It was the scathingest paragraph in a highly scathing article titled, “Blockchain is not only crappy technology but a bad vision for the future.” Among other things, Stinchcombe debunks the myth that blockchain eliminates the need for trust between parties, using the example of a smart contract for the purchase of an e-book.
“When the novelist proposes the smart contract, you take an hour or two to make sure that the contract will withdraw only an amount of money equal to the agreed-upon price, and that the book… will actually arrive.
“Auditing software is hard! The most-heavily scrutinized smart contract in history had a small bug that nobody noticed -- that is, until someone did notice it, and used it to steal fifty million dollars. If cryptocurrency enthusiasts putting together a $150m investment fund can’t properly audit the software, how confident are you in your e-book audit?…
“It’s not trustless, you’re trusting in the software (and your ability to defend yourself in a software-driven world), instead of trusting other people.”
His suggestion is that our current system -- in which we send the money and rely on Visa or Amazon or the government (or, for that matter, basic decency and sustainable business practices) to make sure we get the book -- is actually pretty good.
We have built an entire social, legal and political ecosystem designed to enable the ordinary transactions of commerce. And if it ain’t broke…
Which brings us to last month’s cyberattack on the city of Atlanta. Hackers infected the city’s systems with the SamSam ransomware and then demanded around $52,000 (payable in Bitcoin) in ransom money.
We’re not sure if Atlanta paid the ransom. But we are sure the situation cost them. According to Wired’s Lily Hay Newman, the city spent more than $2.6 million on incident response, digital forensics, Microsoft Cloud infrastructure expertise, crisis communications and more.
$52,000 seems like a strange amount. After all, if you’re holding a whole city hostage, why not go for one million dollars?
The answer is simple: Because the hackers just want the city to pay. Don’t worry about justifying it, don’t do a cost-benefit analysis, don’t do a business case, just pay. Newman says that “attackers intentionally set their ransom prices at a level they think victims can afford. They want to maximize how much they walk away with, while still offering a ‘bargain’ to targets versus doing the work to rebuild systems and restore from backups.”
Fair enough. So why didn’t Atlanta just pay?
Newman again: “Paying the ransom up front might have saved the City of Atlanta time and money—and on paper would have cost several orders of magnitude less than the eventual cure—but it’s not quite as simple a call as it seems. City officials had no guarantee that attackers would actually release their systems upon payment.” (Emphasis mine.)
See where I’m going with this?
We have built an entire social, legal and political ecosystem designed to enable the ordinary transactions of commerce. But ransomware isn’t an ordinary transaction of commerce. There is no Visa or Amazon or the government -- no trusted third party -- to ensure that when you pays your ransom, you gets your data. But if you put it on a smart contract…
One of the most powerful use cases for the blockchain is to facilitate criminal transactions. Isn’t that heartbreaking?