What is a stable coin?

Apr15
by Shahid Sharif on April 15, 2018 at 3:34 pm
Posted In: Anonimity, Stable coins

WhatIsAStableCoinIntroduction

Although crypto currencies are all the rage these days, one of the issues they all share is the stability.   Where fiat currencies vary by a few percentage, the price variations in crypto currencies can be quite large, this makes them very unstable from monetary perspective.  Just like the issue of privacy & fungibility is being addressed by privacy coins, stable coins are trying to address the issue of stability.

Fiat currencies usually vary 2% or so, but crypto currencies are totally unpredictable. Hence one cannot rely on existing crypto currencies to use them for every day purchases and transfers like they do with fiat.

This article will answer the question What is a stable coin?

History

The first concept of stable coins was introduced in Second Life in 2003, it was called Linden Dollars. It is currently a $600 to $700 million economy.  The current conversion rate is 265 Linden Dollars to USD

Then in 2014 Bitshares introduced the concept of cryptocurrency and what we see now is its evolution, where multiple parties are proposing their solutions in terms of implementation.

Basic Ingredients

A stable coin should be:

  • Fungible: Untraceable, and value remains the same no matter who has used it.
  • Decentralized: Not controlled by a central body
  • Stable value: Value does not fluctuate more than 1-2%
  • Scalable: Transfer between parties is instant

 

Categories

Collateral can be of following types:

  • Fiat: Tether, USDT which is pegged to USD
  • Cryptocurrency: Dai which is pegged to Ether
  • Other assets: Petro which is pegged to oil

Implementations

  • Collateralized Centralized, for example Tether from Tether Limited. Collateral is stored with one single entity, which is risky.
  • Collateralized De-centralized – Dai from MakerDAO. Collateral is stored in a smart contract with master nodes having ability to vote on outcome of decisions.
  • Non collateralized de-centralized – Basecoin

 

Some stable coins

  • Basecoin
  • Digix
  • Dai
  • Havven
  • Nubits
  • Petro
  • Tether
  • Truecoin
  • WorldFree
└ Tags: , , , , , , , , , ,
 Comment 

Blockchain Security

Apr07
by Shahid Sharif on April 7, 2018 at 5:27 pm
Posted In: Blockchain, Cryptocurrencies, Distributed Ledgers, Encryption, Hacking, ICO, Security

Introduction

Blockchain has been the most searched term in 2017 and to date it still is.  In spite of the fact that blockchain technology has been around since 2009, with the first implementation being Bitcoin, there have not been any corporate-wide deployments yet.  There are three blockchain deployment models:

  • Public
  • Private
  • Hybrid

All the major deployments have been public, such as Bitcoin, Ethereum, Litecoin, etc.

There has not been a major uptake of the private deployment by the enterprises.

Use cases

The blockchain is not a solution to every problem.  In the current hype cycle, blockchain is being touted a solution to every problem on earth.

Before anyone embraces blockchain technology they should be clear on the requirements first and then look for solutions, and blockchain might well be the solution.  It should not be the other way around where we have a hammer in form of a blockchain, hence everything looks like a nail, thereby a solution looking for a problem.

Blockchain x.0

Of all the blockchains solutions currently available today, they are trying to address a specific vertical.  Now we are in blockchain 3.0 phase.  The evolution of Blockchain technology as I see it is as shown below(This is not an exhaustive list):

Blockchain 1.0 Blockchain  1.5 Blockhain 2.0 Blockchain 3.0 Blockchain 4.0
Bitcoin Monero Ethereum EoS Polkadot
Litecoin Zcash Corda NEO DFINITY
Dogecoin Zcoin HyperLedger Tezos

 

Smart Contracts

In 2015, Ethereum was released and it introduced the idea of smart contracts, which have nothing to do with legal contracts, hence smart contract ? legal contract. The term smart contract got coined when Ethereum Founder, Vitalik Buterin, was working on a project and that needed a level of automation, and they decided to call it smart contract. A smart contract is just an ability to programmatically execute decisions based on certain inputs. Blockchain 2.0 platforms introduced the concept of smart contracts and a distributed world computer where you could deploy a conditional code that would execute as soon as it was called on the nearest full node.

 

The Weakest Link

To date, all blockchains have been resilient to hack attacks due to the cryptographic mechanisms that have been implemented.

The most vulnerable are the public blockchains, which operate unprotected on the internet and the respective Proof of Work(PoW) and/or Proof of Stake(PoS) algorithms have provided that security.

All the hacks have been in the following areas:

  • Key management for the crypto wallets
  • Smart contract code being buggy, which allowed a threat actor to exploit the threat vector, a vulnerability in smart contract code, which caused the DAO hack in 2016. The hacker stole about $150M worth of Ether.

 

Security Considerations

As the blockchain platforms get more complex the number of threat vectors also increases exponentially.  For instance, following areas need special attention when building a blockchain platform and surprisingly most threat vectors are very similar to any application stack.

  • Cryptography: Key management, Encryption, Hashing
  • Consensus algorithm
  • Identity
  • Authentication
  • Authorization
  • Code review and testing development practices
  • Data integrity
  • Encryption mechanisms
  • Incident Response
└ Tags: , , , , , , , ,
 Comment 

Privacy By Design

Apr01
by Shahid Sharif on April 1, 2018 at 3:51 pm
Posted In: Compliance, Encryption, Passwords, Privacy, Security

 

Privacy by Design

The idea of “Privacy by Design” was first introduced in 1990’s by Ann Cavoukian the Information and Privacy Commissioner of Ontario from 1997 to 2014.

GDPR also has adopted it.

This is taking first principles approach.

Foundational Principles

The approach is based on seven foundational principles [http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/page-36#5] :

  • Proactive, not Reactive; Preventative not Remedial: The goal of privacy by design is to take preventative action by implementing measures to reduce the risk of privacy infractions.[198]
  • Privacy as the Default Setting: The default setting for all products and services should be to protect personal information so that an individual’s privacy is automatically protected without any action being required by the individual.[199]
  • Privacy Embedded into Design: The protection of personal information should be an integral part of information systems and business practices; it should not be an add?on.[200]
  • Full Functionality – Positive-Sum, not Zero-Sum: Privacy by design should be considered a benefit; there should be no trade?offs with other features to achieve this goal.[201]
  • End-to-End Security – Full Lifecycle Protection: The protection of personal information must extend throughout the system’s entire lifecycle.[202]
  • Visibility and Transparency – Keep it Open: Transparency is important to ensure that systems and practices are truly able to protect user privacy; independent verification must always be possible.[203]
  • Respect for User Privacy – Keep it User-Centric: Above all, privacy by design entails putting individuals’ interests first.[204]

Personal Data Types

  • IP Address
  • Email addresS
  • Address
  • Date of birth
  • Religion
  • Gender
  • Personal lifestyle/affiliations
  • Genetic
    • Race
    • Ethnicity
    • Health information
    • Etc.

Implementing “Privacy by Design”

The best way to implement “Privacy by Design” is to embed privacy requirements into your project delivery methodology. There are five phases of project delivery:

  • Initiation
  • Planning
  • Execution
  • Monitoring and Control
  • Closure

Initiation Phase

  • Identify soft and hard requirements
  • Identify teams to engage

Planning Phase

  • Purpose of data collection
  • Which data elements need to be captured?
  • Data classification
  • Data retention
  • Privacy Impact Assessment
  • Ensure a Configuration Management Database is updated to ensure inventory is accurate

Execution Phase

  • The inclusion of Data classification and Data retention into your data model
  • How is consent being collected, it should be explicit
  • Private data should be stored encrypted in transit and at rest
  • Data subjects must be able to request following actions on their data, update, delete, move( ability to export data in a readable format)
  • Data integrity is maintained all times
  • Strict authentication & authorization controls are implemented
  • In development code analysis is done to ensure code is secure
  • Before system goes live, ensure penetration testing of the application is completed and any issues remediated.
└ Tags: , , , , , , , , , , , ,
Comments Off on Privacy By Design

What is GDPR?

Mar30
by Shahid Sharif on March 30, 2018 at 10:57 am
Posted In: Audit, Compliance, Encryption, Privacy, Risk Management, Security

What is GDPR

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a regulation in EU law on data protection and privacy of European Citizens residing in European Union. It has a global reach with tough sanctions for non-conformance. It is all about providing assurances and rights to EU Citizens residing in EU, whose data is being collected by businesses to deliver a service or product.

  • GDPR stands for General Data Protection Regulation
  • It has evolved from Data Protection Directive, which came out in 1995
  • Adopted in April 2016 with a two year grace period, which means that by May 2018 Compliance has to be in place.
  • Address modern use of data
  • Respect the individual’s right to their personal data

Cost of non-compliance

  • Major: €20 million or 4% of annual global revenue, whichever is higher
  • Minor: €10 million or 2% of annual global revenue, whichever is higher
  • GDPR Article 83 explains the details

Parties involved

  • Data Controller: Entity Collecting Data
  • Data Processor: Entity processing data for the data controller
  • Data Subject: Entity whose data is being collected by Data Controller to provide a service
  • Data Protection Officer: Entity responsible for an organization to ensure data protection controls and necessary governance is in place.

Data types

Personal Data – Ability to identify an individual from the data

  • IP Address
  • Email address
  • Address
  • etc.

Special categories of Personal Data

  • Date of birth
  • Religion
  • Gender
  • Personal lifestyle/affiliations
  • Genetic
  • Race
  • Ethnicity
  • Health, etc

Rights of the Data Subject

  • Consent
  • Access
  • Deletion
  • Modification
  • Portability
  • Not to be subject to automatic data profiling

Breach notification

  • Data Processor: Immediately notify Data Controller
  • Data Controller: notify the authorities and Data Subjects of the breach within 72 hours

How am I impacted?

  • If you are a business operating anywhere in the world and are collecting information about EU citizens residing in EU, then you have to comply with GDPR.
  • Data subjects can be:
    • Your employees
    • Customers
  • In Canada compliance to PIPEDA is not enough
  • In United States compliance with state, regulations are not enough

Planning & Assessment

  • Thorough assessment and understanding of data subject information:
    • Where is it stored?
    • Which data elements are being collected?
    • What is the purpose of data collection?
  • Assign a Data Privacy Officer to provide proper guidance and governance oversight

Implementation

  • Implement policies, procedures, and governance mechanisms that address:
    • Tracking of explicit consent at every stage, ie, when the customer agrees to provide their data and when they revoke access to their data
    • Collect only the information that is necessary to provide the required service
    • Breach notification for both the Data Collector and Data Processor
    • How to serve Data Subjects’ requests to:
      • Delete their information
      • Update their information for accuracy
      • Move their data
    • Controls to protect the data in storage and transmission
    • Privacy by design

Other Mediums to listen on

└ Tags: , , , , , , , , , , ,
Comments Off on What is GDPR?

Cryptocurrency Anonymity, Privacy, & Fungibility

Mar18
by Shahid Sharif on March 18, 2018 at 5:47 pm
Posted In: Anonimity, Cryptocurrencies, Encryption, Passwords, Podcast, Privacy, Privacy Coins

Introduction

Today I will be talking about how privacy is being addressed by various blockchain solutions. I provided a brief introduction on why privacy is needed on blockchain and some solutions trying to address it in my previous post, https://www.securityprivacyrisk.com/what-are-privacy-coins/

Anonymity, Privacy, & Fungibility

When Bitcoin was introduced, it was said that transactions were anonymous. It was later discovered that the transactions were indeed pseudonymous, such that public addresses were alphanumeric numbers and did not have a persons name assigned to it, the moment a person is linked to a public address, the transaction is no longer anonymous.

Some people are okay sharing their personal information on social media, while others not so much. Obviously, the number of people who a concerned about their privacy is a very small number compared to extroverts.

Other use cases where privacy and anonymity are paramount is the use of blockchain for storing personal information such as health records, identity, and personal information such as date of birth, social security numbers, and other personal information.

To address this requirement for privacy, anonymity, and fungibility, various off-chain and on-chain solutions are being proposed.

Possible solutions

Some solutions that are available to address privacy, anonymity, and fungibility are accomplished via mixing:

  • Centralized: There are online services such as http://bitmixer.io, where, you send your bitcoin to a site, they charge you a fee for this service, and they return your bitcoin to your specified address. The issue with these sites is the trust, what if the site runs away with your bitcoin
  • De-centralized: There are privacy tokens that are implemented mixing using the protocol such as:
    • Ring Signatures: Another method to anonymize your transactions. It uses cryptography were encryption keys are added to the ring and when a transaction is signed a session key is generated from the key in the ring. Nobody knows which key was used. The more signatures in a ring the better anonymity of the transaction. The previous version of ring signatures only supported anonymizing sender and receiver, not the amount. RingCT was recently introduced that also anonymize the transaction amount.
    • CoinJoin: A method where several people agree to add their transactions in a pool and payouts are done from the pool disconnecting sender and receiver.
    • Zero-Knowledge Proofs are implementations where for one party (the prover) to prove to another (the verifier) that a statement is true, without sharing the exact information and asserting that the statement is true. Some of the implementations are:
      • zkSNARKS – Zero-Knowledge Succinct Non-Interactive Argument of Knowledge
      • zkSTARKS – Zero-Knowledge Succinct Transparent Argument of Knowledge

The blockchain is not a solution for every use case. There has to be a genuine need to use blockchain. This particular problem of privacy & anonymity is only an issue in public blockchains, private blockchains are permissioned and implement various controls to address the privacy & anonymity requirements.

Some Privacy Tokens

To address these very issues, privacy coins or privacy tokens have come into existence.

All these tokens are different implementations of the same requirement, making crypto token transactions untraceable for both the receiver and the sender.

Following is a list of tokens that I could find so far, there are many more.

Name

Symbol

TPS

Forked From

Former Name

Total Supply

Founded

Consensus Algorithm

Privacy Algorithm

Protocol

Transport

Send Options

ByteCoin

BCN

N/A

184.46billion

1-Jul-2012

CryptoNight-PoW

Ring Signatures

CryptoNote

Monero

XMR

1000

ByteCoin

Unlimited

18-Apr-2014

CryptoNight-PoW

RingCT

CryptoNote

CloakCoin

CLOAK

4.5million

3Jun2014

X13

CloakShield & ENIGMA Transactions

Aeon Coin

AEON

Monero

18.4million

6-Jun-2014

CryptoNightLite-PoW

Ring Signatures

Verge

XVG

100

Dogecoin

DogeCoinDark

16.5billion

1-Oct-2014

Scrypt, x17, groestl, blake2s & lyra2rev2

Wriath

DASH

DASH

56

Litecoin

Darkcoin, XCoin

18million

18-Jan-2015

Coin Join

Instant, Private

PIVX

PIVX

50

DASH

Unlimited

1-Feb-2016

POS v3

zPIV

Public

SwiftX

Zcoin

XZC

N/A

21million

28-Sep-2016

PoW

zk-SNARKs

Zerocoin

Zcash

ZEC

Bitcoin

21million

28-Oct-2016

Equihash-POW

zk-SNARKs

Zerocash

Transparent Address, Shielded Address

Zclassic

ZCL

Zcash

21million

5-Nov-2016

Equihash-POW

zk-SNARKs

Zerocash

Zoin

ZOI

Zcoin

21million

5-Nov-2016

Lyra2Zoin-PoW

zk-SNARKs

Zerocoin

Sumokoin

SUMO

Monero

88million

1-May-2017

CryptoNight-PoW

Ring Signatures

RingCT

ZenCash

ZEN

Zclassic

21million

23-May-2017

Equihash-POW

zk-SNARKs

Zerocash

Deep Onion

ONION

62.5

N/A

19.4million

1-Jul-2017

POS+POW

zk-SNARKs, Coin Join, Ring Signatures

DeepSend

Spectrecoin

XSPEC

19-Aug-2017

POS v3

Tor+Ring Signature

OBFS4

Tor

Bitcoin Private

BTCP

Bitcoin & Zclassic

2-Mar-2018

Equihash-POW

zk-SNARKs

ShadowCash

SDC

https://www.youtube.com/channel/UCQtYBTppBxS0WLeCBx33gNQ
└ Tags: , , , , , , , , , , , , , , , ,
Comments Off on Cryptocurrency Anonymity, Privacy, & Fungibility