The Social Dilemma

Reading Time: 7 minutes

“Nothing vast enters the life of mortals without a curse.”

In 2020, Netflix released a documentary drama movie named “The Social Dilemma” directed by Jeff Orlowski which explores the rise of social media and the damage it has caused to society, focusing on its exploitation and manipulation of its users for financial gain through surveillance capitalism and data mining. According to recent estimates, approximately 3.8 billion people are active on social media worldwide which means that today more people are connected than ever through various social media platforms. Look around yourselves, which are the most visited Apps on your smartphones, you get to know how deep social media has penetrated our life. When asked about the impact of social media, creators said that they had never imagined to which extent their product would go on impacting the lives of common people across the globe. Social media did a fantastic job in helping people in their difficult times, it helped in searching the donor for organ donation, helped the needy to get donations, helped students to get free study materials online very easily, helped beginners to start cooking and there are endless examples of how social media has helped humans. But something has changed over the years. The world is changing at an unprecedented rate like never imagined before and that not in a good direction. 

 

Earlier the social media platforms were used for sharing photos and videos and connecting to people. The Internet was simple at that time. Now social media platforms like Facebook, Snapchat, Twitter, Tiktok, Google, Pinterest, Reddit, Linkedin, etc. compete for our attention. 

Today’s big tech giant companies are making their product keeping three main goals in their mind:- 

 

1.) Engagement goal- They want to drive up usage and keep you scrolling on their platforms. They want you to scroll through their platforms as much as you can do. But the question is how do they do that, right? They do it by using the machine as persuasive social media actors. It is called persuasive technology. Let me explain by giving a reference to two studies that were conducted at Stanford University in the mid-1990s that showed how the similarity between computers and the people who use them makes a difference when it comes to persuasions. One study examined the similarities in personalities while another study examined similarities in affiliation. Research highlights of the study are below.

 

Research Highlights: The Personality Study:

  • Created dominant and submissive computer personalities 
  • Chose as participants people who were at extremes of dominant or submissive 
  • Mixed and matched computer personalities with user personalities 
  • Result: Participants preferred computers whose “personalities” matched their own. 

Research Highlights: The Affiliation Study:

  • Participants were given a problem to solve and assigned to work on the problem either with a computer they were told was a “teammate” or a computer that was given no label. 
  • For all participants, the interaction with the computer was identical; the only difference was whether or not the participant believed the computer was a teammate. 
  • The results compared to responses of other participants: people who worked with a computer labeled as their teammate reported that the computer was more similar to them, that it was smarter, and that it offered better information. These participants also were more likely to choose the problem solutions recommended by the computers.

2.) Growth goal- They want you to connect with your relatives, your friends, even strangers and make them your friends, explore various attractive locations, crave tasty food, invite more people on the platform for engagement, etc. for one and only one reason, You visit their platforms more and more. Let me give you some examples from your daily social media experience. There are two forms of interactions that take place on Facebook: active interaction (liking, sharing, commenting, reacting) and passive interaction (clicking, watching, viewing/hovering).

 

  • Active interaction: Whenever someone likes your post or vice-a-versa, it gives a sense of joy that they like us or we like them. It creates a loop for you and them to visit each other’s profile more often and chat which means you will chat with them on social media platforms and you visit more. You share memes with them, react to their stories, you react to their reactions and ultimately you end up spending more time on their platform. It also creates a rat race for more no. of likes which can affect mental health. The more you crave for likes, the more you are expected to spend time on social media figuring out how you can increase your likes and get recognition amongst your peers. Below is the excerpt from a study on “The social significance of the Facebook Like button” by Veikko Eranti and Markku Lonkila.
The Social Dilemma

The figure suggests, first, that the relationship with the original poster of an object may have an impact on likes: We are more prone to like a post by a close Facebook friend than one by an acquaintance whom we have accepted as our friend somewhat reluctantly. Second, the quality, number, and network structure of previous likers are likely to affect one’s likes. This is probably even truer in the case of a sensitive or contradictory topic (e.g., a post on a political issue). Thus, if F1, F2, and F3 are close friends, F3 is more prone to like a post of controversial nature if F1 and F2 have both already liked it. Third, the imagined audience constructed subjectively by the user of the pool of all Facebook friends (some subset of F1–F4) is likely to influence liking behavior. 

  • Passive interaction: Now remember when you were not talking with anybody, not reacting to any stories, not commenting on any post but still active on social media, what were you doing? You were seeing videos and simply scrolling through various posts, memes, videos, reels hoping for the one post that you may find interesting and can like or comment on it, isn’t it? How long it took you to find the post you wanted to see. Probably not too much, your social media platform did not take a long time to guess what you want to see, but the question is how? Adam Mosseri, head of Instagram might answer your question, “Today we use signals like how many people react to, comment on, or share posts to determine how high they appear in News Feed. With this update, we will also prioritize posts that spark conversations and meaningful interactions between people. To do this, we will predict which posts you might want to interact with your friends about and show these posts higher in the feed. These are posts that inspire back-and-forth discussion in the comments and posts that you might want to share and react to – whether that’s a post from a friend seeking advice, a friend asking for recommendations for a trip, or a news article or video prompting lots of discussions.”
The Social Dilemma

3.) Advertising goal- When two people are connecting on the social media platform for free, it’s obvious someone is paying for it. A third party is paying for manipulation for those two, the other two, and every other person who is communicating through social media. We are in the era of surveillance capitalism where big tech giants are collecting a massive amount of data and collecting them at one place to show personalized ads to their customers and earn maximum money from advertising. It’s the gradual, slight, imperceptible change in your behavior and perception that is the product.

 

“If you’re not paying for the product, then you are the product.”

 

In one of the experiments conducted by Facebook on “Experimental evidence of massive-scale emotional contagion through social networks,” they found, “people who had positive content reduced in their News Feed, a larger percentage of words in people’s status updates were negative and a smaller percentage were positive. When negativity was reduced, the opposite pattern occurred. These results suggest that the emotions expressed by friends, via online social networks, influence our moods.” that suggests that Facebook can now affect or say change one’s real-life behavior, political viewpoint, and many more things. Effects of it have been felt across the globe in the form of fake news, disinformation, rumors, etc. Terrorist organizations used the very same formula and brainwashed hundreds of thousands to fight for them and kill innocent people. Now very same techniques are used by right-wing hate groups across the globe like white supremacists groups. We have seen examples of mob lynching in India due to rumors spread in the area. It is not just about fake news but it has more dangerous fake news of consequences. According to a recent study, fake news is five times more likely to speak than real news. We are transforming from the information age to the disinformation age. Democracy is under assault, tools are starting to erode the fabric of how society works. If something is a tool, it genuinely is just sitting there, waiting patiently. If something is not a tool, it’s demanding things from you. It’s seducing you. It’s manipulating you. It wants things from you. And today’s big tech giants have moved away from having a tools-based technology environment to an addiction and manipulation based technology environment. 

 

“Only two industries call their customers ‘users’, illegal drugs and software”

 

Big Tech giants namely Facebook, Amazon, Apple, Alphabet, Netflix, and Microsoft have grown tremendously over the past years. They have established monopolies in their respective industries where other smaller companies are either wiped out or struggling very hard to survive. The reason behind this is the cutting-edge technology developed by these companies which other companies can’t even compete on with them along with the unbelievable amount of data that they possess which makes their innovation more effective.

The Social Dilemma

Steps can be taken to make people aware of social media and its dangers. Chapters or subjects can be introduced at school levels to make children aware of the difference between social media and social life. Monopolies of the companies can be destroyed by the governments using anti-trust laws which would allow more competitors to enter the industries and create a safe and user-friendly environment on social media platforms. And lastly, strict laws should be made on data privacy and data protection.

 

“Any sufficiently advanced technology is indistinguishable from magic”



NANOMATERIALS

Reading Time: 10 minutes

INTRODUCTION

Nano means one billionth that means 10^-9 times in scientific notation. Have you ever thought how small it is? Avg human height is around 1.5-2m, size of ants are about 2mm, the diameter of a human hair is around 100mm and size of our DNA is around 2nm that means it is 10^-9 times smaller than average human height. To imagine how small is one-billionth let’s go on the other side and see how big an object would be if we are one billionth time larger than the humans. The diameter of the sun is about one billionth times larger than a human. That’s pretty big. So our DNA is as small as humans as humans are from the sun.

What are nanomaterials?? What is its importance? Where are they used? Let’s dive into the world of smallness!!!

Nanomaterials include a broad class of materials, which has at least one dimension less than 100nm. Depending on their shape, they can be 0-D, 1-D, 2-D or 3-D. You may be thinking what this small piece of material can do?? Nanomaterials have an extensive range of applications. The importance of these materials was realized when it was found that size can influence the physicochemical properties of a substance. Nanoparticles have biomedical, environmental, agricultural and industrial based applications.

Nanoparticles are composed of 3 layers-

  • The Surface Layer- It may be functionalized with a variety of small molecules, metal ions, surfactants and polymers.

  • The Shell Layer- It is a chemically different material from the core in all aspects.

  • The Core- It is the central portion of the nanoparticle and usually referred to as nanoparticle itself.

These materials got immense interest from researchers in multidisciplinary fields due to their exceptional characteristics.

CLASSIFICATION OF NANOPARTICLES

Based on the physical and chemical characteristics, some of the well-known classes of NPs are-

  1. CARBON-BASED NPs

  • FULLERENES- It contains nanomaterials that are made up of globular hollow cage such as allotropic forms of carbon. They have properties like electrical conductivity, high strength, structure, electron affinity and versatility. They possess pentagonal and hexagonal carbon units, while each carbon is sp2 hybridized. The structure of C-60 is called Buckminsterfullerene

  • CARBON NANOTUBES(CNTs)- They have elongated, tubular structure, 1-2nm in diameter. They structurally resemble graphite sheets rolling upon itself, which can have single double and many walls and therefore are named as single-walled (SWNTs), double-walled (DWNTs) and multi-walled carbon nanotubes (MWNTs) respectively. They are widely synthesized by decomposition of carbon, especially atomic carbons, vaporized from graphite by laser or by an electric arc to metal particles. Chemical Vapour Deposition (CVD) technique is also used to synthesize CNTs. They can be used as fillers, efficient gas absorbents and as a support medium for different inorganic and organic catalysts.

NANOMATERIALS

  1. METAL NPs

They are purely made up of metal precursors. Due to Localized Surface Plasmon Resonance (LSPR) characteristic, they possess unique optoelectrical properties. Due to excellent optical properties, they find their application in various research areas. For example, gold nanoparticles are used to coat the sample before analyzing in SEM.

  1. CERAMIC NPs

They are inorganic, nonmetallic solids, synthesized via heat and continuous cooling. They are made up of oxides, carbides, carbonates and phosphates. They can be found in amorphous, polycrystalline, dense, porous or hollow forms. They found their application in catalysis, photocatalysis, photodegradation of dyes and imaging application.

  1. SEMICONDUCTOR NPs

They possess wide band gaps and therefore show significant alteration in their properties with bandgap tuning. They are used in photocatalysis, photo optics and electronic devices. Some of the examples of semiconductor NPs are GaN, GaP, InP, InAs.

  1. POLYMERIC NPs

They are organic-based NPs, mostly nanospheres and nanocapsules in shape. They are readily functionalized and therefore have a wide range of applications.

  1. LIPID NPs

They contain liquid moieties and are effectively used in many biomedical applications. They are generally spheres with diameters ranging from 10 to 1000nm. They have a solid core made of lipid, and a matrix contains soluble lipophilic molecules.

SYNTHESIS OF NPs

There are various methods used for the synthesis of NPs, which are broadly classified into two main classes-

  1. TOP-DOWN APPROACH

Top-down routes are included in the typical solid-state processing of the materials. It is based on bulk materials and makes it smaller, thus using physical processes like crushing, milling and grinding to break large particles. It is a destructive approach, and it is not suitable for preparing uniformly shaped materials. The biggest drawback in this approach is the imperfections of the surface structure, which has a significant impact on physical properties and surface chemistry of nanoparticles. Examples of this approach include grinding/milling, CVD, PVD and other decomposition techniques.

NANOMATERIALS

  1. BOTTOM-UP APPROACH

As the name suggests, it refers to the build-up of materials from the bottom: atom by atom, molecule by molecule or cluster by cluster. They are more often used for preparing most of the nanoscale materials which have the ability to generate uniform size, shape and distribution. It effectively covers chemical synthesis and precisely controls the reaction to inhibit further particle growth. Examples are sedimentation and reduction techniques. It includes sol-gel, green synthesis, spinning and biochemical synthesis.

CHARACTERIZATION OF NPs

Analysis of different physicochemical properties of NPs is done using various characterization techniques. It includes techniques such as X-ray diffraction (XRD), X-ray photoelectron spectroscopy (XPS), Infrared (IR), SEM, TEM and particle size analysis.

  1. MORPHOLOGICAL CHARACTERIZATION

Morphology always influences most of the properties of the NPs. Microscopic techniques are used for characterization for morphological studies such as a polarized optical microscope, SEM and TEM.

SEM technique is based on electron scanning principle. It uses a focused beam of high energy electrons to generate a variety of signals at the surface of solid specimens. It is not only used to study the morphology of nanomaterials, but also the dispersion of NPs in the bulk or matrix.

TEM is based on electron transmission principle so that it can provide information on bulk material from very low to higher magnification. In TEM a high energy beam of electrons is shone through a skinny sample. This technique is used to study different morphologies of gold NPs. It also provides essential information about two or more layer materials.

NANOMATERIALS

  1. STRUCTURAL CHARACTERIZATION

Structural characteristics are of primary importance to study the composition and nature of bonding materials. It provides diverse information about the bulk properties of the subject material. XRD, Energy dispersive X-ray (EDX), XPS, IR, Raman and BET are the techniques used to study the structural properties of NPs.

XRD is one of the most used characterization techniques to disclose the structural properties of NPs. Crystallinity and phases of nanoparticles can be determined using this technique. Particle size can also be determined by using this technique. It worked well in identification of both single and multiphase NPs.

EDX is usually fixed with field emission-SEM or TEM device is widely used to know about the elemental composition with a rough idea of per cent weight. Nanoparticles comprise constituent elements, and each of them emits characteristic energy X-rays by electron beam eradication.

XPS is one of the most sensitive techniques used to determine the exact elemental ratio and exact bonding nature of elements in nanoparticles materials. It is a surface-sensitive technique used in-depth profiling studies to know the overall composition and the compositional variation with depth.

  1. PARTICLE SIZE AND SURFACE AREA CHARACTERIZATION

Size of the particle can be estimated by using SEM, TEM, XRD and dynamic light scattering (DLS). Zeta potential size analyzer/DLS can be used to find the size of NPs at a deficient level.

NTA is another new and exclusive technique which allows us to find the size distribution profile of NPs with a diameter ranging from 10 to 1000nm in a liquid medium. By using this technique, we can visualize and analyze the NPs in a liquid medium that relates the Brownian motion rate to particle size. It can be helpful in biological systems such as protein and DNA.

NPs have large surface areas, so it offers excellent room for various applications. BET is the most used technique to determine the surface area of nanoparticles material. Principle of this technique is adsorption and desorption and Brunauer-Emmett-Teller (BET) theorem.

  1. OPTICAL CHARACTERIZATION

Optical properties are of great concern in photocatalytic applications. These characterizations are based on Beer-lambert law and basic light principles. The techniques used to give information about absorption, luminescence and phosphorescence properties of NPs. The optical properties of NPs materials can be studied by well-known equipment like Ultraviolet-visible, photoluminescence and the ellipsometer.

PHYSICOCHEMICAL PROPERTIES OF NPs

So it’s all about the size, isn’t it? Yes and no. When a material becomes a nanomaterial is not so simple. A nanomaterial may have different properties compared to the same substance in bulk form. That means that a material could change when it goes from bulk to nanoform, but at what size that happens varies depending on the substance.Nanoparticles are used in various applications due to their unique properties such as large surface area, strength, optically active and chemically reactive.

  1. ELECTRONIC AND OPTICAL PROPERTIES

The optical and electronic properties of nanoparticles are dependent on each other. For example, gold colloidal nanoparticles are the reason for the rusty colours seen in blemished glass windows, while Ag NPs are typically yellow. The free electrons on the surface of nanomaterials are free to move across the material. The mean free path of Ag and gold is ~50nm, which is greater than the NPs size of these materials. Therefore, no scattering is expected from the bulk, when light interacts. Instead, they set into a standing resonance condition, which is responsible for LSPR in the NPs.

  1. MAGNETIC PROPERTIES

There is a class of nanoparticles known as magnetic nanoparticles that can be manipulated using magnetic fields. Such particles consist of two components- a magnetic material and chemical component that has functionality. These types of materials have a wide range of applications which includes heterogeneous and homogeneous catalysis, biomedicine, magnetic fluids, MRI and also in water decontamination. Magnetic properties of NPs dominate when its size is less than the critical value, i.e. 10-20nm. The reason for these magnetic properties is the uneven electronic distribution in NPs.

  1. MECHANICAL PROPERTIES

To know the exact mechanical nature of NPs different mechanical parameters such as elastic modulus, hardness, stress and strain, adhesion and friction are surveyed. Due to distant mechanical properties of NPs, it finds its application in fields like tribology, surface engineering, nanofabrication and nanomanufacturing. NPs shows different mechanical properties as compared to microparticles and their bulk materials.

  1. THERMAL PROPERTIES

It is well known that metals have better thermal conductivities than that of fluids. Same is the case of NPs. Thermal conductivity of copper is much higher than water and engine oil. Thermal conductivity of fluids can be increased by dispersing solid particles in them. Using the same way nanofluids are produced which have nanometric scales solid particles dispersed into a liquid such as water, ethylene glycol or oils. They are expected to exhibit superior properties relative to those of conventional heat transfer fluids and fluids containing microscopic solid particles. As heat transfer takes place at the surface of the particles, it is better to use the particles with large surface area, and it also increases the stability suspension.

APPLICATIONS

As discussed above the nanoparticles have various unique properties. Due to their properties, they find their applications in multiple fields, including drugs, medication, manufacturing, electronics, multiple industries and also in the environment.

NANOMATERIALS

Nano-sized inorganic particles have unique, physical and chemical properties. They are an essential material in the development of various nanodevices which can be used in multiple physical, biological, biomedical and pharmaceutical applications. Particles of an iron oxide such as magnetite (Fe3O4) or its oxides from maghemite (Fe2O3) are used in biomedical applications. Polyethene oxide (PEO) and polylactic acid (PLA) NPs have been revealed as up-and-coming systems for the intravenous administration of drugs. Biomedical applications require NPs with high magnetization value, a size smaller than 100nm and a narrow particle size distribution. Most of the semiconductor and metal NPs have immense potential cancer diagnosis and therapy.

Image shows the bamboo-like structure of nitrogen-doped carbon nanotubes for the treatment of cancer.

NANOMATERIALS

In specific applications within the medical, commercial and ecological sectors manufacturing NPs are used which show physicochemical characteristics that induce unique electrical, mechanical, optical and imaging properties. Nanotechnology is used in various industries, including food processing and packaging. The unique plasmon absorbance features of the noble metals NPs have been used for a wide variety of applications including chemical sensors and biosensors.

Nanomaterials are also used in some environmental applications like green chemistry, pollution prevention, the recommendation of contaminated materials and sensors for ecological stages.

NPs such as metallic NPs, organic electronic molecules, CNTs and ceramic NPs are expected to flow as a mass production process for new types of electronic equipment.

NPs can also offer applications in mechanical industries, especially in coating, lubricants and adhesive applications. Its mechanical strength can be used to produce mechanically more reliable nanodevices.

CONCLUSION

Nanomaterials are no doubt the future of technology, being the smallest material they have a wide range of applications due to their unique physical and chemical properties. Due to their small size, NPs have a large surface area which also makes them suitable candidates for many applications. Even at that size, optical properties dominate, which further increase their importance in photocatalytic applications. Though NPs are used for various applications, still they have some health hazard concerns due to their uncontrollable use and discharge to the natural environment, which should be considered to make the use of NPs more convenient and environmentally friendly.

WONDER, THINK, CREATE!!!

Keep Learning!, Keep Growing!

Team CEV

Day20 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 3 minutes

author: aman

Blog VIII - Part I - Day 20

Hey there, Sorry for time being away.

In the complete series the main focus was to get the undergrads of my college to a kind of "ROAD" that is not taken "usually". This was something out of the world of Competitive Coding and Machine Learning. Since the Internet is Changing, and Blockchains are the one who is the Lead Changer of this internet revolution. I guess, transformation would be the right word.

We have discussed about a lot of things, let's put them together.

In this micro-blog

  • Connecting the Dots
Connecting the Dots

So, we've talked about a lot of things in the series of the Blogs. However, I must say that I couldn't cover everything I knew in detail, but here I'll try to connect the dots for you.

Let me list the blogs with the topics they covered. (You are free to skip through the list, just come back if you want to grab a look at what has been already done.)

We talked about various sotware attacks, attacks on Blockchains, how terminologies(soundness, completeness) could mean so much, vulnerabilities, specs/invariants, bugs in few of the most trusted spaces. We also had 2 guest lectures in the series. Let me now end up with a complex case in case of Bitcoin.

The case leaves a possibility for an attacker to Partiotion the Bitcoin network into multiple parts, creating a possibility to fork bitcoin into 2 parallel chains. Let's see how it works:

BGP Highjacking attack on Bitcoin

The Bitcoin network is highly centralised, even after known to be a decentralised network. And even if the Blockchain is completely encrypted the routing of messages is still very much open. The routes are easily deductible to the adversaries.

See Here : https://bitnodes.io/

To explain it more, the complete Bitcoin network is spread to multiple ISPs (Internet Service Providers), which are again built up of multiple network clusters, called as Autonomous Systems(ASes). To communicate some messages between these ASes uses a protocol called the Border Gateway Protocol(BGP). This complete complete procedure is termed as Internet Routing.

~13 ASes host about 30% of the entire network, while 50 ASes host the 50% of the Bitcoin Network

Any attacker with accesss to the routing infra, can Highjack the BTC network. As a result of attacking mentality they can partition the BTC network in several parts. Probably bringing a major network towards their side.

Now they can add as many blocks in their side, and broadcast the chain in the network. By the general rule of Bitcoin network, "the longest chain is considered to be the final chain", the malicious one gets updated in the real etwork.

"hese attacks, commonly referred to as BGP hijacks, involve getting a router to falsely announce that it has a better route to some IP prefix."

"50% of Bitcoin mining power is hosted in only 39 prefixes (i.e., in 0.007% of all Internet prefixes). This allows an attacker to isolate ~50% of the mining power by hijacking only these 39 prefixes. Much larger BGP hijacks (involving orders of magnitude more IP prefixes) are routinely seen in the Internet today."


You see this is a big thing. The Internet Routing has a developing history of more than 35 years, and the BGPs are still considered to be stable. It is said that, Bitcoin has already gone through hundreds of BGP routing attacks, and the attacks are still not deductible.


So turning back and seeing the dots to be connected, we find,

  • a 100% secure system isn't possible
  • not a lot of people are aroung the security of these systems
  • the higher institutes are still hustling to create an environment of secure information exchange
  • developing techniques to check a system for its security is extremely difficult, and this is the place where actual computer science comes in
  • the attack surfaces are open in Hardware devices as well,
  • the Finance field is already being exploited for its vulnerabilities and application for the Blockchain tech

One thing to notice is that, even if the Blockchain tech fails, there will be a definite transformation in the internet we will be using tomorrow.

The security is everything. For a world running on Data, User's privacy, access to the systems comes in first.

So, that should be a lot of motivation I guess. I don't have any pre compiled list of the things, one can work on in the future, but BLOCKCHAIN + SECURITY, is surely the most citable area of work.

I'll try to cover more in details sometime. And yeap, I never read the Blogs twice, so pardon for the errors.

Shoot your questions and error reporting here [email protected].

- Aman Pandey

amanpandey.codes

Day19 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 4 minutes

author: aman

Blog VII - Part I - Day 19

So, towards an end of this series.

I was quite busy in some other blog so couldn't write this one quickly.

In this blog I'll take up a case of a Security tool used in Ethereum Smart Contract bug discovery, ECHIDNA. I'll try to unwrap a few things about how a security can be used to analyse a "script", that governs the business of an organistion over Blockchain network. I'll try to cover almost everything taught last time in these 2 upcoming micro-blogs.

Let's take a look what's coming up...

In this micro-blog

  • One thing you can't believe in...
  • Fuzzer
  • Echidna
  • the Trail
One thing you can't believe in...

You might be having this strong image of BLOCKCHAIN, that a fraudulent transaction in a Blockchain cannot be reversed. Well...what is I say, it is actually inaccurate.

One of the famous article in MIT Technology Review, by Mike Orcutt, titled as "Once hailed as unhackable, blockchains are now getting hacked", stated the following:

"Blockchains are particularly attractive to thieves because fraudulent transactions can’t be reversed as they can be in the traditional financial system."

The statement is actually inaccurate!

Ethereum classic is an example to it. Remember, I've told you people before about the famous DAO attack. The had a massive $50 million money heist. Well the attacker is still a mystery.

The funds stuck until July 14, 2016. See the article. The possibility of attack was due to a vulnerable smart contract, that governs the functioning of DAO.

This was the problem until the Ethereum Chain was forked, after a long debate among the community. The transaction was rewritten in the new chain and now there exists 2 ethereum chain. One, that we use now, and where the DAO attack never happened. The other one, Ethereum Classic, where the DAO attack happened.

This is a note published by Vitalik Buterin, the founder of Ethereum Blockchain.

Strange!! yeah...?

Lets try to know about something which is used as a help to "not" get into such troubles...

Fuzzer

Prevention is better than cure! Since, every crucial thing from a developer side depends on how well the contracts are written. If the contract does not release any possibility of attack, any loopholes of information leakage, the contract is probably secure.

Just like normal computer programs, there exists this old and always alive Computer Science (we may call it fundamental though). Analysing the programs statically and in dynamic environments to detect the bugs that can be triggered or are automatically getting triggered.

There are several techniques to anlayse a program. Symbolic analysis, Dynamic Analysis, Model Checking, Fuzzing...

There had been a lot of Security Tools in development recently. Here is a sophisticated list of all, in the official listings of CONSENSYS.link

I will talk a bit about the only fuzzer system available for Smart Contract Analysis, by an Argentanian company TrailofBits. The tool is known as ECHIDNA.

Bonus excerpt(link)

ECHIDNA

day19_01 **pretty logo! isn't it?

ECHIDNA, is a property-based fuzzer system available for generating malicious inputs and break the smart contracts. It means, we write a certain property(like the one a system should "always" follow, or should "never" follow), and the system runs it on a local virtual machine, which is inbuilt with the tool. The system starts fuzzing. i.e. inputting the contract with random inputs, to check where the system fails the written property. These inputs are determined by input generation techniques, which are certainly in "possible limits" tha EVM can handle, and are not that arbitrary.

The tool is written in HASKELL, which is a FUNCTIONAL PROGRAMMING LANGUAGES, which you probably have never heard about. This means the code is short and does a lot. To give a intuitive brief, the Functional programming language are actually concerned about "What the thing is?" rather than "How the thing works?". Most of the SAT/SMT solvers, that I have talked about before are built over functional programming languages.

How ECHIDNA works? from user's point of view You write a smart contract with certain invariants(the property you think should never change and the smart contract should always follow). Then you run that within the system.

the Trail

After discussing all this... you must have got a great idea about what is actually going out around the world.

The next blog will be a very special Connect the dots... thing. Will have no technical knowledge.

I will just cover the things I & the 2 guests Kaushik & Gaurav has compiled for you people.

Will finally unveil the "The Road Not TAKEN..."

Thanks!!!

Day17 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 3 minutes

author: aman

Blog V - Part II - Day 17

Hey People, I have given a gist of how the EVM stores the smart contracts on its machine.

In this I will directly discuss some technical things about, how deep you can dive into using just the information told about in the previoud micro-blog. Will try to give a glimpse, rest you can think of autonomously.

Let's do it...

In this micro-blog

  • Ethereum Virtual Machine (EVM)
  • The two Properties of EVM
  • How the Smart Contracts are actually stored?
  • Some supplementaries
  • These trail of Digits have some meaning
  • How can the attackers mis-use it?
Some supplementaries

I would suggest to open up following things in other tabs, would help you people throughout:

These trail of Digits have some meaning

I will keep this explanation as vague as possible, as we have some people onboard who have excitement about the blockchain, despite their core interests and Fields.

You know right, EVM is a Stack based machine, as 2 + 2 is actually written as 2 2 +, postfix notation.

If you break this "strange series of digits", 608060405234801561001057600080fd5b5060016000819055506......

according to as shown in ethervm.io tab.

Day17 - "Why?" & "What in?" Security & Blockchain?

EVM is a stack-based machine and for actions to happend on this machine, these trails are converted into the OPCODES.

Each OPCODE has a size of 1 byte. EVM has a set of 140 OPCODES in total

Byte CountBYTCODEOPCODE
000060PUSH1 0x80
000260PUSH1 0x40
000452MSTORE
000534CALLVALUE
000680DUP1
000715ISZERO
000861PUSH2 0x0010
..............
..............
..............

Now, you understand how this thing works in EVM Stack? It would be infeasible to explain here how does a stack work. You better watch a video here call stacks & a big blog series here

If you are wondering how can you find the contract with that data? Well...just try copying pasting the following BYTECODE, and decompile in the ethervm.io/decompile, you'll find the same contract as was written in the previoud micro-blog simpleContract.sol.

608060405234801561001057600080fd5b50600160008190555060c6806100276000396000f3fe6080604052348015600f57600080fd5b506004361060325760003560e01c806360fe47b11460375780636d4ce63c146062575b600080fd5b606060048036036020811015604b57600080fd5b8101908080359060200190929190505050607e565b005b60686088565b6040518082815260200191505060405180910390f35b8060008190555050565b6000805490509056fea265627a7a723158200e135b4c7bcf7bde9dca1f257d97637d8137b315e29248b5654ac7830dab9e8264736f6c63430005100032
How can the attackers mis-use it?

The level of publicity, Blockchain provides, any user can directly use the address of the contract deployed, to instatiate a variable of that, contract and call its various function.

This is not small, this can let the potential attackers exploit the contract and cause big-attacks like, DAO-Reentrancy attack, or DDoS Gas attack, explained in the previous blogs.

As I have told, these work as the fill in the blanks, the vacant spaces within the Bytecode are initiated by 0 , which is then replaced by the hexadec code of the input.

This contract is again deployed to replace the existing one, changing the current state of the contract.

The Internal checks verifies whether you are the authorised one to make a certain check or not.

IG, This concept is heavily used in off-chains, as well.

====================

Find deeper readings here

Day16 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 3 minutes

author: aman

Blog V - Part I - Day 16

Hey People, I have been a little busy for last few days. Plus it took me some time to find the correct stuff that should fir right in the series.

So now, after so many micro-blogs, it is possible that you must be wondering on How an attacker can even do this? For that I'll be giving you people an idea about what things are openly available to people, potentially an attacker, to be able to exploit the weaknesses of the blockchain governing codes.

We'll take up Smart Contracts in world's larget Decentralised Application(dAPP) platform. Ethereum works with the currency called ETHER(ETH).

I will give you a quick look into what all information is publicly available, and an idea about what all can be extracted from the information available.

Lets dive deep in...

In this micro-blog

  • Ethereum Virtual Machine (EVM)
  • The two Properties of EVM
  • How the Smart Contracts are actually stored?
Ethereum Virtual Machine (EVM)

Ethereum, is actually a large collection of machines spread across the world in decentralised fashion. And a Ledger containing the details of all the transactions is distributed across all the machines(called nodes).

Ethereum Virtual Machine or EVM, is a system used to refer to this computer.

The two properties of this EVM

1) EVM is Quasi-Turing

A turing complete machine is the one, which is able to solve any problem provided to it, despite the fact how long does it take.

EVM is quasi-Turing because, it is limited by a factor, COST. Any computation you make to it, it is limited by the gas price required to solve this problem.

2) EVM is Stack Based Machine

EVMs Data Structure is Stack Based.

for e.g. 2 + 2 can be given as 2 2 +

How the Smart Contracts are actually stored?

If still you think the contract(i.e. the governing document on the Ethereum Blockchain), is stored in the textual format, as the following one, then you are absolutely wrong.

To work on EVM, the Smart Contracts are to be converted into a specific format called, the bytecodes.

After compiling the Smart Contract into the bytecode using Solidity compiler(solc), it is exported to the EVM.

  • Contract Bytecode: is the bytecode of the complete smart contract. That is actually, what ends up staying on the EVM.

It is comprised of functions(), already initialised variables, and all that is predefined. Plus, Something that can be changed during running.

  • Runtime Bytecode: it is the same bytecode that can be changes during running.

It can be said that Contract Bytecode = (some bytecode) + (Runtime Bytecode)*

-> Now, when compiled the above smart contract will look like,

if we compile it using solc --bin simpleContract.sol, we get the Contract Bytecode

======= simpleContract.sol:SimpleStorage =======

Binary:

608060405234801561001057600080fd5b5060016000819055506 0c6806100276000396000f3fe6080604052348015600f57600080 fd5b506004361060325760003560e01c806360fe47b1146037578 0636d4ce63c146062575b600080fd5b6060600480360360208110 15604b57600080fd5b81019080803590602001909291905050506 07e565b005b60686088565b604051808281526020019150506040 5180910390f35b8060008190555050565b6000805490509056fea 265627a7a723158200e135b4c7bcf7bde9dca1f257d97637d8137 b315e29248b5654ac7830dab9e8264736f6c63430005100032

and, if we compile it using solc --bin-runtime simpleContract.sol, we get the Runtime Bytecode

======= simpleContract.sol:SimpleStorage =======

Binary of the runtime part:

6080604052348015600f57600080fd5b506004361060325760 003560e01c806360fe47b11460375780636d4ce63c146062575b6 00080fd5b606060048036036020811015604b57600080fd5b8101 908080359060200190929190505050607e565b005b60686088565 b6040518082815260200191505060405180910390f35b80600081 90555050565b6000805490509056fea265627a7a723158200e135 b4c7bcf7bde9dca1f257d97637d8137b315e29248b5654ac7830d ab9e8264736f6c63430005100032


If you look very closely, you get to find that, the "Contract Bytecode" contains the "Runtime Bytecode"

608060405234801561001057600080fd5b5060016000819055506 0c6806100276000396000f3fe6080604052348015600f57600 080fd5b506004361060325760003560e01c806360fe47b1146037 5780636d4ce63c146062575b600080fd5b6060600480360360208 11015604b57600080fd5b81019080803590602001909291905050 50607e565b005b60686088565b604051808281526020019150506 0405180910390f35b8060008190555050565b6000805490509056 fea265627a7a723158200e135b4c7bcf7bde9dca1f257d97637d8 137b315e29248b5654ac7830dab9e8264736f6c63430005100032

Metaphorically, the smart contract remain in a way of Fill in the Blanks! The arguments inside the function(), are the blanks, which gets filled, and the state of the Blockchain is changes, or the query result is returned.

Please Note! This thing is publicly available.



-> Will directly, continue in next microblog....

Day15 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 2 minutes

author: aman

Blog IV - Part II - Day 15

Let us get some dirty hands on with some more Solidity code and exploit a few more Ethereum - Solidity bugs.

Here we'll discuss about the famous DAO attack, caused by the reentrancy bug.

Let us do it...

In this micro-blog

  • delegatecall (the proxy calls) (SWC-112) (Inclusion of Functionality from Untrusted Control Sphere)
  • DoS With Block Gas Limit (SWC - 128)
  • Integer Overflow (SWC - 101)
  • Reentrancy Bug(DAO attack) (Improper Enforcement of Behavioral Workflow) (SWC-107)
  • uncheckedSend() (SWC - 113)
  • tx.origin bug
  • Variable Shadowing (SWC-119)
3. Reentrancy Bug(DAO attack) (Improper Enforcement of Behavioral Workflow) (SWC-107)

You can find the related files in this gist.

There are two files. One is simpleDAO.sol which is a simple DAO(Decentralised Autonomous Organisation) contract, which is generally available publicily. Other one is reentrancy.sol which is particularly written by the attacker to exploit this bug.

It is termed as Improper Enforcement of Behavioral Workflow, as the attacker is able to make improper use of the conctract function, and play with the workflow of the contract.

Now, look at the 2 very crucial parts of both the contracts, one from each.

-> Attacking contract

function() public payable{
    DAO.withdraw(DAO.retbalance());
}

The variable DAO is the instantiation of the already deployed contract.

-> DAO Contract

function withdraw(uint amount) public{
    if (credit[msg.sender]>= amount) {
        (msg.sender.call.value(amount)());
        credit[msg.sender]-=amount;
    }
}

Now, just go with the flow.

You being the owner of the "attacking contract", will trigger some function to withdraw your money from the DAO Contract, the flow goes as follows:

call is sent to function withdraw() [DAO]

|

the function checks whether you have that amount, which comes to be true

|

amount is transferred to your contract using sender function

|

to accept the payment, "payable" function of your contract automatically gets called

|

The flow moves again to the "withdraw()" Notice!!! the amount is deducted after sending the amount your contract

"Notice the credit[msg.sender]-=amount; line."

|

The flow repeats.

VULNERABILITY SPOTTED<<<<<

This thing, drained off all the money from the DAO contract to the attacker contract.

"One of the major dangers of calling external contracts is that they can take over the control flow. In the reentrancy attack (a.k.a. recursive call attack), a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways."

*Can you Imagine what the Solution was?

Well, I'll tell that in the next blog. laughing

You are surely gonna kill me for this.

Be honest!!! dont search it up

*will be dropping an "answer" box in the cev insta page @cevsvnit

Thank you.


Adding gist frames here

Reentrancy Bug(DAO attack) (Improper Enforcement of Behavioral Workflow) (SWC-107)

Day14 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 3 minutes

author: aman

Blog IV - Part I - Day 14

Let us get some dirty hands on Solidity, to exploit some very dangerous Ethereum - Solidity bugs.

2 Bugs/vulenrabilities in this very micro-blog. Covering bugs like, Denial of Service with Block Gas Limit, where the attacker exploits the bug by taking benefit from limited GAS available for each transaction, and unchecked_send() bug, which when made by mistake, could be a disaster to the host contract holder, and users.

Let us do it...

In this micro-blog

  • delegatecall (the proxy calls) (SWC-112) (Inclusion of Functionality from Untrusted Control Sphere)
  • DoS With Block Gas Limit (SWC - 128)
  • Integer Overflow (SWC - 101)
  • Reentrancy Bug(DAO attack) (Improper Enforcement of Behavioral Workflow) (SWC-107)
  • uncheckedSend() (SWC - 113)
  • tx.origin bug
  • Variable Shadowing (SWC-119)
1. dos_gas.sol() [check out the exploitation of the bug at this gist])(https://gist.github.com/johnsoncarl/480aee528f35b8579c7dcf87c61c59d2)

DOS with Block Gas limit is A denial of service attack, where a host contract denies to perform its duties due to limited amount of gas provided for each transaction (about 3 million).

    for(uint i=0;i<500;i++) {
        listAddresses.push(msg.sender);
    }

Here to make the contract to always true change the upper bound of i to some lesser value, say i<100. Increase the value to fail it at a certain point.

uncheckedSend() [check out the exploitation of the bug at this gist])()

Whenever a contract, say sender, transfers the ether to another contract,say receiver, the payable function of the receiver is triggered, and this can be misused. For eg. payable function of the receiver contains some computationally heavy instructions, it can cause transfer() to fail and send() function to return false. Thus if the send() is not checked, it may cause a bug called uncheckedSend.

Also, since send() doesn't propogate the exception, its harmful of the users to use it.

contract attacker{
    bool public flag=false;
    function change() public{
		if(!flag) 	flag=true;
		else    	flag=false;
	}
	function() external payable {if(flag)	revert();}
}
contract Test{
	attacker a = new attacker();
	bool private flag0 = true;
	bool private status;
	function set0(int val) public returns (bool){
    		if (val % 10 == 0) {a.change();}
    		else flag0=false;
  	}
    function echidna_send() public payable returns(bool){
			address(this).transfer(msg.value);
            return address(a).send(0);
		}
	function() external payable{}
}

Here, echidna_send() will be the main function whose bool value will be checked by the tool.

  • payable functions : payable functions are necessary for the contract to accept the ether. Whenever a contract, say sender, transfers the ether to another contract,say receiver, the payable function of the receiver is triggered.

  • echidna_send() : contains address(this).transfer(msg.value); which is responsible for transferring ether to the Test contract. Which will then be transferred to the the instance of the contract attacker, a. Note: we are transferring 0 ethers to the contract address and then to the instance a. As address.send() doesn't revert state whenever the payment fails. So we try to return its bool value, which is then catched by echidna_send(), and thus by the tool. This is the value that the tool mainly checks for, and thus will be able to tell whether the contract payment through send was completed or not.

  • set0(int val) : random value is provided to set0(int val) as argument. Which then waits for the no. satisfy the condition if (val % 10 == 0). As soon as this value is catched, it triggeres change() function of the contract.

  • change() : This is responsible for flipping the flag value. So as soon as this function is triggered, flag=false changes to true, and now revert state in the payable will be activated. Now, the contract attacker, will be reverting each transaction made to it.

So this is how it works: [a is the instance if contract attacker] We first start running the contract with a.flag == false, and wait for a value in set(int val), to flip the flag of contract a to true, and thus activating the revert in payable. This will fail everytime the payment is made. And since, the send() doesn't revery any exception, it shall revert true of false. Which is catched by echidna_send(), and will be returned to the tool, to state that the payment could not be completed.

View this thread for more about address.send and address.transfer


I took it exactly from the exploitation repo I made earlier. Please email directly, in case of any doubts:

aman0902pandey(@)gmail.com



Adding gist frames here

DoS With Block Gas Limit (SWC - 128)

uncheckedSend() (SWC - 113)


Thanks!!!

Day13 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 3 minutes

author: aman

Blog III - Part III - Day 13

Understanding Hyperproperties and Blockchain together. And how this could be so big!

Let's get in....

In this micro-blog

  • Let us check this vaguely
  • 2-trace property
  • Hyperproperties
  • Safety and Liveness - Another 2 very Important terms
  • Blockchain & Hyperproperties
  • How this could be so big?
Safety and Liveness - Another 2 very Important terms

As already explained, Property is a set of traces(traces are the set of System states). So, intuitively the Properties are the set of all the traces, where the system can reach.

Now, there are two things to be well noted, there are certain states "where a system should never reach & certain states where a system should eventually reach.

Well these are termed as "Safety" and "Liveness" trace properties. Where: Safety: is the property that prescribes that a system should never reach some bad state , while Livenes: is the property that prescribes that a system shoudl "eventually" reach some "Good State".

Give some time understanding this stuff. These are 2 very important terms when thinking about System proofs.

Every trace property is an intersection of safety & liveness property.

Blockchain & Hyperproperties

A very straight explanation from Hyperpoperties paper[1], says

"If systems are modeled as sets of execution traces [35], then the extension of a system property is a set of sets of traces or, equivalently, a set of trace properties. We name this type of set a hyperproperty."

Thus these safety and liveness property are said as heypersafety & hyperliveness.

Every property of any system anywhere can be defined in terms of these hyperproperties...


Now you must remember there was a CIA triangle, that Hrishabh explained about in Winter School 2019, which stands for : (take an example of something stored inside a locker)

C -> Confidentialitycan't see what is inside the locker
I -> Integritycan't tamper what is inside the locker
A -> Availabilitycan't destroy the locker's availability

If you think very crucially, you'll find that only confidentiality and intergrity are the two properties concerned with the secure information flow.

The most invincible idea behind blockchain is the safety of data.

To ensure the flow of data never goes in wrong hands, which is described by the very term secure information flow.

Now considering application of hyperproperties in the Blockchain, let us take 2 traces of blockchain:

π1 & π2.

There are two ways hyperoperties to check here!

  1. Non-interference: if some commands are issued by the high-level users (say the general of the army, that should not reach to the ears of the soldier). These should be removable, without the low-level user noticing any changes.
  2. Observational Determinism: System should always appear deterministic to the trusted users, or in this case high level users.

Suppose, in the blockchain, there are two traces, π1 & π2.

Day13 - "Why?" & "What in?" Security & Blockchain?

This is clipped form Dr. Pramod's teaching. It explains about Observational Determinism, but not with Blockchain

The upper one is π1(set of states as viewed by high level) and lower one is π2(set of states as viewed by low level).

High-Level user is that user, who can make changes to the Blockchain. And Low-level are the ones, who can just look at the states and retrieve data.

Now, whenever some critical input is given by the high level user(like, a general take some decision), it should not be noticed by the low-levels(the soldiers).

So, in OBSERVATIONAL DETERMINISM, the states of blockchain observed by both the low level and high level user should be same. (Notice that obsT between the two traces,showing the observations being made.)

That is all, this has a very crucial implications in the field of Systems, and even larger when applied to Blockchain.

How this could be so big?

This is very big thing. Though introduced back in 2003(observational determinism) & 1982(non interference), these hyperproperties turns out to be very crucial checks in the security.

Just consider a statement:

"If the low level is able to see the change made by the high level, there is the safety issues with Confidentiality adn Intergrity of the data."

Hope you got a very intuitive feel about these stuff.

Hope you had a great read.

See y'all....

Day12 – “Why?” & “What in?” Security & Blockchain?

Reading Time: 4 minutes

author: aman

Blog III - Part II - Day 12

In this blog, we’ll vaguely discuss the Hyperproperties and Information Flow thing.

As continued, this blog will contain the understandings from the Teachings of Dr Pramod, from SAT SMT Winter School 2018[1]. I will try to portray my understanding from his teachings and is working with him closely on Blockchain, I suppose it earned me a proper understanding.

Let us do this....

In this micro-blog

  • Let us check this vaguely
  • 2-trace property
  • Hyperproperties
  • How this could be so big?
Let us check it vaguely

We'll play a game, known as Distinguishability Game.

We pose a challenge game between attacker and a defender, where the attacker needs to exploit flow of information and the defender has to prevent it.

2 people:

day12_01day12_02
attackerdefender

Situation: There are two systems behind a wall, say system_0 and system_1, and the attacker just have the access to a function foo(x). He doesn't know, whenever he makes a call, to what system does this does the call go to.

The attacker is just like any other user, but who is trying to attack an arrangement behind a wall, popularly known as adversaries.

The defender is the arrangement behind the wall, which diverts the calls to different systems, which have following secret keys: "secret_b" , where b -> {0,1}. i.e. secret_0 or secret_1.

Game Initialisation

  • secret_0 := {0,1,2,3}
  • secret_1 := {4,5,6,7}
  • publicx := {10,11,12,13}
  • whenever a normal user makes a call, "only publicx is called, and thus the values inside it are returned"

Game Execution

  • there are a lot of calls to foo(x) made from across the world, and by the users with different access levels, i.e. admins & normal user
  • so the calls by a normal user are interspersed calls made by the admins

Finalisation

  • if attacker is able to identify which system in system_b the call is sent to, he wins, as this information should not be made available to the "normal user"

---> Now consider the following picture

day12_03

The attacker will try to observe the value of "r", and specially "he will be looking for any unexpected values"

Considering this program, try to make following calls to the system(both normal user and admins included),

• priv_level = sup_user, foo(1), obs = ∅ • priv_level = user, foo(1), obs = 11 • priv_level = sup_user, foo(2), obs= ∅ ........ These calls will go on forever the attacker will

But, now if the program has been like the following, and we bagin with our game:

day12_04

we start with the following calls, (notice the introduction of variable t)

day12_05

  • priv_level = sup_user, foo(1), obs = ∅
  • priv_level = user, foo(4),
    • obs = 2 -> b = 0
    • obs = 6 -> b = 1

Woosh!!! Did you realise here attacker wins the game, by observing the value of r & t.

If the value returned to the attacker is 2 clearly the secret key b, chosen will be b = 0 and if the value returned to the attacker is 6 clearly the secret key b, chosen will be b = 1

The system just leaked the information.

AFAIK, during my study I encountered this incident had already been reported, where the highly confidential data was leaked due a misprinted "=", I may be wrong though. But, This is a very critical exploitation of Information Flow.


In the very next blog, I'll take a use case of blockchain, and try to determine for such observations for it.

Thanks y'all..

and yeah, Amid this Corona virus thing, be safe...

_ Team CEV

CEV - Handout