Good afternoon, Cyber Saturday readers.
In honor of “blockchain week,” which is kicking off in New York City, I’ve been thinking about the security of smart contracts, self-executing computer programs designed to encode business relationships. A smart contract might codify, for example, an agreement like this: If Justify, a racehorse, wins the Kentucky Derby, pay $10 in Bitcoin to some lucky fellow’s digital wallet. The code eliminates the need for a bookie.
Now imagine a future in which such contracts automate tasks once relegated to lawyers, pencil-pushers, and other intermediary parties. Blockchain boosters dream of a day when they can route around middlemen with these sorts of self-driving computer programs, thereby making markets more efficient, so the thinking goes. There’s a snag though: Smart contracts are software applications, and software applications have bugs.
Sometimes, as with The DAO, an ill-fated, decentralized venture capital fund built on Ethereum, a popular cryptocurrency network, those bugs can be ruinous. Hackers stole $50 million in cryptocurrency from the project in 2016 thanks to a simple “reentrancy” flaw. The bug allowed an attacker, or group of attackers, to continually withdraw money from the smart contract-powered organization until its coffers had been thoroughly pilfered.
Similar flubs abound in the field of cryptocurrency. Chris Wysopal, cofounder and chief technologist at Veracode, an application security shop bought by CA Technologies for $614 million in cash last year, gave a keynote talk at Collision conference in New Orleans earlier this month in which he provided an overview of the security challenges posed by smart contracts. “The blockchain is really secure, but the things that have to interact with it, those things aren’t secure,” Wysopal told the audience. “It’s probably one of the toughest problems right now” in security, he said.
Although I did not catch Wysopal’s talk in person (you can watch it here), I chatted with him afterward at B.B. King Blues Club and Grill and in between jazz sets at various bars along Frenchman Street. He said that if he were a thief, smart contracts are where he would focus the majority of his attention and energy today. Target the youngest projects with the worst quality assurance processes, the highest valuations, and the weakest defenses. It’s a recipe for success; in this world, baddies no longer have to worry about monetizing the data they steal. They can steal (virtual) money itself.
If you happen to be in New York for blockchain week, temper your enthusiasm with that alarum. It’s what the smartest folks will do.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’sdaily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Smacked down. Symantec’s market value collapsed by a third after the antivirus maker disclosed an internal investigation prompted by a whistleblower. “The Company’s financial results and guidance may be subject to change based on the outcome of the Audit Committee investigation,” Symantec said in its statement accompanying its annual earnings report. It’s unclear what the investigation concerns, although the company clarified that it is not related to a security breach.
Equifax…again. Just when you thought the credit bureau had moved on from its data breach, Equifax said in an SEC filing that tens of thousands of more consumers records were compromised in its 2017 data breach. Hackers accessed photos of 38,000 driver’s licenses, 12,000 Social Security or taxpayer ID cards, 3,200 passports, and 3,000 other ID documents, the company said. And so the blast radius continues to widen.
Secret tweets. Twitter is reportedly testing end-to-end encrypted Direct Messages. A computer science student noticed the experimental feature embedded in a package of code for Twitter’s Android application, the sort of place where tech companies tend to drop to-be-released updates early. It remains to be seen whether the company will roll the feature out publicly as rivals, like Facebook, already have.
Mixed signals. Due to an idiosyncrasy in the way Mac operating systems handle app notifications, messages sent via the encrypted chat app Signal appear to be recorded indefinitely in the memory of Apple computers, security researchers have warned. The bug could cause a log of conversations that had supposedly self-destructed or been deleted to persist.
Fool me three times…
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Have we learned nothing? Despite fixes being available, thousands of businesses are still downloading vulnerable versions of Apache Struts, the software hackers exploited to loot Equifax. While it’s hard to say whether companies are using this code in production, it is likely that many are. One would think that businesses would have learned from Equifax’s mistake by now. Apparently not.
How Relying on Oil Makes Us More Vulnerable to Cyberattacks, by Nathan Sproul
The U.S. Navy Revives Second Fleet to Counter Russian Aggression, by David Z. Morris
ONE MORE THING
You can’t handle the truth. A recently published study conducted at Harvard Business School found that online ads were less effective on people who were told they were targeted based on tracking activity on other websites. Advertisers who disclose their privacy-intrusive methods turn off consumers. “If you track people across the internet, as Facebook routinely does, and admit that fact to them, the transparency will poison the resulting ads,” writes The Intercept.