Tuesday, March 6, 2018

Abusing Blockchain Transparency for Good

In 2013, I had just completed a year working on my DARPA Cyber Fast Track grant, creating a holistic threat model of the entire IoT landscape. The result of this research wasn't simply a threat model to end all IoT threat models: it was a blueprint for designing resilient, secure, long-lasting IoT technology. The question I then asked myself was, what do I build with this blueprint?

In answering that question, I spent the majority of 2013 looking at the intersection of technology and community service. I decided to set my sights on designing systems that could assist with the collapse of communities, something that has always been on the forefront of my work, and one of the reasons I had always focused on IoT. IoT has the potential to revitalize struggling communities by providing access to resources that are otherwise cost-ineffective or impractical.

So I designed a proof of concept system called DogeFling. DogeFling was the first step in an IoT system to facilitate community change through transparent donations. The way the proof-of-concept worked, everyone with a cellular phone could participate in the system. Donations were based on where your phone "lived" (the physical area in which you tend to live). So if your phone tends to "live" in Flint, Michigan, DogeFling would consider you a citizen of Flint.

If a crisis occurred anywhere in the world, the system would allow users to send monetary donations straight to your phone number via a text message, based on your location. Hurricane in Louisiana? DogeFling coins to the city of New Orleans and your currency would be evenly distributed across all phones "living" in the general area. You didn't need an account. You didn't need a bank. The system used Dogecoin to quickly and cheaply transfer money between parties.

This proof was demonstrated at Hack in the Box 2014 (the Haxpo side-conference). At the time, I donated 2,000,000 DOGE to talk attendees via DogeFling. The Doge could then be used at HITB in exchange for physical goods like t-shirts and hoodies, proving the system worked.

In practice, however, there were serious regulatory and legal gaps that the system on its own could not resolve. After looking into these, it became clear that there would need to be an alternative solution in order to make this system work.

The Flint Water Crisis

In April of 2014, it became crystal clear that a change in the way we donate money was needed. I'm sure all you readers are aware of the Flint water crisis. In 2014, Flint's water system was switched over to a local river, heavily contaminated by industrial ruin and infrastructure decay. This spread lead and other toxins into the community, causing one of the most horrific and significant health crises of modern America. This crisis, as of writing this (March 2018), is ongoing.

I was born at McLaren hospital in Flint, and was raised in the greater Flint community. I went to high school at nearby Grand Blanc High School, but spent most of my time at the Flint Institute of Arts, Flint Institute of Music, Southwestern Academy, and Flint Central. In my teenage years, I wasted most of my time at the historic Flint Capitol Theater. The first non-classical-music concert I ever attended was The Dead Milkmen at the Capitol Theater. I still have the ticket stub. 

When my friends and family told me about the Flint Water Crisis, I looked to DogeFling for an answer. But, legal issues and funding precluded me from using it, and common sense stopped me from saying "screw it" and launching without a net. 

A system like DogeFling would have been exceptional during the Flint Water Crisis. Money donated into the city was somehow disappearing. Bottles of water were ending up at storage facilities, churches, and other locations with no one to distribute them. Despite acquiring massive amounts of funding from the public, somehow, citizens were still left thirsty and desperate simply to bathe. And while I'm thankful for the celebrities that showed up with semi-trucks full of bottled water, only a fraction of that water was efficiently distributed (or distributed at all). 

Every dollar donated into the crisis resulted in only a fraction actually used to assist Flint citizens. 

With such an obvious need, I did what any sensible, cautious entrepreneur would do and started looking for venture capital. 

The Intersection of IoT and Blockchain

During 2014 and 2015, I augmented the Lab Mouse Secure IoT Platform to support Blockchain technology using Secure Elements and a custom communications protocol. This allowed us to integrate with almost any Blockchain technology with ease. However, the problem of cost was still high on the list of outstanding issues. 

The average IoT platform costs 10 to 25% of what a "secure" IoT platform costs. This is not feasible for most startups. Even when information security professionals cry out for and demand security by default, and when executives buy into the concept of IoT security, the costs are sometimes so high as to make the implementation impractical. 

If you're selling an IoT sensor for 1 USD, how can you suddenly triple your costs by integrating secure technology, either forcing your market to bear the weight (if it will) or forcing your own company to vastly decrease its profit margins? None of this is sustainable in an ecosystem where the average ARM Cortex-M0+ costs under 0.60 USD per unit at volume with no trusted element.

My solution? RISC-V. With custom, open source, RISC-V processing technology, we can build secure processors with trust elements at a fraction of the cost of ARM processors. Integrating the RISC-V architecture into Lab Mouse, we can then offer a secure platform that is finally cost-effective.

So, in 2016, I researched the RISC-V architecture and joined the RISC-V consortium. I currently sit on the Debug, Security, and general ISA groups and hope to soon get back to participating more heavily. In 2017 at Hack in the Box Amsterdam, I demonstrated security flaws in the RISC-V processor architecture that are now resolved, proving that I put in the effort to research the architecture to ensure it is resilient enough for use in the Lab Mouse solution. 

With this architecture, we will finally be able to build and offer IoT security accessible to everyone. This further allows cost-effective integration of Blockchain technology without the need for excessively robust processing architectures, large amounts of RAM, or large storage devices! 

Proving Elements Secure

The final step to a holistic secure IoT platform is designing a trust element that is cost-effective and can scale effectively. The majority of 2017 was spent doing just this. Using the DARPA threat model, and threat models for Secure Elements augmented during the development of the GSMA IoT Security Guidelines (written by me, 2016), I proved that major Fortune 100 Secure Element designs contained major security flaws that can be exploited to gain access to almost any network environment, even ones presumed otherwise trustworthy. 

This research will be released at HITB 2018, proving that Lab Mouse has a stronger understanding of how to build, deploy, and manage elements of trust than most modern corporations. 

Community Vending Machines

With a significant amount of effort performed proving what works and doesn't work in designing and deploying global, secure IoT ecosystems, it was time to get back to business. 

In 2016 and 2017 I reached out to venture capitalists and angel investors, and began building relationships to help launch the Lab Mouse ecosystem. 

But what is the ecosystem? 

We aren't just building secure IoT technology. That is only a requirement for what we are really doing: solving community problems like the Flint Water Crisis. 

With our secure IoT platform we are building technology to distribute donations directly to citizens and communities in need.

Our first proof of concept is a Vending Machine that is integrated with the Stellar blockchain. Our token will be used to distribute funds donated into the Lab Mouse ecosystem directly to Vending Machines. Each machine will be directly on the blockchain, allowing users to monitor exactly where their money has been distributed. Because the Vending Machines are designed with Lab Mouse IoT technology, you know exactly when someone has received a donation, and what type of product they are retrieving from the machine.

Because of the Flint Water Crisis, we started with the idea of vending bottles of water, so that citizens could pick up free bottles. This grew into other options. After speaking with Flint community leaders, and holding several meetings at Flint's Factory Two, we learned that the number one stolen consumer good in Flint's Genesee County is diapers. Not prescription drugs. Not alcohol. Diapers.

As a result, we are augmenting our proof-of-concept design to support the distribution of packs of diapers, infant formula, and bottled water. 

Community Distribution Systems

By working with the local community, and using our blockchain token as a tracking unit, we can create distribution networks to refill vending machines around the city. Smart contracts can be used to facilitate distribution, because our secure IoT platform can identify when a contracted community member has fulfilled their job of transferring goods to a particular vending machine within the requisite time-frame. 

Furthermore, we can create incentives for helping distribution occur. By using the tracking data, we can move vending machines to more efficient locations, suitable for citizen use. 

But, most importantly, donations into the Lab Mouse IoT ecosystem directly support not only the products served by the vending machines, but the distribution, maintenance, and ongoing costs (energy consumption) required to support the machine and its ecosystem. 

The Result?

After 6 years of constant effort, this spring we will finally launch the proof-of-concept of a system long overdue: a way for citizens of the world to donate to a working environment where they can clearly see how their hard-earned money is being used by citizens in need. We will use secure IoT technology built by Lab Mouse to ensure the IoT ecosystem is not just secure, but cost-effective. We'll use blockchain's transparency, coupled with our secure IoT platform, to guarantee how every penny is being used in the system. We'll make the system sustainable by integrating ongoing costs into the donations model, to ensure every method of distributing goods can be supported by the donations that enter the network.

With this system, Lab Mouse hopes to change the way we think about IoT, Blockchain's usefulness, and the concept of philanthropy. We hope this is the first step in a long journey to prop up citizens in distress, to help revitalize communities long forgotten by the fallen titans of antiquated industry. 

The solution to modern economic distress isn't to pretend the revitalization of deprecated industries is profitable and sustainable. The solution is to use modern technology to distribute resources to provide opportunities for distressed citizens to educate themselves, their community, and to grow. We won't win this social war by offering another temporal band-aid on a long-term wound. We can only win by offering communities ways to ease their burdens, to give them opportunity, to reduce financial, emotional, and physical stress. Only then will we create environments where all people may thrive. 

Want to support us? Reach out: info at securitymouse dot com

Peace and Love,

Don A. Bailey
Lab Mouse Security
