Articles tagged "consultancy"

Least Authority Performs Incentive Analysis For Ethereum

Our mission at LeastAuthority is to bring verifiable end-to-end security to everyone.

As part of that mission, in addition to operating the S4 secure storage service, we also run a security consulting business. We LeastAuthoritarians have extensive experience in security and cryptography, and other companies sometimes hire us to analyze the security of their protocols and software.

Our most recent consulting client is Ethereum.

Ethereum is innovating in many ways, both in the technical design of the cryptocurrency itself, and in their engineering process. As part of the testing phase building up to Ethereum's release, they are performing a large scale security audit, involving contributions from many independent investigators, including Least Authority.

Our contribution is not a “security audit” per se, although we did find and report some implementation-specific bugs.

Instead, we took an in-depth critical look into two fundamental and innovative aspects of Ethereum's design: the new proof-of-work puzzle, Ethash, and the gas mechanism. Both of these features are inherently incentive-oriented. The proof-of-work puzzle is designed to encourage a large number of independent users to participate, yet to discourage "mining centralization" which is currently rampant in Bitcoin. For example, it would be considered a severe failure of the incentive mechanism if, in a year following Ethereum's release, there turns out only to be a single large Ethereum miner, crowding out other potential miners! Similarly, the gas mechanism is about encouraging users to make efficient use of common resources (e.g., storage in the blockchain and compute cycles available to validate transactions). For both of these, we're interested in answering similar questions: are the incentives of users well aligned? Can a greedy attacker profit by deviating from the protocol?

This has been fun for us because we've gotten to study in very close detail several aspects of how Ethereum works, and gotten to see their engineering process in action. We're impressed with many aspects of their engineering process, such as how all the work is done "in the public", so we could follow along as they release in-development code. Also they have several different implementations in different languages, by different teams. Lots of bugs are caught that way.

Today we're releasing our final report, which summarizes our findings and explains the steps Ethereum has taken in response. In general, we found the Ethereum virtual machine and gas mechanism to be well designed, and most of the hazards in contract composition are readily fixed. Based on our cost analysis of hardware configurations, the Ethash puzzle is likely to be GPU-friendly with minimal potential for improvement using customized hardware designs. As supplemental materials we also include tools for visualizing the storage trie structure and demonstrations of attacks using pyethereum as a simulator.


Least Authority Performs Security Audit of GlobaLeaks

At Least Authority, our mission is to bring verifiable end-to-end security to everyone. As a part of this mission, we provide security consulting services to free and open-source software projects. We also run a verifiably-secure cloud backup system, S4.

In the past, we've performed successful security audits of SpiderOak's Crypton project and of Cryptocat. Continuing this series of security audits, we've completed an audit of the GlobaLeaks whistleblowing framework.

This audit was funded by the Open Technology Fund (OTF). Regular security audits are an important part of the development of any software, and free and open source internet freedom software is certainly no exception. We applaud OTF for funding these highly beneficial audits.

Audit Results

Protecting whistleblowers is no easy task, especially since they may be up against powerful adversaries (governments, corporations, and criminal organisations) and the consequences of getting caught may be grave. It's unlikely that a single technical solution to this problem exists. To keep whistleblowers safe, any technical solution needs to be paired with OPSEC education.

One of the things we liked about the GlobaLeaks project is that it has OPSEC education and checks built right in to the user interface.

We identified several security issues in the GlobaLeaks software. You can read about each issue in the audit report. The issues have been addressed by the GlobaLeaks team in the latest stable version.

Further Reading

The full audit report: Report of Security Audit of GlobaLeaks.

The GlobaLeaks wiki page: LeastAuthority Report.

Tickets in the GlobaLeaks bug tracker for each of the issues we identified.


Least Authority Performs Security Audit For Cryptocat

This is the second post in our series about security audits of Free and Open Source end-to-end encryption software. The first post in the series was about our security audit of SpiderOak's crypton project.

Our mission at LeastAuthority is to bring verifiable end-to-end security to everyone.

As part of that mission, in addition to operating the S4 simple secure storage service, we also perform security consulting. We LeastAuthoritarians have extensive experience in security and cryptography, and other companies sometimes ask us to analyze the security of their protocols and software.

We audited the widely-used Cryptocat encrypted chat program. This audit was funded by Open Technology Fund as part of their Red Team project to provide multiple professional security audits to Internet freedom projects.

What were the results?

We found several security issues in the version of Cryptocat that we examined (Cryptocat v2.1.15). For each one, we reported it to the Cryptocat developers, and they have either deployed a fix in a newer release of Cryptocat or else disabled the feature that has the vulnerability.

The complete list of the issues we found is at the end of this article, along with a link to the report document.

Unfortunately we didn't have time to examine all parts of Cryptocat that we wanted to. We concentrated on the “crypto-related” parts: key generation and key management, random number generation, encryption and decryption, authentication and integrity, and the new file transfer feature. Most of the issues that we found were in those areas.

Our report explains what parts of it we looked at most closely (this is called the "coverage" results of the audit).

parting thoughts

I would like to thank the Cryptocat project, led by Nadim Kobeissi, for their commitment to doing development in the open, inviting external review, and moving to address the issues we uncovered. This open development process is a good complement to Cryptocat's Free and Open Source publication of their code and their commitment to providing end-to-end security for their users.

On top of that, I'd like to thank Cryptocat for their unflagging focus on usability. Usability is a critical factor if we are going to succeed at bringing verifiable end-to-end security to everyone, and it is an area where we as a community and as a society need to improve.

Any questions?

If you have any questions about these results or the process, please contact us or the Cryptocat developers.

The next project we are auditing is GlobaLeaks, so stay tuned.

further reading

The full report: Report of Security Audit of Cryptocat

The post on the Cryptocat blog.

Tickets on the Cryptocat github issue tracker to track the status of each issue:


Least Authority Performs Security Audit For SpiderOak

Our mission at LeastAuthority is to bring verifiable end-to-end security to everyone.

As part of that mission, in addition to operating the S4 simple secure storage service, we also run a security consulting business. We LeastAuthoritarians have extensive experience in security and cryptography, and other companies pay us to analyze the security of their protocols and software.

Almost all of our consulting clients are making Free and Open Source software which protects user freedoms and works against censorship. It is wonderful that in this day and age we can get paid to work on software in the public interest.

One of our clients is SpiderOak, a company who, like LeastAuthority, sells cloud storage with end-to-end encryption. They didn't hire us to evaluate the security of their current storage product (that would be a big job!), but instead to do a limited, two-week long, security audit of their new Crypton.io framework.

It was a fun project because we got to learn some of the details of the Crypton.io design and implementation. We came away with a favorable impression of the professionalism and good engineering practices of the SpiderOak team. Crypton.io is all Free and Open Source software, and it is designed for real, end-to-end security, which is part of why we wanted to take the job.

Today SpiderOak has published the security auditing report. We'd like to thank them for producing Crypton.io, subjecting it to this kind of independent review, and publishing the complete results. That's the right way to do things!

The next security audit that we performed, was for the Cryptocat secure chat app. We expect the report from that to also be published soon. Stay tuned!


Page 1 / 1