
Lex Mercatoria: The Emergence of a Self-Regulated Bitcoin

By Jon Matonis
Forbes
Monday, May 28, 2012

http://www.forbes.com/sites/jonmatonis/2012/05/28/lex-mercatoria-the-emergence-of-a-self-regulated-bitcoin/

As the Bitcoinica brokerage saga metastasizes yet again with the shocking revelation that no recent database backups exist, earlier security warnings to the company’s founder are being reviewed.  One observer suggested that “as the potential payoff of a hacker approaches $1 million, the likelihood of being hacked approaches 90%.”
Over eight months ago, another reviewer posted:

“I’ve worked on financial systems before. As others have stated, if you’re dealing with real money, then you have a big bulls-eye painted on your forehead, and you need to make sure that your system is hardened. Make sure you understand attack vectors and protect against them — XSS, SQL Injection, man-in-the-middle, etc. Make sure your passwords are salted and hashed. Auditing. Can’t emphasize this enough. Things will go wrong, and when they do, you need to be able to tell when, where, and why. In our case, we had shadow tables in our database where we logged changes, and then consolidated and exported that data into an auditing system. We could confirm that a user made X change at Y time from Z IP address.”

Large financial system websites are some of the most lucrative online targets and bitcoin has the added dimension of a target-rich environment that rarely results in prosecution. Not only is it difficult to prosecute the individual or individuals responsible for the hack, it is difficult to prosecute the financial site itself for negligence due to the many disclaimers inherent in voluntary and unregulated service providers or due to complicated offshore circumstances (although New Zealand does offer a dispute resolution scheme for Bitcoinica retail clients). Additionally, there is always the possibility of an artificial hack staged by an insider. Therefore, self-regulation is the order of the day and in the sometimes jurisdiction-less environment of the Internet, bitcoin entities and their customers currently operate under their own brand of lex mercatoria to enforce accountability.

[Image: Lex mercatoria wine merchants]

Lex mercatoria is Latin for “merchant law” and it is the body of commercial law used by merchants throughout Europe during the medieval period emphasizing contractual freedom and alienability of property. Like an air guitar, bitcoin is arguably the ultimate form of intangible alienable property. The difference being, of course, that air guitar transactions are not publicly recorded on a distributed and enforced ledger.

Merchants relied on this legal system developed and administered by them while shunning legal technicalities and deciding cases ex aequo et bono.
We are actually in the midst of such a case right now as the leading
Bitcoinica parties attempt to sort out the claims process to the best of
their abilities with limited account records. There is no court. There
is no judge. Bitcoin is not defined as legal property. Deliberation
is currently focused on the most fair and just method of separating the
legitimate claims from the fake claims. But this is new ground for a
bitcoin-related settlement and undoubtedly it will set an early
benchmark for future cases. The prior hack involving Linode servers was settled in full via Bitcoinica customer reimbursements.

As for the attacking hacker, it will most likely go unprosecuted since fungible bitcoins possess many of the characteristics of physical cash and even if the attacker had been sloppy, the amount involved does not really justify expensive network traffic analysis that would potentially link an IP or bitcoin address to a real-world identity.

The investment adviser for the transfer of Bitcoinica LP, Tihan Seale, posted
that “Bitcoin Consultancy was first retained to perform a comprehensive
security audit on March 27th and they became owners and operators of
Bitcoinica LP on April 24th.” This latest security breach at Bitcoinica
occurred on May 11th. In a separate email, Seale reiterated, “I’m
responsible for deal selection and due diligence for the fund that
invested in Bitcoinica. I expect the Bitcoin Consultancy members will
continue to operate the business going forward. They have expressed
their commitment to seeing things through, and they have my respect for
this.”

Whatever becomes of the Bitcoinica margin trading entity in
the future, it is clear that a sort of ‘digital’ lex mercatoria is
emerging — one that recognizes the complete voluntarist nature of the bitcoin protocol in commerce. We don’t have to imagine The Enterprise of Law: Justice Without the State because we are living through it now.

Self-regulation may be the only available option as authorities are in a quandary. Specifically regulating bitcoin imbues it with legally-recognized value and that is something that the State will resist for as long as possible. So, happily we continue to trade our air guitars.

To the bitcoin detractors, these various security breaches are not a fault of the peer-reviewed bitcoin cryptographic protocol but a lapse of security experience and poor judgment by the respective administering companies. The beatings will continue until security improves. Trust in the overall connected infrastructure may have been fractured temporarily, but just as the guild structure flourished, the improved lex mercatoria that evolves as a result will strengthen bitcoin in the end.

For further reading:
“Interview with Zhou Tong”, Coinabul, May 29, 2012