Crime and Crypto

In this blog we have been mentioning ransomware frequently of late and this has caused people to ask about cryptocurrency, because ransoms are almost always paid in cryptocurrency. If you squint this is sort of on topic so here you go, for all you crypto-curious readers: a blog post about cryptocurrency, as it relates to crime. If you are interested in a wildly unstable and terrifyingly speculative investment opportunity, crypto is also that, but you will have to look elsewhere for that information.

If you have never been able to figure out what cryptocurrency is and feel that perhaps it is just beyond you, rejoice! Quantum physics is mind-bending. Moral philosophy is nuanced and complex. MC Escher's prints are hard to follow. Cryptocurrency is easy to understand and often appallingly badly explained.

Before we explain "crypto" we should first re-introduce you to paper money. You think of paper money as a hard-to-forge object whose value is backed by a government. In fact, paper money is a token of value and that value is in the serial number on the bill. Since human beings can't verify the serial number without technological help, the hard-to-forge object is what we focus on. But the value is the serial number, which tells you which of the value units this unit actually is. The value units are issued by a government by serial number, tracked by serial number, and validated by serial number.

That is a strange idea, so let it sink in for second.

Once we understand that paper money is a piece of paper with a serial number on it, explaining crypto is incredibly easy: crypto is a piece of data with a serial number on it. Ta da! That is the whole explanation.

Now that you understand stand the model, you will have questions and the answers to those questions will end up being a moderately sized collection of facts. However, now that you are equipped with an analogy to organize those facts, those facts won't blur into a ball of vague unease.

Let's focus on Bitcoin, because Bitcoin was the first crypto to have any currency. Also, whoever wrote Bitcoin released the software so anyone who wants can make their own cryptocurrency and people do. The overwhelming majority of currently used crypto is based on Bitcoin or is simply a different instance of the Bitcoin technology.

Whoever created the software base for Bitcoin, and then ran that software for years to issue serial numbers, was trying to free themselves from the tyranny of governmental control of currency, to let everyone in the world engage in financial transactions free of governmental oversight. How do I know this? Because whoever they are, they wrote a manifesto to go along with the software. It is pretty short (9 pages) and if you are into conceptual frameworks for software, this is for you: Bitcoin: A Peer-to-Peer Electronic Cash System.

In essence, Bitcoin created an entire virtual version of physical cash, including issuing value units, validating value units and recording transactions in those value units. Those last two are done using a public, universally-available ledger. For some reason, instead of calling it The Bitcoin Transaction Ledger, which would be clear, people started referring to it by the technology on which it is based, Blockchain. This makes no sense: most of us don't care about transaction-oriented, forgery-resistant distributed database technology. We care about how Bitcoin works, at least a basic level.

So why "crypto" and not emoney, or some such? Because cryptocurrency is encrypted. You can only access it with your encryption key, your personal encryption key. This is where the paper money analogy breaks down: when a value unit becomes yours, you get to encrypt it. Cool, right? Unless you lose the key. If only you can decrypt the crypto, how do other people know you have it? Because the encryption is public key/private key encryption which means that there is a way for me to let you look at it.

So what does all this have to do with crime? Here we run into a common problem with societal change: in its elevation of privacy, which here is defined as avoiding governmental scrutiny, crypto has given criminals a way to avoid law enforcement. In giving strangers a way to trust each other when exchanging goods or services for value (which is why cash and Bitcoin are both called "a medium for exchange") crypto has made it possible for criminals to have private banking services.

However lofty its inventor's goals may have been, crypto has become an untraceable way criminals do business. Ransomware is only a small part of this problem.

There is some good news, however, which highlights an important principle of security in general and cybersecurity in particular: security is inconvenient. Really inconvenient. Ask anyone who works in a secure facility how often they have to use their ID badge. So it is with crypto: using it is kind of a pain in the neck, so that untraceable qualifity, that anonymity comes with a price. In order to make crypto more convenient, the concept of a crypto "wallet" was invented. This concept does not fit the crypto security model very well and you have to be really careful when you use a wallet. This goes double for the very convenient crypto "exchange" (by analogy with stock exchange). Law enforcement has had great success in tracking wallets and, ironically, criminals have had great success penetrating and robbing crypto exchanges.

And that, dear reader, is what crypto has to do with crime in general and ransomware in particular.