Addendum: “Web3 security is a mess”

Just a few unpublished notes from my last piece…

Money laundering

“The broad generalizations about the use of Bitcoin in illicit finance are significantly overstated. The blockchain ledger on which Bitcoin transactions are recorded is an underutilized forensic tool that can be used more widely by law enforcement and the intelligence community to identify and disrupt illicit activities. Put simply, blockchain analysis is a highly effective crime fighting and intelligence gathering tool.”

This quote is from a 2021 report written by former CIA director Mike Morell titled “An Analysis of Bitcoin’s Use in Illicit Finance”, which argues that reports of money laundering and other dark money moving through cryptocurrency ecosystems such as Bitcoin are exaggerated. He provides various data points to support this thesis.

In reality, it appears the vast majority of dark money and laundered funds still move across traditional banking systems, as confirmed by Chainalysis, who said illicit activity among all cryptocurrencies as a percent of total cryptocurrency activity from 2017 to 2020 was less than 1%. They go on to state “Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods”.

Similarly, Europol wrote, “The use of cryptocurrency as part of criminal schemes is increasing and the uptake of this payment medium is accelerating. However, the overall number and value of cryptocurrency transactions related to criminal activities still represents only a limited share of the criminal economy when compared to cash and other forms of transactions”.

Environmental concerns

Many people, myself included, are tired of waiting for Ethereum’s long-planned upgrade to a consensus mechanism that does not require the massive energy consumption which currently makes Ethereum an all-around bad choice for our planet. Despite Ethereum’s first-mover advantage, other blockchains have emerged with properties that are vastly more environmentally friendly than the Proof of Work mechanisms of Ethereum or Bitcoin, but direct energy comparisons are difficult to find.

The only top 10 (by market capitalization) blockchain with a functional smart contract layer and thriving community of which I am aware that can currently claim carbon neutrality is Solana. Solana runs on roughly 1650 validators, or core distributed servers. The energy use of each of these validators is comparable to that of a standard web server, as Solana uses the Proof of History (excellent article via @bill_papas_12) consensus mechanism.

It is the choice of each individual, whether they are an NFT artist, a dApp developer, investor, dabbler, etc., to perform a bit of due diligence and decide which blockchain(s) provide the combination of capabilities that support their goals. I encourage new folks coming into the industry to primarily consider environmentally friendly blockchains and to leave aging chains like Ethereum behind. However, if the purpose is to learn blockchain technologies to support your work in infosec, you must become familiar with Ethereum. Despite the diligent work of climate activists, the bulk of transactions involving smart contracts are still conducted primarily on Ethereum today.

Lack of infosec investment in the Web3 space

A few years ago, when I ran a boutique cybersecurity consulting firm, I spoke to and worked with several companies of varying stature in the blockchain and cryptocurrency spaces. I was typically referred to these organizations as a consultant who could help develop a security program, or improve some aspect of the program such as vulnerability management or incident response. Instead, what my cofounder and I typically found were cultures with low respect for established program-level information security methodologies, such as NIST guidelines, and other common approaches which help some of the largest and most mission-critical organizations in the world keep their assets safe.

We noted a frequent and inefficient tendency to “reinvent the wheel”, and we often encountered resistance to proven infosec approaches from other industries. However, we also noted that the organizations which had succeeded in hiring a few security professionals had focused the bulk of their efforts on secure engineering and security architecture. These seem to be the most appropriate methods of shifting security as far ‘left’ as possible in order to manage what is essentially a very limited industry resource for Web3 companies: specialized security workers.