Blockchain sessions were in full force at the RSA security conference, which I attended last week. The sessions were informative and very well attended, especially considering they weren’t all directly aligned with the topic of security.
Here are some key takeaways (see also an interview I did with ISMG: Gartner’s Litan on Blockchain).
Hype or Reality?
When it comes to blockchain, we are definitely sliding down the Gartner Hype Cycle towards the Trough of Disillusionment. You can sense this quickly in conversations with peers and other blockchain market observers. But that doesn’t mean all of it is hype. It does mean that the air is starting to clear, as the hype fades and reality kicks in.
So far, I’ve seen three practical use cases for blockchain technology. They are outlined below, along with some of the key takeaways from last week.
- Cryptocurrency and digital payments: Here I learned what the leading indicators are for a ‘scam’ currency vs. one that is much less likely to be a scam. Essentially, users need to beware of currencies controlled by central parties through a small number of consolidated nodes and concentrated transaction validation power. With truly decentralized cryptocurrency blockchains, transactions are validated across hundreds or thousands of nodes, and no single ‘scammer’ is in a position to control the currency. The residual risk is collusion among a majority of otherwise independent validators, which the protocol’s game theory is designed to make unprofitable but cannot rule out entirely.
- In contrast, with ‘scam’ currencies, the protocol and token economics seem to be engineered to make the creators and early holders rich, even though many of them masquerade as decentralized protocols that will revolutionize finance. Founders of some of these currencies actively pump and market their coins on social and mainstream (TV) media. The tokens they are selling are rarely, if ever, actually used.
- Federated identity: Bring your own identity to work or to your service provider. After being totally cynical about this use case, I heard a really interesting discussion about a project with the healthcare industry that made me optimistic that blockchain-based federated identity can actually work. In the healthcare example, a user brings their self-provisioned identity with them when they visit various established healthcare providers. Those providers (e.g. doctors, pharmacists, insurance companies) vet the identity using old-fashioned methods like looking at the patient’s driver’s license or insurance card. Once the identity is verified, the provider raises the identity’s assurance score (the inverse of a risk score) by updating the identity’s record on the blockchain. Over time, the identity accumulates enough independent verifications to be relied on for both low- and high-assurance transactions.
- Blockchain-based advertising platforms: this wasn’t covered in the conference, but during RSAC, Brave announced a partnership with Dow Jones Media Group and its Barron’s and MarketWatch publications (see Dow Jones Media Group partners with Brave Software). This is an encouraging sign that traditional advertising models could gradually be disintermediated (see Market Insight: How to Capitalize on Disruptive Blockchain-Based Advertising Platforms That Enable GDPR Compliance).
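The first use case above comes down to a measurable question: how many parties would have to cooperate to control validation of the chain? The following is an added example, not code from the original post or from any project it mentions. It takes each validating entity’s integer weight (blocks produced over an observation window, or staked units) and computes the Nakamoto coefficient, the smallest number of entities that together hold a strict majority of validation power. A coin whose coefficient is 1 or 2 is controlled by its operators whatever the marketing says; one whose coefficient is in the hundreds can only be captured by the large-scale collusion mentioned above. The three validator distributions and the alert thresholds are constructed assumptions.

```python
"""Validation-power concentration as a 'scam coin' indicator.

Added example, not from the original post.  Weights are integers (blocks
produced or stake units) so that an exactly even split is never mistaken
for a majority.  All validator data and thresholds below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List


def weights_from_block_producers(producers: Iterable[str]) -> Dict[str, int]:
    """Count how many blocks each entity produced in an observation window."""
    return dict(Counter(producers))


def nakamoto_coefficient(weights: Dict[str, int]) -> int:
    """Smallest number of entities whose combined weight is a strict majority."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("validation weights must sum to a positive value")
    running = 0
    for n, w in enumerate(sorted(weights.values(), reverse=True), start=1):
        running += w
        if 2 * running > total:  # strict majority, integer arithmetic only
            return n
    raise AssertionError("unreachable: the full set always holds a majority")


def top_share(weights: Dict[str, int], n: int) -> float:
    """Fraction of validation power held by the n largest entities."""
    total = sum(weights.values())
    return sum(sorted(weights.values(), reverse=True)[:n]) / total


def assess(weights: Dict[str, int],
           min_validators: int = 100,
           min_nakamoto: int = 10) -> Dict[str, object]:
    """Flag distributions a user should treat as centrally controlled.

    The two thresholds are illustrative assumptions, not figures from the post.
    """
    flags: List[str] = []
    coef = nakamoto_coefficient(weights)
    if len(weights) < min_validators:
        flags.append(f"only {len(weights)} validating entities")
    if coef < min_nakamoto:
        flags.append(f"{coef} entities control a majority of validation power")
    return {
        "validators": len(weights),
        "nakamoto_coefficient": coef,
        "top3_share": round(top_share(weights, 3), 3),
        "flags": flags,
        "centrally_controlled": bool(flags),
    }


# Constructed data: a founder-run chain, a pool-dominated chain with many small
# solo miners, and a widely distributed one.  Values are blocks per window.
FOUNDER_CHAIN = {"founder-node-1": 400, "founder-node-2": 350,
                 "partner-a": 150, "public-1": 50, "public-2": 50}
POOL_CHAIN = {f"pool-{i}": w for i, w in enumerate([250, 180, 150, 120, 100])}
POOL_CHAIN.update({f"solo-{i}": 2 for i in range(100)})
WIDE_CHAIN = {f"validator-{i:04d}": 10 for i in range(1000)}

if __name__ == "__main__":
    for label, chain in [("founder", FOUNDER_CHAIN), ("pools", POOL_CHAIN),
                         ("wide", WIDE_CHAIN)]:
        print(label, assess(chain))
```

The pool-dominated chain is the instructive case: it has over a hundred participants, yet three pools hold a majority, so node count alone is not the indicator to watch; the size of the smallest controlling coalition is.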
Security and privacy risks to blockchain
- Privacy wakeup call: We’ve known for a long time that bitcoin payments are pseudonymous rather than anonymous: every transaction is public, and addresses can be tied to real names. But a patent just granted to Amazon actually endorses the tracking and attribution of bitcoin transactions, and the sale of the resulting linked data to third parties, including government agencies for tax reporting. See Amazon Patent on Streaming Data Marketplace.
- Here’s an excerpt from the patent: “One example is a data stream that publishes or includes global bitcoin transactions (or any crypto currency transaction). These transactions are completely visible to each participant in the network. The raw transaction data may have little meaning to a customer unless the customer has a way to correlate various elements of the stream with other useful data. For example, a group of electronic or internet retailers who accept bitcoin transactions may have a shipping address that may correlate with the bitcoin address. The electronic retailers may combine the shipping address with the bitcoin transaction data to create correlated data and republish the combined data as a combined data stream. A group of telecommunications providers may subscribe downstream to the combined data stream and be able to correlate the IP (Internet Protocol) addresses of the transactions to countries of origin. Government agencies may be able to subscribe downstream and correlate tax transaction data to help identify transaction participants.”
- There are alternative cryptocurrency schemes like Zcash (opt-in privacy) and Monero (privacy by default) that reportedly do preserve anonymity, so I’d expect more adoption of these alternatives in the future.
- Security risks: it’s more of the same old tricks. Here I saw data that validated my assumption that attacks on blockchain take the same form as attacks on bank accounts or other valuable assets. See Bitcoin Graveyard: A list of Blockchain related hacks. As that graphic shows, server breaches, application vulnerabilities and account takeovers were the root cause of most of the breaches. Hacks of the protocol itself were in the clear minority.
- Most interestingly, I also learned that, in response to these threats, some blockchain exchanges are well equipped to detect and block them. See Binance explains API/Phishing Attack; Hackers walk away losing money. In this case, Binance’s fraud analytics were good enough that the exchange not only stopped the attack in real time, but was also able to confiscate the cryptocurrency balances the attacker held in his or her own account on the exchange.
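To make the privacy point above concrete, here is an added example, not code from the original post or from Amazon’s patent, that models the pipeline the patent excerpt describes. The raw transaction stream every node sees is joined with a retailer’s private order records (which payment paid for which shipping address), then with a network provider’s IP-to-country view. One matched purchase is enough to name the payer, and because bitcoin addresses are commonly reused, every other transaction from that address is attributed as well. All data is constructed: the address strings are made up, the IPs come from documentation ranges, and the `source_ip` field is an assumption standing in for the peer a well-connected node first heard the transaction from, which is not recorded on-chain.

```python
"""Correlating a public ledger stream with off-chain data (added example).

Models the three-party join in the patent excerpt: chain stream -> retailer
orders -> IP geolocation, then propagates identities across reused addresses.
Everything here is constructed sample data, not real transactions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stream 1: what every node sees (constructed; source_ip is an assumption).
CHAIN_STREAM = [
    {"txid": "tx-0001", "from": "addr-A1", "to": "addr-SHOP", "btc": 0.031, "source_ip": "203.0.113.7"},
    {"txid": "tx-0002", "from": "addr-B7", "to": "addr-SHOP", "btc": 0.250, "source_ip": "198.51.100.23"},
    {"txid": "tx-0003", "from": "addr-A1", "to": "addr-C3", "btc": 1.500, "source_ip": "203.0.113.7"},
    {"txid": "tx-0004", "from": "addr-Z9", "to": "addr-Q2", "btc": 0.010, "source_ip": "192.0.2.55"},
]

# Stream 2: the retailer's order book, private to the retailer (constructed).
RETAILER_ORDERS = {
    "tx-0001": {"name": "A. Example", "ship_to": "12 Main St, Springfield"},
    "tx-0002": {"name": "B. Sample", "ship_to": "9 Harbour Rd, Auckland"},
}

# Stream 3: a telco's IP-to-country table (constructed, documentation ranges).
IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "NZ",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


@dataclass
class CorrelatedTx:
    txid: str
    payer: str
    btc: float
    country: Optional[str] = None
    name: Optional[str] = None
    ship_to: Optional[str] = None
    linked_via: Optional[str] = None  # the record that supplied the identity


def join_retailer_orders(chain: List[dict], orders: Dict[str, dict]) -> List[CorrelatedTx]:
    """Retailer step: attach name and shipping address to the paying transaction."""
    out = []
    for tx in chain:
        rec = CorrelatedTx(txid=tx["txid"], payer=tx["from"], btc=tx["btc"])
        order = orders.get(tx["txid"])
        if order is not None:
            rec.name, rec.ship_to, rec.linked_via = order["name"], order["ship_to"], tx["txid"]
        out.append(rec)
    return out


def add_country(records: List[CorrelatedTx], chain: List[dict], geo) -> List[CorrelatedTx]:
    """Telco step: map each transaction's observed source IP to a country."""
    ip_by_txid = {tx["txid"]: ipaddress.ip_address(tx["source_ip"]) for tx in chain}
    for rec in records:
        ip = ip_by_txid[rec.txid]
        rec.country = next((c for net, c in geo.items() if ip in net), None)
    return records


def propagate_by_address_reuse(records: List[CorrelatedTx]) -> List[CorrelatedTx]:
    """Attribute unnamed transactions whose payer address was named elsewhere."""
    named = {r.payer: r for r in records if r.name is not None}
    for rec in records:
        if rec.name is None and rec.payer in named:
            src = named[rec.payer]
            rec.name, rec.ship_to, rec.linked_via = src.name, src.ship_to, src.txid
    return records


def deanonymize(chain, orders, geo) -> List[CorrelatedTx]:
    records = join_retailer_orders(chain, orders)
    add_country(records, chain, geo)
    return propagate_by_address_reuse(records)


def profiles(records: List[CorrelatedTx]) -> Dict[str, List[str]]:
    """Group attributed txids under the real-world name now attached to them."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        if rec.name is not None:
            out.setdefault(rec.name, []).append(rec.txid)
    return {name: sorted(txids) for name, txids in sorted(out.items())}


if __name__ == "__main__":
    result = deanonymize(CHAIN_STREAM, RETAILER_ORDERS, IP_COUNTRY)
    for rec in result:
        print(rec)
    print(profiles(result))
```

Note what happens to tx-0003: it never touched the retailer, yet it is attributed to the same person because the payer reused the address from the purchase. That is the whole lesson of the excerpt: the retailer, the telco and the downstream subscriber each hold one harmless-looking table, and the join is what strips the pseudonymity. Only tx-0004, whose address was never tied to anything off-chain, stays unattributed.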
Women in Security
I moderated a lively and active panel on this subject with three women, Lital Asher-Dotan, Maya Pizov and Shira Shamban, all of whom served in Israel’s elite 8200 cyber-intelligence unit. See Lital Asher-Dotan LinkedIn Post on Panel.
We spoke about 8200’s recruitment practices, which start with the selection of candidates while they are still in high school. Rather than look for hands-on programming experience, the unit looks for fundamental traits such as curiosity, the ability to see patterns, logical thinking and effective communication. Software development skills can be taught once the recruits join the unit.
These recruitment practices result in a unit population that is 55% female, compared with the 11% representation of women we see in cybersecurity professions, although many factors contribute to that disparity. The panelists noted that they did not experience bias in the military, where people were judged on their performance and what they could deliver rather than on how they looked. But they also said that once they left the military, they began encountering gender bias, which they were able to manage and dismiss in their own adept, ‘commanding’ way.
All in all it was a very stimulating conference. Lots of in-person discussions on many different security topics that are always great food for thought.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.