Tag: law

Smart Contracts: Mission Possible

In the last article for 2021, I shall touch on one of the most exciting topics in technology of the last decade. With its novel approach, blockchain technology managed to change and shape our technical landscape during that period. These days crypto is broadly adopted, and many people use cryptocurrencies every day. We have also seen the mass adoption of NFTs and how they changed the art industry, and many platforms running an ICO as a replacement for an IPO. None of this would be possible without blockchain.

But what is blockchain? Essentially, a blockchain is an append-only database in which every transaction is cryptographically signed and every block is chained to the one before it by its hash. Your digital identity is represented by a public/private key pair: the private key signs the transactions you submit, and anyone holding the public key can verify them. In most cryptocurrencies your wallet address is derived from that same public key, so a transaction is authorized only by whoever holds the matching private key. However, a simple key/value ledger is not enough for real-world usage, which is why most major blockchain networks now offer smart contracts.

Every smart contract is a program deployed on the blockchain, with its code and state stored on-chain and a lifecycle (deployment, calls, and eventual retirement) that plays out within the network. Every interaction with it is recorded as a signed transaction, using the same public/private key pair as your digital wallet. With such capabilities, plus a built-in way of sending money, blockchain networks offer some pretty exciting opportunities:
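
To make the signing and append-only properties described above concrete, here is an added example in Go; it is not part of the original article and not the code of any real blockchain. It is a toy ledger in which every transfer is signed with the sender's Ed25519 private key (the same key pair that identifies the wallet), each block is chained to the previous one by its SHA-256 hash, and a per-account nonce stops a captured transaction from being replayed. All names (Ledger, Tx, Block, Mint, Sign, Append, Verify) are assumptions for illustration, and Mint is a hypothetical stand-in for a genesis allocation; there is deliberately no consensus, networking or contract VM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Tx is one signed transfer; Nonce is a per-sender counter that stops a captured transaction being replayed.
type Tx struct {
	From, To      ed25519.PublicKey
	Amount, Nonce uint64
	Sig           []byte
}

// payload is what gets signed and hashed: every field except the signature, fixed-width so it is unambiguous.
func (t Tx) payload() []byte {
	var nums [16]byte
	binary.BigEndian.PutUint64(nums[:8], t.Amount)
	binary.BigEndian.PutUint64(nums[8:], t.Nonce)
	return append(append(append([]byte{}, t.From...), t.To...), nums[:]...)
}

// validSig checks the key length first because ed25519.Verify panics on a malformed key.
func validSig(t Tx) bool {
	return len(t.From) == ed25519.PublicKeySize && ed25519.Verify(t.From, t.payload(), t.Sig)
}

// Block ties one transaction to the hash of the block before it.
type Block struct {
	PrevHash, Hash [32]byte
	Tx             Tx
}

func blockHash(prev [32]byte, tx Tx) [32]byte {
	return sha256.Sum256(append(append(prev[:], tx.payload()...), tx.Sig...))
}

// Ledger is the append-only chain plus the account state derived from it.
type Ledger struct {
	Blocks   []Block
	tip      [32]byte          // hash of the last block
	balances map[string]uint64 // keyed by hex public key, which plays the role of the wallet address
	nonces   map[string]uint64
}

func NewLedger() *Ledger { return &Ledger{balances: map[string]uint64{}, nonces: map[string]uint64{}} }
func addr(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
func (l *Ledger) Balance(pub ed25519.PublicKey) uint64 { return l.balances[addr(pub)] }
func (l *Ledger) Mint(pub ed25519.PublicKey, n uint64) { l.balances[addr(pub)] += n } // hypothetical genesis allocation

// Sign builds a transfer from the holder of priv using that account's next nonce.
func (l *Ledger) Sign(priv ed25519.PrivateKey, to ed25519.PublicKey, amount uint64) Tx {
	from := priv.Public().(ed25519.PublicKey)
	tx := Tx{From: from, To: to, Amount: amount, Nonce: l.nonces[addr(from)]}
	tx.Sig = ed25519.Sign(priv, tx.payload())
	return tx
}

// Append validates a transaction against the current state and records it.
func (l *Ledger) Append(tx Tx) error {
	if !validSig(tx) {
		return fmt.Errorf("bad signature: only the holder of the private key can spend")
	}
	from := addr(tx.From)
	if tx.Nonce != l.nonces[from] {
		return fmt.Errorf("nonce %d, expected %d: replayed or out-of-order", tx.Nonce, l.nonces[from])
	}
	if l.balances[from] < tx.Amount {
		return fmt.Errorf("insufficient funds")
	}
	l.Blocks = append(l.Blocks, Block{PrevHash: l.tip, Tx: tx, Hash: blockHash(l.tip, tx)})
	l.tip = l.Blocks[len(l.Blocks)-1].Hash
	l.balances[from] -= tx.Amount
	l.balances[addr(tx.To)] += tx.Amount
	l.nonces[from]++
	return nil
}

// Verify re-checks every link and signature; editing any past block breaks the chain.
func (l *Ledger) Verify() error {
	var prev [32]byte
	for i, b := range l.Blocks {
		if b.PrevHash != prev || blockHash(prev, b.Tx) != b.Hash {
			return fmt.Errorf("block %d: hash chain broken", i)
		}
		if !validSig(b.Tx) {
			return fmt.Errorf("block %d: invalid signature", i)
		}
		prev = b.Hash
	}
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger()
	l.Mint(alicePub, 100)
	tx := l.Sign(alicePriv, bobPub, 40)
	fmt.Println("append:", l.Append(tx), "| replay:", l.Append(tx), "| verify:", l.Verify())
	l.Blocks[0].Tx.Amount = 90 // rewrite history: the chain no longer verifies
	fmt.Println("after tamper:", l.Verify())
}
```

Two details carry the security argument. First, the ledger never checks who the caller is, only whether the signature over the transaction verifies under the From key, which is exactly why losing a private key means losing the wallet. Second, a signature alone does not stop replay: without the nonce, anyone who observed Alice's signed transfer could submit it again, so real networks bind each transaction to a counter (or to a spent output) as well as to a key.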

On the diagram you can see a standard workflow of using a smart contract: the seller and the buyer provide data to the code deployed on the blockchain, and it is executed to fulfill the contract.
  • Replacement of standard contracts: In an ideal world, crypto would dominate people’s legal operations. The tooling exists, and many platforms, including IBM’s Hyperledger, offer such capabilities. Instead of signing on paper, people use digital signatures, and the ledger’s distributed, hash-chained nature means that a past record cannot be modified without the change being detected.
  • E-voting: Many people believe that, with the progress of zero-knowledge proof protocols, we could entirely replace the paper-based voting system. The technology is promising and could in the future offer genuine verifiability of the voting process. However, its current state (with nothing resembling a general-purpose programming experience) is hardly helpful for anything beyond proving a simple boolean statement.
  • Decentralized economy: In our current capitalism-based world, the parties issuing the money control the market. With the rise of crypto that is no longer true, because now anyone can issue tokens and decide how their market operates. This is extremely helpful for smaller communities, which can detach themselves from the centralized issuing authority.

In conclusion, blockchain is quite an exciting technology, but unfortunately it is still not mature enough for mass adoption. The main concern is privacy: addresses are pseudonymous, not anonymous, so it is still possible to trace money transfers on the public ledger and identify the real people behind the public/private key pairs. The same is true for smart contracts and e-voting; for sure, no one is going to be happy if strangers can read the notarial act for their real estate or learn whom they voted for.

Legal pitfalls for Start-Ups – part 2

In the last part we discussed the difference between an idea and a patent, and how judging whether something breaches intellectual property is a gray area. Additionally, we spent some time analyzing how software companies turn an idea into a product, and pointed out that all companies usually rely on already established algorithms and design patterns that are free of copyright. In this part, we shall discuss some techniques and pain points Start-Up founders must be aware of.

First – and this advice applies to every entrepreneur – please make sure you hire a good lawyer before you take a single step on your Start-Up journey. By good, I mean a lawyer with good work etiquette and a moral compass that distinguishes right from wrong. Experience in your field is a bonus, but it must not be the main reason you start working with someone. Additionally, a skilled lawyer can help you set up your company in a way that can save you many troubles in the future.

Second – make sure you have at least one technical person with legal knowledge. This person will work closely with your lawyer whenever you have to make a legal decision regarding your technical product, and will clear up the technical details of your contract templates, customer complaints, and, in the worst case, a legal attack on your organization. Ideally, this person should be part of your founding team rather than a hire.

On the diagram you can see a standard legal contract workflow: after the initial contract you have actions, and finally the contract must end with one of the exits.

Third – be paranoid. Contracts exist so that both sides have the worst-case scenarios covered, and by that we mean the worst-case scenarios indeed: death, theft of intellectual property, one of the sides not honoring the deal, etc. A few tips: make sure every exit situation is covered; the contract must have a defined term; and if there is a penalty clause, make sure it has an upper limit.

Fourth – make sure you don’t make enemies. A significant percentage of legal disputes arise for personal reasons; the most common is that someone’s ego is hurt badly enough that they decide to take legal action. From a business perspective, the main reason is usually that one of the sides chose not to honor the deal and pay what was owed. Sometimes the cheating side will even fabricate a whole story to avoid court action.

In conclusion, please make sure you treat your customers, partners, and employees well. Not honoring a deal must be triggered only by terrible reasons that are out of your control. It is the only way your reputation will stay intact and you will not make a bad name for yourself. From my experience, I can give you an example where not honoring the initial deal led to the company losing its entire technical team and a delay of at least two years. Eventually, the company went bankrupt.

Red team that

Red team exercises and penetration testing have become our new reality. Especially with COVID-19 and the additional boost to digital transformation, we are more and more digitally dependent. Many countries have started legally requiring business and governmental organizations to improve their cyber security defenses, and the usual way of demonstrating that is to have regular penetration testing drills once or twice per year.

However, we should ask ourselves how effective this practice is and whether it provides a good level of security for our data and assets. To do that, let’s look at the usual workflow of a penetration test. Every engagement in cybersecurity starts with a legal contract that defines the rules of engagement. In this contract, the defending side (the client) negotiates the rules with the attacking side, i.e. the penetration testing company. Where third-party requirements apply, such as governmental or corporate integrations, the rules are defined by the third party. They may even give you a list of “trusted” penetration testing companies from which you have to choose. For example, when we had to do a security audit for Google and Microsoft to allow our integrations, they provided the list of auditing partners we had to use.

On the diagram you can see a standard Red Team drill workflow. The rules are usually not set by the attacking team.

And here is one of the main problems with penetration testing: there are rules of engagement. In a real-world scenario there is no such thing as a set of rules. A dedicated attacker will do whatever is necessary to penetrate your defenses and will not abide by the law. Comparing a penetration test to a conventional military drill is not only impractical but could even be harmful to your team’s attitude. It is much better to compare the attacker’s modus operandi to what guerrilla fighters do: asymmetric warfare, without rules, requirements, etc. Attackers will do what is necessary to penetrate you, no more and no less.

The second problem with penetration tests is that the attacking team usually has limited time to penetrate your organization. The whole economy around red teaming is based on projects between two weeks and two months long; after that, the attacking team must move on to the next assignment. In comparison, real-world hacker teams are often part of criminal syndicates, which have other sources of income such as human trafficking, prostitution, drugs, and weapons. They can happily keep trying to hack one organization for a year or more, especially if it is a big enough target.

And last, but not least: different motivation. In the red team case, the motivation is to satisfy a requirement or a law, which means the penetration team will make sure the system passes the requirements and will rarely do more. When we speak about real hacker groups, we usually have a pretty limited set of motivations: money and personal vendetta. Both of these rank much higher on the motivation scale than simple requirement fulfillment.

In conclusion, penetration testing is a helpful activity; however, it is not a panacea. Its results give you a snapshot of your organization’s current cybersecurity state. Unfortunately, the limited scope of every penetration test means it will never give you a 100% guarantee that attackers cannot break through your defenses. It is much better to treat red teaming as one part of your cybersecurity strategy and one of your valuable security tools.

Are law firms a high-value target for hackers?

A New York-based law firm fell victim to a cyber attack. That wasn’t unfortunate only for the firm itself, but also for the countless celebrity clients they represent; their client list comprises many A-list celebrities.

All these people fell victim to hackers.

The hacker group that carried out the attack remained unnamed; it got dubbed REvil because that is the ransomware the group used.

The cybercriminals targeted the law firm’s internal data systems and got away with 756 gigabytes of data, for which they demanded $21 million in ransom. When the law firm stated they had no intention of paying a dime, the criminals released a statement doubling their demand to a staggering $42 million.

After the firm refused to comply with the ransom demand, the hackers released a 2.4 gigabyte batch of data. It included private files and all sorts of sensitive information: contracts, non-disclosure agreements, promotional agreements, and expense sheets, among others.

The data dump wasn’t the only bombshell the cybercriminals dropped. They claimed to have an ace up their sleeve: private documents belonging to the American President. The law firm was quick to deny having any business dealings with the President, stating only that his name got mentioned in some of their documents connected to other clients.

Due to the hack’s success and the massive breach of privacy, the FBI got involved. They advised against paying the ransom as, in most such cases, payment doesn’t do much besides cost the victim money.

If you’re a victim of cybercriminals, you’re in a lose-lose situation. If you refuse to pay, they can release the information they stole whenever they wish, and the victims are left to deal with the consequences. Paying the ransom means you’re trusting their promise to destroy the data they stole.

On the diagram you can see a standard distribution of malware types and how the malware authors target their victims. In the case of organizations, the main approaches are data theft and ransomware.

Can you trust the word of hackers? No, you can’t. However, it is essential to understand that the criminals have an incentive to keep their word: if they did not, no one would ever pay, and they would lose that final option. Unfortunately, every ransom paid motivates more and more criminal groups to run such operations.

This hack wasn’t their first attempt to score big. The attackers had also hit a foreign currency dealer. However, that ransom demand paled in comparison to the $42 million, or even $21 million, demanded from the law firm: in that case they asked for $6 million under threat of deleting customer data. After a few weeks of having its services kept offline, the dealer caved and coughed up $2.3 million.

Especially with COVID-19, more and more law and financial companies can become targets for attackers. It is essential to understand that blind faith in your cloud provider is only part of the equation. Every organization must take care of its own defenses and upgrade them as much as it can. Only by doing this can it make the attackers’ life harder.