HackerTrans
TopNewTrendsCommentsPastAskShowJobs

crunchatized

no profile record

Submissions

Why Is It Taking So Long to Secure Internet Routing? (2014)

queue.acm.org
2 points·by crunchatized·hace 4 años·0 comments

comments

crunchatized
·hace 4 años·discuss
>to obscure cash flows, something which is specifically illegal.

It's only illegal under 18 U.S. Code § 1956 to conduct transactions to obscure the source of "the proceeds of some form of unlawful activity." There's no law against obscuring the sources of cash flows in general. And on an otherwise completely public blockchain, there was a major use case for obfuscating flows for the sake of user privacy.
crunchatized
·hace 4 años·discuss
The phrase 'according to the treasury' and Ctrl-V are doing a lot of work there. The government says a lot of things. The other day the Secretary of State claimed Tornado Cash was a DPRK sponsored hacking group before deleting the tweet. Not everyone in authority has a real great understanding of the technology involved.

https://web.archive.org/web/20220808155413/https://twitter.c...

> We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to...(AML/CFT) obligations willingly and repeatedly.

The Tornado Cash mixer contracts have been immutable since May 2020. It's a dumb piece of software that can't be modified or upgraded. Its authors have no control over who uses it on the blockchain.

https://tornado-cash.medium.com/tornado-cash-is-finally-trus...

It's kind of a strange accusation to say that someone has 'willingly and repeatedly' neglected to comply with legal obligations by failing to do something that's technically impossible to accomplish. All the GitHub users did was write code, and simply writing code, while not executing it to do something illegal, seems like it would be pretty well protected by the First Amendment, since code is speech. Turning people's lives to shit over what a software tool they invented gets used for later, after it's completely out of their hands, is pretty wild.

You copied and pasted Brian E. Nelson's complaint:

> Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.

But what Nelson fails to mention is that a) everyone involved has failed to impose 'effective' controls because it's physically impossible for anyone to, and b) basic measures to block sanctioned entities were actually implemented by the operators of the Tornado Cash website (which just got added to the SDN list anyway). So the complaint is that the control measure in place isn't an 'effective' control measure against entities that don't use the website.

https://www.coindesk.com/tech/2022/04/15/tornado-cash-adds-c...

And not that the exact number matters, but the Treasury is alleging an obviously maximally exaggerated amount of money laundering. $7 billion is the total value of deposits into Tornado Cash over all time. For that to be $7 billion laundered, 100% of all deposits, ever, put into the mixer would have to have come from illegal sources, which is obviously false. Depositing legally earned money into a privacy smart contract isn't money laundering. A sizeable portion of deposits are illicit, but far from a majority.

>Since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which have come from illicit or high-risk sources.

https://blog.chainalysis.com/reports/tornado-cash-ofac-desig...
crunchatized
·hace 4 años·discuss
Let's Encrypt is the lone, singular CA that actually already had a defense against this attack.

> In multiple vantage point verification, a CA performs domain control validation from many vantage points spread throughout the Internet instead of a single vantage point that can easily be affected by a BGP attack. As we measured in our 2021 USENIX Security paper, this is effective because many BGP attacks are localized to only a part of the Internet, so it becomes significantly less likely that an adversary will hijack all of a CAs diverse vantage points (compared to traditional domain control validation). We have worked with Let’s Encrypt, the world’s largest web PKI CA, to fully deploy multiple vantage point validation, and every certificate they sign is validated using this technology (over a billion since the deployment in Feb 2020). Cloudflare also has developed a deployment as well, which is available for other interested CAs.

> But multiple vantage point validation at just a single CA is still not enough. The Internet is only as strong as its weakest link. Currently, Let’s Encrypt is the only certificate authority using multiple vantage point validation and an adversary can, for many domains, pick which CA to use in an attack. To prevent this, we advocate for universal adoption through the CA/Browser Forum (the governing body for CAs).

That defense alone is still not perfect ("some BGP attacks can still fool all of a CA’s vantage points"), but that's the state of the art.