Duo Security + Gem: Zero Trust for the Cryptocurrency World (aka: Bitcoin)

Cyber Security Jun 26, 2015

Some days ago, I was talking with a friend of mine about new technologies that could redefine in the upcoming years how we will work, live and do business, and a certain word came into the conversation like a bomb: Bitcoin. I’m an avid reader of tech news and sites, spending a lot of time reading articles from Nathaniel Mott at Pando about Security and Net neutrality, discussing topics from a recent article from First Round’s Review (BTW: the last one about Hacking Sales with Inbound Marketing is amazing), and many other good resources about tech. I trust Pando as one of the best and most sincere platforms for sharing information about Startups, Venture Capital and more topics. So, when I began to search for information about what Bitcoin is, and which companies are working hard in this space, I went again to Pando looking for the basics. Following this idea, I found very interesting articles from Dennis Keohane, talking about the new funding round of Circle, one of the most interesting Bitcoin startups:

“With Goldman Sachs’ investment, Circle — and by proxy Bitcoin — gets a huge uplift in visibility outside of the smaller venture capital community. While General Catalyst and Accel carry weight in the world of entrepreneurs and fast-growth startups, the approval of a multinational investment bank like Goldman, even with all its baggage, is a signal of Bitcoin’s arrival in the consciousness of the financial world at-large.”

or one from Michael Carney (right now he is a partner at Upfront Ventures) talking about Gem, the Bitcoin security startup based in Venice, California:

Gem’s stated goal has been to eliminate the learning curve for bitcoin developers, while allowing the industry to adopt best-in-class security standards to store, encrypt, and backup end user bitcoin assets, without deep expertise in cryptography or security. The company’s API does exactly this by making a comprehensive set of security solutions available at the push of a button. Crucially, Gem never needs to take possession of end-user funds, meaning that relationships between consumer and developer go un-interrupted.

These articles made me wonder why Bitcoin has not reached major adoption among consumers, and I began to dig deeper into this thought; after a lot of searching for information, the answer came in front of me:

“The Blockchain needs more to become a more secure horse, and Bitcoin companies need to be more serious about the security of users’ credentials”,

and it seems that this matters for broad adoption.

Then, I started to search more focused on this problem, looking for info about Bitcoin hacks around the world, and to my surprise, the list is very long. There is even a forum topic at Bitcointalk with a very good compilation of the most famous hacks and heists. One of the most famous hacks was the Mt. Gox Bitcoin exchange, which handed hackers the shocking sum of $460 Million; when you see creepy things like this one, you become in an instant a skeptical person about Bitcoin; but this idea is changing quickly with companies like Circle, Coinbase and Gem, because they are putting an incredible amount of resources and expertise into creating secure Bitcoin-based platforms.

Now, where could Duo play a key role here? It’s simple: Duo’s platform is focused on almost every type of client who wants to protect their assets, but they are particularly interested in a certain target: developers, who can use Duo’s REST-based API to protect their applications with Two-Factor Authentication services; and Duo is becoming a strong leader in this space. As I mentioned in my previous post, Dug and Jon have a very well defined vision for the future of the company:

People-Centric Security

and I think that they share the same vision with Gem, which offers any developer a convenient way to create Bitcoin-based apps while thinking strongly about security; so why not work together on this vision? In the upcoming years, Bitcoin will be an important part of this vision, so why not invest in the long term with a partnership with Gem? I have some ideas about how Duo and Gem could work together and build strong roots for Bitcoin security.

First, what are Bitcoin and the Blockchain?

To navigate the hard topics of Bitcoin, I began to do my own research about the protocol, the Blockchain and everything related to it. Digging and digging, I found two incredible books: the first one is “Mastering Bitcoin”, written by Andreas M. Antonopoulos, which is an amazing resource to understand the roots of the Bitcoin protocol and how the Blockchain actually works; and the second one is “Blockchain: Blueprint for a New Economy”, written by Melanie Swan, which is more focused on the Blockchain part of the equation. I strongly recommend you buy these two books if you want to enter this space, which is very competitive and difficult to grasp if you don’t have the right resources.

So, looking for a definition of Bitcoin, I went to the project’s wiki and found this:

“Bitcoin is a decentralized digital currency that enables instant payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer technology to operate with no central authority: transaction management and money issuance are carried out collectively by the network.”

“The original Bitcoin software by Satoshi Nakamoto was released under the MIT license. Most client software, derived or “from scratch”, also uses open source licensing.”

“Bitcoin is the first successful implementation of a distributed crypto-currency, described in part in 1998 by Wei Dai on the cypherpunks mailing list. Building upon the notion that money is any object, or any sort of record, accepted as payment for goods and services and repayment of debts in a given country or socio-economic context, Bitcoin is designed around the idea of using cryptography to control the creation and transfer of money, rather than relying on central authorities.”

So, what about the Blockchain?

“The blockchain is the public ledger of all Bitcoin transactions that have ever been executed. It is constantly growing as miners add new blocks to it (every 10 minutes) to record the most recent transactions. The blocks are added to the blockchain in a linear, chronological order. Each full node (i.e., every computer connected to the Bitcoin network using a client that performs the task of validating and relaying transactions) has a copy of the blockchain, which is downloaded automatically when the miner joins the Bitcoin network. The blockchain has complete information about addresses and balances from the genesis block (the very first transactions ever executed) to the most recently completed block. The blockchain as a public ledger means that it is easy to query any block explorer (such as https://blockchain.info/) for transactions associated with a particular Bitcoin address.”

So, Bitcoin is a protocol that basically is used to send and receive Bitcoins using a public key, shown as a Bitcoin address, which is like your email address for it. This key is an alphanumeric string, and you can see an example here:

1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK

You can use several Bitcoin clients to create wallets and keys for your Bitcoins. A very good practice is to have several keys for different purposes. But, precisely, this is one of the main security problems with Bitcoin: if anyone gets access to these keys, you can lose all your Bitcoins instantly.
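As an added example (not code from the original post, nor from Gem or Duo), here is a small Python Base58Check decoder for addresses like the one quoted above. A Bitcoin address carries a 4-byte checksum, so a wallet can reject a mistyped or corrupted address before any coins are sent to it; the check says nothing about who controls the key, only that the string is well formed. The constructed key hash, and the `base58_encode`, `base58_decode`, `checksum`, `encode_address`, `validate_address` and `describe` names, are this example’s own.

```python
import hashlib

# Bitcoin's Base58 alphabet: it omits 0, O, I and l, which are easy to confuse.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # every leading zero byte is represented by a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    # first 4 bytes of SHA-256(SHA-256(payload))
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_address(version: int, hash160: bytes) -> str:
    # version byte (0x00 for a mainnet pay-to-pubkey-hash address)
    # + 20-byte hash of the public key + 4-byte checksum
    if len(hash160) != 20:
        raise ValueError("hash160 must be 20 bytes")
    payload = bytes([version]) + hash160
    return base58_encode(payload + checksum(payload))


def validate_address(addr: str) -> tuple:
    """Return (version, hash160), or raise ValueError if the address is malformed."""
    raw = base58_decode(addr)
    if len(raw) != 25:
        raise ValueError(f"decoded length {len(raw)}, expected 25")
    payload, given = raw[:21], raw[21:]
    if checksum(payload) != given:
        raise ValueError("checksum mismatch (typo or corrupted address)")
    return payload[0], payload[1:]


def describe(addr: str) -> tuple:
    """(True, 'version N') for a well-formed address, (False, reason) otherwise."""
    try:
        version, _ = validate_address(addr)
        return True, f"version {version}"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The address quoted in the post, plus one built here from a constructed key hash.
    constructed = encode_address(0, hashlib.sha256(b"constructed key").digest()[:20])
    for a in ["1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK", constructed]:
        print(a, describe(a))
```

Changing a single character of a valid address makes `describe` return `(False, "checksum mismatch ...")`, which is exactly the failure a wallet should surface to the user instead of broadcasting the payment.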

Getting deep in the security problems of Bitcoin

Looking for answers, I searched all the information related to Bitcoin hacks, and the majority of these hacks are based precisely on the theft of the keys belonging to the users of the platforms that were hacked. For example, I found an article at The Verge where they explained how to steal Bitcoin in three steps, and this sentence sums it up quickly:

The most lucrative attacks are carried out on online services that store the private keys for a large number of users, as Sheep Marketplace did. It seems these attacks are often carried out by insiders who don’t have to do much hacking at all. Just copy the database of private keys and you can gain control of the bitcoins at all those addresses. You, the thief, can now spend those bitcoins whenever you want, as long as the owner doesn’t move them first.

Following the research about this, I found an article at NewsBTC about Coinapult, another Bitcoin firm that was hacked; the company was prompted to halt its operations to revamp its security. The problem with this hack is that the company still didn’t know how the hackers entered their network, and that is a dangerous sign.

But how could Bitcoin be hacked? I asked myself the same question, and researching this, I found the question at Quora, with amazing answers on the topic. It’s totally worth the time you spend reading the answers, but Alex Genadinik went beyond and shared an incredible video from Rodrigo Souza, a well known Bitcoin entrepreneur, explaining the problems with Bitcoin security:

BTW, Coindesk published a very interesting article about how to avoid Bitcoin scams in 2015, where Rodrigo and other experts talked about this topic.

That’s why any company focused on this space needs to use every good security technique to protect its assets, and Duo’s Two-Factor Authentication services could be a very good deal for them. But what about Gem?

Why Gem is a leader in this space

Well, making a quick recap: the users’ keys are one of the most critical pieces of Bitcoin security. So, if you need protection for them, you need to be creative; and that’s what Gem is doing. Reading a recent interview with Gem’s CEO Micah Winkelspecht done by CryptoCoinsNews, I saw that the company is using Multi-Signature technology to protect users’ wallets:

The disadvantage of the single signature transaction system used by traditional Bitcoin wallets is that it creates a pretty vulnerable security model — supported by the fact that just under 10% of all Bitcoins currently in existence have been lost or stolen — and multi-signature technology presents a potential solution to this problem. The beauty of Bitcoin is that it’s programmable money, so we’re able to program additional rules, like multi-signature transactions, that must be met in order to move a customer’s funds. For example, whenever a Gem wallet is created, three keys are issued, and we require at least two out of three keys to generate a transaction. Of these three keys, the customer holds two keys (one online and one stored securely offline), and Gem provides the third key as a cosigner. This way, the customer is always in possession of enough keys to move money without us, and we are never in possession of enough keys to move customer funds without the customer. If the customer’s online key was stolen, the attacker couldn’t access their funds because they wouldn’t have access to our cosigning key or the customer’s offline key. Likewise, if we were compromised, an attacker couldn’t gain access to the other two keys owned by the customer, and would still be unable to access their funds.
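The 2-of-3 rule Micah describes can be checked in a few lines. The following is an added Python example, not Gem’s code: it simulates the policy with three constructed keys and uses HMAC-SHA256 as a stand-in for the ECDSA signatures a real multi-signature script would verify (so the verifier here holds all three secrets, which a real public-key scheme avoids; on the real network the 2-of-3 rule is enforced by the Bitcoin script, not by application code). The key names, the transaction fields and the `sign`, `verify`, `authorize` and `scenarios` functions are this example’s own.

```python
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed, hypothetical key material standing in for three independent keys.
KEYS = {
    "customer_online": b"constructed-key-customer-online",
    "customer_offline": b"constructed-key-customer-offline",
    "gem_cosigner": b"constructed-key-gem-cosigner",
}
THRESHOLD = 2  # at least two of the three keys must sign


def tx_digest(tx: dict) -> bytes:
    # canonical serialisation so every signer commits to exactly the same bytes
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def sign(key_name: str, tx: dict) -> tuple[str, bytes]:
    # HMAC-SHA256 stands in for an ECDSA signature in this simulation
    return key_name, hmac.new(KEYS[key_name], tx_digest(tx), hashlib.sha256).digest()


def verify(key_name: str, sig: bytes, tx: dict) -> bool:
    if key_name not in KEYS:
        return False
    expected = hmac.new(KEYS[key_name], tx_digest(tx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def authorize(tx: dict, signatures: list[tuple[str, bytes]]) -> bool:
    # Count valid signatures from *distinct* keys: the same key presented twice
    # counts once, otherwise a single stolen key could satisfy the threshold.
    valid = {name for name, sig in signatures if verify(name, sig, tx)}
    return len(valid) >= THRESHOLD


def scenarios() -> dict[str, bool]:
    # Constructed transaction; the destination is a placeholder, not a real address.
    tx = {"to": "<destination address placeholder>", "amount_btc": 0.5, "nonce": 1}
    other = {**tx, "amount_btc": 5.0}
    return {
        "customer online + gem cosigner": authorize(
            tx, [sign("customer_online", tx), sign("gem_cosigner", tx)]),
        "customer online + customer offline (no Gem needed)": authorize(
            tx, [sign("customer_online", tx), sign("customer_offline", tx)]),
        "stolen online key only": authorize(
            tx, [sign("customer_online", tx)]),
        "compromised Gem cosigner only": authorize(
            tx, [sign("gem_cosigner", tx)]),
        "stolen online key presented twice": authorize(
            tx, [sign("customer_online", tx)] * 2),
        "online signature made over a different transaction": authorize(
            tx, [sign("customer_online", other), sign("gem_cosigner", tx)]),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOWED' if allowed else 'REFUSED':8} {name}")
```

The scenarios show the two compromise cases from the interview (a stolen online key, a compromised cosigner) each stopping at one valid signature, plus two details any threshold check must get right: duplicate signatures from the same key count once, and a signature only counts for the exact transaction it was made over.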

But how does Gem generate and store all of Gem’s keys? Using custom Hardware Security Modules (HSMs).

“HSMs are hardware devices used for the generation and storage of private keys in other industries (financial services, aerospace, government), and if done right can present a strong defense to hacking attempts”,

said Ken Miller, Gem’s COO, in a recent interview. He was the VP of Risk Management at PayPal, in charge of the development of anti-fraud systems in the early days of the company. In the interview, he described why this is important for the Bitcoin ecosystem:

“At Gem we are actually using these to generate and store all of Gem’s cosigning keys using FIPS 140-2 Level 3 certified machines, which means they are so secure that even if you had a rogue employee on-site where the device is who tried to break it open and steal the cards from inside, the device is designed to self-destruct.”

If you are more interested in the security features that Gem provides, they dedicated a complete section of their site to it.

Duo’s Research Team + Gem’s team to find new ways to protect Bitcoin and the Blockchain

Duo Labs is full of PhDs (including Jon, of course) and very technical people (like Zach, Steve and Adam, to mention just some of them) with amazing expertise in security, and what would happen if you joined these professionals with Micah, Ken, and all the team from Gem, who have a background in it? Just good things, I think. But add to all this the resources of both companies: Duo has raised $48 Million to date, and Gem has raised $3.3 Million to date, so they could combine this capital for an aggressive hiring strategy to bring more security experts and Bitcoin protocol developers on board. But what about a highly calculated Go-to-Market strategy aimed at a global expansion of their security services?

How a combined Go-to-Market strategy from Duo Security and Gem could be massive for both teams

This is when a good Product Marketing strategy comes into play. Bitcoin security is a very hard topic, even for experts, so why not use a well known Growth Hacking tactic for it?


Slack and FireEye used it brilliantly, because they understood that their customers needed to embrace these new concepts in a way that was easier to digest (in Slack’s case about the internal-communication platform, and in FireEye’s case about security threats, especially the section of its site called Current Threats). So, to educate users to see why they need strong platforms to secure their Bitcoin applications, I think that a series of resources could be very helpful:

  • Create a series of videos explaining What is Bitcoin and the Blockchain, Bitcoin Security 101, and Protecting your Bitcoin platform in 5 minutes with MFA.
  • Create a combined webinar called “Protect your Bitcoin Platform with Multi-Signature Technology and Multi-Factor Authentication”. This webinar should be given by experts in these fields, so if I had to select two people from both companies, I would select Brian Kelly from Duo Security and Ken Miller from Gem.
  • Create a whitepaper called Zero Trust for the Cryptocurrency Era, using part of the research done in Duo’s whitepaper Security for an Age of Zero Trust, but applied to Bitcoin.
  • Make space for Bitcoin security news about hacks and heists in the Weekly Ink section of the blog.
  • Participate as a combined team in the next Blockchain Summit and in the upcoming RSA Conference APJ. These two events could allow both companies to show why Bitcoin security is important for the future, and how both teams are working hard on it.
  • Create compelling content about Bitcoin security with a multicultural Product Marketing team: this could be the base to reach more users, because with several people from different countries and cultures thinking about a single objective, they could write good posts in several languages at the same time about how to tackle these problems. If I had to choose, I would hire professionals with a strong technical background who are natural storytellers, combining men and women. For example:
  1. A guy from Russia
  2. A girl from Korea (particularly from the Samsung Security Research team)
  3. A guy from India, with strong expertise in the security field in the country
  4. A Chinese-American girl with a PhD in Information Security or Computer Science, focused on research, to target clients in the APAC region
  5. A guy from the UK or Germany with the same profile to target European clients
  6. A girl from Brazil

I focused my eye mainly on the BRIC countries (Brazil, Russia, India and China) for their vast number of Internet users, which translates into an ever-increasing number of cyberattacks in these regions. So, if this team could communicate properly why companies should use the combination of Duo and Gem from this very moment to protect their Bitcoin platforms, this could create strong roots for a quick global expansion of both companies.

BTW, if you want to see the presentation I made for Duo, you can read it here:

Conclusions

So, as you can see, all the security problems with Bitcoin could represent an industry-changing opportunity for Duo Security and Gem; if they take advantage of them, they could enter a rapidly rising industry through the big door.

So, who knows! If you have any thoughts about this partnership, please leave a comment or send me a message on Twitter. Thanks for reading.


Marcos Ortiz Valmaseda

Editor at The Panda Way, where I help companies earn more income through #investing. Cloud Data Engineer in the morning at Grupo Intercorp.