Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovery of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, the numbers it produces aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are slightly predictable, then as a result, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal money contained in the wallet.

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

However, the weakness in the random number generator has the potential to affect more than just Bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the program requires a public and a private key. The nature of the flaw makes it far too easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.

In practice, though, the Bitcoin community is at the most risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets re-secured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.

Photograph: Bitcoin.org

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


The Prevent strategy needs a rethink, not a rebrand

A bad policy by any other name is still a bad policy.

Yesterday the Home Affairs Select Committee published its report on radicalization in the UK. While the focus of the coverage has been on its claim that social media companies like Facebook, Twitter and YouTube are “consciously failing” to combat the promotion of terrorism and extremism, it also reported on Prevent. The report rightly engages with criticism of Prevent, acknowledging how it has affected the Muslim community and calling for it to become more transparent:

“The concerns about Prevent amongst the communities most affected by it must be addressed. Otherwise it will continue to be viewed with suspicion by many, and by some as “toxic”… The government must be more transparent about what it is doing on the Prevent strategy, including by publicising its engagement activities, and providing updates on outcomes, through an easily accessible online portal.”

While this acknowledgement is good news, it is hard to see how real change will occur. As I have written previously, as Prevent has become more entrenched in British society, it has also become more secretive. For example, in August 2013, I lodged FOI requests to designated Prevent priority areas, asking for the most up-to-date Prevent funding information, including what projects received funding and details of any project engaging specifically with far-right extremism. I lodged almost identical requests between 2008 and 2009, all of which were successful. All but one of the 2013 requests were denied.

This denial is significant. Before the 2011 review, the Prevent strategy distributed money to help local authorities fight violent extremism and in doing so identified priority areas based solely on demographics. Any local authority with a Muslim population of at least five per cent was automatically given Prevent funding. The 2011 review pledged to end this. It further promised to expand Prevent to include far-right extremism and stop its use in community cohesion projects. Through these FOI requests I was trying to find out whether or not the 2011 pledges had been met. But with the blanket denial of information, I was left in the dark.

It is telling that the report’s concerns with Prevent are not new and have in fact been highlighted in several reports by the same Home Affairs Select Committee, as well as numerous reports by NGOs. But nothing has changed. In fact, the only change proposed by the report is to give Prevent a new name: Engage. But the problem was never the name. Prevent relies on the premise that terrorism and extremism are inherently connected with Islam, and until this is changed, it will continue to be at best counter-productive, and at worst, deeply discriminatory.

In his evidence to the committee, David Anderson, the independent ombudsman of terrorism legislation, has called for an independent review of the Prevent strategy. This would be a start. However, more is required. What is needed is a radical new approach to counter-terrorism and counter-extremism, one that targets all forms of extremism and that does not stigmatise or stereotype those affected.

Such an approach has been pioneered in the Danish town of Aarhus. Faced with increased numbers of youngsters leaving Aarhus for Syria, police officers made it clear that those who had travelled to Syria were welcome to come home, where they would receive help with going back to school, finding a place to live and whatever else was necessary for them to find their way back to Danish society.  Known as the ‘Aarhus model’, this approach focuses on inclusion, mentorship and non-criminalisation. It is the opposite of Prevent, which has from its very start framed British Muslims as a particularly deviant suspect community.

We need to change the narrative of counter-terrorism in the UK, but a narrative is not changed by a new title. Just as a rose by any other name would smell as sweet, a bad policy by any other name is still a bad policy. While the Home Affairs Select Committee's concern about Prevent is welcome, real action is needed. This will involve actually engaging with the Muslim community, listening to their concerns and not dismissing them as misunderstandings. It will require serious investigation of the damage caused by the new Prevent statutory duty, something which the report does acknowledge as a concern. Finally, real action on Prevent in particular, and extremism in general, will require developing a wide-ranging counter-extremism strategy that directly engages with far-right extremism. This has been notably absent from today's report, even though far-right extremism is on the rise. After all, far-right extremists make up half of all counter-radicalisation referrals in Yorkshire, and 30 per cent of the caseload in the east Midlands.

It will also require changing the way we think about those who are radicalised. The Aarhus model proves that such a change is possible. Radicalisation is indeed a real problem, and one imagines it will be even more so considering the country's flagship counter-radicalisation strategy remains problematic and ineffective. In the end, Prevent may be renamed a thousand times, but unless real effort is put into actually changing the strategy, it will remain toxic.

Dr Maria Norris works at London School of Economics and Political Science. She tweets as @MariaWNorris.