Jun 17

Decentralized VPN – Zero Knowledge Systems v2.0

Before there was TOR there was Zero Knowledge Systems, a privacy network that let you set the number of hops you’d like to make before exiting, along with a simple system to manage multiple online identities. Sadly, they were not a commercial success, but they were an early cypherpunk company.

There is now an open source project that hopes to bring a privacy VPN to the market using cryptocurrencies to pay for the solution. Mysterium just did an ICO (initial coin offering) and raised over $14M USD for development.

This is interesting for a couple of reasons. First, it is a direct throwback to a failed late-90s cypherpunk idea. The question is: are there now enough privacy-conscious people out there willing to pay for such a service? If there are, then maybe this time will be different.

The second is that they are going head-to-head with a free service that is trying to provide the same benefits. From their competitive matrix it seems their belief is that by putting an economy behind this they will be able to provide a faster service than TOR.

It is certainly true that TOR is slow, but the question is whether people will be willing to pay for privacy, especially if it is on metered usage instead of a flat fee. I’d be skeptical since I think the cognitive overhead of micropayments is why they haven’t been adopted and this feels similar to me. Anytime I have to think about whether or not to use a service it creates barriers; this is why most VPN providers have some sort of fixed pricing model, at least for “normal” usage.

This is one of those times I hope to be proven wrong. I’d really love a decentralized VPN to get wide scale adoption. Once I get my new high speed FIOS connection this month I may even try to run a node for a while to get a better feel for the project.


Jun 14

BlackNet Lives, Sell Your Secrets Here

In my post about the Cypherpunks I stated that some of their ideas, like ransom publishing and digital currencies, had finally come of age. Well, another one just came to my attention: black market information bazaars.

On the Cypherpunks list Tim May described BlackNet:

BlackNet is in the business of buying, selling, trading, and otherwise dealing with *information* in all its many forms.

Well, now there is PayPub, a system that allows a leaker to get paid as they anonymously release data:

Trustless provably fair information marketplace

“PayPub: Trustless payments for information publishing on Bitcoin”
Scheme by Peter Todd
Code by Amir Taaki

This is just a proof of concept prototype, but the code is out there for anyone who wants it.


May 14

Bad Crypto Looks Like Good Crypto Until it Breaks: Tech Due Diligence on Crypto

Given my security background I naturally look at a lot of security startups, and more than a few of these involve crypto. For those who don’t know, crypto can pose a problem in tech due diligence since bad crypto looks like good crypto, until someone breaks it.

So what does one look for to catch bad crypto? Glad you asked. The technical term for the red flags I try to spot is Mumbo-Jumbo. When I hear a hand-waving explanation about how this crypto does something that no one has done before and that it is “tough for people to believe at first”, my Spidey sense goes off. And if their white paper is really just a glorified sales pitch then I’m really worried.

In the book EBoys the author talks about Benchmark’s investment in a crypto company where the founder claims to have implemented a one-time pad in his program. If you know anything about crypto then you know this just can’t be true. Full stop. Benchmark ends up investing and the company goes down in flames. As someone who knew about crypto, I was shaking my head the entire time they were discussing making the investment in the book, because you know the company can’t be doing what they say they are.
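An added illustration (not from the original post or the book) of why a one-time pad claim deserves scrutiny: a real pad must supply as many fresh random bytes as there is traffic, and reusing pad bytes produces ciphertext that still looks random yet leaks the XOR of the plaintexts. `PadBook`, `reused_pad_leak` and the sample messages are constructed for this example and do not describe the company in the book.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """A real one-time pad: random bytes that are consumed and never reused."""

    def __init__(self, size: int):
        self._pad = secrets.token_bytes(size)
        self._used = 0

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def encrypt(self, msg: bytes) -> bytes:
        # Every message byte costs one fresh pad byte; when the pad runs
        # out, the only honest answer is to stop, not to start over.
        if len(msg) > self.remaining():
            raise ValueError("pad exhausted: no fresh pad bytes left")
        chunk = self._pad[self._used:self._used + len(msg)]
        self._used += len(msg)
        return xor(msg, chunk)


def reused_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages shared one pad, the pad cancels: c1 ^ c2 == p1 ^ p2."""
    return xor(c1, c2)


def demo():
    # Constructed sample messages of equal length.
    p1 = b"wire $500 to account 1111"
    p2 = b"wire $900 to account 2222"
    pad = secrets.token_bytes(len(p1))
    c1, c2 = xor(p1, pad), xor(p2, pad)  # the pad is used twice
    leak = reused_pad_leak(c1, c2)
    # Knowing (or guessing) p1 reveals p2 without ever seeing the pad.
    recovered = xor(leak, p1)
    return leak == xor(p1, p2), recovered == p2


if __name__ == "__main__":
    print(demo())
```

The diligence questions this raises are where the pad bytes come from, how they reach both ends, and what the product does when they run out.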

So, what’s the point? I’ve seen a few companies recently where, when I ask how they do their crypto, I get vague answers on the technical front and deflections about how the business benefits of their software are amazing. When the CEO says: “Do you know any other program that can do X, Y, and Z?” this is a huge red flag; if the CEO (or CTO) can’t explain how it works it is a problem. Sounds obvious, right? But these companies are still getting funded by folks, which leads me to believe that not everyone is doing their due diligence on this correctly.

In contrast, a CEO recently gave me a great answer. He walked me through the public algorithms used and explained how they used public and private key cryptography to protect their data. When we dove in he explained what an attacker would have to do to get access to a user’s data, and how a compromise of their server would affect users. He talked about the security model and was forthright about its limitations, explaining how an attacker could get data under different sets of circumstances and the work they had done to mitigate them. Giving honest answers about what happens when a machine is compromised instead of insisting it will never happen should give confidence, not frighten people off.

Cryptography is subtle and can be tricky, so I often have an expert take a look as a final diligence step. But many times that level of scrutiny isn’t necessary; if the CTO can’t answer how the program generally protects users then a deep dive just isn’t warranted. There isn’t any need to call in an expert mechanic if the car is clearly missing its engine. If you’re going to pitch a product that relies heavily on crypto you need to be able to explain what it does; if you as CEO can’t explain how it works then how can an investor have any confidence in the product?

Jul 13

The Age of the Cypherpunks has Finally Come

Let’s start with an admission: I’m older than I look. Back when I was in high school there was an online group called the Cypherpunks. From Wikipedia:


Cypherpunks originated as an informal online group of people interested in privacy and cryptography who originally communicated through the cypherpunks mailing list, although there were also cypherpunk meetings and parties in real life.


The cypherpunks mailing list had extensive discussions of the public policy issues related to cryptography and on the politics and philosophy of concepts such as anonymity, pseudonyms, reputation, and privacy.


Apparently there is still an active node, but usage really peaked around 1997 or 1998; and I followed those discussions religiously. People were talking about really cool ideas around digital commerce and anything seemed possible.

Well, it looks like at least a few of those ideas have finally become a reality: Digital Cash and the Ransom Publishing Model.

Digital cash is pretty obvious, and it looks like Bitcoin is getting enough traction that we’ll at least get to see an interesting experiment play itself out. I’ve seen the potential in truly anonymous digital cash since I was in high school and I’m psyched to see people using Bitcoins.

Back in the day I worked on the Mnet Project, a distributed file share that used crypto and had come out of a micropayments file share called MojoNation.

Mojo was a digital cash currency that aimed to provide attack resistance and load balancing in a fully distributed and incentive-compatible way (see Agoric computing).

Long story short, I really wanted Mnet to become the basis for an online digital currency, but it never gained traction. But now we have Bitcoins, and I’m pretty excited to see what awesome ideas people come up with using true digital cash.

The second Cypherpunk’ish idea to gain traction is the Ransom Publishing Model, also known as the Street Performer Protocol. John Kelsey and Bruce Schneier released a paper on this back in 1998, but people had been talking about it for a long time before that.

ABSTRACT: We introduce the Street Performer Protocol, an electronic-commerce mechanism to facilitate the private financing of public works. Using this protocol, people would place donations in escrow, to be released to an author in the event that the promised work is put in the public domain. This protocol has the potential to fund alternative or “marginal” works.


Sound familiar? Yeah, it’s Kickstarter.

I’m going to go back and revisit some of the other Cypherpunk ideas that had me really excited back then; I believe the world is finally ready for them.

If you have a Cypherpunk’ish idea whose time has come let me know, I’d love to chat about it.