A Finextra member 17 June, 2016, 19:20 2 likes

I don't even pretend to understand half of the technology in this article but I nonetheless find it very alarming. The fact that you can reset or turn back time within a blockchain seems to undermine the fundamental concept of an immutable record. This attack and similar hacks to come will raise doubts about the validity of crypto-currencies and the blockchain in general, not just this particular incident.

A Finextra member 18 June, 2016, 19:46 0 likes This is the sort of alarmist ignorance that we need to guard against. The DAO was a premature distributed application released without proper testing or audit or regulatory compliance being incorporated. The technology needs work but neither ethereum nor ether was hacked.. only the application was. We need to make sure it does not set back the efforts of the community to evolve a robust architecture.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 19 June, 2016, 11:45 0 likes

@KenOverholt + 1. Who is to decide whether DAO was a premature application released without proper testing? Why does the common man need to know the difference between ethereum and ether, let alone the difference between which of the two, or neither, was hacked? One moment, DAO had money. A moment later, DAO lost that money. If that kind of thing happens repeatedly, that's all the knowledge that the common man needs to have to lose faith in cryptocurrencies.

Juergen Rahmel - IETC Information Engineering Ltd - Hong Kong 20 June, 2016, 03:59 3 likes

Should we be surprised? Here is what we knew so far:

Creating a universal infrastructure based on secret keys for all participants is hard - see the history of e.g. PKI.

Applying good cryptography is hard - the maths don't lie, but the issues always are with implementation, integration, endpoint security, the humans involved, etc.

Creating transaction systems with high availability, reliability, accessibility and security is hard – and it does not get easier when distributing part of that work to others.

Blockchain is a great and genius concept, but a highly non-trivial one and it is based on many foundations like the ones just mentioned. There is no solution to it, magically solving all problems that have plagued Banking IT and Security in the past decades.

Creating applications on top of any transaction system increases complexity even more and introduces new vulnerabilities outside the controllable area of the underlying transaction system (see the issue at hand here, or recent issues with SWIFT).

Widespread acceptance of such new FinTech by the 'common man' (as said by KS) will depend on the ability of the FinTech community to resolve such issues transparently as they appear. They will continue to appear.

Prevent, Detect, Respond. There is no 100% Prevention. Common wisdom, also valid for the Blockchain. 

 

Russell Bell - Fastbase Ltd - Wellington 20 June, 2016, 04:34 0 likes

Ken is right to be concerned at the prospect of a blockchain turning back time.  Crypto-currency transactions are supposed to be final, immune to reversal regardless of community or political pressure.

The Ethereum developers are proposing a software change that they claim isn't a roll-back but observers (and the currency markets) aren't convinced; the value of an ether (Ethereum currency unit) has halved in the last few days to about 12USD.  However Ethereum isn't Bitcoin which remains solidly irreversible and is well-liked by the markets lately.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 June, 2016, 08:47 0 likes

@JuergenRahmel + 1. I totally agree that "there is no 100% prevention". Problem with overzealous prevention strategies is that they tend to throw the baby out with the bathwater. Once the current VC-funded fintech exuberance fizzles out, fintech will realize that it is their responsibility to "resolve such issues transparently as they appear." and that trying to justify issues on the grounds of "trailblazing technology" is naive.

A Finextra member 20 June, 2016, 12:29 0 likes

"There is no 100% prevention" - yes, that's true. But this is no excuse for being relaxed or fatalistic on IT security. Another - unfortunately not so common - wisdom is that it is very hard to build secure systems based on vulnerable platforms. It would be much better to avoid PC/smartphone technology commonly affected by malware when building criticals systems where lives or lots of money are at stake. Looking at PCI DSS requirements 5.1.2 reveals that there are systems that are not commonly affected by malicious software.

Not every participating node in a blockchain-type system can be expected to be that robust versus malware, but it should be expected that a sufficient number of robust nodes holding the distributed ledger do protect its integrity versus malware attacks. 

Russell Bell - Fastbase Ltd - Wellington 23 June, 2016, 22:50 1 like

For a robust analysis https://www.youtube.com/watch?v=_O5fdMFKEC0