Two years ago, in 2009, an open-source, peer-to-peer digital cash system launched.
Cutely called Bitcoin, it was based on an academically-flavoured paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System”.
The paper’s author, and the creator of the Bitcoin project, was the enigmatically-named Satoshi Nakamoto.
No-one seems to know – or, more accurately, no-one is saying – who Nakamoto is, where he (or she) lives, what his real name might be, or any other background information. That’s hardly unexpected for someone who’s passionate about on-line anonymity.
The benefits of an anonymous worldwide digital currency are obvious. A reliable system would be more useful than traditional cash, as it could be used on-line and between countries. No need to post banknotes overseas, visit currency dealers, pay exorbitant commissions and worry about arbitrage.
Better still, anonymous digital cash means that you don’t need to worry about leaving an eternal trail of information about your buying habits which might get sold on to less-than-scrupulous marketing companies, or used to bombard you with credit offers you don’t want, or incorrectly recorded and held against you later, leaked in a hack, or abused by an authoritarian government to bundle you off to a re-education camp for buying “unsuitable” stuff.
For just the same reasons, many governments and law enforcement agencies are publicly opposed to cash of all sorts, or at least to its unregulated anonymous use. Most countries now have strict reporting regulations concerning the withdrawal, deposit, or even just the possession of amounts of cash above a few thousand dollars. And as long as the “unsuitable” stuff some fans of cash are buying and selling is a threat to public order – illegally-manufactured drugs, unlicensed weapons, human trafficking – you can see their point.
Furthermore, most countries have strict controls on the issue of official cash currency, relying on a central bank to regulate how, and in what quantity, official currency is created.
Done properly, central regulation helps prevent both counterfeiting and devaluation. Done badly, of course, it can have catastrophic results.
So the Bitcoin experiment has always been controversial. It’s a currency, of sorts, but it’s not regulated by any official authority, and it’s (almost entirely) anonymous.
Sadly – whatever your viewpoint on anonymity in purchasing – the experiment has just suffered a huge setback.
Bitcoin’s own site still isn’t saying what happened, but it looks as though the servers of one of its “Bitcoin-to-real-money” gateways, known as Mt. Gox, were hacked. Badly-hashed passwords were stolen and usable logins recovered. Uncontrolled fraudulent trades then quickly pushed the real-world value of Bitcoins close to zero.
And a Bitcoin user calling himself Kevin claims legitimately (if rather fortunately) to have spotted the plunge in the Bitcoin market, and to have snuck in a bid – at $0.0101 per Bitcoin – apparently just 1% above the market-manipulator’s own “bottom of the market” bid.
Kevin ended up with Bitcoins recently worth nearly $5,000,000 for just under $3000.
But the Mt. Gox operators rolled back the seemingly fraudulent transactions which caused the currency to crash, restoring the value of each Bitcoin to about $17.50.
That’s probably a satisfactory result for most people – except, perhaps, for Kevin, assuming he’s telling the truth. He won’t make the killing he might have hoped for. (On the other hand, he won’t be stuck with $3000 of worthless Bitcoins, which might have happened if the system had imploded altogether.)
Nevertheless, this sort of interventionist “regulated market correction” isn’t quite what you’d expect from a worldwide, anonymous, libertarian-style digital cash market. Whatever happens from now on, it’s a blow to the sustainability of the Bitcoin experiment.
And the Mt. Gox response contains some interesting wording, such as:
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
It’s probably more accurate to say that the site was indeed, in effect, hacked. After all, the effect of the breach was unauthorised access and the theft of a critical database.
So what are the lessons to be learned?
* Trust is hard to win and easy to lose.
* Passwords should NEVER be stored in plaintext or poorly-hashed.
* Contractors must always be required to meet or exceed your own data security standards. You can’t outsource your accountability.
* If you are breached, you should be prompt, clear and open in your response. Skip the excuses – they just waste time.
* If you’re an unofficial upstart who wants to compete with strongly-regulated financial institutions, you need to outdo them in the value you place on the security of your customers’ information.
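To make the second lesson concrete, here is an added illustration (not code from the article or from Mt. Gox, whose actual scheme is not described) contrasting the “poorly-hashed” pattern with a salted, slow password hash from the Python standard library, plus a small audit check that flags bare unsalted digests in a credential table. The sample password and the storage format are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password; nothing here comes from the breach itself.
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_hash(password: str) -> str:
    """The 'poorly-hashed' pattern: one fast, unsalted digest.
    Every user with the same password gets the same value, and a stolen
    table can be attacked offline with precomputed lists at enormous speed."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, iterations: int = 100_000,
                salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow KDF (PBKDF2-HMAC-SHA256). The stored record
    carries its own parameters so the iteration count can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def looks_weakly_hashed(stored: str) -> bool:
    """Audit helper for a dumped credential table: a bare 32/40/64-hex-char
    field with no salt or parameter prefix is the MD5/SHA-1/SHA-256 red flag."""
    s = stored.lower()
    return ("$" not in s and len(s) in (32, 40, 64)
            and all(c in "0123456789abcdef" for c in s))
```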
The last point applies to us all.
The sooner we start seeing information security as something to do well because it adds value, rather than merely as a drain on expenditure which we need to minimise, the better!