The Future of Cryptography and Cryptocurrencies
In a previous article, Jean-Baptiste Prunel spoke about the 42 IT school, a ground-breaking school with neither classes nor teachers that instead teaches through projects, training and the willingness to get the job done.
We also spoke about Poleon.co, Jean-Baptiste’s first startup venture, which tried to track and predict a number of patterns on “what moves in a city”, for example the number of bikes available at a park station and at a particular hour. The Poleon.co project stopped because it lacked the structured, real-time data it needed.
Jean-Baptiste’s career, though, did not stop there. Quite the contrary—he bounced back and got a cryptography-related job.
Watch the Interview
(from minute 17 onwards)
Ledger: a Global Outreach Made in France
When Poleon.co’s activities came to an end in February 2018, Jean-Baptiste did not give up. Months earlier, he had met the founder of a startup called Ledger. The two had gotten along well, and Jean-Baptiste had thought it would be nice to work at Ledger. He now reconsidered this once-forgotten option, and Ledger hired him as their outreach officer.
Created in 2014, this venture, partly based in Vierzon (in the French countryside), aimed to help cryptocurrency owners secure their holdings. As Éric Larchevêque, one of the people behind Ledger, said (in French), “after several small hackings and wide-scale robberies happened in 2013 and 2014, we saw a clear need to protect both wallets and exchanges as well as to anticipate any potential security breach.”
Bitcoins, like the other cryptocurrencies built on the same model, are immaterial and decentralized. Although not supervised by a central authority, they can nonetheless be tracked and, sometimes, hacked. How do you guarantee the safety of something as immaterial as units on a blockchain?
Cryptocurrencies, Jean-Baptiste says, are accessible through a 64-character-long random password. This master password is impossible to memorize and must be kept somewhere, and that is where the security process shows its flaws. Because the master password is too long to remember, most users keep it in a file, more often than not a plaintext, unencrypted file. It can be stolen and copy-pasted, and if you lose it, you’ll lose the coins. “In cryptocurrency, there is no such thing as an ‘I forgot my password’ option. If you lose it, you lose real money.”
What could be safer or more practical than that? Many online wallets use two-factor authentication (2FA). You have to type a normal, alphanumeric password and a code from a list of codes you received when you activated the 2FA option. But even then, the code list can be stolen too.
Ledger’s products secure your bitcoins differently. They allow owners to “disconnect” their cryptocurrencies from the Internet by holding everything necessary within a physical device. If you don’t have access to this device, you can’t take the coins away. It is an apparently simple yet efficient way to ensure no remote hacker can steal your coins, no matter which password(s) he or she managed to get.
Ledger’s first product was a USB key. The 64-character master password is kept within the key, which must be connected to the computer and allows for multi-currency management. It sold extremely well, and Ledger developed a host of related products, such as an NFC-chip based wallet, a mobile-based solution and autonomous wallets coming with their own screen and mini-keyboard. Nano S, the latest version of Ledger’s star USB key, sold more than a million units in nearly 165 countries.
By the beginning of 2018, Ledger had managed to raise $75 million from various big investors to ensure its leading position on the global cryptocurrency security market. Although Ledger already has company-oriented products, its managers want to expand the customer base to include financial institutions and banking professionals.
Your Phone is a Joke!
Cryptocurrencies are an example of something new made out of something older. They “were built with technologies from the 1970s.” Developed with a geopolitical, Cold War goal in mind, cryptography is “how you can hide something from someone with passwords, keys and encryption-decryption processes.” This basically simple principle, whose applications can be far more complicated, is what Ledger is built around: “you need cryptography to handle cryptocurrencies and ensure privacy.”
Just like the air we breathe, cryptography has already found its way pretty much everywhere. Smartphone apps, forum databases, Facebook and many other processes encrypt and decrypt contents every time you connect. It is ubiquitous. Which also means it is easily forgotten. Yet, Internet security is far from being a trivial topic.
When I ask Jean-Baptiste if the electronic security specialists from Ledger could crack my smartphone, he answers “your phone is a joke!” without a second thought. “It depends on the type of phone, of course. The Android ones are easy to crack. The data’s not secure at all. Especially since so many users store sensitive data unencrypted, in their notepad app for example.” As for the more secure data, Jean-Baptiste thinks he could “buy software on the deep web and use it to crack your passwords and encrypted data within hours.”
iPhones would be harder to crack. They were built around a “more recent” kernel, where the sensitive data is more isolated from the rest of the phone, which accesses it less easily and less frequently, thus leaving less room for potential security breaches.
Slightly bemused, I take my iPhone and wonder. How much time will you need to crack my passwords? If my passwords are numbers, they can be boiled down to a few combinations and easily cracked. “If your passwords are 4 digits long and made of numbers, a few hours will be enough. If they are 6 digits long, a few days perhaps.” And this is only in case the hackers use brute force on the gate everyone knows. Exploits, hidden information flows and 0-days, as we are about to see, can make things much easier for them. “It’s easy for people with the right abilities and materials, like the police, or hackers.”
Perhaps someone should create an open-source mobile operating system. Something open source is more protected than proprietary software. Windows is “notoriously easy to break”, macOS is already more secure because of its more recent structure, but Linux remains the most secure computer OS because its openness allows for a community of passionate developers to work on it.
Linux’s security stems from the power of the hivemind: many developers check the code and monitor the flow of information within the system. They are eager to find problems or potential breaches and fix them, so security fixes arrive much more quickly than for proprietary systems. Here the competitive spirit seems to work better with libre software than among classic companies. (Conscious capitalism is already something else.) If all software were open-source, Jean-Baptiste says, all IT would be way more secure.
Your Level of Risk Depends on Who You Are
Not all attackers are created equal. Some are script kiddies who only look for the low-hanging fruit. At the other end of the spectrum, some are global experts working for intelligence agencies or acting within small, elitist hacker cliques.
“Bruteforce attacks are but the simplest way to hack.” A long, alphanumeric password of at least eight digits can make such crude attempts take months or even years to crack the virtual nut. But some know the information flow better and avoid taking the front door. There are, or may be, 0-day flaws or exploits: security breaches, hidden information flows or means of obtaining information that have not yet been discovered by the general public.
Once these are known, it may be a matter of hours before they are patched. Before that, they are unknown and can only be speculated about. (Until they get exposed, like the NSA’s XKeyScore or the shadowy methods of economic hit men.) They are mostly used by intelligence agencies, who have the financial means, the experts and the secrecy culture to keep 0-days within their own bounds for as long as they can. As the Snowden story showed, it isn’t a “conspiracy theory” but a proven fact that various intelligence agencies do what they can to eavesdrop on private conversations, read emails and the like.
It isn’t always that bad, Jean-Baptiste mentions. Intelligence services use their techniques to track hostile, violent groups like ISIS and have already prevented several terrorist attacks. “It isn’t black and white.” Even then, from the point of view of the company, not to mention the average, well-meaning pedestrian, privacy and coin security remain non-negotiable values.
Ledger works hard to ensure their own solutions let no “unknown flows” of information compromise the Bitcoin, Ethereum, Monero et cetera they hold. The startup owns labs worth millions of dollars, Jean-Baptiste says, where experts conduct physical attacks on electronic hardware to find its flaws and upgrade it. Known as pentesting or offensive security, this practice consists of acting like a hacker to prevent ill-intentioned hackers from succeeding.
“In an iPhone”, Jean-Baptiste continues, “the data is encrypted. But let’s say you have the master password of your wallet somewhere in your device. If we have physical access to it, we’ll uncover key chips and use lasers to read directly on particular transistors.” One of the techniques used consists of inducing an electromagnetic perturbation on the chip so that the program starts malfunctioning and, perhaps, leaking data. This is hard to do and requires “high-level skills.”
It can be done when the phone or attacked device belongs to people deemed important enough by whoever attacks. “Some people are very good” at this kind of attack. Even if you have a lot of cryptocurrency to secure, for example if you are a Bitcoin millionaire, as some young men have become, the devices built by Ledger can help you achieve a high level of security.
As Jean-Baptiste recalls, using a special device, built especially to ensure cryptocurrency security, remains safer than having your password on the iPhone you use for a million other things every day.
The Future of Cryptography
Some algorithms like PGP (Pretty Good Privacy) are already here. “They will probably still be around” in 2030: “they’ve been attacked a lot and are still here, which is the best proof of their security level”, Jean-Baptiste says, comparing them to buildings that are supposed to be earthquake-resistant and prove themselves by simply standing after several tremors.
The crypto field is moving fast. According to my interviewee, the most promising advancement could be found in quantum cryptography. It is based on quantum computing. Jean-Baptiste explains it as follows:
Classical computing uses bits. A bit is 1 or 0. It is the simplest memory unit. Quantum computing uses quantum bits. These can consist of many more ranges, not only 0 or 1 but 0.001 for example… 50 quantum computers may have more computing power than a classical computer the size of the entire universe.
Just like fractals, quantum bits seem to open up to the infinite. The number of decimals can go on indefinitely. This is enough to change everything. The technology, though, isn’t viable yet. Quantum bits remain unstable and cannot be maintained in a stable enough state to be used. Quantum research still progresses fast and the promised field should bear fruit someday.
To security specialists, quantum computing matters a great deal. Quantum computers will have enough computing power to break every encryption algorithm already existing, “including PGP… this has already been shown by mathematical proofs.” Even Monero and other state-of-the-art secure cryptocurrencies might be swept away by the quantum wave.
Thus, there will be a need to design new encryption algorithms, able to resist quantum-based attacks. A struggle is going on for “quantum supremacy.” Countries like France, the USA and others with good mathematicians have come to the fore. Breaking new ground here may be tantamount to getting control of the neighboring country’s missiles. The Google Chrome browser is already known to include special algorithms meant to protect the data against quantum-based attacks.
How to Lead a Secure Digital Life?
Beyond the cryptocurrency issues, if one wants to protect his or her precious data, one should:
- have an iPhone rather than an Android or Windows Phone;
- use Firefox as a browser. It is open source, doesn’t spy on or track its users and has been proved to be the quickest browser available;
- use alphanumeric passwords with, at the very least, 6 digits;
- use different passwords for each service or website, with an eye on how sensitive the information they are meant to protect is. “Some websites do not matter much, you’ll log in twice a year, but others like your banking portal are way more sensitive and will be better protected with a special, longer password”;
- when two-factor authentication (2FA) is available, activate it and use it. The service or website will send you an SMS or ask you to give another number from a list you received when you started using the service or activated the option. If possible, print the list and erase it so it cannot be accessed from your phone or computer. This “makes the access much harder to a hacker” and while it may feel annoying it may save you untold resources. “Companies that implement 2FA know they handle something sensitive, so if they make it available you should use it”;
- install specific plugins on your browser to prevent tracking. Jean-Baptiste customized his Firefox browser by installing HTTPS Everywhere, which forces websites to load through the secure protocol HTTPS when they can, Privacy Badger, which blocks unnecessary trackers, uBlock Origin, which does the same as Privacy Badger using another technique and also blocks ads, plus Facebook and Google Container to prevent said companies from tracking him all over the Web;
- if you really worry about your data or feel inclined to specialize in security, ask yourself “how would one hack me?”;
- last but not least, put a piece of tape on your webcam. (Mark Zuckerberg does it!)