don't we make it easier for competitors to eat their lunch?

Let's make it very easy, within a few clicks, for a person to set up a website with a Bitshares 2.0 blockchain backend. This way the pain can be spread in the most profitable way imaginable and only when new competitors are making money more efficiently will the blockchain model spread.

So for example why not make a dating site powered by blockchain technology? The users of these sites powered by blockchain technology never have to know how the site works. In fact it is better if they don't know.

Any entrepreneur want to make a blockchain powered decentralized dating/decentralized Tender?

[luckybit]

I just published this.. thought some of you might want to like and share.. Feel free to use my memes too.

https://www.linkedin.com/pulse/bitshares-20-blockchain-could-have-prevented-ashley-madison-baha-i

I tried to keep it simple for most to understand.. this was for linkedin.. not coindesk.

Special thanks to Crypto Prometheus who helped with editing my grammar.

Enjoy!

This is very true. This is something most people in cybersecurity know but can't switch companies to because in many cases the suits at the company don't trust blockchain technology.

So it's the suits you have to convince. So you should show how much money can be saved in legal fees rather than promote security merit because the security people know this stuff.

[CLains]

 

[fav]

Feel free to use my memes too.

of course! great article btw