Regulating DAOs

Read Time:9 Minute, 35 Second

In August, the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the cryptocurrency platform Tornado Cash, a virtual currency “mixer” designed to make it harder to trace cryptocurrency transactions—and a worldwide favorite money-laundering platform. Americans are now forbidden from using it. According to the US government, Tornado Cash was sanctioned because it allegedly laundered over $7 billion in cryptocurrency, $455 million of which was stolen by a North Korean state-sponsored hacking group.

Tornado Cash is not a traditional company run by human beings, but instead a series of “smart contracts”: self-executing code that exists only as software. Critics argue that prohibiting Americans from using Tornado Cash is a restraint of free speech, pointing to court rulings in the 1990s that established that computer language is a form of language, and that software programs are a form of speech. They also suggest that the Treasury Department has the authority to sanction only humans and not software.

We think that the most useful way to understand the speech issues involved with regulating Tornado Cash and other decentralized autonomous organizations (DAOs) is through an analogy: the golem. There are many versions of the Jewish golem legend, but in most of them, a person-like clay statue comes to life after someone writes the word “truth” in Hebrew on its forehead, and eventually starts doing terrible things. The golem stops only when a rabbi erases one of those letters, turning “truth” into the Hebrew word for “death,” and the golem ceases to function.

The analogy between DAOs and golems is quite precise, and has important consequences for the relationship between free speech and code. Ultimately, just as the golem needed the intervention of a rabbi to stop wreaking havoc on the world, so too do DAOs need to be subject to regulation.

The equivalency of code and free speech was established during the first “crypto wars” of the 1990s, which were about cryptography, not cryptocurrencies. US agencies tried to use export control laws to prevent sophisticated cryptography software from being exported outside the US. Activists and lawyers cleverly showed how code could be transformed into speech and vice versa, turning the source code for a cryptographic product into a printed book and daring US authorities to prevent its export. In 1996, US District Judge Marilyn Hall Patel ruled that computer code is a language, just like German or French, and that coded programs deserve First Amendment protection. That such code is also functional, instructing a computer to do something, was irrelevant to its expressive capabilities, according to Patel’s ruling. However, both a concurring and dissenting opinion argued that computer code also has the “functional purpose of controlling computers and, in that regard, does not command protection under the First Amendment.”

This disagreement highlights the awkward distinction between ordinary language and computer code. Language does not change the world, except insofar as it persuades, informs, or compels other people. Code, however, is a language where words have inherent power. Type the appropriate instructions and the computer will implement them without hesitation, second-guessing, or independence of will. They are like the words inscribed on a golem’s forehead (or the written instructions that, in some versions of the folklore, are placed in its mouth). The golem has no choice, because it is incapable of making choices. The words are code, and the golem is no different from a computer.

Unlike ordinary organizations, DAOs don’t rely on human beings to carry out many of their core functions. Instead, those functions have been translated into a set of instructions that are implemented in software. In the case of Tornado Cash, its code exists as part of Ethereum, a widely used cryptocurrency that can also run arbitrary computer code.

Cryptocurrency zealots thought that DAOs would allow them to place their trust in secure computer code, which would do exactly what they wanted it to do, rather than fallible human beings who might fail or cheat. Humans could still have input, but under rules that were enshrined in self-running software. The past several years of DAO activity has taught these zealots a series of painful and expensive lessons on the limits of both computer security and incomplete contracts: Software has bugs, and contracts may do weird things under unanticipated circumstances. The combination frequently results in multimillion-dollar frauds and thefts.

Further complicating the matter is that individual DAOs can have very different rules. DAOs were supposed to create truly decentralized services that could never turn into a source of state power and coercion. Today, some DAOs talk a big game about decentralization, but provide power to founders and big investors like Andreessen Horowitz. Others are deliberately set up to frustrate outside control. Indeed, the creators of Tornado Cash explicitly wanted to create a golem-like entity that would be immune from law. In doing so, they were following in a long libertarian tradition.

In 2014, Gavin Woods, one of Ethereum’s core developers, gave a talk on what he called “allegality” of decentralized software services. Woods’s argument was very simple. Companies like PayPal employ real people and real lawyers. That meant that “if they provide a service to you that is deemed wrong or illegal … then they get fucked … maybe [go] to prison.” But cryptocurrencies like Bitcoin “had no operator.” By using software running on blockchains rather than people to run your organization, you could do an end-run around normal, human law. You could create services that “cannot be shut down. Not by a court, not by a police force, not by a nation state.” People would be able to set whatever rules they wanted, regardless of what any government prohibited.

Woods’s speech helped inspire the first DAO (The DAO), and his ideas live on in Tornado Cash. Tornado Cash was designed, in its founder’s words, “to be unstoppable.” The way the protocol is “designed, decentralized and autonomous …[,] there’s nobody in charge.” The people who ran Tornado Cash used a decentralized protocol running on the Ethereum computing platform, which is itself radically decentralized. But they used indelible ink. The protocol was deliberately instructed never to accept an update command.

Other elements of Tornado Cash—­its website, and the GitHub repository where its source code was stored—­have been taken down. But the protocol that actually mixes cryptocurrency is still available through the Ethereum network, even if it doesn’t have a user-friendly front end. Like a golem that has been set in motion, it will just keep on going, taking in, processing, and returning cryptocurrency according to its original instructions.

This gets us to the argument that the US government, by sanctioning a software program, is restraining free speech. Not only is it more complicated than that, but it’s complicated in ways that undercut this argument. OFAC’s actions aren’t aimed against free speech and the publication of source code, as its clarifications have made clear. Researchers are not prohibited from copying, posting, “discussing, teaching about, or including open-source code in written publications, such as textbooks.” GitHub could potentially still host the source code and the project. OFAC’s actions are aimed at preventing persons from using software applications that undercut one of the most basic functions of government: regulating activities that it deems endangers national security.

The question is whether the First Amendment covers golems. When your words are used not to persuade or argue, but to animate a mindless entity that will exist as long as the Ethereum blockchain exists and will carry out your final instructions no matter what, should your golem be immune from legal action?

When Patel issued her famous ruling, she caustically dismissed the argument that “even one drop of ‘direct functionality’” overwhelmed people’s expressive rights. Arguably, the question with Tornado Cash is whether a possibly notional droplet of free speech expressivity can overwhelm the direct functionality of running code, especially code designed to refuse any further human intervention. The Tornado Cash protocol will accept and implement the routine commands described by its protocol: It will still launder cryptocurrency. But the protocol itself is frozen.

We certainly don’t think that the US government should ban DAOs or code running on Ethereum or other blockchains, or demand any universal right of access to their workings. That would be just as sweeping—and wrong—as the general claim that encrypted messaging results in a “lawless space,” or the contrary notion that regulating code is always a prior restraint on free speech. There is wide scope for legitimate disagreement about government regulation of code and its legal authorities over distributed systems.

However, it’s hard not to sympathize with OFAC’s desire to push back against a radical effort to undermine the very idea of government authority. What would happen if the Tornado Cash approach to the law prevailed? That is, what would be the outcome if judges and politicians decided that entities like Tornado Cash could not be regulated, on free speech or any other grounds?

Likely, anyone who wanted to facilitate illegal activities would have a strong incentive to turn their operation into a DAO—and then throw away the key. Ethereum’s programming language is Turing-complete. That means, as Woods argued back in 2014, that one could turn all kinds of organizational rules into software, whether or not they were against the law.

In practice, it wouldn’t be so easy. Turning business principles into running code is hard, and doing it without creating bugs or loopholes is much harder still. Ethereum and other blockchains still have hard limits on computing power. But human ingenuity can accomplish many things when there’s a lot of money at stake.

People have legitimate reasons for seeking anonymity in their financial transactions, but these reasons need to be weighed against other harms to society. As privacy advocate Cory Doctorow wrote recently: “When you combine anonymity with finance—­not the right to speak anonymously, but the right to run an investment fund anonymously—you’re rolling out the red carpet for serial scammers, who can run a scam, get caught, change names, and run it again, incorporating the lessons they learned.”

It’s a mistake to defend DAOs on the grounds that code is free speech. Some code is speech, but not all code is speech. And code can also directly affect the world. DAOs, which are in essence autonomous golems, made from code rather than clay, make this distinction especially stark.

This will become even more important as robots become more capable and prevalent. Robots are even more obviously golems than DAOs are, performing actions in the physical world. Should their code enjoy a safe harbor from the law? What if robots, like DAOs, are designed to obey only their initial instructions, however unlawful­—and refuse all further updates or commands? Assuming that code is free speech and only free speech, and ignoring its functional purpose, will at best tangle the law up in knots.

Tying free speech arguments to the cause of DAOs like Tornado Cash imperils some of the important free speech victories that were won in the past. But the risks for everyone might be even greater if that argument wins. A world where democratic governments are unable to enforce their laws is not a world where civic spaces or civil liberties will thrive.

This essay was written with Henry Farrell, and previously appeared on Lawfare.com.

Read More

Security startups to watch for 2022

Read Time:33 Second

The problems cybersecurity startups attempt to solve are often a bit ahead of the mainstream. They can move faster than most established companies to fill gaps or emerging needs. Startups can often innovative faster because they are unfettered by an installed base.

The downside, of course, is that startups often lack resources and maturity. It’s a risk for a company to commit to a startup’s product or platform, and it requires a different kind of customer/vendor relationship. The rewards, however, can be huge if it gives that company a competitive advantage or reduces stress on security resources.

To read this article in full, please click here

Read More

USN-5680-1: gThumb vulnerabilities

Read Time:30 Second

It was discovered that gThumb did not properly managed
memory when processing certain image files. If a user were
tricked into opening a specially crafted JPEG file, an
attacker could possibly use this issue to cause gThumb to
crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2019-20326)

It was discovered that gThumb did not properly handled
certain malformed image files. If a user were tricked into
opening a specially crafted JPEG file, an attacker could
possibly use this issue to cause gThumb to crash, resulting
in a denial of service. (CVE-2020-36427)

Read More

Guloader Spam Indiscriminately Sent to State Elections Board

Read Time:4 Minute, 24 Second

Recently, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement – Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections (9I-100622-PSA). The focus of the PSA was to inform the public of the potential manipulation of the midterm election cycle in the United States by foreign agents using social engineering and social media disinformation tactics to influence voters and to sow discord as well.Around the same time of the announcement, FortiGuard Labs observed a Guloader campaign being sent to an elections body in the United States. Although there is no sign that they were specifically targeted, we want to highlight what’s involved in these attacks given the 2022 U.S. midterm elections in November. The infection vectors are simple malicious spam that do not rely on exploiting a vulnerability or macros.FortiGuard Labs found a campaign from a purported industrial equipment manufacturer in Indonesia, containing a malicious ISO attachment. Figure 1. Email used in this spam campaignISO email attachments are often used to avoid detection by security solutions. Clicking on the attachment triggers the ISO file. Once mounted, an EXE file-a GuLoader malware variant-becomes visible. The victim then needs to run the “Requisition order-PT. LFC Teknologi,pdf.exe” executable manually to start the infection routine. Figure 2. GuLoader file in the mounted ISO fileThis file is digitally signed via an untrusted root certificate, seen below.Figure 3. Digital signature information for “Requisition order-PT. LFC Teknologi,pdf.exe”.The GuLoader payload is a so-called first stage malware that has been seen in the wild for the past few years. It is designed to deliver a second stage payload that can be tailored to the attacker’s liking. Some reported second stage payloads include Remote Access Trojans (RATs), infostealers, and ransomware.This particular GuLoader variant reaches out to 195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java, which was no longer available at the time of the investigation. However, we believe the java file to either be a decryption key or a payload download. Another, GuLoader sample (SHA2: 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e) was submitted to VirusTotal on September 14th. This sample accesses 195[.]178[.]120[.]184/uFLBwGvx55[.]java and available OSINT suggests that the payload is the Azorult infostealer. Azorult is capable of exfiltrating data such as passwords from browsers, email, and FTP servers, and harvesting files with extensions specified by an attacker. It can also collect machine information such as user and computer name, installed programs, Windows version, and installed programs. Such stolen information can be a precursor to future attacks.Based on the traits of the GuLoader sample, FortiGuard Labs tracked down additional files involved in the same malicious spam campaign. The attacker mostly used IMG and ISO attachments along with file names in English, German, Spanish, Turkish, and Chinese. Taking a look at VirusTotal, submissions of the attachments are from the US, Czechia, China, Turkey, Germany, UK, Israel, Ireland, and Hungary. The GuLoader variant was also submitted to VirusTotal from the US, Bulgaria, Canada, China, the United Arab Emirates, and Korea. The email delivered to a board of elections in the United States was sent to a publicly available webmaster address. This indicates that the attacker sent these malicious emails to as many recipients as possible in the hope that someone would manually execute the malware. This is the first step to a potential compromise of machines related to the elections board of this United States state, and will allow the attacker to obtain a foothold to obtain unauthorized data for dissemination or simply various angles of disruption (ransomware, wiping, extortion, etc.) and even worse, perhaps sell access to an adversary for financial gain.Fortinet ProtectionsFortinet customers are already protected from the malware identified in this report through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:The following (AV) signatures detect the malware samples mentioned in this blog• NSIS/Injector.AOW!tr• W32/BHQ!tr• W32/BHQ.YXCIMZ!tr• W32/Qbot.G!tr• JS/Agent.BLOB!tr.dldr• LNK/Agent.RD!tr• JS/Starter.3A1B!tr• BAT/Starter.NIU!trThe WebFiltering client blocks all network-based URIs.Fortinet also has multiple solutions designed to help train users to understand and detect phishing threats:The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.We also suggest that organizations have their end users undergo our FREE NSE training program: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.IOCsFile IOCs (SHA2)GuLoader variants distributed in this spam campaign• 162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f• 21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb• 28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc• 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e• 70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f• 71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388• 74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229• 857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f• 9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641• 9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471• 9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808• aeca53c38a1bc40b7a53d5fcf7adceda97ac54ac56af1f161763c622c8e70d4f• b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294• b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402• bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b• cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c• d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f• ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5• e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42• e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45eEmail attachments (IMG and ISO) used to distribute GuLoader in this spam campaign• 162970957d591f4652c635a18a7f11bb2f06de08f263f9d467e6fe0c4d6aa00f• 21d01928ac971c2a228a2d9e7e188aa4a07783924b84e66af618e3155eb282eb• 28712de9f03560d66c60812052b514c6a78d41287a03fb3cfdd066741ebc81dc• 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e• 70856a79551c2e921db13eb757834a8bcb4a808ad5414e00ba207f7f132cc69f• 71186a72ce8b23242674c50e305fe2a1b98605d434d4af6f4190c9bb696e2388• 74c91f5ce079fcfdf8ec9813ec3e37c63a46e0d397b8ec31c89ca6bf17fe9229• 857364a9a903444a86b2f8d129c00bb5727beabcee4c1a8103b561ead678956f• 9ac2c9bce0561cb760098b252f3096cf1222e35bfdc1d380b1dc654dd81ed641• 9e147e27260eafbc680958cd72cf32143a426d245c29b09efdd78746752e6471• 9f245c6d31b3e8b7389053d954121927093a592b08bc02f3bac2516e78aa5808• b531a9e5b9ba3e10ec2ac3428e0a9835b9468943580df0894483ee9a91377294• b990b2e60ff7d5cbb74d1e42c87b08c722cc1db380608b58f2c8d4e51e8a1402• bb374bed2c79ac878b6626a1537f6f7869ab6176fba4e0f5cb16f11a255a285b• cf7188027fdf9e58695083342a2217ab861354ce960b324f4f59cbd350569a6c• d3d3a37db592226da6dcece19a2344e8a942b197001078fbdb518f262287e48f• ddf7d6b4d3b9677c5801cf1a7889c7396cce76752c593417b381e5abaf4bd1a5• e8ba90c9d071f49c4c8761ce1fcdd44f1d672c891a8625a1b2352a047bfd2b42• e929eddc1a4fa72a448d92b73ec8a4d4497bf8b1f937606f69a6ff831a66b45eNetwork IOCs related to the GuLoader spam campaign• gwinaz[.]pro/PL341/index.php• kngpdrp[.]shop/PL341/index.php• chino[.]shop/PL341/index.php• www.funeralprogramsshop[.]com/e65x/

Read More

RCE Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352) Being Exploited in the Wild

Read Time:1 Minute, 43 Second

FortiGuard Labs is aware of reports that a vulnerability affecting Zimbra Collaboration Suite (CVE-2022-41352) is a newly reported zero-day and is being exploited in the wild. CVE-2022-41352 is a Remote Code Execution (RCE) vulnerability that allows an attacker to perform remote code execution on vulnerable servers.Why is this Significant?This is significant because CVE-2022-41352 is a remote code execution vulnerability which is a zero-day and is actively being exploited in the wild.Zimbra Collaboration, formerly known as Zimbra Collaboration Suite, is a cloud-based email, calendaring, and groupware solution developed by Synacor and is widely used worldwide. According to its Web site, Zimbra is used in more than 140 countries and over 1,000 government and financial institutions.What is CVE-2022-41352?The vulnerability exists due to Amavis’ (Zimbra’s Anti-virus engine) usage of “cpio” to extract archives in emails and scan contents. By leveraging the vulnerability, an attacker can gain improper access to any other Zimbra user accounts, which can lead to remote code execution.What is the CVSS Score?CVE-2022-41352 has a CVSS rating of 9.8. Zimbra rates the vulnerability as “major”.How Widespread is this?While we do not know how widespread this is, the first report of this vulnerability being exploited has been reported to be around the beginning of September 2022.What Versions of Zimbra Collaboration Suite are Vulnerable to CVE-2022-41352?Zimbra Collaboration Suite version 8.8.15 and 9.0 are vulnerable.Has the Vendor Released a Patch for CVE-2022-41352?Yes, the vendor released a patch on October 10, 2022.What is the Status of Protection?FortiGuard Labs released the following IPS signature for CVE-2022-41352:Zimbra.Collaboration.Suite.cpio.Remote.Code.Execution (default action is set to “pass”)Any Suggested Mitigation?As mitigation, Zimbra recommends installing the pax package, an utility for creating and extracting archive files, to Zimbra servers. For details, please refer to the Appendix for a link to “Security Update – make sure to install pax/spax”.

Read More