https://mobile.twitter.com/alexander_paile/status/1344818412686553088
5 Likes
Let me tell you an example of how something that isn’t supposed to run code can run code.
A long time ago I heard about an *.txt file being used to infect computers.
It was devilishly sneaky.
No one would even imagine that a text file would run code, I mean, how could it? There are no macros, and notepad wouldn’t even understand it is code. It is just text.
Well, it worked like this: back then notepad had a limit to open text files, it could handle about a 32MB file max, and if it exceeded it would redirect you to Wordpad, and the legend says that Wordpad was able to execute macros! Imagine getting hacked with an txt file. Nuts!
Something similar happened with seemingly innocuous jpg files used as exploits to take over computers, jpg itself is obviously not an executable, but it can be exploiting a vulnerability in the browser’s image rendering causing a buffer overflow with a carefully crafted jpeg file.
The latter example was a very popular strategy used in many many occasions in different forms, I think it started with IE but then it was found similar vulnerabilities in other engines as well. The whole adobe suit (psd, ai, pdf, etc…) have been used as exploits.
Conceptually it is very similar with these DNA sequencers, the only difference is that the input is the DNA instead of a JPEG. Similar mishaps could be easily done like not properly checking input bounds (I mean why would you?) and having a fixed buffer size because it is just DNA right? You are not expecting to see a human DNA with 40 chromosomes or with 400, so why bother to consider these “impossible” edge cases…
I bet that your equipment from the 90s will also have gaping holes because no one will have even thought about security implications of not covering absurd edge cases from DNA samples.
So if you get a hacker a DNA synthesizer and boom, you get DNA as a vector.
5 Likes
There are some misconceptions here. A DNA sequencing machine just dumps the data to a computer, it doesn’t do analysis of the data itself. So the machine (at least in my day) had no computing power of it’s own.
The data dumped would be sorted by a program running at the time into a single file for each sample. It was raw chromatographic data + the programs estimate of the peaks in the data representing ACG ot T in a separate file. Nothing more would happen at that point from the sequencing machine and related software.
So unless the computer were hacked somehow, no way to run the code in any of the files.
Later, myself or the user of my facility (I ran a DNA sequencing core facility). Would take the sequence file and run a search with it though databases that we downloaded daily (you could do this online too, but risk someone seeing your research - not a popular idea in a for-profit company). We had a server specifically for searching these databases on our network. So in this case, that server would have to be compromised in some way and/or the software perverted.
I don’t know the workflow of contemporary machines, so can’t even speculate on what’s possible or not.
1 Like
I might have chicken-doxed myself a bit right there. 
3 Likes
Right here, these are the very programs being exploited.
In the article that started the debate here, they targeted the software that was compressing the sequenced DNA data. It’s exactly the same kind of situation @piluso was referring to, by the way, data that is supposed to be beyond suspicion used as a vehicle for malicious code.
No need to, you’re already hacked at that point.
1 Like
Sorting is enough.
jpeg exploits are technically exploits on the parsing engine.
It is more analogous than you think, from your description there is nothing that would scream “impossible” yet. In fact, it would be in the exact class of attacks.
Of course getting the database hacked through “conventional” means would be way more likely, but if you just abstract the “DNA” to “user input” I bet one bitcoin you will be able to make it behave in ways you wouldn’t even thought possible.
3 Likes
So yes, I was wrong there … although I left myself an out:
Also I’ve never doubted the possibility of such an attack in the present … just to say that back in the day when I worked in this field, such an attack would have been more science fiction than an actual occurrence … Not that it couldn’t have been done hypothetically, but rather that probably only a tiny handful of people would have thought of such an attack - hence a very rare thing to have happen and certainly not with some obscure DNA sequencing data analysis program.
We don’t consider DNA as private and sensitive as credit card numbers… yet.
Once there’s more we can do with genetic information, these systems will become prime targets.
1 Like
7 Likes
IMO, this is further evidence that Safe tokens are going to need an easy to use decentralized exchange in the future. The powers that be aren’t going to be tolerant of anything they can’t track and trace.
6 Likes
That’s right, and that’s why I’ve struggled so hard over the years to promote the ERC20 token and UniSwap. They will save Safe, because without access to a liquid market we are doomed to failure…
5 Likes
Just as I long suspected, bitcoin was bound for mainstream because of its public ledger/lack of privacy. Now they want to track transactions over $3,000 and for all exchanges to collect info so they know who owns the wallets. Then you have blockchain analysis companies. Government will love and adopt bitcoin and/or other blockchain solutions like CBDC (central bank digital currencies) and cash will be phased out entirely.
I think Safe will attract those that see their privacy and rights being ripped from their hands. Other privacy coins won’t be as easily accessible to the common person without centralized exchanges. DEX’s just aren’t as successful or attractive (though UNISWAP is for those well aquatinted with crypto) and mining is out of reach for most.
Safe Network will remain the easiest and best alternative to easily and privately earn private digital cash.
9 Likes
The only thing that freaks me out is “impermanent loss” as a liquidity provider. It does imply any loss is impermanent but it has the potential to be permanent from what I was gathering. Do you have any reassuring thoughts on that at all? The other thing I worry about is there being plenty of MAID liquidity provided but not enough ETH.
People want to receive passive income. The average person invests their money in bank deposits - in the US and China alone it is 8.5 trillion market. In the crypto, people give their crypto to intermediaries to earn a miserable 4.5% interest per year risking something that has gone up millions of percent (bitcoin 300 million%).
That’s why the DeFi market is so popular and that is why UniSwap is the largest decentralized exchange in the world:
In UniSwap v2 you can put liquidity in whatever pair you want, for example MAIDe / USDC and the exchange software automatically forwards you through the most liquid pair at the time you buy/sell:
4 Likes
All good and reassuring but am more curious about impermanent loss specifically.
What pair you reckon everyone would be most popular? I am always keen to stablecoin pairings myself.
People generally do not believe in the long-term success of crypto. That’s why they have a price at which they would sell. If you believe that one day the crypto will replace the fiat money, why sell? So I think most people are ok to make a profit right now and don’t worry about impermanent loss.
The most liquid pairs now are this. I think they will be the most used for Safe, too:
https://info.uniswap.org/pairs
2 Likes
I’m guessing this doesn’t apply to Bitrex Global, just the US Bitrex?
Does it matter, sooner or later they will be removed everywhere. Remember that the United States has started the war on drugs and in a few decades has forced the whole world to get involved in this war. Here we simply see the beginning of the war against freedom, anonymity and privacy (FAP) …
3 Likes
Impermanent loss has something to do with slippage between certain pairs or the way previous orders were conducted in a swap, if I remember correctly. I was listening to a deep dive on a podcast. I’ll register and pass it along when I’m back to work.